Windows Analysis Report
F072.dll

AV Detection

Source: 00000011.00000002.418554458.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Source: F072.dll

Avira: detected

Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: netstat -nao
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: runas
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ipconfig /all
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: net localgroup
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Microsoft
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SELF_TEST_1
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: p%08x
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Self test FAILED!!!
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Self test OK.
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: /t5
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: whoami /all
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: cmd
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: route print
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: .lnk
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: arp -a
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: net share
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: cmd.exe /c set
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Self check
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %u;%u;%u;
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ProfileImagePath
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ProgramData
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Self check ok!
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: powershell.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: qwinsta
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: net view
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Component_08
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Start screenshot
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: appidapi.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: c:\ProgramData
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Component_07
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: powershell.exe -encodedCommand
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: netstat -nao
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: runas
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ipconfig /all
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SystemRoot
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: cscript.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: .dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: image/jpeg
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: LocalLow
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: displayName
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: shlwapi.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: CommandLine
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: kernel32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: 1234567890
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: wbj.go
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_DiskDrive
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: System32
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Name
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: WRSA.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: c:\\
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SpyNetReporting
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: FALSE
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: aswhookx.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Packages
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: RepUx.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Winsta0
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: root\SecurityCenter2
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: MsMpEng.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: userenv.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: csc_ui.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: \\.\pipe\
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: pstorec.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: NTUSER.DAT
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: from
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: netapi32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: gdi32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: setupapi.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: iphlpapi.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Caption
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: CrAmTray.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: user32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: \sf2.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Software\Microsoft
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %S.%06d
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: bcrypt.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: wtsapi32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: shell32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: TRUE
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_Bios
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: */*
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ByteFence.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: type=0x%04X
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ROOT\CIMV2
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: https
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: fshoster32.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: kernelbase.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: regsvr32.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %s\system32\
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_Process
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: rundll32.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: LOCALAPPDATA
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: cmd.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: APPDATA
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: select
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: .exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: mcshield.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: advapi32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ws2_32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: .cfg
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_Product
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: WQL
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: wininet.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: LastBootUpTime
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: urlmon.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Create
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_PnPEntity
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Initializing database...
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: winsta0\default
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: .dat
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: WBJ_IGNORE
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: next
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: wpcap.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: image/pjpeg
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: fmon.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: vbs
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: aswhooka.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SysWOW64
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: mpr.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: image/gif
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: crypt32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ntdll.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: open
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SystemRoot
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: cscript.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: .dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: image/jpeg
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: LocalLow
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: displayName
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: shlwapi.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: CommandLine
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: kernel32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: 1234567890
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: wbj.go
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_DiskDrive
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: System32
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Name
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: WRSA.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: c:\\
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SpyNetReporting
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: FALSE
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: aswhookx.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Packages
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: RepUx.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Winsta0
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: root\SecurityCenter2
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: MsMpEng.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: userenv.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: csc_ui.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: \\.\pipe\
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: pstorec.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: NTUSER.DAT
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: from
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: netapi32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: gdi32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: setupapi.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: iphlpapi.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Caption
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: CrAmTray.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: user32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: \sf2.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Software\Microsoft
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %S.%06d
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: bcrypt.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: wtsapi32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: shell32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: TRUE
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_Bios
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: */*
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ByteFence.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: type=0x%04X
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ROOT\CIMV2
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: https
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: fshoster32.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: kernelbase.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: regsvr32.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %s\system32\
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_Process
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: rundll32.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: LOCALAPPDATA
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: cmd.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: APPDATA
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: select
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: .exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: mcshield.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: advapi32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ws2_32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: .cfg
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_Product
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: WQL
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: wininet.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: LastBootUpTime
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: urlmon.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Create
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Win32_PnPEntity
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Initializing database...
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: winsta0\default
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: .dat
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: WBJ_IGNORE
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: next
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: wpcap.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: image/pjpeg
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: fmon.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: vbs
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: aswhooka.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: SysWOW64
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: mpr.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: image/gif
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: crypt32.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: ntdll.dll
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: open
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 17.2.rundll32.exe.4940000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Cryptography

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,		3_2_10035030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C0B0 mv_cast5_crypt2,		3_2_1000C0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0 mv_camellia_crypt,		3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,		3_2_10013100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C1B0 mv_cast5_crypt,		3_2_1000C1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,		3_2_100132D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,		3_2_10002480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,		3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,		3_2_100084B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002523 mv_aes_crypt,		3_2_10002523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001363B mv_encryption_init_info_alloc,		3_2_1001363B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000867B mv_blowfish_crypt_ecb,		3_2_1000867B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100136FB mv_encryption_init_info_alloc,		3_2_100136FB

Compliance

Source: F072.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: unknown

HTTPS traffic detected: 68.87.41.40:443 -> 192.168.2.5:49731 version: TLS 1.2

Source: F072.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Spreading

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_04949DA8 FindFirstFileW,FindNextFileW,

17_2_04949DA8

Networking

Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 205.237.67.69:995
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 193.253.100.236:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 102.159.188.125:443
Source: Malware configuration extractor	IPs: 71.38.155.217:443
Source: Malware configuration extractor	IPs: 58.186.75.42:443
Source: Malware configuration extractor	IPs: 76.178.148.107:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 51.14.29.227:2222
Source: Malware configuration extractor	IPs: 59.28.84.65:443
Source: Malware configuration extractor	IPs: 173.88.135.179:443
Source: Malware configuration extractor	IPs: 103.144.201.56:2078
Source: Malware configuration extractor	IPs: 96.87.28.170:2222
Source: Malware configuration extractor	IPs: 105.186.128.181:995
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 151.62.238.176:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 122.186.210.254:443
Source: Malware configuration extractor	IPs: 82.125.44.236:2222
Source: Malware configuration extractor	IPs: 84.108.200.161:443
Source: Malware configuration extractor	IPs: 76.16.49.134:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 76.170.252.153:995
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 78.92.133.215:443
Source: Malware configuration extractor	IPs: 50.68.204.71:993
Source: Malware configuration extractor	IPs: 186.75.95.6:443
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 98.145.23.67:443
Source: Malware configuration extractor	IPs: 85.57.212.13:3389
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 69.242.31.249:443
Source: Malware configuration extractor	IPs: 81.101.185.146:443
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 75.143.236.149:443
Source: Malware configuration extractor	IPs: 14.192.241.76:995
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 220.240.164.182:443
Source: Malware configuration extractor	IPs: 73.29.92.128:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 76.86.31.59:443
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 68.203.69.96:443
Source: Malware configuration extractor	IPs: 124.122.47.148:443
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 92.186.69.229:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 89.129.109.27:2222
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 125.99.76.102:443
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 151.65.167.77:443
Source: Malware configuration extractor	IPs: 86.132.236.117:443
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 89.36.206.69:995
Source: Malware configuration extractor	IPs: 96.56.197.26:2083
Source: Malware configuration extractor	IPs: 78.18.105.11:443
Source: Malware configuration extractor	IPs: 82.127.153.75:2222
Source: Malware configuration extractor	IPs: 90.78.147.141:2222
Source: Malware configuration extractor	IPs: 82.131.141.209:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 80.12.88.148:2222
Source: Malware configuration extractor	IPs: 69.133.162.35:443
Source: Malware configuration extractor	IPs: 172.115.17.50:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 24.198.114.130:995
Source: Malware configuration extractor	IPs: 50.68.204.71:443
Source: Malware configuration extractor	IPs: 69.119.123.159:2222
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 70.112.206.5:443
Source: Malware configuration extractor	IPs: 198.2.51.242:993
Source: Malware configuration extractor	IPs: 2.36.64.159:2078
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 84.215.202.8:443
Source: Malware configuration extractor	IPs: 147.219.4.194:443
Source: Malware configuration extractor	IPs: 116.74.164.81:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 12.172.173.82:995
Source: Malware configuration extractor	IPs: 77.86.98.236:443
Source: Malware configuration extractor	IPs: 104.35.24.154:443
Source: Malware configuration extractor	IPs: 213.64.33.61:2222
Source: Malware configuration extractor	IPs: 47.149.134.231:443
Source: Malware configuration extractor	IPs: 72.134.124.16:443
Source: Malware configuration extractor	IPs: 47.34.30.133:443
Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 78.160.146.127:443
Source: Malware configuration extractor	IPs: 84.35.26.14:995
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 124.149.143.189:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 186.64.67.30:443
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 174.58.146.57:443
Source: Malware configuration extractor	IPs: 94.207.104.225:443
Source: Malware configuration extractor	IPs: 86.97.55.89:2222
Source: Malware configuration extractor	IPs: 69.123.4.221:2222

Source: Joe Sandbox View	ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
Source: Joe Sandbox View	ASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 2.82.8.80 2.82.8.80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cacheCookie: xpgn=1

Source: global traffic

TCP traffic: 192.168.2.5:49748 -> 85.57.212.13:3389

Source: unknown

Network traffic detected: IP country count 30

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 85.57.212.13
Source: unknown	TCP traffic detected without corresponding DNS query: 85.57.212.13
Source: unknown	TCP traffic detected without corresponding DNS query: 85.57.212.13
Source: unknown	TCP traffic detected without corresponding DNS query: 85.57.212.13
Source: unknown	TCP traffic detected without corresponding DNS query: 85.57.212.13

Source: national[1].htm.24.dr

String found in binary or memory: Find tutorials and demos\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca rel=\"nofollow\" href=\"https:\u002F\u002Fwww.facebook.com\u002Fxfinity\"\u003EFacebook equals www.facebook.com (Facebook)

Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, rundll32.exe, 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.399211143.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.407006224.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.414998004.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.414998450.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.419061010.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, F072.dll	String found in binary or memory: https://streams.videolan.org/upload/
Source: national[1].htm.24.dr	String found in binary or memory: https://www.xfinity.com/learn/internet-service/acp
Source: national[1].htm.24.dr	String found in binary or memory: https://www.xfinity.com/mobile/policies/broadband-disclosures
Source: national[1].htm.24.dr	String found in binary or memory: https://www.xfinity.com/networkmanagement

Source: unknown

DNS traffic detected: queries for: xfinity.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cacheCookie: xpgn=1

Source: unknown

HTTPS traffic detected: 68.87.41.40:443 -> 192.168.2.5:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: loaddll32.exe, 00000000.00000002.409804519.000000000123B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: F072.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: 17.2.rundll32.exe.4940000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 17.2.rundll32.exe.2c51168.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 17.2.rundll32.exe.2c51168.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 664

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D060		3_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10028070		3_2_10028070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B0AB		3_2_1002B0AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0		3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10008144		3_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002A1A1		3_2_1002A1A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100101D0		3_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001021B		3_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027220		3_2_10027220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007270		3_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10024280		3_2_10024280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002334C		3_2_1002334C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100353B0		3_2_100353B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100243C0		3_2_100243C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480		3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004C4C0		3_2_1004C4C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D4D0		3_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001F523		3_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100105C0		3_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100215D0		3_2_100215D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000164B		3_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100206A7		3_2_100206A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010750		3_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000E760		3_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010778		3_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002A800		3_2_1002A800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_049571FF		17_2_049571FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04958D30		17_2_04958D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0495320D		17_2_0495320D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04943A40		17_2_04943A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04956E40		17_2_04956E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04954A6F		17_2_04954A6F

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0494A412 NtAllocateVirtualMemory,NtWriteVirtualMemory,		17_2_0494A412
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0494A823 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,		17_2_0494A823
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0494CA0F NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,		17_2_0494CA0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_049543F4 NtProtectVirtualMemory,NtProtectVirtualMemory,		17_2_049543F4

Source: F072.dll

Binary or memory string: OriginalFilenameavutil-lav-57.dll. vs F072.dll

Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncryptsslp.dll

Source: F072.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\F072.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F072.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_stable
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_stable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mvutil_license
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mvutil_configuration
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F072.dll",#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_i			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_q			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_stable			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_i			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_q			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_stable			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",next			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mvutil_license			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mvutil_configuration			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe			Jump to behavior

Source: C:\Windows\SysWOW64\wermgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Ixayi

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF92.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@31/23@2/100

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_0494D213 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

17_2_0494D213

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_0494C71C CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,

17_2_0494C71C

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_i

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5240
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{26CAAE63-F26A-4151-91F8-5B190E00B3CB}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5708
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2528:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5236
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4696
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4732
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E98255E4-990A-4ADC-9ACC-3D92A2E78CDC}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{26CAAE63-F26A-4151-91F8-5B190E00B3CB}

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: F072.dll

Static PE information: More than 582 > 100 exports found

Source: F072.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

3_2_1001F523

Source: F072.dll

Static PE information: real checksum: 0xf1b7b should be: 0xf2fd9

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 6828 base: 1093C50 value: E9 63 D7 69 FF

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe TID: 5392	Thread sleep count: 181 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 6848	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

3_2_10035030

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\SysWOW64\wermgr.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_0494B883 GetSystemInfo,

17_2_0494B883

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_04949DA8 FindFirstFileW,FindNextFileW,

17_2_04949DA8

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1g

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 Start: 10035315 End: 1003515E

3_2_10035030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

3_2_1001F523

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

3_2_10035030

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001E0D9 mov eax, dword ptr fs:[00000030h]		3_2_1001E0D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_046B2297 mov eax, dword ptr fs:[00000030h]		17_3_046B2297
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04941015 mov eax, dword ptr fs:[00000030h]		17_2_04941015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_049421CD mov eax, dword ptr fs:[00000030h]		17_2_049421CD

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 760000			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 730000			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1093C50			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 730000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 760000 protect: page read and write			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Windows\SysWOW64\wermgr.exe base: 730000 value starts with: 4D5A

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_0494C2D1 GetSystemTimeAsFileTime,

17_2_0494C2D1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10092180 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress,

3_2_10092180

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_0494BB4D GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW,

17_2_0494BB4D

Lowering of HIPS / PFW / Operating System Security Settings

Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 17.2.rundll32.exe.4940000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2c51168.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2c51168.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.418718397.0000000004980000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.418554458.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 17.2.rundll32.exe.4940000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2c51168.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2c51168.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.418718397.0000000004980000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.418554458.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY