Edit tour

Windows Analysis Report
out.dll.dll

Overview

General Information

Sample Name:	out.dll.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	out.dll.exe
Analysis ID:	894471
MD5:	5a3ee07759e23c507915fb3d473154de
SHA1:	ef47ff06ad6a0db77183be19284dbe2c53b16a50
SHA256:	14009b05324320da1f4942c35d0cfd24b5dbc49773ce4618e6e070d74a7ffb6a
Tags:	exe
Infos:

Detection

Strela Stealer

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Strela Stealer

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

C2 URLs / IPs found in malware configuration

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

PE file contains more sections than normal

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 5764 cmdline: loaddll64.exe "C:\Users\user\Desktop\out.dll.dll" MD5: 67C05BFD8F41B3421FE285E2FE9641C7)

conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5696 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 2344 cmdline: rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4924 cmdline: rundll32.exe C:\Users\user\Desktop\out.dll.dll,f MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6964 cmdline: rundll32.exe "C:\Users\user\Desktop\out.dll.dll",f MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

Threatname: Strela Stealer

{"C2 url": "91.215.85.209/server.php"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000005.00000002.401547343.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000004.00000002.389694685.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 4924	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 2344	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 6964	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.rundll32.exe.6d7ed404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.6d7ed404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.rundll32.exe.6d7ed404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.6d7ed404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.rundll32.exe.6d7ed404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.rundll32.exe.6d7ed404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.rundll32.exe.6d7c0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.6d7c0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.rundll32.exe.6d7c0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 4 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.rundll32.exe.6d7ed404.1.raw.unpack

Malware Configuration Extractor: Strela Stealer {"C2 url": "91.215.85.209/server.php"}

Antivirus detection for URL or domain

Source: 91.215.85.209/server.php

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: 91.215.85.209/server.php

Virustotal: Detection: 17%

Perma Link

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000018A52C71770 FindFirstFileA,	3_2_0000018A52C71770
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000023E74401770 FindFirstFileA,	4_2_0000023E74401770
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017FE20A1770 FindFirstFileA,	5_2_0000017FE20A1770

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 91.215.85.209/server.php

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_6D7C13B0	3_2_6D7C13B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000018A52C712C0	3_2_0000018A52C712C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000018A52C71770	3_2_0000018A52C71770
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000018A52C7667C	3_2_0000018A52C7667C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000018A52C7E8A8	3_2_0000018A52C7E8A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000023E744012C0	4_2_0000023E744012C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000023E74401770	4_2_0000023E74401770
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000023E7440E8A8	4_2_0000023E7440E8A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000023E7440667C	4_2_0000023E7440667C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017FE20A12C0	5_2_0000017FE20A12C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017FE20A1770	5_2_0000017FE20A1770
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017FE20AE8A8	5_2_0000017FE20AE8A8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017FE20A667C	5_2_0000017FE20A667C

Source: out.dll.dll

Static PE information: Number of sections : 17 > 10

Source: out.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\out.dll.dll,f

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\out.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\out.dll.dll,f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\out.dll.dll",f
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\out.dll.dll,f	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\out.dll.dll",f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_01

Source: classification engine

Classification label: mal76.troj.winDLL@10/0@0/0

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: out.dll.dll

Static PE information: Image base 0x6d7c0000 > 0x60000000

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000018A52C7AF62 push esp; ret	3_2_0000018A52C7AF65
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000018A52C8652E push ecx; retf 003Fh	3_2_0000018A52C8658E
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000023E7440AF62 push esp; ret	4_2_0000023E7440AF65
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017FE20B652E push ecx; retf 003Fh	5_2_0000017FE20B658E

Source: out.dll.dll	Static PE information: section name: .xdata
Source: out.dll.dll	Static PE information: section name: /4
Source: out.dll.dll	Static PE information: section name: /19
Source: out.dll.dll	Static PE information: section name: /31
Source: out.dll.dll	Static PE information: section name: /45
Source: out.dll.dll	Static PE information: section name: /57
Source: out.dll.dll	Static PE information: section name: /70

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe TID: 5676

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000018A52C71770 FindFirstFileA,	3_2_0000018A52C71770
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000023E74401770 FindFirstFileA,	4_2_0000023E74401770
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017FE20A1770 FindFirstFileA,	5_2_0000017FE20A1770

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_6D7EADE0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D7EADE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000018A52C71C88 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	3_2_0000018A52C71C88
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000023E74401C88 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	4_2_0000023E74401C88
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017FE20A1C88 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	5_2_0000017FE20A1C88

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_6D7EAD00 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6D7EAD00

Stealing of Sensitive Information

Yara detected Strela Stealer

Source: Yara match	File source: 4.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.401547343.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.389694685.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6964, type: MEMORYSTR

Remote Access Functionality

Yara detected Strela Stealer

Source: Yara match	File source: 4.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.401547343.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.389694685.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6964, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
91.215.85.209/server.php	18%	Virustotal		Browse
91.215.85.209/server.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
91.215.85.209/server.php	true	18%, Virustotal, Browse Avira URL Cloud: malware	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	894471
Start date and time:	2023-06-26 14:52:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	out.dll.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	out.dll.exe
Detection:	MAL
Classification:	mal76.troj.winDLL@10/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 65% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 98% Number of executed functions: 21 Number of non-executed functions: 24
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
14:53:07	API Interceptor	1x Sleep call for process: loaddll64.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	7.034909599337373
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.41% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% VXD Driver (31/22) 0.03%
File name:	out.dll.dll
File size:	330475
MD5:	5a3ee07759e23c507915fb3d473154de
SHA1:	ef47ff06ad6a0db77183be19284dbe2c53b16a50
SHA256:	14009b05324320da1f4942c35d0cfd24b5dbc49773ce4618e6e070d74a7ffb6a
SHA512:	003b0fbe7599eca2736398ff56dc440cbecf3fd426944da199f92ea4d88f633476e0ba0536aed635b3cf57bb1acb69df154217454eeecb909bab4ede6216cd5a
SSDEEP:	6144:wkdK9Z31wC4HCzUI+krsKtZTWScGeDYNiaye0SWcCVTK/S:wkde4iqas+IScTUEC0LckKq
TLSH:	DD647DAD68DB690AFE6188342FF8BBA1C77734B9C757D7F154E8503029204A3AC46727
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....`.d..........& ................0.........\|m.............................................. ............................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x6d7c1330
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x6d7c0000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:
Time Stamp:	0x649960C1 [Mon Jun 26 09:56:17 2023 UTC]
TLS Callbacks:	0x6d7eaf10
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fcfbe5457e76d2ac347d7db113c0ca3b

Entrypoint Preview

Instruction
dec eax
sub esp, 48h
dec eax
mov eax, dword ptr [00047F35h]
mov dword ptr [eax], 00000000h
cmp edx, 01h
je 00007F09449E0F2Ch
dec eax
add esp, 48h
jmp 00007F09449E0DD6h
nop
dec esp
mov dword ptr [esp+38h], eax
mov dword ptr [esp+34h], edx
dec eax
mov dword ptr [esp+28h], ecx
call 00007F0944A0A8C2h
call 00007F0944A0B1ADh
dec esp
mov eax, dword ptr [esp+38h]
mov edx, dword ptr [esp+34h]
dec eax
mov ecx, dword ptr [esp+28h]
dec eax
add esp, 48h
jmp 00007F09449E0DA6h
nop
dec eax
mov edx, ecx
dec eax
lea ecx, dword ptr [0004AC76h]
jmp 00007F0944A0BBA6h
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F09449E0F09h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push esi
push edi
push ebx
mov eax, 00001178h
call 00007F0944A0BA8Fh
dec eax
sub esp, eax
dec eax
lea ebp, dword ptr [esp+00000080h]
xor eax, eax
mov ecx, dword ptr [0004B537h]
mov edx, dword ptr [0004B539h]
sub eax, 01h
add eax, 00000000h
inc ecx
mov eax, ecx
inc ecx
sub eax, CCDAE09Dh
inc ecx
add eax, eax
inc ecx
add eax, 00DAE09Dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4d000	0x3c	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4e000	0x5b0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4a000	0x234	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x51000	0x64	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x49040	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4e16c	0x130	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b2e8	0x2b400	False	0.3706816744942196	data	6.148486969707782	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2d000	0x1b8c0	0x1ba00	False	0.8710142109728507	data	7.731351321018186	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x49000	0x280	0x400	False	0.275390625	data	2.4559837096468744	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x4a000	0x234	0x400	False	0.3330078125	data	3.0085099518562815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x4b000	0x1d0	0x200	False	0.400390625	data	3.7977123677025686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x4c000	0x930	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x4d000	0x3c	0x200	False	0.111328125	data	0.5873405188610821	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x4e000	0x5b0	0x600	False	0.373046875	data	4.144029993089026	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x4f000	0x58	0x200	False	0.05859375	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x50000	0x10	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x51000	0x64	0x200	False	0.208984375	data	1.1768257918904406	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4	0x52000	0x50	0x200	False	0.072265625	data	0.23653878450968063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x53000	0x1f08	0x2000	False	0.459716796875	data	5.8268156910913795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31	0x55000	0x149	0x200	False	0.375	data	3.2872917906726884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45	0x56000	0x222	0x400	False	0.2880859375	data	3.229342673799407	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57	0x57000	0x48	0x200	False	0.12109375	data	0.7133318848005825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70	0x58000	0x9b	0x200	False	0.259765625	data	2.320780444544343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery

msvcrt.dll

__iob_func, _amsg_exit, _initterm, _lock, _unlock, abort, calloc, free, fwrite, realloc, signal, strlen, strncmp, vfprintf

Exports

Name	Ordinal	Address
f	1	0x6d7c13b0

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exePID: 5764, Parent PID: 3324

General

Target ID:	0
Start time:	14:53:03
Start date:	26/06/2023
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\out.dll.dll"
Imagebase:	0x7ff74a650000
File size:	165888 bytes
MD5 hash:	67C05BFD8F41B3421FE285E2FE9641C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5748, Parent PID: 5764

General

Target ID:	1
Start time:	14:53:03
Start date:	26/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5696, Parent PID: 5764

General

Target ID:	2
Start time:	14:53:04
Start date:	26/06/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1
Imagebase:	0x7ff627730000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4924, Parent PID: 5764

General

Target ID:	3
Start time:	14:53:04
Start date:	26/06/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\out.dll.dll,f
Imagebase:	0x7ff7b71c0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2344, Parent PID: 5696

General

Target ID:	4
Start time:	14:53:04
Start date:	26/06/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1
Imagebase:	0x7ff7b71c0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.389694685.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6964, Parent PID: 5764

General

Target ID:	5
Start time:	14:53:07
Start date:	26/06/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\out.dll.dll",f
Imagebase:	0x7ff7b71c0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.401547343.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 4924, Parent PID: 5764COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	87.1%
Signature Coverage:	3.8%
Total number of Nodes:	1226
Total number of Limit Nodes:	12

Executed Functions

Function 6D7C13B0 Relevance: 17.4, APIs: 1, Instructions: 16133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.395310059.000000006D7C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000003.00000002.395304928.000000006D7C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395364082.000000006D809000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395371412.000000006D80E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D813000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D818000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2c65aa9d8fdb84e188641d441d8a8efd869f2063b41fe2a9811ea81d7ac98d
Instruction ID: c529e21995d59a7bba657c62df19e20bb1b31903ede5f35e1779d22f00c4d353
Opcode Fuzzy Hash: ca2c65aa9d8fdb84e188641d441d8a8efd869f2063b41fe2a9811ea81d7ac98d
Instruction Fuzzy Hash: AD44F5B77A1A810DF7264A3A8B207DF2F71A3527B8F167B01DE345B7F5DA7A82454200

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C712C0 Relevance: 7.9, APIs: 5, Instructions: 379
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 0000018A52C712F2
RegEnumKeyExA.KERNELBASE ref: 0000018A52C71407
RegOpenKeyExA.KERNELBASE ref: 0000018A52C71472

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: Open$Enum
String ID:
API String ID: 462099255-0
Opcode ID: 2a02730be39cc75ee99e02b240c38d7de0b4f72d589f073dcba7369fd32cc831
Instruction ID: 86a5bbd5675f779a4d8ca654bae9a4e932e112d87f69b8a45bac72a78f494882
Opcode Fuzzy Hash: 2a02730be39cc75ee99e02b240c38d7de0b4f72d589f073dcba7369fd32cc831
Instruction Fuzzy Hash: 29D17D30518B888FEB65DF18D8946EAB7E1FF98304F44462FA58BD3161DF749681CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C71C88 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 0000018A52C71C91
_invalid_parameter_noinfo.LIBCMT ref: 0000018A52C765E4

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
String ID:
API String ID: 59578552-0
Opcode ID: f95e01fbf38a281d9255cdf92b69475522e65d4a66deb1467f342da968b848f1
Instruction ID: fc0cfa88302a60eb51de5391cc5bb3da78542019ebfad39e4037d39490e1604e
Opcode Fuzzy Hash: f95e01fbf38a281d9255cdf92b69475522e65d4a66deb1467f342da968b848f1
Instruction Fuzzy Hash: BAE08C309156094BFA5833BA0C662EC22B0AF05320FEC821FB715C61D7ED6946D493A3

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C71770 Relevance: 1.8, APIs: 1, Instructions: 304
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 0000018A52C71807

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 81c7c7fd01d69da00775a62d13099b4ead950d999e7021fb467b756ffc4a194f
Instruction ID: d0e73f6234ad04f57327138251c2ea765eb5a4a18d8703d526dc42315709abb6
Opcode Fuzzy Hash: 81c7c7fd01d69da00775a62d13099b4ead950d999e7021fb467b756ffc4a194f
Instruction Fuzzy Hash: 36A1B531218A484BFB29EF24DC596EA73E1FF94310F54861EE54BC3192DF349A458B82

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C71AE0 Relevance: 4.6, APIs: 3, Instructions: 75
synchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32 ref: 0000018A52C71B11
CreateMutexExA.KERNEL32 ref: 0000018A52C71B74
MessageBoxA.USER32 ref: 0000018A52C71BA4

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: ComputerCreateMessageMutexName
String ID:
API String ID: 2342047096-0
Opcode ID: bf0b7409f839259ce88bb476a521653d71adaaef5a7294aa3565bebdb25f1347
Instruction ID: 2cb92e1e15504ec5edded03f872f3101e7c81fed2adecbf9bf8c7fb03497b1dc
Opcode Fuzzy Hash: bf0b7409f839259ce88bb476a521653d71adaaef5a7294aa3565bebdb25f1347
Instruction Fuzzy Hash: 9221CC30118A448BF719DB34DC995EA77E1FFD9305F44897EF14BC60A2EE7485458B42

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C77AFC Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 0000018A52C77B51

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30d4bf1e297d70a882b7f1add7ff9fded3996ca996f5e333fb51e94ed5290b56
Instruction ID: 689a3d0d4730cfc123b5929d6e45ca276ac6c26972bf04d2ca2a1aff431ec4cd
Opcode Fuzzy Hash: 30d4bf1e297d70a882b7f1add7ff9fded3996ca996f5e333fb51e94ed5290b56
Instruction Fuzzy Hash: D7011D30310A0E4BFB586BA948A93A572E5DF58301F98903F7605C61D3EE55CA984352

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C76328 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,0000018A52C76324), ref: 0000018A52C76353

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0c3185d8b51bac4eb50b0166e6d79b52d76e7ad81d5639061b00e529f1dc9730
Instruction ID: 27e1169f8f8c95238e20a0b3f0d4fec2882ad373c57a56ba2a120d3f26df5ad4
Opcode Fuzzy Hash: 0c3185d8b51bac4eb50b0166e6d79b52d76e7ad81d5639061b00e529f1dc9730
Instruction Fuzzy Hash: F0D017303012044BFB28BBB099A92B92B618B44305F54582DB66BCB697CD798C448752

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6D7EADE0 Relevance: 12.0, APIs: 8, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCaptureContext.KERNEL32 ref: 6D7EADF4
RtlLookupFunctionEntry.KERNEL32 ref: 6D7EAE0B
RtlVirtualUnwind.KERNEL32 ref: 6D7EAE4D
SetUnhandledExceptionFilter.KERNEL32 ref: 6D7EAE91
UnhandledExceptionFilter.KERNEL32 ref: 6D7EAE9E
GetCurrentProcess.KERNEL32 ref: 6D7EAEA4
TerminateProcess.KERNEL32 ref: 6D7EAEB2
abort.MSVCRT ref: 6D7EAEB8

Memory Dump Source

Source File: 00000003.00000002.395310059.000000006D7C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000003.00000002.395304928.000000006D7C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395364082.000000006D809000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395371412.000000006D80E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D813000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D818000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: 0df65104002afcf3a5308d72e2e55d3e2305cf2fbe05d96474d79cf730cac82b
Instruction ID: 7e7dc6ca435440cde9480edaf27f57701c5d8a51c7a772b8baa5bed59b50fc21
Opcode Fuzzy Hash: 0df65104002afcf3a5308d72e2e55d3e2305cf2fbe05d96474d79cf730cac82b
Instruction Fuzzy Hash: 9021E275B10B0089FB019F65F88939A33B6B749B99F448127EA4E93765EF39C168C310

Uniqueness

Uniqueness Score: -1.00%

Function 6D7EAD00 Relevance: 7.6, APIs: 5, Instructions: 56
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6D7EAD45
GetCurrentProcessId.KERNEL32 ref: 6D7EAD50
GetCurrentThreadId.KERNEL32 ref: 6D7EAD59
GetTickCount.KERNEL32 ref: 6D7EAD61
QueryPerformanceCounter.KERNEL32 ref: 6D7EAD6E

Memory Dump Source

Source File: 00000003.00000002.395310059.000000006D7C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000003.00000002.395304928.000000006D7C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395364082.000000006D809000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395371412.000000006D80E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D813000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D818000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 67207b604c025b437f20d6c5347240990710dbd6181aa0d293a29e7a5e0b68e1
Instruction ID: c686f1a8d7b80d35322faf7e0a89bedf2ba13350a0edd1b317562447d65a69ac
Opcode Fuzzy Hash: 67207b604c025b437f20d6c5347240990710dbd6181aa0d293a29e7a5e0b68e1
Instruction Fuzzy Hash: 8911A026B15A1489FB119B25FD08316B3A1B7497F2F0846329E9C437A4EF3DC499C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C7E8A8 Relevance: 1.8, APIs: 1, Instructions: 321COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 0000018A52C7EAF7

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 366ece8fd4243e10d17ea9cc99fe40b0e0fe10ffefe9f6541844f2a7d48a03a3
Instruction ID: 92f63ea425edc4701ad2f6bf5a86d7bc6cfafa53da1d6856863cfe5b174957f8
Opcode Fuzzy Hash: 366ece8fd4243e10d17ea9cc99fe40b0e0fe10ffefe9f6541844f2a7d48a03a3
Instruction Fuzzy Hash: 67C17032510A5D8FEB98CF1CC49AB953BF0FF56314F58859AE85ACB2A2C735D891CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C7667C Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938e5dc5f931898c53ab94ddb6ba8926b6e3c4df36339bc41ef0f30e53ab89a1
Instruction ID: d870b2d8038ee176f6d7825ec935b1ec659e497c58a61ba7f923d1bf5e8b31a6
Opcode Fuzzy Hash: 938e5dc5f931898c53ab94ddb6ba8926b6e3c4df36339bc41ef0f30e53ab89a1
Instruction Fuzzy Hash: B451F732318E084FEB1CDF6CD4996B573D2EBA8310755822FF50AD72A6DE70D9868781

Uniqueness

Uniqueness Score: -1.00%

Function 6D7EB190 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 283
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E6D7EB190(int __eax, signed long long __rax, void* __rbx, signed short* __rcx, void* __rdi, void* __rsi, signed long long __r8, void* __r12, void* __r13, void* __r14, void* __r15) {
				int _t30;
				int _t33;
				intOrPtr _t37;
				signed int _t41;
				signed int _t53;
				int _t68;
				signed int _t78;
				void* _t81;
				void* _t82;
				signed long long _t85;
				intOrPtr* _t91;
				signed short* _t96;
				intOrPtr* _t98;
				signed long long _t100;
				int _t109;
				int _t114;
				void* _t116;
				void* _t118;
				void* _t120;
				void* _t121;
				signed long long _t130;
				intOrPtr _t135;
				intOrPtr _t142;
				void* _t147;
				intOrPtr _t151;
				intOrPtr _t152;
				int _t155;
				signed long long _t156;

				_t157 = __r15;
				_t130 = __r8;
				_t96 = __rcx;
				_t94 = __rbx;
				_t85 = __rax;
				_t30 = __eax;
				_push(__r15);
				_push(__rbx);
				_t121 = _t120 - 0x38;
				_t118 = _t121 + 0x80;
				_t53 =  *0x6d80c5e0;
				if(_t53 == 0) {
					 *0x6d80c5e0 = 1;
					E6D7EBCE0();
					_t30 = E6D7EBF30(_t85);
					_t142 =  *0x6d8091c0; // 0x6d809280
					 *0x6d80c5e4 = 0;
					_t114 =  *0x6d8091d0; // 0x6d809280
					 *0x6d80c5e8 = _t121 - (0x0000001e + (_t85 + _t85 * 0x00000004) * 0x00000008 & 0xfffffff0) + 0x20;
					_t91 = _t142 - _t114;
					__eflags = _t91 - 7;
					if(_t91 <= 7) {
						goto L1;
					} else {
						__eflags = _t91 - 0xb;
						_t68 =  *_t114;
						if(_t91 <= 0xb) {
							L18:
							__eflags = _t68;
							if(_t68 != 0) {
								goto L5;
							} else {
								_t20 = _t114 + 4; // 0x0
								_t30 =  *_t20;
								__eflags = _t30;
								if(_t30 != 0) {
									goto L5;
								} else {
									goto L20;
								}
							}
						} else {
							__eflags = _t68;
							if(_t68 == 0) {
								_t17 = _t114 + 4; // 0x0
								__eflags =  *_t17;
								if( *_t17 != 0) {
									goto L5;
								} else {
									_t18 = _t114 + 8; // 0x0
									__eflags =  *_t18;
									if( *_t18 != 0) {
										L20:
										_t21 = _t114 + 8; // 0x0
										__eflags =  *_t21 - 1;
										if(__eflags != 0) {
											L34:
											_t98 = "  Unknown pseudo relocation protocol version %d.\n";
											E6D7EC240(__eflags, _t98, _t100, _t130, _t135);
											_t37 =  *_t98;
											__eflags = _t37 - 0xc0000091;
											if(_t37 > 0xc0000091) {
												__eflags = _t37 - 0xc0000094;
												if(__eflags == 0) {
													L6D7EBFA8();
													__eflags = _t91 - 1;
													if(_t91 != 1) {
														goto L49;
													} else {
														L6D7EBFA8();
														_t41 = 0;
														goto L43;
													}
												} else {
													if(__eflags > 0) {
														__eflags = _t37 - 0xc0000095;
														if(_t37 == 0xc0000095) {
															goto L60;
														} else {
															__eflags = _t37 - 0xc0000096;
															if(_t37 != 0xc0000096) {
																goto L58;
															} else {
																goto L53;
															}
														}
													} else {
														__eflags = _t37 - 0xc0000092;
														if(_t37 == 0xc0000092) {
															goto L60;
														} else {
															__eflags = _t37 - 0xc0000093;
															if(_t37 != 0xc0000093) {
																goto L58;
															} else {
																goto L48;
															}
														}
													}
												}
											} else {
												__eflags = _t37 - 0xc000008d;
												if(_t37 >= 0xc000008d) {
													L48:
													L6D7EBFA8();
													__eflags = _t91 - 1;
													if(_t91 == 1) {
														L6D7EBFA8();
														E6D7EBF20(_t37);
														goto L60;
													} else {
														L49:
														__eflags = _t91;
														if(_t91 == 0) {
															goto L58;
														} else {
															 *_t91();
															__eflags = 0;
															return 0;
														}
													}
												} else {
													__eflags = _t37 - 0xc0000008;
													if(__eflags == 0) {
														L60:
														__eflags = 0;
														return 0;
													} else {
														if(__eflags > 0) {
															__eflags = _t37 - 0xc000001d;
															if(_t37 == 0xc000001d) {
																L53:
																L6D7EBFA8();
																__eflags = _t91 - 1;
																if(_t91 == 1) {
																	L6D7EBFA8();
																	_t41 = 0;
																	goto L43;
																} else {
																	__eflags = _t91;
																	if(_t91 == 0) {
																		goto L65;
																	} else {
																		 *_t91();
																		__eflags = 0;
																		return 0;
																	}
																}
															} else {
																__eflags = _t37 - 0xc000008c;
																if(_t37 == 0xc000008c) {
																	goto L60;
																} else {
																	goto L58;
																}
															}
														} else {
															__eflags = _t37 - 0x80000002;
															if(_t37 == 0x80000002) {
																goto L60;
															} else {
																__eflags = _t37 - 0xc0000005;
																if(_t37 != 0xc0000005) {
																	L58:
																	return 1;
																} else {
																	L6D7EBFA8();
																	__eflags = _t91 - 1;
																	if(_t91 == 1) {
																		L6D7EBFA8();
																		_t41 = 0;
																	} else {
																		__eflags = _t91;
																		if(_t91 == 0) {
																			L65:
																			_t41 = 4;
																		} else {
																			 *_t91();
																			_t41 = 0;
																			__eflags = 0;
																		}
																	}
																	L43:
																	return _t41;
																}
															}
														}
													}
												}
											}
										} else {
											_t152 =  *0x6d8091f0; // 0x6d7c0000
											_t116 = _t114 + 0xc;
											_t156 = _t118 - 0x58;
											__eflags = _t116 - _t142;
											if(_t116 < _t142) {
												do {
													_t25 = _t116 + 8; // 0x6d80c5d0
													_t78 =  *_t25 & 0x000000ff;
													_t96 = _t96 + _t152;
													_t91 = _t91 + _t152;
													__eflags = _t78 - 0x10;
													_t135 =  *_t91;
													if(__eflags != 0) {
														if(__eflags <= 0) {
															__eflags = _t78 - 8;
															if(__eflags != 0) {
																goto L33;
															} else {
																r8d =  *_t96 & 0x000000ff;
																_t100 = _t156;
																_t112 = _t156;
																__eflags = r8b;
																_t131 =  <  ? _t130 | 0xffffff00 : _t130;
																_t132 = ( <  ? _t130 | 0xffffff00 : _t130) - _t91;
																_t130 = ( <  ? _t130 | 0xffffff00 : _t130) - _t91 + _t135;
																 *(_t118 - 0x58) = _t130;
																r8d = 1;
																E6D7EAFC0(_t81, _t82, _t94, _t96, _t100, _t156, _t116, _t130, _t142, _t152, _t156, 0);
																goto L27;
															}
														} else {
															__eflags = _t78 - 0x20;
															if(_t78 == 0x20) {
																_t112 = _t156;
																_t130 = _t100;
																__eflags = r8d;
																_t104 =  >=  ? _t130 : _t100 | 0x00000000;
																r8d = 4;
																_t105 = ( >=  ? _t130 : _t100 | 0x00000000) - _t91;
																_t106 = ( >=  ? _t130 : _t100 | 0x00000000) - _t91 + _t135;
																 *(_t118 - 0x58) = ( >=  ? _t130 : _t100 | 0x00000000) - _t91 + _t135;
																_t100 = _t156;
																E6D7EAFC0(_t81, _t82, _t94, _t96, _t100, _t156, _t116, _t130, _t142, _t152, _t156, 0);
																goto L27;
															} else {
																__eflags = _t78 - 0x40;
																if(__eflags != 0) {
																	L33:
																	 *(_t118 - 0x58) = 0;
																	E6D7EC240(__eflags, "  Unknown pseudo relocation bit size %d.\n", _t100, _t130, _t135);
																	goto L34;
																} else {
																	r8d = 8;
																	_t112 = _t156;
																	_t109 =  *_t96 - _t91 + _t135;
																	__eflags = _t109;
																	 *(_t118 - 0x58) = _t109;
																	_t100 = _t156;
																	E6D7EAFC0(_t81, _t82, _t94, _t96, _t100, _t156, _t116, _t130, _t142, _t152, _t156, 0);
																	goto L27;
																}
															}
														}
													} else {
														r8d =  *_t96 & 0x0000ffff;
														_t100 = _t156;
														_t112 = _t156;
														__eflags = r8w;
														_t133 =  <  ? _t130 | 0xffff0000 : _t130;
														_t134 = ( <  ? _t130 | 0xffff0000 : _t130) - _t91;
														_t130 = ( <  ? _t130 | 0xffff0000 : _t130) - _t91 + _t135;
														 *(_t118 - 0x58) = _t130;
														r8d = 2;
														E6D7EAFC0(_t81, _t82, _t94, _t96, _t100, _t156, _t116, _t130, _t142, _t152, _t156, 0);
														goto L27;
													}
													goto L66;
													L27:
													_t114 = _t116 + 0xc;
													__eflags = _t114 - _t142;
												} while (_t114 < _t142);
												goto L9;
											} else {
												goto L1;
											}
										}
									} else {
										_t19 = _t114 + 0xc; // 0x0
										_t68 =  *_t19;
										_t114 = _t114 + 0xc;
										__eflags = _t114;
										goto L18;
									}
								}
							} else {
								L5:
								__eflags = _t114 - _t142;
								if(_t114 < _t142) {
									_t8 = _t114 + 8; // 0x6d809288
									_t155 = _t8;
									_t151 =  *0x6d8091f0; // 0x6d7c0000
									_t112 = _t118 - 0x58;
									_t11 = (_t142 + 7 - _t155 >> 3) * 8; // 0x6d809288
									_t147 = _t114 + _t11 + 8;
									while(1) {
										r8d = 4;
										_t33 =  *_t114;
										_t114 = _t155;
										_t96 = _t96 + _t151;
										 *(_t118 - 0x58) = _t33 +  *_t96;
										E6D7EAFC0(_t81, _t82, _t94, _t96, _t112, _t112, _t114, _t130, _t147, _t151, _t155, _t157);
										__eflags = _t155 - _t147;
										if(_t155 == _t147) {
											break;
										}
										_t155 = _t155 + 8;
										__eflags = _t155;
									}
									L9:
									_t30 =  *0x6d80c5e4;
									__eflags = _t30;
									if(_t30 > 0) {
										do {
											r8d =  *( *0x6d80c5e8 + _t114);
											__eflags = r8d;
											if(r8d != 0) {
												_t30 = VirtualProtect();
											}
											_t53 = _t53 + 1;
											_t114 = _t114 + 0x28;
											__eflags = _t53 -  *0x6d80c5e4;
										} while (_t53 <  *0x6d80c5e4);
									}
								}
								goto L1;
							}
						}
					}
				} else {
					L1:
					return _t30;
				}
				L66:
			}

0x6d7eb190
0x6d7eb190
0x6d7eb190
0x6d7eb190
0x6d7eb190
0x6d7eb190
0x6d7eb191
0x6d7eb19b
0x6d7eb19c
0x6d7eb1a0
0x6d7eb1a8
0x6d7eb1b0
0x6d7eb1c3
0x6d7eb1cd
0x6d7eb1e4
0x6d7eb1e9
0x6d7eb1f0
0x6d7eb1fa
0x6d7eb209
0x6d7eb213
0x6d7eb216
0x6d7eb21a
0x00000000
0x6d7eb21c
0x6d7eb21c
0x6d7eb220
0x6d7eb222
0x6d7eb2f0
0x6d7eb2f0
0x6d7eb2f2
0x00000000
0x6d7eb2f8
0x6d7eb2f8
0x6d7eb2f8
0x6d7eb2fb
0x6d7eb2fd
0x00000000
0x00000000
0x00000000
0x00000000
0x6d7eb2fd
0x6d7eb228
0x6d7eb228
0x6d7eb22a
0x6d7eb2d4
0x6d7eb2d7
0x6d7eb2d9
0x00000000
0x6d7eb2df
0x6d7eb2df
0x6d7eb2e2
0x6d7eb2e4
0x6d7eb303
0x6d7eb303
0x6d7eb306
0x6d7eb309
0x6d7eb43e
0x6d7eb43e
0x6d7eb445
0x6d7eb454
0x6d7eb456
0x6d7eb45b
0x6d7eb4c0
0x6d7eb4c5
0x6d7eb587
0x6d7eb58c
0x6d7eb590
0x00000000
0x6d7eb596
0x6d7eb5a0
0x6d7eb5a5
0x00000000
0x6d7eb5a5
0x6d7eb4cb
0x6d7eb4cb
0x6d7eb504
0x6d7eb509
0x00000000
0x6d7eb50b
0x6d7eb50b
0x6d7eb510
0x00000000
0x00000000
0x00000000
0x00000000
0x6d7eb510
0x6d7eb4cd
0x6d7eb4cd
0x6d7eb4d2
0x00000000
0x6d7eb4d8
0x6d7eb4d8
0x6d7eb4dd
0x00000000
0x00000000
0x00000000
0x00000000
0x6d7eb4dd
0x6d7eb4d2
0x6d7eb4cb
0x6d7eb45d
0x6d7eb45d
0x6d7eb462
0x6d7eb4df
0x6d7eb4e6
0x6d7eb4eb
0x6d7eb4ef
0x6d7eb56a
0x6d7eb56f
0x00000000
0x6d7eb4f1
0x6d7eb4f1
0x6d7eb4f1
0x6d7eb4f4
0x00000000
0x6d7eb4f6
0x6d7eb4fb
0x6d7eb4fd
0x6d7eb503
0x6d7eb503
0x6d7eb4f4
0x6d7eb464
0x6d7eb464
0x6d7eb469
0x6d7eb574
0x6d7eb574
0x6d7eb57a
0x6d7eb46f
0x6d7eb46f
0x6d7eb540
0x6d7eb545
0x6d7eb512
0x6d7eb519
0x6d7eb51e
0x6d7eb522
0x6d7eb5ba
0x6d7eb5bf
0x00000000
0x6d7eb528
0x6d7eb528
0x6d7eb52b
0x00000000
0x6d7eb531
0x6d7eb536
0x6d7eb538
0x6d7eb53e
0x6d7eb53e
0x6d7eb52b
0x6d7eb547
0x6d7eb547
0x6d7eb54c
0x00000000
0x00000000
0x00000000
0x00000000
0x6d7eb54c
0x6d7eb475
0x6d7eb475
0x6d7eb47a
0x00000000
0x6d7eb480
0x6d7eb480
0x6d7eb485
0x6d7eb54e
0x6d7eb557
0x6d7eb48b
0x6d7eb492
0x6d7eb497
0x6d7eb49b
0x6d7eb5da
0x6d7eb5df
0x6d7eb4a1
0x6d7eb4a1
0x6d7eb4a4
0x6d7eb5e6
0x6d7eb5e6
0x6d7eb4aa
0x6d7eb4af
0x6d7eb4b1
0x6d7eb4b1
0x6d7eb4b1
0x6d7eb4a4
0x6d7eb4b3
0x6d7eb4b7
0x6d7eb4b7
0x6d7eb485
0x6d7eb47a
0x6d7eb46f
0x6d7eb469
0x6d7eb462
0x6d7eb30f
0x6d7eb30f
0x6d7eb316
0x6d7eb324
0x6d7eb328
0x6d7eb32b
0x6d7eb375
0x6d7eb37a
0x6d7eb37a
0x6d7eb37e
0x6d7eb381
0x6d7eb384
0x6d7eb387
0x6d7eb38a
0x6d7eb332
0x6d7eb3f0
0x6d7eb3f3
0x00000000
0x6d7eb3f5
0x6d7eb3f5
0x6d7eb3f9
0x6d7eb3fc
0x6d7eb409
0x6d7eb40c
0x6d7eb410
0x6d7eb413
0x6d7eb416
0x6d7eb41a
0x6d7eb420
0x00000000
0x6d7eb420
0x6d7eb338
0x6d7eb338
0x6d7eb33b
0x6d7eb3c2
0x6d7eb3c5
0x6d7eb3cb
0x6d7eb3ce
0x6d7eb3d2
0x6d7eb3d8
0x6d7eb3db
0x6d7eb3de
0x6d7eb3e2
0x6d7eb3e5
0x00000000
0x6d7eb341
0x6d7eb341
0x6d7eb344
0x6d7eb42a
0x6d7eb431
0x6d7eb439
0x00000000
0x6d7eb34a
0x6d7eb34d
0x6d7eb353
0x6d7eb359
0x6d7eb359
0x6d7eb35c
0x6d7eb360
0x6d7eb363
0x00000000
0x6d7eb363
0x6d7eb344
0x6d7eb33b
0x6d7eb38c
0x6d7eb38c
0x6d7eb390
0x6d7eb393
0x6d7eb3a0
0x6d7eb3a4
0x6d7eb3a8
0x6d7eb3ab
0x6d7eb3ae
0x6d7eb3b2
0x6d7eb3b8
0x00000000
0x6d7eb3b8
0x00000000
0x6d7eb368
0x6d7eb368
0x6d7eb36c
0x6d7eb36c
0x00000000
0x6d7eb32d
0x00000000
0x6d7eb32d
0x6d7eb32b
0x6d7eb2e6
0x6d7eb2e6
0x6d7eb2e6
0x6d7eb2e9
0x6d7eb2e9
0x00000000
0x6d7eb2e9
0x6d7eb2e4
0x6d7eb230
0x6d7eb230
0x6d7eb230
0x6d7eb233
0x6d7eb239
0x6d7eb239
0x6d7eb241
0x6d7eb248
0x6d7eb253
0x6d7eb253
0x6d7eb264
0x6d7eb267
0x6d7eb270
0x6d7eb272
0x6d7eb275
0x6d7eb27a
0x6d7eb27d
0x6d7eb282
0x6d7eb285
0x00000000
0x00000000
0x6d7eb260
0x6d7eb260
0x6d7eb260
0x6d7eb287
0x6d7eb287
0x6d7eb296
0x6d7eb298
0x6d7eb2a0
0x6d7eb2aa
0x6d7eb2ad
0x6d7eb2b0
0x6d7eb2bd
0x6d7eb2bd
0x6d7eb2c0
0x6d7eb2c3
0x6d7eb2c7
0x6d7eb2c7
0x6d7eb2cf
0x6d7eb298
0x00000000
0x6d7eb233
0x6d7eb22a
0x6d7eb222
0x6d7eb1b2
0x6d7eb1b2
0x6d7eb1c2
0x6d7eb1c2
0x00000000

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,6D7C1278), ref: 6D7EB2BD

Strings

Unknown pseudo relocation bit size %d., xrefs: 6D7EB42A
Unknown pseudo relocation protocol version %d., xrefs: 6D7EB43E

Memory Dump Source

Source File: 00000003.00000002.395310059.000000006D7C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000003.00000002.395304928.000000006D7C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395364082.000000006D809000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395371412.000000006D80E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D813000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D818000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 95223d1137b75e46f2554debcc49d3619d8e7e1de36342d529655317680d5494
Instruction ID: da2461e26f7999454393f07e082508ae2b376d1b157602e95129a658e2a58f83
Opcode Fuzzy Hash: 95223d1137b75e46f2554debcc49d3619d8e7e1de36342d529655317680d5494
Instruction Fuzzy Hash: E6916B71B103428AEB148BA5DB4572D6B62BB453F8F518523CF2887798DB3DE485C743

Uniqueness

Uniqueness Score: -1.00%

Function 6D7EB6E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 6D7EB739
signal.MSVCRT ref: 6D7EB792
signal.MSVCRT ref: 6D7EB7EE
signal.MSVCRT ref: 6D7EB8A3

Strings

CCG , xrefs: 6D7EB6F5

Memory Dump Source

Source File: 00000003.00000002.395310059.000000006D7C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000003.00000002.395304928.000000006D7C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395364082.000000006D809000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395371412.000000006D80E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D813000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D818000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 510415687b53fdd25d11655551667f340b59ec9c6ebe74d298f09f1eda2ae476
Instruction ID: b2bbc8561d5baf325b58bf9692c8fe2e0579aed71f046c77a07e83de23c1fe6c
Opcode Fuzzy Hash: 510415687b53fdd25d11655551667f340b59ec9c6ebe74d298f09f1eda2ae476
Instruction Fuzzy Hash: 2831702071572646FB19427947943342C02AF8A7F9F258A3BCA7DC7BE4CE58F4C00A53

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C74418 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000018A52C74475

Part of subcall function 0000018A52C75374: __GetUnwindTryBlock.LIBCMT ref: 0000018A52C753B7
Part of subcall function 0000018A52C75374: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000018A52C753DC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000018A52C7454D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000018A52C747A2
std::bad_alloc::bad_alloc.LIBCMT ref: 0000018A52C748AE

Strings

csm, xrefs: 0000018A52C7448F
csm, xrefs: 0000018A52C74570
csm, xrefs: 0000018A52C744F6

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 2ed4cc99f58428dff43d3f01cc5e852e5bb786ad8812c5a133ade536f624ce79
Instruction ID: 8c43a929d2cb89db2134866c58729d6d6136eae4995cf05e501582196454ddfc
Opcode Fuzzy Hash: 2ed4cc99f58428dff43d3f01cc5e852e5bb786ad8812c5a133ade536f624ce79
Instruction Fuzzy Hash: 5AF13E30518A488BEB64EB6884957E977F0FF55310F98869EE549C7293DB30D9C1CB83

Uniqueness

Uniqueness Score: -1.00%

Function 6D7EAFC0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 6D7EB06B
VirtualProtect.KERNEL32 ref: 6D7EB112
GetLastError.KERNEL32 ref: 6D7EB120

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6D7EB167
Address %p has no image-section, xrefs: 6D7EB17D
VirtualProtect failed with code 0x%x, xrefs: 6D7EB126

Memory Dump Source

Source File: 00000003.00000002.395310059.000000006D7C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000003.00000002.395304928.000000006D7C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395364082.000000006D809000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395371412.000000006D80E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D813000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D818000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 637304234-2123141913
Opcode ID: 66db1a8f00c5bf92c22be664163873b503bc839fe269d61d8950b9a0737bf724
Instruction ID: 6f69fe01bd496c6dc4025131fc83259c25de86d837172212a77ffc67528a88a8
Opcode Fuzzy Hash: 66db1a8f00c5bf92c22be664163873b503bc839fe269d61d8950b9a0737bf724
Instruction Fuzzy Hash: 94512277B007418AEB158F2AEA4475D7B61B785BF4F848122DE2D873A4EF38E545C301

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C72630 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000018A52C7265B
_IsNonwritableInCurrentImage.LIBCMT ref: 0000018A52C726F0

Strings

csm, xrefs: 0000018A52C726D6
f, xrefs: 0000018A52C7266E

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: cbb6678aba45670b62180b90d032deeebbb74b39f1951d1e686324c8961a414a
Instruction ID: f141ebcc0462de4ca6433704b09fc38813e2bab9c796e25613bce687d93f173b
Opcode Fuzzy Hash: cbb6678aba45670b62180b90d032deeebbb74b39f1951d1e686324c8961a414a
Instruction Fuzzy Hash: 2861A430608A058BEB28AF1CD5956A473E5FF54350F98815EF947C7187DA30ED828787

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C74C4C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000018A52C74C74
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000018A52C74D5C

Strings

csm, xrefs: 0000018A52C74C96
csm, xrefs: 0000018A52C74DAE

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 179d466ca7e911971df6fec40f864e8670ee48de26d9b50b7fdfc5552c99cf0b
Instruction ID: e52c888dd0c5a232ae2e8e941ed4ee23de696e6d6e66649ae28d9b02638d5a5d
Opcode Fuzzy Hash: 179d466ca7e911971df6fec40f864e8670ee48de26d9b50b7fdfc5552c99cf0b
Instruction Fuzzy Hash: 31713C30214A448BFFB89B1884A47A5B7F1EF68715F98869FE599C6693CF3099C0C743

Uniqueness

Uniqueness Score: -1.00%

Function 6D7C1010 Relevance: 6.1, APIs: 4, Instructions: 131
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 6D7C1057
_amsg_exit.MSVCRT ref: 6D7C1081

Memory Dump Source

Source File: 00000003.00000002.395310059.000000006D7C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000003.00000002.395304928.000000006D7C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395364082.000000006D809000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395371412.000000006D80E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D813000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D818000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: e27fe5a8971d6827a824ceaca1c9c04ab70d9526602116c550646743b90f6313
Instruction ID: ab5cf6504fecb38ecfa05007e94ff7ccef8b92edce53eeaa8f06038a63debbbb
Opcode Fuzzy Hash: e27fe5a8971d6827a824ceaca1c9c04ab70d9526602116c550646743b90f6313
Instruction Fuzzy Hash: 08419F32B456458EE7029B1AEE543656266B7897E5F898037CE2C47350DE3DC4D6C302

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C71CA4 Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 0000018A52C71CB3

Part of subcall function 0000018A52C71E68: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000018A52C71E8A

__scrt_acquire_startup_lock.LIBCMT ref: 0000018A52C71CC8
__scrt_release_startup_lock.LIBCMT ref: 0000018A52C71D36
__scrt_get_show_window_mode.LIBCMT ref: 0000018A52C71D89

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 02bd2f8f1202d19f588490249a19570c034d6b83775ef71651d1b56b0c06cdeb
Instruction ID: a4ce496bb267104f9e8ad8d7e2f1ff0087a29053a21f0503dd8feb613489cfb5
Opcode Fuzzy Hash: 02bd2f8f1202d19f588490249a19570c034d6b83775ef71651d1b56b0c06cdeb
Instruction Fuzzy Hash: 9041AD306006048BF759AB7898753E933B1AF65340F9CC52EB647872D7CEA94B848743

Uniqueness

Uniqueness Score: -1.00%

Function 0000018A52C748F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 238COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000018A52C7498B

Strings

MOC, xrefs: 0000018A52C74951
RCC, xrefs: 0000018A52C7495A

Memory Dump Source

Source File: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018A52C71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18a52c71000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 837fe712d1c841b9689310fb0e3b5e3a97da388e70ee50221832e68052b7cfc4
Instruction ID: 81bde4c076e1e1b1733f59470ed6b74a6f25149c309c0ba2c8b6186eda907934
Opcode Fuzzy Hash: 837fe712d1c841b9689310fb0e3b5e3a97da388e70ee50221832e68052b7cfc4
Instruction Fuzzy Hash: 30715A30518A0C8FEB68EF58D452BE9B7F0FF58310F58429EE549D3152DA74EA81CB86

Uniqueness

Uniqueness Score: -1.00%

Function 6D7EB9C0 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6D7EB9E7
free.MSVCRT ref: 6D7EBA38
LeaveCriticalSection.KERNEL32 ref: 6D7EBA44

Memory Dump Source

Source File: 00000003.00000002.395310059.000000006D7C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000003.00000002.395304928.000000006D7C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395364082.000000006D809000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395371412.000000006D80E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D813000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.395377221.000000006D818000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 850590f39cbab215475ea261977678cee1c56e4dda0905269a505c2f615f3b60
Instruction ID: bb1f2ce6b23d4df659204ec08620020be86bc7e7ed139501eec4f72df4f5847c
Opcode Fuzzy Hash: 850590f39cbab215475ea261977678cee1c56e4dda0905269a505c2f615f3b60
Instruction Fuzzy Hash: 79017172B14705CAEF09DF6AE9C432927E2F784B90F408426C91983350EF39D469C751

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 2344, Parent PID: 5696COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1041
Total number of Limit Nodes:	14

Executed Functions

Function 0000023E744012C0 Relevance: 7.9, APIs: 5, Instructions: 379
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 0000023E744012F2
RegEnumKeyExA.KERNELBASE ref: 0000023E74401407
RegOpenKeyExA.KERNELBASE ref: 0000023E74401472

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: Open$Enum
String ID:
API String ID: 462099255-0
Opcode ID: 2a02730be39cc75ee99e02b240c38d7de0b4f72d589f073dcba7369fd32cc831
Instruction ID: de3d4758aca3cf4c16084ddb2ca82a40c8023e1a9589ae1236b2693d0edcdebe
Opcode Fuzzy Hash: 2a02730be39cc75ee99e02b240c38d7de0b4f72d589f073dcba7369fd32cc831
Instruction Fuzzy Hash: B3D15431618B888FEB65DF18DC896DAB7E1FF94304F00465EE44AD71A0EF349A55CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000023E74401C88 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 0000023E74401C91
_invalid_parameter_noinfo.LIBCMT ref: 0000023E744065E4

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
String ID:
API String ID: 59578552-0
Opcode ID: f95e01fbf38a281d9255cdf92b69475522e65d4a66deb1467f342da968b848f1
Instruction ID: 6aec0a9db2d8784e590509387ff1d882cc94a85cb697c8bcdc867a85c7399a41
Opcode Fuzzy Hash: f95e01fbf38a281d9255cdf92b69475522e65d4a66deb1467f342da968b848f1
Instruction Fuzzy Hash: CEE08630F155055AFD1B32B93C4E2ACB080BF15320F920295B412851F6F96D4EBC7E63

Uniqueness

Uniqueness Score: -1.00%

Function 0000023E74401770 Relevance: 1.8, APIs: 1, Instructions: 304
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 0000023E74401807

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 81c7c7fd01d69da00775a62d13099b4ead950d999e7021fb467b756ffc4a194f
Instruction ID: 4e1e1e3e254a9111b3c2134d41c1f3ebac822f345be21d4e5aaa30e495a74e45
Opcode Fuzzy Hash: 81c7c7fd01d69da00775a62d13099b4ead950d999e7021fb467b756ffc4a194f
Instruction Fuzzy Hash: 5BA1A731618A484BEB25EF24EC596EA73E1FF94301F11465AE44BD31E1EF389E198F81

Uniqueness

Uniqueness Score: -1.00%

Function 0000023E74401AE0 Relevance: 4.6, APIs: 3, Instructions: 75
synchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32 ref: 0000023E74401B11
CreateMutexExA.KERNEL32 ref: 0000023E74401B74
MessageBoxA.USER32 ref: 0000023E74401BA4

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: ComputerCreateMessageMutexName
String ID:
API String ID: 2342047096-0
Opcode ID: bf0b7409f839259ce88bb476a521653d71adaaef5a7294aa3565bebdb25f1347
Instruction ID: 9f77004288b2eee607d68843c466d522ed202f7b259a1cd2de01f79405e53001
Opcode Fuzzy Hash: bf0b7409f839259ce88bb476a521653d71adaaef5a7294aa3565bebdb25f1347
Instruction Fuzzy Hash: 2421C930618A448BE719EB34EC8D5AAB7F1FFD9305F45497DF08BC60A1FE7985058A41

Uniqueness

Uniqueness Score: -1.00%

Function 0000023E74409C3C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 0000023E74409CCB

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 39dc1a5228bf1e06e61612b5fff79bc4169a93c7aa8ff714042cd5f5cd4a771e
Instruction ID: a46beccc6ea7d252a6377e1d517694b9d0ed0ce9402e9ba96b66e73af81ccdd2
Opcode Fuzzy Hash: 39dc1a5228bf1e06e61612b5fff79bc4169a93c7aa8ff714042cd5f5cd4a771e
Instruction Fuzzy Hash: 1631F631908E595FDBA69F2C9888660B6C0FF06320F210389E41AC71F4D638DDA5EB80

Uniqueness

Uniqueness Score: -1.00%

Function 0000023E74407AFC Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 0000023E74407B51

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30d4bf1e297d70a882b7f1add7ff9fded3996ca996f5e333fb51e94ed5290b56
Instruction ID: cd90a9c2b81a5109d353a5afc8d016f5f7efdfc98a7a584ac98fa61c9e8d5842
Opcode Fuzzy Hash: 30d4bf1e297d70a882b7f1add7ff9fded3996ca996f5e333fb51e94ed5290b56
Instruction Fuzzy Hash: 8101A420B10E0A0FFF5A6BB9688D375B1D4FF68301F5640B56405C61F1FD5DCE68AA62

Uniqueness

Uniqueness Score: -1.00%

Function 0000023E74406328 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,0000023E74406324), ref: 0000023E74406353

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0c3185d8b51bac4eb50b0166e6d79b52d76e7ad81d5639061b00e529f1dc9730
Instruction ID: 0658f419da243905a560682eda60c9ab19abe282b0dba0f49a48e21cc09d6628
Opcode Fuzzy Hash: 0c3185d8b51bac4eb50b0166e6d79b52d76e7ad81d5639061b00e529f1dc9730
Instruction Fuzzy Hash: 90D05E207012045BFF2CBBB0AD8D26D66528F44205F00186CA947CB6E7DD7D8C1E8B81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000023E74404418 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000023E74404475

Part of subcall function 0000023E74405374: __GetUnwindTryBlock.LIBCMT ref: 0000023E744053B7
Part of subcall function 0000023E74405374: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000023E744053DC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000023E7440454D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000023E744047A2
std::bad_alloc::bad_alloc.LIBCMT ref: 0000023E744048AE

Strings

csm, xrefs: 0000023E744044F6
csm, xrefs: 0000023E7440448F
csm, xrefs: 0000023E74404570

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 2ed4cc99f58428dff43d3f01cc5e852e5bb786ad8812c5a133ade536f624ce79
Instruction ID: 600d82a612ddb50816f3332c61958366e95c0b0d3da3835875c150543bdccc75
Opcode Fuzzy Hash: 2ed4cc99f58428dff43d3f01cc5e852e5bb786ad8812c5a133ade536f624ce79
Instruction Fuzzy Hash: 14F1A330A18B088BEF65EF5894897A9B7E0FF55310F110699D449C32E2EB34DE95DB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000023E74402630 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023E7440265B
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023E744026F0

Strings

f, xrefs: 0000023E7440266E
csm, xrefs: 0000023E744026D6

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: cbb6678aba45670b62180b90d032deeebbb74b39f1951d1e686324c8961a414a
Instruction ID: 8a0ae7ae3f61cdac43a9df49b57c57a21490e03fb4e8819b834722079fcd058d
Opcode Fuzzy Hash: cbb6678aba45670b62180b90d032deeebbb74b39f1951d1e686324c8961a414a
Instruction Fuzzy Hash: 6561C530B18A058BEF69AF1CE889724B3D1FF54350F5141ADE84AC31E2F634EE659E85

Uniqueness

Uniqueness Score: -1.00%

Function 0000023E74404C4C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023E74404C74
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000023E74404D5C

Strings

csm, xrefs: 0000023E74404DAE
csm, xrefs: 0000023E74404C96

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 179d466ca7e911971df6fec40f864e8670ee48de26d9b50b7fdfc5552c99cf0b
Instruction ID: 5be523eaa13b5c78e7e1f61555636035a90755f1a1d8ab7bb81fe9b9b4280a84
Opcode Fuzzy Hash: 179d466ca7e911971df6fec40f864e8670ee48de26d9b50b7fdfc5552c99cf0b
Instruction Fuzzy Hash: 8371C030B54A048FEFA99B189088764B3D0FF54311F16469AD449C76F2EB389DA8DB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000023E74401CA4 Relevance: 6.1, APIs: 4, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 0000023E74401CB3

Part of subcall function 0000023E74401E68: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000023E74401E8A

__scrt_acquire_startup_lock.LIBCMT ref: 0000023E74401CC8
__scrt_release_startup_lock.LIBCMT ref: 0000023E74401D36
__scrt_get_show_window_mode.LIBCMT ref: 0000023E74401D89

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 02bd2f8f1202d19f588490249a19570c034d6b83775ef71651d1b56b0c06cdeb
Instruction ID: b7b2ae1d30f5d94b2c93b8c79fb690bd498079225ed35077708972a1574ef83f
Opcode Fuzzy Hash: 02bd2f8f1202d19f588490249a19570c034d6b83775ef71651d1b56b0c06cdeb
Instruction Fuzzy Hash: 8041B320F002044AFF5AA774B45D3E9B2E1AF55304F0645A9A546872F3FE2E5F2CAE41

Uniqueness

Uniqueness Score: -1.00%

Function 0000023E744048F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000023E7440498B

Strings

RCC, xrefs: 0000023E7440495A
MOC, xrefs: 0000023E74404951

Memory Dump Source

Source File: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023E74401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23e74401000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 837fe712d1c841b9689310fb0e3b5e3a97da388e70ee50221832e68052b7cfc4
Instruction ID: 822f80332b5d4f6feab5aecb2d9ebca9d4db58e707d42be5f189512b25cc7340
Opcode Fuzzy Hash: 837fe712d1c841b9689310fb0e3b5e3a97da388e70ee50221832e68052b7cfc4
Instruction Fuzzy Hash: 25718F30A18B0C8FEB55EF98E4457A9B7E0FF58300F11029EE445D31A2E778EA55CB82

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 6964, Parent PID: 5764COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1217
Total number of Limit Nodes:	17

Executed Functions

Function 0000017FE20A12C0 Relevance: 7.9, APIs: 5, Instructions: 379
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 0000017FE20A12F2
RegEnumKeyExA.KERNELBASE ref: 0000017FE20A1407
RegOpenKeyExA.KERNELBASE ref: 0000017FE20A1472

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: Open$Enum
String ID:
API String ID: 462099255-0
Opcode ID: 2a02730be39cc75ee99e02b240c38d7de0b4f72d589f073dcba7369fd32cc831
Instruction ID: 1650cd3d390e8e7035f6f10f2e980de524e5cb151bb46ce795e2d47ddd19235f
Opcode Fuzzy Hash: 2a02730be39cc75ee99e02b240c38d7de0b4f72d589f073dcba7369fd32cc831
Instruction Fuzzy Hash: 1BD1607551CB888FEB65DF18D8846DAB7F1FB98304F440A2EE54AD71A0EF349641CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000017FE20A1C88 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 0000017FE20A1C91
_invalid_parameter_noinfo.LIBCMT ref: 0000017FE20A65E4

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
String ID:
API String ID: 59578552-0
Opcode ID: f95e01fbf38a281d9255cdf92b69475522e65d4a66deb1467f342da968b848f1
Instruction ID: 6572cfa8874fb3a77c6edb6255f64c7cf0398ffde2039b02a1f6e3f29b4cff45
Opcode Fuzzy Hash: f95e01fbf38a281d9255cdf92b69475522e65d4a66deb1467f342da968b848f1
Instruction Fuzzy Hash: A8E086BA81DD054DEE1932B90C462EE21B0AB45310FD2023EB71D851F6FD5900934353

Uniqueness

Uniqueness Score: -1.00%

Function 0000017FE20A1770 Relevance: 1.8, APIs: 1, Instructions: 304
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 0000017FE20A1807

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 81c7c7fd01d69da00775a62d13099b4ead950d999e7021fb467b756ffc4a194f
Instruction ID: 6569fdba2705a4124a08383941aba246e3b510c0e48607633bb89f4ced615e0e
Opcode Fuzzy Hash: 81c7c7fd01d69da00775a62d13099b4ead950d999e7021fb467b756ffc4a194f
Instruction Fuzzy Hash: 7CA1B33560CE484FEB29EF24DC596EA73E1FBA4300F45462ED54BD71A1EF3499068B81

Uniqueness

Uniqueness Score: -1.00%

Function 0000017FE20A1AE0 Relevance: 4.6, APIs: 3, Instructions: 75
synchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32 ref: 0000017FE20A1B11
CreateMutexExA.KERNEL32 ref: 0000017FE20A1B74
MessageBoxA.USER32 ref: 0000017FE20A1BA4

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: ComputerCreateMessageMutexName
String ID:
API String ID: 2342047096-0
Opcode ID: bf0b7409f839259ce88bb476a521653d71adaaef5a7294aa3565bebdb25f1347
Instruction ID: f18c293d85774e1aceabed22703f4ffbc1c4273379d17f09c823fcc400833fc1
Opcode Fuzzy Hash: bf0b7409f839259ce88bb476a521653d71adaaef5a7294aa3565bebdb25f1347
Instruction Fuzzy Hash: 4021D73121CA448FE719DB24DC895EAB3F1FBD9305F84497DE18BC60A1EE3881068A41

Uniqueness

Uniqueness Score: -1.00%

Function 0000017FE20A7AFC Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 0000017FE20A7B51

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30d4bf1e297d70a882b7f1add7ff9fded3996ca996f5e333fb51e94ed5290b56
Instruction ID: a704109736c16e79124bdb5f81691e8fef33bd4145f9813a13c2983128dfeafe
Opcode Fuzzy Hash: 30d4bf1e297d70a882b7f1add7ff9fded3996ca996f5e333fb51e94ed5290b56
Instruction Fuzzy Hash: A1016DF632EE0A4EFB6A6BB948993AB31F4DB68301F95803D560AC61F2FD15C8464251

Uniqueness

Uniqueness Score: -1.00%

Function 0000017FE20A6EE4 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 0000017FE20A6F22

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c29eb4a6d2c213a181199b5d01373da4079d59e2d89cd9e4ad03217af82161b8
Instruction ID: e61765dc0f73711e3868e3033218e2ba56d76872504ba0ec92578473f8336edc
Opcode Fuzzy Hash: c29eb4a6d2c213a181199b5d01373da4079d59e2d89cd9e4ad03217af82161b8
Instruction Fuzzy Hash: C0F030BA22CE054EFF68A77908A53F726B0EB58751FC2413C660EC21F1FE18C8428511

Uniqueness

Uniqueness Score: -1.00%

Function 0000017FE20A6328 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,0000017FE20A6324), ref: 0000017FE20A6353

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0c3185d8b51bac4eb50b0166e6d79b52d76e7ad81d5639061b00e529f1dc9730
Instruction ID: 2e5c48bfd54b69ac723a0b0f95c19481c9cd2d957bf106c4e7bf7a1a5e1ed4b5
Opcode Fuzzy Hash: 0c3185d8b51bac4eb50b0166e6d79b52d76e7ad81d5639061b00e529f1dc9730
Instruction Fuzzy Hash: 47D012753095044FFF18BB7099CD2AA27718744305F40183C665BCB6E7DD798C064741

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000017FE20A4418 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000017FE20A4475

Part of subcall function 0000017FE20A5374: __GetUnwindTryBlock.LIBCMT ref: 0000017FE20A53B7
Part of subcall function 0000017FE20A5374: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000017FE20A53DC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000017FE20A454D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000017FE20A47A2
std::bad_alloc::bad_alloc.LIBCMT ref: 0000017FE20A48AE

Strings

csm, xrefs: 0000017FE20A44F6
csm, xrefs: 0000017FE20A4570
csm, xrefs: 0000017FE20A448F

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 2ed4cc99f58428dff43d3f01cc5e852e5bb786ad8812c5a133ade536f624ce79
Instruction ID: ae170397396fb04f6deabf8d3fad83d4c2a6cd633ea3a5462b11b35de2024571
Opcode Fuzzy Hash: 2ed4cc99f58428dff43d3f01cc5e852e5bb786ad8812c5a133ade536f624ce79
Instruction Fuzzy Hash: B1F14F7951CE488FEB54EB5884817EAB7F0FB55710F91066DE549C72A2EF30D882C782

Uniqueness

Uniqueness Score: -1.00%

Function 0000017FE20A2630 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017FE20A265B
_IsNonwritableInCurrentImage.LIBCMT ref: 0000017FE20A26F0

Strings

f, xrefs: 0000017FE20A266E
csm, xrefs: 0000017FE20A26D6

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: cbb6678aba45670b62180b90d032deeebbb74b39f1951d1e686324c8961a414a
Instruction ID: 3ba9174a26c3736a8e62b2abe72b3a7f03946c74cb5a7914321de1ac7a0310d4
Opcode Fuzzy Hash: cbb6678aba45670b62180b90d032deeebbb74b39f1951d1e686324c8961a414a
Instruction Fuzzy Hash: 2461B27660CE048FEB68AF1CD8857AA73E1F754350F91417DE94AC36E2EE30ED428685

Uniqueness

Uniqueness Score: -1.00%

Function 0000017FE20A4C4C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017FE20A4C74
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000017FE20A4D5C

Strings

csm, xrefs: 0000017FE20A4C96
csm, xrefs: 0000017FE20A4DAE

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 179d466ca7e911971df6fec40f864e8670ee48de26d9b50b7fdfc5552c99cf0b
Instruction ID: 343430ed44d61f442571e92259ec0e336acdca74ddeccbe3499baebf7ef9b054
Opcode Fuzzy Hash: 179d466ca7e911971df6fec40f864e8670ee48de26d9b50b7fdfc5552c99cf0b
Instruction Fuzzy Hash: 7E71807A11CE048FEBA8DB1880847A673E0FB54325FA5466ED55DC76F2EF309882C742

Uniqueness

Uniqueness Score: -1.00%

Function 0000017FE20A1CA4 Relevance: 6.1, APIs: 4, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 0000017FE20A1CB3

Part of subcall function 0000017FE20A1E68: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000017FE20A1E8A

__scrt_acquire_startup_lock.LIBCMT ref: 0000017FE20A1CC8
__scrt_release_startup_lock.LIBCMT ref: 0000017FE20A1D36
__scrt_get_show_window_mode.LIBCMT ref: 0000017FE20A1D89

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 02bd2f8f1202d19f588490249a19570c034d6b83775ef71651d1b56b0c06cdeb
Instruction ID: 96a50d855ca8ffb394238b778b3e7155d75672598e88626b535b21dd2c65a41b
Opcode Fuzzy Hash: 02bd2f8f1202d19f588490249a19570c034d6b83775ef71651d1b56b0c06cdeb
Instruction Fuzzy Hash: 984180BA60CE444EFB58A77894553EB73B1AB55340F8A493CA74E872F7EE6848078241

Uniqueness

Uniqueness Score: -1.00%

Function 0000017FE20A48F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000017FE20A498B

Strings

MOC, xrefs: 0000017FE20A4951
RCC, xrefs: 0000017FE20A495A

Memory Dump Source

Source File: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017FE20A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17fe20a1000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 837fe712d1c841b9689310fb0e3b5e3a97da388e70ee50221832e68052b7cfc4
Instruction ID: 289aa48ca244c2d061e61f2fb14d675c65377b47aa0420ec229f835381221ba6
Opcode Fuzzy Hash: 837fe712d1c841b9689310fb0e3b5e3a97da388e70ee50221832e68052b7cfc4
Instruction Fuzzy Hash: 50716D7551CA0C8FEB54EF58D4427EAB7F0FB58310F51026DE54AD31A2EB74E9828B82

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report out.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Strela Stealer

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 5764, Parent PID: 3324

General

Chronological Activities

Windows Analysis Report
out.dll.dll

Function 0000018A52C712C0 Relevance: 7.9, APIs: 5, Instructions: 379
registryCOMMON

Function 0000018A52C71C88 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Function 0000018A52C71770 Relevance: 1.8, APIs: 1, Instructions: 304
fileCOMMON

Function 0000018A52C71AE0 Relevance: 4.6, APIs: 3, Instructions: 75
synchronizationwindowCOMMON

Function 0000018A52C77AFC Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Function 0000018A52C76328 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 6D7EADE0 Relevance: 12.0, APIs: 8, Instructions: 50
COMMON

Function 6D7EAD00 Relevance: 7.6, APIs: 5, Instructions: 56
timethreadCOMMON

Function 6D7EB190 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 283
memoryCOMMON

Function 6D7EB6E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 111
COMMON

Function 0000018A52C74418 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 472
COMMON

Function 6D7EAFC0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148
memoryCOMMON

Function 0000018A52C72630 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 219
COMMON

Function 0000018A52C74C4C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 6D7C1010 Relevance: 6.1, APIs: 4, Instructions: 131
sleepCOMMON

Function 0000023E744012C0 Relevance: 7.9, APIs: 5, Instructions: 379
registryCOMMON

Function 0000023E74401C88 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Function 0000023E74401770 Relevance: 1.8, APIs: 1, Instructions: 304
fileCOMMON

Function 0000023E74401AE0 Relevance: 4.6, APIs: 3, Instructions: 75
synchronizationwindowCOMMON

Function 0000023E74409C3C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON