Windows Analysis Report
licking.dll

AV Detection

Source: 00000014.00000002.569589743.00000000033FA000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: netstat -nao
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: runas
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ipconfig /all
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: net localgroup
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Microsoft
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SELF_TEST_1
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: p%08x
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Self test FAILED!!!
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Self test OK.
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: /t5
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: whoami /all
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: cmd
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: route print
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: .lnk
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: arp -a
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: net share
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: cmd.exe /c set
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Self check
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %u;%u;%u;
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ProfileImagePath
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ProgramData
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Self check ok!
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: powershell.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: qwinsta
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: net view
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Component_08
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Start screenshot
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: appidapi.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: c:\ProgramData
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Component_07
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: powershell.exe -encodedCommand
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: netstat -nao
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: runas
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ipconfig /all
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SystemRoot
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: cscript.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: C:\INTERNAL\__empty
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: .dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_PhysicalMemory
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: image/jpeg
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: LocalLow
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: displayName
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: shlwapi.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: CommandLine
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: kernel32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SubmitSamplesConsent
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: 1234567890
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: wbj.go
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_DiskDrive
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: System32
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Name
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: WRSA.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: c:\\
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SpyNetReporting
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: FALSE
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: aswhookx.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Packages
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: application/x-shockwave-flash
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: RepUx.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Winsta0
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: avp.exe;kavtray.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: root\SecurityCenter2
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: MsMpEng.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: userenv.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: csc_ui.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: \\.\pipe\
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: pstorec.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: NTUSER.DAT
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: from
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: netapi32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: gdi32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: setupapi.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: iphlpapi.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Caption
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: CrAmTray.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_ComputerSystem
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: user32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: \sf2.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: egui.exe;ekrn.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Software\Microsoft
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %S.%06d
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: bcrypt.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: wtsapi32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: shell32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: TRUE
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_Bios
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: c:\hiberfil.sysss
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: */*
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ByteFence.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: type=0x%04X
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: snxhk_border_mywnd
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ROOT\CIMV2
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: https
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: fshoster32.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: kernelbase.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: regsvr32.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %s\system32\
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_Process
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: rundll32.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: LOCALAPPDATA
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: cmd.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: APPDATA
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: select
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: .exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: mcshield.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: advapi32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ws2_32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: .cfg
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_Product
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: WQL
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: wininet.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: LastBootUpTime
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: urlmon.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Create
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_PnPEntity
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Initializing database...
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: winsta0\default
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: .dat
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: WBJ_IGNORE
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: next
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: wpcap.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: image/pjpeg
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: fmon.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: vbs
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: aswhooka.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SysWOW64
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: mpr.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: image/gif
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: crypt32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ntdll.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: open
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SystemRoot
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: cscript.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: C:\INTERNAL\__empty
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: .dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_PhysicalMemory
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: image/jpeg
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: LocalLow
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: displayName
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: shlwapi.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: CommandLine
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: kernel32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SubmitSamplesConsent
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: 1234567890
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: wbj.go
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_DiskDrive
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: System32
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Name
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: WRSA.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: c:\\
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SpyNetReporting
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: FALSE
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: aswhookx.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Packages
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: application/x-shockwave-flash
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: RepUx.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Winsta0
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: avp.exe;kavtray.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: root\SecurityCenter2
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: MsMpEng.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: userenv.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: csc_ui.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: \\.\pipe\
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: pstorec.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: NTUSER.DAT
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: from
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: netapi32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: gdi32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: setupapi.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: iphlpapi.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Caption
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: CrAmTray.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_ComputerSystem
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: user32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: \sf2.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: egui.exe;ekrn.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Software\Microsoft
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %S.%06d
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: bcrypt.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: wtsapi32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: shell32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: TRUE
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_Bios
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: c:\hiberfil.sysss
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: */*
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ByteFence.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: type=0x%04X
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: snxhk_border_mywnd
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ROOT\CIMV2
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: https
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: fshoster32.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: kernelbase.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: regsvr32.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %s\system32\
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_Process
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: rundll32.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: LOCALAPPDATA
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: cmd.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: APPDATA
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: select
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: .exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: mcshield.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: advapi32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ws2_32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: .cfg
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_Product
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: WQL
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: wininet.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: LastBootUpTime
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: urlmon.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Create
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Win32_PnPEntity
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Initializing database...
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: winsta0\default
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: .dat
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: WBJ_IGNORE
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: next
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: wpcap.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: image/pjpeg
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: fmon.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: vbs
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: aswhooka.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: SysWOW64
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: mpr.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: image/gif
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: crypt32.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: ntdll.dll
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: open
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 20.2.rundll32.exe.3320000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Cryptography

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,		3_2_10035030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100500A3 mv_twofish_crypt,		3_2_100500A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C0B0 mv_cast5_crypt2,		3_2_1000C0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0 mv_camellia_crypt,		3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,		3_2_10013100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C1B0 mv_cast5_crypt,		3_2_1000C1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,		3_2_100132D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,		3_2_10002480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,		3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,		3_2_100084B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004D4B0 mv_tea_crypt,		3_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100364E0 mv_rc4_crypt,		3_2_100364E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002523 mv_aes_crypt,		3_2_10002523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001363B mv_encryption_init_info_alloc,		3_2_1001363B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000867B mv_blowfish_crypt_ecb,		3_2_1000867B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100136FB mv_encryption_init_info_alloc,		3_2_100136FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc,		3_2_10013860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012A70 mv_encryption_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_calloc,mv_free,mv_free,mv_free,mv_free,		3_2_10012A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012B40 mv_encryption_info_clone,mv_encryption_info_alloc,		3_2_10012B40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001BF0 mv_aes_crypt,		3_2_10001BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012CF0 mv_encryption_info_free,mv_free,mv_free,mv_free,		3_2_10012CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012D40 mv_encryption_info_get_side_data,mv_encryption_info_alloc,		3_2_10012D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007DC0 mv_blowfish_crypt_ecb,		3_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010E40 mv_des_crypt,		3_2_10010E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012F30 mv_encryption_info_add_side_data,mv_malloc,		3_2_10012F30

Compliance

Source: licking.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: licking.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 205.237.67.69:995
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 193.253.100.236:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 102.159.188.125:443
Source: Malware configuration extractor	IPs: 71.38.155.217:443
Source: Malware configuration extractor	IPs: 58.186.75.42:443
Source: Malware configuration extractor	IPs: 76.178.148.107:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 51.14.29.227:2222
Source: Malware configuration extractor	IPs: 59.28.84.65:443
Source: Malware configuration extractor	IPs: 173.88.135.179:443
Source: Malware configuration extractor	IPs: 103.144.201.56:2078
Source: Malware configuration extractor	IPs: 96.87.28.170:2222
Source: Malware configuration extractor	IPs: 105.186.128.181:995
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 151.62.238.176:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 122.186.210.254:443
Source: Malware configuration extractor	IPs: 82.125.44.236:2222
Source: Malware configuration extractor	IPs: 84.108.200.161:443
Source: Malware configuration extractor	IPs: 76.16.49.134:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 76.170.252.153:995
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 78.92.133.215:443
Source: Malware configuration extractor	IPs: 50.68.204.71:993
Source: Malware configuration extractor	IPs: 186.75.95.6:443
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 98.145.23.67:443
Source: Malware configuration extractor	IPs: 85.57.212.13:3389
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 69.242.31.249:443
Source: Malware configuration extractor	IPs: 81.101.185.146:443
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 75.143.236.149:443
Source: Malware configuration extractor	IPs: 14.192.241.76:995
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 220.240.164.182:443
Source: Malware configuration extractor	IPs: 73.29.92.128:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 76.86.31.59:443
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 68.203.69.96:443
Source: Malware configuration extractor	IPs: 124.122.47.148:443
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 92.186.69.229:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 89.129.109.27:2222
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 125.99.76.102:443
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 151.65.167.77:443
Source: Malware configuration extractor	IPs: 86.132.236.117:443
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 89.36.206.69:995
Source: Malware configuration extractor	IPs: 96.56.197.26:2083
Source: Malware configuration extractor	IPs: 78.18.105.11:443
Source: Malware configuration extractor	IPs: 82.127.153.75:2222
Source: Malware configuration extractor	IPs: 90.78.147.141:2222
Source: Malware configuration extractor	IPs: 82.131.141.209:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 80.12.88.148:2222
Source: Malware configuration extractor	IPs: 69.133.162.35:443
Source: Malware configuration extractor	IPs: 172.115.17.50:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 24.198.114.130:995
Source: Malware configuration extractor	IPs: 50.68.204.71:443
Source: Malware configuration extractor	IPs: 69.119.123.159:2222
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 70.112.206.5:443
Source: Malware configuration extractor	IPs: 198.2.51.242:993
Source: Malware configuration extractor	IPs: 2.36.64.159:2078
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 84.215.202.8:443
Source: Malware configuration extractor	IPs: 147.219.4.194:443
Source: Malware configuration extractor	IPs: 116.74.164.81:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 12.172.173.82:995
Source: Malware configuration extractor	IPs: 77.86.98.236:443
Source: Malware configuration extractor	IPs: 104.35.24.154:443
Source: Malware configuration extractor	IPs: 213.64.33.61:2222
Source: Malware configuration extractor	IPs: 47.149.134.231:443
Source: Malware configuration extractor	IPs: 72.134.124.16:443
Source: Malware configuration extractor	IPs: 47.34.30.133:443
Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 78.160.146.127:443
Source: Malware configuration extractor	IPs: 84.35.26.14:995
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 124.149.143.189:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 186.64.67.30:443
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 174.58.146.57:443
Source: Malware configuration extractor	IPs: 94.207.104.225:443
Source: Malware configuration extractor	IPs: 86.97.55.89:2222
Source: Malware configuration extractor	IPs: 69.123.4.221:2222

Source: unknown

Network traffic detected: IP country count 30

Source: Joe Sandbox View	ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
Source: Joe Sandbox View	ASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS

Source: Joe Sandbox View	IP Address: 2.82.8.80 2.82.8.80
Source: Joe Sandbox View	IP Address: 70.160.67.203 70.160.67.203

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

Source: rundll32.exe, rundll32.exe, 00000003.00000002.619865666.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.619663470.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.620074354.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.628094499.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.559908843.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.570492393.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, licking.dll

String found in binary or memory: https://streams.videolan.org/upload/

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1004D9B0 mv_thread_message_queue_recv,AcquireSRWLockExclusive,SleepConditionVariableSRW,SleepConditionVariableSRW,mv_fifo_can_read,mv_fifo_can_read,ReleaseSRWLockExclusive,mv_fifo_read,WakeConditionVariable,mv_fifo_can_read,

3_2_1004D9B0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: loaddll32.exe, 00000000.00000002.816403905.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: licking.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: 20.2.rundll32.exe.3320000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 20.2.rundll32.exe.3410930.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 20.2.rundll32.exe.3410930.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Source: licking.dll

Binary or memory string: OriginalFilenameavutil-lav-57.dll. vs licking.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 660

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004F020		3_2_1004F020
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D060		3_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10028070		3_2_10028070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100500A3		3_2_100500A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B0B0		3_2_1002B0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0		3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100500E1		3_2_100500E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10008144		3_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002A1A1		3_2_1002A1A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100101D0		3_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001021B		3_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10058218		3_2_10058218
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027220		3_2_10027220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10033261		3_2_10033261
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007270		3_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10024280		3_2_10024280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023350		3_2_10023350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100353B0		3_2_100353B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100243C0		3_2_100243C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480		3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004D4B0		3_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004C4C0		3_2_1004C4C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D4D0		3_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004E517		3_2_1004E517
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001F523		3_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10024546		3_2_10024546
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100105C0		3_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100215D0		3_2_100215D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023620		3_2_10023620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000164B		3_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100206A7		3_2_100206A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004E71B		3_2_1004E71B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010750		3_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000E760		3_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010778		3_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002A800		3_2_1002A800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10030800		3_2_10030800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B830		3_2_1000B830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10024873		3_2_10024873
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10026870		3_2_10026870
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001900		3_2_10001900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10091900		3_2_10091900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D910		3_2_1000D910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001F91B		3_2_1001F91B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1009D970		3_2_1009D970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010980		3_2_10010980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001099C		3_2_1001099C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100339B9		3_2_100339B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C9F0		3_2_1000C9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FA00		3_2_1000FA00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AA10		3_2_1000AA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10091A40		3_2_10091A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007A50		3_2_10007A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EAC0		3_2_1000EAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FAE0		3_2_1000FAE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FAF7		3_2_1000FAF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10025B0C		3_2_10025B0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AB30		3_2_1000AB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10003BA5		3_2_10003BA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FBC0		3_2_1000FBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001C10		3_2_10001C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DC10		3_2_1000DC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EC10		3_2_1000EC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10031C30		3_2_10031C30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000BC40		3_2_1000BC40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10004C96		3_2_10004C96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000ECC9		3_2_1000ECC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DD40		3_2_1000DD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CD50		3_2_1000CD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002DD90		3_2_1002DD90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EDB0		3_2_1000EDB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007DC0		3_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004DDC5		3_2_1004DDC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023E60		3_2_10023E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10004E92		3_2_10004E92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CEA0		3_2_1000CEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EEB0		3_2_1002EEB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004FED0		3_2_1004FED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10050F00		3_2_10050F00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EF48		3_2_1002EF48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002F80		3_2_10002F80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CF80		3_2_1000CF80

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 100089C0 appears 35 times

Source: licking.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_i

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\licking.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\licking.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 660
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6744 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_stable
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 656
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_stable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_license
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_configuration
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\licking.dll",#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_i			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_q			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_stable			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_i			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_q			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_stable			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",next			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_license			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_configuration			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe			Jump to behavior

Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{97253EDA-9E51-4673-8DC9-CE7D694C2945}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{97253EDA-9E51-4673-8DC9-CE7D694C2945}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{11E2E7D3-94AE-43D8-9C73-A2D28668E7F7}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6808
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5476
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5676
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6744

Source: C:\Windows\SysWOW64\wermgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Ophazamts

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D4C.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winDLL@30/18@0/100

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: licking.dll

Static PE information: More than 582 > 100 exports found

Source: licking.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: licking.dll

Static PE information: real checksum: 0xf1b7b should be: 0xf5a04

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_100A2A90 push eax; mov dword ptr [esp], esi

3_2_100A2B31

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

3_2_1001F523

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 6928 base: 8D3C50 value: E9 63 D7 B3 FF

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe TID: 4812

Thread sleep count: 196 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

3_2_10035030

Source: C:\Windows\SysWOW64\wermgr.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 Start: 10035315 End: 1003515E

3_2_10035030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001E0D9 mov eax, dword ptr fs:[00000030h]

3_2_1001E0D9

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

3_2_1001F523

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

3_2_10035030

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1008DB50 cpuid

3_2_1008DB50

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10092180 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress,

3_2_10092180

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_100A0AD0 GetCurrentThread,GetThreadTimes,GetSystemTimeAsFileTime,QueryPerformanceFrequency,QueryPerformanceCounter,GetCurrentProcess,GetProcessTimes,_errno,GetModuleHandleA,GetProcAddress,

3_2_100A0AD0

Lowering of HIPS / PFW / Operating System Security Settings

Source: rundll32.exe, 00000014.00000003.558797497.000000000509F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000014.00000003.558797497.000000000509F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000014.00000003.558797497.000000000509F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 00000014.00000003.558797497.000000000509F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000014.00000003.558797497.000000000509F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000014.00000003.558797497.000000000509F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 20.2.rundll32.exe.3320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.3410930.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.3410930.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.569965244.0000000005020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.569589743.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 20.2.rundll32.exe.3320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.3410930.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.3410930.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.569965244.0000000005020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.569589743.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY