Windows
Analysis Report
Scan.api
Overview
General Information
Detection
Score: | 26 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
Analysis Advice
Sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior |
Sample crashes during execution; try analyzing it on another analysis machine |
- System is w10x64
- loaddll32.exe (PID: 6256 cmdline: loaddll32.exe "C:\Users\user\Desktop\Scan.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
  - cmd.exe (PID: 6264 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    - rundll32.exe (PID: 6284 cmdline: rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  - regsvr32.exe (PID: 6272 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Scan.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  - rundll32.exe (PID: 6292 cmdline: rundll32.exe C:\Users\user\Desktop\Scan.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  - rundll32.exe (PID: 6364 cmdline: rundll32.exe C:\Users\user\Desktop\Scan.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  - rundll32.exe (PID: 6384 cmdline: rundll32.exe C:\Users\user\Desktop\Scan.dll,PlugInMain MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    - WerFault.exe (PID: 6488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6384 -s 680 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
System Summary |
---|
Source: | Author: Florian Roth: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: |
Source: | File read: | ||
Source: | File read: |
Source: | Static file information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Process created: |
Source: | Registry key monitored for changes: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Source: | API coverage: |
Source: | Thread delayed: |
Source: | Code function: |
Source: | Process queried: | ||
Source: | Process queried: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Process created: |
Source: | Code function: |
Source: | Code function: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Regsvr32 | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Rundll32 | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 11 Virtualization/Sandbox Evasion | Security Account Manager | 2 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 11 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 612084 |
Start date and time: | 2022-04-20 14:53:38 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 36s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | Scan.api (renamed file extension from api to dll) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 38 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | SUS |
Classification: | sus26.winDLL@14/4@0/0 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.20
- Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, time.windows.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: Scan.dll
Time | Type | Description |
---|---|---|
14:54:53 | API Interceptor | |
14:55:25 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_857268874fb81feb3bb95a5bbe71d6fa48e6822_82810a17_190f7671\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9267713673821354 |
Encrypted: | false |
SSDEEP: | 192:R9ui/0oXaHBUZMX4jed+KH/u7s+S274ItWc:7uiBXyBUZMX4jef/u7s+X4ItWc |
MD5: | 80016EEDD03889DCD069D8CE22085453 |
SHA1: | 3D30BAC1A68A2468659F37992EF118DEBF4333BE |
SHA-256: | 226E4DAF87BE663170BB11AED9329990BA3B3C45E511400C196FFC0F047593CF |
SHA-512: | F3826DEB64A6E0F4B2F7601A25A0CF3CD076D0C5F3E8A04A96D4D1982207ECC589975D9ED53E4AA13F91E44B79D44A75A28B21FEA8F0C0CA83D604FA4906B7CD |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 43014 |
Entropy (8bit): | 2.227445643981794 |
Encrypted: | false |
SSDEEP: | 192:AJ6SOhJsOTu5s7O5Skbgzv+qf8fYvcJzxPM9gelN/zQ/Q+3YtdD:j25LbMv+qf8fDzqqelJBn |
MD5: | DBAD40013C1AFA1118E57E816EBB9648 |
SHA1: | AC5557EE0DEAA86638A500D9E6A6DDEBEF2C0658 |
SHA-256: | 6A1D6F940C841381A31F433A58D6309407408E2A51258AC8A7A15761E65E3B4D |
SHA-512: | 532EE5CD2A8FB3B4C7B4F078999FDE372B3AF5AB4682B6575DCC6351FC28C7875D48B203496B776D6F6EBA640542C9C9D57AE48D80709DF25F93E4F165EA4A35 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8252 |
Entropy (8bit): | 3.691169938962547 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNisJ6K6Y9F6CgmfTFS/+prz89b9HsfTfm:RrlsNii6K6Y/6CgmfTFS/9Mfy |
MD5: | 14C28549EE961DE4BC44C55684660707 |
SHA1: | 63D7322F319FE789A8D7A1DC9391735F66D99208 |
SHA-256: | BB7300F8D88F8DBD7C531D83AA99FC0454AA314416B5E524BCF4CF6BAE560DD5 |
SHA-512: | 79A9AB998663FB13D2A8FBB33301B0BE2B8B78D32DC1EBC81F6FF4C8E799E7D9555707A34B0DF75956F12BF5A105DC9E5EEC72761B0357CFB0973692F6A7CB46 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4638 |
Entropy (8bit): | 4.460272600493463 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zskJgtWI9NJWgc8sqYjiu8fm8M4JCdsIEFj+q8/nXGGYH4SrSpd:uITfiS4grsqYaJK66/YHDWpd |
MD5: | 1A5E2AEB0BEE72B30831DC22E2FD54D9 |
SHA1: | 87A12323C1EBA5CFF374F3A2112E6EC6F27116D2 |
SHA-256: | 779193BB0E5B8A6D21A6CDCE5C1A3883CF14CB9B0BF5FC0D8C46140011A4D96A |
SHA-512: | ADD61A019ABB84B85410BA477BF2D959A9EAC322C6A42B39964942E826EF33F98E19820E9A26A85B2A6F3BB455A8FEA260D78C99F416176ED377AC902B9C93F7 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.978679045996824 |
TrID: | |
File name: | Scan.dll |
File size: | 1282659 |
MD5: | 997e64e4d24d881dd5905f7271976fff |
SHA1: | fd2aadd2aa4089f4cb471b28fc9a17bf13eda4e3 |
SHA256: | 2f09f817d6663b7ca96959e0ef136751099f53047535a99b4eb0cd6347a422d5 |
SHA512: | 74f7dd59160564f01c8d6182b1aa75f5a52ac46b81bbd6c7655e0bd3cc9f2de206dd35bffdefb296074285b7a5bf3a07ff404132a523c6767cc7be6b01e8859d |
SSDEEP: | 24576:JKwEn0T01c19yckPIcRzAPaC3DHzgBAyjK+1FyjpOU:rEn0T01eKIKzAPaCgWSK+1FSL |
TLSH: | B3557B11FA55C42AE6E05970EA3DA7EF45797D300B2140EBF3C43A99A934BE31A32753 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@1..!_..!_..!_..Y...!_.*L[..!_.*L\..!_.*LZ..!_.*L^..!_..!_..!_..I[..!_..I^..!_..!^.. _.cOZ..!_.cO_..!_.cO...!_.cO]..!_.Rich.!_ |
Icon Hash: | 92b1b39b9e9e9ad9 |
Entrypoint: | 0x2f91a9c0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x2f900000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x6251F67F [Sat Apr 9 21:11:27 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 089ca559e81ce694a096450dedbe28a2 |
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007FC400C39667h |
call 00007FC400C3967Ah |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007FC400CD073Fh |
add esp, 0Ch |
pop ebp |
retn 000Ch |
mov ecx, dword ptr [2FA123E4h] |
push esi |
push edi |
mov edi, BB40E64Eh |
mov esi, FFFF0000h |
cmp ecx, edi |
je 00007FC400C39666h |
test esi, ecx |
jne 00007FC400C39688h |
call 00007FC400CD0A8Eh |
mov ecx, eax |
cmp ecx, edi |
jne 00007FC400C39669h |
mov ecx, BB40E64Fh |
jmp 00007FC400C39670h |
test esi, ecx |
jne 00007FC400C3966Ch |
or eax, 00004711h |
shl eax, 10h |
or ecx, eax |
mov dword ptr [2FA123E4h], ecx |
not ecx |
pop edi |
mov dword ptr [2FA123E0h], ecx |
pop esi |
ret |
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+08h], 00000000h |
jne 00007FC400C39669h |
mov byte ptr [2FA2A304h], 00000001h |
call 00007FC400C39689h |
call 00007FC400C3985Dh |
test al, al |
jne 00007FC400C39666h |
xor al, al |
pop ebp |
ret |
call 00007FC400C39850h |
test al, al |
jne 00007FC400C3966Ch |
push 00000000h |
call 00007FC400C39845h |
pop ecx |
jmp 00007FC400C3964Bh |
mov al, 01h |
pop ebp |
ret |
push ebp |
mov ebp, esp |
and dword ptr [2FA2A670h], 00000000h |
sub esp, 24h |
or dword ptr [2FA123F0h], 01h |
push 0000000Ah |
call 00007FC400C3981Ah |
test eax, eax |
je 00007FC400C3980Fh |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xdf830 | 0x80 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdf8b0 | 0x1a4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12b000 | 0x1bce0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x147000 | 0xaab4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd4110 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xd420c | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xd4168 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb8000 | 0x4f8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb6ff6 | 0xb7000 | False | 0.446019573941 | data | 6.55578943265 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0xb8000 | 0x29db2 | 0x29e00 | False | 0.253078358209 | data | 6.3401647093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xe2000 | 0x486c8 | 0x31400 | False | 0.781854774746 | data | 7.43382146663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x12b000 | 0x1bce0 | 0x1be00 | False | 0.33248668722 | data | 6.22052692507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x147000 | 0xaab4 | 0xac00 | False | 0.733148619186 | data | 6.74199501615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
EVEF | 0x131068 | 0xc5c | ASCII text, with CRLF line terminators | English | United States |
EVEF | 0x12f608 | 0x82b | ASCII text, with CRLF line terminators | English | United States |
EVEF | 0x131cc8 | 0x4bb | ASCII text, with CRLF line terminators | English | United States |
EVEF | 0x1328d8 | 0xa4 | ASCII text, with CRLF line terminators | English | United States |
EXTSCHEMA_XMP | 0x12c940 | 0x948 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12e160 | 0x385 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12f258 | 0x3aa | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12fe38 | 0xcd | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12ff08 | 0x3a7 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x1338c0 | 0xfe4 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x1302b0 | 0x3a3 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x130658 | 0x5a6 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12e4e8 | 0xd6d | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x130c00 | 0x467 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12df28 | 0x232 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x132188 | 0x5ed | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x132778 | 0x15d | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x132980 | 0xf3d | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x1348a8 | 0xd70 | ASCII text, with CRLF line terminators | English | United States |
PNGI | 0x145cd8 | 0xe46 | PNG image data, 18 x 17, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x1417c8 | 0xdbb | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x142588 | 0xc9e | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x143228 | 0x357 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x143580 | 0x408 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x143988 | 0x5da | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x143f68 | 0x4e5 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x144bc8 | 0x110f | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x140a90 | 0x643 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x1410d8 | 0x367 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x141440 | 0x386 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x144450 | 0x773 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
REGISTRY | 0x12d288 | 0x222 | ASCII text, with CRLF line terminators | English | United States |
TYPELIB | 0x12d4b0 | 0x708 | data | English | United States |
ZDCT | 0x135618 | 0xe5 | data | English | United States |
ZDCT | 0x135700 | 0xb38a | data | English | United States |
RT_ICON | 0x12bd40 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294964223, next used block 4043309055 | English | United States |
RT_ICON | 0x12c040 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2147516416, next used block 126386176 | English | United States |
RT_ICON | 0x12c340 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2566914048, next used block 2576980377 | English | United States |
RT_ICON | 0x12c640 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 8452095, next used block 4043308807 | English | United States |
RT_RCDATA | 0x146b20 | 0x80 | data | English | United States |
RT_RCDATA | 0x146ba0 | 0x40 | data | English | United States |
RT_RCDATA | 0x146be0 | 0x80 | data | English | United States |
RT_RCDATA | 0x146c60 | 0x80 | data | English | United States |
RT_GROUP_ICON | 0x12c928 | 0x14 | data | English | United States |
RT_GROUP_ICON | 0x12c028 | 0x14 | data | English | United States |
RT_GROUP_ICON | 0x12c628 | 0x14 | data | English | United States |
RT_GROUP_ICON | 0x12c328 | 0x14 | data | English | United States |
RT_VERSION | 0x12dbb8 | 0x36c | data | English | United States |
DLL | Import |
---|---|
USER32.dll | SetActiveWindow, SendMessageA, FindWindowA, CharNextW, CharNextA, SetForegroundWindow, UnregisterClassA, GetPropW, GetFocus, GetWindowRect, TranslateMessage, DispatchMessageA, PeekMessageA, ShowWindow, MoveWindow, SetFocus, MsgWaitForMultipleObjects, PostThreadMessageA, ValidateRgn, ValidateRect, EndPaint, BeginPaint, DestroyWindow, CreateWindowExA, RegisterClassA, DefWindowProcA, GetMessageA, SetPropW |
GDI32.dll | CreateDIBSection, SelectObject, DeleteObject, EnumFontsA, DeleteDC, CreateCompatibleDC |
ADVAPI32.dll | RegQueryValueExW, RegSetValueExA, RegQueryInfoKeyW, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegQueryValueExA, RegCreateKeyA, RegOpenKeyExW, RegCloseKey |
KERNEL32.dll | CreateFileA, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, LoadLibraryA, WaitForSingleObject, SleepConditionVariableCS, InitializeCriticalSection, WakeAllConditionVariable, CloseHandle, WaitForSingleObjectEx, InitOnceExecuteOnce, QueryPerformanceCounter, IsDBCSLeadByte, WideCharToMultiByte, MultiByteToWideChar, lstrcmpiA, LoadLibraryExA, FreeLibrary, LeaveCriticalSection, GetWindowsDirectoryA, GlobalSize, GetDiskFreeSpaceExW, GetTempFileNameW, SetEvent, ResetEvent, ReleaseMutex, CreateMutexA, CreateEventA, CreateThread, OpenEventA, CreateEventW, UnhandledExceptionFilter, OutputDebugStringW, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, InitializeConditionVariable, GetLongPathNameA, IsValidLocale, DeleteFileW, GetTempPathW, GetLongPathNameW, LoadResource, LockResource, SizeofResource, FindResourceA, Sleep, lstrcatA, GetModuleFileNameA, OutputDebugStringA, FreeResource, GetACP, lstrcpyA, lstrlenA, GetTickCount, DisableThreadLibraryCalls, FindAtomW, DecodePointer, RaiseException, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, LoadLibraryW, EnterCriticalSection |
SHELL32.dll | ShellExecuteExA |
ole32.dll | CLSIDFromProgID, CoRegisterClassObject, CoRevokeClassObject, CoResumeClassObjects, CoCreateInstanceEx, StringFromGUID2, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, CoCreateInstance |
OLEAUT32.dll | UnRegisterTypeLib, RegisterTypeLib, LoadRegTypeLib, LoadTypeLib, VarUI4FromStr, SysStringLen, SysAllocString, SysFreeString |
MSVCP140.dll | ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z, ?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Fiopen@std@@YAPAU_iobuf@@PBGHH@Z, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?always_noconv@codecvt_base@std@@QBE_NXZ, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ??Bid@locale@std@@QAEIXZ, ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@H@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@G@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?_Xlength_error@std@@YAXPBD@Z, ?_Xout_of_range@std@@YAXPBD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z, _Thrd_join, _Thrd_hardware_concurrency, _Thrd_id, _Cnd_do_broadcast_at_thread_exit, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exception@std@@YA_NXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z |
VCRUNTIME140.dll | _purecall, __std_terminate, __std_exception_copy, __std_exception_destroy, _CxxThrowException, __CxxFrameHandler3, memset, _except_handler4_common, memmove, memcpy, __std_type_info_destroy_list, __current_exception_context, memchr, strchr, strrchr, strstr, __RTDynamicCast, __current_exception |
api-ms-win-crt-runtime-l1-1-0.dll | _beginthreadex, abort, terminate, _invalid_parameter_noinfo_noreturn, _errno, _initterm_e, _invalid_parameter_noinfo, _resetstkoflw, _initterm, _seh_filter_dll, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _execute_onexit_table, _crt_atexit, _cexit, _set_invalid_parameter_handler |
api-ms-win-crt-string-l1-1-0.dll | wcsncpy_s, _strnicmp, wcscpy_s, strtok, isalnum, strpbrk, strlen, tolower, isdigit, strcat_s, isalpha, strncmp, strcpy_s, _stricmp, wcscat_s |
api-ms-win-crt-stdio-l1-1-0.dll | ungetc, fwrite, putc, setvbuf, _fseeki64, fread, fsetpos, fgetpos, fflush, _get_stream_buffer_pointers, _wfopen_s, __stdio_common_vfprintf, fopen, fclose, fgetc, __stdio_common_vsprintf, fputc, _write, _open, _close, __stdio_common_vsprintf_s, __stdio_common_vfscanf |
api-ms-win-crt-math-l1-1-0.dll | floor, ceil, _libm_sse2_cos_precise, _libm_sse2_sin_precise, lround, _libm_sse2_log10_precise, _libm_sse2_sqrt_precise, _libm_sse2_pow_precise |
api-ms-win-crt-convert-l1-1-0.dll | mbstowcs, wcstombs_s, atof, wcstombs, atoi, _itoa |
api-ms-win-crt-time-l1-1-0.dll | clock |
api-ms-win-crt-heap-l1-1-0.dll | free, malloc, _recalloc, _callnewh |
api-ms-win-crt-multibyte-l1-1-0.dll | _mbsstr, _mbsnbcpy_s |
api-ms-win-crt-filesystem-l1-1-0.dll | _lock_file, _unlock_file |
api-ms-win-crt-environment-l1-1-0.dll | getenv |
api-ms-win-crt-utility-l1-1-0.dll | rand |
Name | Ordinal | Address |
---|---|---|
DllRegisterServer | 6 | 0x2f96aa30 |
DllUnregisterServer | 7 | 0x2f96aae0 |
PlugInMain | 5 | 0x2f91af80 |
Description | Data |
---|---|
LegalCopyright | Copyright 1984-2021 Adobe Systems Incorporated and its licensors. All rights reserved. |
FileVersion | 17.12.30229.10229 |
CompanyName | Adobe Systems Incorporated |
ProductName | Adobe Acrobat |
ProductVersion | 17.12.30229.10229 |
FileDescription | Adobe Acrobat Scan Plug-in |
OriginalFilename | Scan.api |
Translation | 0x0409 0x04e4 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Target ID: | 0 |
Start time: | 14:54:42 |
Start date: | 20/04/2022 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1270000 |
File size: | 116736 bytes |
MD5 hash: | 7DEB5DB86C0AC789123DEC286286B938 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 1 |
Start time: | 14:54:42 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1190000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 2 |
Start time: | 14:54:42 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x130000 |
File size: | 20992 bytes |
MD5 hash: | 426E7499F6A7346F0410DEAD0805586B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 3 |
Start time: | 14:54:43 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc60000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 4 |
Start time: | 14:54:43 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc60000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 5 |
Start time: | 14:54:46 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc60000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 6 |
Start time: | 14:54:50 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc60000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 9 |
Start time: | 14:54:52 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3f0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |