Windows
Analysis Report
u9R1HA4M7B.dll
Overview
General Information
Sample name: | u9R1HA4M7B.dll (renamed file extension from exe to dll, renamed because original name is a hash value) |
Original sample name: | f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d.exe |
Analysis ID: | 1431871 |
MD5: | 180669dd53e9169c7775d5acc4b79a9f |
SHA1: | faf9e7a6bfd0e766230f6c615693829c86fa7ff3 |
SHA256: | f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d |
Tags: | exewineloader |
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll64.exe (PID: 6716 cmdline: loaddll64.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
- conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5596 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- rundll32.exe (PID: 2336 cmdline: rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 7140 cmdline: C:\Windows\system32\WerFault.exe -u -p 2336 -s 140 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- rundll32.exe (PID: 6432 cmdline: rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_CreateFrameInfo MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 6648 cmdline: C:\Windows\system32\WerFault.exe -u -p 6432 -s 232 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- rundll32.exe (PID: 7296 cmdline: rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_CxxThrowException MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 7332 cmdline: C:\Windows\system32\WerFault.exe -u -p 7296 -s 128 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- rundll32.exe (PID: 7424 cmdline: rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_FindAndUnlinkFrame MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 7460 cmdline: C:\Windows\system32\WerFault.exe -u -p 7424 -s 236 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
WINELOADER | | | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_WineLoader | Yara detected WineLoader | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_WineLoader | Yara detected WineLoader | Joe Security | ||
JoeSecurity_WineLoader | Yara detected WineLoader | Joe Security | ||
JoeSecurity_WineLoader | Yara detected WineLoader | Joe Security | ||
JoeSecurity_WineLoader | Yara detected WineLoader | Joe Security | ||
JoeSecurity_WineLoader | Yara detected WineLoader | Joe Security |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FFE1463A45A | |
Source: | Code function: | 0_2_00007FFE146394D4 | |
Source: | Code function: | 0_2_00007FFE146385AC | |
Source: | Code function: | 0_2_00007FFE14637957 |
Source: | Process created: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Window detected: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Process information set: |
Source: | API coverage: |
Source: | Last function: |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_00007FFE14640338 |
Source: | Process created: |
Source: | Code function: | 0_2_00007FFE1464028C |
Source: | Code function: | 0_2_00007FFE1463AC8A |
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Timestomp | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 System Owner/User Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 2 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 39% | ReversingLabs | Win64.Trojan.Generic | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1431871 |
Start date and time: | 2024-04-25 22:12:04 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 20 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | u9R1HA4M7B.dll (renamed file extension from exe to dll, renamed because original name is a hash value) |
Original Sample Name: | f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d.exe |
Detection: | MAL |
Classification: | mal60.troj.winDLL@16/17@0/0 |
EGA Information: | |
HCA Information: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.73.29
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: u9R1HA4M7B.dll
Time | Type | Description |
---|---|---|
22:13:02 | API Interceptor | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_315cf41d-180d-42fe-9df9-a19be070e75b\Report.wer
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.691507820725168 |
Encrypted: | false |
SSDEEP: | 96:YMpeF5V7iEyKyQsjC4Rv1yHpSsQXIDcQZc6McEPcw3m/XaXz+HbHgSQgJjNZAX/F:YtFiEyQU03IFiXjMzuiFt+Z24lO8S |
MD5: | 8A3A2203271203DB330AE235CD9C2780 |
SHA1: | 798FD9639100DFF358338774EB6B2343D718EC62 |
SHA-256: | 7EEC08F070B28CB54416DFE842FE9093C419EDB1F306D76A7D437C3668FD4D79 |
SHA-512: | A189F7E6A2AF5C9844373707EBCFC9C03B2CE704D080B52089F4CED935B08E35B3CBBB1773AEB5344FD46385FD624494BE49ECDBD4F4124AF7EFD60E7CB8ECCE |
Malicious: | false |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_4d33789e-b009-45d7-956c-442afac19bec\Report.wer
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.69145670916839 |
Encrypted: | false |
SSDEEP: | 96:cfgFQ4G7iX3yKyOsjC4Rv1yHpSsQXIDcQZc6McEPcw3m/XaXz+HbHgSQgJjNZAX9:xuTiX3yOU03IFiXjMzuiFt+Z24lO8S |
MD5: | 47CA43A527FAB44968E7BCFFC3E686D9 |
SHA1: | F793A344B6B3C08DCA83ADDA6395C3A4FB53DB26 |
SHA-256: | 7B1C00B8E9977C7AF71D5C803C303AC157BBBF383FDF23D20C1515305BCE166A |
SHA-512: | F92B08388227F27E5B8DF685CFEECFEC6E13316A70A4F8DA80EF69F66E35EB06BE56E1D5FBEAFD2BDD1C695CD4240044427DF64EF12E6054972BC8F704ABE14E |
Malicious: | false |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_ab11d3bd-b6ac-4ab3-b71a-426236c34122\Report.wer
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6915812318575917 |
Encrypted: | false |
SSDEEP: | 96:EJ0FkRF7iIyKyUsjC4Rv1yHpSsQXIDcQZc6McEPcw3m/XaXz+HbHgSQgJjNZAX/F:q0CRZiIyUU03IFiXjMzuiFt+Z24lO8S |
MD5: | 8BEA8537656AC778C06A92E0DAD1BC18 |
SHA1: | 228A1EA00B56ACBDD9089CDF06DACDE68B1501D8 |
SHA-256: | 72EE33AFF0DCAF01CB3FB66D74D064EF35294FC30F5DC60693BE526A6E8D72DB |
SHA-512: | 336BE3AF55177E90D14882587BE3E42B5539B29DECE651D0661B58ACCA3A2A24F1EFDD330482F4E9BE5DF01F4261357F061B92C135C53F7F71E012E100E6E886 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_b8be7178-c123-40e8-8433-717dd469d09c\Report.wer
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6913971916977464 |
Encrypted: | false |
SSDEEP: | 96:Q0FRyr7i6yKydsjC4Rv1yHpSsQXIDcQZc6McEPcw3m/XaXz+HbHgSQgJjNZAX/df:ZGi6ydU03IFiXjMzuiFt+Z24lO8S |
MD5: | 8933077FD0D2AD3EA2A9077E3385F1B9 |
SHA1: | 121781D6D8E6933B254EFAD919053EC36232D639 |
SHA-256: | E8F9436E32E277A23A68F68EB1284749216C149A997A85E2BFB7FD538907D7BB |
SHA-512: | 9B37D2153B3B27D56DE2AEC75DD1BE01E3DB991A2CBA3181E08985D5718F8F28BF00E43853CFC429C1FF4D8D682D3825DC96C96BFD4B2B6C52F18ED133F351D4 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 49298 |
Entropy (8bit): | 1.4305543567010404 |
Encrypted: | false |
SSDEEP: | 96:508RE3noYFvmtUFVzzGVoi7MTZW3l+2VFw7w0WIOnIpgYrvnnW:1+LJOMT92L3YDnW |
MD5: | 3C0C952B0F3CE49F3485708BCA29679C |
SHA1: | C7C077B05CD6FFBFFB46369A310B2555792DCE12 |
SHA-256: | EB85B071341B1C1A21CADAFA50847DA6D7D6F6D1A1857E4FFF442A32B983574E |
SHA-512: | B939FD445335A21AE282EA9AA73DF1A84CA4976EC2C44D5D79A09A095E81DDFA0FEE4BA8F13D07FBD664D0B28CCFF5DEE64D5822D7C9FB31E237765CDB64B4A0 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 49006 |
Entropy (8bit): | 1.4446868138846818 |
Encrypted: | false |
SSDEEP: | 96:508nE3O9dYFvmtUFVm9VRoi7MjIq5sK/uiVZVVQnf+ftBH0cAvA6LLQRooo+fWIC:1Np9wOMjT/uiVZVVQnGf/A |
MD5: | D318BDAA4287A58C5D335EDC7C42AB51 |
SHA1: | 2822B9C34CFB1FEB46531233A90C8B3BE69853D5 |
SHA-256: | 60B288116C9410E08536908CC8343FE92931BC1ABE4C3CC10127416025123975 |
SHA-512: | 85A422F1E754E1A871AD6DCE459883D7B027EC0806B0321C290582C783B7F022C887331CD732D682453800C7B02A760CBD0D5529A0E9402E4488EAF091142134 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8600 |
Entropy (8bit): | 3.694221789035244 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJBVyIj9s6Y0HLD80gmfDiNa/pD+89bLj0fdZm:R6lXJzyd6YIzgmfDiNeLwfq |
MD5: | 399F7C22B5FBF82A1497F8750D68E549 |
SHA1: | 4C1D61EFDC5C7B68F8FF08C2427A905E185CD496 |
SHA-256: | 7AE622F09E795D9B45D4CF4A8D191453BCBE996C39EDAF3F91BADCF0F5CB8F67 |
SHA-512: | 4B767542314E7AD43619A685DFBFF91F014036E03A01F6FE9E411BAB0393E9E1BAD0D603F11E3A2AEE7233C24F9840B5161A72A3DAB9AC53D86BE5CCF927CAEA |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8592 |
Entropy (8bit): | 3.692518340943735 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJeqyO9I6YPEmgmfDiNa/pDy89bL/0fxFZm:R6lXJzyb6YsmgmfDiNSLMfxC |
MD5: | 661BEBB211BF8C149958FA50CC4AC0BE |
SHA1: | 1998505010E5B30504B715BF242553DCF224836C |
SHA-256: | 35FD8F87DEB0C70A1C33FFB850C5723E09AA5B6DCCB83340317BF85F5EE2AF18 |
SHA-512: | C1BF005C2026BB4406A0894351CE3D251B1758774CB0254B0D7ED419752EA7FAF80D521997BF47553000E7D515C475A0D3F9C6E08B4E7A835341B9C4510938F4 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4878 |
Entropy (8bit): | 4.4745465336272705 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsaJg771I9QzWpW8VYIYm8M4JCJChYgFVyq8vhhYlptSTSmd:uIjfoI7XC7VMJHW0poOmd |
MD5: | 9F854996CCA1AEA2C513E1593B2E17FA |
SHA1: | 5888BF02473EE4E29EAAFD2C92BC09999F19EC2D |
SHA-256: | C38F9884E6808791C18F306D5F7889D9A1C8DD8BEC98EBC59619F5705972737D |
SHA-512: | DC6AFD63B73F42A7D755F2FAE3DAC4CD690B24603F7E02FB158D24781ECE3F645B93376F7972712D82A3F2472679056C71DBD21F301ADEBB8CA7339A5266D21D |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4878 |
Entropy (8bit): | 4.476671377387129 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsaJg771I9QzWpW8VY3Ym8M4JCJChYgFdyq8vhhY92ptSTSDd:uIjfoI7XC7V3JTWK2poODd |
MD5: | B0B4A6445D4614F69B180861F1EF0557 |
SHA1: | CC2D4756E93415B32B57234D6F4DA2F07898B925 |
SHA-256: | 2DC7646ECC73A8EF7C9717C2ED6F9C4D718185FE2BB4FE4CEA0E74A84F90C8C5 |
SHA-512: | F7A47A74FEB7AF879E6AD7D00026C16490DB387FBD243A6BCD2FCA20358021012C92A695DBAFCC4D95E9182319FB65B87C0CED8DD58FADFDAD8B56917AA006EA |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 49954 |
Entropy (8bit): | 1.4161045119296658 |
Encrypted: | false |
SSDEEP: | 96:57S8VE3lMwhCYFvmtUFVpKDdoi7MTLh4W+jC/ViuPU0HYuYWI1zGI5gVvx:Fhovhu2OMTwGpzAgj |
MD5: | 3EF44344739E09B50E7B0BC371D814E8 |
SHA1: | 81ADCA826E2D835D6B80189D7665058AC10449BD |
SHA-256: | 71C4105DE28805D4C1186CC076529FAFEE1951C1CB5EC6EE0D1412679E99B2F7 |
SHA-512: | 3A8D60F2C19A847144DF206DAB7E0B6BFF974C20205B04BE2387A3B6FEF0F2D58893E91560E0449D59063E03E0F2C573CA241EC43FD96C4FF507DD5138FBB002 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8590 |
Entropy (8bit): | 3.6926324025637376 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJHtuy49u6YPWmgmfDiNa/pDl89b9Ecf0c8/m:R6lXJkyL6YOmgmfDiNj9Xfj |
MD5: | 239D3584078842354ACECA5ED2026EB3 |
SHA1: | 11C96A9C4795F9854264A65A6C55BE1CFC879910 |
SHA-256: | 5D978513B12FB320F76117BA8D0B92AEABF0A5D27CF1F589B42D1F3DC42801A3 |
SHA-512: | EC979E551EF24E0A99D6179D916785A66FB941F46CC91124B670ADE156F0618FB0D25CA010BFA3F1FA23DED3DC9B3FD5C1B3B85260DCBD9B86E885CDB6334E59 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4878 |
Entropy (8bit): | 4.474782354737111 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsaJg771I9QzWpW8VYqYm8M4JCJChYgFaAyyq8vhhYNptSTShhd:uIjfoI7XC7V6JGW8poOhhd |
MD5: | 56F62AFEDF619D829397221D1DB45761 |
SHA1: | BBC0C7824E44A3635CE4F32DC528CEF6606822A9 |
SHA-256: | AEAD2B780CFCA1D88457E1A81CA836D9863AA9E9EE4C906ADFE138E2FCC8291F |
SHA-512: | 6BE1E7175CB186BC9621A58FAF9B0F9845EE81621A402E7ED1D04A6A5E933A89104488F1AB629BD83526CA7D7FEE60207A3F40C0C735FC716623CFC6763BD2EF |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 50338 |
Entropy (8bit): | 1.3941467383715735 |
Encrypted: | false |
SSDEEP: | 192:UVzNSOMf5Nl7UHkowVFLhLaQDudKnzHqH+:anEVIHkowVFLRaQydKnzKe |
MD5: | DDD663A0176BCB6357D1D93C8FC299E3 |
SHA1: | 4176B2C1208340E5F3C9293870E46685754A20E0 |
SHA-256: | 4C05ECF502625038D5859E2D8CAD26863B574DFEA8789912B79CAACA8575F312 |
SHA-512: | C1DA62825BC2AA8C03C3F276EE9A828AFB273781F74318E9E848D93F4C7AE90326D3CD949E3EF6DD862319F8C65409700FC970FEBF4C506AEDFD6CBD78FAC61C |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8592 |
Entropy (8bit): | 3.692121538124629 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJY9BX9HZ6YP5mgmfDiNa/pDP89bmXNf0im:R6lXJyBVZ6YxmgmfDiN5m9fQ |
MD5: | A9FC48A7F4469AAF4597781D052C31C2 |
SHA1: | 6449996442DB3FD57720646750A8468C80B4BD73 |
SHA-256: | 98A8208FF6CAA3F48C371F2E67A0236E6396AB98334E22C1EFFB3D355C6F7E22 |
SHA-512: | C5EFC8C077DE27AFF823D9C64CC4E99E10807C6E185671737A5D736116D22D25AC1C99D5820D824F78856B2FBCD35A994CF5693DE0AA8D9A9D7E913FC6B2630A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4878 |
Entropy (8bit): | 4.477570678344253 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsaJg771I9QzWpW8VY4Ym8M4JCJChYgFhyq8vhhYJzptSTSvd:uIjfoI7XC7VcJPWYpoOvd |
MD5: | D5F2562CD3CDE7EF958BE7090239F038 |
SHA1: | 8001EE7044F02E27D9434DB2C59E027E4E1D0CA3 |
SHA-256: | 53CCBE6DA668C56BE2CF0178B6D6CA3ED038677046C0C400E67CB7795FCA4115 |
SHA-512: | 3098D38457197A7688022747B7BF1A3395343815538DF860416AF8B8F758B6D9F1BA31C5173CC235B89E0FE67E220733C3BA8F6597AC001FCC4597CB9572B50A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.46638485134926 |
Encrypted: | false |
SSDEEP: | 6144:AIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:FXD94zWlLZMM6YFHa+9 |
MD5: | 77C80B1F231AF4272027EF8B96C953EC |
SHA1: | 14630FA9BF17B9359A5B20D77190E2843A8CB220 |
SHA-256: | CB12DE3570333B9AA5BED6CA5AB49B3FEBF7B47E51DF379A4D87AD98106A8772 |
SHA-512: | E95913C1991D9B6DC88F8C9C33A57F08C0259672BFAB3D9B285863FB3279A0A74FCD73EEA7F29516167CD07B8F609686560C4923304CB9BD15421236366D81DA |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.4592932953759785 |
TrID: | |
File name: | u9R1HA4M7B.dll |
File size: | 98'736 bytes |
MD5: | 180669dd53e9169c7775d5acc4b79a9f |
SHA1: | faf9e7a6bfd0e766230f6c615693829c86fa7ff3 |
SHA256: | f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d |
SHA512: | f77036135f9dde670b56d9ba3ae644c0232adadf657583e17ec45274dc619d0f31a5b2c96b9cf1729251361942c65f62a8cf97cddced472d48e3b0e53d3bce5c |
SSDEEP: | 1536:zxhUIePlHhRUzXyNC6+iv7u0/7eAD4AALuXvycecbni10DWZz:zvcUzXyNbhS0/7vD4Ax3ecbnG1 |
TLSH: | C4A33802F2A940B9D09EC2B48396E727B7B074089B6077CF17A54B251E97F909F3935B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8..I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9..... |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x7fffe43ccf2a |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x7fffe43c0000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
Time Stamp: | 0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 7f07fd94e5bb907093556781cc464017 |
Signature Valid: | false |
Signature Issuer: | CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | 550C27BE6F1184B6CC93B4B4E2EA9D58 |
Thumbprint SHA-1: | C9CAEDC2CECF953E812C6446D41927B9864BB880 |
Thumbprint SHA-256: | 63E8D95BCEE4522E6380E7F9305A676C0880AD93AD3BA9CB53FE43D6081A1025 |
Serial: | 3300000255181DA42EE086FC15000000000255 |
Instruction |
---|
inc ecx |
push edi |
inc ecx |
push esi |
inc ecx |
push ebp |
inc ecx |
push esp |
push esi |
push edi |
push ebp |
push ebx |
dec eax |
sub esp, 00000158h |
movaps esp+00000140h, dqword ptr [xmm7] |
movaps esp+00000130h, dqword ptr [xmm6] |
dec eax |
mov esi, ecx |
dec eax |
lea edi, dword ptr [esp+000000C0h] |
dec eax |
mov dword ptr [edi-08h], 0000000Ch |
dec eax |
mov eax, 00F7D404h |
in eax, dx |
js 00007FD858BB780Ch |
outsd |
dec eax |
mov dword ptr [edi], eax |
mov dword ptr [edi+08h], FCF1BF11h |
inc ecx |
mov esi, 00000001h |
dec esp |
mov dword ptr [edi+0Ch], esi |
mov edx, 0000000Ch |
dec eax |
mov ecx, edi |
call 00007FD858BB1960h |
xor ebp, ebp |
mov dword ptr [edi+0Ch], ebp |
dec eax |
lea ebx, dword ptr [esp+78h] |
dec eax |
mov dword ptr [ebx-08h], 0000001Ah |
movups xmm6, dqword ptr [FFFF9EF2h] |
movups dqword ptr [ebx], xmm6 |
movups xmm7, dqword ptr [FFFF9EF2h] |
movups dqword ptr [ebx+0Ah], xmm7 |
dec esp |
mov dword ptr [ebx+1Ch], esi |
mov edx, 0000001Ah |
dec eax |
mov ecx, ebx |
call 00007FD858BB1928h |
mov dword ptr [ebx+1Ch], ebp |
dec eax |
mov ecx, ebx |
call 00007FD858BB1AE7h |
dec eax |
mov ecx, eax |
dec eax |
mov edx, edi |
call 00007FD858BB1B4Dh |
call eax |
dec eax |
cmp dword ptr [esi], 00000000h |
je 00007FD858BB78EEh |
dec esp |
lea esi, dword ptr [esp+70h] |
dec ecx |
mov dword ptr [esi+08h], 00000000h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x14330 | 0x834 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b64 | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x3d0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x17000 | 0xb70 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x15a00 | 0x27b0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0x1a0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x12df0 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x12cb0 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x10000 | 0xfc00 | 04eb33aa9e6b038b535164fd05125e11 | False | 0.5051773313492064 | data | 6.435321041244554 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x11000 | 0x5000 | 0x4200 | 8fcb1166becbcee82e5ade4c005ba659 | False | 0.3974313446969697 | SysEx File - ADA | 4.843091866116115 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.data | 0x16000 | 0x1000 | 0x400 | 317b92eb9b8980fbb7e3d768cb5131e1 | False | 0.1953125 | DOS executable (block device driver =\344\377\177) | 2.6154988641607586 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x17000 | 0x1000 | 0xc00 | fc0281b543ce69732b9e511c59978715 | False | 0.4811197916666667 | PEX Binary Archive | 4.6976656411659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_RDATA | 0x18000 | 0x1000 | 0x200 | 16cc8eb01a68a62dea3ee2c7c598cd9f | False | 0.390625 | data | 2.7869372198389426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x19000 | 0x1000 | 0x400 | d461d102eb9f793e52452eca0d0f2a5c | False | 0.412109375 | data | 3.195335377178025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x1a000 | 0x1000 | 0x200 | e2c21ce14270df72445259f3b4a18a3b | False | 0.642578125 | data | 4.614856328897942 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x19060 | 0x36c | data | English | United States | 0.4406392694063927 |
DLL | Import |
---|---|
api-ms-win-crt-runtime-l1-1-0.dll | terminate, abort |
api-ms-win-crt-heap-l1-1-0.dll | calloc, malloc, free |
api-ms-win-crt-string-l1-1-0.dll | strcpy_s, strncmp, wcsncmp |
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf, __stdio_common_vsprintf_s |
api-ms-win-crt-convert-l1-1-0.dll | atol |
KERNEL32.dll | GetLastError, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlCaptureContext, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, RtlLookupFunctionEntry, RtlUnwindEx, GetModuleHandleW, GetModuleFileNameW, RtlUnwind, EncodePointer, RaiseException, RtlPcToFileHeader, InterlockedPushEntrySList, InterlockedFlushSList, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetProcAddress, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW |
Name | Ordinal | Address |
---|---|---|
_CreateFrameInfo | 1 | 0x7fffe43cfba0 |
_CxxThrowException | 2 | 0x7fffe43c6630 |
_FindAndUnlinkFrame | 3 | 0x7fffe43cfbe0 |
_IsExceptionObjectToBeDestroyed | 4 | 0x7fffe43c25a0 |
_SetWinRTOutOfMemoryExceptionCallback | 5 | 0x7fffe43c25d0 |
__AdjustPointer | 6 | 0x7fffe43c25e0 |
__BuildCatchObject | 7 | 0x7fffe43c56e0 |
__BuildCatchObjectHelper | 8 | 0x7fffe43c56f0 |
__C_specific_handler | 9 | 0x7fffe43cef20 |
__C_specific_handler_noexcept | 10 | 0x7fffe43cecd0 |
__CxxDetectRethrow | 11 | 0x7fffe43c5710 |
__CxxExceptionFilter | 12 | 0x7fffe43c5760 |
__CxxFrameHandler | 13 | 0x7fffe43cfc90 |
__CxxFrameHandler2 | 14 | 0x7fffe43cfc90 |
__CxxFrameHandler3 | 15 | 0x7fffe43cfca0 |
__CxxQueryExceptionSize | 16 | 0x7fffe43c5950 |
__CxxRegisterExceptionObject | 17 | 0x7fffe43c5960 |
__CxxUnregisterExceptionObject | 18 | 0x7fffe43c5a10 |
__DestructExceptionObject | 19 | 0x7fffe43c2520 |
__FrameUnwindFilter | 20 | 0x7fffe43c2610 |
__GetPlatformExceptionInfo | 21 | 0x7fffe43c2680 |
__NLG_Dispatch2 | 22 | 0x7fffe43c1140 |
__NLG_Return2 | 23 | 0x7fffe43c1150 |
__RTCastToVoid | 24 | 0x7fffe43c6110 |
__RTDynamicCast | 25 | 0x7fffe43c6170 |
__RTtypeid | 26 | 0x7fffe43c62e0 |
__TypeMatch | 27 | 0x7fffe43c5700 |
__current_exception | 28 | 0x7fffe43c26e0 |
__current_exception_context | 29 | 0x7fffe43c2700 |
__intrinsic_setjmp | 30 | 0x7fffe43d05f0 |
__intrinsic_setjmpex | 31 | 0x7fffe43d06b0 |
__processing_throw | 32 | 0x7fffe43c2720 |
__report_gsfailure | 33 | 0x7fffe43d0370 |
__std_exception_copy | 34 | 0x7fffe43c6390 |
__std_exception_destroy | 35 | 0x7fffe43c6420 |
__std_terminate | 36 | 0x7fffe43c2740 |
__std_type_info_compare | 37 | 0x7fffe43c6470 |
__std_type_info_destroy_list | 38 | 0x7fffe43c64a0 |
__std_type_info_hash | 39 | 0x7fffe43c64d0 |
__std_type_info_name | 40 | 0x7fffe43c6510 |
__telemetry_main_invoke_trigger | 41 | 0x7fffe43c1d30 |
__telemetry_main_return_trigger | 42 | 0x7fffe43c1d30 |
__unDName | 43 | 0x7fffe43ceac0 |
__unDNameEx | 44 | 0x7fffe43ceaf0 |
__uncaught_exception | 45 | 0x7fffe43c66d0 |
__uncaught_exceptions | 46 | 0x7fffe43c66f0 |
__vcrt_GetModuleFileNameW | 47 | 0x7fffe43c6df0 |
__vcrt_GetModuleHandleW | 48 | 0x7fffe43c6e00 |
__vcrt_InitializeCriticalSectionEx | 49 | 0x7fffe43c6d80 |
__vcrt_LoadLibraryExW | 50 | 0x7fffe43c6e10 |
_get_purecall_handler | 51 | 0x7fffe43c6e20 |
_get_unexpected | 52 | 0x7fffe43c6710 |
_is_exception_typeof | 53 | 0x7fffe43c2750 |
_local_unwind | 54 | 0x7fffe43c1de0 |
_purecall | 55 | 0x7fffe43c6e30 |
_set_purecall_handler | 56 | 0x7fffe43c6e50 |
_set_se_translator | 57 | 0x7fffe43c5652 |
longjmp | 58 | 0x7fffe43c1db0 |
memchr | 59 | 0x7fffe43c1170 |
memcmp | 60 | 0x7fffe43c11f0 |
memcpy | 61 | 0x7fffe43c12f0 |
memmove | 62 | 0x7fffe43c12f0 |
memset | 63 | 0x7fffe43c19a0 |
set_unexpected | 64 | 0x7fffe43c6740 |
strchr | 65 | 0x7fffe43c1e10 |
strrchr | 66 | 0x7fffe43c1e90 |
strstr | 67 | 0x7fffe43c1fd0 |
unexpected | 68 | 0x7fffe43c6770 |
wcschr | 69 | 0x7fffe43c21d0 |
wcsrchr | 70 | 0x7fffe43c2250 |
wcsstr | 71 | 0x7fffe43c2300 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Target ID: | 0 |
Start time: | 22:12:51 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\loaddll64.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7db9a0000 |
File size: | 165'888 bytes |
MD5 hash: | 763455F9DCB24DFEECC2B9D9F8D46D52 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Target ID: | 1 |
Start time: | 22:12:51 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 22:12:51 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff73f970000 |
File size: | 289'792 bytes |
MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 22:12:51 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6696e0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 22:12:51 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6696e0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 22:12:51 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff799a50000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 22:12:51 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff799a50000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 22:12:54 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6696e0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 22:12:54 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff799a50000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 13 |
Start time: | 22:12:57 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6696e0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 15 |
Start time: | 22:12:57 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff799a50000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 6.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 14.6% |
Total number of Nodes: | 492 |
Total number of Limit Nodes: | 3 |
Function | Relevance | APIs | Strings | Instructions | Tags | Uniqueness Score |
---|---|---|---|---|---|---|
00007FFE14637957 | .2 | | | 235 | COMMON | -1.00% |
00007FFE14632EF4 | 17.8 | 7 | 3 | 314 | COMMON | -1.00% |
00007FFE146333C0 | 14.3 | 5 | 3 | 314 | COMMON | -1.00% |
00007FFE1463E600 | 8.9 | 1 | 4 | 194 | COMMON | -1.00% |
00007FFE14633ACC | 8.9 | 3 | 2 | 189 | COMMON | -1.00% |
00007FFE146338B0 | 8.9 | 3 | 2 | 146 | COMMON | -1.00% |
00007FFE14634268 | 7.2 | 1 | 3 | 163 | COMMON | -1.00% |
00007FFE14634040 | 7.1 | 2 | 2 | 144 | COMMON | -1.00% |
00007FFE1463EF20 | 7.1 | 2 | 2 | 144 | COMMON, LIBRARYCODE | -1.00% |
00007FFE14632610 | 7.0 | 1 | 3 | 28 | COMMON | -1.00% |
00007FFE14634930 | 5.4 | 2 | 1 | 116 | COMMON | -1.00% |
00007FFE1463ECD0 | 5.3 | 1 | 2 | 22 | COMMON | -1.00% |