Windows Analysis Report
051_qbot.dll.dll

Overview

General Information

Sample Name: 051_qbot.dll.dll
(renamed file extension from vir to dll, renamed because original name is a hash value)
Original Sample Name: 051_qbot.dll.vir
Analysis ID: 882805
MD5: c7eb6a5c1f2ef5a2297fc0d22b77dd6a
SHA1: e0f9e6adb3fb31544fcfe3a1af983b1cbc47e8e1
SHA256: 16da93b87fcdf876d31beeb0802330df52c200a2c22a65bcfffac6457ff06062
Infos:

Detection

Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

Name Description Attribution Blogpost URLs Link
QakBot, qbotQbot QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.
  • GOLD CABIN
 https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

AV Detection
barindex
Found malware configuration
Source: 0000000F.00000002.493775474.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685686808", "Version": "404.1346", "C2 list": ["86.173.2.12:2222", "92.9.45.20:2222", "100.4.163.158:2222", "213.64.33.92:2222", "75.98.154.19:443", "78.192.109.105:2222", "88.126.94.4:50000", "70.28.50.223:2083", "92.154.17.149:2222", "24.234.220.88:993", "87.252.106.39:995", "174.4.89.3:443", "12.172.173.82:20", "90.29.86.138:2222", "70.160.67.203:443", "223.166.13.95:995", "184.181.75.148:443", "95.45.50.93:2222", "201.143.215.69:443", "64.121.161.102:443", "2.82.8.80:443", "188.28.19.84:443", "81.101.185.146:443", "79.77.142.22:2222", "84.215.202.8:443", "183.87.163.165:443", "74.12.147.139:2078", "74.12.147.139:2222", "74.12.147.139:2222", "74.12.147.139:2083", "70.28.50.223:2078", "94.204.202.106:443", "87.221.153.182:2222", "70.28.50.223:2087", "24.234.220.88:990", "2.49.63.160:2222", "72.205.104.134:443", "199.27.66.213:443", "83.249.198.100:2222", "90.104.151.37:2222", "116.75.63.183:443", "70.28.50.223:2078", "117.195.17.148:993", "77.126.99.230:443", "45.62.70.33:443", "24.234.220.88:465", "203.109.44.236:995", "75.109.111.89:443", "161.142.103.187:995", "77.86.98.236:443", "147.147.30.126:2222", "124.246.122.199:2222", "103.123.223.133:443", "180.151.19.13:2078", "176.142.207.63:443", "12.172.173.82:32101", "103.140.174.20:2222", "70.50.83.216:2222", "12.172.173.82:465", "38.2.18.164:443", "93.187.148.45:995", "70.64.77.115:443", "12.172.173.82:21", "70.49.205.198:2222", "27.0.48.233:443", "12.172.173.82:50001", "83.110.223.61:443", "103.141.50.43:995", "85.101.239.116:443", "103.42.86.42:995", "92.1.170.110:995", "81.229.117.95:2222", "124.122.47.148:443", "103.212.19.254:995", "103.139.242.6:443", "125.99.76.102:443", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "70.28.50.223:32100", "79.168.224.165:2222", "121.121.108.120:995", "69.160.121.6:61201", "200.84.211.255:2222", "201.244.108.183:995", "93.187.148.45:443", "85.61.165.153:2222", "184.182.66.109:443", "175.156.217.7:2222", "70.28.50.223:3389", "114.143.176.236:443", "65.95.141.84:2222", "80.6.50.34:443", "12.172.173.82:2087", "47.199.241.39:443", "66.241.183.99:443", "113.11.92.30:443", "186.75.95.6:443", "125.99.69.178:443", "109.130.247.84:2222", "96.56.197.26:2222", "70.50.1.252:2222", "91.160.70.68:32100", "67.70.120.249:2222", "209.171.160.69:995", "98.163.227.79:443", "176.133.4.230:995", "24.234.220.88:995", "45.62.75.250:443", "200.44.198.47:2222", "173.17.45.60:443", "5.192.141.228:2222", "184.63.133.131:995", "70.28.50.223:2083", "78.82.143.154:2222", "73.88.173.113:443", "181.4.225.225:443", "24.234.220.88:443", "174.58.146.57:443"]}
Multi AV Scanner detection for submitted file
Source: 051_qbot.dll.dll ReversingLabs: Detection: 51%
Source: 051_qbot.dll.dll Virustotal: Detection: 58% Perma Link
Antivirus detection for URL or domain
Source: https://188.28.19.84/t5 Avira URL Cloud: Label: malware
Sample uses string decryption to hide its real strings
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: error res='%s' err=%d len=%u
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: netstat -nao
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: runas
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ipconfig /all
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: net localgroup
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: nltest /domain_trusts /all_trusts
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Microsoft
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SELF_TEST_1
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: p%08x
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Self test FAILED!!!
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Self test OK.
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: /t5
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: whoami /all
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: cmd
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: route print
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: .lnk
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: arp -a
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: net share
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: cmd.exe /c set
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Self check
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %u;%u;%u;
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ProfileImagePath
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: at.exe %u:%u "%s" /I
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ProgramData
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Self check ok!
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: powershell.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: qwinsta
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: net view
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Component_08
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Start screenshot
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: schtasks.exe /Delete /F /TN %u
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: appidapi.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: c:\ProgramData
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Component_07
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: powershell.exe -encodedCommand %S
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: powershell.exe -encodedCommand
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: error res='%s' err=%d len=%u
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: netstat -nao
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: runas
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ipconfig /all
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SystemRoot
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: cscript.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: MBAMService.exe;mbamgui.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: C:\INTERNAL\__empty
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: .dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_PhysicalMemory
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ALLUSERSPROFILE
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: image/jpeg
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: LocalLow
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: displayName
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: shlwapi.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: CommandLine
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: kernel32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SubmitSamplesConsent
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: 1234567890
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: wbj.go
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_DiskDrive
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: System32
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Name
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: WRSA.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: c:\\
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SpyNetReporting
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: FALSE
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: aswhookx.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Packages
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: application/x-shockwave-flash
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: RepUx.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Winsta0
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: avp.exe;kavtray.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: root\SecurityCenter2
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: MsMpEng.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: userenv.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: csc_ui.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: \\.\pipe\
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: pstorec.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: NTUSER.DAT
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: from
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\sethc.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: netapi32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: gdi32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: setupapi.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SELECT * FROM Win32_Processor
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: iphlpapi.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Caption
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: CrAmTray.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_ComputerSystem
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: user32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SentinelServiceHost.exe;SentinelStaticuser.exe;SentinelAgent.exe;SentinelStaticuserScanner.exe;SentinelUI.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: \sf2.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: egui.exe;ekrn.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Software\Microsoft
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %S.%06d
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: bcrypt.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SELECT * FROM AntiVirusProduct
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: wtsapi32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: shell32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: TRUE
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_Bios
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: c:\hiberfil.sysss
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: */*
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ByteFence.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: type=0x%04X
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: snxhk_border_mywnd
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ROOT\CIMV2
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: dwuser.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: https
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: fshoster32.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: kernelbase.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: regsvr32.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %s\system32\
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_Process
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: rundll32.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: LOCALAPPDATA
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: cmd.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: APPDATA
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: select
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: .exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: mcshield.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: advapi32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ws2_32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: .cfg
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_Product
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: WQL
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: wininet.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: LastBootUpTime
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: S:(ML;;NW;;;LW)
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: urlmon.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Create
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_PnPEntity
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Initializing database...
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: winsta0\default
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: .dat
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: WBJ_IGNORE
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: next
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: wpcap.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: image/pjpeg
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: fmon.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: vbs
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: aswhooka.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SysWOW64
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: mpr.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: image/gif
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: crypt32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ntdll.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: open
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\wextract.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SystemRoot
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: cscript.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: MBAMService.exe;mbamgui.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: C:\INTERNAL\__empty
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: .dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_PhysicalMemory
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ALLUSERSPROFILE
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: image/jpeg
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: LocalLow
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: displayName
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: shlwapi.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: CommandLine
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: kernel32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SubmitSamplesConsent
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: 1234567890
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: wbj.go
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_DiskDrive
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: System32
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Name
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: WRSA.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: c:\\
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SpyNetReporting
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: FALSE
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: aswhookx.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Packages
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: application/x-shockwave-flash
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: RepUx.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Winsta0
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: avp.exe;kavtray.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: root\SecurityCenter2
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: MsMpEng.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: userenv.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: csc_ui.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: \\.\pipe\
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: pstorec.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: NTUSER.DAT
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: from
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\sethc.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: netapi32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: gdi32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: setupapi.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SELECT * FROM Win32_Processor
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: iphlpapi.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Caption
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: CrAmTray.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_ComputerSystem
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: user32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SentinelServiceHost.exe;SentinelStaticuser.exe;SentinelAgent.exe;SentinelStaticuserScanner.exe;SentinelUI.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: \sf2.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: egui.exe;ekrn.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Software\Microsoft
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %S.%06d
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: bcrypt.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SELECT * FROM AntiVirusProduct
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: wtsapi32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: shell32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: TRUE
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_Bios
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: c:\hiberfil.sysss
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: */*
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ByteFence.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: type=0x%04X
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: snxhk_border_mywnd
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ROOT\CIMV2
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: dwuser.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: https
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: fshoster32.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: kernelbase.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: regsvr32.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %s\system32\
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_Process
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: rundll32.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: LOCALAPPDATA
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: cmd.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: APPDATA
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: select
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: .exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: mcshield.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: advapi32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ws2_32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: .cfg
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_Product
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: WQL
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: wininet.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: LastBootUpTime
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: S:(ML;;NW;;;LW)
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: urlmon.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Create
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Win32_PnPEntity
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Initializing database...
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: winsta0\default
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: .dat
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: WBJ_IGNORE
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: next
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: wpcap.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: image/pjpeg
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: fmon.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: vbs
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: aswhooka.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: SysWOW64
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: mpr.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: image/gif
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: crypt32.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: ntdll.dll
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: open
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\wextract.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Uses 32bit PE files
Source: 051_qbot.dll.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DLL
Source: unknown HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.28.19.84:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_10009E70 FindFirstFileW,FindNextFileW, 15_2_10009E70

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 86.173.2.12:2222
Source: Malware configuration extractor IPs: 92.9.45.20:2222
Source: Malware configuration extractor IPs: 100.4.163.158:2222
Source: Malware configuration extractor IPs: 213.64.33.92:2222
Source: Malware configuration extractor IPs: 75.98.154.19:443
Source: Malware configuration extractor IPs: 78.192.109.105:2222
Source: Malware configuration extractor IPs: 88.126.94.4:50000
Source: Malware configuration extractor IPs: 70.28.50.223:2083
Source: Malware configuration extractor IPs: 92.154.17.149:2222
Source: Malware configuration extractor IPs: 24.234.220.88:993
Source: Malware configuration extractor IPs: 87.252.106.39:995
Source: Malware configuration extractor IPs: 174.4.89.3:443
Source: Malware configuration extractor IPs: 12.172.173.82:20
Source: Malware configuration extractor IPs: 90.29.86.138:2222
Source: Malware configuration extractor IPs: 70.160.67.203:443
Source: Malware configuration extractor IPs: 223.166.13.95:995
Source: Malware configuration extractor IPs: 184.181.75.148:443
Source: Malware configuration extractor IPs: 95.45.50.93:2222
Source: Malware configuration extractor IPs: 201.143.215.69:443
Source: Malware configuration extractor IPs: 64.121.161.102:443
Source: Malware configuration extractor IPs: 2.82.8.80:443
Source: Malware configuration extractor IPs: 188.28.19.84:443
Source: Malware configuration extractor IPs: 81.101.185.146:443
Source: Malware configuration extractor IPs: 79.77.142.22:2222
Source: Malware configuration extractor IPs: 84.215.202.8:443
Source: Malware configuration extractor IPs: 183.87.163.165:443
Source: Malware configuration extractor IPs: 74.12.147.139:2078
Source: Malware configuration extractor IPs: 74.12.147.139:2222
Source: Malware configuration extractor IPs: 74.12.147.139:2222
Source: Malware configuration extractor IPs: 74.12.147.139:2083
Source: Malware configuration extractor IPs: 70.28.50.223:2078
Source: Malware configuration extractor IPs: 94.204.202.106:443
Source: Malware configuration extractor IPs: 87.221.153.182:2222
Source: Malware configuration extractor IPs: 70.28.50.223:2087
Source: Malware configuration extractor IPs: 24.234.220.88:990
Source: Malware configuration extractor IPs: 2.49.63.160:2222
Source: Malware configuration extractor IPs: 72.205.104.134:443
Source: Malware configuration extractor IPs: 199.27.66.213:443
Source: Malware configuration extractor IPs: 83.249.198.100:2222
Source: Malware configuration extractor IPs: 90.104.151.37:2222
Source: Malware configuration extractor IPs: 116.75.63.183:443
Source: Malware configuration extractor IPs: 70.28.50.223:2078
Source: Malware configuration extractor IPs: 117.195.17.148:993
Source: Malware configuration extractor IPs: 77.126.99.230:443
Source: Malware configuration extractor IPs: 45.62.70.33:443
Source: Malware configuration extractor IPs: 24.234.220.88:465
Source: Malware configuration extractor IPs: 203.109.44.236:995
Source: Malware configuration extractor IPs: 75.109.111.89:443
Source: Malware configuration extractor IPs: 161.142.103.187:995
Source: Malware configuration extractor IPs: 77.86.98.236:443
Source: Malware configuration extractor IPs: 147.147.30.126:2222
Source: Malware configuration extractor IPs: 124.246.122.199:2222
Source: Malware configuration extractor IPs: 103.123.223.133:443
Source: Malware configuration extractor IPs: 180.151.19.13:2078
Source: Malware configuration extractor IPs: 176.142.207.63:443
Source: Malware configuration extractor IPs: 12.172.173.82:32101
Source: Malware configuration extractor IPs: 103.140.174.20:2222
Source: Malware configuration extractor IPs: 70.50.83.216:2222
Source: Malware configuration extractor IPs: 12.172.173.82:465
Source: Malware configuration extractor IPs: 38.2.18.164:443
Source: Malware configuration extractor IPs: 93.187.148.45:995
Source: Malware configuration extractor IPs: 70.64.77.115:443
Source: Malware configuration extractor IPs: 12.172.173.82:21
Source: Malware configuration extractor IPs: 70.49.205.198:2222
Source: Malware configuration extractor IPs: 27.0.48.233:443
Source: Malware configuration extractor IPs: 12.172.173.82:50001
Source: Malware configuration extractor IPs: 83.110.223.61:443
Source: Malware configuration extractor IPs: 103.141.50.43:995
Source: Malware configuration extractor IPs: 85.101.239.116:443
Source: Malware configuration extractor IPs: 103.42.86.42:995
Source: Malware configuration extractor IPs: 92.1.170.110:995
Source: Malware configuration extractor IPs: 81.229.117.95:2222
Source: Malware configuration extractor IPs: 124.122.47.148:443
Source: Malware configuration extractor IPs: 103.212.19.254:995
Source: Malware configuration extractor IPs: 103.139.242.6:443
Source: Malware configuration extractor IPs: 125.99.76.102:443
Source: Malware configuration extractor IPs: 50.68.186.195:443
Source: Malware configuration extractor IPs: 47.205.25.170:443
Source: Malware configuration extractor IPs: 12.172.173.82:993
Source: Malware configuration extractor IPs: 12.172.173.82:22
Source: Malware configuration extractor IPs: 70.28.50.223:32100
Source: Malware configuration extractor IPs: 79.168.224.165:2222
Source: Malware configuration extractor IPs: 121.121.108.120:995
Source: Malware configuration extractor IPs: 69.160.121.6:61201
Source: Malware configuration extractor IPs: 200.84.211.255:2222
Source: Malware configuration extractor IPs: 201.244.108.183:995
Source: Malware configuration extractor IPs: 93.187.148.45:443
Source: Malware configuration extractor IPs: 85.61.165.153:2222
Source: Malware configuration extractor IPs: 184.182.66.109:443
Source: Malware configuration extractor IPs: 175.156.217.7:2222
Source: Malware configuration extractor IPs: 70.28.50.223:3389
Source: Malware configuration extractor IPs: 114.143.176.236:443
Source: Malware configuration extractor IPs: 65.95.141.84:2222
Source: Malware configuration extractor IPs: 80.6.50.34:443
Source: Malware configuration extractor IPs: 12.172.173.82:2087
Source: Malware configuration extractor IPs: 47.199.241.39:443
Source: Malware configuration extractor IPs: 66.241.183.99:443
Source: Malware configuration extractor IPs: 113.11.92.30:443
Source: Malware configuration extractor IPs: 186.75.95.6:443
Source: Malware configuration extractor IPs: 125.99.69.178:443
Source: Malware configuration extractor IPs: 109.130.247.84:2222
Source: Malware configuration extractor IPs: 96.56.197.26:2222
Source: Malware configuration extractor IPs: 70.50.1.252:2222
Source: Malware configuration extractor IPs: 91.160.70.68:32100
Source: Malware configuration extractor IPs: 67.70.120.249:2222
Source: Malware configuration extractor IPs: 209.171.160.69:995
Source: Malware configuration extractor IPs: 98.163.227.79:443
Source: Malware configuration extractor IPs: 176.133.4.230:995
Source: Malware configuration extractor IPs: 24.234.220.88:995
Source: Malware configuration extractor IPs: 45.62.75.250:443
Source: Malware configuration extractor IPs: 200.44.198.47:2222
Source: Malware configuration extractor IPs: 173.17.45.60:443
Source: Malware configuration extractor IPs: 5.192.141.228:2222
Source: Malware configuration extractor IPs: 184.63.133.131:995
Source: Malware configuration extractor IPs: 70.28.50.223:2083
Source: Malware configuration extractor IPs: 78.82.143.154:2222
Source: Malware configuration extractor IPs: 73.88.173.113:443
Source: Malware configuration extractor IPs: 181.4.225.225:443
Source: Malware configuration extractor IPs: 24.234.220.88:443
Source: Malware configuration extractor IPs: 174.58.146.57:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 2.82.8.80 2.82.8.80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: yahoo.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: www.yahoo.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /t5 HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 188.28.19.84Content-Length: 74Cache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49718 -> 74.12.147.139:2222
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 27
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 74.12.147.139
Source: unknown TCP traffic detected without corresponding DNS query: 74.12.147.139
Source: unknown TCP traffic detected without corresponding DNS query: 74.12.147.139
Source: unknown TCP traffic detected without corresponding DNS query: 74.12.147.139
Source: unknown TCP traffic detected without corresponding DNS query: 74.12.147.139
Source: unknown TCP traffic detected without corresponding DNS query: 74.12.147.139
Source: unknown TCP traffic detected without corresponding DNS query: 74.12.147.139
Source: unknown TCP traffic detected without corresponding DNS query: 74.12.147.139
Source: unknown TCP traffic detected without corresponding DNS query: 74.12.147.139
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: C = {"useYAC":0,"usePE":0,"servicePath":"https:\/\/www.yahoo.com\/pdarla\/php\/fc.php","xservicePath":"","beaconPath":"https:\/\/www.yahoo.com\/pdarla\/php\/b.php","renderPath":"","allowFiF":false,"srenderPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","renderFile":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","sfbrenderPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","msgPath":"https:\/\/fc.yahoo.com\/unsupported-1946.html","cscPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-csc.html","root":"pdarla","edgeRoot":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1","sedgeRoot":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1","version":"4-11-1","tpbURI":"","hostFile":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/js\/g-r-min.js","beaconsDisabled":true,"rotationTimingDisabled":true,"fdb_locale":"What don't you like about this ad?|It's offensive|Something else|Thank you for helping us improve your Yahoo experience|It's not relevant|It's distracting|I don't like this ad|Send|Done|Why do I see ads?|Learn more about your feedback.|Want an ad-free inbox? Upgrade to Yahoo Mail Pro!|Upgrade Now","positions":{"DEFAULT":{"supports":false},"LDRB":{"w":728,"h":90},"LREC":{"w":300,"h":250},"MAST":{"w":1,"h":1},"MON":{"w":1,"h":1}},"lang":"en-US"}, equals www.yahoo.com (Yahoo)
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: C.events = {"AUTO":{"autoDDG":1,"autoIV":1,"autoMax":25,"autoRT":10000,"autoStart":1,"name":"AUTO","ps":{"LREC":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"LREC3":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"LREC4":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"MON":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"MON2":{"autoIV":1,"autoMax":25,"autoRT":"10000"}},"groups":{"LREC3":"MON2","LREC4":"MON2","MON2":"LREC3,LREC4"},"sp":2023538075,"sa":"Y-BUCKET=\"900\" ctout=380 rs=\"lu:0;pt:home;site:fp;ver:megastrm\" refresh=true","ref":"https:\/\/www.yahoo.com\/","ult":{"pg":{"property":"fp_en-US","rid":"0vbd66ti7utvc","test":"900"}}},"adFetch":{"ps":"LDRB,LREC,MAST,MON","sp":2023538075,"sa":"Y-BUCKET=\"900\" ctout=380 rs=\"lu:0;pt:home;site:fp;ver:megastrm\"","ref":"https:\/\/www.yahoo.com\/","ult":{"pg":{"property":"fp_en-US","rid":"0vbd66ti7utvc","test":"900"}}}}; equals www.yahoo.com (Yahoo)
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: C.positions = {"LDRB":{"clean":"sda-LDRB","dest":"sda-LDRB-iframe","fdb":1,"h":90,"id":"LDRB","metaSize":true,"pos":"LDRB","supports":{"exp-ovr":1,"exp-push":1,"lyr":0},"w":728,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"LREC":{"clean":"sda-LREC","dest":"sda-LREC-iframe","fdb":1,"h":250,"id":"LREC","metaSize":true,"pos":"LREC","supports":{"exp-ovr":0,"exp-push":0,"lyr":0},"w":300,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"},"doubleBuffering":false},"MAST":{"clean":"sda-MAST","closeBtn":{"adc":0,"mode":2,"useShow":1},"dest":"sda-MAST-iframe","fdb":1,"h":250,"id":"MAST","metaSize":true,"pos":"MAST","supports":{"exp-ovr":0,"exp-push":1,"resize-to":1},"w":970,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"MON":{"clean":"sda-MON","dest":"sda-MON-iframe","fdb":1,"h":600,"id":"MON","metaSize":true,"pos":"MON","supports":{"exp-ovr":1,"exp-push":1,"lyr":0,"resize-to":1},"w":300,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"DEFAULT":{"sandbox":false}}; equals www.yahoo.com (Yahoo)
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: w._comscore.push({"c1":"2","c2":"7241469","c5":2023538075,"c7":"https://www.yahoo.com/","c14":-1}); equals www.yahoo.com (Yahoo)
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: var pixelDetectUrl = "https://www.yahoo.com/px.gif"; equals www.yahoo.com (Yahoo)
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: {"@context":"http://schema.org","@type":"WebSite","url":"https://www.yahoo.com/","potentialAction":{"@type":"SearchAction","target":"https://search.yahoo.com/search?p={search_term_string}","query-input":"required name=search_term_string"}} equals www.yahoo.com (Yahoo)
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: </script><noscript><img src=https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c14=-1></noscript><script type=text/javascript nonce=4848d1e18af8eff8b88bc71dfea98a5e7f21a316811ebbb22150eec95387bbdd> equals www.yahoo.com (Yahoo)
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: brought back his talk show partially because he made no money on Bad Trip</div><div class="C($streamItemGray) Fz(11px) Mt(2px) Va(b) D(ib)--md1160" data-test-locator="stream-cluster-pub">The AV Club</div></a></li><li class="stream-cluster-item Fl(start) W(50%) W(100%)!--md1160 Mb(8px)--md1160" data-uuid="a6d53e8e-c9fc-3d9e-9287-d539d84743cb" data-parent-uuid="3edbd05a-399e-3fa4-af2e-d1c8375820cf" data-type="3" data-cpos="14" data-cposy="33" data-ycts="001000086,001000075,001000031" data-wikis="Eric_Wareheim,Cartoon_Network,Eric_Andr%c3%a9,Tim_Heidecker,Adult_Swim,Absolutely_Productions,Hannibal_Buress" data-test-locator="stream-cluster-item"><a class="js-content-viewer rapidnofollow wafer-caas Td(n) D(ib) Va(t) W(90%) Mend(10%) C(--dory):h C(--black)" data-uuid="a6d53e8e-c9fc-3d9e-9287-d539d84743cb" data-ylk="itc:0;elm:rhdln;bpos:1;cpos:14;cposy:33;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__main.fpExpl;ct:video;g:a6d53e8e-c9fc-3d9e-9287-d539d84743cb;grpt:storyCluster;pkgt:cluster_all_img;pos:3;slk:The Eric Andre Show: Season 6;" href="/entertainment/eric-andre-show-season-6-210245541.html" data-wf-caas-prefetch="1" data-wf-caas-uuid="a6d53e8e-c9fc-3d9e-9287-d539d84743cb" data-hosted-type="HOSTED"><img class="Fl(start) W(29%) Miw(65px) Maw(72px) Mend(10px) Trsdu(0s)! D(n)--md1160 Bdrs(2px)" src="https://s.yimg.com/uu/api/res/1.2/mzML.c575CXGYRGc4RAjkw--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHBpZD15dGFjaHlvbg--/https://s.yimg.com/hd/cp-video-transcode/production/a6d53e8e-c9fc-3d9e-9287-d539d84743cb/2023-05-03/21-03-06/8c967733-6e7a-56a0-b53a-c3f02ffd45d7/stream_1920x1080x0_v2_3_0.jpg.cf.jpg" alt=""/><div class="Lh(15px) C(--cobalt) C(--dory):h Fw(b) LineClamp(3,45px) Pend(10px)--md1160 D(i)--md1160"><b class="Hidden">Video </b>The Eric Andre Show: Season 6</div><div class="C($streamItemGray) Fz(11px) Mt(2px) Va(b) D(ib)--md1160" data-test-locator="stream-cluster-pub">Internet Video Archive</div></a></li></ul></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{&quot;adMeta&quot;:{&quot;adchoicesUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;advertiseWithUsUrl&quot;:&quot;https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot;,&quot;sponsoredUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;enableDrawerFeedback&quot;:false,&quot;enableAdLiteUpSellFeedback&quot;:true},&quot;features&quot;:{},&quot;i13n&quot;:{&quot;bpos&quot;:1,&quot;categoryLabel&quot;:&quot;Celebrity&quot;,&quot;cpos&quot;:14,&quot;cposy&quot;:31},&quot;intlFujiUiConfig&quot;:{&quot;roundedCorner&quot;:false,&quot;useVerticalControlIcons&quot;:false},&quot;xhrPathPrefix&quot;:&quot;/fp_ms/_rcv/remote&quot;,&quot;ncpParams&quot;:{&quot;query&quot;:{&quot;pageContext&quot;:{&quot;lu&quot;:0,&quot;pageType&quot;:&quot;home&quot;,&quot;site&quot;:&quot;fp&quot;,&
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: </div><div class="C($streamItemGray) Fz(11px) Mt(2px) Va(b) D(ib)--md1160" data-test-locator="stream-cluster-pub">Indiewire</div></a></li><li class="stream-cluster-item Fl(start) W(50%) W(100%)!--md1160 Mb(8px)--md1160" data-uuid="adc5c2a8-d428-3932-a15d-a80499fe97fd" data-parent-uuid="31257518-accc-363e-b071-5bcbf96256b1" data-type="3" data-cpos="15" data-cposy="36" data-ycts="001000031,001000069" data-wikis="Elle_Fanning,Natasha_Lyonne,Devery_Jacobs,Jenna_Ortega,Sheryl_Lee_Ralph,Ayo_Edebiri,The_Hollywood_Reporter" data-test-locator="stream-cluster-item"><a class="js-content-viewer rapidnofollow wafer-caas Td(n) D(ib) Va(t) W(90%) Mend(10%) C(--dory):h C(--black)" data-uuid="adc5c2a8-d428-3932-a15d-a80499fe97fd" data-ylk="itc:0;elm:rhdln;bpos:1;cpos:15;cposy:36;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__main.fpExpl;ct:video;g:adc5c2a8-d428-3932-a15d-a80499fe97fd;grpt:storyCluster;pkgt:cluster_all_img;pos:3;slk:The Hollywood Reporter&#x27;s Full, Uncensored TV Comedy Actress Roundtable With Ayo Edebiri, Elle Fanning, Devery Jacobs, Natasha Lyonne, Jenna Ortega, and Sheryl Lee Ralph | THR Video;" href="/entertainment/hollywood-reporters-full-uncensored-tv-043226539.html" data-wf-caas-prefetch="1" data-wf-caas-uuid="adc5c2a8-d428-3932-a15d-a80499fe97fd" data-hosted-type="HOSTED"><img class="Fl(start) W(29%) Miw(65px) Maw(72px) Mend(10px) Trsdu(0s)! D(n)--md1160 Bdrs(2px)" src="https://s.yimg.com/uu/api/res/1.2/cgPpkyweHixu2K0SeMV0Uw--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHBpZD15dGFjaHlvbg--/https://media.zenfs.com/en/the_hollywood_reporter_217/5f24d5fa447bdb44718983ac6b35ec65.cf.jpg" alt=""/><div class="Lh(15px) C(--cobalt) C(--dory):h Fw(b) LineClamp(3,45px) Pend(10px)--md1160 D(i)--md1160"><b class="Hidden">Video </b>The Hollywood Reporter&#x27;s Full, Uncensored TV Comedy Actress Roundtable With Ayo Edebiri, Elle Fanning, Devery Jacobs, Natasha Lyonne, Jenna Ortega, and Sheryl Lee Ralph | THR Video</div><div class="C($streamItemGray) Fz(11px) Mt(2px) Va(b) D(ib)--md1160" data-test-locator="stream-cluster-pub">The Hollywood Reporter</div></a></li></ul></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{&quot;adMeta&quot;:{&quot;adchoicesUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;advertiseWithUsUrl&quot;:&quot;https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot;,&quot;sponsoredUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;enableDrawerFeedback&quot;:false,&quot;enableAdLiteUpSellFeedback&quot;:true},&quot;features&quot;:{},&quot;i13n&quot;:{&quot;bpos&quot;:1,&quot;categoryLabel&quot;:&quot;Celebrity&quot;,&quot;cpos&quot;:15,&quot;cposy&quot;:34},&quot;intlFujiUiConfig&quot;:{&quot;roundedCorner&quot;:false,&quot;useVerticalControlIcons&quot;:false},&quot;xhrPathPrefix&quot;:&quot;/fp_ms/_rcv/remote&quot;,&quot;n
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: s tallest mountain and helped the climber down to safety.</p></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{&quot;adMeta&quot;:{&quot;adchoicesUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;advertiseWithUsUrl&quot;:&quot;https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot;,&quot;sponsoredUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;enableDrawerFeedback&quot;:false,&quot;enableAdLiteUpSellFeedback&quot;:true},&quot;features&quot;:{},&quot;i13n&quot;:{&quot;bpos&quot;:1,&quot;categoryLabel&quot;:&quot;News&quot;,&quot;cpos&quot;:19,&quot;cposy&quot;:44},&quot;intlFujiUiConfig&quot;:{&quot;roundedCorner&quot;:false,&quot;useVerticalControlIcons&quot;:false},&quot;xhrPathPrefix&quot;:&quot;/fp_ms/_rcv/remote&quot;,&quot;ncpParams&quot;:{&quot;query&quot;:{&quot;pageContext&quot;:{&quot;lu&quot;:0,&quot;pageType&quot;:&quot;home&quot;,&quot;site&quot;:&quot;fp&quot;,&quot;appName&quot;:&quot;megastrm&quot;}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&amp;m_id=react-wafer-stream&amp;ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><li class="stream-item js-stream-content Pos(r) Bgc(--white)" data-type="1" data-uuid="a9316a23-2384-31c0-b720-1e38ffdc5bf6" data-cpos="20" data-cposy="45" data-ycts="001000288" data-wikis="Father" data-property="Celebrity" data-i13n-cfg="{&quot;bpos&quot;:1,&quot;categoryLabel&quot;:&quot;Celebrity&quot;,&quot;cpos&quot;:20,&quot;cposy&quot;:45}" data-test-locator="stream-item" data-yaft-module="stream_item_20"><div class="Mih(140px)"><div class="Py(12px) Pos(r) Cf"><div class="Fl(start) Pos(r) Mend(25px) Maw(220px) W(26%)"><div class="H(0) T(0px) Bdrs(2px) Start(0) Pos(r)" style="padding-bottom:55.91%" data-test-locator="stream-item-image"><a href="/news/fort-worth-area-couple-took-110000593.html" data-ylk="itc:0;elm:img;elmt:ct;imgt:ss;bpos:1;cpos:20;cposy:45;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__main.fpExpl;ct:story;g:a9316a23-2384-31c0-b720-1e38ffdc5bf6;grpt:singlestory;pkgt:orphan_img;pos:1;cnt_tpc:Celebrity;slk:Fort Worth area couple took a DNA test for fun. The results revealed a shocking truth;" aria-hidden="true" class="js-content-viewer rapidnofollow" tabindex="-1"><img class="W(100%) Bdrs(2px)" src="https://s.yimg.com/uu/api/res/1.2/U1DfOGB5y9ypZCueAYqcQg--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHBpZD15dGFjaHlvbg--/https://media.zenfs.com/en/fort_worth_star_telegram_mcclatchy_952/5ed51b8a929de7d0b50302550fcadbf6.cf.jpg"
Source: 051_qbot.dll.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 051_qbot.dll.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 051_qbot.dll.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 051_qbot.dll.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 051_qbot.dll.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 051_qbot.dll.dll String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 051_qbot.dll.dll String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 051_qbot.dll.dll String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 051_qbot.dll.dll String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 051_qbot.dll.dll String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 051_qbot.dll.dll String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: 051_qbot.dll.dll String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 051_qbot.dll.dll String found in binary or memory: http://ocsp.digicert.com0C
Source: 051_qbot.dll.dll String found in binary or memory: http://ocsp.digicert.com0H
Source: 051_qbot.dll.dll String found in binary or memory: http://ocsp.digicert.com0I
Source: 051_qbot.dll.dll String found in binary or memory: http://ocsp.digicert.com0O
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: http://schema.org
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: 051_qbot.dll.dll String found in binary or memory: http://www.digicert.com/CPS0
Source: 051_qbot.dll.dll String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830424%7C0%7C0%7CAdId=-41;BnId=0;ct=61578007;st=11
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830441%7C0%7C225%7CAdId=11101911;BnId=2;ct=6157800
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=WN8lf1wGIS9pUgu6_LdRdnqWc2MxbKQuIVqraKPpZ2Fkqh.P
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://fp-graviton-home-gateway.media.yahoo.com/
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://openweb.jac.yahoosandbox.com
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://openweb.jac.yahoosandbox.com/1.5.0/jac.js
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/aaq/hc/homepage-pwa-defer-1.1.6.js
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/aaq/nel/js/spotIm.custom.SpotIMJAC.modal.9d3270fa67932556c75baaed2c09c955.js
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/aaq/spotim/
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/aaq/vzm/cs_1.4.0.js
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-core-1.63.0.js
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/cx/pv/perf-vitals_3.1.0.js
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/nn/lib/metro/g/myy/advertisement_0.0.19.js
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/ss/rapid-3.53.38.js
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uc/sf/0.1.322/js/safe.min.js
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/E8bGprFjv9Ud.x2CfVg8yg--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/GJM0T9nuvPjhGuFxUfcZuA--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/KSYWdTSFf6cb6I5mKjI6VA--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/P.vUCyhgznB9JdplpfhN5g--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/U1DfOGB5y9ypZCueAYqcQg--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/VP4Uj0yGwgz5fiidx_YgMQ--~B/Zmk9c3RyaW07aD0xOTg7cT04MDt3PTM4MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/VukkCtYgwUsNyskWRMerTw--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/aBrN1qBz8Mzvm1aK6NNj2A--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/arPZdthdJCau7x.13pfhgA--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/cgPpkyweHixu2K0SeMV0Uw--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/jmA4dNVmZNOKZFQv4w3ZxQ--~B/Zmk9c3RyaW07aD0zODg7cT05NTt3PTcyMDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/mzML.c575CXGYRGc4RAjkw--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/nPWGibR39WaNZnEFkmTQNg--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/nZoIEBF.tT3Nt3BwqaTcQw--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/zen0uone64pvOLhjI3iHFw--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://search.yahoo.com/search?p=
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot;
Source: 051_qbot.dll.dll String found in binary or memory: https://www.digicert.com/CPS0
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://www.yahoo.com/
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://www.yahoo.com/px.gif
Source: 3IEQMPPK.htm.22.dr String found in binary or memory: https://yep.video.yahoo.com/oath/js/1/oath-player.js?ypv=8.5.43&lang=en-US
Source: unknown HTTP traffic detected: POST /t5 HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 188.28.19.84Content-Length: 74Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: yahoo.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: yahoo.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: www.yahoo.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.28.19.84:443 -> 192.168.2.6:49717 version: TLS 1.2
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.485142732.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Uses 32bit PE files
Source: 051_qbot.dll.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DLL
Yara signature match
Source: 15.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 15.2.rundll32.exe.f609f8.0.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 15.2.rundll32.exe.f609f8.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 652
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ADAACE0 3_2_6ADAACE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ADA6880 3_2_6ADA6880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_10018E20 15_2_10018E20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_10003A40 15_2_10003A40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_100172EF 15_2_100172EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_100132F1 15_2_100132F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_10016F30 15_2_10016F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_10014B53 15_2_10014B53
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_100144D8 NtProtectVirtualMemory,NtProtectVirtualMemory, 15_2_100144D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000A51F NtAllocateVirtualMemory,NtWriteVirtualMemory, 15_2_1000A51F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000A93E GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 15_2_1000A93E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000AA38 GetLastError,NtResumeThread,FindCloseChangeNotification, 15_2_1000AA38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000CAF3 NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 15_2_1000CAF3
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ncryptsslp.dll
PE file contains more sections than normal
Source: 051_qbot.dll.dll Static PE information: Number of sections : 15 > 10
Source: 051_qbot.dll.dll ReversingLabs: Detection: 51%
Source: 051_qbot.dll.dll Virustotal: Detection: 58%
Source: 051_qbot.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\051_qbot.dll.dll,lcopy_block_row
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 672
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\051_qbot.dll.dll,lcopy_sample_rows
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\051_qbot.dll.dll,ldiv_round_up
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",lcopy_block_row
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",lcopy_sample_rows
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",ldiv_round_up
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",next
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",lround_up
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",lpeg_write_tables
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 656
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\051_qbot.dll.dll,lcopy_block_row Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\051_qbot.dll.dll,lcopy_sample_rows Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\051_qbot.dll.dll,ldiv_round_up Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",lcopy_block_row Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",lcopy_sample_rows Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",ldiv_round_up Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",next Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",lround_up Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",lpeg_write_tables Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Vouaefiford
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREEAD.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@30/20@2/100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000D2F7 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 15_2_1000D2F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000C800 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 15_2_1000C800
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\051_qbot.dll.dll,lcopy_block_row
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5260
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{08F170A1-EDBF-46A4-9A3C-5817DDA08329}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{AC962EC3-BC9C-4EC4-9FD4-6BB1CBA060A3}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7080
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4256
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7104
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{08F170A1-EDBF-46A4-9A3C-5817DDA08329}
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 051_qbot.dll.dll Static PE information: More than 104 > 100 exports found
Source: 051_qbot.dll.dll Static PE information: Image base 0x6ad80000 > 0x60000000
PE file contains sections with non-standard names
Source: 051_qbot.dll.dll Static PE information: section name: /4
Source: 051_qbot.dll.dll Static PE information: section name: /14
Source: 051_qbot.dll.dll Static PE information: section name: /29
Source: 051_qbot.dll.dll Static PE information: section name: /41
Source: 051_qbot.dll.dll Static PE information: section name: /55
Source: 051_qbot.dll.dll Static PE information: section name: /67
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6AD814B0 GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress, 3_2_6AD814B0
PE file contains an invalid checksum
Source: 051_qbot.dll.dll Static PE information: real checksum: 0xc341d should be: 0xbf9e6

Hooking and other Techniques for Hiding and Protection
barindex
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5256 base: E13C50 value: E9 63 D7 B7 FF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3236 Thread sleep count: 200 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5164 Thread sleep time: -60000s >= -30000s
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\wermgr.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000B967 GetSystemInfo, 15_2_1000B967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_10009E70 FindFirstFileW,FindNextFileW, 15_2_10009E70
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.9.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: VMware7,1
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6AD814B0 GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress, 3_2_6AD814B0
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6AD81F50 mov eax, dword ptr fs:[00000030h] 3_2_6AD81F50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_3_00E62297 mov eax, dword ptr fs:[00000030h] 15_3_00E62297
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_10001015 mov eax, dword ptr fs:[00000030h] 15_2_10001015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_100021CD mov eax, dword ptr fs:[00000030h] 15_2_100021CD
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ADC5370 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,EnterCriticalSection,TlsGetValue,GetLastError,TlsGetValue,GetLastError,LeaveCriticalSection, 3_2_6ADC5370

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 9C0000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 990000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: E13C50 Jump to behavior
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 990000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 9C0000 protect: page read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 990000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\051_qbot.dll.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ADB3D50 cpuid 3_2_6ADB3D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ADC52A0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_6ADC52A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_1000BC31 GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW, 15_2_1000BC31
AV process strings found (often used to terminate AV products)
Source: rundll32.exe, 0000000F.00000003.485111466.0000000004B3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: rundll32.exe, 0000000F.00000003.485111466.0000000004B3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: rundll32.exe, 0000000F.00000003.485111466.0000000004B3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 0000000F.00000003.485111466.0000000004B3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 0000000F.00000003.485111466.0000000004B3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: rundll32.exe, 0000000F.00000003.485111466.0000000004B3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Qbot
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 15.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.f609f8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.f609f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.493775474.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.493856745.0000000004AC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Qbot
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 15.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.f609f8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.f609f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.493775474.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.493856745.0000000004AC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 882805 Sample: 051_qbot.dll.vir Startdate: 06/06/2023 Architecture: WINDOWS Score: 100 33 103.212.19.254 VNET-ASVNETNETWORKSPVTLTDIN India 2->33 35 184.63.133.131 VIASAT-SP-BACKBONEUS United States 2->35 37 93 other IPs or domains 2->37 47 Found malware configuration 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 3 other signatures 2->53 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 rundll32.exe 9->11         started        14 cmd.exe 1 9->14         started        16 rundll32.exe 9->16         started        18 8 other processes 9->18 signatures6 55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->55 57 Writes to foreign memory regions 11->57 59 Allocates memory in foreign processes 11->59 61 Injects a PE file into a foreign processes 11->61 20 wermgr.exe 11->20         started        23 rundll32.exe 14->23         started        25 WerFault.exe 9 16->25         started        27 WerFault.exe 5 9 18->27         started        29 WerFault.exe 9 18->29         started        process7 dnsIp8 39 188.28.19.84, 443, 49717 H3GUKGB United Kingdom 20->39 41 74.12.147.139, 2222 BACOMCA Canada 20->41 45 3 other IPs or domains 20->45 31 WerFault.exe 20 9 23->31         started        43 192.168.2.1 unknown unknown 25->43 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
38.2.18.164
 unknown United States
174 COGENT-174US true
2.82.8.80
 unknown Portugal
3243 MEO-RESIDENCIALPT true
70.160.67.203
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS true
83.110.223.61
 unknown United Arab Emirates
5384 EMIRATES-INTERNETEmiratesInternetAE true
209.171.160.69
 unknown Canada
852 ASN852CA true
84.215.202.8
 unknown Norway
41164 GET-NOGETNorwayNO true
184.182.66.109
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS true
200.84.211.255
 unknown Venezuela
8048 CANTVServiciosVenezuelaVE true
125.99.69.178
 unknown India
17488 HATHWAY-NET-APHathwayIPOverCableInternetIN true
174.4.89.3
 unknown Canada
6327 SHAWCA true
121.121.108.120
 unknown Malaysia
9534 MAXIS-AS1-APBinariangBerhadMY true
161.142.103.187
 unknown Malaysia
9930 TTNET-MYTIMEdotComBerhadMY true
213.64.33.92
 unknown Sweden
3301 TELIANET-SWEDENTeliaCompanySE true
114.143.176.236
 unknown India
17762 HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN true
24.234.220.88
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS true
67.70.120.249
 unknown Canada
577 BACOMCA true
73.88.173.113
 unknown United States
7922 COMCAST-7922US true
72.205.104.134
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS true
117.195.17.148
 unknown India
9829 BSNL-NIBNationalInternetBackboneIN true
69.160.121.6
 unknown Jamaica
33576 DIG001JM true
176.133.4.230
 unknown France
5410 BOUYGTEL-ISPFR true
183.87.163.165
 unknown India
132220 JPRDIGITAL-INJPRDigitalPvtLtdIN true
184.181.75.148
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS true
70.49.205.198
 unknown Canada
577 BACOMCA true
87.221.153.182
 unknown Spain
12479 UNI2-ASES true
70.50.1.252
 unknown Canada
577 BACOMCA true
85.101.239.116
 unknown Turkey
9121 TTNETTR true
181.4.225.225
 unknown Argentina
7303 TelecomArgentinaSAAR true
100.4.163.158
 unknown United States
701 UUNETUS true
103.141.50.43
 unknown India
133693 SKISP-AS-INSriKrishnaInternetServicesPrivateLimitedI true
70.50.83.216
 unknown Canada
577 BACOMCA true
92.1.170.110
 unknown United Kingdom
13285 OPALTELECOM-ASTalkTalkCommunicationsLimitedGB true
64.121.161.102
 unknown United States
6079 RCN-ASUS true
96.56.197.26
 unknown United States
6128 CABLE-NET-1US true
188.28.19.84
 unknown United Kingdom
206067 H3GUKGB true
125.99.76.102
 unknown India
17488 HATHWAY-NET-APHathwayIPOverCableInternetIN true
81.101.185.146
 unknown United Kingdom
5089 NTLGB true
116.75.63.183
 unknown India
17488 HATHWAY-NET-APHathwayIPOverCableInternetIN true
124.246.122.199
 unknown Singapore
63850 ENTRUSTICT-AS-APQRHUBPTYLTDTAEntrustICTAU true
147.147.30.126
 unknown United Kingdom
6871 PLUSNETUKInternetServiceProviderGB true
109.130.247.84
 unknown Belgium
5432 PROXIMUS-ISP-ASBE true
75.109.111.89
 unknown United States
19108 SUDDENLINK-COMMUNICATIONSUS true
88.126.94.4
 unknown France
12322 PROXADFR true
124.122.47.148
 unknown Thailand
17552 TRUE-AS-APTrueInternetCoLtdTH true
66.241.183.99
 unknown United States
16604 HUNTEL-NETUS true
180.151.19.13
 unknown India
10029 SHYAMSPECTRA-ASSHYAMSPECTRAPVTLTDIN true
94.204.202.106
 unknown United Arab Emirates
15802 DU-AS1AE true
47.205.25.170
 unknown United States
5650 FRONTIER-FRTRUS true
95.45.50.93
 unknown Ireland
5466 EIRCOMInternetHouseIE true
103.212.19.254
 unknown India
132956 VNET-ASVNETNETWORKSPVTLTDIN true
85.61.165.153
 unknown Spain
12479 UNI2-ASES true
91.160.70.68
 unknown France
12322 PROXADFR true
87.248.100.215
 new-fp-shed.wg1.b.yahoo.com United Kingdom
34010 YAHOO-IRDGB false
201.143.215.69
 unknown Mexico
8151 UninetSAdeCVMX true
184.63.133.131
 unknown United States
7155 VIASAT-SP-BACKBONEUS true
203.109.44.236
 unknown India
135777 NECONN-ASShreenortheastConnectAndServicesPvtLtdIN true
90.104.151.37
 unknown France
3215 FranceTelecom-OrangeFR true
201.244.108.183
 unknown Colombia
19429 ETB-ColombiaCO true
2.49.63.160
 unknown United Arab Emirates
5384 EMIRATES-INTERNETEmiratesInternetAE true
103.42.86.42
 unknown India
133660 EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt true
80.6.50.34
 unknown United Kingdom
5089 NTLGB true
175.156.217.7
 unknown Singapore
4773 MOBILEONELTD-AS-APMobileOneLtdMobileInternetServicePr true
103.139.242.6
 unknown India
138798 MUTINY-AS-INMutinySystemsPrivateLimitedIN true
27.0.48.233
 unknown India
132573 SAINGN-AS-INSAINGNNetworkServicesIN true
70.28.50.223
 unknown Canada
577 BACOMCA true
173.17.45.60
 unknown United States
30036 MEDIACOM-ENTERPRISE-BUSINESSUS true
81.229.117.95
 unknown Sweden
3301 TELIANET-SWEDENTeliaCompanySE true
70.64.77.115
 unknown Canada
6327 SHAWCA true
87.252.106.39
 unknown Italy
48544 TECNOADSL-ASIT true
79.77.142.22
 unknown United Kingdom
9105 TISCALI-UKTalkTalkCommunicationsLimitedGB true
98.163.227.79
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS true
93.187.148.45
 unknown United Kingdom
8680 SURE-INTERNATIONAL-LIMITEDGB true
186.75.95.6
 unknown Panama
11556 CableWirelessPanamaPA true
50.68.186.195
 unknown Canada
6327 SHAWCA true
45.62.70.33
 unknown Canada
40440 NRTC-CA true
83.249.198.100
 unknown Sweden
39651 COMHEM-SWEDENSE true
12.172.173.82
 unknown United States
2386 INS-ASUS true
47.199.241.39
 unknown United States
5650 FRONTIER-FRTRUS true
79.168.224.165
 unknown Portugal
2860 NOS_COMUNICACOESPT true
199.27.66.213
 unknown United States
40608 HCTNEBRASKAUS true
200.44.198.47
 unknown Venezuela
8048 CANTVServiciosVenezuelaVE true
176.142.207.63
 unknown France
5410 BOUYGTEL-ISPFR true
86.173.2.12
 unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB true
45.62.75.250
 unknown Canada
40440 NRTC-CA true
92.154.17.149
 unknown France
3215 FranceTelecom-OrangeFR true
90.29.86.138
 unknown France
3215 FranceTelecom-OrangeFR true
174.58.146.57
 unknown United States
7922 COMCAST-7922US true
223.166.13.95
 unknown China
17621 CNCGROUP-SHChinaUnicomShanghainetworkCN true
5.192.141.228
 unknown United Arab Emirates
5384 EMIRATES-INTERNETEmiratesInternetAE true
65.95.141.84
 unknown Canada
577 BACOMCA true
75.98.154.19
 unknown United States
32444 SAFELINK-MVUS true
77.126.99.230
 unknown Israel
9116 GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste true
103.123.223.133
 unknown India
138329 KWS-AS-APKenstarWebSolutionsPrivateLimitedIN true
74.12.147.139
 unknown Canada
577 BACOMCA true
74.6.143.26
 yahoo.com United States
26101 YAHOO-3US false
92.9.45.20
 unknown United Kingdom
13285 OPALTELECOM-ASTalkTalkCommunicationsLimitedGB true
113.11.92.30
 unknown Bangladesh
7565 BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD true
77.86.98.236
 unknown United Kingdom
12390 KINGSTON-UK-ASGB true
103.140.174.20
 unknown India
138763 PRAVEEN1-ASPraveenTelecomPvtLtdIN true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
new-fp-shed.wg1.b.yahoo.com 87.248.100.215 true
yahoo.com 74.6.143.26 true
www.yahoo.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://yahoo.com/ false
    		high
    https://www.yahoo.com/ false
      		high
      https://188.28.19.84/t5 true
      • 0%, Virustotal, Browse
      • Avira URL Cloud: malware
      		 unknown