Edit tour

Windows Analysis Report
useMyDll.exe

Overview

General Information

Sample name:	useMyDll.exe
Analysis ID:	1670381
MD5:	212f0efc91a56fe8f71f24d1a26d0b33
SHA1:	3055dd5f872864b8cd0dacbe32c32ba19ec11309
SHA256:	a5f0e7d43a141152c7b28d2d62abfd9a73e1def764c05e0b3d6228e4e44ab77a
Tags:	exeuser-FelloBoiYuuka
Infos:

Detection

Score:	52
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to inject threads in other processes

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

useMyDll.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\useMyDll.exe" MD5: 212F0EFC91A56FE8F71F24D1A26D0B33)

conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: useMyDll.exe	Virustotal: Detection: 23%			Perma Link
Source: useMyDll.exe	ReversingLabs: Detection: 19%

Source: useMyDll.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Magshimim\Architecture\FinalProject\Project_OS\x64\Debug\useMyDll.pdb source: useMyDll.exe
Source:	Binary string: C:\Magshimim\Architecture\FinalProject\Project_OS\x64\Debug\useMyDll.pdb** source: useMyDll.exe

Source: C:\Users\user\Desktop\useMyDll.exe	Code function: 0_2_00007FF7C1F99850		0_2_00007FF7C1F99850
Source: C:\Users\user\Desktop\useMyDll.exe	Code function: 0_2_00007FF7C1F98EE0		0_2_00007FF7C1F98EE0

Source: classification engine

Classification label: mal52.evad.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03

Source: C:\Users\user\Desktop\useMyDll.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: useMyDll.exe	Virustotal: Detection: 23%
Source: useMyDll.exe	ReversingLabs: Detection: 19%

Source: unknown	Process created: C:\Users\user\Desktop\useMyDll.exe "C:\Users\user\Desktop\useMyDll.exe"
Source: C:\Users\user\Desktop\useMyDll.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\useMyDll.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\useMyDll.exe	Section loaded: msvcp140d.dll	Jump to behavior
Source: C:\Users\user\Desktop\useMyDll.exe	Section loaded: vcruntime140d.dll	Jump to behavior
Source: C:\Users\user\Desktop\useMyDll.exe	Section loaded: vcruntime140_1d.dll	Jump to behavior
Source: C:\Users\user\Desktop\useMyDll.exe	Section loaded: ucrtbased.dll	Jump to behavior

Source: useMyDll.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: useMyDll.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: useMyDll.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: useMyDll.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: useMyDll.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: useMyDll.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: useMyDll.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: useMyDll.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: useMyDll.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Magshimim\Architecture\FinalProject\Project_OS\x64\Debug\useMyDll.pdb source: useMyDll.exe
Source:	Binary string: C:\Magshimim\Architecture\FinalProject\Project_OS\x64\Debug\useMyDll.pdb** source: useMyDll.exe

Source: useMyDll.exe	Static PE information: section name: .textbss
Source: useMyDll.exe	Static PE information: section name: .msvcjmc
Source: useMyDll.exe	Static PE information: section name: .00cfg

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\useMyDll.exe

Code function: 0_2_00007FF7C1F96C90 MultiByteToWideChar,MultiByteToWideChar,DebuggerProbe,DebuggerRuntime,IsDebuggerPresent,WideCharToMultiByte,WideCharToMultiByte,

0_2_00007FF7C1F96C90

Source: C:\Users\user\Desktop\useMyDll.exe

Code function: 0_2_00007FF7C1F99390 VirtualQuery,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00007FF7C1F99390

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\useMyDll.exe	Code function: 0_2_00007FF7C1F97230 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7C1F97230
Source: C:\Users\user\Desktop\useMyDll.exe	Code function: 0_2_00007FF7C1F9140B SetUnhandledExceptionFilter,	0_2_00007FF7C1F9140B
Source: C:\Users\user\Desktop\useMyDll.exe	Code function: 0_2_00007FF7C1F982E0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7C1F982E0

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\useMyDll.exe

Code function: 0_2_00007FF7C1F91460 GetFullPathNameA,GetModuleHandleA,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,GetProcAddress,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z,OpenProcess,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualAllocEx,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,CloseHandle,WriteProcessMemory,GetLastError,CreateRemoteThread,GetLastError,WaitForSingleObject,CloseHandle,

0_2_00007FF7C1F91460

Source: C:\Users\user\Desktop\useMyDll.exe

Code function: 0_2_00007FF7C1F97FA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7C1F97FA0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
useMyDll.exe	24%	Virustotal		Browse
useMyDll.exe	19%	ReversingLabs	Win64.Trojan.Barys

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1670381
Start date and time:	2025-04-21 17:20:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	useMyDll.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.29.183.29, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target useMyDll.exe, PID 6768 because there are no executed function
Not all processes where analyzed, report is missing behavior information

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	4.06755516296969
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	useMyDll.exe
File size:	94'208 bytes
MD5:	212f0efc91a56fe8f71f24d1a26d0b33
SHA1:	3055dd5f872864b8cd0dacbe32c32ba19ec11309
SHA256:	a5f0e7d43a141152c7b28d2d62abfd9a73e1def764c05e0b3d6228e4e44ab77a
SHA512:	07462ba5365ce6d583e2922518721e7745c7ba299ae61400b3b5e4cce308cda0aebc9efcfa102a8375febf034e43fc742a03d9f91aa20a50101ba64e818e95f7
SSDEEP:	768:3DlEDcCHRRmD71fUyU9/RofGrFBXlrROYT8VAH9:CDTRRQ1fYRRkGRBX5PT8V
TLSH:	6E93C61A37A510B3D0B6C039A9864326FEB17055133916EF9141CAFDAF207ECBE3DA55
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........H.bl..bl..bl...o..bl...h..bl...i..bl...m..bl...m..bl..bm..bl...i..bl......bl...n..bl.Rich.bl.................PE..d......g...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14001146a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67CDBCB1 [Sun Mar 9 16:07:13 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	484170e12eeb66f9a9b2955dfd39b967

Entrypoint Preview

Instruction
jmp 00007FD92C8DD2B6h
jmp 00007FD92C8DF1A1h
jmp 00007FD92C8DF68Ch
jmp 00007FD92C8E0CD7h
jmp 00007FD92C8DECA2h
jmp 00007FD92C8DC70Bh
jmp 00007FD92C8DF778h
jmp 00007FD92C8DC68Fh
jmp 00007FD92C8D9A3Eh
jmp 00007FD92C8E0C79h
jmp 00007FD92C8E0BFAh
jmp 00007FD92C8DEE8Fh
jmp 00007FD92C8DED9Ah
jmp 00007FD92C8DDF75h
jmp 00007FD92C8DAB30h
jmp 00007FD92C8DF8EBh
jmp 00007FD92C8DFF66h
jmp 00007FD92C8E0AE7h
jmp 00007FD92C8DE71Ch
jmp 00007FD92C8E0B5Bh
jmp 00007FD92C8E0BCEh
jmp 00007FD92C8DE5EDh
jmp 00007FD92C8E0B22h
jmp 00007FD92C8DB2D3h
jmp 00007FD92C8DEE5Eh
jmp 00007FD92C8D9FA9h
jmp 00007FD92C8E0C24h
jmp 00007FD92C8DB1FFh
jmp 00007FD92C8E0B28h
jmp 00007FD92C8DB745h
jmp 00007FD92C8DEDA0h
jmp 00007FD92C8DB11Bh
jmp 00007FD92C8DBB76h
jmp 00007FD92C8DC5E3h
jmp 00007FD92C8DEE3Ch
jmp 00007FD92C8E0B89h
jmp 00007FD92C8DF612h
jmp 00007FD92C8DF43Dh
jmp 00007FD92C8DE528h
jmp 00007FD92C8DB573h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x275e0	0x78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2b000	0x43c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x24000	0x2274	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2c000	0xbc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x201e0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x20060	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x27000	0x5e0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.textbss	0x1000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x11000	0xc976	0xca00	125dd4ddd2a965242b6a40ac6ce5a6ee	False	0.2558400371287129	data	4.109668123987941	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1e000	0x46e1	0x4800	2531f8b3048e86fb373ee4e23ec64264	False	0.1882595486111111	data	2.69378051477315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x23000	0xc58	0x600	a9c019a1d7ab14bc3fd6866206a43191	False	0.08658854166666667	data	0.8868125986240956	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x24000	0x270c	0x2800	3fdf853a37464114a7d02e70a4e14bfb	False	0.1435546875	data	1.875979271598377	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x27000	0x1a90	0x1c00	b9a41175462e915d46e9b26c7ada719c	False	0.25069754464285715	data	3.930200548644312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.msvcjmc	0x29000	0x22c	0x400	67e715e67f01845815a650b2c7c22a4a	False	0.017578125	Targa image data - Map (257-257) 257 x 257 x 1 +257 +257 - 1-bit alpha "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001"	0.8018584546667038	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x2a000	0x175	0x200	11afae137f4cc0ec99f62127aded9257	False	0.06640625	data	0.46864890609345855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2b000	0x43c	0x600	2d04ecc71bfa8f9bda3db6654f8bb1d7	False	0.18229166666666666	data	2.1429708819311997	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2c000	0x304	0x400	4ab3b71d181c2a31c5d2c9e32f00b6ab	False	0.1806640625	data	1.340683595052557	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x2b170	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetFullPathNameA, CloseHandle, GetLastError, WaitForSingleObject, CreateRemoteThread, OpenProcess, VirtualAllocEx, WriteProcessMemory, GetModuleHandleA, GetProcAddress, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, VirtualQuery, GetProcessHeap, HeapFree, HeapAlloc, GetModuleHandleW, GetStartupInfoW, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, WideCharToMultiByte, MultiByteToWideChar, RaiseException, IsDebuggerPresent, GetCurrentThreadId, FreeLibrary
MSVCP140D.dll	?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ??1_Lockit@std@@QEAA@XZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ?_Xlength_error@std@@YAXPEBD@Z, ?uncaught_exception@std@@YA_NXZ, ?good@ios_base@std@@QEBA_NXZ, ?flags@ios_base@std@@QEBAHXZ, ?width@ios_base@std@@QEBA_JXZ, ?width@ios_base@std@@QEAA_J_J@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??0_Lockit@std@@QEAA@H@Z
VCRUNTIME140D.dll	__vcrt_GetModuleHandleW, __vcrt_GetModuleFileNameW, __current_exception_context, __current_exception, __vcrt_LoadLibraryExW, __C_specific_handler_noexcept, __C_specific_handler, _CxxThrowException, __std_exception_destroy, __std_exception_copy, __std_type_info_destroy_list, memcpy
VCRUNTIME140_1D.dll	__CxxFrameHandler4
ucrtbased.dll	_cexit, __p__commode, _free_dbg, strcpy_s, strcat_s, __stdio_common_vsprintf_s, _seh_filter_dll, _initialize_onexit_table, _register_onexit_function, _execute_onexit_table, _crt_atexit, _crt_at_quick_exit, terminate, _wmakepath_s, _wsplitpath_s, wcscpy_s, __p___argv, _register_thread_local_exe_atexit_callback, _set_fmode, _exit, exit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, __setusermatherr, _set_app_type, _seh_filter_exe, malloc, _callnewh, strlen, wcslen, _CrtDbgReport, _invalid_parameter, _configthreadlocale, __p___argc, _c_exit, _set_new_mode, _CrtDbgReportW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• useMyDll.exe
• conhost.exe

Click to jump to process

Click to jump to process

Behavior

• useMyDll.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	11:21:06
Start date:	21/04/2025
Path:	C:\Users\user\Desktop\useMyDll.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\useMyDll.exe"
Imagebase:	0x7ff7c1f80000
File size:	94'208 bytes
MD5 hash:	212F0EFC91A56FE8F71F24D1A26D0B33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	11:21:06
Start date:	21/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF7C1F91460 Relevance: 57.9, APIs: 25, Strings: 8, Instructions: 192libraryloaderCOMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32 ref: 00007FF7C1F954C1
GetModuleHandleA.KERNEL32 ref: 00007FF7C1F954D4
GetLastError.KERNEL32 ref: 00007FF7C1F954EB
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140D ref: 00007FF7C1F95515
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140D ref: 00007FF7C1F95525
GetProcAddress.KERNEL32 ref: 00007FF7C1F95544
GetLastError.KERNEL32 ref: 00007FF7C1F9555B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z.MSVCP140D ref: 00007FF7C1F95585
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140D ref: 00007FF7C1F95595

Strings

Error opening process (87 - you need the process to be working): , xrefs: 00007FF7C1F95611
Failed to get LoadLibraryA address. Error: , xrefs: 00007FF7C1F95567
kernel32.dll, xrefs: 00007FF7C1F954CD
Failed to get handle to kernel32.dll. Error: , xrefs: 00007FF7C1F954F7
LoadLibraryA, xrefs: 00007FF7C1F95536
Notepad.exe, xrefs: 00007FF7C1F955A6
Project_OS.dll, xrefs: 00007FF7C1F954BA
Failed to allocate memory in remote process. Error: , xrefs: 00007FF7C1F956B0

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@$ErrorLastV01@@$AddressFullHandleModuleNamePathProc
String ID: Error opening process (87 - you need the process to be working): $Failed to allocate memory in remote process. Error: $Failed to get LoadLibraryA address. Error: $Failed to get handle to kernel32.dll. Error: $LoadLibraryA$Notepad.exe$Project_OS.dll$kernel32.dll
API String ID: 4242837936-3885072109
Opcode ID: f33e0f1f7115e45b275368a85fc4cd2df4b1bf4d52e9a3604aec74140d246b9d
Instruction ID: a2dc03ac0ac26c7a03616d91f9bd4bd906598ef013710e748b718ab1ce3ce287
Opcode Fuzzy Hash: f33e0f1f7115e45b275368a85fc4cd2df4b1bf4d52e9a3604aec74140d246b9d
Instruction Fuzzy Hash: 9AB13C75A0AAC28AE730FF24D8547E973A1FB85768F801135C60E4B669DFBDA644C720

Function 00007FF7C1F99390 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 253memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF7C1F993CC
GetProcAddress.KERNEL32 ref: 00007FF7C1F994AF
GetProcessHeap.KERNEL32 ref: 00007FF7C1F99627
HeapAlloc.KERNEL32 ref: 00007FF7C1F9963A
GetProcessHeap.KERNEL32 ref: 00007FF7C1F996E3
HeapFree.KERNEL32 ref: 00007FF7C1F996F1

Strings

PDBOpenValidate5, xrefs: 00007FF7C1F994A5

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: Heap$Process$AddressAllocFreeProcQueryVirtual
String ID: PDBOpenValidate5
API String ID: 1898765391-413491164
Opcode ID: 99f1c4a318417b25c10739738f8050c79264c2b018c3f640629d8698bb2b40ef
Instruction ID: fb46c7572e4548a1364878600b3fa0e789064d6374a85ae451946a1a5b7b5ba2
Opcode Fuzzy Hash: 99f1c4a318417b25c10739738f8050c79264c2b018c3f640629d8698bb2b40ef
Instruction Fuzzy Hash: A3B18036B0AB4686EB10EF69E48066DB3A1FB88B98F919135DE4D53B64DF7CD409C310

Function 00007FF7C1F982E0 Relevance: 10.6, APIs: 7, Instructions: 83COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7C1F982F1
RtlCaptureContext.KERNEL32 ref: 00007FF7C1F9832C
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7C1F9834C
RtlVirtualUnwind.KERNEL32 ref: 00007FF7C1F9839A
IsDebuggerPresent.KERNEL32 ref: 00007FF7C1F983FF
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7C1F9843B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7C1F98446

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 17dda1f00b622d4178bc9a0028d3145cdaf992d647b7572fb4f72e5fdeab2351
Instruction ID: 925e52492ee4d2d01aee592d692f6674a62c61edb50cc6b790608b0fd3716b4b
Opcode Fuzzy Hash: 17dda1f00b622d4178bc9a0028d3145cdaf992d647b7572fb4f72e5fdeab2351
Instruction Fuzzy Hash: 7941343660DB8586E760AF14F4403ABB7A4FB89760F90413AD68D43BA9EF7DC458CB10

Function 00007FF7C1F97230 Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7C1F9723B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7C1F97246
GetCurrentProcess.KERNEL32 ref: 00007FF7C1F9724C
TerminateProcess.KERNEL32 ref: 00007FF7C1F9725A

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: db6a8ecf07ad2ef5111a8cf63022636eb0e9a2a61a501f077ca738ff79ad58ba
Instruction ID: 5ec1a97db2b967f199efd0f1a3b735d25b768a49891a456524d1ad35f0e6fa53
Opcode Fuzzy Hash: db6a8ecf07ad2ef5111a8cf63022636eb0e9a2a61a501f077ca738ff79ad58ba
Instruction Fuzzy Hash: 29D05E28E5AB42C2EB047F31FC4942AA320BF89B11FA0E134CA0F02260CF7DD44E8710

Function 00007FF7C1F99850 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

$, xrefs: 00007FF7C1F99ADC

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 5e94cbb2dee9a96bb79b0a5074c1bc956fbd4f937435c41fc997a4cd7f4ff09b
Instruction ID: cf10449a6973d2df061710d9748e964a0990a67f549e2be2135774215210850f
Opcode Fuzzy Hash: 5e94cbb2dee9a96bb79b0a5074c1bc956fbd4f937435c41fc997a4cd7f4ff09b
Instruction Fuzzy Hash: B8D11E7260A7428BE754DF19E842326F6E0FB44364F909135E69DCB7E4DBBCE4448B11

Function 00007FF7C1F9140B Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7C1F9865B

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 417357237fcf004ed15076d82cc0b7d6523f53161cc114424a79e71386b4c8c2
Instruction ID: c58769c4d4d7e793cff0d1913e3b36a77bba76188ec65cf950d393041c6155c2
Opcode Fuzzy Hash: 417357237fcf004ed15076d82cc0b7d6523f53161cc114424a79e71386b4c8c2
Instruction Fuzzy Hash: BBB09295E0F906E1E704BF21EC8A03892256B6A361FE19930C20E405604F9DA6AA8720

Function 00007FF7C1F91E30 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 219COMMON

Download Yara Rule

APIs

?width@ios_base@std@@QEBA_JXZ.MSVCP140D ref: 00007FF7C1F91EB4
?width@ios_base@std@@QEBA_JXZ.MSVCP140D ref: 00007FF7C1F91EDD
?width@ios_base@std@@QEBA_JXZ.MSVCP140D ref: 00007FF7C1F91F07
?flags@ios_base@std@@QEBAHXZ.MSVCP140D ref: 00007FF7C1F91F7D
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140D ref: 00007FF7C1F91FC7
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00007FF7C1F91FEE
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140D ref: 00007FF7C1F92001
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00007FF7C1F9205A
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140D ref: 00007FF7C1F9206E
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140D ref: 00007FF7C1F920D1
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00007FF7C1F920F8
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140D ref: 00007FF7C1F9210B
?width@ios_base@std@@QEAA_J_J@Z.MSVCP140D ref: 00007FF7C1F92160
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140D ref: 00007FF7C1F9218D

Strings

:, xrefs: 00007FF7C1F9201A, 00007FF7C1F92124

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@
String ID: :
API String ID: 4125389999-3157689729
Opcode ID: e702005695af6e21fafe54a0031883493122fa2bf4fdefdb5d74277bb98a1716
Instruction ID: 3659470c89bd4978f169261b0df50fb39c6080e9b0d7569ac2e9f55f87910135
Opcode Fuzzy Hash: e702005695af6e21fafe54a0031883493122fa2bf4fdefdb5d74277bb98a1716
Instruction Fuzzy Hash: 4EB1FE3670AB8589EB24EF25D8942F877A0FB89BA9F804036DA4E4B765DF7DD540C310

Function 00007FF7C1F96840 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

failwithmessage.LIBCMTD ref: 00007FF7C1F9688B

Part of subcall function 00007FF7C1F96C90: MultiByteToWideChar.KERNEL32 ref: 00007FF7C1F96D01
Part of subcall function 00007FF7C1F96C90: MultiByteToWideChar.KERNEL32 ref: 00007FF7C1F96D2F
Part of subcall function 00007FF7C1F96C90: DebuggerProbe.LIBCMTD ref: 00007FF7C1F96D4D
Part of subcall function 00007FF7C1F96C90: DebuggerRuntime.LIBCMTD ref: 00007FF7C1F96D68
Part of subcall function 00007FF7C1F96C90: IsDebuggerPresent.KERNEL32 ref: 00007FF7C1F96D8B

failwithmessage.LIBCMTD ref: 00007FF7C1F9696D

Strings

Size: , xrefs: 00007FF7C1F96938
Data: <, xrefs: 00007FF7C1F9690E
Stack area around _alloca memory reserved by this function is corrupted, xrefs: 00007FF7C1F968D1
Allocation number within this function: , xrefs: 00007FF7C1F9691A
Address: 0x, xrefs: 00007FF7C1F96944
Stack area around _alloca memory reserved by this function is corrupted, xrefs: 00007FF7C1F9687C
%s%s%p%s%zd%s%d%s%s%s%s%s, xrefs: 00007FF7C1F968E9

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: Debugger$ByteCharMultiWidefailwithmessage$PresentProbeRuntime
String ID: Address: 0x$Allocation number within this function: $Data: <$Size: $%s%s%p%s%zd%s%d%s%s%s%s%s$Stack area around _alloca memory reserved by this function is corrupted$Stack area around _alloca memory reserved by this function is corrupted
API String ID: 3941055102-3301296223
Opcode ID: 62f418b7470cf76cece319367262c7154dbaa546e73d9087d4ce461606560181
Instruction ID: 2ab6f5fce620ed043f359e52ba3837fd58f20cb71157e224a1fdc9b6db950374
Opcode Fuzzy Hash: 62f418b7470cf76cece319367262c7154dbaa546e73d9087d4ce461606560181
Instruction Fuzzy Hash: CC313936609A8691EB21EF50E4503EAB764FB883A4F844132DA9D03B58DF7CD159C710

Function 00007FF7C1F91168 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_CrtDbgReport.UCRTBASED ref: 00007FF7C1F94152
_invalid_parameter.UCRTBASED ref: 00007FF7C1F9418A
_CrtDbgReport.UCRTBASED ref: 00007FF7C1F94201
_invalid_parameter.UCRTBASED ref: 00007FF7C1F94239

Strings

invalid argument, xrefs: 00007FF7C1F94128, 00007FF7C1F941D7
"invalid argument", xrefs: 00007FF7C1F94183, 00007FF7C1F94232
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory, xrefs: 00007FF7C1F94146, 00007FF7C1F941F5
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory, xrefs: 00007FF7C1F94175, 00007FF7C1F94224

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: Report_invalid_parameter
String ID: "invalid argument"$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory$invalid argument
API String ID: 4134963321-3991650627
Opcode ID: c3022504ced10027b1f408bc5a6d14bb3b91f462ceeb451910f09cdbcedea7de
Instruction ID: d6051b28d87991a1b90f9e801165862d49beff7b719a8a0118a693bec580671a
Opcode Fuzzy Hash: c3022504ced10027b1f408bc5a6d14bb3b91f462ceeb451910f09cdbcedea7de
Instruction Fuzzy Hash: E0518072609B4685EB21FF24E8403A9B7A0FB997A8FD05132D98D87764DFBCE184C350

Function 00007FF7C1F913F2 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_CrtDbgReport.UCRTBASED ref: 00007FF7C1F92535
_invalid_parameter.UCRTBASED ref: 00007FF7C1F92567

Strings

invalid argument, xrefs: 00007FF7C1F92508
"invalid argument", xrefs: 00007FF7C1F92560
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory, xrefs: 00007FF7C1F92529
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory, xrefs: 00007FF7C1F92552

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: Report_invalid_parameter
String ID: "invalid argument"$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory$invalid argument
API String ID: 4134963321-3991650627
Opcode ID: d3d3677d7e7a726a98beeb76b8965c56435e57cef571e544404305723ab739d4
Instruction ID: ff670fbcbba54e3fbe8464035df634b9e56de51dbe905a7e34805a812ab18264
Opcode Fuzzy Hash: d3d3677d7e7a726a98beeb76b8965c56435e57cef571e544404305723ab739d4
Instruction Fuzzy Hash: 46316F31606F4294EB20BF29E8507E9A7A4EF843B8F905131E64D877A4EF7CD594C360

Function 00007FF7C1F91668 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

_CrtDbgReport.UCRTBASED ref: 00007FF7C1F94F0D
_invalid_parameter.UCRTBASED ref: 00007FF7C1F94F3F

Strings

"null pointer cannot point to a block of non-zero size", xrefs: 00007FF7C1F94F38
null pointer cannot point to a block of non-zero size, xrefs: 00007FF7C1F94EE0
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory, xrefs: 00007FF7C1F94F01
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory, xrefs: 00007FF7C1F94F2A

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: Report_invalid_parameter
String ID: "null pointer cannot point to a block of non-zero size"$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory$C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\include\xmemory$null pointer cannot point to a block of non-zero size
API String ID: 4134963321-2612606465
Opcode ID: 020c072d8a49cf6db1f53ef7d4518ac4833d0d1583c11a308945e959566487de
Instruction ID: 20961338c834438e1727e2d9f2aeb00a6e0fc58f80f8221ce0e970fc181dd8ca
Opcode Fuzzy Hash: 020c072d8a49cf6db1f53ef7d4518ac4833d0d1583c11a308945e959566487de
Instruction Fuzzy Hash: 6D216321A0AA8395F770FF24E9447B9A3A4FB953A8FC05531D58C83694EFBCE644C760

Function 00007FF7C1F98D20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetPdbDllFromInstallPath.LIBCMTD ref: 00007FF7C1F98D4D

Part of subcall function 00007FF7C1F98EE0: GetLastError.KERNEL32 ref: 00007FF7C1F98F4D
Part of subcall function 00007FF7C1F98EE0: GetProcAddress.KERNEL32 ref: 00007FF7C1F98F7F
Part of subcall function 00007FF7C1F98EE0: GetProcAddress.KERNEL32 ref: 00007FF7C1F98F97
Part of subcall function 00007FF7C1F98EE0: GetProcAddress.KERNEL32 ref: 00007FF7C1F98FAF
Part of subcall function 00007FF7C1F98EE0: FreeLibrary.KERNEL32 ref: 00007FF7C1F98FEE

GetLastError.KERNEL32 ref: 00007FF7C1F98DBD
GetLastError.KERNEL32 ref: 00007FF7C1F98DFC

Strings

VCRUNTIME140D.dll, xrefs: 00007FF7C1F98D5B
MSPDB140, xrefs: 00007FF7C1F98DE5

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: AddressErrorLastProc$FreeFromInstallLibraryPath
String ID: MSPDB140$VCRUNTIME140D.dll
API String ID: 3575457754-1916464790
Opcode ID: dbfa167dad0d587cda03ba51390c935cb4bdf1df8d110d135ed2a741d07536ce
Instruction ID: 0ca9150e6a9aa24ad5c0830e5c3f4275633446cbe9b0a671a745c860156d2abb
Opcode Fuzzy Hash: dbfa167dad0d587cda03ba51390c935cb4bdf1df8d110d135ed2a741d07536ce
Instruction Fuzzy Hash: E131AD51F1E68A42FB70BF21D4613B9A390AF95764FC44036DA4D826D6EEECE214CB30

Function 00007FF7C1F91014 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140D ref: 00007FF7C1F950EB
CloseHandle.KERNEL32 ref: 00007FF7C1F95128

Strings

Failed to take process snapshot, xrefs: 00007FF7C1F950CE

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@CloseD@std@@@std@@HandleU?$char_traits@V01@@
String ID: Failed to take process snapshot
API String ID: 3076007902-3394000207
Opcode ID: 4007f88775639b4347f4ce1dc779782cc6343f8d88a2cee20590106f97c58f38
Instruction ID: 041d2bf6848d295a7ba3090188a994ba82aa130d0a0ba4a70c6337eba4369ac5
Opcode Fuzzy Hash: 4007f88775639b4347f4ce1dc779782cc6343f8d88a2cee20590106f97c58f38
Instruction Fuzzy Hash: 4131A861B0DA8294E760FF25D8542F9A360FB857B4FC01232D91D476A5DFBCE545C320

Function 00007FF7C1F9112C Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140D ref: 00007FF7C1F93947
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00007FF7C1F93982

Memory Dump Source

Source File: 00000000.00000002.2434705759.00007FF7C1F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C1F80000, based on PE: true

Associated: 00000000.00000002.2434658340.00007FF7C1F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434705759.00007FF7C1F9C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434789363.00007FF7C1F9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434835035.00007FF7C1FA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434874552.00007FF7C1FA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434914417.00007FF7C1FA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434951797.00007FF7C1FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2434991320.00007FF7C1FAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c1f80000_useMyDll.jbxd

Similarity

API ID: U?$char_traits@$?good@ios_base@std@@?tie@?$basic_ios@D@std@@@2@D@std@@@std@@V?$basic_ostream@
String ID:
API String ID: 136917557-0
Opcode ID: 4e2c944fefe0361fe2b1017756ceb35b61de9a0ad7049ee475c025dba157a522
Instruction ID: 12bea9bc84d3faf20247ad15d2cf34c00fa480dd50bd45c7fdffc213042b8822
Opcode Fuzzy Hash: 4e2c944fefe0361fe2b1017756ceb35b61de9a0ad7049ee475c025dba157a522
Instruction Fuzzy Hash: A231FD3260ABC5C8DB71EF25D8843E867A0FB98B98F448036DA8E47764DFB8D584C350

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report useMyDll.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: useMyDll.exePID: 6768, Parent PID: 496

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Windows Analysis Report
useMyDll.exe