
Windows Analysis Report
Db5aU9VNyz.dll

Overview

General Information

Sample name:Db5aU9VNyz.dll
(file extension renamed from exe to dll; file renamed because the original name is a hash value)
Original sample name:ceea2771acee3957189b502f5e1b607d.dll.exe
Analysis ID:1561762
MD5:ceea2771acee3957189b502f5e1b607d
SHA1:ac79d2f79f00dcbf0116ab8b7268069927258549
SHA256:85dccf69b7fc24cf39f6d3821e963905005993a5036cbfbf6412dde5558df2bd
Tags:dll, exe, StrelaStealer, user-abuse_ch

Detection

Strela Stealer
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Strela Stealer
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file does not import any functions
Program does not show much activity (idle)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7520 cmdline: loaddll64.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7572 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7596 cmdline: rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • regsvr32.exe (PID: 7580 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Db5aU9VNyz.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • rundll32.exe (PID: 7604 cmdline: rundll32.exe C:\Users\user\Desktop\Db5aU9VNyz.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
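The process tree above is the loaddll64.exe harness exercising the DLL's exports; in production telemetry the part worth alerting on is rundll32.exe or regsvr32.exe loading a DLL from a user-writable path, by ordinal, or silently with /s. The detection logic below is an added example and not part of the Joe Sandbox report (which matched no Sigma rule): the Sysmon-style process-creation events are constructed from the report's command lines, and the user-writable path list, the script/Office parent set and the verdict rule are assumptions for illustration.

```python
"""Detection logic for the DLL-host process tree in this report, run over
constructed Sysmon-style (Event ID 1) process-creation records."""
import re

DLL_HOST_IMAGES = {"rundll32.exe", "regsvr32.exe"}

# Locations an unprivileged user can write to (assumed list): a signed DLL host
# loading a module from here is the part of the tree worth alerting on.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
# rundll32 export-by-ordinal syntax, as in  rundll32.exe "<dll>",#1
ORDINAL_EXPORT = re.compile(r'\.dll"?\s*,\s*#\d+\b', re.IGNORECASE)
# The module argument: a quoted path, or a bare path ending in .dll
MODULE_ARG = re.compile(r'"([^"]+\.dll)"|(\S+?\.dll)(?=[,\s]|$)', re.IGNORECASE)
SILENT_REGSVR32 = re.compile(r"(?:^|\s)/s(?:\s|$)", re.IGNORECASE)
SCRIPT_OR_OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                            "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def module_from_cmdline(cmdline: str):
    m = MODULE_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def evaluate(event: dict) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one process-creation event."""
    img = image_name(event["Image"])
    if img not in DLL_HOST_IMAGES:
        return {"suspicious": False, "reasons": []}
    cmd = event["CommandLine"]
    module = module_from_cmdline(cmd)
    reasons = []
    path_hit = bool(module and USER_WRITABLE.search(module))
    ordinal_hit = img == "rundll32.exe" and bool(ORDINAL_EXPORT.search(cmd))
    if path_hit:
        reasons.append(f"{img} loads a module from a user-writable path: {module}")
    if ordinal_hit:
        reasons.append("rundll32 calls an export by ordinal, which hides the export name")
    # Context only: silent mode and the parent sharpen triage but do not decide.
    if img == "regsvr32.exe" and SILENT_REGSVR32.search(cmd):
        reasons.append("regsvr32 /s suppresses the registration dialog")
    parent = image_name(event.get("ParentImage", ""))
    if parent in SCRIPT_OR_OFFICE_PARENTS:
        reasons.append(f"spawned by {parent}")
    return {"suspicious": path_hit or ordinal_hit, "reasons": reasons}


# Constructed events mirroring the report's process tree (PIDs 7572, 7596,
# 7580, 7604) plus one benign control-panel launch; not real telemetry.
EVENTS = [
    {"ProcessId": 7572, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\loaddll64.exe",
     "CommandLine": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1'},
    {"ProcessId": 7596, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1'},
    {"ProcessId": 7580, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\loaddll64.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\user\Desktop\Db5aU9VNyz.dll"},
    {"ProcessId": 7604, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\loaddll64.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\Db5aU9VNyz.dll,DllRegisterServer"},
    {"ProcessId": 9001, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def run(events=EVENTS) -> dict:
    """Map ProcessId -> verdict for a batch of events."""
    return {e["ProcessId"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for pid, verdict in run().items():
        print(pid, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

Only the path and ordinal findings decide the verdict; cmd.exe (PID 7572) is not flagged itself because the rundll32.exe child it spawns is, and the System32 shell32.dll launch passes as a baseline. In a real deployment the parent-process set would be the signal that separates a phishing chain from an administrator running regsvr32.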
No configs have been found
YARA matches in memory dumps (rule: JoeSecurity_StrelaStealer; description: Yara detected Strela Stealer; author: Joe Security; first 5 shown, the full list is in the Stealing of Sensitive Information section below):
  • 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp
  • 00000004.00000002.1398710559.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp
  • 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp
  • 00000000.00000002.1428573354.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp
  • 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp
YARA matches in unpacked PE files (same rule; first 5 shown):
  • 5.2.rundll32.exe.7ff8e83b6404.1.raw.unpack
  • 4.2.rundll32.exe.7ff8e83b6404.1.unpack
  • 0.2.loaddll64.exe.7ff8e83b6404.1.unpack
  • 0.2.loaddll64.exe.7ff8e83b6404.1.raw.unpack
  • 3.2.regsvr32.exe.7ff8e83b6404.1.unpack
                      No Sigma rule has matched
                      No Suricata rule has matched


                      AV Detection

Source: Db5aU9VNyz.dll | ReversingLabs: Detection: 50%
Source: Db5aU9VNyz.dll | Virustotal: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 87.5% probability
Source: Db5aU9VNyz.dll | Joe Sandbox ML: detected
Source: Db5aU9VNyz.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT (HIGH_ENTROPY_VA is the DllCharacteristics flag for 64-bit ASLR, not a statement about the file's byte entropy; the measured 8-bit entropy, 7.72, is given under the file information below)

Detected potential crypto function

Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FF8E83B11B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FF8E83B1000
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000022A4F57F4E8
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000022A4F571090
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000022A4F5772BC
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000022A4F571A90
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000022A4F5715A0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C21090
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C21A90
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C272BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C2F4E8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C215A0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001A4D683F4E8
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001A4D6831090
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001A4D68315A0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001A4D68372BC
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001A4D6831A90
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_00000256F168F4E8
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_00000256F1681090
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_00000256F16872BC
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_00000256F16815A0
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_00000256F1681A90
(The two 0x7FF8E83Bxxxx functions lie in the mapped DLL image. The others lie in memory each host process allocated for the decoded payload, and the same five routines recur at the same offsets from the allocation base in every process: +0x1090, +0x15A0, +0x1A90, +0x72BC and +0xF4E8.)

PE file does not import any functions

Source: Db5aU9VNyz.dll | Static PE information: No import functions for PE file found
Source: classification engine | Classification label: mal64.troj.winDLL@10/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03 (conhost's own WIL error-reporting mutex, present in every console session; not sample behaviour)
Source: Db5aU9VNyz.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies key, read as part of the standard policy check when a process is created; seen in virtually every analysis and not specific to this sample)
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Db5aU9VNyz.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Db5aU9VNyz.dll,DllRegisterServer
(Every process creation above is the loaddll64.exe harness exercising the DLL's exports, ordinal #1 and DllRegisterServer; none is initiated by the sample's own code.)
Source: C:\Windows\System32\loaddll64.exe | Sections loaded: apphelp.dll, wininet.dll, textshaping.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll (3 times)
Source: C:\Windows\System32\regsvr32.exe | Sections loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, uxtheme.dll, wininet.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (3 times)
(wininet.dll appears in both hosts although the DLL has no import table, so it is resolved at runtime by the decoded payload; the uxtheme/textshaping/textinputframework set comes from the dialog the harness dismissed with "Automated click: OK". No network traffic was recorded before the timeout.)
Source: C:\Windows\System32\loaddll64.exe | Automated click: OK
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Db5aU9VNyz.dll | Static PE information: Image base 0x180000000 > 0x60000000 (the linker default for 64-bit DLLs; with DYNAMIC_BASE set the image is rebased at load in any case, as the 0x7FF8E83B0000 load address in the unpacked-PE names shows)

Registers a DLL

Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Db5aU9VNyz.dll (harness-initiated; see the process tree)
Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000022A4F57CC35 push cs; retf 0000h (0_2_0000022A4F57CC59)
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000022A4F57CC6C push esi; retf 0000h (0_2_0000022A4F57CC6D)
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000022A4F57CCA8 push 6F0000CBh; retf (0_2_0000022A4F57CCAD)
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000022A4F57CC9C push ebx; retf (0_2_0000022A4F57CC9D)
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000022A4F57BBA2 push esp; ret (0_2_0000022A4F57BBA5)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C348D1 push esp; ret (3_2_00C348DA)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C348E1 push ebp; ret (3_2_00C348EA)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C348F0 push ebp; ret (3_2_00C348FA)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C34840 push esp; ret (3_2_00C3484A)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C34850 push ebp; ret (3_2_00C3492A)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C34861 push esp; ret (3_2_00C348AA)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C34800 push esp; ret (3_2_00C3480A)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C34810 push esp; ret (3_2_00C3481A)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C34828 push esp; ret (3_2_00C3482A)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C34838 push esp; ret (3_2_00C3483A)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C349C9 push ebp; ret (3_2_00C349CA)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C349D0 push ebp; ret (3_2_00C349DA)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C361D8 push esi; ret (3_2_00C361F2)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C349E0 push esi; ret (3_2_00C34A1A)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C34981 push ebp; ret (3_2_00C349BA)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C34968 push ebp; ret (3_2_00C3497A)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C34908 push ebp; ret (3_2_00C3491A)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C31928 push ds; ret (3_2_00C31962)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C31938 push ds; ret (3_2_00C31962)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C2BBA2 push esp; ret (3_2_00C2BBA5)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C32B48 push eax; ret (3_2_00C32B49)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C32B58 pushad; ret (3_2_00C32B59)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C324E9 push edx; retn 0000h (3_2_00C324EA)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C344F0 push eax; ret (3_2_00C344FA)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C34490 push eax; ret (3_2_00C344AA)
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00C2CC9C push ebx; retf (3_2_00C2CC9D)
(These hits all lie in the payload allocations, the same regions the YARA rule matched, and the pairs at +0xBBA2 and +0xCC9C recur in both processes. pushad, push cs and push ds have no encoding in 64-bit mode, so part of this list is the disassembler decoding non-code bytes; on its own the signature is weak evidence here.)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (both rundll32.exe instances; set through SetErrorMode by the host and seen for every rundll32-hosted DLL, so it carries no weight on its own)

Program does not show much activity (idle)

Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (conhost.exe is the harness's console host and does not load the sample, so this is weak evidence of sleep-based evasion)

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1 (the harness's own cmd.exe launching rundll32.exe; no injection into another process was observed)

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\loaddll64.exe | Code function: GetConsoleWindow,CreateThread,GetLocaleInfoA, 0_2_0000022A4F5720E0
Source: C:\Windows\System32\regsvr32.exe | Code function: CreateThread,GetLocaleInfoA, 3_2_00C220E0
Source: C:\Windows\System32\rundll32.exe | Code function: CreateThread,GetLocaleInfoA, 4_2_000001A4D68320E0
Source: C:\Windows\System32\rundll32.exe | Code function: CreateThread,GetLocaleInfoA, 5_2_00000256F16820E0
(The same routine, at +0x20E0 in the payload allocation of every host, calls GetLocaleInfoA right after CreateThread. A locale gate that exits on a non-target system language would explain the idle behaviour, but the report does not show which branch was taken.)

                      Stealing of Sensitive Information

Source: Yara match | File source: 5.2.rundll32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1398710559.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1428573354.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1397944483.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1399133207.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll64.exe PID: 7520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 7580, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7604, type: MEMORYSTR
(Two kinds of match: the 0x...1000 dumps whose names carry 0x40 and 0x20000, matching PAGE_EXECUTE_READWRITE and MEM_PRIVATE, are the fresh RWX allocations each host filled with the decoded payload; the 0x7FF8E83B6000 dumps, whose names carry 0x01000000, matching MEM_IMAGE, are the loaded DLL image itself, where the 7ff8e83b6404 unpacked PE sits in the image's data at offset 0x6404. The 7ff8e83b0000 entries are the DLL as loaded.)

                      Remote Access Functionality

Source: Yara match | File source: 5.2.rundll32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1398710559.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1428573354.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1397944483.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1399133207.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll64.exe PID: 7520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 7580, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7604, type: MEMORYSTR
(The same matches as under Stealing of Sensitive Information: the JoeSecurity_StrelaStealer rule is mapped to both categories.)
MITRE ATT&CK matrix (only techniques with matched signatures are listed; the number after each technique is the badge shown in the report's matrix cell):
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
  • Defense Evasion: Regsvr32 (1), Rundll32 (1), Process Injection (11), DLL Side-Loading (1), Obfuscated Files or Information (1)
  • Discovery: System Information Discovery (11)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
  • No matched techniques: Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration, Impact
The Regsvr32, Rundll32 and Process Injection entries reflect how the loaddll64.exe harness invoked the DLL (regsvr32 /s, rundll32 by ordinal and by DllRegisterServer, cmd.exe spawning rundll32), not actions the sample took on its own.
Behavior Graph (ID: 1561762; sample: Db5aU9VNyz.exe; start date: 24/11/2024; architecture: WINDOWS; score: 64)
Root-node signatures: Multi AV Scanner detection for submitted file; Yara detected Strela Stealer; Machine Learning detection for sample; AI detected suspicious sample
Process edges: start -> loaddll64.exe; loaddll64.exe -> cmd.exe, regsvr32.exe, rundll32.exe, conhost.exe; cmd.exe -> rundll32.exe

Antivirus results (source | detection | scanner | label):
  • Db5aU9VNyz.dll | 50% | ReversingLabs | Win64.Trojan.StrelaStealer
  • Db5aU9VNyz.dll | 47% | Virustotal
  • Db5aU9VNyz.dll | 100% | Joe Sandbox ML
                      No Antivirus matches
Domains resolved during the analysis (name | IP | active | malicious | reputation):
  • s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | high
This is Microsoft edge infrastructure (t-msedge.net) with a high reputation, and the sample itself issued no DNS query (see the "no activity detected" line under the signatures). Do not carry it into an IOC list.
                        No contacted IP infos
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1561762
                        Start date and time:2024-11-24 08:42:05 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 2m 33s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:Db5aU9VNyz.dll
(file extension renamed from exe to dll; file renamed because the original name is a hash value)
                        Original Sample Name:ceea2771acee3957189b502f5e1b607d.dll.exe
                        Detection:MAL
                        Classification:mal64.troj.winDLL@10/0@0/0
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 20
                        • Number of non-executed functions: 21
                        Cookbook Comments:
                        • Stop behavior analysis, all processes terminated
                        • Exclude process from analysis (whitelisted): dllhost.exe
                        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                        No simulations
                        No context
Context for s-part-0035.t-0009.t-msedge.net (13.107.246.63): other analysed samples that resolved the same host (sample | detection | threat name):
  • fACYdCvub8.exe | malicious | Unknown
  • Payment Transfer Request Form.bat.exe | malicious | Remcos
  • Marine Energy Sdn Bhd Request for Quotation.exe | malicious | FormBook
  • purchase Order.exe | malicious | FormBook
  • file.exe | malicious | LummaC Stealer
  • file.exe | malicious | LummaC Stealer
  • file.exe | malicious | Amadey, Stealc, Vidar
  • 4yOuoT4GFy.exe | malicious | AsyncRAT
  • file.exe | malicious | LummaC Stealer
  • file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar
The spread of unrelated families here is what a shared Microsoft endpoint looks like in sandbox context data; it does not indicate shared command-and-control infrastructure.
                        No context
                        No context
                        No context
                        No created / dropped files found
                        File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                        Entropy (8bit):7.722707346854152
                        TrID:
                        • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                        • Win64 Executable (generic) (12005/4) 10.17%
                        • Generic Win/DOS Executable (2004/3) 1.70%
                        • DOS Executable Generic (2002/1) 1.70%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                        File name:Db5aU9VNyz.dll
                        File size:137'728 bytes
                        MD5:ceea2771acee3957189b502f5e1b607d
                        SHA1:ac79d2f79f00dcbf0116ab8b7268069927258549
                        SHA256:85dccf69b7fc24cf39f6d3821e963905005993a5036cbfbf6412dde5558df2bd
                        SHA512:e33754db175b5367d74937ce634ea8ec043f469fdf53d2c7721605486f1ddf826633d8c7fdb1ba127b83adeed308b4f64493d584ca295c3f0cf206a83c8deea1
                        SSDEEP:3072:+aFwDl+lMbh3Gm8CsqMRV9t5P7GpQuBMSlFhpvTPIaGWiME2MKK+HfK2u1Ep0xtO:+a2l+EGm8TTP7utJhIaR5ERjfb
                        TLSH:E6D3F22AA09EDE25E9FBD0B3AF1EF39094415107133E35C3C150B466697BAF4787AC92
                        File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....T1g.........." .....8..........@........................................`............`........................................
                        Icon Hash:7ae282899bbab082
                        Entrypoint:0x180001140
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x180000000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x67315488 [Mon Nov 11 00:49:12 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:0
                        File Version Major:6
                        File Version Minor:0
                        Subsystem Version Major:6
                        Subsystem Version Minor:0
                        Import Hash:
                        Instruction
                        mov eax, dword ptr [00022312h]
                        inc esp
                        mov eax, dword ptr [0002230Fh]
                        lea edx, dword ptr [eax-01h]
                        imul edx, eax
                        mov eax, edx
                        not eax
                        mov ecx, eax
                        and ecx, FFFFFFFEh
                        and edx, 01h
                        or edx, ecx
                        xor eax, edx
                        test eax, edx
                        inc ecx
                        setne cl
                        inc ecx
                        cmp eax, 09h
                        setnle al
                        inc ecx
                        cmp eax, 0Ah
                        setl cl
                        inc esp
                        xor cl, cl
                        xor cl, 00000001h
                        mov edx, eax
                        inc esp
                        and dl, cl
                        inc esp
                        xor al, cl
                        or al, dl
                        xor al, 01h
                        test cl, al
                        jne 00007FB090EFF907h
                        xor cl, al
                        jne 00007FB090EFF903h
                        nop word ptr [eax+eax+00000000h]
                        nop dword ptr [eax+eax+00h]
                        jmp 00007FB090EFF8F0h
                        mov eax, 00000001h
                        ret
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        inc ecx
                        push edi
                        inc ecx
                        push esi
                        inc ecx
                        push ebp
                        inc ecx
                        push esp
                        push esi
                        push edi
                        push ebp
                        push ebx
                        dec eax
                        sub esp, 00000168h
                        inc sp
                        movq qword ptr [esp+00000150h], mm7
                        inc sp
                        movq qword ptr [esp+00000140h], mm6
                        inc sp
                        movq qword ptr [esp+00000130h], mm5
                        inc sp
                        movq qword ptr [esp+00000120h], mm4
                        inc sp
                        movq qword ptr [esp+00000110h], mm3
                        inc sp
                        movq qword ptr [esp+00000100h], mm2
                        inc sp
                        movq qword ptr [esp+000000F0h], mm1
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x5190 | 0x51 | .rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x25000 | 0x1a8 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x24000 | 0x18 | .pdata
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x377b | 0x3800 | 9cb4fa437e5714f9c5a0883dcf7e576a | False | 0.6565290178571429 | data | 6.739143547521826 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata | 0x5000 | 0x22c | 0x400 | 151ff0785ef7ca891f60c4faaab1bbab | False | 0.2060546875 | data | 3.6901601485112017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0x6000 | 0x1d498 | 0x1d600 | b0e96fe640488746868e2c9bc52b4f19 | False | 0.8685837765957447 | data | 7.7372965211458675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .pdata | 0x24000 | 0x18 | 0x200 | c8be788ac23de7429f3bcb0881f569e4 | False | 0.064453125 | data | 0.2162069074398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .rsrc | 0x25000 | 0x1a8 | 0x200 | dc8a7a3ba49348b04c8bceefe511f730 | False | 0.482421875 | data | 4.1813331407993175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_MANIFEST | 0x25060 | 0x143 | XML 1.0 document, ASCII text | English | United States | 0.628482972136223
                        Name | Ordinal | Address
                        DllRegisterServer | 1 | 0x180001000
                        Language of compilation system | Country where language is spoken
                        English | United States
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Nov 24, 2024 08:42:54.827896118 CET | 1.1.1.1 | 192.168.2.9 | 0x76b7 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                        Nov 24, 2024 08:42:54.827896118 CET | 1.1.1.1 | 192.168.2.9 | 0x76b7 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false

                        Target ID:0
                        Start time:02:42:57
                        Start date:24/11/2024
                        Path:C:\Windows\System32\loaddll64.exe
                        Wow64 process (32bit):false
                        Commandline:loaddll64.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll"
                        Imagebase:0x7ff62be80000
                        File size:165'888 bytes
                        MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000000.00000002.1428573354.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:1
                        Start time:02:42:57
                        Start date:24/11/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff70f010000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:02:42:57
                        Start date:24/11/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1
                        Imagebase:0x7ff7581d0000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:3
                        Start time:02:42:57
                        Start date:24/11/2024
                        Path:C:\Windows\System32\regsvr32.exe
                        Wow64 process (32bit):false
                        Commandline:regsvr32.exe /s C:\Users\user\Desktop\Db5aU9VNyz.dll
                        Imagebase:0x7ff61d720000
                        File size:25'088 bytes
                        MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.1399133207.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:02:42:57
                        Start date:24/11/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1
                        Imagebase:0x7ff6ceee0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.1398710559.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:02:42:57
                        Start date:24/11/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe C:\Users\user\Desktop\Db5aU9VNyz.dll,DllRegisterServer
                        Imagebase:0x7ff6ceee0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.1397944483.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true


                          Execution Graph

                          Execution Coverage:4.8%
                          Dynamic/Decrypted Code Coverage:75%
                          Signature Coverage:37.5%
                          Total number of Nodes:40
                          Total number of Limit Nodes:6
                          Strings
                          • VVlyjRSzFLmyrtahDwbFCWKFpmipmmhPoixaHfnPShaHPmTikLFaGRRaRwSJkGioOZEjauXgEoVWGTzlnoYCRHXLRHkcLUwtRLscGPXWipGllUEtDhAiCOyhKZXuXonRjlTtvAbzJruFwnzhSWetPSDcTFmsAsgrYOIzXiIDKCqQOgRteJATfscdvKJLkYJYDOTwQBCozHbjOwrsEfDahwtnRWrwUHtjMEWqiJcClQAKEWCldPXlFgTDWBnBzOOQehoy, xrefs: 00007FF8E83B163F
                          • kY-8h, xrefs: 00007FF8E83B300A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428459801.00007FF8E83B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8E83B0000, based on PE: true
                          • Associated: 00000000.00000002.1428445245.00007FF8E83B0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1428475513.00007FF8E83B5000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1428573354.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1428598925.00007FF8E83D5000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff8e83b0000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: kY-8h$VVlyjRSzFLmyrtahDwbFCWKFpmipmmhPoixaHfnPShaHPmTikLFaGRRaRwSJkGioOZEjauXgEoVWGTzlnoYCRHXLRHkcLUwtRLscGPXWipGllUEtDhAiCOyhKZXuXonRjlTtvAbzJruFwnzhSWetPSDcTFmsAsgrYOIzXiIDKCqQOgRteJATfscdvKJLkYJYDOTwQBCozHbjOwrsEfDahwtnRWrwUHtjMEWqiJcClQAKEWCldPXlFgTDWBnBzOOQehoy
                          • API String ID: 0-1072908350
                          • Opcode ID: 10b11ed2a2304671b516d60a121280c5060e799b5db61ee90563b79f09f6fa95
                          • Instruction ID: 77b6c870bf90a0bf1340979f39c824775911cdfa3568491ae559b3e70d236831
                          • Opcode Fuzzy Hash: 10b11ed2a2304671b516d60a121280c5060e799b5db61ee90563b79f09f6fa95
                          • Instruction Fuzzy Hash: 3243B7ABF296414AEB048B7598513FEA792ABA63E4F0CA331DE1D477D5DB3CD8058304

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID: ConsoleCreateInfoLocaleThreadWindow
                          • String ID: 5
                          • API String ID: 1307802651-2226203566
                          • Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
                          • Instruction ID: bfbe4c00601275ad08f00fb4e5d63d53b927466702235e95b3dfb4306c284694
                          • Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
                          • Instruction Fuzzy Hash: 79419B30218A488BE729FFA4D99D7AA77E2FBD4305F40952DE147C25A6DE78C409CB43

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000000.00000002.1428459801.00007FF8E83B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8E83B0000, based on PE: true
                          • Associated: 00000000.00000002.1428445245.00007FF8E83B0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1428475513.00007FF8E83B5000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1428573354.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1428598925.00007FF8E83D5000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff8e83b0000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8dfbe4637367382060e290bfafd52b1d6e20a2d28bb1cf39a7ae6ff589a5b6e1
                          • Instruction ID: 79c4b74d7f3aa0b6cf545b1f6d1fbb4bcb3d4116f7e1f53703c921d0fd6ede89
                          • Opcode Fuzzy Hash: 8dfbe4637367382060e290bfafd52b1d6e20a2d28bb1cf39a7ae6ff589a5b6e1
                          • Instruction Fuzzy Hash: 2731D53BF655124FFB0887B599523FF27D29BB1394F29A434C109C32D6DE3E68464604

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileType
                          • String ID:
                          • API String ID: 3081899298-0
                          • Opcode ID: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
                          • Instruction ID: 0e43f891fef54fa49a8d10f9a4054c5497708d3dbdb099330c1d1e826c72ec25
                          • Opcode Fuzzy Hash: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
                          • Instruction Fuzzy Hash: CD31D430508E1AAFE7B5EF6C8588760B6D0F70A360F661749E45AC75F5CA74D8A1C383

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID: Volume$MountNamePoint
                          • String ID:
                          • API String ID: 1269602640-0
                          • Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
                          • Instruction ID: e9eb52202b6985ee66a0673e16d8a43802bfcd834c0969caff0cd16535c36ab4
                          • Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
                          • Instruction Fuzzy Hash: 530167305085448FFB06EB68D8987D677E1F769305F008569E0CAC72A6DEBCC558C742

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID:
                          • API String ID: 621844428-0
                          • Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
                          • Instruction ID: e2901d0284b1ff83d0292c35994997cca54112fa042e29cbd837e73517964d1a
                          • Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
                          • Instruction Fuzzy Hash: 36D062343007495BEA687BF55A9D26D26959745205F0028386502C6A9BDD7AD845C743

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message
                          • String ID:
                          • API String ID: 2030045667-0
                          • Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
                          • Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
                          • Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
                          • Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID: _clrfp
                          • String ID:
                          • API String ID: 3618594692-0
                          • Opcode ID: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
                          • Instruction ID: e5616e623f74021e54678726c7c0328a4fa9db219706b94d4e38e145385d4fd4
                          • Opcode Fuzzy Hash: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
                          • Instruction Fuzzy Hash: 34C19D30120A4DCFEBA8DF1CC98AB6677E0FF49304F198599E859CB6A1C775D852CB42
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e4f9392618ee0be8b2838eee92702fec4626de7f7bd0dc604c65336cad8c2563
                          • Instruction ID: 730eb3a8c66bab684c1a5d1d214bb08d106af2949965580d09f63e9c9927e903
                          • Opcode Fuzzy Hash: e4f9392618ee0be8b2838eee92702fec4626de7f7bd0dc604c65336cad8c2563
                          • Instruction Fuzzy Hash: DEE13C70518B488FEB75EF58D8897EA77E1FB98305F00462EA48AC3560DF749A45CB83
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f301177accb7d0ce1b8505d76f0598128b48e2f6fca66abbe616489d302d7cc2
                          • Instruction ID: a50d50df4651f07b135352870d616b98b5f31bc349067e1f0540dc5645d76584
                          • Opcode Fuzzy Hash: f301177accb7d0ce1b8505d76f0598128b48e2f6fca66abbe616489d302d7cc2
                          • Instruction Fuzzy Hash: 15B15D31208A498FEB79FF68D8596EA73E1FB98311F00422AA45BC3591DF74D905CB82
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 004e5bc4f416d9accfca0753fc8d67adee0aa063ac23580ea370914e8b763bcf
                          • Instruction ID: 1df964e8a1ff07e20ab8a7b19530b6d40b068e8457e55b174bbc9b14b7670548
                          • Opcode Fuzzy Hash: 004e5bc4f416d9accfca0753fc8d67adee0aa063ac23580ea370914e8b763bcf
                          • Instruction Fuzzy Hash: 4271A13061CB484BE768EF28984D3BA77E1FB89710F00956ED88BC3251EE74D946C782
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 30f0a361053a8720fb197dd7f2de9fba19a6b2a280636273193b063dd5433016
                          • Instruction ID: cd8dd15f45c52fada5e8434c1d6788a600f048968599c2cb9d510dd6848bc7a4
                          • Opcode Fuzzy Hash: 30f0a361053a8720fb197dd7f2de9fba19a6b2a280636273193b063dd5433016
                          • Instruction Fuzzy Hash: F151F632318E0C4FDB5CEF6CE49967573D2E7AC311B15822EE40AD72A5DEB1D8468782

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                          • String ID: csm$csm$csm
                          • API String ID: 849930591-393685449
                          • Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
                          • Instruction ID: 9c3dd0e45b213fa2b31c0e3e9e8e7621825ffc251b8536ce2d4cac9a3165cad7
                          • Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
                          • Instruction Fuzzy Hash: E1F16F30518B489BEB64FFA885897AA77E0FB59310F50165DE489C3696DF70D882CB83

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                          • String ID: csm$csm
                          • API String ID: 3896166516-3733052814
                          • Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
                          • Instruction ID: 8587e5c60d7abffd470ea5663984c17744cdf597731c0088df89e798da08087e
                          • Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
                          • Instruction Fuzzy Hash: D4718F30114A48EFEBB8AF58818D76AB7D1FB94311F64665A948DC7A92DFB0DC80C743

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm
                          • API String ID: 3242871069-1018135373
                          • Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
                          • Instruction ID: d9661826bdef111d29aca3a8bdc38f39d69ba13611a655a64317eff5246c40d3
                          • Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
                          • Instruction Fuzzy Hash: 6771A130218A049BEF78FA9CE58977473D1FB54350F10556EEC86C7696EA60EC51CA83

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022A4F571000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_22a4f571000_loaddll64.jbxd
                          Yara matches
                          Similarity
                          • API ID: CallTranslator
                          • String ID: MOC$RCC
                          • API String ID: 3163161869-2084237596
                          • Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
                          • Instruction ID: 91dc6c8820dc2fab247ff170a95012282c823bbfcb7df96b77c02f453c53e651
                          • Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
                          • Instruction Fuzzy Hash: FB71CF30518B489FE774EF58C54ABAAB7E0FB99310F041A5EE489C3552DBB4E481CB83

                          Execution Graph

                          Execution Coverage:1.1%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:23
                          Total number of Limit Nodes:2

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C21000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_c21000_regsvr32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateInfoLocaleThread
                          • String ID: 5
                          • API String ID: 899703944-2226203566
                          • Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
                          • Instruction ID: efaf2a98251720b824725e517d467c58327be51a43da97a20f891b84b8fdd102
                          • Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
                          • Instruction Fuzzy Hash: C2411330218A48CBE719EF64EC896BB73E2FBD8301F44853DE147C25A5DE388509CB42

                          Control-flow Graph

                          APIs
                          • GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 00C2104B
                          Memory Dump Source
                          • Source File: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C21000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_c21000_regsvr32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Volume$MountNamePoint
                          • String ID:
                          • API String ID: 1269602640-0
                          • Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
                          • Instruction ID: cf10c49bbc0c5e18365bf51681048fda2ea57452e4e6cab05e5d41f84c2c763f
                          • Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
                          • Instruction Fuzzy Hash: 1F0162305086488FFB06EB68D898BE677E1F769305F008569E0CAC72A5DEBC8658C751

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 47 c26f68-c26f77 call c26f9c 50 c26f8a-c26f9b call c26fc0 ExitProcess 47->50 51 c26f79-c26f82 47->51 51->50
                          APIs
                          • ExitProcess.KERNEL32(?,?,?,?,?,?,?,00C26F64), ref: 00C26F93
                          Memory Dump Source
                          • Source File: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C21000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_c21000_regsvr32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID:
                          • API String ID: 621844428-0
                          • Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
                          • Instruction ID: f54295a1c19e35ac4967810fc126f89294d494d3bb623a14a47cd908928b6f06
                          • Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
                          • Instruction Fuzzy Hash: 15D09E343007195FEF18BBF97A9932D2665DB45205F0018386913CBEA6CD3A98498752

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 55 c220b0-c220d6 MessageBoxA
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C21000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_c21000_regsvr32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message
                          • String ID:
                          • API String ID: 2030045667-0
                          • Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
                          • Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
                          • Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
                          • Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

                          Control-flow Graph

                          APIs
                          • __FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00C2410C
                            • Part of subcall function 00C25054: __GetUnwindTryBlock.LIBCMT ref: 00C25097
                            • Part of subcall function 00C25054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00C250BC
                          • Is_bad_exception_allowed.LIBVCRUNTIME ref: 00C241E4
                          • __FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00C24433
                          • std::bad_alloc::bad_alloc.LIBCMT ref: 00C2453F
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C21000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_c21000_regsvr32.jbxd
                          Yara matches
                          Similarity
                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                          • String ID: csm$csm$csm
                          • API String ID: 849930591-393685449
                          • Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
                          • Instruction ID: 958918db846b1a3c3427b50af05c1a6e0884d5aa7d7506b5dd5be6cad7ff4d51
                          • Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
                          • Instruction Fuzzy Hash: 0CE1D630918B588FDB18EF6CE485AAD77E0FF59310F50065EE499C7A16DB34E981CB82

                          Control-flow Graph

                          APIs
                          • __except_validate_context_record.LIBVCRUNTIME ref: 00C24958
                          • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00C24A40
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C21000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_c21000_regsvr32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                          • String ID: csm$csm
                          • API String ID: 3896166516-3733052814
                          • Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
                          • Instruction ID: 05bac4a87143fee95b0ebbe5e57957ce69f911305faf1ef765d44fdd1e931966
                          • Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
                          • Instruction Fuzzy Hash: C961D030614B688FCB6CDF28A089329B7E1FB98311F64465EE499C7A91CB74DD80C786

                          Control-flow Graph

                          APIs
                          • __except_validate_context_record.LIBVCRUNTIME ref: 00C22D1B
                          • _IsNonwritableInCurrentImage.LIBCMT ref: 00C22DB2
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C21000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_c21000_regsvr32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm
                          • API String ID: 3242871069-1018135373
                          • Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
                          • Instruction ID: 0ceb3603224da18b8f9d403c6236cdcbe07a2dd95f0ffac442b07042c1305b39
                          • Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
                          • Instruction Fuzzy Hash: 8561D430208E289BCF28EE5CF485A7873D1FB54351F11456EE88AC3656EB34ED92DB85

                          Control-flow Graph

                          APIs
                          • _CallSETranslator.LIBVCRUNTIME ref: 00C2462B
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C21000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_c21000_regsvr32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CallTranslator
                          • String ID: MOC$RCC
                          • API String ID: 3163161869-2084237596
                          • Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
                          • Instruction ID: a0f311a800c72a468d37b79d553543ac9191221d3a9a83f218b5f31b1016c71f
                          • Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
                          • Instruction Fuzzy Hash: 5971C430518B988FD768EF18E446BAAB7E0FB99700F144A5EE49DC3611DB74E581CB83

                          Execution Graph

                          Execution Coverage:1.9%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:30
                          Total number of Limit Nodes:4

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A4D6831000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1a4d6831000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateInfoLocaleThread
                          • String ID: 5
                          • API String ID: 899703944-2226203566
                          • Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
                          • Instruction ID: a5f16750a9e9fc9f9f7a3eaf286d85c742d6eeab3b047e7b3e207d5e0c5cb214
                          • Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
                          • Instruction Fuzzy Hash: 6441F3303266448BEB19EFA8D8987EBB3E1FBE5301F40952DF187D21A5DF789405C642

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A4D6831000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1a4d6831000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileType
                          • String ID:
                          • API String ID: 3081899298-0
                          • Opcode ID: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
                          • Instruction ID: 23261c0cd748f03db4831ab1a700d061e99fc1bc15b403a17d02e139bcbbabed
                          • Opcode Fuzzy Hash: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
                          • Instruction Fuzzy Hash: 4731053061AE5A4FDBA5EF6C84846B0B7D0F76A320F251309F46AE71E0C771D8A1C382

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A4D6831000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1a4d6831000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Volume$MountNamePoint
                          • String ID:
                          • API String ID: 1269602640-0
                          • Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
                          • Instruction ID: 131554bf4b83254fbbe966492331522e344d6e21e317e4a9541586a809bcc982
                          • Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
                          • Instruction Fuzzy Hash: 9301A7306095448FFB06EB68D8987D677E1F7A9301F008169E0CAD72A6DEBC8548C741

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A4D6831000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1a4d6831000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID:
                          • API String ID: 621844428-0
                          • Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
                          • Instruction ID: 01730e56d1a8e7736312aa78cfdf3457d9c4a986c1407a91dab1d54fbef7c90f
                          • Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
                          • Instruction Fuzzy Hash: 29D017303522084BEE187BFC59882AD26618B96305F0028387903DA6A7CEBA88898703

                          Control-flow Graph

                          • Control-flow graph (rendered image not extracted): one basic block 1a4d68320b0-1a4d68320d6, calls MessageBoxA
                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A4D6831000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1a4d6831000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message
                          • String ID:
                          • API String ID: 2030045667-0
                          • Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
                          • Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
                          • Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
                          • Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

                          Control-flow Graph

                          • Control-flow graph (Graphviz edge list not reproduced): basic blocks span 1a4d68340b0-1a4d683457f, entry block 1a4d68340b0-1a4d6834117; internal calls to 1a4d6835054, 1a4d6837854, 1a4d683319c, 1a4d683385c, 1a4d6833b64, 1a4d6833b24, 1a4d68336fc, 1a4d6833b38, 1a4d68347f0, 1a4d6833fdc, 1a4d6834580, 1a4d68350ec, 1a4d68351dc, 1a4d683378c, 1a4d6833990, 1a4d6832f74, 1a4d6834bac, 1a4d68353d8, 1a4d68377c8, 1a4d683fa80
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A4D6831000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1a4d6831000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                          • String ID: csm$csm$csm
                          • API String ID: 849930591-393685449
                          • Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
                          • Instruction ID: e8eb49f13a7e970506c8c7dc90cc66f5d498067f3f50763f99da6667166c39c2
                          • Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
                          • Instruction Fuzzy Hash: E9F15130A26A488BEF54EF9CC4457E9B7E0FBAA310F50165DF449E7296DB70D881C782

                          Control-flow Graph

                          • Control-flow graph (Graphviz edge list not reproduced): basic blocks span 1a4d6834930-1a4d6834b67, entry block 1a4d6834930-1a4d6834978; internal calls to 1a4d6833144, 1a4d683319c, 1a4d68340b0, 1a4d6833728, 1a4d6833b24, 1a4d6833cb4, 1a4d6833b38, 1a4d6837854, 1a4d6834ec8
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A4D6831000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1a4d6831000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                          • String ID: csm$csm
                          • API String ID: 3896166516-3733052814
                          • Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
                          • Instruction ID: 919c08c927ca7448f18671597605992a73b968bd6ba0c102b61d9be77edbd554
                          • Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
                          • Instruction Fuzzy Hash: 03718330327A448BEFA49F9C80493A8F3D1FBE5311F546559A489E76A2CBB4D880C743

                          Control-flow Graph

                          • Control-flow graph (Graphviz edge list not reproduced): basic blocks span 1a4d6832cf0-1a4d6832f06, entry block 1a4d6832cf0-1a4d6832d36; internal calls to 1a4d6833144, 1a4d6833110, 1a4d6833140, 1a4d683f940
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A4D6831000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1a4d6831000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm
                          • API String ID: 3242871069-1018135373
                          • Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
                          • Instruction ID: 33afbb498a14f84dd03a3e479683bc940dc537b28b03f8df01b605496ce78dd5
                          • Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
                          • Instruction Fuzzy Hash: FE71C63032AB048BDF68EEACD4967B4F3D0FBA5350F10556DF886D3197E764E8518682

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A4D6831000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1a4d6831000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CallTranslator
                          • String ID: MOC$RCC
                          • API String ID: 3163161869-2084237596
                          • Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
                          • Instruction ID: af51304011cd7c1b6a2c9470b4bea969e20eed39acb2c560ef655363157daf05
                          • Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
                          • Instruction Fuzzy Hash: 7B71713062AB488FEB649F5CD446BEAB7E0FBEA300F04565DE489D3251D7B4A581C783

                          Execution Graph

                          Execution Coverage: 1.5%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 0%
                          Total number of Nodes: 23
                          Total number of Limit Nodes: 2

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000256F1681000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_256f1681000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateInfoLocaleThread
                          • String ID: 5
                          • API String ID: 899703944-2226203566
                          • Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
                          • Instruction ID: 2064c82a523a92eaa310cb5f767335aac641ce8aa79d4a792e18bd63364c5d6b
                          • Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
                          • Instruction Fuzzy Hash: 5E41E030618A488BE718EB24EC9C7AA73E1FFC5356F84852DE147C35A5DE388485CA42
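                          Added example, not Joe Sandbox code and not part of this report. The entry above is the same unpacked function already listed for the other rundll32 process (PID 4, dump at 0x1A4D6831000; PID 5, dump at 0x256F1681000): the Opcode ID is identical in both (53e60231...), while the Instruction ID and both fuzzy hashes differ. That is the signature of an operand-masked hash versus a raw-byte hash on code that was rebased with absolute pointers patched in, and it is why the Opcode ID is the field to pivot on when clustering unpacked Strela Stealer dumps across runs. Most other entries in this section (the csm magic, Frame/Unwind handlers, __except_validate_context_record, the MOC/RCC codes under CallTranslator) are consistent with statically linked MSVC C runtime exception-handling code rather than stealer logic; the sample-specific callers here are the GetLocaleInfo/CreateThread, GetFileType, volume mount-point, MessageBoxA and ExitProcess functions. The Python below reproduces the hashing effect on a constructed x86-64 stub. Assumptions: the decoder handles only the encodings the stub uses, SHA-256 stands in for whatever hash Joe Sandbox actually uses (not stated on this page), and the stub layout and the API address 0x7FF8AAAA0000 are made up; only the two base addresses are taken from the report.

```python
import hashlib

# Illustrative x86-64 decoder covering only the encodings used by the
# constructed stub below (not a general disassembler).
# opcode byte pattern -> (mnemonic, operand length in bytes)
OPCODES = {
    b"\x55": ("push rbp", 0),
    b"\x5d": ("pop rbp", 0),
    b"\xc3": ("ret", 0),
    b"\x48\x83\xec": ("sub rsp, imm8", 1),
    b"\x48\x83\xc4": ("add rsp, imm8", 1),
    b"\x48\xb9": ("mov rcx, imm64", 8),
    b"\x48\xb8": ("mov rax, imm64", 8),
    b"\xff\xd0": ("call rax", 0),
    b"\xe8": ("call rel32", 4),
}
# Longest pattern first so multi-byte opcodes win over single-byte ones.
_PATTERNS = sorted(OPCODES.items(), key=lambda kv: -len(kv[0]))


def decode(code: bytes):
    """Yield (opcode_bytes, operand_bytes, mnemonic) for each instruction."""
    i = 0
    while i < len(code):
        for pat, (mnemonic, oplen) in _PATTERNS:
            if code.startswith(pat, i):
                operand = code[i + len(pat): i + len(pat) + oplen]
                if len(operand) != oplen:
                    raise ValueError(f"truncated instruction at offset {i:#x}")
                yield pat, operand, mnemonic
                i += len(pat) + oplen
                break
        else:
            raise ValueError(f"unsupported opcode {code[i]:#04x} at offset {i:#x}")


def opcode_id(code: bytes) -> str:
    """Hash of opcode bytes only; immediates and displacements are masked out,
    so the value survives rebasing and unpacker-patched absolute pointers."""
    return hashlib.sha256(b"".join(pat for pat, _, _ in decode(code))).hexdigest()


def instruction_id(code: bytes) -> str:
    """Hash of the raw instruction bytes, operands included."""
    return hashlib.sha256(code).hexdigest()


def build_stub(base: int, api_addr: int) -> bytes:
    """Constructed unpacked stub as it would sit at `base` in memory:

        push rbp
        sub  rsp, 0x20
        mov  rcx, base+0x100     ; absolute pointer into the same region
        mov  rax, api_addr       ; resolved API address patched in by the unpacker
        call rax
        call base+0x200          ; rel32 to a helper in the same region
        add  rsp, 0x20
        pop  rbp
        ret
    """
    code = b"\x55"
    code += b"\x48\x83\xec\x20"
    code += b"\x48\xb9" + (base + 0x100).to_bytes(8, "little")
    code += b"\x48\xb8" + api_addr.to_bytes(8, "little")
    code += b"\xff\xd0"
    # rel32 is measured from the end of the 5-byte call instruction, so it is
    # the same for every base: only the imm64 pointer above changes on rebase.
    call_offset = len(code)
    rel32 = (base + 0x200) - (base + call_offset + 5)
    code += b"\xe8" + rel32.to_bytes(4, "little", signed=True)
    code += b"\x48\x83\xc4\x20"
    code += b"\x5d"
    code += b"\xc3"
    return code


if __name__ == "__main__":
    # Base addresses are the two dump offsets from this report; the API
    # address is made up for the example.
    stub_pid4 = build_stub(0x1A4D6831000, 0x7FF8AAAA0000)
    stub_pid5 = build_stub(0x256F1681000, 0x7FF8AAAA0000)
    for name, stub in (("PID 4", stub_pid4), ("PID 5", stub_pid5)):
        print(name, "opcode id:", opcode_id(stub)[:16],
              "instruction id:", instruction_id(stub)[:16])
    # Same opcode id in both processes, different instruction id.
```

Running the script prints a matching opcode id and two different instruction ids for the two bases, mirroring the report's tables. A real decoder (Capstone, IDA) replaces the table above; the masking rule is what matters, and it must also drop RIP-relative displacements when the compared dumps come from different builds, which the rel32 case here deliberately leaves intact.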

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000256F1681000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_256f1681000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Volume$MountNamePoint
                          • String ID:
                          • API String ID: 1269602640-0
                          • Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
                          • Instruction ID: 298586c9a6518ae8f27d551410110a653ae590960d51f6ddbf6f1f81eeb42c58
                          • Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
                          • Instruction Fuzzy Hash: 4001443050C9448FFB06AB28DC9C7D677A1FB69305F008569E0CAC72A6DEBC8558C741

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000256F1681000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_256f1681000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID:
                          • API String ID: 621844428-0
                          • Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
                          • Instruction ID: 8d00a4cf073707d8f916e81507c7ac66a974beb0fc161415a07d012f58d79eef
                          • Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
                          • Instruction Fuzzy Hash: 09D05B207047040FFB187BBDED8C32D2652CF46256F4018386903C7AE7CD3AC8858706

                          Control-flow Graph

                          • Control-flow graph (rendered image not extracted): one basic block 256f16820b0-256f16820d6, calls MessageBoxA
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000256F1681000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_256f1681000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message
                          • String ID:
                          • API String ID: 2030045667-0
                          • Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
                          • Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
                          • Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
                          • Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

                          Control-flow Graph

                          • Control-flow graph (Graphviz edge list not reproduced): basic blocks span 256f16840b0-256f168457f, entry block 256f16840b0-256f1684117; internal calls to 256f1685054, 256f1687854, 256f168319c, 256f168385c, 256f1683b64, 256f1683b24, 256f16836fc, 256f1683b38, 256f16847f0, 256f1683fdc, 256f1684580, 256f16850ec, 256f16851dc, 256f168378c, 256f1683990, 256f1682f74, 256f1684bac, 256f16853d8, 256f16877c8, 256f168fa80
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000256F1681000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_256f1681000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                          • String ID: csm$csm$csm
                          • API String ID: 849930591-393685449
                          • Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
                          • Instruction ID: 1036e3c4edf0542babd7cbda5c5379607e0844dc5bf13773b147de1d09d24d22
                          • Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
                          • Instruction Fuzzy Hash: EEF15230918F488BEB54EF58D84D7A977E0FF6A362F94065DD48AC3A52DB30D881C786

                          Control-flow Graph

                          • Control-flow graph (Graphviz edge list not reproduced): basic blocks span 256f1684930-256f1684b67, entry block 256f1684930-256f1684978; internal calls to 256f1683144, 256f168319c, 256f16840b0, 256f1683728, 256f1683b24, 256f1683cb4, 256f1683b38, 256f1687854, 256f1684ec8
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000256F1681000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_256f1681000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                          • String ID: csm$csm
                          • API String ID: 3896166516-3733052814
                          • Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
                          • Instruction ID: 960fcf7b07b167074c14c109c38458511a3d680759cdad7954196b825fbc26b7
                          • Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
                          • Instruction Fuzzy Hash: B5718230918E048FEBB49B18D88D364B7D1FF65362F94465E948AC7AD6DB30D8C0C74A

                          Control-flow Graph

                          • Control-flow graph (Graphviz edge list not reproduced): basic blocks span 256f1682cf0-256f1682f06, entry block 256f1682cf0-256f1682d36; internal calls to 256f1683144, 256f1683110, 256f1683140, 256f168f940
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000256F1681000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_256f1681000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm
                          • API String ID: 3242871069-1018135373
                          • Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
                          • Instruction ID: bf06d5b11f17532113324fba1e47f7106e255149bb1e48a34d0c456853930dbb
                          • Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
                          • Instruction Fuzzy Hash: C371A230A0CE048BDB28EE5CE88D77477D1FB553A6F50456EE887C36D6E630E891C689

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000256F1681000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_256f1681000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CallTranslator
                          • String ID: MOC$RCC
                          • API String ID: 3163161869-2084237596
                          • Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
                          • Instruction ID: eb18e89e7fe324dd593fc75f5023e27facc1d2f2fa38d5649df3da4a2de5abb7
                          • Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
                          • Instruction Fuzzy Hash: 2C71A13091CB488FE764EF18D84ABA6B7E0FFAA351F44065DE48AC3151D774E4C18786