Windows
Analysis Report
newadvsplash.dll
Overview
General Information
Detection
Score: | 0 |
Range: | 0 - 100 |
Whitelisted: | true |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 6372 cmdline: loaddll32.exe "C:\Users\user\Desktop\newadvsplash.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6600 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 6672 cmdline: rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6628 cmdline: rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,hwnd MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6764 cmdline: rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,play MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 7020 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 2996 cmdline: rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,show MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 6504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 3756 cmdline: rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",hwnd MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6968 cmdline: rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",play MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 5664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 1060 cmdline: rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",show MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 6972 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 6992 cmdline: rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",stop MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
There are no malicious signatures.
Signature evidence rows (only the evidence type and the number of rows per signature survived extraction; the detail cells are not available):
- Static PE information: 1
- String found in binary or memory: 1
- Process created: 1
- Static PE information: 1
- Classification label: 1
- Mutant created: 5
- File created: 1
- Static PE information: 1
- Key opened: 1
- Process created: 25
- Section loaded: 8
- Process information set: 232
- Last function: 1
- Thread delayed: 1
- Binary or memory string: 29
- Process queried: 8
- Process created: 1
- Binary or memory string: 4
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 21 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 0% | ReversingLabs | | |
 | 1% | Virustotal | | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | high |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1428518 |
Start date and time: | 2024-04-19 05:14:50 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 13s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 24 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | newadvsplash.dll |
Detection: | CLEAN |
Classification: | clean3.winDLL@24/17@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.73.29
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target rundll32.exe, PID 2996 because there are no executed functions
- Execution Graph export aborted for target rundll32.exe, PID 6764 because there are no executed functions
- Execution Graph export aborted for target rundll32.exe, PID 6968 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description |
---|---|---|
05:15:51 | API Interceptor | |
05:15:58 | API Interceptor | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_14ad5693-eaaf-4133-8ad1-39eb02a7164f\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8703206497046432 |
Encrypted: | false |
SSDEEP: | 192:QaeGiNO8w0BU/wjeTRlzuiFZZ24IO8dci:QAiE8LBU/wjenzuiFZY4IO8dci |
MD5: | B28A1714CADC51BD89E2EE8B56090B89 |
SHA1: | 0330333806A5EDA6705A5ACB5746497E80A48F8B |
SHA-256: | 5EEF31A3E0E2971552D29E4551CCC96E172CA53C4F8B46F6D21113E44004DE3C |
SHA-512: | 0783042266D6C314756F8D193A87D8868D40BFDA5EEEADF0E5FCEA786DFC78FD5879B2B396536D676D82C3FEA4E4E65DAE49949D37081A03F40A9CBE55043060 |
Malicious: | false |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_168b1b20-02fd-4d70-93d2-09995b142d16\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8702045524156913 |
Encrypted: | false |
SSDEEP: | 96:qLp7FQx6i2hVyIsj94sJ7gof0QXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyN0:CNi2OIw0BU/wjeTRlzuiFZZ24IO8dci |
MD5: | 30C6D36CF02FFA98CD0D5DAF498C46F2 |
SHA1: | E15A184C9F9B3612DAF9640B52B2EA7F901176FB |
SHA-256: | BAE6C3769E21BFBCE2BC48C30984B76F48BDA376383178625495A4E754BE16B0 |
SHA-512: | 9B35AE03B879F845F28F8771E5727B1FE92612DBACA23C3A92040E2B6D2DC81AAEEE52B1F8C5642152D23370713C5CF51452F737E587E195EBD3429369E18EFE |
Malicious: | false |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_f447ed26-44b0-4145-a12b-d0b00b85de75\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.869992645087777 |
Encrypted: | false |
SSDEEP: | 96:q1ApYFn6i0hVyLsj94sJ7gof0QXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNJ:Kci0OLw0BU/wjeTRlzuiFZZ24IO8dci |
MD5: | ACA9F65AE62762E30CAD2CA0FEE2F9D8 |
SHA1: | 80CA1A273A80BDECB5D89438E434FDC1CCFDF81E |
SHA-256: | CEC4F8C206606E4A3180524F46F0670045EE63020AC405B96067A303082CC6A3 |
SHA-512: | B38336BD074D097F394CFAB8FB36C4D4AA5A1E0207ADAE95623F716A40BA58DACC030B44278825F825D8DD55A4C01A1ECB17973EF19AC197E48DC2DD77B24E29 |
Malicious: | false |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_fefad15e-02a6-45e0-8ba1-606216b2d276\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8700258423352261 |
Encrypted: | false |
SSDEEP: | 96:qdp8F9k6i4hVyDsj94sJ7gof0QXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNh:XNi4ODw0BU/wjeT5lzuiFZZ24IO8dci |
MD5: | 9A2FF4AEAC2F5AD6061F69D99CA13D39 |
SHA1: | B478BC05A2414F0800D93198F5A9A2ED9420F7CB |
SHA-256: | 99F07A3FF6ABCC54AA5D6C239BDC022FF702569E84FF1C8DE035F377C1F83019 |
SHA-512: | 17F01F5454A7CFC269D8A150641BE42B05761DE57CE7E1DAFCF31E254DDD855413AF45649B9E4653F392E66A9D0CB5D8AE9F776CFB213C5378DE3ACDE8B5AA11 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 41828 |
Entropy (8bit): | 2.0310785327941896 |
Encrypted: | false |
SSDEEP: | 192:M+5eRS0o/qNJgO5H44vfWn2nxaaNYeyJR1HL:P5eAsNJ35HFvfiCxaaYekL |
MD5: | 04E3691EC8CBE6370A7081636243AC62 |
SHA1: | 9563C59887F2216A3570F8D42C6D844751B671CB |
SHA-256: | 3551621F8601772208B9D9B3EBCECEFBED5DF329E5B9C25D75D263EE0F0549A0 |
SHA-512: | F0E86D45E7900D44783DA9BCB732673CBBBA2B86FCC0D8E00B3210C6A739C6CA8E8CA5CBD1B247B7412B2ABBCB78DF9CDC7E717C0B2F831EABBAE028C1963718 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8264 |
Entropy (8bit): | 3.6907729111254546 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJmL606YSso67gmfTsVprT89bHhsfztm:R6lXJC606Y+67gmfTsMHafU |
MD5: | 0F9CB2E0409C90494ACED4FEF593ED76 |
SHA1: | A2BD5A4ADD04D6152D5CF03475E5B5DC7EDC3786 |
SHA-256: | 81DDC7A1884737136FE521670980E2EEB56C98C244A2302211A19B3F3F128990 |
SHA-512: | F3EB2FE3B6C145E5E2443B78E3F5EB4625321208BD1F32A95366E4025C0C6AB0B8DDD67C372ADC540C7247DA8851AAB6CD2F4D644232E70CF4B09A60CCE5FD45 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4654 |
Entropy (8bit): | 4.45689474131313 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsVJg77aI9wrWpW8VYuYm8M4JCdPVFW+q8/fMGScSld:uIjfvI7+a7VmJ5VJ3ld |
MD5: | 9C05E34840052D6E81F73E87FC6AFC04 |
SHA1: | EC8623B4CF90C9D37D1737DA5BDFB7944C019E49 |
SHA-256: | 9CC013FB1661C99B6B39F8D6D782AF644293FF243D7183F335A237D4199B4798 |
SHA-512: | A6E6C2F8BFD1E026133FA8BCA04CCEC9D6A7454C06004CAAF9C2382989BE084D8FBEC897FCDD73CB6DFC3AF4FCDEB1222C8D0AD5A37D0D39C34DADE6D84E286F |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 44156 |
Entropy (8bit): | 2.0016977091669785 |
Encrypted: | false |
SSDEEP: | 192:P8t5eRSMo5qAESO5H4Cg9SGQODdyLCfeEjG26wqoeTw:Y5eAuLt5H9g9SGQAdyaeEjGt |
MD5: | 8258FFCDB554121220FDDF0B50C68BE4 |
SHA1: | 35CAEC24AF628F1B51E2F6BF7A83E6187924318E |
SHA-256: | 7CE73A56FE6CDC01895FF7251862BE30341EDA406CF5E6BCB7A21CA5DF8FEBAB |
SHA-512: | F26F301A3880AEDAE6B8D08AFBE69668DBEF2ECE211D8C4F8991A35C57B1B086956EA8BEA5CE061B015F14B11B8E833EC0F3A79964709A7B35D48E13EF0F6E9D |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8264 |
Entropy (8bit): | 3.6929275909402537 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJx763u6YSM6zgmfTsVprT89bwbsfsQm:R6lXJ963u6Yp6zgmfTsMwgfK |
MD5: | 53CBB5DAA02675AD6F8260738EA82278 |
SHA1: | 4ECF3C0F1B610EF5441D5D495E7225602F5DD31C |
SHA-256: | D87FC40F0B646097B0D244462334AFD448BC13401BAEE3D320FA43B3DAFDF84C |
SHA-512: | F7937106DAF4BA56D9BFA1A45C2C4810A0CD8CC2E32B8E8A4A84DB2BC9AF82BB2D6AE8BD73B09545E3BD60FD2C0CA4D56AD940DD51F213FD2B759FB04F6704D8 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4654 |
Entropy (8bit): | 4.459612200668822 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsVJg77aI9wrWpW8VYeYm8M4JCdPVFln+q8/fSGScS0d:uIjfvI7+a7V6Jm/J30d |
MD5: | C0531A974D9BB182A997C2E544985660 |
SHA1: | A8F58004B41E4A64EA03B5892A9434C15DFBDCCD |
SHA-256: | 7FA56710E85F9493A51B69B3D9BAB01B692C30B5C20DACA5365B80D14DAD1485 |
SHA-512: | 6837142BA21D0B92ADFA8DA20FBEF7BAE31DDE2F35488643C3AC20C8D485D2D5942C77F905B9808238F5059DFE4DD918041680D3759A2B39F1DA896120793C2C |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 43336 |
Entropy (8bit): | 1.9768896939932683 |
Encrypted: | false |
SSDEEP: | 192:OJD5eRSNo5qcoO5H4xBf+JXCzMG5HFHqe1MHeuz:e5eAVu5HgBfQCgG5Hme |
MD5: | FE7B6A757BBC6080840C82E611BE272F |
SHA1: | D4490F867E15B8B72073C8139474AAC4492AB6F5 |
SHA-256: | 8B96CAE1C5ED72C9FAB5F6F138AADFD941C4F6441215BC545E05DADC1672980D |
SHA-512: | C681458F391B3C2C7769A97E2A98089EBFD738A5EAF729B5C3EF6A1711BDA82ECD021230FA8041461322CDAD216F1A50E80D6FC1444510D8A520DF78845230FD |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 44436 |
Entropy (8bit): | 1.9777458033276236 |
Encrypted: | false |
SSDEEP: | 192:OL5eRSvo5quO5H4N+cTMMSOQ9MPtpARmehxjWt0:o5eALp5HI+cTpSOQ9MPtaNU0 |
MD5: | 7C79B93CB4C8CDE39A512B83BE08FD5E |
SHA1: | CD6C0A6569665492DC3C78E685ECEA87BD5E30AC |
SHA-256: | B3EBF9BA9A3042E19B97F722B9444D8E134834FC4F365DC13B36D5FA5BD8A1EA |
SHA-512: | FB18B11A7984EB3B7B128927E091A043399E106D0AB64276D2AAFE494438ED0EDDCA69384EC74CC4A37F7257D8F3F1F82FDF3AF481741694323F1D2022FB07BC |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8256 |
Entropy (8bit): | 3.690782308869914 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJUA6Yt6Yiv6FgmfTsVprt89byNsfXymm:R6lXJL6Yt6Ya6FgmfTsSyGfq |
MD5: | 08CD8251F2934479C3583235ADF2FB88 |
SHA1: | 8032BE3AF7CFC6AEE26EE16196A37CD50C3D4737 |
SHA-256: | 1F42067A0F93B81DF26A38E9077A765FB337229DF6FAD0D752E0F892A15ADA39 |
SHA-512: | C5FC41874E5672AECC6068DCD935909C9D0DBAF4407BB7BFF7E73589E4531FF2CA247AA24B547C4458AFEAC6E19D61280CC0E9890F24EB99D5F1188562DD0FC3 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8256 |
Entropy (8bit): | 3.6922530688472937 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJMLx6w6YiZ6FgmfTsVprO89byKsfzmm:R6lXJMd6w6Y86FgmfTsfypfb |
MD5: | 47E291FCE32E5806E10077F5CF93BCAE |
SHA1: | 1B76153604BBD44B9F2A08A0F2993111C928859E |
SHA-256: | D4B235610DF85DDDE844B3240D6DE2F37E5A2EF6CBE1C981FE3C78C20BAEDD29 |
SHA-512: | EDE21E59D0457D08314D9900182C78C5F7B065163141844BDFFC3CD91C71AF36DA9D0A19600CD6E7C539270F865EF6C1073096DFF5D994769C4412121603793B |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4654 |
Entropy (8bit): | 4.460083656139062 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsVJg77aI9wrWpW8VYFYm8M4JCdPVFd+q8/fITAGScStd:uIjfvI7+a7VNJSlcJ3td |
MD5: | 827DD6199841128D75CA8D7D4CE9E077 |
SHA1: | 54992F1165DB0E9373A2AB15ACCE5C6B7B48A382 |
SHA-256: | A1F688C1AA6F30EFC46102E0BBF034E87F7F07D61B011D9B94308C2F9278624F |
SHA-512: | 70AB0E8F27DFCDCD0CB0C8AB3486214FB381FF57AD9BFA69E3762441B44151982EEAA4D19E85616177BE3F2EE76B2BADE88C94DDDC634B9E58AB3B6F33080EF9 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4654 |
Entropy (8bit): | 4.458561017867401 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsVJg77aI9wrWpW8VYeAYm8M4JCdPVFrQa+q8/f4GScSad:uIjfvI7+a7VXNJza5J3ad |
MD5: | D6AB9549AFB87C33DACE9996B7BB9BE2 |
SHA1: | 8332BB0F1FD6B2C70DA9023DE02E27D0B925833D |
SHA-256: | BB4A4501B092849A39CC64BA40FE1ABB52D82C62E1B0033B51899E3369BAA64E |
SHA-512: | C09749F7FBDD633C4BAAC46A76D2757BF16C5A6A1DEC34AF5C4B8044BD9F83337B80D095A84DAC2A65DB21F6D428006480F7975504FDBE310B7C394ACC351390 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.46624935486006 |
Encrypted: | false |
SSDEEP: | 6144:WIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:bXD94+WlLZMM6YFHT+G |
MD5: | 9BEAAB76FF412629985B984DB1E6F6E6 |
SHA1: | 97343B87B2DAD05464CB7596922AEBE46843CDF7 |
SHA-256: | 3D1A07B10A15ECE3AB4B7649FD88A9FF1008AFDC0366B124159CA82C9D2F24BA |
SHA-512: | 58EE1BFC4BD77D393732FD82F5EC9409A4BB3154F7E435A39C4973BCD61070C98B5844F640BFCB1969A2040B5A81075F5B7AD51733CDA8BD3DCC809EF548EBB7 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.429592886706823 |
TrID: | |
File name: | newadvsplash.dll |
File size: | 8'704 bytes |
MD5: | 9bc6c411efa742a5de7d8372afafa2fa |
SHA1: | 2b57865e87c7ca2db97d0296d8cbe0183df2c2cf |
SHA256: | 0cac914c87d4e73875dea8544391e383f441d624ea5ec9a4864d056db161206c |
SHA512: | 092ef3f13a71a46df0f78a3b5eb4492bee32f1a12be27e0c534638ec7723b2a9aac23391768c352289df6a8988cbc6cf96ea22d8f1983b5ccf609e08d1db4bde |
SSDEEP: | 192:7p/MyET9lrRyFJb9kSw/T6rz91YrLV1hiI:7p/MyET90k7/T6rB1Yk |
TLSH: | CA02C53671C166F3D3BA51F859836B1D4FEDA0352351A0218B7391D62CA4297FEA7703 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Fq..("..("..("..,"..("..("..("..;"..("..)"..("..;"..("..#"..("@.,"..("Rich..("................PE..L....)CG...........!....... |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x10001bac |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL |
DLL Characteristics: | |
Time Stamp: | 0x474329B3 [Tue Nov 20 18:38:43 2007 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | eee37c14e102da3f62385f9796c701ce |
Instruction |
---|
mov eax, dword ptr [esp+04h] |
push 00000001h |
mov dword ptr [10003090h], eax |
pop eax |
retn 000Ch |
push ebp |
mov ebp, esp |
sub esp, 24h |
push ebx |
push esi |
push edi |
mov edi, dword ptr [ebp+08h] |
mov esi, dword ptr [ebp+0Ch] |
or dword ptr [ebp-08h], FFFFFFFFh |
push 00000006h |
lea eax, dword ptr [ebp-10h] |
pop ebx |
push ebx |
push eax |
push edi |
call 00007F87E911A9CFh |
add esp, 0Ch |
cmp eax, ebx |
jne 00007F87E911A6C6h |
push ebx |
lea eax, dword ptr [ebp-10h] |
push 10003074h |
push eax |
call 00007F87E911A9B3h |
add esp, 0Ch |
test eax, eax |
je 00007F87E911A66Ch |
push ebx |
lea eax, dword ptr [ebp-10h] |
push 1000307Ch |
push eax |
call 00007F87E911A99Dh |
add esp, 0Ch |
test eax, eax |
je 00007F87E911A656h |
push 00000005h |
jmp 00007F87E911A698h |
push 00000007h |
lea eax, dword ptr [ebp-18h] |
pop ebx |
push ebx |
push eax |
push edi |
call 00007F87E911A98Ah |
add esp, 0Ch |
cmp eax, ebx |
je 00007F87E911A659h |
mov eax, ebx |
jmp 00007F87E911A8C2h |
mov al, byte ptr [ebp-14h] |
and eax, ebx |
test byte ptr [ebp-14h], FFFFFF80h |
lea ecx, dword ptr [eax+01h] |
mov dword ptr [esi+10h], ecx |
je 00007F87E911A671h |
push 00000003h |
lea eax, dword ptr [esi+14h] |
pop ebx |
shl ebx, cl |
push ebx |
push eax |
push edi |
call 00007F87E911A95Bh |
add esp, 0Ch |
cmp eax, ebx |
je 00007F87E911A67Ah |
push 00000007h |
pop eax |
jmp 00007F87E911A892h |
push 00000003h |
lea eax, dword ptr [esi+14h] |
pop edx |
shl edx, cl |
push edx |
push 00000000h |
push eax |
call 00007F87E911A92Fh |
or byte ptr [esi+19h], FFFFFFFFh |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2700 | 0x75 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2130 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4000 | 0x1fc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x114 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xf6e | 0x1000 | 078394702e3b33a4b0e7ce21f6a314ca | False | 0.613525390625 | data | 5.993634441845734 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x2000 | 0x775 | 0x800 | 2eecb7662addefb4920dadc9b170fa79 | False | 0.482421875 | data | 4.766760155626801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x3000 | 0x121 | 0x200 | 57ee42191345a6bad71ea355af516c36 | False | 0.248046875 | Matlab v4 mat-file (little endian) p, sparse, rows 257, columns 2036427888 | 1.633861647378341 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x4000 | 0x27a | 0x400 | 7272a7e17e27606a17b7d4f452582835 | False | 0.4853515625 | data | 4.072715018730573 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
KERNEL32.dll | MultiByteToWideChar, GetProcAddress, GetModuleHandleA, CloseHandle, CreateThread, lstrcpynA, lstrlenA, GetCurrentThreadId, Sleep, lstrcpyA, lstrcmpiA, lstrcatA, GlobalAlloc, GlobalFree, WaitForSingleObject |
USER32.dll | DefWindowProcA, DestroyWindow, IsWindowVisible, UnregisterClassA, EnumDisplaySettingsA, wsprintfA, SetWindowPos, LoadCursorA, BeginPaint, CreateWindowExA, GetMessageA, TranslateMessage, DispatchMessageA, IsWindow, GetClientRect, SetWindowLongA, SetForegroundWindow, AttachThreadInput, GetWindowThreadProcessId, GetForegroundWindow, RegisterClassA, SystemParametersInfoA, SendMessageA, ShowWindow, PostMessageA, SetWindowRgn, EndPaint |
GDI32.dll | CombineRgn, GetObjectA, CreateCompatibleDC, SelectObject, GetDIBits, CreateRectRgn, DeleteObject |
MSVFW32.dll | MCIWndCreateA |
WINMM.dll | timeSetEvent, PlaySoundA, timeKillEvent |
OLEAUT32.dll | OleLoadPicturePath |
MSVCRT.dll | _lseek, memset, memcmp, _read, memcpy, _close, _open, strtol |
Name | Ordinal | Address |
---|---|---|
hwnd | 1 | 0x10001b5e |
play | 2 | 0x1000127f |
show | 3 | 0x100016dc |
stop | 4 | 0x100019ac |
Target ID: | 0 |
Start time: | 05:15:42 |
Start date: | 19/04/2024 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc0000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 1 |
Start time: | 05:15:42 |
Start date: | 19/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 05:15:42 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 05:15:42 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x230000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 05:15:42 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x230000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 05:15:45 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x230000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 05:15:45 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd60000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 05:15:48 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x230000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 05:15:48 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd60000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 05:15:51 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x230000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 13 |
Start time: | 05:15:51 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x230000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 14 |
Start time: | 05:15:51 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x230000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 15 |
Start time: | 05:15:51 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x230000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 18 |
Start time: | 05:15:52 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd60000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 19 |
Start time: | 05:15:52 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd60000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Joe Sandbox IDA Plugin
Function | Relevance | APIs | Strings | Instructions | Tags | Uniqueness Score |
---|---|---|---|---|---|---|
100016DC | 38.7 | 16 | 6 | 200 | string, thread, com, COMMON | -1.00% |
1000103C | 26.4 | 12 | 3 | 122 | memory, COMMON | -1.00% |
100013CB | 22.9 | 12 | 1 | 129 | window, registry, COMMON | -1.00% |
100019AC | 22.9 | 11 | 2 | 104 | synchronization, string, sleep, COMMON | -1.00% |
1000127F | 19.3 | 8 | 3 | 91 | window, string, COMMON | -1.00% |
10001579 | 15.1 | 10 | | 129 | COMMON | -1.00% |
10001EA1 | 10.6 | 5 | 1 | 52 | string, COMMON | -1.00% |
10001000 | 9.0 | 6 | | 25 | thread, COMMON | -1.00% |