
Windows Analysis Report
3.dll

Overview

General Information

Sample name: 3.dll
Analysis ID: 1524657
MD5: 9e4e3ae279401f9e0b2d2818d422081d
SHA1: ae134efc864b5b8af1c7d2dee50c8542521ff109
SHA256: 93fca55f68b6d490087850b8f321f108ca4aa193ee8312b3c6bcf727828e965d
Tags: dll, Mekotio, user-Merlax_

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Switches to a custom stack to bypass stack traces
Tries to evade analysis by executing a special instruction (VM detection)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4916 cmdline: loaddll32.exe "C:\Users\user\Desktop\3.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6192 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3576 cmdline: rundll32.exe "C:\Users\user\Desktop\3.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3608 cmdline: rundll32.exe C:\Users\user\Desktop\3.dll,TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6420 cmdline: rundll32.exe C:\Users\user\Desktop\3.dll,__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1408 cmdline: rundll32.exe C:\Users\user\Desktop\3.dll,b1oc1ab00u045627q07f MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 736 cmdline: rundll32.exe "C:\Users\user\Desktop\3.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5360 cmdline: rundll32.exe "C:\Users\user\Desktop\3.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7036 cmdline: rundll32.exe "C:\Users\user\Desktop\3.dll",b1oc1ab00u045627q07f MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1352 cmdline: rundll32.exe "C:\Users\user\Desktop\3.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 3.dll | Avira: detected
Source: strogonoff.xyz | Virustotal: Detection: 7%
Source: 3.dll | ReversingLabs: Detection: 13%
Source: 3.dll | Virustotal: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: 3.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Networking

Source: unknown | DNS query: name: pastebin.com
Source: DNS query: strogonoff.xyz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: paradoxine.sbs
Source: global traffic | DNS traffic detected: DNS query: strogonoff.xyz
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS
Source: 3.dll | String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: loaddll32.exe, 00000000.00000003.3489486246.0000000004B2A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000003.2218000145.000000000617A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005F0A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4008990503.00000000060AA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/#
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/SV
Source: rundll32.exe, 00000004.00000002.4072050972.0000000005DD5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4107198361.0000000006685000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.4123516856.00000000058A5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.4071921649.0000000005D45000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008436389.0000000005ED5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.0000000005FEA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.4070707435.00000000060B5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://tempuri.org/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://tempuri.org/U
Source: rundll32.exe, 0000000A.00000002.4008990503.0000000006094000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/iY
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://tools.ietf.org/html/rfc1321
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://tools.ietf.org/html/rfc4648S
Source: rundll32.exe, 00000009.00000003.3964928757.0000000005EED000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.000000000608D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://www.borland.com/namespaces/Types
Source: rundll32.exe, 0000000A.00000002.4008990503.0000000006017000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Types-IAppServerSOAP
Source: rundll32.exe, 00000004.00000002.3997706734.0000000004AE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000005390000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000045B0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004A50000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://www.borland.com/namespaces/Types-IAppServerSOAPU
Source: loaddll32.exe, 00000000.00000003.3489486246.0000000004A97000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2218000145.00000000060E7000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005E77000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Types-IAppServerSOAPq
Source: rundll32.exe, 00000004.00000002.3997706734.0000000004AE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000005390000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000045B0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004A50000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.0000000006017000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://www.borland.com/namespaces/Types-IWSDLPublish
Source: loaddll32.exe, 00000000.00000003.3489486246.0000000004B0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2218000145.000000000615D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005EED000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/TypesA
Source: loaddll32.exe, 00000000.00000003.3489486246.0000000004B0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2218000145.000000000615D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005EED000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Typesa
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://www.borland.com/rootpart.xml
Source: 3.dll | String found in binary or memory: http://www.componentace.com
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://www.ietf.org/rfc/rfc3447.txtS
Source: loaddll32.exe, 00000000.00000003.3489486246.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3997706734.0000000004AE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000005390000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000003.2218000145.00000000060E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000045B0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004A50000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005E70000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.0000000006010000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://www.indyproject.org/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://www.itl.nist.gov/fipspubs/fip180-1.htm
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://www.movable-type.co.uk/scripts/xxtea.pdfS
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://www.schneier.com/paper-blowfish-fse.htmlS
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | String found in binary or memory: http://www.schneier.com/paper-twofish-paper.pdfS

System Summary

Source: 3.dll | Static PE information: section name: ,V8h(]j
Source: 3.dll | Static PE information: section name: 2Oi.bZ"
Source: 3.dll | Static PE information: section name: -1T<]EC
Source: 3.dll | Static PE information: section name: gPH9iZ]
Source: 3.dll | Static PE information: section name: o8`CYVL)
Source: 3.dll | Static PE information: section name: :87,Pg0>
Source: 3.dll | Static PE information: section name: 4&WkOMbO
Source: 3.dll | Static PE information: section name: [m(rRncT
Source: 3.dll | Static PE information: section name: aR_M S9
Source: 3.dll | Static PE information: section name: N2D,95K
Source: 3.dll | Static PE information: section name: JlJ T26
Source: 3.dll | Static PE information: section name: X=<];BL+
Source: 3.dll | Static PE information: Number of sections : 13 > 10
Source: 3.dll | Binary or memory string: OriginalFileName vs 3.dll
Source: 3.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal96.troj.evad.winDLL@20/0@3/0
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\b1oc1ab00u045627q07f
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4256:120:WilError_03
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",#1
Source: 3.dll | ReversingLabs: Detection: 13%
Source: 3.dll | Virustotal: Detection: 23%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\3.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3.dll,TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3.dll,b1oc1ab00u045627q07f
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",b1oc1ab00u045627q07f
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3.dll,TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3.dll,b1oc1ab00u045627q07f
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",b1oc1ab00u045627q07f
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: shfolder.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: olepro32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: security.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: 3.dllStatic file information: File size 25784320 > 1048576
Source: 3.dllStatic PE information: Raw size of ,V8h(]j is bigger than: 0x100000 < 0x510c00
Source: 3.dllStatic PE information: Raw size of 0VRn0YJr is bigger than: 0x100000 < 0x98aa00
Source: 3.dllStatic PE information: Raw size of N2D,95K is bigger than: 0x100000 < 0x934000
Source: initial sampleStatic PE information: section where entry point is pointing to: N2D,95K
Source: 3.dllStatic PE information: section name: ,V8h(]j
Source: 3.dllStatic PE information: section name: 2Oi.bZ"
Source: 3.dllStatic PE information: section name: -1T<]EC
Source: 3.dllStatic PE information: section name: gPH9iZ]
Source: 3.dllStatic PE information: section name: o8`CYVL)
Source: 3.dllStatic PE information: section name: :87,Pg0>
Source: 3.dllStatic PE information: section name: 4&WkOMbO
Source: 3.dllStatic PE information: section name: [m(rRncT
Source: 3.dllStatic PE information: section name: 0VRn0YJr
Source: 3.dllStatic PE information: section name: aR_M S9
Source: 3.dllStatic PE information: section name: N2D,95K
Source: 3.dllStatic PE information: section name: JlJ T26
Source: 3.dllStatic PE information: section name: X=<];BL+

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe; Memory written: PID: 4916 base: 13E0007 value: E9 EB DF FD 75
Source: C:\Windows\System32\loaddll32.exe; Memory written: PID: 4916 base: 773BDFF0 value: E9 1E 20 02 8A
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 3608 base: 35B0007 value: E9 EB DF E0 73
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 3608 base: 773BDFF0 value: E9 1E 20 1F 8C
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6420 base: 2D50007 value: E9 EB DF 66 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6420 base: 773BDFF0 value: E9 1E 20 99 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1408 base: 510007 value: E9 EB DF EA 76
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1408 base: 773BDFF0 value: E9 1E 20 15 89
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 5360 base: 2A30007 value: E9 EB DF 98 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 5360 base: 773BDFF0 value: E9 1E 20 67 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7036 base: 2AD0007 value: E9 EB DF 8E 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7036 base: 773BDFF0 value: E9 1E 20 71 8B
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 2938FB0
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 2E3C81F
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 2E297E9
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 269395B
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 2752D75
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 2785812
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 2777AE9
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 28120A2
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 274C188
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 2E5D978
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 27F15DC
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 2EA6987
Source: C:\Windows\System32\loaddll32.exe; Special instruction interceptor: First address: 281D61F instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
Source: rundll32.exe, 0000000A.00000002.3998007562.0000000002CAA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: C:\Windows\System32\loaddll32.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\System32\loaddll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",#1
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count shown next to the technique in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Rundll32 (1); Virtualization/Sandbox Evasion (111); Process Injection (11); DLL Side-Loading (1)
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (311); Process Discovery (1); Virtualization/Sandbox Evasion (111); System Information Discovery (21)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Credential API Hooking (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Web Service (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

Source | Detection | Scanner | Label
3.dll | 13% | ReversingLabs |
3.dll | 24% | Virustotal |
3.dll | 100% | Avira | HEUR/AGEN.1327619
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
strogonoff.xyz | 7% | Virustotal |
paradoxine.sbs | 0% | Virustotal |
pastebin.com | 0% | Virustotal |
Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
http://www.indyproject.org/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
http://www.borland.com/namespaces/Types-IWSDLPublish | 0% | Virustotal |
http://tempuri.org/iY | 1% | Virustotal |
http://www.borland.com/rootpart.xml | 0% | Virustotal |
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf | 0% | Virustotal |
http://tempuri.org/ | 0% | Virustotal |
http://www.schneier.com/paper-blowfish-fse.htmlS | 0% | Virustotal |
http://tools.ietf.org/html/rfc1321 | 0% | Virustotal |
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS | 0% | Virustotal |
http://tools.ietf.org/html/rfc4648S | 0% | Virustotal |
http://www.borland.com/namespaces/TypesA | 0% | Virustotal |
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS | 0% | Virustotal |
http://schemas.xmlsoap.org/wsdl/soap/ | 0% | Virustotal |
http://www.borland.com/namespaces/Types-IAppServerSOAP | 0% | Virustotal |
http://www.borland.com/namespaces/Types-IAppServerSOAPq | 0% | Virustotal |
http://schemas.xmlsoap.org/wsdl/soap12/SV | 0% | Virustotal |
http://www.itl.nist.gov/fipspubs/fip180-1.htm | 0% | Virustotal |
http://www.borland.com/namespaces/Types | 0% | Virustotal |
http://www.movable-type.co.uk/scripts/xxtea.pdfS | 0% | Virustotal |
http://schemas.xmlsoap.org/wsdl/http/ | 0% | Virustotal |
http://tempuri.org/U | 1% | Virustotal |
http://www.schneier.com/paper-twofish-paper.pdfS | 0% | Virustotal |
http://schemas.xmlsoap.org/soap/http | 0% | Virustotal |
http://schemas.xmlsoap.org/wsdl/soap/# | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
strogonoff.xyz | 141.98.169.154 | true | true | | unknown
paradoxine.sbs | 95.164.37.66 | true | false | | unknown
pastebin.com | 104.20.3.235 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.borland.com/namespaces/Types-IWSDLPublish | rundll32.exe, 00000004.00000002.3997706734.0000000004AE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000005390000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000045B0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004A50000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.0000000006017000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | | unknown
http://schemas.xmlsoap.org/soap/encoding/ | loaddll32.exe, 00000000.00000003.3489486246.0000000004B2A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000003.2218000145.000000000617A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005F0A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4008990503.00000000060AA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | URL Reputation: safe | unknown
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf | 3.dll | false | | unknown
http://tools.ietf.org/html/rfc1321 | rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | | unknown
http://schemas.xmlsoap.org/soap/envelope/ | rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | URL Reputation: safe | unknown
http://www.borland.com/rootpart.xml | rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | | unknown
http://tempuri.org/iY | rundll32.exe, 0000000A.00000002.4008990503.0000000006094000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.schneier.com/paper-blowfish-fse.htmlS | rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | | unknown
http://tempuri.org/ | rundll32.exe, 00000004.00000002.4072050972.0000000005DD5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4107198361.0000000006685000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.4123516856.00000000058A5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.4071921649.0000000005D45000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008436389.0000000005ED5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.0000000005FEA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.4070707435.00000000060B5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | | unknown
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS | rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | | unknown
http://www.indyproject.org/ | loaddll32.exe, 00000000.00000003.3489486246.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3997706734.0000000004AE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000005390000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000003.2218000145.00000000060E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000045B0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004A50000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005E70000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.0000000006010000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | URL Reputation: safe | unknown
http://tools.ietf.org/html/rfc4648S | rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | | unknown
http://www.borland.com/namespaces/Types-IAppServerSOAPq | loaddll32.exe, 00000000.00000003.3489486246.0000000004A97000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2218000145.00000000060E7000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005E77000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/soap12/SV | rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | | unknown
http://www.itl.nist.gov/fipspubs/fip180-1.htm | rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | | unknown
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS | rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll | false | | unknown
http://schemas.xmlsoap.org/wsdl/soap/rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalseunknown
http://www.borland.com/namespaces/TypesAloaddll32.exe, 00000000.00000003.3489486246.0000000004B0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2218000145.000000000615D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005EED000.00000004.00001000.00020000.00000000.sdmpfalseunknown
http://www.borland.com/namespaces/Types-IAppServerSOAPrundll32.exe, 0000000A.00000002.4008990503.0000000006017000.00000004.00001000.00020000.00000000.sdmpfalseunknown
http://www.movable-type.co.uk/scripts/xxtea.pdfSrundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalseunknown
http://www.borland.com/namespaces/Typesrundll32.exe, 00000009.00000003.3964928757.0000000005EED000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.000000000608D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalseunknown
http://schemas.xmlsoap.org/soap/httprundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalseunknown
http://schemas.xmlsoap.org/wsdl/soap/#rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalseunknown
http://www.schneier.com/paper-twofish-paper.pdfSrundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalseunknown
http://schemas.xmlsoap.org/wsdl/http/rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalseunknown
http://tempuri.org/Urundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalseunknown
http://schemas.xmlsoap.org/wsdl/rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalse
  • URL Reputation: safe
unknown
http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfUrundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalse
    unknown
    http://www.componentace.com3.dllfalse
      unknown
      http://schemas.xmlsoap.org/wsdl/mime/rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalse
        unknown
        http://www.borland.com/namespaces/Types-IAppServerSOAPUrundll32.exe, 00000004.00000002.3997706734.0000000004AE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000005390000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000045B0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004A50000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalse
          unknown
          http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfSrundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalse
            unknown
            http://www.borland.com/namespaces/Typesaloaddll32.exe, 00000000.00000003.3489486246.0000000004B0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2218000145.000000000615D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005EED000.00000004.00001000.00020000.00000000.sdmpfalse
              unknown
              http://www.ietf.org/rfc/rfc3447.txtSrundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dllfalse
                unknown
                No contacted IP infos
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1524657
                Start date and time:2024-10-03 03:38:54 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 8m 7s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Run name:Run with higher sleep bypass
                Number of analysed new started processes analysed:15
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:3.dll
                Detection:MAL
                Classification:mal96.troj.evad.winDLL@20/0@3/0
                EGA Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .dll
                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
paradoxine.sbs | fblXRRCHON.pos.dll | malicious | Unknown | 95.164.37.66
paradoxine.sbs | GmsiIZXruf.hos.dll | malicious | Unknown | 95.164.37.66
paradoxine.sbs | FETBMCbtmD.mup.dll | malicious | Unknown | 95.164.37.66
pastebin.com | 5.dll | malicious | Unknown | 104.20.3.235
pastebin.com | dropbox.exe | malicious | Unknown | 172.67.19.24
pastebin.com | dropbox.exe | malicious | Unknown | 172.67.19.24
pastebin.com | inject.exe | malicious | RedLine, Xmrig | 104.20.3.235
pastebin.com | q71n2VrEY3.exe | malicious | DCRat | 172.67.19.24
pastebin.com | lvHIHLt0b2.exe | malicious | DCRat | 104.20.3.235
pastebin.com | SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe | malicious | Unknown | 104.20.3.235
pastebin.com | envifa.vbs | malicious | Unknown | 172.67.19.24
pastebin.com | SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe | malicious | MicroClip | 104.20.4.235
pastebin.com | AS5AB7c08n.exe | malicious | MicroClip | 172.67.19.24
strogonoff.xyz | fblXRRCHON.pos.dll | malicious | Unknown | 141.98.169.154
strogonoff.xyz | GmsiIZXruf.hos.dll | malicious | Unknown | 141.98.169.154
strogonoff.xyz | FETBMCbtmD.mup.dll | malicious | Unknown | 141.98.169.154
                No context
                No context
                No context
                No created / dropped files found
                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.3914599455310785
                TrID:
                • Win32 Dynamic Link Library (generic) (1002004/3) 99.40%
                • Win16/32 Executable Delphi generic (2074/23) 0.21%
                • Generic Win/DOS Executable (2004/3) 0.20%
                • DOS Executable Generic (2002/1) 0.20%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:3.dll
                File size:25'784'320 bytes
                MD5:9e4e3ae279401f9e0b2d2818d422081d
                SHA1:ae134efc864b5b8af1c7d2dee50c8542521ff109
                SHA256:93fca55f68b6d490087850b8f321f108ca4aa193ee8312b3c6bcf727828e965d
                SHA512:efa0763296dd3a46c51132527c07fa70dc362b3914ca7ba241f7457b908fcab1b7f0c1dce7964f7fb40b8d5cb75b8c4673ec38b4f12c3d14d2450687e55fea4b
                SSDEEP:196608:lqOlK4t0Zss6yDdAV8EZGKUJe4fHdIpPSaPh9/C6bks9DwwGR1/RtjFGWZw/hhN0:lql4+as6Qw3Ujfbqs/5IdJxwi1Z
                TLSH:0A470257B68A80FEC0820D79863BE7D2163BF67119068C677BC0290C5F71EB1663E697
                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                Icon Hash:7ae282899bbab082
                Entrypoint:0x14e3427
                Entrypoint Section:N2D,95K
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
                DLL Characteristics:
                Time Stamp:0x66FDCD03 [Wed Oct 2 22:45:23 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:0
                File Version Major:5
                File Version Minor:0
                Subsystem Version Major:5
                Subsystem Version Minor:0
                Import Hash:9a6d12fce3bb7f25c3b57d1fb6ad19d7
                Instruction
                push ebx
                pushfd
                mov ebx, A32141B0h
                lea ebx, dword ptr [8484098Dh+ebx*4]
                shr ebx, 14h
                lea ebx, dword ptr [F6997D88h+ebx*8]
                mov ebx, dword ptr [esp+ebx*8+4B33CFC4h]
                mov dword ptr [esp+04h], 4E6C29D8h
                push dword ptr [esp+00h]
                popfd
                lea esp, dword ptr [esp+04h]
                call 00007F89F9683B97h
                inc ecx
                ror ch, 1
                call 00007F89F9AE5688h
                sar cl, FFFFFFE3h
                dec edx
                mov ebx, dword ptr [esp+08h]
                dec edx
                mov dword ptr [esp+08h], 32162B17h
                inc esp
                movsx edx, al
                inc esp
                movsx eax, dl
                dec ebp
                arpl bp, bp
                pop esi
                dec ecx
                add edi, ebp
                inc cx
                sal ecx, cl
                inc cx
                xadd ecx, ecx
                inc ecx
                mov eax, dword ptr [esp+ebp]
                inc ecx
                inc dl
                inc ecx
                push eax
                dec esi
                lea eax, dword ptr [esp+000000D4h]
                inc ecx
                btr esp, 25h
                inc ebx
                mov dword ptr [esp+eax], eax
                inc ecx
                mov ebp, 018E879Ah
                dec esi
                lea eax, dword ptr [esp+68h]
                dec edx
                sub dword ptr [esp+08h], esi
                dec esp
                lea esi, dword ptr [ecx+21B01890h]
                dec edi
                mov ecx, dword ptr [esp+eax]
                inc ecx
                bts edi, FFFFFFADh
                dec esi
                mov dword ptr [ebp-04h], ecx
                inc esp
                xadd esi, edx
                dec edx
                lea esi, dword ptr [1F98F92Dh+edi*2]
                dec ecx
                lea ebp, dword ptr [esp+ebp-04h]
                inc esi
                movzx eax, word ptr [esp+03h]
                pop esi
                inc ecx
                pop ebp
                jbe 00007F89F9B64606h
                inc ecx
                dec al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x543000 | 0xbe | 4&WkOMbO
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17de85c | 0x168 | N2D,95K
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1805000 | 0x2ed54 | JlJ T26
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1834000 | 0x746f8 | X=<];BL+
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xed0000 | 0x8c | aR_M S9
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xf7af2c | 0x1e0 | N2D,95K
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
,V8h(]j | 0x1000 | 0x510ad8 | 0x510c00 | bfb7d0dba95f4e0c6f491bbb2a76197d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
2Oi.bZ" | 0x512000 | 0x40ac | 0x4200 | a1583c9198a13e830acda224006c8b90 | False | 0.4950875946969697 | data | 6.076925604998549 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
-1T<]EC | 0x517000 | 0x1a59c | 0x1a600 | 0e94d09bd88e2a04a000615ad7347609 | False | 0.4634737855450237 | data | 6.751263581985054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gPH9iZ] | 0x532000 | 0xa080 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
o8`CYVL) | 0x53d000 | 0x4240 | 0x4400 | ddfc43336e843f68a0cccead079adb3b | False | 0.9511144301470589 | data | 7.81430795283375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
:87,Pg0> | 0x542000 | 0xd7c | 0xe00 | 734a3c1d3e7a6ebc0958b92a8966d4cd | False | 0.3443080357142857 | data | 4.287121561304592 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4&WkOMbO | 0x543000 | 0xbe | 0x200 | f26463f99406a9878c1cb149384d34f2 | False | 0.328125 | data | 2.384639178597468 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
[m(rRncT | 0x544000 | 0x45 | 0x200 | 4ae75964954652113b5bc6e6bf8e2eec | False | 0.158203125 | ASCII text, with no line terminators | 1.1775367479159162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0VRn0YJr | 0x545000 | 0x98a8b6 | 0x98aa00 | bd5ee95c033f08f2a20f82e91579c6be | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
aR_M S9 | 0xed0000 | 0xa4 | 0x200 | 784801326915359943ad0109105dbf33 | False | 0.193359375 | data | 1.2022146162546936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
N2D,95K | 0xed1000 | 0x933e40 | 0x934000 | 103decbea7eaba79a41d16a1dc2cfcc4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
JlJ T26 | 0x1805000 | 0x2ed54 | 0x2ee00 | a199f6d6efb15bfdaf143e101e2af2ee | False | 0.22091145833333334 | data | 5.250419495997808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
X=<];BL+ | 0x1834000 | 0x746f8 | 0x74800 | 459e1c87d9562cc04c70549cc3d26f80 | False | 0.5586188975321889 | data | 6.720500604160903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x18075cc | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x1807700 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x1807834 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x1807968 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x1807a9c | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x1807bd0 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x1807d04 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_CURSOR | 0x1807e38 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x1807f6c | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x18080a0 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x18081d4 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x1808308 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x180843c | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x1808570 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x18086a4 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x18087d8 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x180890c | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x1808a40 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x1808b74 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x1808ca8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_BITMAP | 0x1808ddc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x1808fac | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x1809190 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x1809360 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x1809530 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x1809700 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x18098d0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x1809aa0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x1809c70 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x1809e40 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x180a010 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5208333333333334
RT_BITMAP | 0x180a0d0 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42857142857142855
RT_BITMAP | 0x180a1b0 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.4955357142857143
RT_BITMAP | 0x180a290 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.38392857142857145
RT_BITMAP | 0x180a370 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4947916666666667
RT_BITMAP | 0x180a430 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.484375
RT_BITMAP | 0x180a4f0 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42410714285714285
RT_BITMAP | 0x180a5d0 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5104166666666666
RT_BITMAP | 0x180a690 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.5
RT_BITMAP | 0x180a770 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4895833333333333
RT_BITMAP | 0x180a830 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.3794642857142857
RT_STRING | 0x180a910 | 0x3e8 | data | | | 0.4
RT_STRING | 0x180acf8 | 0x538 | data | | | 0.34505988023952094
RT_STRING | 0x180b230 | 0x654 | data | | | 0.2580246913580247
RT_STRING | 0x180b884 | 0xa38 | data | | | 0.27446483180428133
RT_STRING | 0x180c2bc | 0x974 | data | | | 0.2756198347107438
RT_STRING | 0x180cc30 | 0x50c | data | | | 0.34365325077399383
RT_STRING | 0x180d13c | 0x440 | data | | | 0.4108455882352941
RT_STRING | 0x180d57c | 0x46c | data | | | 0.39399293286219084
RT_STRING | 0x180d9e8 | 0x3f0 | data | | | 0.38591269841269843
RT_STRING | 0x180ddd8 | 0x488 | data | | | 0.30689655172413793
RT_STRING | 0x180e260 | 0x494 | data | | | 0.32849829351535836
RT_STRING | 0x180e6f4 | 0x604 | data | | | 0.30324675324675326
RT_STRING | 0x180ecf8 | 0x414 | data | | | 0.407088122605364
RT_STRING | 0x180f10c | 0x31c | data | | | 0.46608040201005024
RT_STRING | 0x180f428 | 0x43c | data | | | 0.34870848708487084
RT_STRING | 0x180f864 | 0x768 | data | | | 0.36550632911392406
RT_STRING | 0x180ffcc | 0x438 | data | | | 0.39814814814814814
RT_STRING | 0x1810404 | 0x4c4 | data | | | 0.37540983606557377
RT_STRING | 0x18108c8 | 0x44c | data | | | 0.3927272727272727
RT_STRING | 0x1810d14 | 0x574 | data | | | 0.37822349570200575
RT_STRING | 0x1811288 | 0x3f4 | data | | | 0.4150197628458498
RT_STRING | 0x181167c | 0xe04 | data | | | 0.24442586399108138
RT_STRING | 0x1812480 | 0xb40 | data | | | 0.2635416666666667
RT_STRING | 0x1812fc0 | 0xae4 | data | | | 0.3134863701578192
RT_STRING | 0x1813aa4 | 0x8ac | data | | | 0.3063063063063063
RT_STRING | 0x1814350 | 0x798 | data | | | 0.2890946502057613
RT_STRING | 0x1814ae8 | 0x4d0 | data | | | 0.4082792207792208
RT_STRING | 0x1814fb8 | 0x44c | data | | | 0.3836363636363636
RT_STRING | 0x1815404 | 0x4b0 | data | | | 0.365
RT_STRING | 0x18158b4 | 0x43c | data | | | 0.39206642066420666
RT_STRING | 0x1815cf0 | 0x3a8 | data | | | 0.4230769230769231
RT_STRING | 0x1816098 | 0x3a0 | data | | | 0.4040948275862069
RT_STRING | 0x1816438 | 0x40c | data | | | 0.4015444015444015
RT_STRING | 0x1816844 | 0x3f8 | data | | | 0.42322834645669294
RT_STRING | 0x1816c3c | 0x374 | data | | | 0.39819004524886875
RT_STRING | 0x1816fb0 | 0x378 | data | | | 0.33783783783783783
RT_STRING | 0x1817328 | 0x2e0 | data | | | 0.4470108695652174
RT_STRING | 0x1817608 | 0x3ec | data | | | 0.3396414342629482
RT_STRING | 0x18179f4 | 0x3f4 | data | | | 0.3824110671936759
RT_STRING | 0x1817de8 | 0x448 | data | | | 0.38321167883211676
RT_STRING | 0x1818230 | 0x3e8 | data | | | 0.427
RT_STRING | 0x1818618 | 0x134 | data | | | 0.6006493506493507
RT_STRING | 0x181874c | 0xcc | data | | | 0.6764705882352942
RT_STRING | 0x1818818 | 0x23c | data | | | 0.486013986013986
RT_STRING | 0x1818a54 | 0x2a0 | data | | | 0.48214285714285715
RT_STRING | 0x1818cf4 | 0x3f4 | data | | | 0.3705533596837945
RT_STRING | 0x18190e8 | 0x3b8 | data | | | 0.38130252100840334
RT_STRING | 0x18194a0 | 0x560 | data | | | 0.32848837209302323
RT_STRING | 0x1819a00 | 0x2b4 | data | | | 0.30057803468208094
RT_STRING | 0x1819cb4 | 0x37c | data | | | 0.4327354260089686
RT_STRING | 0x181a030 | 0x49c | data | | | 0.39152542372881355
RT_STRING | 0x181a4cc | 0x4f8 | data | | | 0.39544025157232704
RT_STRING | 0x181a9c4 | 0x404 | data | | | 0.3667315175097276
RT_STRING | 0x181adc8 | 0x384 | data | | | 0.33666666666666667
RT_STRING | 0x181b14c | 0x410 | data | | | 0.3836538461538462
RT_STRING | 0x181b55c | 0x2f0 | data | | | 0.3896276595744681
RT_STRING | 0x181b84c | 0xc0 | data | | | 0.625
RT_STRING | 0x181b90c | 0x9c | data | | | 0.6282051282051282
RT_STRING | 0x181b9a8 | 0x380 | data | | | 0.4341517857142857
RT_STRING | 0x181bd28 | 0x498 | data | | | 0.29336734693877553
RT_STRING | 0x181c1c0 | 0x2f8 | data | | | 0.45263157894736844
RT_STRING | 0x181c4b8 | 0x2f0 | data | | | 0.3776595744680851
RT_STRING | 0x181c7a8 | 0x3c0 | data | | | 0.259375
RT_RCDATA | 0x181cb68 | 0x10 | data | | | 1.5
RT_RCDATA | 0x181cb78 | 0x1c24 | data | | | 0.5448362021099389
RT_RCDATA | 0x181e79c | 0x2 | data | English | United States | 5.0
RT_RCDATA | 0x181e7a0 | 0x556 | Delphi compiled form 'Tah1s1zi0j45ibpzqnfsi07j8zl6277i80c2z' | | | 0.5629575402635432
RT_RCDATA | 0x181ecf8 | 0x15b | Delphi compiled form 'Tauip045ybf08p0t03xn6sn37o9rh381n7h18dad' | | | 0.7348703170028819
RT_RCDATA | 0x181ee54 | 0x100a | Delphi compiled form 'Tbcjm9zs1p0il4350yjd1hcy3m0pdra5hq85' | | | 0.29201169020944956
                RT_RCDATA0x181fe600x132Delphi compiled form 'Tbf9c20s46354qp4up3ex347w31o3ac1854e'0.7549019607843137
                RT_RCDATA0x181ff940x168cDelphi compiled form 'Tel0a93kfiy4xfu6h1ex021iwsyg'0.29504504504504503
                RT_RCDATA0x18216200x430eDelphi compiled form 'Tem4k3b0ifeilpk71y3l62l2iz903j0'0.20866829779797275
                RT_RCDATA0x18259300x1490Delphi compiled form 'Tfy907jem8l3h1i64thb872t0ss8wcgg26d1s74qg'0.2693768996960486
                RT_RCDATA0x1826dc00xaddDelphi compiled form 'Tgqz106039np0h23wjxj3tlms7ytm3kcgc652f5440'0.414599065084502
                RT_RCDATA0x18278a00x126eDelphi compiled form 'Tgtzgid10h43t0nfwh09dd745f0c7'0.31475201356506993
                RT_RCDATA0x1828b100x1dedDelphi compiled form 'Tjk42gmd452t90tr65q2s4mqcpbp20at'0.4695209502675891
                RT_RCDATA0x182a9000x455Delphi compiled form 'Tkhkb1ne8qk46e9516xf0li8am1rese5n1ydak'0.5536519386834986
                RT_RCDATA0x182ad580xcf8Delphi compiled form 'Tnwrsa168k69lp6py222c5pfl4r7y39i'0.3545180722891566
                RT_RCDATA0x182ba500xf65Delphi compiled form 'Todp9uq21udd85uja0253xr4c66xn0rl8f'0.3521948743973611
                RT_RCDATA0x182c9b80x1de0Delphi compiled form 'Tof741gcknpqj4ri8y3o5cp81hs1tub468rer6yjj'0.26908995815899583
                RT_RCDATA0x182e7980xba6Delphi compiled form 'Tpg0x4ew0sz502i1t3epk6j9cj8k87u1j'0.3876592890677398
                RT_RCDATA0x182f3400x813Delphi compiled form 'Tpp5710tq6n652x7ki5bwr75ykugey705q792'0.49733913884857284
                RT_RCDATA0x182fb540x116bDelphi compiled form 'Trjk7e5615ykye703dn3sy32w28s7c50'0.3110562906481274
                RT_RCDATA0x1830cc00x3a6Delphi compiled form 'Twy732ql8l5913il7qjkp0n2x3243ah659z1ag28g3'0.5899357601713062
                RT_RCDATA0x18310680x109cDelphi compiled form 'Txx0iz313wmx49chasfu2f60k7yn6430a'0.3179680150517404
                RT_RCDATA0x18321040x15acDelphi compiled form 'Tycnqyr019g40z27r7gc70m21pwa23ce1'0.2939798125450613
                RT_RCDATA0x18336b00x2f9Delphi compiled form 'Tzg61c95p7p9o4uejp0jaq92x8y5r416mdym'0.6097240473061761
                RT_GROUP_CURSOR0x18339ac0x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.25
                RT_GROUP_CURSOR0x18339c00x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x18339d40x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x18339e80x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x18339fc0x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x1833a100x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x1833a240x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x1833a380x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x1833a4c0x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x1833a600x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x1833a740x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x1833a880x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x1833a9c0x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
                RT_GROUP_CURSOR0x1833ab00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                RT_GROUP_CURSOR0x1833ac40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                RT_GROUP_CURSOR0x1833ad80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                RT_GROUP_CURSOR0x1833aec0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                RT_GROUP_CURSOR0x1833b000x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                RT_GROUP_CURSOR0x1833b140x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                RT_GROUP_CURSOR0x1833b280x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                RT_VERSION0x1833b3c0x218dataEnglishUnited States0.47574626865671643
                DLL | Import
                winmm.dll | PlaySoundW
                wininet.dll | InternetCloseHandle
                comctl32.dll | FlatSB_SetScrollInfo
                shell32.dll | Shell_NotifyIconW
                user32.dll | DdeSetUserHandle
                version.dll | GetFileVersionInfoSizeW
                oleaut32.dll | SafeArrayPutElement
                advapi32.dll | RegSetValueExW
                netapi32.dll | NetWkstaGetInfo
                msvcrt.dll | memcpy
                winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser
                kernel32.dll | GetVersion, GetVersionExW
                SHFolder.dll | SHGetFolderPathW
                wsock32.dll | gethostbyaddr
                ole32.dll | IsAccelerator
                gdi32.dll | Pie
                ntdll.dll | RtlCompressBuffer
                Name | Ordinal | Address
                TMethodImplementationIntercept | 3 | 0x46a0b4
                __dbk_fcall_wrapper | 2 | 0x412460
                b1oc1ab00u045627q07f | 4 | 0x902584
                dbkFCallWrapperAddr | 1 | 0x935640
                Language of compilation system | Country where language is spoken | Map
                Portuguese | Brazil |
                English | United States |
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 3, 2024 03:42:55.569783926 CEST | 52281 | 53 | 192.168.2.6 | 1.1.1.1
                Oct 3, 2024 03:42:55.583667040 CEST | 53 | 52281 | 1.1.1.1 | 192.168.2.6
                Oct 3, 2024 03:42:55.749996901 CEST | 62335 | 53 | 192.168.2.6 | 1.1.1.1
                Oct 3, 2024 03:42:55.784858942 CEST | 53 | 62335 | 1.1.1.1 | 192.168.2.6
                Oct 3, 2024 03:42:57.503473043 CEST | 53583 | 53 | 192.168.2.6 | 1.1.1.1
                Oct 3, 2024 03:42:57.509912014 CEST | 53 | 53583 | 1.1.1.1 | 192.168.2.6
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Oct 3, 2024 03:42:55.569783926 CEST | 192.168.2.6 | 1.1.1.1 | 0x4078 | Standard query (0) | paradoxine.sbs | A (IP address) | IN (0x0001) | false
                Oct 3, 2024 03:42:55.749996901 CEST | 192.168.2.6 | 1.1.1.1 | 0x3f0 | Standard query (0) | strogonoff.xyz | A (IP address) | IN (0x0001) | false
                Oct 3, 2024 03:42:57.503473043 CEST | 192.168.2.6 | 1.1.1.1 | 0xb942 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Oct 3, 2024 03:42:55.583667040 CEST | 1.1.1.1 | 192.168.2.6 | 0x4078 | No error (0) | paradoxine.sbs | | 95.164.37.66 | A (IP address) | IN (0x0001) | false
                Oct 3, 2024 03:42:55.784858942 CEST | 1.1.1.1 | 192.168.2.6 | 0x3f0 | No error (0) | strogonoff.xyz | | 141.98.169.154 | A (IP address) | IN (0x0001) | false
                Oct 3, 2024 03:42:57.509912014 CEST | 1.1.1.1 | 192.168.2.6 | 0xb942 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
                Oct 3, 2024 03:42:57.509912014 CEST | 1.1.1.1 | 192.168.2.6 | 0xb942 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
                Oct 3, 2024 03:42:57.509912014 CEST | 1.1.1.1 | 192.168.2.6 | 0xb942 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false

                Target ID:0
                Start time:21:39:47
                Start date:02/10/2024
                Path:C:\Windows\System32\loaddll32.exe
                Wow64 process (32bit):true
                Commandline:loaddll32.exe "C:\Users\user\Desktop\3.dll"
                Imagebase:0xdf0000
                File size:126'464 bytes
                MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Borland Delphi
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:21:39:47
                Start date:02/10/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff66e660000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:3
                Start time:21:39:47
                Start date:02/10/2024
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3.dll",#1
                Imagebase:0x1c0000
                File size:236'544 bytes
                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:4
                Start time:21:39:47
                Start date:02/10/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe "C:\Users\user\Desktop\3.dll",#1
                Imagebase:0x620000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:5
                Start time:21:39:47
                Start date:02/10/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe C:\Users\user\Desktop\3.dll,TMethodImplementationIntercept
                Imagebase:0x620000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:6
                Start time:21:39:50
                Start date:02/10/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe C:\Users\user\Desktop\3.dll,__dbk_fcall_wrapper
                Imagebase:0x620000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Borland Delphi
                Reputation:high
                Has exited:true

                Target ID:7
                Start time:21:39:54
                Start date:02/10/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe C:\Users\user\Desktop\3.dll,b1oc1ab00u045627q07f
                Imagebase:0x620000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:8
                Start time:21:40:00
                Start date:02/10/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe "C:\Users\user\Desktop\3.dll",TMethodImplementationIntercept
                Imagebase:0x620000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:9
                Start time:21:40:00
                Start date:02/10/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe "C:\Users\user\Desktop\3.dll",__dbk_fcall_wrapper
                Imagebase:0x620000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Borland Delphi
                Reputation:high
                Has exited:false

                Target ID:10
                Start time:21:40:00
                Start date:02/10/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe "C:\Users\user\Desktop\3.dll",b1oc1ab00u045627q07f
                Imagebase:0x620000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Borland Delphi
                Reputation:high
                Has exited:false

                Target ID:11
                Start time:21:40:01
                Start date:02/10/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe "C:\Users\user\Desktop\3.dll",dbkFCallWrapperAddr
                Imagebase:0x620000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:false

                No disassembly