Windows Analysis Report 2gyA5uNl6VPQUA.dll
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: Emotet |
---|
{"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
17 entries in total |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
35 entries in total |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Emotet RunDLL32 Process Creation |
Source: | Author: FPT.EagleEye |
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: |
Networking: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: | Network Connect: |
C2 URLs / IPs found in malware configuration |
Source: | IPs: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | Network traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | Code function: |
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: |
E-Banking Fraud: |
---|
Yara detected Emotet |
Source: | File source: |
System Summary: |
---|
Source: | Static PE information: |
Source: | Process created: |
Source: | File deleted: |
Source: | File created: |
Source: | Code function: |
Source: | Process Stats: |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: |
Source: | Classification label: |
Source: | File read: |
Source: | Code function: |
Source: | Process created: |
Source: | Mutant created: |
Source: | File read: |
Source: | Automated click: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: |
Source: | PE file moved: |
Hooking and other Techniques for Hiding and Protection: |
---|
Hides that the sample has been downloaded from the Internet (zone.identifier) |
Source: | File opened: |
Source: | Process information set: |
Source: | Thread sleep time: |
Source: | Process information queried: |
Source: | Code function: |
Source: | File Volume queried: |
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Process queried: |
Source: | Code function: |
HIPS / PFW / Operating System Protection Evasion: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: | Network Connect: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Queries volume information: |
Source: | Code function: |
Source: | Key value queried: |
Source: | Code function: |
Source: | Binary or memory string: |
Stealing of Sensitive Information: |
---|
Yara detected Emotet |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Native API1 | Path Interception | Process Injection112 | Masquerading21 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion2 | LSASS Memory | Security Software Discovery41 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection112 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Process Discovery3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll321 | DCSync | System Information Discovery24 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 18% | Virustotal | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1110387 | | |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
| 4% | Virustotal | | |
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | low |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
195.154.133.20 | unknown | France | 12876 | OnlineSASFR | true |
212.237.17.99 | unknown | Italy | 31034 | ARUBA-ASNIT | true |
110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true |
104.245.52.73 | unknown | United States | 63251 | METRO-WIRELESSUS | true |
138.185.72.26 | unknown | Brazil | 264343 | EmpasoftLtdaMeBR | true |
81.0.236.90 | unknown | Czech Republic | 15685 | CASABLANCA-ASInternetCollocationProviderCZ | true |
45.118.115.99 | unknown | Indonesia | 131717 | IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID | true |
103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true |
216.158.226.206 | unknown | United States | 19318 | IS-AS-1US | true |
107.182.225.142 | unknown | United States | 32780 | HOSTINGSERVICES-INCUS | true |
45.118.135.203 | unknown | Japan | 63949 | LINODE-APLinodeLLCUS | true |
50.116.54.215 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true |
51.68.175.8 | unknown | France | 16276 | OVHFR | true |
103.8.26.102 | unknown | Malaysia | 132241 | SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY | true |
46.55.222.11 | unknown | Bulgaria | 34841 | BALCHIKNETBG | true |
41.76.108.46 | unknown | South Africa | 327979 | DIAMATRIXZA | true |
103.8.26.103 | unknown | Malaysia | 132241 | SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY | true |
178.79.147.66 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | true |
212.237.5.209 | unknown | Italy | 31034 | ARUBA-ASNIT | true |
176.104.106.96 | unknown | Serbia | 198371 | NINETRS | true |
207.38.84.195 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true |
212.237.56.116 | unknown | Italy | 31034 | ARUBA-ASNIT | true |
45.142.114.231 | unknown | Germany | 44066 | DE-FIRSTCOLOwwwfirst-colonetDE | true |
203.114.109.124 | unknown | Thailand | 131293 | TOT-LLI-AS-APTOTPublicCompanyLimitedTH | true |
210.57.217.132 | unknown | Indonesia | 38142 | UNAIR-AS-IDUniversitasAirlanggaID | true |
58.227.42.236 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true |
185.184.25.237 | unknown | Turkey | 209711 | MUVHOSTTR | true |
158.69.222.101 | unknown | Canada | 16276 | OVHFR | true |
104.251.214.46 | unknown | United States | 54540 | INCERO-HVVCUS | true |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 532048 |
Start date: | 01.12.2021 |
Start time: | 17:14:16 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 12m 38s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 2gyA5uNl6VPQUA.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 32 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal88.troj.evad.winDLL@37/14@0/29 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
17:18:19 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
195.154.133.20 | | Get hash | malicious | Browse | |
212.237.17.99 | | Get hash | malicious | Browse | |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ARUBA-ASNIT | | Get hash | malicious | Browse | |
OnlineSASFR | | Get hash | malicious | Browse | |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
51c64c77e60f3980eea90869b68c58a8 | | Get hash | malicious | Browse | |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6756505752882381 |
Encrypted: | false |
SSDEEP: | 96:x8ogZqyzy9hko97JfEpXIQcQ6c6ucEccw3yh+a+z+HbHg0VG4rmMOyWZAXGng5Fs:iBvHkqmcjgq/u7sjS274ItW |
MD5: | E83A379E3F886DDE0737C94E50929972 |
SHA1: | DA440B10630A1447F76F6C2862518D9160FDCEAD |
SHA-256: | A74B68A5207DE2A571DEB46A8BB4D2697847550544A48C245EBAF1143003FEFE |
SHA-512: | 8EFEA6B3D174472C8EB15EDE4ADCBC333B36B537D61A6FEB90F88FFA66EFD4CE3C0321B33B2156EF0B0EC320D54FA8897E09FC5651C54F5000363E9AEF5F08CD |
Malicious: | false |
Preview: | |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1060568 |
Entropy (8bit): | 1.3778018531387082 |
Encrypted: | false |
SSDEEP: | 1536:jSFSLgVhMP5ZPkxMDrxjXiCnz26fOpOSEirIGM21V:jS4ui5ZPkQdXiCSBV |
MD5: | 670CEBD327DDCA577AC879415816A643 |
SHA1: | 766C3E525ACD73736895C152C4625F3BC7374358 |
SHA-256: | E8684DD3A530CE34589F57A65BC112B6731FD48CC1D0AEB3C460F6DFC042C1F2 |
SHA-512: | 03A911D656DC523F4B0DC7498226BE5489FF5684D2C4DA413A372E1BB7F5FBF630AB2F6463F0AB70265B6B037FC8CABE32FBD37D877E2F2D0DEBC20ECF5FAE08 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8342 |
Entropy (8bit): | 3.698469333487002 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiWJ6Jo6YFGSU/Osgmf7SkCpBM89biOsf+Wm:RrlsNiI6W6YkSUmsgmf7SXiNfm |
MD5: | E2B2081F14B077D36894F2FBFE2DE9A1 |
SHA1: | 8D9897122DBA59B590D5C6EB3C68FEAA19125CAD |
SHA-256: | 21255234A624CE66D5028E8CF5A3F7DBBA484C3B317D25479E38A5ADCA916DB8 |
SHA-512: | 970B7AE1A213F77A617A5F7480C3FE48E4CAC8AFE9C35E12CA529112A744FB6BACE669B6A30515349490574331E928A55A0000A332EDBCD13B0B85D22995A262 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4598 |
Entropy (8bit): | 4.475615349739502 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsyJgtWI9NRWSC8BN8fm8M4J2yeFV+q845o3KcQIcQwQ2d:uITfAqASNoJ0S3KkwQ2d |
MD5: | 77292526940A2CED31107FF887CF478D |
SHA1: | 5A5EF4621DB426B1C1AAA50CCB671D827939DB6C |
SHA-256: | 0E439CD01CFB1E0C2F8A007628584A04407C49A280EB46342061B64E9CA89142 |
SHA-512: | A59669399730711B37F82E8676237DCA0C94CA645785A6701814F444DB8D9912112B0F760D1406A31685E4D361605E46B6F4E546C9AA162A796BA106155919F1 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 52334 |
Entropy (8bit): | 3.0557498672298893 |
Encrypted: | false |
SSDEEP: | 1536:cBH00vOY/i64EJ0Xxaztxa/rGwK6eF1c+j8:cBH00vOY/i64EJ0XxaztxMrGwK6eF1cb |
MD5: | 8FEF32FC113E0BCF8D366D66F16EC790 |
SHA1: | 37A22ADB628537B727D8539FCCB33C85C214DFB8 |
SHA-256: | 1D95DBAE0901FF25A3D05638B69A7512E3CAD0D307184455AEBBC20C1C48C3BD |
SHA-512: | 76CD26FD51F58B05E0D16A3EED2D9BA654F0FFBEE32D4DB73B427AA2347C0CD3B6616D74DABB5968D4F5DDAA80A37BEF9A326E57399BB1253989168A6EA50B89 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13340 |
Entropy (8bit): | 2.695977367932866 |
Encrypted: | false |
SSDEEP: | 96:9GiZYWXwi0W//XyYPYcW+HDUYEZ9ltFi0OqulJw4Xaadt6Mn5oNIF53:9jZDXRXyIOsDqadt6Mn5oSF53 |
MD5: | 68FAB6CF0A1C67CFDA5D7D3172021128 |
SHA1: | 7973B130C320119EFA6FCD2F5B8147D9BD67F297 |
SHA-256: | 8F75ADED1A75A89914048407334B829B9423A00B2C712593584F317C4089CB96 |
SHA-512: | 2361130FCE475AD64B66A490AA8B2157D2C214FEA636E47A42B21D3EDF58869C5443C77D0217DF18440ED3130CB48B42F6F5BDFD2C0D6691F9851FFFC6C1A222 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.11015467012570174 |
Encrypted: | false |
SSDEEP: | 12:26sw0zXm/Ey6q9995ym0RVq3qQ10nMCldimE8eawHjcKRv:26hl68cm0eLyMCldzE9BHjc8 |
MD5: | 304F8E8A64A52D1042A868BF53A274A9 |
SHA1: | 34794F576562C1B52503BE3DB1A3A3C06FFFA4DC |
SHA-256: | E0B53FD64378D8D6C08182571B8348AB0E6FABE16E1039EEA88BF81D8D28FB17 |
SHA-512: | D3D26DA964D20B8863DE90E292FE9E2886B12E21EAC71C987C9E3974DFC451BDE518CB8B2D4C758909F556B5ECF07965E65440B32351911EE0C16F559AA8850D |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.11239974699573353 |
Encrypted: | false |
SSDEEP: | 12:YFXm/Ey6q9995ym07h1miM3qQ10nMCldimE8eawHza1miI72d:fl68cm07h1tMLyMCldzE9BHza1tIqd |
MD5: | 254EF8903F3E46FE33D061FA09DB6F91 |
SHA1: | A2EEB09AA95C9B63CC6CC7BF8E15C5FE1524ADA7 |
SHA-256: | 49855F5818E1B7C04CBC2B1B240B87366CC342BEAFD52A7D1072C151B91924DA |
SHA-512: | DAFB84FD9692BDC0DFEDA69B3EC2AF7946AF77A7482C7681C4A6949B70B0CC6FB82951162CEC7BF42FF8043A47A51A18C0229173274FEBAA5A63D7E83CFDE09E |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.1124192532464876 |
Encrypted: | false |
SSDEEP: | 12:YHXm/Ey6q9995ym07h1mK2P3qQ10nMCldimE8eawHza1mKAvd:xl68cm07h1iPLyMCldzE9BHza1cd |
MD5: | C515E0C260990B027D1F7FEBEF240EE1 |
SHA1: | FD40240D458157A83466D10DD178839CFDA17DC5 |
SHA-256: | 46AA93A0B18E3B4E2450FE9D9C9C68771EBBB88A1BF3706EE5153F143BF9F114 |
SHA-512: | DFE7E9A406A0AB256ECCF3D6A534DF1A17649A0B7E4FA7948135114C56718E655B5068218799184263F038874BC263138911AB622F03EDE0C7E99360EA0CE87D |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.11015467012570174 |
Encrypted: | false |
SSDEEP: | 12:26sw0zXm/Ey6q9995ym0RVq3qQ10nMCldimE8eawHjcKRv:26hl68cm0eLyMCldzE9BHjc8 |
MD5: | 304F8E8A64A52D1042A868BF53A274A9 |
SHA1: | 34794F576562C1B52503BE3DB1A3A3C06FFFA4DC |
SHA-256: | E0B53FD64378D8D6C08182571B8348AB0E6FABE16E1039EEA88BF81D8D28FB17 |
SHA-512: | D3D26DA964D20B8863DE90E292FE9E2886B12E21EAC71C987C9E3974DFC451BDE518CB8B2D4C758909F556B5ECF07965E65440B32351911EE0C16F559AA8850D |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.11239974699573353 |
Encrypted: | false |
SSDEEP: | 12:YFXm/Ey6q9995ym07h1miM3qQ10nMCldimE8eawHza1miI72d:fl68cm07h1tMLyMCldzE9BHza1tIqd |
MD5: | 254EF8903F3E46FE33D061FA09DB6F91 |
SHA1: | A2EEB09AA95C9B63CC6CC7BF8E15C5FE1524ADA7 |
SHA-256: | 49855F5818E1B7C04CBC2B1B240B87366CC342BEAFD52A7D1072C151B91924DA |
SHA-512: | DAFB84FD9692BDC0DFEDA69B3EC2AF7946AF77A7482C7681C4A6949B70B0CC6FB82951162CEC7BF42FF8043A47A51A18C0229173274FEBAA5A63D7E83CFDE09E |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.1124192532464876 |
Encrypted: | false |
SSDEEP: | 12:YHXm/Ey6q9995ym07h1mK2P3qQ10nMCldimE8eawHza1mKAvd:xl68cm07h1iPLyMCldzE9BHza1cd |
MD5: | C515E0C260990B027D1F7FEBEF240EE1 |
SHA1: | FD40240D458157A83466D10DD178839CFDA17DC5 |
SHA-256: | 46AA93A0B18E3B4E2450FE9D9C9C68771EBBB88A1BF3706EE5153F143BF9F114 |
SHA-512: | DFE7E9A406A0AB256ECCF3D6A534DF1A17649A0B7E4FA7948135114C56718E655B5068218799184263F038874BC263138911AB622F03EDE0C7E99360EA0CE87D |
Malicious: | false |
Preview: | |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.27200860359444 |
Encrypted: | false |
SSDEEP: | 12288:++xGt/B/0cpVBWRJEMXkhjlatIvt/VJkQy5XR9o+M1HfiwElbWF31:vxGt/B/0cpVBWRa9 |
MD5: | 305D4C175594DF05FB83B45660590C29 |
SHA1: | 01F281B8B203EFB2DDB2BC2844C383455CB37A14 |
SHA-256: | A5DFB5C0E762FF548CDAA3BB4E47BB467810EEFCB8E7C777AA83623D2EAF0D12 |
SHA-512: | B90E8CD82B16F0CD20BE9567D0AADE0C7A3AA608AE52A4E6F4F3CAF2931338B21DF526D37397A2482F937F0C4A8AA5D965B491A48F5407B59DD4FB5443C696CA |
Malicious: | false |
Preview: | |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 3.399358853964409 |
Encrypted: | false |
SSDEEP: | 192:qKVgI51XWJvoCbYJ5FSEsWftx13xgoJ4XEaJNSdkyFn6yvRrsfkWfYjdsiDoXzCz:fjT5Rftx13PJ4XE7FFn7bZd1DoXzCz |
MD5: | 5BB0E539B72B081DABC6C8198F44E54F |
SHA1: | 6BB4C4196D6EEAFC231496D782B34FAE6F1E99E2 |
SHA-256: | 849E684F49774DF0D027715B8421B45779C556BD0E7CC471CFB0A115BCA94E0D |
SHA-512: | D1848DB6AE05565BB9B56E6149EE11F600FD101ECBB6959C8CE6B2A3A09CA5DE381C058880517F4E39F205D66DAE6B0A6F089550754C496B028D57634EFCF280 |
Malicious: | false |
Preview: | |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.970960867517191 |
TrID: | |
File name: | 2gyA5uNl6VPQUA.dll |
File size: | 387072 |
MD5: | 5e20cb3466b66a9cdeac1ac74d9862e4 |
SHA1: | 28ef4facb366de1fc7da62b975c8967997527c36 |
SHA256: | 208939e34f46846c7c95383c6fea7813038b4dea87ea3819c157ccfbbf8aa09a |
SHA512: | 594039a003ac0c22a0a91c219c5cf50520994ead32f02efcfd8d79e57313c8ae041376fd0c3dcdfadf0472bee87363b28242a1d677e29cecb69127411fc6e722 |
SSDEEP: | 6144:zBYrPMTsY8GR3j4fubnY6Zs/Bv6yM6aSTsfA2qL6jpXNcc6CEteuQJPIgtlpZ5L:yhmT4GbnYks/BJNWo2LjpScDEteuOIoZ |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q......... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x1001cac1 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x61A73B52 [Wed Dec 1 09:07:30 2021 UTC] |
TLS Callbacks: | 0x1000c340 |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 609402ef170a35cc0e660d7d95ac10ce |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007F234CEF81A7h |
call 00007F234CEF8538h |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007F234CEF8053h |
add esp, 0Ch |
pop ebp |
retn 000Ch |
push ebp |
mov ebp, esp |
push dword ptr [ebp+08h] |
call 00007F234CEF8A4Eh |
pop ecx |
pop ebp |
ret |
push ebp |
mov ebp, esp |
jmp 00007F234CEF81AFh |
push dword ptr [ebp+08h] |
call 00007F234CEFC534h |
pop ecx |
test eax, eax |
je 00007F234CEF81B1h |
push dword ptr [ebp+08h] |
call 00007F234CEFC5B0h |
pop ecx |
test eax, eax |
je 00007F234CEF8188h |
pop ebp |
ret |
cmp dword ptr [ebp+08h], FFFFFFFFh |
je 00007F234CEF8B13h |
jmp 00007F234CEF8AF0h |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [1002A08Ch] |
push dword ptr [ebp+08h] |
call dword ptr [1002A088h] |
push C0000409h |
call dword ptr [1002A040h] |
push eax |
call dword ptr [1002A090h] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call dword ptr [1002A094h] |
test eax, eax |
je 00007F234CEF81A7h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [1005E278h], eax |
mov dword ptr [1005E274h], ecx |
mov dword ptr [1005E270h], edx |
mov dword ptr [1005E26Ch], ebx |
mov dword ptr [1005E268h], esi |
mov dword ptr [1005E264h], edi |
mov word ptr [eax], es |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x5b590 | 0x614 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5bba4 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60000 | 0x1bc0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5a1dc | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x5a300 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5a230 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2a000 | 0x154 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x28bb4 | 0x28c00 | False | 0.53924822661 | data | 6.1540438823 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x2a000 | 0x32362 | 0x32400 | False | 0.817805503731 | data | 7.40645381596 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x5d000 | 0x1ba4 | 0x1200 | False | 0.287109375 | data | 2.60484752417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.pdata | 0x5f000 | 0x4c4 | 0x600 | False | 0.360677083333 | AmigaOS bitmap font | 2.17228109861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.reloc | 0x60000 | 0x1bc0 | 0x1c00 | False | 0.7880859375 | data | 6.62631718459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer |
USER32.dll | GetDC, ReleaseDC, GetWindowRect |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
Control_RunDLL | 1 | 0x100010a0 |
axamexdrqyrgb | 2 | 0x100017b0 |
bhramccfbdd | 3 | 0x10001690 |
bptyjtyr | 4 | 0x10001640 |
bxoqrnuua | 5 | 0x100016c0 |
cegjceivzmgdcffk | 6 | 0x100014e0 |
cgxpyqfkocm | 7 | 0x10001480 |
chjbtsnqmvl | 8 | 0x10001540 |
crfsijq | 9 | 0x10001730 |
empxfws | 10 | 0x10001590 |
fbgcvvbrlowsjsj | 11 | 0x10001550 |
fjhmprw | 12 | 0x10001660 |
gfqdajfucnxrv | 13 | 0x10001850 |
hcloldazhuvj | 14 | 0x10001790 |
idcumrbybo | 15 | 0x10001500 |
ihvpwdsfllpvrzy | 16 | 0x10001750 |
iuzqizpdhxqkmf | 17 | 0x100014c0 |
jaarlqsruhrwpipt | 18 | 0x100016e0 |
jndshbhgxdkvvtj | 19 | 0x10001600 |
jniijdleqsyajeis | 20 | 0x10001650 |
jtjqgma | 21 | 0x100016f0 |
kffxtbzhfgbqlu | 22 | 0x10001630 |
kwxkzdhqe | 23 | 0x100016d0 |
lidhnvsukgiuabh | 24 | 0x100016b0 |
ltcrkednwfkup | 25 | 0x10001820 |
lvrmqgtvhsegpbvmq | 26 | 0x10001770 |
mxvwvnerswyylp | 27 | 0x10001520 |
ndlmbjceavqdintmv | 28 | 0x100017d0 |
nvnriipkwrmxwsu | 29 | 0x10001510 |
oafxfavxmi | 30 | 0x10001570 |
ocwutlohg | 31 | 0x100014b0 |
olcklbdvo | 32 | 0x10001680 |
pawvqfmiz | 33 | 0x100015e0 |
pdmomnjmmryopqza | 34 | 0x10001560 |
plzkvjcbz | 35 | 0x10001710 |
poasqvltrkgvepng | 36 | 0x10001840 |
psjoyjhsrkg | 37 | 0x100015b0 |
qdimtzieldbl | 38 | 0x10001620 |
qzvngjfyuxpjag | 39 | 0x10001580 |
relsounb | 40 | 0x100016a0 |
rykebhcisi | 41 | 0x10001670 |
snrvgvzpjh | 42 | 0x100017c0 |
sqnfcfmocgbg | 43 | 0x10001740 |
sxgllzweihxqxi | 44 | 0x10001760 |
tgagxhhcfj | 45 | 0x10001780 |
thjyvtvttwpah | 46 | 0x10001830 |
uvypobslemtipv | 47 | 0x10001640 |
vgidwtjsbwpxkdxj | 48 | 0x100017a0 |
wahhdker | 49 | 0x100014a0 |
wamqmispvbxt | 50 | 0x100015f0 |
witvsjavqyw | 51 | 0x10001720 |
wopabadcwdizvwlgk | 52 | 0x10001490 |
wpzyecljz | 53 | 0x10001800 |
wukgfirfwilhu | 54 | 0x100015d0 |
xntbmrrxs | 55 | 0x100017f0 |
xsxwxreryufxwuhh | 56 | 0x10001700 |
xvgdevijtw | 57 | 0x10001610 |
ydvqidso | 58 | 0x100015c0 |
yggdjrsewuw | 59 | 0x100015a0 |
zaeqdmhaky | 60 | 0x100017e0 |
zakvwkjnk | 61 | 0x10001700 |
zqbggkzy | 62 | 0x100014f0 |
zqtdpertk | 63 | 0x100014d0 |
zshfybkvzv | 64 | 0x10001810 |
zxxopqyvfoesyhmup | 65 | 0x10001530 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 1, 2021 17:19:08.011106968 CET | 49806 | 443 | 192.168.2.3 | 46.55.222.11 |
Dec 1, 2021 17:19:08.011153936 CET | 443 | 49806 | 46.55.222.11 | 192.168.2.3 |
Dec 1, 2021 17:19:08.011275053 CET | 49806 | 443 | 192.168.2.3 | 46.55.222.11 |
Dec 1, 2021 17:19:08.044857979 CET | 49806 | 443 | 192.168.2.3 | 46.55.222.11 |
Dec 1, 2021 17:19:08.044895887 CET | 443 | 49806 | 46.55.222.11 | 192.168.2.3 |
Dec 1, 2021 17:19:08.215882063 CET | 443 | 49806 | 46.55.222.11 | 192.168.2.3 |
Dec 1, 2021 17:19:08.215986013 CET | 49806 | 443 | 192.168.2.3 | 46.55.222.11 |
Dec 1, 2021 17:19:08.643136978 CET | 49806 | 443 | 192.168.2.3 | 46.55.222.11 |
Dec 1, 2021 17:19:08.643177032 CET | 443 | 49806 | 46.55.222.11 | 192.168.2.3 |
Dec 1, 2021 17:19:08.643601894 CET | 443 | 49806 | 46.55.222.11 | 192.168.2.3 |
Dec 1, 2021 17:19:08.643733025 CET | 49806 | 443 | 192.168.2.3 | 46.55.222.11 |
Dec 1, 2021 17:19:08.648392916 CET | 49806 | 443 | 192.168.2.3 | 46.55.222.11 |
Dec 1, 2021 17:19:08.692873955 CET | 443 | 49806 | 46.55.222.11 | 192.168.2.3 |
Dec 1, 2021 17:19:09.097501040 CET | 443 | 49806 | 46.55.222.11 | 192.168.2.3 |
Dec 1, 2021 17:19:09.097637892 CET | 443 | 49806 | 46.55.222.11 | 192.168.2.3 |
Dec 1, 2021 17:19:09.097688913 CET | 49806 | 443 | 192.168.2.3 | 46.55.222.11 |
Dec 1, 2021 17:19:09.097750902 CET | 49806 | 443 | 192.168.2.3 | 46.55.222.11 |
Dec 1, 2021 17:19:09.104707003 CET | 49806 | 443 | 192.168.2.3 | 46.55.222.11 |
Dec 1, 2021 17:19:09.104743958 CET | 443 | 49806 | 46.55.222.11 | 192.168.2.3 |
HTTP Request Dependency Graph |
---|
HTTPS Proxied Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49806 | 46.55.222.11 | 443 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-12-01 16:19:08 UTC | 0 | OUT | |
2021-12-01 16:19:09 UTC | 0 | IN | |
2021-12-01 16:19:09 UTC | 0 | IN |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 17:15:10 |
Start date: | 01/12/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff70d6e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:15:11 |
Start date: | 01/12/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x330000 |
File size: | 893440 bytes |
MD5 hash: | 72FCD8FB0ADC38ED9050569AD673650E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 17:15:11 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd80000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:15:11 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1340000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 17:15:11 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1340000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 17:15:16 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1340000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 17:15:24 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1340000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 17:16:56 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1340000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 17:16:59 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1340000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 17:17:14 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1340000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:17:18 |
Start date: | 01/12/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff70d6e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:17:19 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x13b0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:17:20 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1340000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:17:28 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x13b0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:17:29 |
Start date: | 01/12/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff70d6e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:17:29 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x13b0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:17:33 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x13b0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:17:38 |
Start date: | 01/12/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff70d6e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:17:56 |
Start date: | 01/12/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff70d6e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:18:06 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1340000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
General |
---|
Start time: | 17:18:16 |
Start date: | 01/12/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff70d6e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Disassembly |
---|
Code Analysis |
---|