Windows Analysis Report
stk.dll

Overview

General Information

Sample name: stk.dll
Analysis ID: 1640273
MD5: 14e800e2bd120aa901d6ad64d4cb2e0d
SHA1: 1c0e573414c9203d21ffaaf0f0e1f7e1ac2c2ef1
SHA256: fdb66a946c59598ecc3cb143c16582b442ec3642b0df1bb025d9eda304ca2236

Detection

Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by execution special instruction (VM detection)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64_ra
  • loaddll64.exe (PID: 2984 cmdline: loaddll64.exe "C:\Users\user\Desktop\stk.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3816 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\stk.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 4448 cmdline: rundll32.exe "C:\Users\user\Desktop\stk.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • rundll32.exe (PID: 6016 cmdline: c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,7295 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 2092 cmdline: rundll32.exe C:\Users\user\Desktop\stk.dll,Init MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 3808 cmdline: c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,6138 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 3796 cmdline: c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,5329 MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp                       | SID     | Severity | Classtype       | Source IP    | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T02:49:48.761319+0100 | 2028371 | 3        | Unknown Traffic | 192.168.2.16 | 49703       | 172.67.69.236  | 443              | TCP
2025-03-17T02:49:51.725612+0100 | 2028371 | 3        | Unknown Traffic | 192.168.2.16 | 49705       | 172.67.69.236  | 443              | TCP


AV Detection

Source: stk.dll | Virustotal: Detection: 41%
Source: stk.dll | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
Source: unknown | HTTPS traffic detected: 172.67.69.236:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.69.236:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: stk.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: C:\Windows\System32\rundll32.exe | Network Connect: 172.67.69.236 443
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49703 -> 172.67.69.236:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49705 -> 172.67.69.236:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: auth.patched.to
Source: unknown | HTTP traffic detected:
  POST /hmc HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/octet-stream
  Authorization:
  User-Agent: PatchedAgent-v1
  Content-Length: 304
  Host: auth.patched.to
Source: rundll32.exe, 00000006.00000002.2277487443.000002359C399000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2277302967.000002501BD77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/088a8c70-dba9-4e0a-9bf3-879e0aef6a77.crl0
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | HTTPS traffic detected: 172.67.69.236:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.69.236:443 -> 192.168.2.16:49705 version: TLS 1.2

System Summary

Source: stk.dll | Static PE information: section name: .>O"
Source: PTOAuthEx.dll.3.dr | Static PE information: section name:
Source: PTOAuthEx.dll.3.dr | Static PE information: section name:
Source: PTOAuthEx.dll.3.dr | Static PE information: section name:
Source: PTOAuthEx.dll.3.dr | Static PE information: Section: ZLIB complexity 0.991611328125
Source: classification engine | Classification label: mal88.evad.winDLL@14/1@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_03
Source: C:\Windows\System32\loaddll64.exe | File created: C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\stk.dll,Init
Source: stk.dll | Virustotal: Detection: 41%
Source: stk.dll | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\stk.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\stk.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\stk.dll,Init
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\stk.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,6138
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,7295
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,5329
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\stk.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\stk.dll,Init
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,5329
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\stk.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,6138
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,7295
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96b42929-01f1-468c-b521-6294ab438f4a}\InProcServer32
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: stk.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: stk.dll | Static file information: File size 5388288 > 1048576
Source: stk.dll | Static PE information: Raw size of .pzT is bigger than: 0x100000 < 0x523000
Source: stk.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: initial sample | Static PE information: section where entry point is pointing to: .pzT
Source: stk.dll | Static PE information: section name: .IP3
Source: stk.dll | Static PE information: section name: .>O"
Source: stk.dll | Static PE information: section name: .pzT
Source: PTOAuthEx.dll.3.dr | Static PE information: section name:
Source: PTOAuthEx.dll.3.dr | Static PE information: section name:
Source: PTOAuthEx.dll.3.dr | Static PE information: section name:
Source: PTOAuthEx.dll.3.dr | Static PE information: section name: entropy: 7.916340828238215
Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll64.exe | Memory written: PID: 2984 base: 7FF814A1000D value: E9 BB CB EC FF
Source: C:\Windows\System32\loaddll64.exe | Memory written: PID: 2984 base: 7FF8148DCBC0 value: E9 5A 34 13 00
Source: C:\Windows\System32\rundll32.exe | Memory written: PID: 2092 base: 7FF814A1000D value: E9 BB CB EC FF
Source: C:\Windows\System32\rundll32.exe | Memory written: PID: 2092 base: 7FF8148DCBC0 value: E9 5A 34 13 00
Source: C:\Windows\System32\rundll32.exe | Memory written: PID: 4448 base: 7FF814A1000D value: E9 BB CB EC FF
Source: C:\Windows\System32\rundll32.exe | Memory written: PID: 4448 base: 7FF8148DCBC0 value: E9 5A 34 13 00
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll64.exe | Special instruction interceptor: First address: 7FFFEEFD0773 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll
Source: C:\Windows\System32\rundll32.exe TID: 552 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 6976 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: rundll32.exe, 00000007.00000002.2277302967.000002501BD77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
Source: rundll32.exe, 00000007.00000002.2308103522.00000250230FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
Source: rundll32.exe, 00000006.00000002.2296471862.00000235A317B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2006592710.00000235A36BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2296471862.00000235A315F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2295176726.0000025022B09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.2303997272.0000025022FC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWf
Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\loaddll64.exe | Thread information set: HideFromDebugger
Source: C:\Windows\System32\rundll32.exe | Thread information set: HideFromDebugger
Source: C:\Windows\System32\loaddll64.exe | Handle closed: DEADC0DE
Source: C:\Windows\System32\rundll32.exe | Handle closed: DEADC0DE
Source: C:\Windows\System32\loaddll64.exe | Process queried: DebugPort
Source: C:\Windows\System32\loaddll64.exe | Process queried: DebugObjectHandle
Source: C:\Windows\System32\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe | Process queried: DebugObjectHandle

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Network Connect: 172.67.69.236 443
Source: C:\Windows\System32\loaddll64.exe | NtSetInformationThread: Direct from: 0x7FFFEEFB2772
Source: C:\Windows\System32\loaddll64.exe | NtProtectVirtualMemory: Direct from: 0x7FFFEEC3FD03
Source: C:\Windows\System32\loaddll64.exe | NtSetInformationThread: Direct from: 0x7FFFEEEAD53C
Source: C:\Windows\System32\loaddll64.exe | NtProtectVirtualMemory: Direct from: 0x7FFFEEC383AF
Source: C:\Windows\System32\loaddll64.exe | NtProtectVirtualMemory: Direct from: 0x7FFFEEEAE9D9
Source: C:\Windows\System32\loaddll64.exe | NtProtectVirtualMemory: Direct from: 0x7FFFEEC0A963
Source: C:\Windows\System32\loaddll64.exe | NtProtectVirtualMemory: Direct from: 0x7FFFEEBFC9D3
Source: C:\Windows\System32\loaddll64.exe | NtClose: Indirect: 0x7FFFEEFD0755
Source: C:\Windows\System32\loaddll64.exe | NtSetInformationProcess: Direct from: 0x7FFFEEFAE013
Source: C:\Windows\System32\loaddll64.exe | NtQueryInformationProcess: Direct from: 0x7FFFEEFB30A6
Source: C:\Windows\System32\loaddll64.exe | NtQueryInformationProcess: Direct from: 0x7FFFEEFB4626
Source: C:\Windows\System32\loaddll64.exe | NtProtectVirtualMemory: Direct from: 0x7FFFEEC484C9
Source: C:\Windows\System32\loaddll64.exe | NtQueryInformationProcess: Direct from: 0x7FFFEEFA9310
Source: C:\Windows\System32\loaddll64.exe | NtProtectVirtualMemory: Direct from: 0x7FFFEEBF9167
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\stk.dll",#1
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 12 Virtualization/Sandbox Evasion | 1 Credential API Hooking | 311 Security Software Discovery | Remote Services | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 111 Process Injection | LSASS Memory | 12 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 111 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph (ID: 1640273, Sample: stk.dll, Start date: 17/03/2025, Architecture: WINDOWS, Score: 88)

  • Start: DNS auth.patched.to; signatures: Multi AV Scanner detection for submitted file; PE file contains section with special chars; PE file has nameless sections; Joe Sandbox ML detected suspicious sample; starts loaddll64.exe
  • loaddll64.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to evade analysis by execution special instruction (VM detection); Tries to detect debuggers (CloseHandle check); 2 other signatures; starts rundll32.exe (node 12), cmd.exe, rundll32.exe (node 18), conhost.exe
  • rundll32.exe (node 12): dropped C:\Users\user\AppData\Local\...\PTOAuthEx.dll (PE32+); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to detect debuggers (CloseHandle check); Hides threads from debuggers; starts rundll32.exe (node 23)
  • cmd.exe: starts rundll32.exe (node 25)
  • rundll32.exe (node 18): auth.patched.to 172.67.69.236, 443, 49703, 49705, CLOUDFLARENETUS, United States; System process connects to network (likely due to code injection or exploit)
  • rundll32.exe (node 25): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to detect debuggers (CloseHandle check); Hides threads from debuggers; starts rundll32.exe (node 28)

Source | Detection | Scanner | Label
stk.dll | 42% | Virustotal |
stk.dll | 22% | ReversingLabs |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll | 7% | ReversingLabs |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://crl.cloudflare.com/088a8c70-dba9-4e0a-9bf3-879e0aef6a77.crl0 | 0% | Avira URL Cloud | safe
https://auth.patched.to/hmc | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
auth.patched.to | 172.67.69.236 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://auth.patched.to/hmc | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.69.236 | auth.patched.to | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1640273
Start date and time: 2025-03-17 02:47:48 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: stk.dll
Detection: MAL
Classification: mal88.evad.winDLL@14/1@1/1
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.109.210.53, 23.199.214.10, 20.190.159.131, 2.19.122.30
  • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
21:49:48 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.69.236 | stk.vmp.dll | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
auth.patched.to | stk.vmp.dll | malicious | Unknown | 172.67.69.236

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | re.bot.arm5.elf | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | re.bot.mpsl.elf | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | re.bot.mips.elf | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | re.bot.arm7.elf | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | RFQ_250037_S12_C01_R0_RU pdf.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | needagoodplanforsuccesstogetbackbest.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | needagoodplanforsuccesstogetbackbest.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | 104.21.96.1
CLOUDFLARENETUS | niceworkingskillgivenmebest.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | 104.21.112.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | 12Kp1xbcjv.exe | malicious | Unknown | 172.67.69.236
a0e9f5d64349fb13191bc781f81f42e1 | SystemProcess18.exe | malicious | GhostRat, Mimikatz, Nitol | 172.67.69.236
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | Unknown | 172.67.69.236
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | Unknown | 172.67.69.236
a0e9f5d64349fb13191bc781f81f42e1 | #Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe | malicious | Unknown | 172.67.69.236
a0e9f5d64349fb13191bc781f81f42e1 | 2PFebPN0qK.exe | malicious | Latrodectus, LummaC Stealer | 172.67.69.236
a0e9f5d64349fb13191bc781f81f42e1 | #Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe | malicious | Unknown | 172.67.69.236
a0e9f5d64349fb13191bc781f81f42e1 | LaunchV.2.exe | malicious | LummaC Stealer | 172.67.69.236
a0e9f5d64349fb13191bc781f81f42e1 | 16Vzai4jwT.exe | malicious | CobaltStrike | 172.67.69.236
a0e9f5d64349fb13191bc781f81f42e1 | Nexol.exe.bin.exe | malicious | LummaC Stealer | 172.67.69.236

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll | stk.vmp.dll | malicious | Unknown |
Process: C:\Windows\System32\rundll32.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 923136
Entropy (8bit): 7.914890739598155
Encrypted: false
SSDEEP: 24576:YorBV6NfBR73yzmt9hao0OvQ1Y6uInOyY:5ifB1yGaMQXnO
MD5: CAE32DD0E5196AD1BBF0B3C49691EF28
SHA1: 6258071DDC5583B2CA96B3AFC04EF6F2148181F5
SHA-256: E1D01ACA1736C2B469A92EBDBF1ED000169A357D83A7E1B9AADDA03E990C7BF7
SHA-512: 71B7029CFE7ECC5AE57C365565AFB4EAC8359E4BAE26C722E9CB18613E305A6E999F9D1E3E6544252CDBF1BA8CC60D1339CCA1F4731BCDC0424BE3CCDEFD5506
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 7%
Joe Sandbox View:
  • Filename: stk.vmp.dll, Detection: malicious
Reputation: low
File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit): 7.869288162468326
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name: stk.dll
File size: 5'388'288 bytes
MD5: 14e800e2bd120aa901d6ad64d4cb2e0d
SHA1: 1c0e573414c9203d21ffaaf0f0e1f7e1ac2c2ef1
SHA256: fdb66a946c59598ecc3cb143c16582b442ec3642b0df1bb025d9eda304ca2236
SHA512: 81f6f28c1856a35ebae86ccf268ece3abc6a41386f363d919cee1b101af31bdf5a769975652d82d9d2df0e70494d2d1b6086b7341fe62e04476792b382377592
SSDEEP: 98304:P4BletPVjYYoBSOsxglL0vDtqZpFJrQe/lZbJquCKSY/j3bq2tAG5D8B+ZnPF:GOjUsx6L0vJqZL9QeLJqILqI5x
TLSH: F04623CB18BBC2F5CC834964D65E1D449EE4D47CC3A9793830CA280BA5BBDA581CE776
Icon Hash: 7ae282899bbab082
Entrypoint: 0x1807885b0
Entrypoint Section: .pzT
Digitally signed: false
Imagebase: 0x180000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x672CBB9A [Thu Nov 7 13:07:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 9e5b39b8c7d85940f81712ccd1ea65c6
Instructions at the entry point (0x1807885b0, section .pzT):
call 00007FC800C72A5Bh
clc
call 00007FC7D434FAFBh
cmpsd
hlt
retf
pop eax
jmp 00007FC800DCD638h
les ecx, ebx
pop eax
Data directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x3e2248         0x3f          .pzT
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6904f8         0x50          .pzT
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x8f4b70         0x5418        .pzT
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8fa000         0x58          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x8f4a30         0x140         .pzT
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x3d6000         0x30          .>O"
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy             Characteristics
.text   0x1000           0x2e174       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x30000          0xf2058       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x123000         0x2d38        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x126000         0x2b98        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.IP3    0x129000         0x2acfd8      0x0       d41d8cd98f00b204e9800998ecf8427e  unknown   unknown          unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.>O"    0x3d6000         0x60          0x200     277e2cdb6f7b886b62331f45d26d79b9  False     0.05078125       data       0.1833387916558982  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pzT    0x3d7000         0x522f88      0x523000  547958910b75896f701a7c2178b33358  unknown   unknown          unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc  0x8fa000         0x58          0x200     93a71c14cf058bb3d6cffb82726743fc  False     0.16796875       data       0.9708175080753592  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports

DLL           Import
KERNEL32.dll  WriteFile
SHLWAPI.dll   PathMatchSpecW
ntdll.dll     RtlCaptureContext

Exports

Name  Ordinal  Address
Init  1        0x18000dc00
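The section table above is what the report's "Entry point lies outside standard sections", "PE file has nameless sections" and "PE file contains section with special chars" signatures key on: .text, .rdata, .data, .pdata and .IP3 all have a raw size of 0 (their on-disk MD5 is the MD5 of the empty string), the entry point 0x1807885b0 sits in .pzT, which holds almost all of the file's bytes, and the only export, Init at 0x18000dc00, resolves into the empty .text. That layout is consistent with a packer that materialises the real code at load time, so the three visible imports (WriteFile, PathMatchSpecW, RtlCaptureContext) say nothing about what the DLL does. The following is an added example, not code from the report or from the sample, of the same static checks in stdlib-only Python: a minimal PE header parser, a triage function, and a constructed PE32+ header whose section table copies a subset of the one reported above (plus one nameless section so that check is exercised). The parser, the hypothetical builder and the wording of the findings are mine.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}  # where a compiler puts the entry point


def parse_pe(data):
    """Return (entry point RVA, section list) from the headers of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic %#x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        raw_name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": raw_name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
        off += 40
    return entry_rva, sections


def triage(data):
    """Static-layout findings for the packer pattern in the report: entry point outside a
    standard code section, nameless or oddly named sections, sections that exist only in
    memory (virtual size but zero raw size) and writable+executable sections."""
    entry_rva, sections = parse_pe(data)
    findings = []
    home = [s for s in sections if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])]
    if not home:
        findings.append("entry point %#x maps to no section" % entry_rva)
    elif home[0]["name"] not in STANDARD_CODE_SECTIONS:
        findings.append("entry point %#x lies in non-standard section %r" % (entry_rva, home[0]["name"]))
    for s in sections:
        name = s["name"]
        if name == "":
            findings.append("nameless section at RVA %#x" % s["va"])
        elif not all(ch.isalnum() or ch in "._$" for ch in name):
            findings.append("section name with special chars: %r" % name)
        if s["vsize"] and s["rawsize"] == 0:
            findings.append("section %r has virtual size %#x but no raw data" % (name, s["vsize"]))
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("section %r is writable and executable" % name)
    return findings


def build_sample_pe():
    """Constructed PE32+ image consisting of headers only (this is NOT stk.dll). Its section
    table copies RVAs, sizes, names and characteristics from the report above, plus one
    nameless section; raw pointers are arbitrary because no section data is emitted."""
    secs = [  # name, virtual size, RVA, raw size, raw pointer, characteristics
        (b".text", 0x2E174, 0x1000, 0x0, 0x0, 0x60000020),
        (b".rdata", 0xF2058, 0x30000, 0x0, 0x0, 0x40000040),
        (b"", 0x2D38, 0x123000, 0x0, 0x0, 0xC0000040),
        (b'.>O"', 0x60, 0x3D6000, 0x200, 0x400, 0xC0000040),
        (b".pzT", 0x522F88, 0x3D7000, 0x523000, 0x600, 0x68000060),
        (b".reloc", 0x58, 0x8FA000, 0x200, 0x523600, 0x42000040),
    ]
    entry_rva = 0x1807885B0 - 0x180000000  # Entrypoint minus Imagebase from the report
    # Magic, linker version, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, ImageBase (only magic and entry point are read back)
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x180000000)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(secs), 0x672CBB9A, 0, 0, len(opt), 0x2022)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C points just past the stub
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    return dos + coff + opt + table


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

Pointing parse_pe at a real file (`triage(open(path, "rb").read())`) gives the same findings for the real sample as the constructed header does here; the entry-point check uses the larger of virtual and raw size so that a section padded out in memory still claims its entry point, and the name check deliberately accepts ordinary compiler names (.text, .rdata, .pdata, .reloc) while rejecting anything with punctuation other than a dot, underscore or dollar sign.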


Suricata alerts

Timestamp                         SID      Signature                                                   Severity  Source IP     Source Port  Dest IP        Dest Port  Protocol
2025-03-17T02:49:48.761319+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.16  49703        172.67.69.236  443        TCP
2025-03-17T02:49:51.725612+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.16  49705        172.67.69.236  443        TCP

• Total Packets: 21
• 443 (HTTPS)
• 53 (DNS)
TCP packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Mar 17, 2025 02:49:47.590724945 CET  49703        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:47.590764999 CET  443          49703      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:47.590852976 CET  49703        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:48.291430950 CET  49703        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:48.291462898 CET  443          49703      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:48.761219025 CET  443          49703      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:48.761318922 CET  49703        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:48.796641111 CET  49703        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:48.796662092 CET  443          49703      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:48.796854973 CET  443          49703      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:48.798948050 CET  49703        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:48.798974991 CET  49703        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:48.798979044 CET  443          49703      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:48.919038057 CET  443          49703      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:48.919095993 CET  443          49703      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:48.919153929 CET  49703        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:48.919399023 CET  49703        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:48.919408083 CET  443          49703      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:48.919420004 CET  49703        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:48.919425011 CET  443          49703      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:51.248087883 CET  49705        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:51.248122931 CET  443          49705      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:51.248234034 CET  49705        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:51.250375032 CET  49705        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:51.250391960 CET  443          49705      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:51.725400925 CET  443          49705      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:51.725611925 CET  49705        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:51.775381088 CET  49705        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:51.775394917 CET  443          49705      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:51.775588036 CET  443          49705      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:51.777138948 CET  49705        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:51.777153969 CET  49705        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:51.777158976 CET  443          49705      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:51.912969112 CET  443          49705      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:51.913029909 CET  443          49705      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:51.913121939 CET  49705        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:51.915046930 CET  49705        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:51.915062904 CET  443          49705      172.67.69.236  192.168.2.16
Mar 17, 2025 02:49:51.915111065 CET  49705        443        192.168.2.16   172.67.69.236
Mar 17, 2025 02:49:51.915119886 CET  443          49705      172.67.69.236  192.168.2.16
UDP packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Mar 17, 2025 02:49:47.577632904 CET  58485        53         192.168.2.16  1.1.1.1
Mar 17, 2025 02:49:47.586819887 CET  53           58485      1.1.1.1       192.168.2.16
DNS queries

Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name             Type            Class        DNS over HTTPS
Mar 17, 2025 02:49:47.577632904 CET  192.168.2.16  1.1.1.1  0x62cb    Standard query (0)  auth.patched.to  A (IP address)  IN (0x0001)  false

DNS answers

Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name             CName  Address        Type            Class        DNS over HTTPS
Mar 17, 2025 02:49:47.586819887 CET  1.1.1.1    192.168.2.16  0x62cb    No error (0)  auth.patched.to  -      172.67.69.236  A (IP address)  IN (0x0001)  false
Mar 17, 2025 02:49:47.586819887 CET  1.1.1.1    192.168.2.16  0x62cb    No error (0)  auth.patched.to  -      104.26.14.16   A (IP address)  IN (0x0001)  false
Mar 17, 2025 02:49:47.586819887 CET  1.1.1.1    192.168.2.16  0x62cb    No error (0)  auth.patched.to  -      104.26.15.16   A (IP address)  IN (0x0001)  false
Contacted domains
• auth.patched.to
HTTP session 0

Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.16  49703        172.67.69.236   443               3796  C:\Windows\System32\rundll32.exe

2025-03-17 01:49:48 UTC  176 bytes  OUT
POST /hmc HTTP/1.1
Connection: Keep-Alive
Content-Type: application/octet-stream
Authorization:
User-Agent: PatchedAgent-v1
Content-Length: 304
Host: auth.patched.to

2025-03-17 01:49:48 UTC  304 bytes  OUT
Data Raw: 11 10 48 71 b3 47 c6 5a 28 b3 e0 e8 68 38 48 28 77 ba 44 8c 2c 8d 61 5f 4f e6 53 ac e0 54 74 44 44 17 e4 f9 05 2a b6 40 12 91 b7 a9 90 29 b8 5a 37 a5 de 90 9a f7 bd d3 eb b8 50 11 93 d6 16 cb 50 6b b1 7b cd 26 7b fc 36 94 80 a0 c6 f2 99 c9 cb 25 82 12 89 c4 19 7d c2 f7 c5 b9 b7 21 8d b1 a2 4f 3a da 92 7a b9 c6 e4 2d 7b a7 6b 01 4d 4e 91 3a 3a aa 53 a9 7d b3 90 df 5b 3e a9 f7 27 0f 54 d1 b3 9a 8d 83 a1 d2 6a d8 37 89 db 76 54 f9 dc 7c 3b 31 4b cd 39 31 d4 d7 65 7b 50 a7 8e 2a 5e a8 5b 84 8e cb 8f 34 42 c0 17 b6 8b b2 5a 20 87 9d ba 41 80 4e 0b 6b f8 8a cd 23 fa ca e5 1f 12 fb 4e e0 79 3a 94 6f 56 9f 6f 82 35 78 a5 02 25 78 41 be e5 f0 50 89 eb 1f 1b 1b 2c 42 b4 51 67 54 8c 18 a1 ee 0c d1 e3 aa 82 e8 9b 2d 83 82 95 f3 87 ff 4c 51 8d b5 18 58 b7 ab 82 f9 0f
Data Ascii: HqGZ(h8H(wD,a_OSTtDD*@)Z7PPk{&{6%}!O:z-{kMN::S}[>'Tj7vT|;1K91e{P*^[4BZ ANk#Ny:oVo5x%xAP,BQgT-LQX

2025-03-17 01:49:48 UTC  1038 bytes  IN
HTTP/1.1 400 Bad Request
Date: Mon, 17 Mar 2025 01:49:48 GMT
Content-Type: application/octet-stream
Content-Length: 16
Connection: close
X-Auth-Code: 400
X-Auth-Result: Bad request
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zlRGppMc2JTopqFY24UjQ6uf1ZjI7t9UWehMCrqEbShR3aX84y722U0JvEsJiTWU4HdrKnzMJlBvPcsYXF6NSa69Y0TReZ25HeGqh6KAINMAZGTETrJIGCUuB88XCBVAzw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
expect-ct: max-age=86400, enforce
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
Server: cloudflare
CF-RAY: 9218d5fc4a1d8c39-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1996&min_rtt=1990&rtt_var=759&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2820&recv_bytes=1116&delivery_rate=1429270&cwnd=188&unsent_bytes=0&cid=98257ed8be6f24eb&ts=168&x=0"

2025-03-17 01:49:48 UTC  16 bytes  IN
Data Raw: 1f b0 11 99 ea 54 0e cb d3 53 ba 14 eb e7 75 df
Data Ascii: TSu


HTTP session 1

Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.16  49705        172.67.69.236   443               6016  C:\Windows\System32\rundll32.exe

2025-03-17 01:49:51 UTC  179 bytes  OUT
POST /hmc HTTP/1.1
Connection: Keep-Alive
Content-Type: application/octet-stream
Authorization: 900
User-Agent: PatchedAgent-v1
Content-Length: 304
Host: auth.patched.to

2025-03-17 01:49:51 UTC  304 bytes  OUT
Data Raw: 45 60 a1 34 b1 31 02 48 54 45 fd 9e d0 58 c0 17 7c 6e da 04 e8 ba fd d0 e1 45 f9 b3 bb 93 ae 37 9a 95 9d d3 07 c8 35 e4 56 21 ee c8 6f b7 11 8f e7 08 66 68 97 14 0a 1c f4 96 b7 6d 03 bc 0f df c7 ed 04 0e 9d 60 32 b9 94 cc 9e cc 22 13 e7 a7 4f 5c 8d a2 03 28 36 1e cd 1d ad 87 1c 51 2b be d2 61 e1 87 a9 e6 e7 78 d6 38 06 7d 44 c4 e5 8f a9 04 c3 d7 72 1d 1e e3 d9 bf 19 54 a7 a8 f0 a1 8e 36 58 1f 52 43 b2 b7 d4 e7 11 21 b9 57 07 28 e8 a5 d5 b1 94 17 9e 2e 17 67 17 71 ff 6e 70 f1 2b a8 08 99 ef 29 0a e0 c2 d7 c7 bd cf 75 27 61 1f a7 18 a2 95 5d 7a a4 63 19 fa bc fa f2 f1 fb 37 f2 c7 52 81 00 49 2b 2a ff 24 14 6d 5c 45 f0 1b 88 b6 bf d9 7f bf 8f 57 87 ea fb 26 d5 38 7f 52 f3 32 84 26 6d 11 9a 11 27 bf 71 d5 93 a6 57 a5 a2 ab 35 ab b9 f7 2a dc e2 5f fe c9 a4 2d
Data Ascii: E`41HTEX|nE75V!ofhm`2"O\(6Q+ax8}DrT6XRC!W(.gqnp+)u'a]zc7RI+*$m\EW&8R2&m'qW5*_-

2025-03-17 01:49:51 UTC  1050 bytes  IN
HTTP/1.1 400 Bad Request
Date: Mon, 17 Mar 2025 01:49:51 GMT
Content-Type: application/octet-stream
Content-Length: 16
Connection: close
X-Auth-Code: 400
X-Auth-Result: Bad request
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=35YodwgdNDC7mvUxe%2FsfH%2FizOAIyl6rV1Xfkqnk%2BaWOpDeRA3JnkjWlCgXHnClwR%2BFnN4n7iLE5iF5q0K6ygWYmF9cRxd5fB6eBsFZZTr%2FLlDPg9LK9Nty6fjolm%2BZnkoA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
expect-ct: max-age=86400, enforce
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
Server: cloudflare
CF-RAY: 9218d60eed0443a6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1648&rtt_var=658&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2821&recv_bytes=1119&delivery_rate=1771844&cwnd=142&unsent_bytes=0&cid=ff933ee528b4d908&ts=198&x=0"

2025-03-17 01:49:51 UTC  16 bytes  IN
Data Raw: f9 84 57 18 22 11 63 ff 93 16 d4 8a 00 ec 7a b8
Data Ascii: W"cz
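Both sessions are the same exchange: a POST to /hmc on auth.patched.to with a fixed 304-byte application/octet-stream body, a User-Agent of PatchedAgent-v1, an Authorization header that is empty on the first attempt and 900 on the second, and a 400 response (served via Cloudflare) carrying custom X-Auth-Code / X-Auth-Result headers and a 16-byte opaque body. None of that is what the Suricata alert keyed on; SID 2028371 fires on the TLS client fingerprint (JA3), and the HTTP layer is only visible to the sandbox because it hooks the client. The following is an added example, not code from the report, of what a detection engineer would extract from such a capture: stdlib-only Python that parses the two request/response heads (re-typed here from the sessions above, bodies and Cloudflare's own NEL/HSTS/CF-RAY headers omitted), lists the client indicators, checks for the fixed body size across check-ins, and emits a Suricata rule. The indicator wording, the browser and auth-scheme lists and the hypothetical SID 9000001 are mine.

```python
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")
STANDARD_AUTH_SCHEMES = ("basic ", "bearer ", "digest ", "negotiate ", "ntlm ")


def _head(*lines):
    return "\r\n".join(lines) + "\r\n\r\n"


# Request/response heads re-typed from the two captured sessions above (constructed input).
SESSIONS = [
    {"request": _head("POST /hmc HTTP/1.1", "Connection: Keep-Alive",
                      "Content-Type: application/octet-stream", "Authorization:",
                      "User-Agent: PatchedAgent-v1", "Content-Length: 304", "Host: auth.patched.to"),
     "response": _head("HTTP/1.1 400 Bad Request", "Content-Type: application/octet-stream",
                       "Content-Length: 16", "Connection: close", "X-Auth-Code: 400",
                       "X-Auth-Result: Bad request", "Server: cloudflare")},
    {"request": _head("POST /hmc HTTP/1.1", "Connection: Keep-Alive",
                      "Content-Type: application/octet-stream", "Authorization: 900",
                      "User-Agent: PatchedAgent-v1", "Content-Length: 304", "Host: auth.patched.to"),
     "response": _head("HTTP/1.1 400 Bad Request", "Content-Type: application/octet-stream",
                       "Content-Length: 16", "Connection: close", "X-Auth-Code: 400",
                       "X-Auth-Result: Bad request", "Server: cloudflare")},
]


def parse_head(raw):
    """Split an HTTP head into (start line, {lower-cased name: value}). The last value of a
    repeated header wins and a header with an empty value is kept with value ''."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def beacon_indicators(session):
    """Indicators from one request/response pair that separate this client from a browser."""
    start, req = parse_head(session["request"])
    method, path, _version = start.split(" ", 2)
    _status, resp = parse_head(session["response"])
    found = []
    ua = req.get("user-agent", "")
    if not ua.startswith(BROWSER_UA_PREFIXES):
        found.append("non-browser User-Agent %r" % ua)
    auth = req.get("authorization")
    if auth is not None and not auth.lower().startswith(STANDARD_AUTH_SCHEMES):
        found.append("Authorization header without a standard scheme: %r" % auth)
    if method == "POST" and req.get("content-type") == "application/octet-stream":
        found.append("opaque POST body of %s bytes to %s" % (req.get("content-length", "?"), path))
    if "x-auth-code" in resp:
        found.append("custom X-Auth-Code %s in response" % resp["x-auth-code"])
    return found


def fixed_size_posts(sessions):
    """The common Content-Length when every request carries the same one (a fixed-size,
    presumably encrypted check-in blob), else None."""
    lengths = {parse_head(s["request"])[1].get("content-length") for s in sessions}
    return int(lengths.pop()) if len(lengths) == 1 and None not in lengths else None


def suricata_rule(session, sid):
    """Suricata rule (5.x sticky-buffer keywords) for the request shape. It can only match
    where TLS is terminated in front of the sensor; on the wire this is HTTPS, so the
    network-visible indicators are the DNS lookup of the host and the JA3 hash."""
    start, req = parse_head(session["request"])
    method, path, _version = start.split(" ", 2)
    return ('alert http any any -> any any (msg:"Hypothetical %s check-in"; flow:established,to_server; '
            'http.method; content:"%s"; http.uri; content:"%s"; http.user_agent; content:"%s"; '
            'http.host; content:"%s"; sid:%d; rev:1;)'
            % (req.get("host", ""), method, path, req.get("user-agent", ""), req.get("host", ""), sid))


if __name__ == "__main__":
    for n, s in enumerate(SESSIONS):
        print("session %d:" % n, *beacon_indicators(s), sep="\n  ")
    print("fixed body size:", fixed_size_posts(SESSIONS))
    print(suricata_rule(SESSIONS[0], 9000001))
```

The empty Authorization header on the first attempt and the bare numeric 900 on the second are kept as separate findings on purpose: a client that retries with a different non-standard token after a 400 is behaving like a licensing or auth handshake, which is worth distinguishing from a one-shot upload when writing the hunt query.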


Process details

Target ID: 0
Start time: 21:48:19
Start date: 16/03/2025
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe "C:\Users\user\Desktop\stk.dll"
Imagebase: 0x7ff76a5d0000
File size: 165'888 bytes
MD5 hash: 763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 1
Start time: 21:48:19
Start date: 16/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6aa7d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 21:48:19
Start date: 16/03/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\stk.dll",#1
Imagebase: 0x7ff7d5190000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 21:48:19
Start date: 16/03/2025
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\stk.dll,Init
Imagebase: 0x7ff619460000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 21:48:19
Start date: 16/03/2025
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\stk.dll",#1
Imagebase: 0x7ff619460000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 21:48:20
Start date: 16/03/2025
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,6138
Imagebase: 0x7ff619460000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:6
                                                                              Start time:21:48:20
                                                                              Start date:16/03/2025
                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,7295
                                                                              Imagebase:0x7ff619460000
                                                                              File size:71'680 bytes
                                                                              MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:7
                                                                              Start time:21:48:22
                                                                              Start date:16/03/2025
                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,5329
                                                                              Imagebase:0x7ff619460000
                                                                              File size:71'680 bytes
                                                                              MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

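The rundll32 records above share one pattern worth hunting for: the sample's export `Init` (or ordinal `#1`) is invoked on a DLL sitting in a user-writable directory, and the last three processes load the dropped PTOAuthEx.dll from %TEMP% with `Init hmc,<n>` arguments. The following Python is an added example, not part of the Joe Sandbox report or its tooling: a small parser for rundll32 command lines and a triage routine run over the command lines recorded above plus one constructed benign control line. The path markers and finding labels are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample process command lines: the first four are the rundll32 invocations
# recorded in this report; the last one is a constructed benign control line.
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Users\user\Desktop\stk.dll,Init',
    r'rundll32.exe "C:\Users\user\Desktop\stk.dll",#1',
    r'c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,6138',
    r'c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,7295',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',  # constructed
]

# rundll32 syntax: <rundll32 image> <dll>,<export|#ordinal> [arguments]
# The DLL path may be quoted or bare; the export may be a name or an ordinal.
RUNDLL_RE = re.compile(
    r'''^(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+   # rundll32 image, quoted or bare
        (?:"(?P<qdll>[^"]+)"|(?P<bdll>[^,\s]+))          # DLL path, quoted or bare
        \s*,\s*(?P<export>\#\d+|[A-Za-z_][\w@]*)         # '#1' style ordinal or export name
        (?:\s+(?P<args>\S.*))?\s*$''',
    re.IGNORECASE | re.VERBOSE,
)

# Assumed path markers (lower-cased): %TEMP% specifically, then any other
# location a standard user can write to. Tune these for your own estate.
TEMP_MARKER = '\\appdata\\local\\temp\\'
USER_WRITABLE_MARKERS = ('\\users\\', '\\programdata\\')


@dataclass
class RunDllInvocation:
    dll_path: str
    export: str
    args: Optional[str]

    def is_ordinal(self) -> bool:
        # rundll32 accepts '#<n>' to call an export by ordinal instead of name
        return self.export.startswith('#')


def parse_rundll32(cmdline: str) -> Optional[RunDllInvocation]:
    """Split a rundll32 command line into DLL path, export and arguments.
    Returns None for anything that is not a rundll32 invocation."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    return RunDllInvocation(
        dll_path=m.group('qdll') or m.group('bdll'),
        export=m.group('export'),
        args=m.group('args'),
    )


def triage(cmdline: str) -> List[str]:
    """Return the (assumed) finding labels that apply to one command line."""
    inv = parse_rundll32(cmdline)
    if inv is None:
        return []
    path = inv.dll_path.lower()
    findings: List[str] = []
    if TEMP_MARKER in path:
        findings.append('dll-loaded-from-temp')
    elif any(marker in path for marker in USER_WRITABLE_MARKERS):
        findings.append('dll-in-user-writable-path')
    if inv.is_ordinal():
        findings.append('ordinal-export')
    return findings


def scan(cmdlines) -> Dict[str, List[str]]:
    """Map each flagged command line to its findings; clean lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for cmdline in cmdlines:
        findings = triage(cmdline)
        if findings:
            flagged[cmdline] = findings
    return flagged


if __name__ == '__main__':
    for cmdline, findings in scan(SAMPLE_CMDLINES).items():
        print(', '.join(findings), '<-', cmdline)
```

The parser expects the rundll32 process's own command line, not the parent `cmd.exe /C rundll32.exe ...` wrapper, so feed it the child process record. A DLL under %TEMP% is not proof of malice on its own (installers do this), which is why the result is a set of labels to combine with the other signatures in the report (dropped PE, suspended-mode process creation) rather than a verdict.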
                                                                              No disassembly