Windows Analysis Report SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Overview
General Information
Detection
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: Dridex |
---|
{"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Static PE information: |
Source: | Binary string: |
Networking: |
---|
C2 URLs / IPs found in malware configuration |
Source: | IPs: |
Source: | ASN Name: |
Source: | IP Address: |
Source: | String found in binary or memory: |
E-Banking Fraud: |
---|
Yara detected Dridex unpacked file |
Source: | File source: |
System Summary: |
---|
Found detection on Joe Sandbox Cloud Basic with higher score |
Source: | Joe Sandbox Cloud Basic: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Process created: |
Source: | Code function: | 0_2_6ED00754 |
Source: | Code function: | 0_2_6ED09348 |
Source: | Code function: | 0_2_6ECF1494 |
Source: | Code function: | 0_2_6ECF846C |
Source: | Code function: | 0_2_6ED01460 |
Source: | Code function: | 0_2_6ED01D58 |
Source: | Code function: | 0_2_6ECFA52C |
Source: | Code function: | 0_2_6ECF90CC |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Classification label: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_6ECFF6CD |
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Tries to delay execution (extensive OutputDebugStringW loop) |
Source: | Section loaded: |
Source: | Window / User API: |
Source: | Last function: |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_6ECF6D50 |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_6ECF6D50 |
Source: | Key value queried: |
Source: | Code function: | 0_2_6ECF6D50 |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (12) | Disable or Modify Tools (1) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (11) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (12) | Security Account Manager | Virtualization/Sandbox Evasion (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing (1) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery (12) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Detection | Scanner | Label |
---|---|---|
21% | Virustotal | |
32% | ReversingLabs | Win32.Trojan.Drixed |
100% | Joe Sandbox ML | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Detection | Scanner | Label |
---|---|---|
100% | Avira | TR/Patched.Ren.Gen |
100% | Avira | TR/ATRAPS.Gen2 |
100% | Avira | HEUR/AGEN.1144420 |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | low |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
66.147.235.11 | unknown | United States | 23535 | HOSTROCKETUS | true |
149.202.179.100 | unknown | France | 16276 | OVHFR | true |
81.0.236.89 | unknown | Czech Republic | 15685 | CASABLANCA-ASInternetCollocationProviderCZ | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 510686 |
Start date: | 28.10.2021 |
Start time: | 05:00:21 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 57s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 32 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal84.troj.evad.winDLL@28/11@0/3 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Detection |
---|---|
66.147.235.11 | malicious |
149.202.179.100 | malicious |
81.0.236.89 | malicious |
Domains |
---|
No context |
---|
ASN |
---|
Match | Detection |
---|---|
HOSTROCKETUS | malicious |
OVHFR | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.916995120338525 |
Encrypted: | false |
SSDEEP: | 192:keiD0oXZHBUZMX4jed+9/u7sWS274ItWc:BidXJBUZMX4je4/u7sWX4ItWc |
MD5: | CCEA7058269A40866547402C32B0E12A |
SHA1: | 638C28D714E87A2B1FB9CB76E65AD4D2B4590188 |
SHA-256: | F6F42848EC901990E01446A63B6D3C218D982C9EDE770F8F2EF969F89DFA9784 |
SHA-512: | C88C4C7127119932C467C805ADBB1734E22A5ED95DFB0DB38C938753A2C9298587ECE7632EE76EA87C2F0DAE6EA138546075730D2B58A382EDBFA9E1FD60EE0E |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9165833115381509 |
Encrypted: | false |
SSDEEP: | 192:GMi00oX+HBUZMX4jed+9/u7sWS274ItWc:RiCX2BUZMX4je4/u7sWX4ItWc |
MD5: | F9E87888FA317EC87A8C755DABBD2C66 |
SHA1: | 2585D9C93809CA4DCAAC39D1043DDC702B304E7B |
SHA-256: | 4E8B0739F101D95B13071B6D33751157C8C63543C2DB4E3284FEEFBFADC7FC76 |
SHA-512: | E41FAC32750B76F7F9AEE6FCE30129B6187B40EA0D0315858A4DC5DE962F7AEF28B5A409728E54038664AEF30671B7A10006524267F61043E57A020E0E90A9AD |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 46524 |
Entropy (8bit): | 2.079389502299483 |
Encrypted: | false |
SSDEEP: | 192:Hf9C04q8A0nO5SkbhnpLh6dBpu8ESz3yyPWt/nfV:9B8q5LbF58d7u8ESz3yya/f |
MD5: | 8CF91AF0FC9D82647FF152F00E0ABB6D |
SHA1: | 103DBA4D056EFF05F8345517C2BA7AC414F26D9E |
SHA-256: | 29ECC9C3001CD194DCF145DFFB73DBCA4B837C4B2149C17D71D53116565AA066 |
SHA-512: | 8B76EC2219B01EBAD5BA871CBC0469A1D8AE6D52063DFE79E838DA35E617104F1F4C51523A96D947DBE828B081F76361352C5173A39572F7400C5FE8E9E5935D |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 44140 |
Entropy (8bit): | 2.1497069393561423 |
Encrypted: | false |
SSDEEP: | 192:7CJC04Dvo4bMO5Skb9reDNQkGJfKAsek1I6+REP1V9yyaul1fnTcTu:szC5Lb9gzKnT6+RE/9yillwT |
MD5: | 468455B7C32BF823B1C70B241AE47E54 |
SHA1: | 223BDB9E503CFD93134F2C6E483E2C4DF8988DF1 |
SHA-256: | 34F7C9D2E1A24E6AAB9B70238812FF524DDFEBF19831518AC382D043E8840695 |
SHA-512: | 9C8017A749F8DC524D0C90FF78057872A72E78398F3F4216C5CB9D7541633AACB53CF3A550E7F1B9B7142C8F4338F9FF48B48DB9BA4A090C2AEA6E6AA0049AC8 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8352 |
Entropy (8bit): | 3.7002846079489355 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNip1P6JV6YYO+6MgmfT5S8Cprt89bq1sfjAOm:RrlsNipN6L6YK6MgmfT5SuqOfM |
MD5: | 4151D17A289312C107FEF6FE5FA3E5FF |
SHA1: | 2B297AAFA3784FC32650B8CFE6DF8BD196458B99 |
SHA-256: | 71ADDB34D643ADE60DDD00AC3AC9E33196DD3B07BDA0F076A9ED80DE939E5735 |
SHA-512: | A4945E2416E774DF330782D6F4840D36067E8B00B345F76ECD4A42A6466F48C3391B72CB8CF4D9A6CC0541D379EC60AD6DE1BE10A83ED770BD95D7267A916007 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4700 |
Entropy (8bit): | 4.500623001118657 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsKJgtWI9ouWSC8B8dtS8fm8M4JCdsPFW+q8/hL4SrSWd:uITfY7PSNq/HJqKDWWd |
MD5: | 06579D1301DAEF503B82F588180B029A |
SHA1: | C263EDC496EF1D914E283FBDFC88A5B65F0922E3 |
SHA-256: | 35DDB8B7C1A4B7876F5A16764FCAF68C294059CCEC731170EAC34F83CD188FD3 |
SHA-512: | DF727E13820797CF31458E7B9AEA574C93F3DDC1E6594807B566DF1E7DFEF50788E8923EBF92D52AFDDF16F452263BFB951AD964380F0FAC2F1D1B875D5F73EE |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 45380 |
Entropy (8bit): | 2.1265025958030526 |
Encrypted: | false |
SSDEEP: | 192:pFCC04pe0NCGO5Skb9K5TyquxTLogGlBra6C5iOVXZn7:Eaa5LbATyquFogGjra66i4J7 |
MD5: | BB604FE41CE924CB88F14A53F73D55EB |
SHA1: | 8C9E0289CF2584A1CF5AB36BB03075A58F241973 |
SHA-256: | A6CC4560B4BA9D45267FD3DF8F74416B64E369987F5A2714692B993350E5A305 |
SHA-512: | 3CFE9393C19870116FA3BADB28E3CCFD2BF94B89568A02E54FE38835FFD7B3C8E29F3057AAB597279D967247C3E0B33BB2C2CE09557A046454214BE4DB89251D |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8352 |
Entropy (8bit): | 3.6982586181853225 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiO66Fba6YYOS96MgmfTYS8CprLQ89bdfsfo/m:RrlsNiL6xa6YC6MgmfTYSPtdEfN |
MD5: | 24BAA055B5D6B7C373D05EC5658733A3 |
SHA1: | 548FA50C505A0568902159D4532345A14DD29058 |
SHA-256: | 703245EC3E5129BACCE3A5A8344AC60EFF8A9C6CBB8F1578523A447EA77D4317 |
SHA-512: | C74EB9A6A3FDE93B10B51A99B2596F4A99CA24E7C08A09D15BD2BC760E99BF2C0919C224A752A60087D4E471AE1215040CE40B47D0BDAF68E9A5E13AC0CABADD |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4700 |
Entropy (8bit): | 4.502820788645054 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsKJgtWI9ouWSC8Bz8fm8M4JCdsCF4+q8/hT4SrScH6d:uITfY7PSNyJ92DWi6d |
MD5: | B54095CE6F524F7234526A5F8CC44462 |
SHA1: | 649092155215605C275D23D39E1749BA88889D22 |
SHA-256: | B7BFD695CB733D64A69960D5193D097DBEC835C9E65B0BA53CB35050F2259A1B |
SHA-512: | 9E4756A0796D064D2067A619727C834748FC4B64DBF82DB1AC1D7CA4324EB3434B26EB3163ADD3C373D6C6C2BA1C598F6F076B5B73301D718CF3051EA70A36CD |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8352 |
Entropy (8bit): | 3.701073180602495 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiQk6gG36YYOC68gmfT3SsCprRg89bG1qsftim:RrlsNir6h6YW68gmfT3StdG1Jf5 |
MD5: | 645AA25DE0930D788B806E66F3BD8FDC |
SHA1: | 49906A9C0683FD3C7112C33BB658CF67496BAC68 |
SHA-256: | 1B8281F03FDEAEB82D724B9838916FA84F40878B832A7348C4863CBCBF2D5EC4 |
SHA-512: | 96523A5B3B017455F37335C83D4312795294269DF1D778E88A50175D347A19CED81A679FCFA7968299FDE23B29BA6102781387BC2C66CB32372708A4DF7D2BA2 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4700 |
Entropy (8bit): | 4.508329223101191 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsRJgtWI9wkckWSC8Bn8fm8M4JCds7FvT+q8/h8r4SrSEd:uITfjyc9SNqJnJrDWEd |
MD5: | 8985C591066C23F260D51139922D93A9 |
SHA1: | 3BD08EC8716978765CA63D79685DF0EBD3FA1C35 |
SHA-256: | 26DBEF706EF369902902A44D2E952AB5484953AE03146F4735DBF84793E16EF7 |
SHA-512: | 39C2CBFAFDCA2597F0366E02B10769F675E18AC8F8FF7A5A09FF555D375B116A2C7945B0DAD3B6334C4AA63368069F6D47A25C9465A018E7A8CC2D1B876E21A4 |
Malicious: | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.159938943426644 |
TrID: | |
File name: | SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll |
File size: | 1093632 |
MD5: | e53a16bea7918b1f7d4c0e659febc766 |
SHA1: | 10d4d3d7fac35f6492cda2fb04aebf46903481f0 |
SHA256: | 212cae7b05ecbc938b3a1fda4753d119f69360165955937b836fdbc7a6d514eb |
SHA512: | 014561ee3d96f09222cb1187c8b0a785e59e2d7dd1d3bec234088c2c382da693acc5cee4b21252462939574c1c666da8f09e45161b0856b0b413f7b687567eb5 |
SSDEEP: | 24576:ljsXggYiykQsMy2GSuCAaimSQws2yyq+YoWEUK6ES0wOyeSGwswWquEQq2GiMciL:+ |
File Content Preview: | MZ......................@........................................IZ..(4..(4..(4..z..&)4.....Z)4..Q...)4..u5..(4.....K(4..v6."(4.7....(4. ...,(4.....i(4.....Z(4..(5.f)4.Rich.(4.........................PE..L...&.ya...........!.... `...P.......K.......p..... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x10004b90 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x61798526 [Wed Oct 27 16:58:14 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | ae858e1bcf44b240b65263bbd6945db2 |
Entrypoint Preview |
---|
Instruction |
---|
mov eax, dword ptr [10106128h] |
call eax |
mov edx, eax |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
push ebx |
push edi |
push esi |
and esp, FFFFFFF8h |
sub esp, 000000A8h |
mov eax, dword ptr [ebp+08h] |
mov dword ptr [esp+0000009Ch], 008A6C3Fh |
mov byte ptr [esp+00000083h], 00000072h |
mov dword ptr [esp+6Ch], 6C57D91Ch |
mov dword ptr [esp+00000094h], 00000000h |
mov dword ptr [esp+00000090h], 0093F6B2h |
mov ecx, dword ptr [ebp+08h] |
mov edx, esp |
mov dword ptr [edx], ecx |
mov dword ptr [esp+38h], eax |
call 00007F5CF8BC9262h |
movzx ecx, word ptr [esp+000000A2h] |
mov si, cx |
mov word ptr [esp+000000A2h], B4E5h |
mov byte ptr [esp+37h], al |
mov dword ptr [esp+30h], ecx |
mov word ptr [esp+2Eh], si |
call 00007F5CF8BC95DBh |
mov ecx, dword ptr [esp+0000008Ch] |
mov edx, ecx |
add edx, DE3924BAh |
mov dword ptr [esp+0000008Ch], edx |
mov dword ptr [esp+70h], eax |
mov eax, dword ptr [esp+30h] |
add eax, eax |
mov si, ax |
mov word ptr [esp+000000A2h], si |
mov eax, dword ptr [esp+70h] |
mov edx, dword ptr [esp+00000090h] |
mov edi, dword ptr [esp+00000094h] |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xfad60 | 0x5f | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfae3c | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x108000 | 0x3e8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x109000 | 0x2a38 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x705c | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x44 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5dfe | 0x6000 | False | 0.379720052083 | data | 4.39803113711 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0xf4032 | 0xf5000 | False | 0.135154257015 | data | 7.11996019927 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xfc000 | 0xbd1c | 0xb000 | False | 0.234153053977 | data | 5.69509557044 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x108000 | 0x3e8 | 0x1000 | False | 0.119873046875 | data | 1.03136554304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x109000 | 0x2a38 | 0x3000 | False | 0.231608072917 | data | 5.67874721692 | IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x108060 | 0x388 | data | | |
Imports |
---|
DLL | Import |
---|---|
SHELL32.dll | SHGetDesktopFolder |
IPHLPAPI.DLL | GetIfTable |
ADVAPI32.dll | RegOverridePredefKey |
msvcrt.dll | memset |
OLEAUT32.dll | VarR4FromI2 |
KERNEL32.dll | CreateFileW, GetModuleFileNameW |
SETUPAPI.dll | SetupDiEnumDeviceInfo |
USER32.dll | ShowOwnedPopups |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
FFRgpmdlwwWde | 1 | 0x100fadb0 |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright 2004 |
InternalName | ddlb |
FileVersion | 5.2.00.0 |
Full Version | 5.2.0_00-b00 |
CompanyName | Sun Microsystems, Inc. |
ProductName | Ddlb(EA) 2 Tsyfezyt Bidibhex Ernseqa 5.0 Urdate 6 |
ProductVersion | 5.2.00.0 |
FileDescription | Java(TM) 2 Platform Standard Edition binary |
OriginalFilename | ddlb.dll |
Translation | 0x0000 0x04b0 |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 05:01:18 |
Start date: | 28/10/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x120000 |
File size: | 893440 bytes |
MD5 hash: | 72FCD8FB0ADC38ED9050569AD673650E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
General |
---|
Start time: | 05:01:18 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x150000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 05:01:18 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1260000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 05:01:18 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1260000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 05:02:42 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1260000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 05:02:43 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1260000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 05:02:43 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1260000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 05:02:43 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1260000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 05:02:44 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1260000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 05:04:05 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x340000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 05:04:07 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x340000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 05:04:11 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x340000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 05:04:14 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x340000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 05:04:14 |
Start date: | 28/10/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x340000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 01252062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187 (memory, COMMON) |
C-Code - Quality: 42% |
Uniqueness Score: -1.00% |
Function 012521EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109 (memory, COMMON) |
Uniqueness Score: -1.00% |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
C-Code - Quality: 78% |
Uniqueness Score: -1.00% |
C-Code - Quality: 31% |
Uniqueness Score: -1.00% |
C-Code - Quality: 84% |
Uniqueness Score: -1.00% |
C-Code - Quality: 93% |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
Uniqueness Score: -1.00% |
Function 6ED01460, Relevance: .6, Instructions: 572 (COMMON, Crypto) |
C-Code - Quality: 90% |
Uniqueness Score: -1.00% |
Function 6ED01D58, Relevance: .3, Instructions: 282 (COMMON, Crypto) |
C-Code - Quality: 89% |
Uniqueness Score: -1.00% |
Function 6ECF6D50, Relevance: .0, Instructions: 36 (COMMON) |
C-Code - Quality: 100% |
Uniqueness Score: -1.00% |
Function 6ECFC218, Relevance: 5.1, Strings: 4, Instructions: 53 (COMMON) |
C-Code - Quality: 83% |
Uniqueness Score: -1.00% |
Executed Functions |
---|
Function 00FC2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187 (memory, COMMON) |
C-Code - Quality: 42% |
Uniqueness Score: -1.00% |
Function 00FC21EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109 (memory, COMMON) |
Uniqueness Score: -1.00% |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Executed Functions |
---|
Function 00F72062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187 (memory, COMMON) |
C-Code - Quality: 42% |
Uniqueness Score: -1.00% |
Function 00F721EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109 (memory, COMMON) |
Uniqueness Score: -1.00% |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|