Edit tour
Windows
Analysis Report
vulkan-1.dll
Overview
General Information
| Sample name: | vulkan-1.dll |
| Analysis ID: | 1431065 |
| MD5: | 5e162bcda79c966d63a15e49c8bf8c13 |
| SHA1: | 2f2c77e120b66a34648c22fa23d525b1ead0df67 |
| SHA256: | 25d6b4ef0a74f1a04476dc2944def16d4ca2b015277add2ebcfbc1c3df13793c |
| Infos: | |
 | |
Detection
| Score: | 6 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 40% |
Signatures
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Classification
Analysis Advice
| Sample searches for specific file, try point organization specific fake files to the analysis machine |
| Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
| Sample crashes during execution, try analyze it on another analysis machine |
- System is w10x64
loaddll64.exe (PID: 7292 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\vul kan-1.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52) 
conhost.exe (PID: 7300 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7344 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\vul kan-1.dll" ,#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
rundll32.exe (PID: 7368 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", #1 MD5: EF3179D498793BF4234F708D3BE28633) 
WerFault.exe (PID: 7480 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 7 368 -s 348 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 7352 cmdline:
rundll32.e xe C:\User s\user\Des ktop\vulka n-1.dll,vk AcquireNex tImage2KHR MD5: EF3179D498793BF4234F708D3BE28633) - WerFault.exe (PID: 7472 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 7 352 -s 316 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 7632 cmdline:
rundll32.e xe C:\User s\user\Des ktop\vulka n-1.dll,vk AcquireNex tImageKHR MD5: EF3179D498793BF4234F708D3BE28633) - WerFault.exe (PID: 7680 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 7 632 -s 340 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 7776 cmdline:
rundll32.e xe C:\User s\user\Des ktop\vulka n-1.dll,vk AllocateCo mmandBuffe rs MD5: EF3179D498793BF4234F708D3BE28633) - WerFault.exe (PID: 7832 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 7 776 -s 348 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 7888 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkAcquireN extImage2K HR MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7896 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkAcquireN extImageKH R MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7920 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkAllocate CommandBuf fers MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7956 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkWaitSema phores MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7992 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkWaitForF ences MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 8024 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkUpdateDe scriptorSe ts MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 8064 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkUpdateDe scriptorSe tWithTempl ate MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 8100 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkUnmapMem ory MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 8132 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkTrimComm andPool MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 8172 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkSignalSe maphore MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 1432 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkSetPriva teData MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 5780 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkSetEvent MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7028 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkResetQue ryPool MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 1360 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkResetFen ces MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 180 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\vulk an-1.dll", vkResetEve nt MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_00007FFDFF284804 | |
| Source: | Code function: | 0_2_00007FFDFF2A8000 | |
| Source: | Code function: | 0_2_00007FFDFF28B7E8 | |
| Source: | Code function: | 0_2_00007FFDFF225830 | |
| Source: | Code function: | 0_2_00007FFDFF227F50 | |
| Source: | Code function: | 0_2_00007FFDFF295740 | |
| Source: | Code function: | 0_2_00007FFDFF227F30 | |
| Source: | Code function: | 0_2_00007FFDFF228610 | |
| Source: | Code function: | 0_2_00007FFDFF2A2618 | |
| Source: | Code function: | 0_2_00007FFDFF284E10 | |
| Source: | Code function: | 0_2_00007FFDFF222613 | |
| Source: | Code function: | 0_2_00007FFDFF284600 | |
| Source: | Code function: | 0_2_00007FFDFF222620 | |
| Source: | Code function: | 0_2_00007FFDFF222490 | |
| Source: | Code function: | 0_2_00007FFDFF2834C0 | |
| Source: | Code function: | 0_2_00007FFDFF2A3504 | |
| Source: | Code function: | 0_2_00007FFDFF2234F0 | |
| Source: | Code function: | 0_2_00007FFDFF29D4EC | |
| Source: | Code function: | 0_2_00007FFDFF227D30 | |
| Source: | Code function: | 0_2_00007FFDFF231D20 | |
| Source: | Code function: | 0_2_00007FFDFF28D3B4 | |
| Source: | Code function: | 0_2_00007FFDFF284C0C | |
| Source: | Code function: | 0_2_00007FFDFF2843FC | |
| Source: | Code function: | 0_2_00007FFDFF285C50 | |
| Source: | Code function: | 0_2_00007FFDFF294C28 | |
| Source: | Code function: | 0_2_00007FFDFF282420 | |
| Source: | Code function: | 0_2_00007FFDFF2AB294 | |
| Source: | Code function: | 0_2_00007FFDFF241990 | |
| Source: | Code function: | 0_2_00007FFDFF2829D0 | |
| Source: | Code function: | 0_2_00007FFDFF2219B0 | |
| Source: | Code function: | 0_2_00007FFDFF2281A0 | |
| Source: | Code function: | 0_2_00007FFDFF2ABA14 | |
| Source: | Code function: | 0_2_00007FFDFF284A08 | |
| Source: | Code function: | 0_2_00007FFDFF29D204 | |
| Source: | Code function: | 0_2_00007FFDFF283A58 | |
| Source: | Code function: | 0_2_00007FFDFF23787C | |
| Source: | Code function: | 0_2_00007FFDFF29D8E4 | |
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FFDFF234C6D | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Last function: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Code function: | 0_2_00007FFDFF29C85C | |
| Source: | Code function: | 0_2_00007FFDFF29C85C | |
| Source: | Code function: | 0_2_00007FFDFF27EC38 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FFDFF29AF84 | |
| Source: | Code function: | 0_2_00007FFDFF29B7B8 | |
| Source: | Code function: | 0_2_00007FFDFF2A07EC | |
| Source: | Code function: | 0_2_00007FFDFF2A0D98 | |
| Source: | Code function: | 0_2_00007FFDFF2A04EC | |
| Source: | Code function: | 0_2_00007FFDFF2A0B08 | |
| Source: | Code function: | 0_2_00007FFDFF27EFE0 | |
| Source: | Code function: | 0_2_00007FFDFF2AA5B4 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Rundll32 | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1431065 |
| Start date and time: | 2024-04-24 14:39:32 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 5s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Potential for more IOCs and behavior |
| Number of analysed new started processes analysed: | 42 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | vulkan-1.dll |
| Detection: | CLEAN |
| Classification: | clean6.winDLL@102/17@0/0 |
| EGA Information: | Failed |
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): WerFault.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.65.92
- Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target loaddll64.exe, PID 7292 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
| Time | Type | Description |
|---|---|---|
| 14:40:35 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vul_8a98533a1ee59e3066e2be1dd9ba698f1f7c53_20b95fe6_efed0deb-ab6a-419b-abdf-f64dadf15c15\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7758381445230415 |
| Encrypted: | false |
| SSDEEP: | 96:9QFWwjiCyKyesjwK4RvtpQa8foQXIDcQGc6zHcEDcw3CXaXz+HbHgSQgJjAdo8Fr:eriCyeU0Y/pUjGUzuiFyZ24lO85 |
| MD5: | 446EA6C9E4CE1F8813DBEDC4B79BCB2F |
| SHA1: | 3B520A79D0DDCAFB62F7AA94EA5B0A3CEEB9801A |
| SHA-256: | D45991B0FDDDC0AA9E49545F6B9726757F0BA10655F70FF6A24E9F5B0B1D0859 |
| SHA-512: | 72FAE908423AB27FBEC8DE29DCC03AE850BF9C9F19842A07619B59322538697A9EFC26EE231E0F75AB84DC89F272FDD0CA401143DE079AFFF09C061B6262ED2F |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vul_8a98533a1ee59e3066e2be1dd9ba698f1f7c53_20b95fe6_f1d6bd2e-9a5c-402a-bf9b-fffb0991a373\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7761060808634885 |
| Encrypted: | false |
| SSDEEP: | 96:gsFm7pwjiIyKyXsjwK4RvtpQa8foQXIDcQGc6zHcEDcw3CXaXz+HbHgSQgJjAdoa:hhiIyXU0Y/pUjGUzuiFyZ24lO85 |
| MD5: | 0B93DBAC07B584DBA9E81C6222B42294 |
| SHA1: | AF08BB520883BFE0C3246ED6630F48B4FCAB9AC7 |
| SHA-256: | 9F7A8042D4091AD1254BDC62D4885A4BEA6CDC229479314D12A09B3C9E4F07A5 |
| SHA-512: | 0F8CDB15764F5D29F671A6B646C3D160C7E8B556A794A344472FEA178804DE8C1EAEE8D9802AF04FF2D7F74A7F7EB04EE9A4A3AD157238E2BB80655DEB4DD346 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vul_d2be42f9ca26f5b1c98ace275864247822806def_20b95fe6_fb6bb36d-6fd7-4e37-9ac7-808a63498779\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7758654923958672 |
| Encrypted: | false |
| SSDEEP: | 96:+spFVAtwjivyKytsjwK4RvtpQa8fNQXIDcQGc6zHcEBzcw3BzUXaXz+HbHgSQgJ/:tfAKivytJ0Y/rzVmjGUzuiFyZ24lO85 |
| MD5: | 86801B2537950342C7BE3EB7E7829C4A |
| SHA1: | 32CDD3B5B597834E0FBCBC361DD6FCC36EB710BD |
| SHA-256: | 211E612CFE6BF7D51DCA71E7291031FF9339B1BEE3CE1706868356CA67FEE507 |
| SHA-512: | E0B908AB9C687FF481A1695C8839D02E79209206BF6F38811BFC0A1A014408FDA4361E59933A092F3913269ECACC46E4ADFFBBD9D16A9E4A1E3170326B161681 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vul_f81a78fb38adc0648cfeb4514965597f248381b_20b95fe6_2b7c5b8b-ad79-4160-9e69-1ee53bd9092b\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7760779009045959 |
| Encrypted: | false |
| SSDEEP: | 96:tRgFPOFwjioyKyxsjwK4RvtpQa8ftQXIDcQGc6zHcE+cw32XaXz+HbHgSQgJjAdd:ty91ioyx50Y/kYjGUzuiFyZ24lO85 |
| MD5: | AEAA6BE9D473AFD4DD80E4BDE9B5EFE6 |
| SHA1: | 4FA0978EA7417124B45E8E07D172B318ECD73539 |
| SHA-256: | 9BE5D5BE48EDBEB6A31D94216586DC68539BC1DB196EEE5DC078D8488EEC3CB2 |
| SHA-512: | 254D8699112B2936E62201F0132FD6964A66D00C100DCBCB4CDAD18BA3CBA4D131D086112B8F364ABE46EB51C350D7A0C9F5E0679BD57CCD3A1F809721E468A4 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 56868 |
| Entropy (8bit): | 1.6468263471947209 |
| Encrypted: | false |
| SSDEEP: | 192:99Svf/ScOMOOyNbnKwYMHsHwXpS9keJ9nHN:wSTVOyNbnEoIgY7JhH |
| MD5: | BE11AECC61A673314A74DA96B9351BC9 |
| SHA1: | A0A3C9718FEC93E1CBB582D84296860F02C222C0 |
| SHA-256: | 589F8A785D8FF44B414C375068FD02D23177C5F88E3C496E29165B7798BD61AD |
| SHA-512: | 3D00AE0AC3608F588BF483F30EFDB28AF7E22F508BAF4524D58672ACCD7F417C07E80E55DEF6FC518E93BC8D2397E3F732AFDF424A5CBF5BEB510250AA1E5882 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 57856 |
| Entropy (8bit): | 1.6334161064102024 |
| Encrypted: | false |
| SSDEEP: | 192:95amqBKScOMOpZEaJFpS9o0wU/4m9gWXqQ:5vSTVpZEaJFYGi/4XW3 |
| MD5: | DD77C4E6272B337BEFD030D054EBCA00 |
| SHA1: | 028DF128D64217BD3F87979A9286E13C6F297B09 |
| SHA-256: | 9EF60A7D81E22CD0D4D3838F89532424FF59AD32937A2DD1B525A31119B0363E |
| SHA-512: | 837CE1E98BCCF883D531361A5D690CC98DCCAC1BBA4A74F4BB870FBE1D61E82FE0713FAB9B3AD0F1A130403BE5EE261F524123344FB738BE9717603EEAB23DD5 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8758 |
| Entropy (8bit): | 3.7027820897932333 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJWIHW6b6YfEjngmfRHGtprr89bj5DfABm:R6lXJJ26b6Y8jngmfRmcjNfb |
| MD5: | F5F15550724C3D2D7B55F47A249330A7 |
| SHA1: | 1352031D3010C4B52A154195D2A6D33EACE7E582 |
| SHA-256: | 47AD4CD577BBF9B2E2053DEC69ED49D59DE0669F6E7CEF719A1F029B5147E600 |
| SHA-512: | E71D39364836F193ACE14599A2C6BA24B93E4A1B53ED75D2054972A35892BFD2C8EE93E32948AA57D4F171DFE6F95F1494A2A37448AB77E8CFE6CE15DC97120F |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4748 |
| Entropy (8bit): | 4.475725015046485 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsWJg771I9P8WpW8VYkZYm8M4JCcC6kFeDyq85mhQptSTSsd:uIjfsI7A17VoJXDspoOsd |
| MD5: | 9A67378BE35E1FE831897A02E69050BC |
| SHA1: | 725DCE708A5644F300FE724E21F502F5BB1F684F |
| SHA-256: | D5C3A11F36BE839340ECC402EC32258DA58BB93B1B89BE836FD2348A2AB65612 |
| SHA-512: | F5B6844738854651AB3286D7E11242DC5BF0FC419CDF3416167C16B7FB681840CAC3BF19A9624E5223099213E68889F741435656B88A94C15554B66080633CEA |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8766 |
| Entropy (8bit): | 3.7027665211747043 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJPYHS6K6Y3i8fgmfRHGtprr89bjRDfhBm:R6lXJgy6K6YycgmfRmcjlf2 |
| MD5: | 2E960BEF620DCB9FE8E24D94D929B8F2 |
| SHA1: | 98516525C9B7EEEBAA871057021EE058396CDD6D |
| SHA-256: | 66BC261C35D5818CFE9F8AD24729301994FA79C99038E0B2EDD61C3B70DEF1A8 |
| SHA-512: | C82CD9C5462930BFAE09A4E9EFD4734B625E692FC75EDA2CA30492D557F7B3BE527DDAC4E940D19933DFA5849006902FB3807D131CF62B06021AB4D4A50E5D93 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4748 |
| Entropy (8bit): | 4.477105197641119 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsWJg771I9P8WpW8VYWYm8M4JCcC6kFUYyq85mhl4ptSTSRd:uIjfsI7A17VWJ1YCpoORd |
| MD5: | 399D73FFB3CB2E28FCE4AFA0FAD867E5 |
| SHA1: | 1DA797FE81DA4E9C7331141FC0D09DEAA04CB65B |
| SHA-256: | E69E89B6BFF3B7F656E1B0815CE6508A6C19FAE654A352DFB8F8CEDE2096EBA0 |
| SHA-512: | 0DEAF72DA107263F2359B561335BFBD8F7B03B77586635772E71047F28B3AF900884CF5833D1B65B2B909E8F770580555BDB37E1E5D191FA915BCEE1F675AD20 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 56508 |
| Entropy (8bit): | 1.6567185660001948 |
| Encrypted: | false |
| SSDEEP: | 192:2vh1+40eOMOSJBCi30YWvP44K3CuwsMwGal197z:C/T0ZV6BCa0YWvCy0MwGav97 |
| MD5: | D1955C363F665A5C1F86C253B5B82AA2 |
| SHA1: | D8BE876D448534EA4CA90E7E41BA32B6ED234B21 |
| SHA-256: | 615515938DE0322CAC84AB6AECE4097C01DAE030466AFE2B94E7A45260F887F6 |
| SHA-512: | F6D25EA4EA0882A72338A0D8D55FCB8D4B3F1716881B9D78325BD4E9433AB25A808D4046BB181136315B4695041A05836FE150AAF651E870FEB8739F4CEEE58F |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8764 |
| Entropy (8bit): | 3.7026596669900953 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJNjHu6g6YfjjngmfRH9nprQ89bMoDfWbkm:R6lXJ5O6g6Y7jngmfRdHMkfWd |
| MD5: | D21AA428429882919156E6CD652EF1D4 |
| SHA1: | 77EFEF2BFA195CEC3743129B430909E7863642E8 |
| SHA-256: | B356DBC299CF3BFE1D4670D540ED1AB9C012B25D6C113DB2A6542CBC6235EF05 |
| SHA-512: | B815A54F15054229CD13462EF5D85929C4E468F20A3481C08BC6855DAD22ED9E3946D93909A3942F1CC2FAB248092A3985649781EB7238171A07B483E15F949E |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4748 |
| Entropy (8bit): | 4.475044827652875 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsWJg771I9P8WpW8VY3Ym8M4JCcC6HFO7Pyq85mhoPptSTSYd:uIjfsI7A17VXJgDQpoOYd |
| MD5: | F9AB8F2BFDD90CA26C6076E683CE250B |
| SHA1: | F80A1B2CA8354EE848E37C03273D629B18A566DF |
| SHA-256: | B589A73926D17F25D2DD25B1DB747CFFF2D21223BEA0147072BF0EC3D78F582E |
| SHA-512: | 071738F693DDD0160232B1A29773B9DE510431C81F8B4AB0475FDC5422F3962BCE5DEF9F5E7397C839352EB405BC21F7CA1BE28CA1D016D3ACABCD3DDFA9A8D8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 57068 |
| Entropy (8bit): | 1.6550227507184851 |
| Encrypted: | false |
| SSDEEP: | 192:PNk42OOMObPq7VLqahnw5nohywMQHZlA:h2JVbPq7VHWnohFM |
| MD5: | 0F990E3CC7F646C7972E3D3C0A42488B |
| SHA1: | 0AA6458E0696F2BF43C6A6B1E5B6DD98BF3F9DCE |
| SHA-256: | 077784AE0FF87C0B81DAE51800CBEB2D7E82A471E178C4F7B34F7E8D360A31D0 |
| SHA-512: | D5D0F606A817ABFF0C506351C5C8AB80F83691235F45C4505EB628B9B57F99F9E547670982A711149AF0D1D74824E843A189D44A13D744432FC1A22FBA78B225 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8760 |
| Entropy (8bit): | 3.7011777789555023 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJ0RH56V6YfnjngmfRH9spr+89b5drfabzm:R6lXJCZ6V6YPjngmfRd+5Rf7 |
| MD5: | ED8C4E06F2E88754052FD371BE8CC0FE |
| SHA1: | 7F20C9D21C61E5C4FA5B2D3BCFABBD890D92C8A1 |
| SHA-256: | D6CBB64FC9FDA6C9F4B106F173A41894168E773B787A650AD8B6CD8655D1B5AE |
| SHA-512: | A25CBB2727F3168CAA2FC722CEC6FFD7705F0F3B2B618A04007CD16AAA2806DFD0888914C202C5915B8AB33692E70E74A5D2BB2838B98D84389A1DFB5C988C07 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4748 |
| Entropy (8bit): | 4.473697913127928 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsWJg771I9P8WpW8VYIYm8M4JCcC61F4W2yq85mh5ptSTSMd:uIjfsI7A17VUJ8tpoOMd |
| MD5: | FC5524F047DC7AEFAA377B348D20D680 |
| SHA1: | D33CF3518EC45EED6E5EE79E2B2E2B0F9C282947 |
| SHA-256: | 149E3EA6B93932CEA57DBC886F27D1232CB123DD3F65D4CC9669637BEE48EB3B |
| SHA-512: | A3905F18D526288B523E7FDB69F336140FA28AE671A1ACC9174E01DA67C551C6B76A897E8AC4438B9AB2BDC5FA60448CD20AC427D21495A108E371DA59F3DA3C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.466397250677987 |
| Encrypted: | false |
| SSDEEP: | 6144:1IXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:2XD94zWlLZMM6YFHa+9 |
| MD5: | 1DD49A2EA0F5C601AFDAAB4B05D3AAAE |
| SHA1: | E54B47B1643073129A7EC63244A9ECA6DF394FB8 |
| SHA-256: | 0E080DD746D27C2D4CA75D3FF6A62121784AD2C030F332B252C79722CAB20638 |
| SHA-512: | D583EDC6CCB1DB5BB3A6C2C45B57C4F6A0A8FF9532180EE97DB97CD20606F112CE719737472BFD56B23C504AC3923BB97AAEB2AFCD4D246AA534BFBA3CEFBF5C |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.5737856921703965 |
| TrID: |
|
| File name: | vulkan-1.dll |
| File size: | 939'520 bytes |
| MD5: | 5e162bcda79c966d63a15e49c8bf8c13 |
| SHA1: | 2f2c77e120b66a34648c22fa23d525b1ead0df67 |
| SHA256: | 25d6b4ef0a74f1a04476dc2944def16d4ca2b015277add2ebcfbc1c3df13793c |
| SHA512: | 10a89f1618b9aa96fd524f92b29506045cac8f00ee846e950591d59f6fb49a79268044424e2497e3c75815c140a458c9fb27e781a2fe1949f5eed408abe3326d |
| SSDEEP: | 24576:WV9nIy2kwpHHPDnCo3A1XpQ66Z5WoDYsHs6g3P0zAk7IG3:it2zNLnxA1+66Z5WoDYsHs6g3P0zAk7z |
| TLSH: | 28155E139A944569D476C034C9C28607CA7178921B25B9CF03A85B09BFAFBF43B7D73A |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....t.e.........." ......................................................................`A....................................... |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x18005efa0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x180000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| Time Stamp: | 0x65BA74B4 [Wed Jan 31 16:26:28 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 2 |
| File Version Major: | 5 |
| File Version Minor: | 2 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 2 |
| Import Hash: | 49ed29c3ff417b26c7cd92ecc9b7dcb3 |
| Instruction |
|---|
| dec eax |
| mov dword ptr [esp+08h], ebx |
| dec eax |
| mov dword ptr [esp+10h], esi |
| push edi |
| dec eax |
| sub esp, 20h |
| dec ecx |
| mov edi, eax |
| mov ebx, edx |
| dec eax |
| mov esi, ecx |
| cmp edx, 01h |
| jne 00007F4149346FB7h |
| call 00007F4149346FD4h |
| dec esp |
| mov eax, edi |
| mov edx, ebx |
| dec eax |
| mov ecx, esi |
| dec eax |
| mov ebx, dword ptr [esp+30h] |
| dec eax |
| mov esi, dword ptr [esp+38h] |
| dec eax |
| add esp, 20h |
| pop edi |
| jmp 00007F4149346E38h |
| int3 |
| int3 |
| int3 |
| dec eax |
| mov dword ptr [esp+20h], ebx |
| push ebp |
| dec eax |
| mov ebp, esp |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov eax, dword ptr [0007A034h] |
| dec eax |
| mov ebx, 2DDFA232h |
| cdq |
| sub eax, dword ptr [eax] |
| add byte ptr [eax+3Bh], cl |
| ret |
| jne 00007F4149347026h |
| dec eax |
| and dword ptr [ebp+18h], 00000000h |
| dec eax |
| lea ecx, dword ptr [ebp+18h] |
| call dword ptr [00070726h] |
| dec eax |
| mov eax, dword ptr [ebp+18h] |
| dec eax |
| mov dword ptr [ebp+10h], eax |
| call dword ptr [00070668h] |
| mov eax, eax |
| dec eax |
| xor dword ptr [ebp+10h], eax |
| call dword ptr [00070654h] |
| mov eax, eax |
| dec eax |
| lea ecx, dword ptr [ebp+20h] |
| dec eax |
| xor dword ptr [ebp+10h], eax |
| call dword ptr [000707BCh] |
| mov eax, dword ptr [ebp+20h] |
| dec eax |
| lea ecx, dword ptr [ebp+10h] |
| dec eax |
| shl eax, 20h |
| dec eax |
| xor eax, dword ptr [ebp+20h] |
| dec eax |
| xor eax, dword ptr [ebp+10h] |
| dec eax |
| xor eax, ecx |
| dec eax |
| mov ecx, FFFFFFFFh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xcd018 | 0x213c | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcf154 | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xed000 | 0x2c8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xde000 | 0x714c | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xee000 | 0xd4c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xcb39c | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xcb280 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9a140 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xcf5a0 | 0x3f8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x98c56 | 0x98e00 | 7d9459c034a2b1e77524de6601155da1 | False | 0.4289464942763696 | data | 6.428057492996419 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9a000 | 0x3ec24 | 0x3ee00 | 48da9fc4753d70b961a0d1a3f98930cd | False | 0.28377780193836977 | data | 5.872584339924801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xd9000 | 0x4d08 | 0x2000 | 85cd634b0cd291bef9250c92b0b07ec5 | False | 0.135986328125 | data | 3.7115356666419217 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0xde000 | 0x714c | 0x7200 | eac2c977073d252368a24ecff480d0e6 | False | 0.45405016447368424 | data | 5.697387191345565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .00cfg | 0xe6000 | 0x38 | 0x200 | 0eabc74ee2b74be0000d5307c6bfc109 | False | 0.07421875 | data | 0.5091857957461216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .gxfg | 0xe7000 | 0x2850 | 0x2a00 | f7f00c585fb61b195ca74ce323e3c88a | False | 0.41824776785714285 | data | 5.0826292433871645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .retplne | 0xea000 | 0x8c | 0x200 | 8c950f651287cbc1296bcb4e8cd7e990 | False | 0.126953125 | data | 1.050583247971927 | |
| .tls | 0xeb000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| _RDATA | 0xec000 | 0x15c | 0x200 | 0dc89475c6b7258f116c09e2902e949c | False | 0.41015625 | data | 3.3020016390485534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xed000 | 0x2c8 | 0x400 | 3989971319ec05c0ebf165ce2cdf2c89 | False | 0.318359375 | data | 2.4313997086474464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xee000 | 0xd4c | 0xe00 | b202b89afd3f26da910e8dfc7e3cb950 | False | 0.45926339285714285 | data | 5.334857138296712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0xed060 | 0x268 | MS Windows COFF Motorola 68000 object file | English | United States | 0.47564935064935066 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateEventW, CreateFileW, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetDateFormatW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetFileAttributesExW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryW, GetSystemTimeAsFileTime, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSListHead, InterlockedFlushSList, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, IsWow64Process, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, MultiByteToWideChar, OutputDebugStringA, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, ResetEvent, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwind, RtlUnwindEx, RtlVirtualUnwind, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SystemTimeToTzSpecificLocalTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
| ADVAPI32.dll | GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, OpenProcessToken, RegCloseKey, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA |
| CFGMGR32.dll | CM_Get_Child, CM_Get_DevNode_Registry_PropertyW, CM_Get_DevNode_Status, CM_Get_Device_IDW, CM_Get_Device_ID_ListW, CM_Get_Device_ID_List_SizeW, CM_Get_Sibling, CM_Locate_DevNodeW, CM_Open_DevNode_Key |
| Name | Ordinal | Address |
|---|---|---|
| vkAcquireNextImage2KHR | 1 | 0x1800428b0 |
| vkAcquireNextImageKHR | 2 | 0x180041730 |
| vkAllocateCommandBuffers | 3 | 0x180032e70 |
| vkAllocateDescriptorSets | 4 | 0x180032a50 |
| vkAllocateMemory | 5 | 0x1800315e0 |
| vkBeginCommandBuffer | 6 | 0x180032f60 |
| vkBindBufferMemory | 7 | 0x180031810 |
| vkBindBufferMemory2 | 8 | 0x1800346d0 |
| vkBindImageMemory | 9 | 0x180031860 |
| vkBindImageMemory2 | 10 | 0x180034730 |
| vkCmdBeginQuery | 11 | 0x180033d40 |
| vkCmdBeginRenderPass | 12 | 0x180033f80 |
| vkCmdBeginRenderPass2 | 13 | 0x180034d40 |
| vkCmdBeginRendering | 14 | 0x1800351f0 |
| vkCmdBindDescriptorSets | 15 | 0x180033440 |
| vkCmdBindIndexBuffer | 16 | 0x1800334a0 |
| vkCmdBindPipeline | 17 | 0x180033080 |
| vkCmdBindVertexBuffers | 18 | 0x180033500 |
| vkCmdBindVertexBuffers2 | 19 | 0x180035230 |
| vkCmdBlitImage | 20 | 0x180033860 |
| vkCmdBlitImage2 | 21 | 0x180035270 |
| vkCmdClearAttachments | 22 | 0x180033b00 |
| vkCmdClearColorImage | 23 | 0x180033a40 |
| vkCmdClearDepthStencilImage | 24 | 0x180033aa0 |
| vkCmdCopyBuffer | 25 | 0x1800337a0 |
| vkCmdCopyBuffer2 | 26 | 0x1800352b0 |
| vkCmdCopyBufferToImage | 27 | 0x1800338c0 |
| vkCmdCopyBufferToImage2 | 28 | 0x1800352f0 |
| vkCmdCopyImage | 29 | 0x180033800 |
| vkCmdCopyImage2 | 30 | 0x180035330 |
| vkCmdCopyImageToBuffer | 31 | 0x180033920 |
| vkCmdCopyImageToBuffer2 | 32 | 0x180035370 |
| vkCmdCopyQueryPoolResults | 33 | 0x180033ec0 |
| vkCmdDispatch | 34 | 0x1800336e0 |
| vkCmdDispatchBase | 35 | 0x180034850 |
| vkCmdDispatchIndirect | 36 | 0x180033740 |
| vkCmdDraw | 37 | 0x180033560 |
| vkCmdDrawIndexed | 38 | 0x1800335c0 |
| vkCmdDrawIndexedIndirect | 39 | 0x180033680 |
| vkCmdDrawIndexedIndirectCount | 40 | 0x180034ec0 |
| vkCmdDrawIndirect | 41 | 0x180033620 |
| vkCmdDrawIndirectCount | 42 | 0x180034e60 |
| vkCmdEndQuery | 43 | 0x180033da0 |
| vkCmdEndRenderPass | 44 | 0x180034040 |
| vkCmdEndRenderPass2 | 45 | 0x180034e00 |
| vkCmdEndRendering | 46 | 0x1800353b0 |
| vkCmdExecuteCommands | 47 | 0x1800340a0 |
| vkCmdFillBuffer | 48 | 0x1800339e0 |
| vkCmdNextSubpass | 49 | 0x180033fe0 |
| vkCmdNextSubpass2 | 50 | 0x180034da0 |
| vkCmdPipelineBarrier | 51 | 0x180033ce0 |
| vkCmdPipelineBarrier2 | 52 | 0x1800353f0 |
| vkCmdPushConstants | 53 | 0x180033f20 |
| vkCmdResetEvent | 54 | 0x180033c20 |
| vkCmdResetEvent2 | 55 | 0x180035430 |
| vkCmdResetQueryPool | 56 | 0x180033e00 |
| vkCmdResolveImage | 57 | 0x180033b60 |
| vkCmdResolveImage2 | 58 | 0x180035470 |
| vkCmdSetBlendConstants | 59 | 0x180033260 |
| vkCmdSetCullMode | 60 | 0x1800354b0 |
| vkCmdSetDepthBias | 61 | 0x180033200 |
| vkCmdSetDepthBiasEnable | 62 | 0x1800354f0 |
| vkCmdSetDepthBounds | 63 | 0x1800332c0 |
| vkCmdSetDepthBoundsTestEnable | 64 | 0x180035530 |
| vkCmdSetDepthCompareOp | 65 | 0x180035570 |
| vkCmdSetDepthTestEnable | 66 | 0x1800355b0 |
| vkCmdSetDepthWriteEnable | 67 | 0x1800355f0 |
| vkCmdSetDeviceMask | 68 | 0x1800347f0 |
| vkCmdSetEvent | 69 | 0x180033bc0 |
| vkCmdSetEvent2 | 70 | 0x180035630 |
| vkCmdSetFrontFace | 71 | 0x180035670 |
| vkCmdSetLineWidth | 72 | 0x1800331a0 |
| vkCmdSetPrimitiveRestartEnable | 73 | 0x1800356b0 |
| vkCmdSetPrimitiveTopology | 74 | 0x1800356f0 |
| vkCmdSetRasterizerDiscardEnable | 75 | 0x180035730 |
| vkCmdSetScissor | 76 | 0x180033140 |
| vkCmdSetScissorWithCount | 77 | 0x180035770 |
| vkCmdSetStencilCompareMask | 78 | 0x180033320 |
| vkCmdSetStencilOp | 79 | 0x1800357b0 |
| vkCmdSetStencilReference | 80 | 0x1800333e0 |
| vkCmdSetStencilTestEnable | 81 | 0x1800357f0 |
| vkCmdSetStencilWriteMask | 82 | 0x180033380 |
| vkCmdSetViewport | 83 | 0x1800330e0 |
| vkCmdSetViewportWithCount | 84 | 0x180035830 |
| vkCmdUpdateBuffer | 85 | 0x180033980 |
| vkCmdWaitEvents | 86 | 0x180033c80 |
| vkCmdWaitEvents2 | 87 | 0x180035870 |
| vkCmdWriteTimestamp | 88 | 0x180033e60 |
| vkCmdWriteTimestamp2 | 89 | 0x1800358b0 |
| vkCreateBuffer | 90 | 0x180032030 |
| vkCreateBufferView | 91 | 0x1800320f0 |
| vkCreateCommandPool | 92 | 0x180032d50 |
| vkCreateComputePipelines | 93 | 0x180032630 |
| vkCreateDescriptorPool | 94 | 0x180032930 |
| vkCreateDescriptorSetLayout | 95 | 0x180032870 |
| vkCreateDescriptorUpdateTemplate | 96 | 0x180034bc0 |
| vkCreateDevice | 97 | 0x1800311d0 |
| vkCreateDisplayModeKHR | 98 | 0x180042040 |
| vkCreateDisplayPlaneSurfaceKHR | 99 | 0x180042200 |
| vkCreateEvent | 100 | 0x180031d30 |
| vkCreateFence | 101 | 0x180031a90 |
| vkCreateFramebuffer | 102 | 0x180032b70 |
| vkCreateGraphicsPipelines | 103 | 0x1800325d0 |
| vkCreateHeadlessSurfaceEXT | 104 | 0x180041ac0 |
| vkCreateImage | 105 | 0x1800321b0 |
| vkCreateImageView | 106 | 0x1800322d0 |
| vkCreateInstance | 107 | 0x180030750 |
| vkCreatePipelineCache | 108 | 0x180032450 |
| vkCreatePipelineLayout | 109 | 0x1800326f0 |
| vkCreatePrivateDataSlot | 110 | 0x1800358f0 |
| vkCreateQueryPool | 111 | 0x180031f10 |
| vkCreateRenderPass | 112 | 0x180032c30 |
| vkCreateRenderPass2 | 113 | 0x180034ce0 |
| vkCreateSampler | 114 | 0x1800327b0 |
| vkCreateSamplerYcbcrConversion | 115 | 0x180034aa0 |
| vkCreateSemaphore | 116 | 0x180031c70 |
| vkCreateShaderModule | 117 | 0x180032390 |
| vkCreateSharedSwapchainsKHR | 118 | 0x180042430 |
| vkCreateSwapchainKHR | 119 | 0x1800414a0 |
| vkCreateWin32SurfaceKHR | 120 | 0x1800417f0 |
| vkDestroyBuffer | 121 | 0x180032090 |
| vkDestroyBufferView | 122 | 0x180032150 |
| vkDestroyCommandPool | 123 | 0x180032db0 |
| vkDestroyDescriptorPool | 124 | 0x180032990 |
| vkDestroyDescriptorSetLayout | 125 | 0x1800328d0 |
| vkDestroyDescriptorUpdateTemplate | 126 | 0x180034c20 |
| vkDestroyDevice | 127 | 0x180031260 |
| vkDestroyEvent | 128 | 0x180031d90 |
| vkDestroyFence | 129 | 0x180031af0 |
| vkDestroyFramebuffer | 130 | 0x180032bd0 |
| vkDestroyImage | 131 | 0x180032210 |
| vkDestroyImageView | 132 | 0x180032330 |
| vkDestroyInstance | 133 | 0x180030d20 |
| vkDestroyPipeline | 134 | 0x180032690 |
| vkDestroyPipelineCache | 135 | 0x1800324b0 |
| vkDestroyPipelineLayout | 136 | 0x180032750 |
| vkDestroyPrivateDataSlot | 137 | 0x180035930 |
| vkDestroyQueryPool | 138 | 0x180031f70 |
| vkDestroyRenderPass | 139 | 0x180032c90 |
| vkDestroySampler | 140 | 0x180032810 |
| vkDestroySamplerYcbcrConversion | 141 | 0x180034b00 |
| vkDestroySemaphore | 142 | 0x180031cd0 |
| vkDestroyShaderModule | 143 | 0x1800323f0 |
| vkDestroySurfaceKHR | 144 | 0x180040f30 |
| vkDestroySwapchainKHR | 145 | 0x180041670 |
| vkDeviceWaitIdle | 146 | 0x180031590 |
| vkEndCommandBuffer | 147 | 0x180032fc0 |
| vkEnumerateDeviceExtensionProperties | 148 | 0x1800312f0 |
| vkEnumerateDeviceLayerProperties | 149 | 0x180031380 |
| vkEnumerateInstanceExtensionProperties | 150 | 0x18002fff0 |
| vkEnumerateInstanceLayerProperties | 151 | 0x180030260 |
| vkEnumerateInstanceVersion | 152 | 0x1800304d0 |
| vkEnumeratePhysicalDeviceGroups | 153 | 0x180034100 |
| vkEnumeratePhysicalDevices | 154 | 0x180030ec0 |
| vkFlushMappedMemoryRanges | 155 | 0x180031720 |
| vkFreeCommandBuffers | 156 | 0x180032f00 |
| vkFreeDescriptorSets | 157 | 0x180032ab0 |
| vkFreeMemory | 158 | 0x180031630 |
| vkGetBufferDeviceAddress | 159 | 0x180035040 |
| vkGetBufferMemoryRequirements | 160 | 0x1800318b0 |
| vkGetBufferMemoryRequirements2 | 161 | 0x180034910 |
| vkGetBufferOpaqueCaptureAddress | 162 | 0x1800350a0 |
| vkGetDescriptorSetLayoutSupport | 163 | 0x180034b60 |
| vkGetDeviceBufferMemoryRequirements | 164 | 0x180035970 |
| vkGetDeviceGroupPeerMemoryFeatures | 165 | 0x180034790 |
| vkGetDeviceGroupPresentCapabilitiesKHR | 166 | 0x180042630 |
| vkGetDeviceGroupSurfacePresentModesKHR | 167 | 0x180042690 |
| vkGetDeviceImageMemoryRequirements | 168 | 0x1800359b0 |
| vkGetDeviceImageSparseMemoryRequirements | 169 | 0x1800359f0 |
| vkGetDeviceMemoryCommitment | 170 | 0x1800317c0 |
| vkGetDeviceMemoryOpaqueCaptureAddress | 171 | 0x180035100 |
| vkGetDeviceProcAddr | 172 | 0x18002ff70 |
| vkGetDeviceQueue | 173 | 0x180031480 |
| vkGetDeviceQueue2 | 174 | 0x180034a30 |
| vkGetDisplayModeProperties2KHR | 175 | 0x180042d10 |
| vkGetDisplayModePropertiesKHR | 176 | 0x180041f60 |
| vkGetDisplayPlaneCapabilities2KHR | 177 | 0x180042f30 |
| vkGetDisplayPlaneCapabilitiesKHR | 178 | 0x180042110 |
| vkGetDisplayPlaneSupportedDisplaysKHR | 179 | 0x180041e80 |
| vkGetEventStatus | 180 | 0x180031df0 |
| vkGetFenceStatus | 181 | 0x180031bb0 |
| vkGetImageMemoryRequirements | 182 | 0x180031910 |
| vkGetImageMemoryRequirements2 | 183 | 0x1800348b0 |
| vkGetImageSparseMemoryRequirements | 184 | 0x180031970 |
| vkGetImageSparseMemoryRequirements2 | 185 | 0x180034970 |
| vkGetImageSubresourceLayout | 186 | 0x180032270 |
| vkGetInstanceProcAddr | 187 | 0x18002fe60 |
| vkGetPhysicalDeviceDisplayPlaneProperties2KHR | 188 | 0x180042b20 |
| vkGetPhysicalDeviceDisplayPlanePropertiesKHR | 189 | 0x180041da0 |
| vkGetPhysicalDeviceDisplayProperties2KHR | 190 | 0x180042910 |
| vkGetPhysicalDeviceDisplayPropertiesKHR | 191 | 0x180041cc0 |
| vkGetPhysicalDeviceExternalBufferProperties | 192 | 0x180034550 |
| vkGetPhysicalDeviceExternalFenceProperties | 193 | 0x180034650 |
| vkGetPhysicalDeviceExternalSemaphoreProperties | 194 | 0x1800345d0 |
| vkGetPhysicalDeviceFeatures | 195 | 0x180030f90 |
| vkGetPhysicalDeviceFeatures2 | 196 | 0x1800341d0 |
| vkGetPhysicalDeviceFormatProperties | 197 | 0x180030ff0 |
| vkGetPhysicalDeviceFormatProperties2 | 198 | 0x1800342d0 |
| vkGetPhysicalDeviceImageFormatProperties | 199 | 0x180031050 |
| vkGetPhysicalDeviceImageFormatProperties2 | 200 | 0x180034350 |
| vkGetPhysicalDeviceMemoryProperties | 201 | 0x180031170 |
| vkGetPhysicalDeviceMemoryProperties2 | 202 | 0x180034450 |
| vkGetPhysicalDevicePresentRectanglesKHR | 203 | 0x1800427d0 |
| vkGetPhysicalDeviceProperties | 204 | 0x1800310b0 |
| vkGetPhysicalDeviceProperties2 | 205 | 0x180034250 |
| vkGetPhysicalDeviceQueueFamilyProperties | 206 | 0x180031110 |
| vkGetPhysicalDeviceQueueFamilyProperties2 | 207 | 0x1800343d0 |
| vkGetPhysicalDeviceSparseImageFormatProperties | 208 | 0x1800319d0 |
| vkGetPhysicalDeviceSparseImageFormatProperties2 | 209 | 0x1800344d0 |
| vkGetPhysicalDeviceSurfaceCapabilities2KHR | 210 | 0x180043050 |
| vkGetPhysicalDeviceSurfaceCapabilitiesKHR | 211 | 0x180041160 |
| vkGetPhysicalDeviceSurfaceFormats2KHR | 212 | 0x180043290 |
| vkGetPhysicalDeviceSurfaceFormatsKHR | 213 | 0x180041280 |
| vkGetPhysicalDeviceSurfacePresentModesKHR | 214 | 0x180041390 |
| vkGetPhysicalDeviceSurfaceSupportKHR | 215 | 0x180041050 |
| vkGetPhysicalDeviceToolProperties | 216 | 0x1800351c0 |
| vkGetPhysicalDeviceWin32PresentationSupportKHR | 217 | 0x180041a00 |
| vkGetPipelineCacheData | 218 | 0x180032510 |
| vkGetPrivateData | 219 | 0x180035a30 |
| vkGetQueryPoolResults | 220 | 0x180031fd0 |
| vkGetRenderAreaGranularity | 221 | 0x180032cf0 |
| vkGetSemaphoreCounterValue | 222 | 0x180034f20 |
| vkGetSwapchainImagesKHR | 223 | 0x1800416d0 |
| vkInvalidateMappedMemoryRanges | 224 | 0x180031770 |
| vkMapMemory | 225 | 0x180031680 |
| vkMergePipelineCaches | 226 | 0x180032570 |
| vkQueueBindSparse | 227 | 0x180031a30 |
| vkQueuePresentKHR | 228 | 0x180041790 |
| vkQueueSubmit | 229 | 0x1800314f0 |
| vkQueueSubmit2 | 230 | 0x180035ab0 |
| vkQueueWaitIdle | 231 | 0x180031540 |
| vkResetCommandBuffer | 232 | 0x180033020 |
| vkResetCommandPool | 233 | 0x180032e10 |
| vkResetDescriptorPool | 234 | 0x1800329f0 |
| vkResetEvent | 235 | 0x180031eb0 |
| vkResetFences | 236 | 0x180031b50 |
| vkResetQueryPool | 237 | 0x180035160 |
| vkSetEvent | 238 | 0x180031e50 |
| vkSetPrivateData | 239 | 0x180035a70 |
| vkSignalSemaphore | 240 | 0x180034fe0 |
| vkTrimCommandPool | 241 | 0x1800349d0 |
| vkUnmapMemory | 242 | 0x1800316d0 |
| vkUpdateDescriptorSetWithTemplate | 243 | 0x180034c80 |
| vkUpdateDescriptorSets | 244 | 0x180032b10 |
| vkWaitForFences | 245 | 0x180031c10 |
| vkWaitSemaphores | 246 | 0x180034f80 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 14:40:21 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\loaddll64.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff69ffc0000 |
| File size: | 165'888 bytes |
| MD5 hash: | 763455F9DCB24DFEECC2B9D9F8D46D52 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | false |
| Target ID: | 1 |
| Start time: | 14:40:21 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 2 |
| Start time: | 14:40:21 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7f0850000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 14:40:21 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 14:40:21 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 14:40:22 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff718b90000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 14:40:22 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff718b90000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 14:40:25 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 14:40:25 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff718b90000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 14:40:28 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 14:40:28 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff718b90000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 14:40:31 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 14:40:31 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 14:40:31 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 21 |
| Start time: | 14:40:31 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 23 |
| Start time: | 14:40:31 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 25 |
| Start time: | 14:40:31 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 27 |
| Start time: | 14:40:32 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 29 |
| Start time: | 14:40:32 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 31 |
| Start time: | 14:40:32 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 33 |
| Start time: | 14:40:32 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 34 |
| Start time: | 14:40:32 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 35 |
| Start time: | 14:40:32 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 36 |
| Start time: | 14:40:32 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 38 |
| Start time: | 14:40:32 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 40 |
| Start time: | 14:40:32 |
| Start date: | 24/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a9480000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2A8000 Relevance: 25.7, APIs: 9, Strings: 5, Instructions: 1226COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2234F0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 245COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2AA5B4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF29AF84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF222613 Relevance: .4, Instructions: 440COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2829D0 Relevance: .4, Instructions: 351COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF28B7E8 Relevance: .3, Instructions: 339COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF283A58 Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF282420 Relevance: .2, Instructions: 250COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2834C0 Relevance: .2, Instructions: 241COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF294C28 Relevance: .2, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF29D204 Relevance: .2, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2ABA14 Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF284804 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF284E10 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF284600 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF284C0C Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2843FC Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF284A08 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF295740 Relevance: .1, Instructions: 138COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF28D3B4 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2219B0 Relevance: .1, Instructions: 111COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF24C070 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 248COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF29B5BC Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2A7364 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 88libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2902D8 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2ACC28 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2A4AD0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 299fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF29FAC8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 167COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2AA634 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF28B148 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2A3D6C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2A5AB4 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 204fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF2A5168 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FFDFF27F144 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |