Edit tour

Windows Analysis Report
YmAxTGvrQk.dll

Overview

General Information

Sample name:	YmAxTGvrQk.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	b5814ee79455d77e2c48f889493fc3d8.dll.exe
Analysis ID:	1561763
MD5:	b5814ee79455d77e2c48f889493fc3d8
SHA1:	03c82c5c3c7f4584f4ddb8001b29b26f1b7d864d
SHA256:	cbb4f3d3777de27d21d97ac1e77e202630f4c35e39765d7e82bc10a58d3ee833
Tags:	dllexeStrelaStealeruser-abuse_ch
Infos:

Detection

Strela Stealer

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Strela Stealer

AI detected suspicious sample

Machine Learning detection for sample

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file does not import any functions

Program does not show much activity (idle)

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7328 cmdline: loaddll64.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7380 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7404 cmdline: rundll32.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

regsvr32.exe (PID: 7388 cmdline: regsvr32.exe /s C:\Users\user\Desktop\YmAxTGvrQk.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

rundll32.exe (PID: 7412 cmdline: rundll32.exe C:\Users\user\Desktop\YmAxTGvrQk.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.1751948158.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000004.00000002.1751884781.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000000.00000002.1778400098.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000003.00000002.1750393412.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: loaddll64.exe PID: 7328	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 7388	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 7404	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 7412	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.loaddll64.exe.7ffe13246404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.rundll32.exe.7ffe13240000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
0.2.loaddll64.exe.7ffe13240000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ffe13246404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.rundll32.exe.7ffe13246404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
0.2.loaddll64.exe.7ffe13246404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.regsvr32.exe.7ffe13246404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.rundll32.exe.7ffe13246404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.regsvr32.exe.7ffe13246404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ffe13246404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ffe13240000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.regsvr32.exe.7ffe13240000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 7 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: YmAxTGvrQk.dll

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.5% probability

Machine Learning detection for sample

Source: YmAxTGvrQk.dll

Joe Sandbox ML: detected

Source: YmAxTGvrQk.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE13241160	0_2_00007FFE13241160
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F3AEBA1A90	0_2_000001F3AEBA1A90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F3AEBA15A0	0_2_000001F3AEBA15A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F3AEBA72BC	0_2_000001F3AEBA72BC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F3AEBA1090	0_2_000001F3AEBA1090
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F3AEBAF4E8	0_2_000001F3AEBAF4E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_026C72BC	3_2_026C72BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_026C1A90	3_2_026C1A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_026CF4E8	3_2_026CF4E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_026C1090	3_2_026C1090
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_026C15A0	3_2_026C15A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021509031090	4_2_0000021509031090
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002150903F4E8	4_2_000002150903F4E8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021509031A90	4_2_0000021509031A90
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215090372BC	4_2_00000215090372BC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215090315A0	4_2_00000215090315A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A3CA651090	5_2_000001A3CA651090
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A3CA65F4E8	5_2_000001A3CA65F4E8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A3CA6515A0	5_2_000001A3CA6515A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A3CA6572BC	5_2_000001A3CA6572BC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A3CA651A90	5_2_000001A3CA651A90

Source: YmAxTGvrQk.dll

Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal64.troj.winDLL@10/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03

Source: YmAxTGvrQk.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll",#1

Source: YmAxTGvrQk.dll

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YmAxTGvrQk.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\YmAxTGvrQk.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YmAxTGvrQk.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\YmAxTGvrQk.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: YmAxTGvrQk.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: YmAxTGvrQk.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YmAxTGvrQk.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F3AEBACC35 push cs; retf 0000h	0_2_000001F3AEBACC59
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F3AEBACC6C push esi; retf 0000h	0_2_000001F3AEBACC6D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F3AEBABBA2 push esp; ret	0_2_000001F3AEBABBA5
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F3AEBACCA8 push 6F0000CBh; retf	0_2_000001F3AEBACCAD
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F3AEBACC9C push ebx; retf	0_2_000001F3AEBACC9D
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_026CBBA2 push esp; ret	3_2_026CBBA5
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_026CCC6C push esi; retf 0000h	3_2_026CCC6D
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_026CCC35 push cs; retf 0000h	3_2_026CCC59
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_026CCCA8 push 6F0000CBh; retf	3_2_026CCCAD
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_026CCC9C push ebx; retf	3_2_026CCC9D
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_026D75DE push ecx; retf 003Fh	3_2_026D763E
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002150903CC9C push ebx; retf	4_2_000002150903CC9D
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002150903CCA8 push 6F0000CBh; retf	4_2_000002150903CCAD
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002150903BBA2 push esp; ret	4_2_000002150903BBA5
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002150903CC35 push cs; retf 0000h	4_2_000002150903CC59
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002150903CC6C push esi; retf 0000h	4_2_000002150903CC6D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A3CA65BBA2 push esp; ret	5_2_000001A3CA65BBA5
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A3CA65CC35 push cs; retf 0000h	5_2_000001A3CA65CC59
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A3CA65CCA8 push 6F0000CBh; retf	5_2_000001A3CA65CCAD
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A3CA65CC9C push ebx; retf	5_2_000001A3CA65CC9D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A3CA65CC6C push esi; retf 0000h	5_2_000001A3CA65CC6D

Source: YmAxTGvrQk.dll

Static PE information: section name: .text entropy: 6.80425120895919

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: GetConsoleWindow,CreateThread,GetLocaleInfoA,	0_2_000001F3AEBA20E0
Source: C:\Windows\System32\regsvr32.exe	Code function: CreateThread,GetLocaleInfoA,	3_2_026C20E0
Source: C:\Windows\System32\rundll32.exe	Code function: CreateThread,GetLocaleInfoA,	4_2_00000215090320E0
Source: C:\Windows\System32\rundll32.exe	Code function: CreateThread,GetLocaleInfoA,	5_2_000001A3CA6520E0

Stealing of Sensitive Information

Yara detected Strela Stealer

Source: Yara match	File source: 0.2.loaddll64.exe.7ffe13246404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ffe13240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffe13240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffe13246404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ffe13246404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffe13246404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffe13246404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ffe13246404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffe13246404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffe13246404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffe13240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffe13240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1751948158.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1751884781.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1778400098.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1750393412.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7412, type: MEMORYSTR

Remote Access Functionality

Yara detected Strela Stealer

Source: Yara match	File source: 0.2.loaddll64.exe.7ffe13246404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ffe13240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffe13240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffe13246404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ffe13246404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffe13246404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffe13246404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ffe13246404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffe13246404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffe13246404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffe13240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffe13240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1751948158.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1751884781.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1778400098.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1750393412.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7412, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Regsvr32	OS Credential Dumping	11 System Information Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YmAxTGvrQk.dll	53%	ReversingLabs	Win64.Trojan.Generic
YmAxTGvrQk.dll	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561763
Start date and time:	2024-11-24 08:42:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YmAxTGvrQk.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	b5814ee79455d77e2c48f889493fc3d8.dll.exe
Detection:	MAL
Classification:	mal64.troj.winDLL@10/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 19 Number of non-executed functions: 21
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: YmAxTGvrQk.dll

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	7.7349656611412065
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	YmAxTGvrQk.dll
File size:	136'192 bytes
MD5:	b5814ee79455d77e2c48f889493fc3d8
SHA1:	03c82c5c3c7f4584f4ddb8001b29b26f1b7d864d
SHA256:	cbb4f3d3777de27d21d97ac1e77e202630f4c35e39765d7e82bc10a58d3ee833
SHA512:	59ca1f36e590f20f8fd825b7f50c522f2955d258588fb34b7c2cdcb019b062327f31a6da99a12ed800a1c0d0def2f9a9a6ab4b43be85a07d9133cd761f886e57
SSDEEP:	3072:A3MtG/TbqMhqHvxRd5yrGUu8uVvLn4rrMJr2viskMdth:SyG6MKZ5ygVznCrasvd
TLSH:	96D301BD840C702BDD071AB4A779F953A0120836FF2666DF696C546A71B2BC602F2F17
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...?.1g.........." .....4..........P........................................`............`........................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180001150
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x67310B3F [Sun Nov 10 19:36:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
mov eax, 00000001h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push esi
push edi
push ebx
dec eax
sub esp, 00000128h
dec eax
lea ebp, dword ptr [esp+00000080h]
inc sp
movq qword ptr [ebp+00000090h], mm7
inc sp
movq qword ptr [ebp+00000080h], mm6
inc sp
movq qword ptr [ebp+70h], mm5
inc sp
movq qword ptr [ebp+60h], mm4
inc sp
movq qword ptr [ebp+50h], mm3
inc sp
movq qword ptr [ebp+40h], mm2
inc sp
movq qword ptr [ebp+30h], mm1
inc sp
movq qword ptr [ebp+20h], mm0
movdqa dqword ptr [ebp+10h], xmm7
movdqa dqword ptr [ebp+00h], xmm6
mov eax, dword ptr [00022297h]
lea ecx, dword ptr [eax-01h]
imul ecx, eax
mov eax, ecx
not eax
mov edx, eax
and edx, 755544E9h
and ecx, 8AAABB16h
or ecx, edx
xor ecx, 8AAABB17h
xor eax, ecx
test eax, ecx
sete cl
setne al
cmp dword ptr [0002226Ah], 0Ah
setl dl
xor al, dl
mov ebx, eax
xor bl, 00000001h
or cl, dl
xor cl, 00000001h
or cl, bl
mov edi, dword ptr [00022257h]
inc esp
mov ebx, dword ptr [00022254h]
cmp al, cl
jne 00007FF4C090833Ch
or al, cl
xor al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5110	0x53	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x25000	0x1a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x24000	0x18	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3324	0x3400	c951d59bceba236e65aa2a136690dc68	False	0.6690955528846154	data	6.80425120895919	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5000	0x1b0	0x200	01cc483b695dc3c06e4c1a7debd7d853	False	0.37109375	data	4.806020279669037	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x1d498	0x1d600	7965c8831c584641baf5f46be9fbc4f1	False	0.8682014627659574	data	7.734752166341349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x24000	0x18	0x200	2a84d5350ed83c0ac2c2298e473ddc3a	False	0.064453125	data	0.23653878450968063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x25000	0x1a8	0x200	dc8a7a3ba49348b04c8bceefe511f730	False	0.482421875	data	4.1813331407993175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x25060	0x143	XML 1.0 document, ASCII text	English	United States	0.628482972136223

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x180001070

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	02:43:26
Start date:	24/11/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll"
Imagebase:	0x7ff7ea3f0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000000.00000002.1778400098.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:43:26
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:43:26
Start date:	24/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll",#1
Imagebase:	0x7ff7d0ff0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:43:26
Start date:	24/11/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\YmAxTGvrQk.dll
Imagebase:	0x7ff70d9b0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.1750393412.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:43:26
Start date:	24/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\YmAxTGvrQk.dll",#1
Imagebase:	0x7ff7aff90000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.1751884781.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:43:26
Start date:	24/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\YmAxTGvrQk.dll,DllRegisterServer
Imagebase:	0x7ff7aff90000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.1751948158.00007FFE13246000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	88.2%
Signature Coverage:	14.7%
Total number of Nodes:	34
Total number of Limit Nodes:	5

Executed Functions

Function 00007FFE13241160 Relevance: 8.8, APIs: 2, Strings: 1, Instructions: 3546COMMON

Download Yara Rule

Strings

8'j{g"?, xrefs: 00007FFE13243E36

Memory Dump Source

Source File: 00000000.00000002.1778346735.00007FFE13241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE13240000, based on PE: true

Associated: 00000000.00000002.1778334424.00007FFE13240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1778359802.00007FFE13245000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1778400098.00007FFE13246000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1778506164.00007FFE13265000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe13240000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 8'j{g"?
API String ID: 0-1733800758
Opcode ID: 9996f6b7db0b9050f8d1a28a97124f105651b95835a44efc6454be03b1d52e44
Instruction ID: 49aabf409af6e626942a2922b3f5e214d6ec0cc02e5164b53930c55db34934f8
Opcode Fuzzy Hash: 9996f6b7db0b9050f8d1a28a97124f105651b95835a44efc6454be03b1d52e44
Instruction Fuzzy Hash: 3643AD6BF64A114BFB04CB3658513FA6792ABA63A4F15A335DE1DA77E4CA3CD805C300

Function 000001F3AEBA20E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 000001F3AEBA20ED
CreateThread.KERNELBASE ref: 000001F3AEBA211D
GetLocaleInfoA.KERNELBASE ref: 000001F3AEBA21E5

Strings

5, xrefs: 000001F3AEBA225D

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID: ConsoleCreateInfoLocaleThreadWindow
String ID: 5
API String ID: 1307802651-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: 0d61047ad34aa5343cf0b2d4d6be91779ddc44574dad1f1362b1338b7c94ba13
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: FA41E1302186458BEB48EF26D88C7FB7BE2FBC4301F40853DE597C31A5DE3885858A52

Function 000001F3AEBAA87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 000001F3AEBAA90B

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction ID: 5db93398ed9a1a477c002c305f548c87fb20e53e05974e51a53cb95ee2195bc5
Opcode Fuzzy Hash: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction Fuzzy Hash: 3F31C43050CE1B5FEBA59F2E848C6B47AD0FB09360F650759E8AAC71E4C634D9E1C3A1

Function 000001F3AEBA1000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 000001F3AEBA104B

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 291fd9b4db61abd797c5e00082d1742aeb5a7782c7a45097cb13ef4b527ad07d
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: A801627050C6448FFB06EB28D898BE67BE1F769305F008569E0CAC72A6DEBD8658C751

Function 000001F3AEBA6F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,000001F3AEBA6F64), ref: 000001F3AEBA6F93

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: 007a152592362a0a9f15fb10fd707c6c5064bcf5de19b0f92bef5652970f6441
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: 34D0177030420A0BEF187BBA599C2BD3A61CB45305F00183869A2CB6ABCD3B88898712

Function 000001F3AEBA20B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 000001F3AEBA20CA

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 000001F3AEBAF4E8 Relevance: 1.8, APIs: 1, Instructions: 321COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000001F3AEBAF737

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
Instruction ID: 0d71102d7ed708b8591b76b2d609e91575ddaa1e1e15d57f75d2ce779c994bea
Opcode Fuzzy Hash: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
Instruction Fuzzy Hash: 6DC18330514A4E8FEF99DF1DC48A7A57BE0FF45304F158599E8A9CB2A1C335D892CB11

Function 000001F3AEBA15A0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f9392618ee0be8b2838eee92702fec4626de7f7bd0dc604c65336cad8c2563
Instruction ID: 3912bd90ef17f46149319d1b4ff4abb38bf8f233b1e2ba2ed4b840c8182ab3a5
Opcode Fuzzy Hash: e4f9392618ee0be8b2838eee92702fec4626de7f7bd0dc604c65336cad8c2563
Instruction Fuzzy Hash: AEE1327051CB498FEB75DF19D8897EA7BE1FB94305F00462EA89AC3160DF349685CB82

Function 000001F3AEBA1A90 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f301177accb7d0ce1b8505d76f0598128b48e2f6fca66abbe616489d302d7cc2
Instruction ID: 5fe456cfab758e53be144d11e384c6bfee8e9011b49a72bf116409a6a69c01c5
Opcode Fuzzy Hash: f301177accb7d0ce1b8505d76f0598128b48e2f6fca66abbe616489d302d7cc2
Instruction Fuzzy Hash: 6DB1503120CA494FEB69EF29DC596FA77E1FB94301F00463AD89BC31A1DF349A458B91

Function 000001F3AEBA1090 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004e5bc4f416d9accfca0753fc8d67adee0aa063ac23580ea370914e8b763bcf
Instruction ID: 0c4a280f9222ef0f3c49620b14a88378595b5e94beaa33e1956e4836505cd35e
Opcode Fuzzy Hash: 004e5bc4f416d9accfca0753fc8d67adee0aa063ac23580ea370914e8b763bcf
Instruction Fuzzy Hash: AD71B17061CB494BEB68DF29984D3BA7BD1FB89310F00856ED8DAC3261EF34D9468781

Function 000001F3AEBA72BC Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f0a361053a8720fb197dd7f2de9fba19a6b2a280636273193b063dd5433016
Instruction ID: 8ca4913763e7c85d29a54cc19168581374dd118b4398d1c7ad5e2a2f97c5bb12
Opcode Fuzzy Hash: 30f0a361053a8720fb197dd7f2de9fba19a6b2a280636273193b063dd5433016
Instruction Fuzzy Hash: C251223231CE194FDB4CDF6DD4986B577D2E7AC310B15822EE84AC72A5DE70D9868780

Function 000001F3AEBA40B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001F3AEBA410C

Part of subcall function 000001F3AEBA5054: __GetUnwindTryBlock.LIBCMT ref: 000001F3AEBA5097
Part of subcall function 000001F3AEBA5054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001F3AEBA50BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001F3AEBA41E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001F3AEBA4433
std::bad_alloc::bad_alloc.LIBCMT ref: 000001F3AEBA453F

Strings

csm, xrefs: 000001F3AEBA418D
csm, xrefs: 000001F3AEBA4126
csm, xrefs: 000001F3AEBA4207

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 078e961f3ee6b0b6aa41641df68cd494610150f6d7eb0ef908ace1670475ebc1
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: 8FF16030518A498BEF54EF6A84897FD7BE1FB59310F50066DE899C3292DB30DAC1C792

Function 000001F3AEBA4930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F3AEBA4958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001F3AEBA4A40

Strings

csm, xrefs: 000001F3AEBA497A
csm, xrefs: 000001F3AEBA4A92

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: cb23877f9556358b9b10bad489f09df4a44f1efa8eb892a3d63233132b316df7
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: 80716030118A068FEFA49F1B808D3F8BBD1FB54311F54456A98E9C7692DB709AC1C792

Function 000001F3AEBA4580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001F3AEBA462B

Strings

RCC, xrefs: 000001F3AEBA45FB
MOC, xrefs: 000001F3AEBA45F3

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: 5a48b8cdfe4455fffb287c5926f0f6bf3f36b9d6dd20d02d2dc960c66302b461
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: B971A13051CB898FEB649F1AC44ABFABBE0FB99300F044A6DE9D9C3151D774A581C792

Function 000001F3AEBA2CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F3AEBA2D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F3AEBA2DB2

Strings

csm, xrefs: 000001F3AEBA2D99

Memory Dump Source

Source File: 00000000.00000002.1777872156.000001F3AEBA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F3AEBA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3aeba1000_loaddll64.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: cc51aefbf87b98f7334da5d7a50b796fd068a6ff8e9f5ba41ec0688a1b8a7cab
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: E471B53020CA068BDF68EE5EE4897B87BD1FB54350F10457EECD6C3296E624EDD18691

Analysis Process: regsvr32.exePID: 7388, Parent PID: 7328COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Executed Functions

Function 026C20E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 026C211D
GetLocaleInfoA.KERNELBASE ref: 026C21E5

Strings

5, xrefs: 026C225D

Memory Dump Source

Source File: 00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 026C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26c1000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: 6034dbff75e9a2d3b067c661b2b9541b4c91a6f4fdc813cad3614db7e31534ea
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: 3241C131218A488BE719FF64DC986BB77E2FBD4305F64852DE54BC22A4DF38C449CA46

Function 026C1000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 026C104B

Memory Dump Source

Source File: 00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 026C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26c1000_regsvr32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 8e91bbef3289f137f0d27dfe89088027c1a18b0e6d15e3d920e47b4ac544e46b
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: AA0167305085448FFB06EB28D8987E677E1F769305F00856DE0CAC72A5DEBC8558C745

Function 026C6F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,026C6F64), ref: 026C6F93

Memory Dump Source

Source File: 00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 026C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26c1000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: 9ab3fc0b8f37eb385109b6046d0fcafef9bca943df7da07433090a263520dc42
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: 8FD09B243007055FDB187BB5999813D3657D785105F10183C5513C7665CD3A9445874A

Function 026C20B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 026C20CA

Memory Dump Source

Source File: 00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 026C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26c1000_regsvr32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 026C40B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 026C410C

Part of subcall function 026C5054: __GetUnwindTryBlock.LIBCMT ref: 026C5097
Part of subcall function 026C5054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 026C50BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 026C41E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 026C4433
std::bad_alloc::bad_alloc.LIBCMT ref: 026C453F

Strings

csm, xrefs: 026C418D
csm, xrefs: 026C4207
csm, xrefs: 026C4126

Memory Dump Source

Source File: 00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 026C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26c1000_regsvr32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 2a13cf19db65b1d4340d999af5cf44cde75323d6efa88afa41d7da3c4a1126f3
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: 5AE19D30918B488FDB24FF68C495AB9B7E1FB99314F64465ED489D3315DB30E882CB86

Function 026C4930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 026C4958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 026C4A40

Strings

csm, xrefs: 026C497A
csm, xrefs: 026C4A92

Memory Dump Source

Source File: 00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 026C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26c1000_regsvr32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: 2409464ffd4a23be32f22ae5c0a36ccecbe7038950560539414714f5e92c4842
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: 64618930618A498FCB68EF2880A8374B7E2FB98315F64565ED48DC7795DF34D880CB86

Function 026C2CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 026C2D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 026C2DB2

Strings

csm, xrefs: 026C2D99

Memory Dump Source

Source File: 00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 026C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26c1000_regsvr32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: a745198ae24e614a948d9c41872d28acf9bbf699e128422956de0e1ae2de320c
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: 13619F70208A098BCB28FE5CD495A7477D1FB58354F20456EEC8AD7256EB34E8A28BC5

Function 026C4580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 026C462B

Strings

RCC, xrefs: 026C45FB
MOC, xrefs: 026C45F3

Memory Dump Source

Source File: 00000003.00000002.1749542743.00000000026C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 026C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26c1000_regsvr32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: 7bd34ad701cfda8d6a99c7677680722cbbe5739581d3ec79476ec5e0ee6fc73a
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: A8719030518B488FD768FF18D446BBAB7E0FB99314F244A6EE489C3211DB74E591CB86

Analysis Process: rundll32.exePID: 7404, Parent PID: 7380COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	4

Executed Functions

Function 00000215090320E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 000002150903211D
GetLocaleInfoA.KERNELBASE ref: 00000215090321E5

Strings

5, xrefs: 000002150903225D

Memory Dump Source

Source File: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021509031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21509031000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: e94d36a8184ffa52bc378b0c8c00e8c6f4e63aacc591919bcd8526c23dc6a2a8
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: 1B41B131218A44CBE769EFA4D8AD7EA73E5FBEC305F40856DE14BC21A9DE3884058642

Function 000002150903A87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 000002150903A90B

Memory Dump Source

Source File: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021509031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21509031000_rundll32.jbxd

Yara matches

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction ID: 47fe8be5137c17e398d499d16787c3e75f311fb7443531ceb1521b2bdf287e63
Opcode Fuzzy Hash: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction Fuzzy Hash: E7310631608E2A8EDBB5DF6C84986A077D0F76D320F65438AE09ED71E8C630D891C380

Function 0000021509031000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 000002150903104B

Memory Dump Source

Source File: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021509031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21509031000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 505af98fa65b3c0237cd151bac0fa39a56765c930d45426e58f7338a4ef3d8f7
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 200167305089448FFB06EB68D8987D677E1F7AD305F008569E0CAC72A6DE7D8558C741

Function 0000021509036F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,0000021509036F64), ref: 0000021509036F93

Memory Dump Source

Source File: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021509031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21509031000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: 8571ed7081cebb75c77b0a6be39570f39ae411fef5cd5518809ae1b5c0b8158f
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: 27D012303006085FEA28FFF4599D36D265587AD305F0058786506C769BCD3B88458702

Function 00000215090320B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 00000215090320CA

Memory Dump Source

Source File: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021509031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21509031000_rundll32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 00000215090340B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002150903410C

Part of subcall function 0000021509035054: __GetUnwindTryBlock.LIBCMT ref: 0000021509035097
Part of subcall function 0000021509035054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000215090350BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000215090341E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000021509034433
std::bad_alloc::bad_alloc.LIBCMT ref: 000002150903453F

Strings

csm, xrefs: 000002150903418D
csm, xrefs: 0000021509034126
csm, xrefs: 0000021509034207

Memory Dump Source

Source File: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021509031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21509031000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 539983bcb0787b6259aca059c56405352482bb0f43dbf45b0d7c1c4c517198c1
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: 98F15130918E588BEB64EF9884997E977E4FBBD310F50469DE44DC72AADB30D881C781

Function 0000021509034930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000021509034958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000021509034A40

Strings

csm, xrefs: 000002150903497A
csm, xrefs: 0000021509034A92

Memory Dump Source

Source File: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021509031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21509031000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: be03610db37e6b95334e39cbcb96de9d7f0f2114a2adc2b5e8695eeaadd940ec
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: 97717230114E14CBEBB4DF5980AD3A5B7D5FBBC311F54869E948DCB6AADB349880C782

Function 0000021509032CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000021509032D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 0000021509032DB2

Strings

csm, xrefs: 0000021509032D99

Memory Dump Source

Source File: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021509031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21509031000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: 5c04dc8f9c455f9c8bbe24bbd420291e63dc6830f10797215b968f20d489cea0
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: 82718530208E14CBDB78EE9CD49A7B473D5F7BC350F1085AEE89AC319AE734E8518685

Function 0000021509034580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002150903462B

Strings

MOC, xrefs: 00000215090345F3
RCC, xrefs: 00000215090345FB

Memory Dump Source

Source File: 00000004.00000002.1751707509.0000021509031000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021509031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21509031000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: e3ea0cc47cb28b9789629e92e28d379dfa623a187bea7c03e513401400f63989
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: FE71A030518B488FE764DF58C44ABEAB7E4FBAD300F048A9DE48DC7265D774A4818782

Analysis Process: rundll32.exePID: 7412, Parent PID: 7328COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Executed Functions

Function 000001A3CA6520E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 000001A3CA65211D
GetLocaleInfoA.KERNELBASE ref: 000001A3CA6521E5

Strings

5, xrefs: 000001A3CA65225D

Memory Dump Source

Source File: 00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A3CA651000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a3ca651000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: 4d0a82759b82f4b9eba3225ad3ed46b247ac373cdd74ad4c9c1dc3ea4b1651e8
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: C041C030B15A448BE799FB24DC997EB73E2FB85311F40852EF157D31A9DE3885068B42

Function 000001A3CA651000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 000001A3CA65104B

Memory Dump Source

Source File: 00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A3CA651000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a3ca651000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 4639c0cc78a43a2481afa9310d4975abae4cc67177af8415ca6f3c8213485f4a
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: C801A7306085448FFB46EB28DC987D637E1F769301F008169E0CAD72A6DEBC8658C741

Function 000001A3CA656F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,000001A3CA656F64), ref: 000001A3CA656F93

Memory Dump Source

Source File: 00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A3CA651000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a3ca651000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: 33b72960e24bf217522e80ce18d04672761bf5b145c04851f7e536035e268d0f
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: 53D01234B012040BFA587BF55D883AD26538746315F041C397513D76ABCD3A8856C703

Function 000001A3CA6520B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 000001A3CA6520CA

Memory Dump Source

Source File: 00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A3CA651000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a3ca651000_rundll32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 000001A3CA6540B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001A3CA65410C

Part of subcall function 000001A3CA655054: __GetUnwindTryBlock.LIBCMT ref: 000001A3CA655097
Part of subcall function 000001A3CA655054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001A3CA6550BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001A3CA6541E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001A3CA654433
std::bad_alloc::bad_alloc.LIBCMT ref: 000001A3CA65453F

Strings

csm, xrefs: 000001A3CA65418D
csm, xrefs: 000001A3CA654207
csm, xrefs: 000001A3CA654126

Memory Dump Source

Source File: 00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A3CA651000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a3ca651000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: af9b4efd419048e5164fdacc7d2b0135171d847509022744acf294cd766f6a25
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: B7F17430E15A088BEB94FF68C8497E977E2FB56320F50065EE459D329ADB30D952C783

Function 000001A3CA654930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001A3CA654958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001A3CA654A40

Strings

csm, xrefs: 000001A3CA654A92
csm, xrefs: 000001A3CA65497A

Memory Dump Source

Source File: 00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A3CA651000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a3ca651000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: 8eeab1d44490eb8cc37624885216192a9de97be6a9aeea31d72daae0498eb173
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: EC71C530B05A088FDBE8AB18884D394B3D3FB55321F14459FB4A9D7299DB30D9A2D743

Function 000001A3CA652CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001A3CA652D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 000001A3CA652DB2

Strings

csm, xrefs: 000001A3CA652D99

Memory Dump Source

Source File: 00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A3CA651000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a3ca651000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: 4059e070ac63de2618c4c35cd6cbe5a039592818ad7ae94cb560fb86a10c800a
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: 5E71D830B09A058BDFA8FF2DD8857B473D6F755320F10456FF896D319AE620ED628682

Function 000001A3CA654580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001A3CA65462B

Strings

RCC, xrefs: 000001A3CA6545FB
MOC, xrefs: 000001A3CA6545F3

Memory Dump Source

Source File: 00000005.00000002.1751603344.000001A3CA651000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A3CA651000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a3ca651000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: 4bcaeeca63c2bfa30fb163f94a98d50bae920a7f79c341ebb5c9c56163b9e793
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: 3971F530919B488FE7A5EF18C846BE6B3E1FB9A310F000A5EE499D3155D774E592C783

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YmAxTGvrQk.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 7328, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 7336, Parent PID: 7328

General

Windows Analysis Report
YmAxTGvrQk.dll

Function 000001F3AEBA20E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134
threadCOMMON

Function 000001F3AEBAA87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Function 000001F3AEBA1000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 000001F3AEBA6F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 000001F3AEBA20B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Function 000001F3AEBA40B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 000001F3AEBA4930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 000001F3AEBA4580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Function 000001F3AEBA2CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 026C20E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Function 026C1000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 026C6F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 026C20B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Function 026C40B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 026C4930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 026C2CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 026C4580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Function 00000215090320E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON