Analysis Report 6vywr0yn.php
Overview
General Information
Detection
Score: | 23 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
Analysis Advice |
---|
Sample crashes during execution; try analyzing it on another analysis machine |
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior |
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Section loaded: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | File read: |
Source: | Process created: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Key value created or modified: |
Source: | Process information set: |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Process queried: |
Source: | Process token adjusted: |
MITRE ATT&CK Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | DLL Side-Loading1 | Process Injection1 | Modify Registry1 | OS Credential Dumping | Security Software Discovery11 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Virtualization/Sandbox Evasion1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading1 | NTDS | System Information Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 326344 |
Start date: | 03.12.2020 |
Start time: | 10:20:41 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 28s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | 6vywr0yn.php (renamed file extension from php to dll) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 17 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | SUS |
Classification: | sus23.winDLL@3/8@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
10:21:44 | API Interceptor | |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8500 |
Entropy (8bit): | 3.7585343342186524 |
Encrypted: | false |
SSDEEP: | 96:b4N88zCW0y9y9hTyf7uf5pXIQcQvc6QcEDMcw3DS+a+z+HbHg/8BRTf3FOyYc/N+:MuUIHBUZMX4jc//u7s1S274ItW0 |
MD5: | 1E0E517C2D0A46C09748898C2050DAD8 |
SHA1: | 9B3CE0A16AB3B879F488743AC8CA19DF62CE62E2 |
SHA-256: | 1DC958FF3F40E9AE3C39620D6E2895871A041A981B02D006E1504828E84DD1E8 |
SHA-512: | D7D8A5CD3DBCD41890CA12750922742FCA8BC67B4B1B304D9F877ACC0D917F15EC1E53BEF4C699C6C864C1A6CC6BE7ADCA359AC219FB0AB033D4D41349033CE2 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8758 |
Entropy (8bit): | 3.758500655021495 |
Encrypted: | false |
SSDEEP: | 96:62VRRzCW0yuy9hTqz79fepXIQcQSc6mcEkcw3L+a+z+HbHgVVG4rmMoVazWbSmOq:3R4UkyHsieHjEq/u7s1S274ItWk |
MD5: | 02C86A7C66904914D22834E72CC79EED |
SHA1: | E6E43C77245186FF7D4DE0653DDB63865E38D926 |
SHA-256: | E19BF1B36FA28692D20EF77150FB0F4C98E0BDE16FA10D0E3AA3ADF49BFE0B63 |
SHA-512: | BF201BBAE1FDA9BC968064E5267BBB0F63D86ADD4380D3FC63FAA03EE831FC9BBF4ED3D6D9CD7FB42DD15287E8CA7E12CC3A11C1FA91BDFCBF44A2B2EF55B999 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 37314 |
Entropy (8bit): | 1.9910558024273979 |
Encrypted: | false |
SSDEEP: | 192:nfDTpt/U/QbB/VzA5L9702aXl6ZF+sX3826v2oTq95g2:7Tj/TB/q5L9o1XEfX3H+2oTm |
MD5: | 771C819AABAE7AF1767EC41C6FFAF597 |
SHA1: | C4ACC48E195F11AA315EB836163B205BCDCC3B1D |
SHA-256: | BD0540BDF38667648D4D89CE90ACFE212165E5C9D862ED44B3B4BE829A8AEB28 |
SHA-512: | B1A5DB4851DE00B9F57A0E8725B8E617B7F85F13A25BE1B3E8B9074856D10ED8D95B7C3F820FD1F7D037A69C3C7515251517ADBE7F3BFAEC0CECD21F6FDF28CB |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8280 |
Entropy (8bit): | 3.6934651482957968 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiU16eHI6YrJSUOvTgmfwSP+pBr89b0gGsfxRwGGm:RrlsNim6x6YVSUOvTgmfwSFjlfxR7 |
MD5: | F647F15321517ED5E2FD2A76F6B2CD76 |
SHA1: | 790561EC713D3564E4EA8A91B496B7C9D1586DE4 |
SHA-256: | B4BDF0EE5815C1795BDFD73F2037CFE1FA39E834CF4B91C6B96C14A79309A957 |
SHA-512: | 5AED7CD9BEB45B0A03ED51AF70EA2581375B99E1BF464A61BCA741B19C2EF225E28CAF505A21F7F2DFE0758775056F3570964F37448CC04C0E94344D2A71FEFA |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4559 |
Entropy (8bit): | 4.431764953573035 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs4JgtWI9sCWSC8Bhl8fm8M4JO8F++q83QKcQIcQwv+89d:uITf+7DSNrSJ2rKkwv+Kd |
MD5: | 9497050975452F4680AA09AEC5E37567 |
SHA1: | B857D1A0336C340B3D0211CD19A49CB59A4455F0 |
SHA-256: | 3818442B0673868E62DD6E9F08B85242E1AE1B26F96AA763C3BA0C01BB67EFFC |
SHA-512: | 4A683AD0E50B4DC06BEB8C923383ECA6E767C78CEDD47C30497B9BC725FCE84445C9F23FB25AF3E5E447501A33E454874751BD876A38684CFE49925B9F6C3E06 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 36318 |
Entropy (8bit): | 1.9873876052427046 |
Encrypted: | false |
SSDEEP: | 192:0eYO60feNB/VzE7KGQ362ajx6hu5MxVEkkkO9iZP:72NB/FEeK1jo8eokPO9+ |
MD5: | 6BF96D6C1C550EF0AD442AE30A54A125 |
SHA1: | 6D0C44587B0CABAB209FCD6249638931A2771C96 |
SHA-256: | 759A98FD4D0703263F9FF134871C2E500C9432C3970F0B2E1AF9FE17491E7D24 |
SHA-512: | A79B237B6AAA042EBB00825A4312238A3F728E4953C410C24D486036B1DCD15A1EBFB31DFBF5EF08A22CBEDF648F9119F8AFF29604F1A50745F503A0C1B961D3 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8272 |
Entropy (8bit): | 3.6952714399644333 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiUH6X6YrlSUQvAgmfQSt+pry89b0NGsfXGVm:RrlsNiU6X6YJSUQvAgmfQSC+lfL |
MD5: | 27BB424056881AE77F3043D61DDAC3A9 |
SHA1: | C399A0662BAD559D10B88BF4D1631312E70D9C4D |
SHA-256: | 8FC8BA7D672F5EF302A32B5D0395E93B677276EA4AC038F82BE33934EB232763 |
SHA-512: | A5CF468837F10590BDBA005869DB6625D80FFDD9D569069437C36278D521802955257580F8B8CF98AA8EEB31532F5CCC0E6770EF897ED944281F15C52FFC896E |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4555 |
Entropy (8bit): | 4.431340587639428 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs4JgtWI9sCWSC8BF/8fm8M4JOeFQi+q8I9KcQIcQwv+89d:uITf+7DSNcJ7zKkwv+Kd |
MD5: | 13F8649D72259129C3418689D987E4C8 |
SHA1: | 8F302186E37E984319F40265692EDC4450D4F508 |
SHA-256: | 46E7230C3AA97024EBAA2C6B95235D86A0D7CC4A6AD523BA8C24EA4A5DBD47E2 |
SHA-512: | 7FFDDB9D2F57C03F1E04613477627CCF295E7806A598D9F953B098B419398F59494518785C3B3483B9D814C05565195A03FB1B4A61A44A3053C58379A807AC6A |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.133472914947941 |
TrID: | |
File name: | 6vywr0yn.dll |
File size: | 167936 |
MD5: | 24af4121e268839125e7dc0a8cfe57bb |
SHA1: | 68e59497ecca420d7ee86cc708a3046f8f8da300 |
SHA256: | e101211fc11db8ac7365aea768c7a42fae6d6148d273923cc3271aceaf204365 |
SHA512: | 0ea5e36b5f65e6ea3797740da6b8997b2705d1740de3a322eb6ed3e30ce4630be3ea7e3d9750acf0b216c499c0a07162c15dd598cbe9e19b2c32f05414419640 |
SSDEEP: | 3072:nAkzrvTXX6m6acOf1QwRBsdeUb8Oy7YuLg0Gjj5D:nvvbLdRAesA7YU2 |
File Content Preview: | MZ......................@.......................................!P..e1..e1..e1..~.l.>0...h...0....>.!0....:..1..B.:..1...o..-1..fI(..0...o...1..{ct..1..~.j..1....9..1...h...1..Riche1..............PE..L...$.._...........!.....P...........C.......`....@.... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4043b3 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5FC8AC24 [Thu Dec 3 09:13:08 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 8c139089d78137abf164f71dfb6637c7 |
Authenticode Signature |
---|
Signature Valid: | |
Signature Issuer: | |
Signature Validation Error: | |
Error Number: | |
Not Before, Not After | |
Subject Chain | |
Version: | |
Thumbprint MD5: | |
Thumbprint SHA-1: | |
Thumbprint SHA-256: | |
Serial: |
Entrypoint Preview |
---|
Instruction |
---|
mov eax, dword ptr [00426A88h] |
jmp eax |
ret |
mov dword ptr [ebp-04h], eax |
push ebp |
mov ebp, esp |
push edi |
push ebx |
push esi |
and esp, FFFFFFF8h |
sub esp, 000000C0h |
lea eax, dword ptr [esp+3Eh] |
lea ecx, dword ptr [esp+1Eh] |
mov byte ptr [esp+000000B9h], FFFFFFFDh |
mov dword ptr [esp+000000ACh], 00000000h |
mov dword ptr [esp+000000A8h], 004508F2h |
mov dword ptr [esp+000000A4h], 00423F7Fh |
mov edx, dword ptr [esp+000000B4h] |
add edx, 1CB7DFC5h |
mov dword ptr [esp+000000B4h], edx |
mov bl, byte ptr [esp+000000B9h] |
mov bh, bl |
xor bh, FFFFFFBBh |
mov byte ptr [esp+7Fh], bh |
mov edx, dword ptr [esp+000000ACh] |
mov esi, dword ptr [esp+000000A8h] |
xor esi, 22125EFDh |
mov dword ptr [esp+00000094h], edx |
mov dword ptr [esp+00000090h], esi |
mov di, word ptr [esp+000000BAh] |
mov dword ptr [esp+000000A0h], 00000000h |
mov byte ptr [esp+1Dh], bl |
mov dword ptr [esp+18h], ecx |
mov dword ptr [esp+14h], eax |
mov word ptr [esp+12h], di |
mov eax, dword ptr [esp+000000A0h] |
mov dword ptr [esp+0000008Ch], eax |
mov eax, dword ptr [esp+00000090h] |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x683c | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x29000 | 0x3a0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x800 | 0x1 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a000 | 0x8c8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5030 | 0x38 | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x2c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4f85 | 0x5000 | False | 0.25498046875 | data | 3.0618180329 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x6000 | 0x976 | 0x1000 | False | 0.3779296875 | data | 3.35788598783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x7000 | 0x21a5c | 0x20000 | False | 0.80460357666 | data | 7.8015542446 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0x29000 | 0x3a0 | 0x1000 | False | 0.110595703125 | data | 0.978897296822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x2a000 | 0x8c8 | 0x1000 | False | 0.393310546875 | data | 4.18296780206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x29060 | 0x340 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetModuleHandleW, LoadLibraryW, GetModuleHandleA, GetFileAttributesA, CreateMailslotA |
USER32.dll | GetFocus |
ADVAPI32.dll | InitiateSystemShutdownW, RegSaveKeyExA |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright 2018 |
InternalName | oe2hrfl |
FileVersion | 40.488.0.00 |
Full Version | 40.488.0.00 |
CompanyName | Oracle Corporation |
ProductName | Oeoh(FL) Hnrtunon ID 8 O172 |
ProductVersion | 4.0.0000.00 |
FileDescription | Java(TM) Platform SE binary |
OriginalFilename | oe2hrfl.dll |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 10:21:27 |
Start date: | 03/12/2020 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 120832 bytes |
MD5 hash: | 2D39D4DFDE8F7151723794029AB8A034 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 10:21:28 |
Start date: | 03/12/2020 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x80000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 10:21:33 |
Start date: | 03/12/2020 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x80000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|