Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
e.dll

Overview

General Information

Sample name:e.dll
Analysis ID:1519390
MD5:972d3e17b96745be89b80ec5d8f4f9d3
SHA1:e97c6461bbdcd91566f4cb75b456e399b7fe06c2
SHA256:b116511e3960ab5fa53ad6a3243240be11235ebdc323705827713cf12a9aeeda
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Abnormal high CPU Usage
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 1868 cmdline: loaddll32.exe "C:\Users\user\Desktop\e.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4564 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\e.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 6520 cmdline: rundll32.exe "C:\Users\user\Desktop\e.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: e.dllAvira: detected
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability
Machine Learning detection for sample
Source: e.dllJoe Sandbox ML: detected
Source: e.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: Binary string: a:\s7i.pdbL source: e.dll
Source: Binary string: a:\s7i.pdb source: loaddll32.exe, 00000000.00000002.3294503794.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp, e.dll
Source: unknownDNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: C:\Windows\System32\loaddll32.exeProcess Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_049B2084 NtCreateThreadEx,3_2_049B2084
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_048916803_2_04891680
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_048922A83_2_048922A8
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04891EAF3_2_04891EAF
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_048916983_2_04891698
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_048940943_2_04894094
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0489252C3_2_0489252C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_048944583_2_04894458
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_048945E83_2_048945E8
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_049B20843_2_049B2084
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_049B22A03_2_049B22A0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_049B71D23_2_049B71D2
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_049B14603_2_049B1460
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_049BA6603_2_049BA660
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_049B74103_2_049B7410
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_049BA9003_2_049BA900
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_049B12403_2_049B1240
Source: e.dllStatic PE information: Number of sections : 13 > 10
Source: e.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: e.dllStatic PE information: Section: z4g ZLIB complexity 0.9946666190294715
Source: e.dllStatic PE information: Section: qm ZLIB complexity 0.9991314643252213
Source: e.dllStatic PE information: Section: L ZLIB complexity 0.9966262291217672
Source: classification engineClassification label: mal60.evad.winDLL@6/0@1/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\e.dll",#1
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\e.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\e.dll",#1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\e.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\e.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\e.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: z55x9i2q7.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: e.dllStatic file information: File size 2228224 > 1048576
Source: e.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: a:\s7i.pdbL source: e.dll
Source: Binary string: a:\s7i.pdb source: loaddll32.exe, 00000000.00000002.3294503794.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp, e.dll
Source: e.dllStatic PE information: section name: .crt1
Source: e.dllStatic PE information: section name: z4g
Source: e.dllStatic PE information: section name: qm
Source: e.dllStatic PE information: section name: L
Source: e.dllStatic PE information: section name: CONST
Source: e.dllStatic PE information: section name: 3
Source: e.dllStatic PE information: section name: buicKDZl
Source: e.dllStatic PE information: section name: CRT
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0103996B pushfd ; ret 0_2_0103997B
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_010399DB pushfd ; iretd 0_2_010399DC
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0103D1F4 push edi; ret 0_2_0103D1F5
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E3C340 mov eax, dword ptr fs:[00000030h]0_2_00E3C340
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\e.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E31090 cpuid 0_2_00E31090

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		11
Process Injection		1
Virtualization/Sandbox Evasion		OS Credential Dumping1
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Rundll32		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Software Packing		Security Account Manager11
System Information Discovery		SMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Obfuscated Files or Information		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519390 Sample: e.dll Startdate: 26/09/2024 Architecture: WINDOWS Score: 60 17 206.23.85.13.in-addr.arpa 2->17 19 Antivirus / Scanner detection for submitted sample 2->19 21 Machine Learning detection for sample 2->21 23 AI detected suspicious sample 2->23 8 loaddll32.exe 1 2->8         started        signatures3 process4 signatures5 25 Tries to detect sandboxes / dynamic malware analysis system (file name check) 8->25 11 cmd.exe 1 8->11         started        13 conhost.exe 8->13         started        process6 process7 15 rundll32.exe 11->15         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
e.dll100%AviraHEUR/AGEN.1300770
e.dll100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
206.23.85.13.in-addr.arpa
unknown
unknownfalse
    		unknown

    World Map of Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1519390
    Start date and time:2024-09-26 13:04:41 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 16s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:7
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:e.dll
    Detection:MAL
    Classification:mal60.evad.winDLL@6/0@1/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 86%
    • Number of executed functions: 11
    • Number of non-executed functions: 10
    Cookbook Comments:
    • Found application associated with file extension: .dll

    Warnings

    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes where analyzed, report is missing behavior information
    • VT rate limit hit for: e.dll

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.857208389757357
    TrID:
    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
    • Generic Win/DOS Executable (2004/3) 0.20%
    • DOS Executable Generic (2002/1) 0.20%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:e.dll
    File size:2'228'224 bytes
    MD5:972d3e17b96745be89b80ec5d8f4f9d3
    SHA1:e97c6461bbdcd91566f4cb75b456e399b7fe06c2
    SHA256:b116511e3960ab5fa53ad6a3243240be11235ebdc323705827713cf12a9aeeda
    SHA512:060b6a99fae4af1d869cd23b84ab2b18d69eeba5ff60ac1355e605e5ecfe049b41fb52dc5989cdac90572133389673cc48fe366494bcb01de278bf93a247982a
    SSDEEP:49152:kwNgYx8UccgdkvUADkwkxSnTyCbJux8OwyvW:kwBVcNgUyZbnTytPTW
    TLSH:90A502BDB064C781D64B397F7E0A332DB53A17805187AD26E51778AE70236EC11B42BB
    File Content Preview:MZ......................@............................................q...q...q..0/...q..u*...q...,...q.......q..u*...q....V..q.......q..M....q..Rich.q..............PE..L...q3.f...........!......... !.....P.............@..........................."........

    File Icon

    Icon Hash:0f372331d982ca5a

    Static PE Info

    General

    Entrypoint:0x401450
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
    DLL Characteristics:TERMINAL_SERVER_AWARE
    Time Stamp:0x66F43371 [Wed Sep 25 15:59:45 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:0
    File Version Major:5
    File Version Minor:0
    Subsystem Version Major:5
    Subsystem Version Minor:0
    Import Hash:abe607481ac2953967a12ac99e7e578f

    Entrypoint Preview

    Instruction
    inc edx
    inc edx
    inc eax
    add dword ptr [00433320h], esp
    inc eax
    dec eax
    inc edx
    dec eax
    jmp 00007F56B0B98CBFh
    dec eax
    mov eax, esi
    push eax
    pop dword ptr [00433310h]
    xor edx, 0Ah
    inc edx
    mov eax, edx
    xor dword ptr [00433318h], ebx
    mov eax, edi
    push eax
    pop dword ptr [00433314h]
    mov dword ptr [0043331Ch], ebp
    lea eax, dword ptr [00401210h]
    call eax
    jmp 00007F56B0B98C63h
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    mov dword ptr [ebp+00h], eax
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    push ebp
    mov ebp, esp
    push eax
    mov eax, 00000001h
    mov dword ptr [ebp-04h], 00000000h
    add esp, 04h
    pop ebp
    ret
    nop
    nop

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0xf6940x50.rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x20f0000x6d28.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x2160000x9a4c.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0xf0300x1c.rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0xf0000x30.rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000xc9100xd000d8c6c2ce2710e51965ec969f1e605308False0.09927133413461539data1.5511921998856308IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .crt10xe0000x4e0x1000029ebcb0413d7a466159aef461509fffFalse0.025634765625data0.19194904064040105IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata0xf0000x8370x10003936868e1249266d25c6c43831ecaa9cFalse0.298583984375data2.7036873961689896IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data0x100000x242000x24000728fa214bf78861ed2be0464e5b2e851False0.2669542100694444data6.204494425770218IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    z4g0x350000x7a4cf0x7b000398319310efec22a8e1707da92eb10beFalse0.9946666190294715data7.995421677975023IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    qm0xb00000x70e8f0x71000fa2c61d59fecbab30f271e9278c4e647False0.9991314643252213data7.99943170498821IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    L0x1210000xe75040xe8000d17b37313f02147b68341a0bca06f4bfFalse0.9966262291217672data7.997710795649098IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    CONST0x2090000xd880x1000b052a42265a0ef04c82877e017c33121False0.7548828125data7.057514057791508IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    30x20a0000x13a00x20006c371933aac1ef87a68049c0aca61de8False0.5489501953125data5.6043812950914065IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    buicKDZl0x20c0000xf0e0x1000ecb3c30a4d5685f7394de862efbb63cdFalse0.756591796875data6.855147821668895IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    CRT0x20d0000x19200x2000f44e399cc7eb92f94e27ac6c5b5c2312False0.7213134765625data6.598433129737103IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc0x20f0000x6d280x700085992fe593ac7adce6fc2d273bfa339cFalse0.30946568080357145data5.688832279317778IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc0x2160000xada80xb00096222f6edd2ec89fd0af45e507598034False0.1380282315340909data5.6863785572940495IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountryZLIB Complexity
    RT_ICON0x20f3100x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224RussianRussia0.5469043151969981
    RT_ICON0x2103b80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088RussianRussia0.600177304964539
    RT_ICON0x2108200x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224RussianRussia0.5107879924953096
    RT_ICON0x2118c80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088RussianRussia0.648936170212766
    RT_ICON0x211d300x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224RussianRussia0.5668386491557224
    RT_ICON0x212dd80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088RussianRussia0.6551418439716312
    RT_ICON0x2132400x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224RussianRussia0.5905253283302064
    RT_ICON0x2142e80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088RussianRussia0.6826241134751773
    RT_ICON0x2147500x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224RussianRussia0.5466697936210131
    RT_ICON0x2157f80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088RussianRussia0.6445035460992907
    RT_GROUP_ICON0x215c600x22dataRussianRussia1.0588235294117647
    RT_GROUP_ICON0x215c880x22dataRussianRussia1.0588235294117647
    RT_GROUP_ICON0x215cb00x22dataRussianRussia1.0588235294117647
    RT_GROUP_ICON0x215cd80x22dataRussianRussia1.0588235294117647
    RT_GROUP_ICON0x215d000x22dataRussianRussia1.0588235294117647

    Imports

    DLLImport
    OLEAUT32.dllVarBoolFromR4
    KERNEL32.dllGetSystemTimeAsFileTime, GetStdHandle, SuspendThread, LoadLibraryExW, OutputDebugStringA, GetModuleFileNameW, GetBinaryTypeW
    GDI32.dllBitBlt

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    RussianRussia

    Network Behavior

    Network Port Distribution

    UDP Packets

    TimestampSource PortDest PortSource IPDest IP
    Sep 26, 2024 13:06:04.147870064 CEST5355884162.159.36.2192.168.2.5
    Sep 26, 2024 13:06:04.706095934 CEST6101153192.168.2.51.1.1.1
    Sep 26, 2024 13:06:04.713687897 CEST53610111.1.1.1192.168.2.5

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Sep 26, 2024 13:06:04.706095934 CEST192.168.2.51.1.1.10x1598Standard query (0)206.23.85.13.in-addr.arpaPTR (Pointer record)IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Sep 26, 2024 13:06:04.713687897 CEST1.1.1.1192.168.2.50x1598Name error (3)206.23.85.13.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    Behavior

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:07:05:31
    Start date:26/09/2024
    Path:C:\Windows\System32\loaddll32.exe
    Wow64 process (32bit):true
    Commandline:loaddll32.exe "C:\Users\user\Desktop\e.dll"
    Imagebase:0x270000
    File size:126'464 bytes
    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    General

    Target ID:1
    Start time:07:05:31
    Start date:26/09/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    General

    Target ID:2
    Start time:07:05:31
    Start date:26/09/2024
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\e.dll",#1
    Imagebase:0x790000
    File size:236'544 bytes
    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:3
    Start time:07:05:31
    Start date:26/09/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\e.dll",#1
    Imagebase:0x380000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Disassembly

    Reset < >

      Execution Graph

      Execution Coverage:7%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:20%
      Total number of Nodes:15
      Total number of Limit Nodes:1
      execution_graph 603 e31450 604 e3145f 603->604 606 e31210 604->606 608 e3121b 606->608 607 e31224 607->604 608->607 612 e3bac0 608->612 613 e3bafc GetBinaryTypeW 612->613 614 e31298 613->614 614->607 615 e3c8c0 614->615 616 e3c8dc 615->616 618 e3c906 616->618 619 e3c340 616->619 618->607 623 e3bb70 619->623 622 e3c38c 624 e3bb84 GetPEB 623->624 624->622

      Callgraph

      • Executed
      • Not Executed
      • Opacity -> Relevance
      • Disassembly available
      callgraph 0 Function_01039602 1 Function_00E310E0 61 Function_00E31090 1->61 2 Function_00E3CFE0 29 Function_00E3CEA0 2->29 68 Function_00E3CE60 2->68 96 Function_00E3BF20 2->96 113 Function_00E3D700 2->113 3 Function_00E3D1E0 4 Function_0103AA05 5 Function_0103B204 6 Function_0103AA10 7 Function_01039917 8 Function_01039415 9 Function_01039A15 10 Function_0103A61E 11 Function_01039523 12 Function_01039722 13 Function_00E312C0 14 Function_00E3C8C0 14->1 14->2 79 Function_00E3D370 14->79 81 Function_00E3C340 14->81 104 Function_00E3D730 14->104 105 Function_00E3BE30 14->105 15 Function_00E3BAC0 16 Function_01039227 17 Function_0103A526 18 Function_0103962A 19 Function_0103B128 20 Function_00FDAED1 21 Function_0103A730 22 Function_00E3C7D0 22->29 22->104 23 Function_00E3B9D0 77 Function_00E3BB70 23->77 24 Function_0103A83F 25 Function_0103AA3F 26 Function_0103AE3D 27 Function_0103AB41 28 Function_00E3C2A0 28->29 28->104 88 Function_00E3CF50 29->88 30 Function_00E3BBA0 31 Function_0103A447 32 Function_00F511B3 33 Function_01039A45 34 Function_0103984B 35 Function_0103A34B 36 Function_00E3D4AA 69 Function_00E3D160 36->69 37 Function_0103A949 38 Function_01039552 39 Function_01039351 40 Function_0103A257 41 Function_0103925A 42 Function_0103975A 43 Function_0103AE5A 44 Function_01039A59 45 Function_01039D5F 46 Function_0103AA62 47 Function_00E3D680 48 Function_0103AC66 49 Function_0103A564 50 Function_0103996B 51 Function_0103966A 52 Function_0103B069 53 Function_00E3148E 54 Function_01039D6E 55 Function_01039272 56 Function_00E3C391 57 Function_0103AE71 58 Function_00E3C590 58->77 59 Function_00E3C890 60 Function_00E3C190 62 Function_00E3BE90 62->3 118 Function_00E3C610 62->118 63 Function_0103B27B 64 Function_0103C17B 65 Function_0103A57A 66 Function_0103957F 67 Function_0103987D 70 Function_00E3CA60 70->29 70->58 70->59 70->77 97 Function_00E3CC20 70->97 71 Function_00E3BA60 72 Function_0103AE8A 73 Function_0103B189 74 Function_0103A28F 75 Function_0103A592 76 Function_00E3B970 78 Function_00E3C270 78->60 79->29 79->77 89 Function_00E3CA50 79->89 79->113 80 Function_0103AB96 81->77 82 Function_00E31340 83 Function_00E3D448 83->62 84 Function_010392AE 85 Function_0103A2AE 86 Function_00E31450 117 Function_00E31210 86->117 87 Function_00E3C550 87->78 90 Function_00E3C150 91 Function_00E3C65B 92 Function_0103A9BE 93 Function_0103ADBE 94 Function_0103B0C3 95 Function_0103AFC2 96->90 106 Function_00E3C530 96->106 107 Function_00E3C030 96->107 97->22 97->59 97->105 98 Function_00E3B920 99 Function_00E3BC2A 100 Function_0103AED3 101 Function_0103A2D2 102 Function_01039AD1 103 Function_0103A9D1 104->47 112 Function_00E3BC00 104->112 107->69 107->77 108 Function_010399DB 109 Function_0103AAD8 110 Function_010395E1 111 Function_00E31000 112->87 113->28 113->70 114 Function_0103A6E6 115 Function_0103A9E5 116 Function_0103B0EF 117->13 117->14 117->15 117->23 117->71 117->76 117->98 119 Function_010398F4 120 Function_0103D1F4 121 Function_0103A5FA 122 Function_010395F9

      Executed Functions

      Function 00E3BAC0 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 0 e3bac0-e3bb28 GetBinaryTypeW 2 e3bb41-e3bb48 0->2 3 e3bb2a-e3bb59 0->3 4 e3bb2c-e3bb37 2->4 6 e3bb5b-e3bb62 3->6 7 e3bb38-e3bb3f 3->7 6->4 7->4
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.3294464876.0000000000E3B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
      • Associated: 00000000.00000002.3294446405.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294464876.0000000000E31000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294503794.0000000000E3F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294521713.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294551536.0000000000E65000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294707802.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e30000_loaddll32.jbxd
      Similarity
      • API ID: BinaryType
      • String ID:
      • API String ID: 3726996659-0
      • Opcode ID: bc1864139be9b3ca866185c9d41e0864b201b8388311d604146d5e0ecb91bb27
      • Instruction ID: e1b03a382b0a9becc9f6bb8261e16c52d6bdc7bbecffeee8506edd65e67150e2
      • Opcode Fuzzy Hash: bc1864139be9b3ca866185c9d41e0864b201b8388311d604146d5e0ecb91bb27
      • Instruction Fuzzy Hash: AC112DB0D4021C9BDB24EF68E84D3E8FFB0BB10304F209199D509AB284D7759AC9CF92

      Non-executed Functions

      Function 00E3C340 Relevance: .1, Instructions: 121COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.3294464876.0000000000E3B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
      • Associated: 00000000.00000002.3294446405.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294464876.0000000000E31000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294503794.0000000000E3F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294521713.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294551536.0000000000E65000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294707802.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e30000_loaddll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7c94d9f95395a9fd8753916e1c88b798279fe2062e1fe3af7c92149602a08d41
      • Instruction ID: 27c1e83a2ad7ec2485110c5eec8439a7aef7ae30817c7bc1ebeebe6e34979447
      • Opcode Fuzzy Hash: 7c94d9f95395a9fd8753916e1c88b798279fe2062e1fe3af7c92149602a08d41
      • Instruction Fuzzy Hash: 555116B4A04214DFDB14CF99C498ABDBBB2FB48304F30949AD822BB3A0D775E950DB51
      Function 00E31090 Relevance: .0, Instructions: 29COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.3294464876.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
      • Associated: 00000000.00000002.3294446405.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294464876.0000000000E3B000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294503794.0000000000E3F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294521713.0000000000E40000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294551536.0000000000E65000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.3294707802.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e30000_loaddll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c8131a87a82cb8dfb0b3bb1e919aff05b0805bd29c01486d7ee8a9e21bcb2293
      • Instruction ID: f406d531653340e41dfd8032e31fb324fdbbf7212dcb24a435809cf0af96bd70
      • Opcode Fuzzy Hash: c8131a87a82cb8dfb0b3bb1e919aff05b0805bd29c01486d7ee8a9e21bcb2293
      • Instruction Fuzzy Hash: 61F012B19043199FD710CF6AE94046BBBF4FB49360B50843EE898A7340D770A944CF61

      Execution Graph

      Execution Coverage:22.8%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:75.6%
      Total number of Nodes:41
      Total number of Limit Nodes:5
      execution_graph 1645 48922a8 1646 48922e6 1645->1646 1646->1646 1647 489231e VirtualProtect 1646->1647 1649 4891d04 1647->1649 1648 4891d58 VirtualAlloc 1648->1649 1649->1648 1650 4891eaf 1651 4891ed8 1650->1651 1655 49b1460 1651->1655 1652 4891d58 VirtualAlloc 1653 4891d04 1652->1653 1653->1652 1657 49b14a5 1655->1657 1656 49b15cc 1656->1653 1657->1656 1659 49b7a20 1657->1659 1660 49b7a65 1659->1660 1661 49ba642 1660->1661 1665 49b71d2 VirtualFree 1660->1665 1668 49ba660 1660->1668 1672 49b22a0 1660->1672 1661->1657 1666 49b7176 1665->1666 1666->1665 1667 49b7231 1666->1667 1667->1660 1671 49ba6db 1668->1671 1669 49ba812 1669->1660 1670 49ba757 VirtualAllocExNuma 1670->1671 1671->1669 1671->1670 1674 49b2303 1672->1674 1673 49b6b8b 1673->1660 1674->1673 1675 49ba660 VirtualAllocExNuma 1674->1675 1677 49b71d2 VirtualFree 1674->1677 1678 49b2084 1674->1678 1675->1674 1677->1674 1679 49b2087 NtCreateThreadEx 1678->1679 1680 49b205c 1678->1680 1679->1680 1680->1678 1681 49b2130 1680->1681 1681->1674 1682 2d81eb1 VirtualProtect 1683 2d81fcb 1682->1683 1684 2d81151 1685 2d81166 1684->1685 1688 2d82222 VirtualAlloc 1685->1688 1687 2d81189 1689 2d822c3 1688->1689 1689->1687 1690 4891680 1692 4891c5c 1690->1692 1691 4891d58 VirtualAlloc 1691->1692 1692->1691

      Executed Functions

      Function 049B22A0 Relevance: 9.0, Strings: 2, Instructions: 6457COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 0 49b22a0-49b22fb 1 49b2303-49b233f 0->1 1->1 2 49b2341-49b24bb 1->2 3 49b24c2-49b24d1 2->3 4 49b24d7-49b252f 3->4 5 49b2636-49b2644 3->5 6 49b2563-49b25f1 call 49b2084 4->6 7 49b2531 4->7 8 49b2692-49b26a2 5->8 9 49b2646-49b268d 5->9 19 49b25f3-49b2631 6->19 13 49b2533-49b255a 7->13 11 49b26f9-49b270c 8->11 12 49b26a4-49b26f4 8->12 10 49b2850-49b285f 9->10 14 49b3d68-49b3d7a 10->14 15 49b2865-49b289d 10->15 16 49b273a-49b274c 11->16 17 49b270e-49b2735 11->17 12->10 13->13 18 49b255c 13->18 24 49b3da8-49b3db8 14->24 25 49b3d7c-49b3da3 14->25 20 49b2968-49b2b7f 15->20 21 49b28a3-49b28a6 15->21 22 49b2752-49b27ba call 49b1450 call 49ba660 16->22 23 49b27d7-49b27e6 16->23 17->10 18->6 19->10 28 49b2f15-49b2f9e 20->28 29 49b2b85-49b2b8d 20->29 26 49b295e-49b2962 21->26 27 49b28ac-49b2957 21->27 61 49b27bc-49b27d5 22->61 31 49b27e8-49b2802 23->31 32 49b2804-49b2813 23->32 33 49b3dba-49b3dc9 24->33 34 49b3dce-49b3de0 24->34 25->3 26->20 26->21 27->26 38 49b2fd0-49b30a7 28->38 39 49b2fa0-49b2fa3 28->39 35 49b2efb-49b2f0f 29->35 36 49b2b93-49b2ef9 29->36 31->10 40 49b2837-49b284a 32->40 41 49b2815-49b2835 32->41 33->3 42 49b515f-49b5171 34->42 43 49b3de6-49b494b 34->43 35->28 35->29 36->35 48 49b30a9-49b30af 38->48 49 49b30e4-49b30ef 38->49 44 49b2fca-49b2fce 39->44 45 49b2fa5-49b2fc3 39->45 40->10 50 49b6b8b-49b6b9e 40->50 41->10 46 49b51e3-49b51f2 42->46 47 49b5173-49b51cd call 49b71d2 42->47 51 49b4a0f-49b4a32 43->51 52 49b4951-49b4957 43->52 44->38 44->39 45->44 53 49b5212-49b5225 46->53 54 49b51f4-49b520d 46->54 73 49b51cf-49b51de 47->73 62 49b30de-49b30e2 48->62 63 49b30b1-49b30d7 48->63 57 49b31a8-49b3734 49->57 58 49b30f5-49b30f8 49->58 59 49b4a38-49b4a40 51->59 60 49b4e91-49b5066 51->60 55 49b495d-49b49fe 52->55 56 49b4a05-49b4a09 52->56 64 49b5227-49b5241 53->64 65 49b5246-49b5258 53->65 54->3 55->56 56->51 56->52 70 49b373a-49b3742 57->70 71 49b3d20-49b3d63 57->71 66 49b319e-49b31a2 58->66 67 49b30fe-49b319c 58->67 68 49b4e77-49b4e8b 59->68 69 49b4a46-49b4e75 59->69 72 49b506d-49b5070 60->72 61->10 62->48 62->49 63->62 64->3 74 49b57d8-49b57ea 65->74 75 49b525e-49b57d3 65->75 66->57 66->58 67->66 68->59 68->60 69->68 76 49b3748-49b3d04 70->76 77 49b3d06-49b3d1a 70->77 71->3 78 49b510e-49b5112 72->78 79 49b5076-49b510c 72->79 73->3 80 49b66fe-49b6710 74->80 81 49b57f0-49b5b54 74->81 75->3 76->77 77->70 77->71 78->72 82 49b5118-49b515a 78->82 79->78 80->3 83 49b6716-49b688c 80->83 85 49b5b56-49b5b59 81->85 82->3 86 49b6952-49b6954 83->86 87 49b6892 83->87 88 49b5b5b-49b5b81 85->88 89 49b5b83-49b5b87 85->89 91 49b6959-49b695b 86->91 90 49b6897-49b689d 87->90 88->89 89->85 92 49b5b89-49b5e93 89->92 93 49b6948-49b694c 90->93 94 49b68a3-49b6946 90->94 95 49b695d-49b6981 91->95 96 49b6984-49b6988 91->96 97 49b5e99-49b5ea1 92->97 98 49b5f5e-49b66f9 92->98 93->86 93->90 94->93 95->96 96->91 99 49b698a-49b6a9a 96->99 100 49b5f4f-49b5f58 97->100 101 49b5ea7-49b5f4d 97->101 98->3 102 49b6a9f-49b6aa2 99->102 100->97 100->98 101->100 103 49b6ac8-49b6acc 102->103 104 49b6aa4-49b6ac5 102->104 103->102 105 49b6ace-49b6b86 103->105 104->103 105->3
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.2158314718.00000000049B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 049B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_49b1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: 5`oj$5`oj
      • API String ID: 0-1924437217
      • Opcode ID: 5f15b64cda2abce3a350891acdf06b586557113f18447526f92c819481131827
      • Instruction ID: 79ba19766c5a429a08c560cb49112d9e54a772c554c63831b62974bf294025ee
      • Opcode Fuzzy Hash: 5f15b64cda2abce3a350891acdf06b586557113f18447526f92c819481131827
      • Instruction Fuzzy Hash: 4D93F77BB546114BD72CCE6DCCD12E9A6C76BC8314F1ED63E884ADB398DDB898064680
      Function 048922A8 Relevance: 3.2, APIs: 2, Instructions: 172memoryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 158 48922a8-48922e2 159 48922e6-489231c 158->159 159->159 160 489231e-489235d VirtualProtect 159->160 161 4892361-489236d 160->161 164 4891d18-4891d20 161->164 164->164 165 4891d22-4891dec call 48947a8 VirtualAlloc call 48947a8 164->165 169 4891df1-4891e8a call 48947a8 * 2 165->169 169->161
      APIs
      • VirtualAlloc.KERNELBASE(?,?,?,?,?,-00000001,-00000001), ref: 04891DAA
      • VirtualProtect.KERNELBASE(?,00000800,?,?), ref: 0489235A
      Memory Dump Source
      • Source File: 00000003.00000002.2158125777.0000000004891000.00000020.00001000.00020000.00000000.sdmp, Offset: 04891000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4891000_rundll32.jbxd
      Similarity
      • API ID: Virtual$AllocProtect
      • String ID:
      • API String ID: 2447062925-0
      • Opcode ID: e3d0b00510a6c716ea44dc0f727e4e475cbbcd87a214dbe7fa62648bb9f1230c
      • Instruction ID: e6e16850a4abf6c0749836a12b9e1b13619d87a294d4ceb7d815777925831043
      • Opcode Fuzzy Hash: e3d0b00510a6c716ea44dc0f727e4e475cbbcd87a214dbe7fa62648bb9f1230c
      • Instruction Fuzzy Hash: E261A1725083458FD314CF29C844BAAFBE6EBC5310F19CA6ED499CB3A1DB349906CB51
      Function 049BA660 Relevance: 1.7, APIs: 1, Instructions: 199memoryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 174 49ba660-49ba6d9 175 49ba6df-49ba702 174->175 176 49ba6db-49ba6dc 175->176 177 49ba704-49ba716 175->177 176->175 178 49ba71c-49ba747 177->178 179 49ba812-49ba825 177->179 180 49ba74b-49ba755 178->180 181 49ba7a3-49ba7ad 180->181 182 49ba757-49ba7a1 VirtualAllocExNuma 180->182 184 49ba7af-49ba7b3 181->184 185 49ba7b5-49ba7bf 181->185 183 49ba806-49ba80c 182->183 183->179 183->180 184->183 186 49ba828-49ba8f7 185->186 187 49ba7c1-49ba7cb 185->187 186->183 188 49ba7cd-49ba7e1 187->188 189 49ba7e3-49ba7ed 187->189 188->183 189->183 190 49ba7ef-49ba802 189->190 190->183
      APIs
      • VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 049BA78C
      Memory Dump Source
      • Source File: 00000003.00000002.2158314718.00000000049B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 049B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_49b1000_rundll32.jbxd
      Similarity
      • API ID: AllocNumaVirtual
      • String ID:
      • API String ID: 4233825816-0
      • Opcode ID: bb014535e84222415e2740a909c11e7032433d37d621b54b47bb84e637f0ffb1
      • Instruction ID: 839d6f00f1dc584a1475bafeb437f6553e85ffc1d7482e156c434ee522f4542f
      • Opcode Fuzzy Hash: bb014535e84222415e2740a909c11e7032433d37d621b54b47bb84e637f0ffb1
      • Instruction Fuzzy Hash: 9C71C276A182418FC718CF29D9906ABB7E6FBC8310F15892DE5D5CB390EB75E805CB81
      Function 049B2084 Relevance: 1.7, APIs: 1, Instructions: 157nativethreadCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 193 49b2084-49b2085 194 49b2087-49b20f4 NtCreateThreadEx 193->194 195 49b2104-49b210c 193->195 196 49b20f6-49b20ff 194->196 197 49b210e-49b2116 195->197 198 49b2160 195->198 200 49b205c-49b205e 196->200 201 49b2118-49b2120 197->201 202 49b2142-49b215b 197->202 199 49b2163-49b2167 198->199 199->200 203 49b2060-49b2072 200->203 204 49b2077-49b207f 200->204 205 49b216c-49b21ca 201->205 206 49b2122-49b212a 201->206 202->200 203->199 204->193 209 49b21d4-49b21fe 205->209 206->200 207 49b2130-49b213f 206->207 209->209 210 49b2200-49b2299 209->210 210->196
      APIs
      • NtCreateThreadEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?), ref: 049B20D8
      Memory Dump Source
      • Source File: 00000003.00000002.2158314718.00000000049B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 049B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_49b1000_rundll32.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: e75de7f7c8973f8968923a43fc5e49e24cd9e31366405c05753316aafa650609
      • Instruction ID: c29bfed7cc92829941573ecc71595280041ba39e98c2821e32d810d8b5e68c60
      • Opcode Fuzzy Hash: e75de7f7c8973f8968923a43fc5e49e24cd9e31366405c05753316aafa650609
      • Instruction Fuzzy Hash: C5611972A101299FCB14CFA8CD45ADDBBB2FF88210F1581A5D549BB214D730A995CF90
      Function 04891EAF Relevance: 1.6, APIs: 1, Instructions: 302memoryCOMMON
      Download Yara Rule

      Control-flow Graph

      APIs
      • VirtualAlloc.KERNELBASE(?,?,?,?,?,-00000001,-00000001), ref: 04891DAA
      Memory Dump Source
      • Source File: 00000003.00000002.2158125777.0000000004891000.00000020.00001000.00020000.00000000.sdmp, Offset: 04891000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4891000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 43441840d981fc0e48581257efbd703a297d5be34b5871038f5b806ae43a33d4
      • Instruction ID: 039d163431580656c7ba174336d8cb943557e8a024ee33d9e40562c782397fc6
      • Opcode Fuzzy Hash: 43441840d981fc0e48581257efbd703a297d5be34b5871038f5b806ae43a33d4
      • Instruction Fuzzy Hash: AEB1D576A047408FD728CF2AC8857EAF7E6BFC9310F198A2E945ECB354DB7499058B41
      Function 04891680 Relevance: 1.4, APIs: 1, Instructions: 168memoryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 232 4891680-4891cc2 234 4891ce2-4891cfd 232->234 235 4891cc4 232->235 236 4891d04-4891d16 234->236 237 4891cc6-4891ce0 235->237 239 4891d18-4891d20 236->239 237->234 237->237 239->239 240 4891d22-489236d call 48947a8 VirtualAlloc call 48947a8 * 3 239->240 240->236
      APIs
      • VirtualAlloc.KERNELBASE(?,?,?,?,?,-00000001,-00000001), ref: 04891DAA
      Memory Dump Source
      • Source File: 00000003.00000002.2158125777.0000000004891000.00000020.00001000.00020000.00000000.sdmp, Offset: 04891000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4891000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 9209b95e7a654a98648ea02ff8e2b9b1ed9d890023c3405c67b015ec8733cd38
      • Instruction ID: 0e90d57ecd848a1e67bb90058f244881fc4038ae9b95c66cded17d212948db0a
      • Opcode Fuzzy Hash: 9209b95e7a654a98648ea02ff8e2b9b1ed9d890023c3405c67b015ec8733cd38
      • Instruction Fuzzy Hash: 7F61C1B1A183448FD714CF29C844BABFBE5EBC9310F158A6EA099CB394DB74D906CB51
      Function 049B71D2 Relevance: 1.4, APIs: 1, Instructions: 140COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 250 49b71d2-49b7215 VirtualFree 251 49b7218-49b7221 250->251 252 49b7176-49b7178 251->252 253 49b717a-49b718c 252->253 254 49b718e-49b7196 252->254 253->252 255 49b719c-49b71aa 254->255 256 49b7243-49b725b 254->256 257 49b7231-49b7240 255->257 258 49b71b0-49b71b8 255->258 256->252 259 49b71be-49b71c6 258->259 260 49b7260-49b7363 258->260 261 49b71c8-49b71d0 259->261 262 49b7226-49b722c 259->262 260->251 261->250 261->252 262->252
      APIs
      • VirtualFree.KERNELBASE(?,?,?), ref: 049B71EF
      Memory Dump Source
      • Source File: 00000003.00000002.2158314718.00000000049B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 049B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_49b1000_rundll32.jbxd
      Similarity
      • API ID: FreeVirtual
      • String ID:
      • API String ID: 1263568516-0
      • Opcode ID: b7a3d79787c70ef02c968f3679bf5a098247546748f07890eda2144efe5530b4
      • Instruction ID: d2d41636d464c9613ceaf1712e659b8b9210b5879c9ce7e1efe20bdceca18f09
      • Opcode Fuzzy Hash: b7a3d79787c70ef02c968f3679bf5a098247546748f07890eda2144efe5530b4
      • Instruction Fuzzy Hash: CC511877E001199FCB24CFA8D941ADDB7B2FF98314F26819AD549B7240DB34BA468F90
      Function 049B1460 Relevance: .9, Instructions: 925COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 276 49b1460-49b14a3 277 49b14a5-49b14e3 276->277 277->277 278 49b14e5-49b15ac 277->278 279 49b15b3-49b15b5 278->279 280 49b15c0-49b15ca 279->280 281 49b15b7-49b15bb 279->281 283 49b15de-49b15e8 280->283 284 49b15cc-49b15db 280->284 282 49b199f 281->282 285 49b19a1-49b19a5 282->285 286 49b19aa-49b1ee1 283->286 287 49b15ee-49b15f8 283->287 285->279 286->279 288 49b1988-49b199d 287->288 289 49b15fe-49b1608 287->289 288->282 290 49b160e-49b1618 289->290 291 49b1964-49b1986 289->291 292 49b161e-49b1627 290->292 293 49b194d-49b1962 290->293 291->285 294 49b1939-49b194b 292->294 295 49b162d-49b1637 292->295 293->282 294->282 295->279 296 49b163d-49b190f call 49b7a20 295->296 297 49b1911-49b1934 296->297 297->279
      Memory Dump Source
      • Source File: 00000003.00000002.2158314718.00000000049B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 049B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_49b1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 093a39e6cca87a2677cf1c299fbee650360222ba92ddac3544452e444ea6eb42
      • Instruction ID: b5235683ef1911ff98059f02d0ad13523eb4b5b402e70e94f05b3d278b3251ae
      • Opcode Fuzzy Hash: 093a39e6cca87a2677cf1c299fbee650360222ba92ddac3544452e444ea6eb42
      • Instruction Fuzzy Hash: 3B52E537B546214BD72CCE7DCD912AAF6D7ABC8310F1AD63E9889D7348DEB49C058680
      Function 02D81EB1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70memoryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 152 2d81eb1-2d81f0d VirtualProtect 153 2d82067-2d8208f 152->153 154 2d81fcb-2d82034 call 2d814a3 153->154 155 2d82095 153->155 154->153
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.2157946408.0000000002D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_2d80000_rundll32.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID: X
      • API String ID: 544645111-3081909835
      • Opcode ID: d2a3a0994755566863b41518f0ba61358616c682e99c523238f9e6b8a90c07c6
      • Instruction ID: 2358085d9a790853ba5ce9578b55f69c483abd2e32c682b963db830abbe11bac
      • Opcode Fuzzy Hash: d2a3a0994755566863b41518f0ba61358616c682e99c523238f9e6b8a90c07c6
      • Instruction Fuzzy Hash: 1831D0B5E006288FCB44CF58C880A9DFBB1FF48310F5981AAC909A7352D731AD85CF90
      Function 02D82222 Relevance: 1.3, APIs: 1, Instructions: 89memoryCOMMON
      Download Yara Rule

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.2157946408.0000000002D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_2d80000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: a853c751a643228eb4d2c365fda210328325f3f8cf685f1355486acaac55ff4e
      • Instruction ID: b2c23738c2960d091e4493fe2b701dd3e46e1feb49c435579406a78727106e62
      • Opcode Fuzzy Hash: a853c751a643228eb4d2c365fda210328325f3f8cf685f1355486acaac55ff4e
      • Instruction Fuzzy Hash: CD41DDB09002068FDB48DF98C5947AAFBF1FF48304F14856ED859AB351D375A985CFA1

      Non-executed Functions

      Function 0489252C Relevance: .7, Instructions: 718COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000003.00000002.2158125777.0000000004891000.00000020.00001000.00020000.00000000.sdmp, Offset: 04891000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4891000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 12792a5a6addfeb328d96472114ccac6a2331575a3cf4f757739667327385a4c
      • Instruction ID: 4811a62a04d422009979679de6cace93d4fef190bb7f7b930fcb243af990572a
      • Opcode Fuzzy Hash: 12792a5a6addfeb328d96472114ccac6a2331575a3cf4f757739667327385a4c
      • Instruction Fuzzy Hash: 53620531208785DFCB36CF28C5C4A9AB7E5BB85314F198EADE489CB244D770BA45CB52
      Function 04891698 Relevance: .4, Instructions: 377COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000003.00000002.2158125777.0000000004891000.00000020.00001000.00020000.00000000.sdmp, Offset: 04891000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4891000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e4f313722a15e4623c191befe274cfec4421622090087dd00f6223ee18e92283
      • Instruction ID: 3e1635b342aab1ff68f996b7631cb17817d49a1958efc942ca9dde8f321fbb8e
      • Opcode Fuzzy Hash: e4f313722a15e4623c191befe274cfec4421622090087dd00f6223ee18e92283
      • Instruction Fuzzy Hash: FAF1053160C786CFDB39CF14C5E4AEAB7E2AFC9314F594A1DD48A8B284DB706845CB52
      Function 04894094 Relevance: .2, Instructions: 225COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000003.00000002.2158125777.0000000004891000.00000020.00001000.00020000.00000000.sdmp, Offset: 04891000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4891000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: de3e03a65e88790c5d447cc3591d9ddcaabb615879e588449687da4972cc4df9
      • Instruction ID: 01f783443ed07dadd0596291ce42898b3a063ff873a3263a58f355c1068d8982
      • Opcode Fuzzy Hash: de3e03a65e88790c5d447cc3591d9ddcaabb615879e588449687da4972cc4df9
      • Instruction Fuzzy Hash: 08B1F471A087958BCB39CF68C190BAEB7E1BBD8710F154A2DD9DA67240D7307846CB92
      Function 049B7410 Relevance: .2, Instructions: 223COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000003.00000002.2158314718.00000000049B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 049B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_49b1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a5f9c8c5a2fb2c465fe9bbec516f99338104a401a59b05172606eb737b11d40d
      • Instruction ID: 51c311c79fdfd526d97521090de73bcbe59338726c8ff2271616b97a35fecb91
      • Opcode Fuzzy Hash: a5f9c8c5a2fb2c465fe9bbec516f99338104a401a59b05172606eb737b11d40d
      • Instruction Fuzzy Hash: 87A1E231208381CFD724CF68C980B9AB7E6BBC8314F558E6DE5899B355D770F8458BA2
      Function 049BA900 Relevance: .2, Instructions: 188COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000003.00000002.2158314718.00000000049B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 049B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_49b1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 20d48e04fb9530becd907377b4d1e1e4d70ff61d1300d58a14be977c140d52b2
      • Instruction ID: 24f99f8c275fb1fc6365e0ce0a360b9398efea0a134d989e0639ae509c07aa47
      • Opcode Fuzzy Hash: 20d48e04fb9530becd907377b4d1e1e4d70ff61d1300d58a14be977c140d52b2
      • Instruction Fuzzy Hash: 99716B766082528FC724CF29C99059BB7E3FFC8314F658A2DE48997354EB30B916CB91
      Function 049B1240 Relevance: .1, Instructions: 148COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000003.00000002.2158314718.00000000049B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 049B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_49b1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 83666c064191d2458f42f2e3a85c81b189d49f5d15294839f4282af49e29407c
      • Instruction ID: 8660112c1b8e50d25379c61a8dc0a9631c9526baf4587f30928afd5fb3e0f67e
      • Opcode Fuzzy Hash: 83666c064191d2458f42f2e3a85c81b189d49f5d15294839f4282af49e29407c
      • Instruction Fuzzy Hash: 7E51A9326083428FC710CF29C491AAAB7E6FBC9354F1A496DE5D59B354E730F906CB82
      Function 048945E8 Relevance: .1, Instructions: 142COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000003.00000002.2158125777.0000000004891000.00000020.00001000.00020000.00000000.sdmp, Offset: 04891000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4891000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d935ef4b35b266fb722b1a127a908a385e5b7b79592bc7714fe966ad5c3fe869
      • Instruction ID: b82cfc2b25c963a55a1719a321bcb4ccc2dda358710536ffca784910e0b37893
      • Opcode Fuzzy Hash: d935ef4b35b266fb722b1a127a908a385e5b7b79592bc7714fe966ad5c3fe869
      • Instruction Fuzzy Hash: D3515872D086759BDB24CF18C44016AF7E0AF85B24F1A4A69EC99BB251D770BC52CBC2
      Function 04894458 Relevance: .1, Instructions: 111COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000003.00000002.2158125777.0000000004891000.00000020.00001000.00020000.00000000.sdmp, Offset: 04891000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4891000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f7ee78b225cc89823236e83c6bd0c4a5e3c3649f5ac76e28c28b5ab477508547
      • Instruction ID: 9e040892db27d8393de88c38d9322a783a3894166b0952ee90ef38cf0eb53010
      • Opcode Fuzzy Hash: f7ee78b225cc89823236e83c6bd0c4a5e3c3649f5ac76e28c28b5ab477508547
      • Instruction Fuzzy Hash: CF41903160C6A18BCB04CF69C49052EBBE2AFC9B14F598E1DE4C59B294D674FC06CB92