Windows
Analysis Report
Scan.dll
Overview
General Information
Detection
Score: | 25 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
Analysis Advice
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
Sample crashes during execution; try analysing it on another analysis machine.
Both observations are consistent with an Acrobat plug-in (OriginalFilename Scan.api, export PlugInMain) being exercised without its host application: the WerFault.exe entry in the process tree targets PID 6136, the rundll32.exe instance that called PlugInMain.
- System is w10x64
- loaddll32.exe (PID: 6180, cmdline: loaddll32.exe "C:\Users\user\Desktop\Scan.dll", MD5: 7DEB5DB86C0AC789123DEC286286B938)
  - cmd.exe (PID: 2912, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    - rundll32.exe (PID: 5520, cmdline: rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  - regsvr32.exe (PID: 4852, cmdline: regsvr32.exe /s C:\Users\user\Desktop\Scan.dll, MD5: 426E7499F6A7346F0410DEAD0805586B)
  - rundll32.exe (PID: 4916, cmdline: rundll32.exe C:\Users\user\Desktop\Scan.dll,DllRegisterServer, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  - rundll32.exe (PID: 6616, cmdline: rundll32.exe C:\Users\user\Desktop\Scan.dll,DllUnregisterServer, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  - rundll32.exe (PID: 6136, cmdline: rundll32.exe C:\Users\user\Desktop\Scan.dll,PlugInMain, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    - WerFault.exe (PID: 2356, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 680, MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
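The process tree above is how the sandbox exercises a DLL: loaddll32.exe drives rundll32.exe for ordinal #1 and each named export, and regsvr32.exe /s for DllRegisterServer; a WerFault.exe child with -p <pid> names the process that crashed. The following helper, an added example that is not part of the Joe Sandbox report, maps that WerFault entry back to the export being called. The process lines are constructed from the tree (same PIDs, command lines and MD5s); the regsvr32 mapping (DllRegisterServer, or DllUnregisterServer with /u) is standard regsvr32 behaviour and not stated on the page.

```python
"""Attribute a WerFault crash report to the DLL export that was being exercised.

Added example, not part of the Joe Sandbox report. PROCESS_LINES is constructed
from the report's process tree; the parsing assumes the "image (PID: n cmdline: ...
MD5: ...)" layout used there.
"""
import re

PROCESS_LINES = [
    'loaddll32.exe (PID: 6180 cmdline: loaddll32.exe "C:\\Users\\user\\Desktop\\Scan.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)',
    'cmd.exe (PID: 2912 cmdline: cmd.exe /C rundll32.exe "C:\\Users\\user\\Desktop\\Scan.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)',
    'rundll32.exe (PID: 5520 cmdline: rundll32.exe "C:\\Users\\user\\Desktop\\Scan.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)',
    'regsvr32.exe (PID: 4852 cmdline: regsvr32.exe /s C:\\Users\\user\\Desktop\\Scan.dll MD5: 426E7499F6A7346F0410DEAD0805586B)',
    'rundll32.exe (PID: 4916 cmdline: rundll32.exe C:\\Users\\user\\Desktop\\Scan.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)',
    'rundll32.exe (PID: 6616 cmdline: rundll32.exe C:\\Users\\user\\Desktop\\Scan.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)',
    'rundll32.exe (PID: 6136 cmdline: rundll32.exe C:\\Users\\user\\Desktop\\Scan.dll,PlugInMain MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)',
    'WerFault.exe (PID: 2356 cmdline: C:\\Windows\\SysWOW64\\WerFault.exe -u -p 6136 -s 680 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)',
]

PROC_RE = re.compile(
    r'^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*?) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$')
# rundll32 syntax is <dll>,<export>; the export is either a name or #ordinal
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.I)
# WerFault is launched with -p <pid of the faulting process>
WERFAULT_RE = re.compile(r'WerFault\.exe\b.*?\s-p\s+(?P<pid>\d+)', re.I)


def parse_processes(lines):
    """{pid: (image, cmdline, md5)} for every line in the process-tree format."""
    procs = {}
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            procs[int(m.group('pid'))] = (m.group('image'), m.group('cmd'), m.group('md5'))
    return procs


def export_under_test(cmdline):
    """Which DLL export a rundll32/regsvr32 command line calls, or None."""
    m = RUNDLL_RE.search(cmdline)
    if m:
        return m.group('export')
    args = cmdline.lower().split()
    if args and args[0].endswith('regsvr32.exe'):
        # regsvr32 calls DllRegisterServer, or DllUnregisterServer when /u is given
        return 'DllUnregisterServer' if '/u' in args else 'DllRegisterServer'
    return None


def crashed_exports(lines):
    """[(crashed_pid, export)] for every WerFault -p <pid> found in the process list."""
    procs = parse_processes(lines)
    hits = []
    for _pid, (_image, cmd, _md5) in procs.items():
        w = WERFAULT_RE.search(cmd)
        if not w:
            continue
        target = int(w.group('pid'))
        # None when the faulting process is not in the analysed list (e.g. whitelisted)
        export = export_under_test(procs[target][1]) if target in procs else None
        hits.append((target, export))
    return hits


if __name__ == '__main__':
    for pid, export in crashed_exports(PROCESS_LINES):
        print(f'PID {pid} crashed while calling export {export}')
```

On the report's tree this resolves the crash to PlugInMain, the only export the sandbox called that is not a COM registration entry point; the rundll32 runs for #1, DllRegisterServer and DllUnregisterServer have no WerFault child.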
System Summary
Source: Author: Florian Roth (rule match; the rule name and the matched value are not included in this light report)
The remaining signature rows of this light report retain only their source column; the signature text and matched values are empty. Rows by source: Static PE information (17), Binary string (2), String found in binary or memory (7), Binary or memory string (1), Process created (18), Section loaded (1), Code function (29), Key opened (1), Mutant created (1), File created (1), Classification label (1), File read (2), Static file information (1), Process information set (26), API coverage (1), Thread delayed (1), Process queried (2).
MITRE ATT&CK Matrix (a number in front of a technique is the count of signatures that matched it; unnumbered cells are the matrix's unmatched placeholders)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Regsvr32 | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Rundll32 | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 11 Virtualization/Sandbox Evasion | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
URL and domain reputation (the URL and name columns are not included in this light report): two URLs were scored 0% (Avira URL Cloud: safe; URL Reputation: safe). Eight names were checked; none was flagged malicious, six carry reputation high and two unknown, and the Antivirus Detection column is empty for all of them.
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 612084 |
Start date and time: | 2022-04-20 15:03:23 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 3s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | Scan.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 26 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | SUS |
Classification: | sus25.winDLL@14/4@0/0 |
EGA Information: |
HDC Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 20.42.73.29
- Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
- Not all processes were analyzed; the report is missing behavior information
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_857268874fb81feb3bb95a5bbe71d6fa48e6822_82810a17_09097fb6\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9274815221163117 |
Encrypted: | false |
SSDEEP: | 192:jvEfiv0oXVHBUZMX4jed+3n/u7srS274ItWc:7EfiRXFBUZMX4jeS/u7srX4ItWc |
MD5: | 77B2468461629231907F828F0D24D40F |
SHA1: | 3BEBFBB9C9417F81F7C90220267A6B096505DE8E |
SHA-256: | 26685C4506AB85D229774025EA2BB35F0B52A38E77AC4D0FA65D8BD3AE29E71A |
SHA-512: | F8B0043AC95679415E0AD71712497D42F42A4126717EE6664B9AD65DE73FAFE3409EF566EBAE0684A7E6F31D61E730611B8A825976E666A7F74898F8234761D9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 51226 |
Entropy (8bit): | 2.010910473628768 |
Encrypted: | false |
SSDEEP: | 192:tM+64SW972lwBO5Skbp8PiIsEziph0nSbxU1QzhDiGaAZaXU/MG4rOWJbpns:7Ky05LbKPXs2iph0nSbSQVObAtWOMJ |
MD5: | 685B2B4D8E1EFCAEBFB4C9F7233D66D4 |
SHA1: | 4648F6B3F65CCD718803E5E2AD45DB0EF8FED813 |
SHA-256: | F3BAA968656EAB289A4B868D323D2AF2BCAD50C1F32E8921108DAAFF629C55B7 |
SHA-512: | AED669365DE9D9C444AB19961346C1AD4D8B8C8EFF86972246684271B1C52F52FD6643E9F285FF57B55B7C433E1C4C9A12FB75E6836C2EF08799DAE114E99C79 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8276 |
Entropy (8bit): | 3.6922283824903093 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiX56Lel76YFr6F5pGgmfTFSwCprq89b50Fsf0+Tm:RrlsNip6Le56Y560gmfTFSb50efe |
MD5: | 91861666C1EB1967AFAF2A0F09A293BB |
SHA1: | 0B4C5E865120F67E6494615683C75752FB0ABDA0 |
SHA-256: | D3308241D477CF8185C81F4D8C4BC1E20753B9A308B35CBEE16AEE15D2EF08C4 |
SHA-512: | 035FA71B0E88BE311C2ADD982F64E3CAA4A5F3A84326F2976DAAA311544AA68522CD92B4141D38DFD4D9E7BA3577B3D392684042CCC051445BAD267FAC11796F |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4638 |
Entropy (8bit): | 4.459099232012371 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs2JgtWI9SEWgc8sqYjd8fm8M4JCdsIEFJ+q8/nXC4SrSDd:uITfMFdgrsqYOJK86yDWDd |
MD5: | EF2D6487C0E44992FE0A0827C62CB076 |
SHA1: | 7AD46F19B16CDB5AF23F6ADBF72A8B53B34EACBA |
SHA-256: | BFF215ECDED5398EA0AE28DE7FF3C0608C32DB274262881C3A8F6B3773A044C7 |
SHA-512: | 66649566880A22285565CAB1E0D649847E812BA0F3DA13B48623DB688A0BB02CED4F4318B184B234EF8234D742B72F40B589283D037402081E01BAD37CACB38F |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.978679045996824 |
TrID: |
File name: | Scan.dll |
File size: | 1282659 |
MD5: | 997e64e4d24d881dd5905f7271976fff |
SHA1: | fd2aadd2aa4089f4cb471b28fc9a17bf13eda4e3 |
SHA256: | 2f09f817d6663b7ca96959e0ef136751099f53047535a99b4eb0cd6347a422d5 |
SHA512: | 74f7dd59160564f01c8d6182b1aa75f5a52ac46b81bbd6c7655e0bd3cc9f2de206dd35bffdefb296074285b7a5bf3a07ff404132a523c6767cc7be6b01e8859d |
SSDEEP: | 24576:JKwEn0T01c19yckPIcRzAPaC3DHzgBAyjK+1FyjpOU:rEn0T01eKIKzAPaCgWSK+1FSL |
TLSH: | B3557B11FA55C42AE6E05970EA3DA7EF45797D300B2140EBF3C43A99A934BE31A32753 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@1..!_..!_..!_..Y...!_.*L[..!_.*L\..!_.*LZ..!_.*L^..!_..!_..!_..I[..!_..I^..!_..!^.. _.cOZ..!_.cO_..!_.cO...!_.cO]..!_.Rich.!_ |
Icon Hash: | 92b1b39b9e9e9ad9 |
Entrypoint: | 0x2f91a9c0 |
Entrypoint Section: | .text |
Digitally signed: | false (no IMAGE_DIRECTORY_ENTRY_SECURITY entry, so the Adobe CompanyName and ProductName strings in the version resource are unauthenticated and are not evidence of origin) |
Imagebase: | 0x2f900000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x6251F67F [Sat Apr 9 21:11:27 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 089ca559e81ce694a096450dedbe28a2 |
Instruction (entrypoint disassembly at 0x2f91a9c0; the cmp dword ptr [ebp+0Ch], 01h test of fdwReason against DLL_PROCESS_ATTACH and the BB40E64Eh default security-cookie constant identify this as the MSVC _DllMainCRTStartup and __security_init_cookie stub rather than custom code) |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007FE0E0C351E7h |
call 00007FE0E0C351FAh |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007FE0E0CCC2BFh |
add esp, 0Ch |
pop ebp |
retn 000Ch |
mov ecx, dword ptr [2FA123E4h] |
push esi |
push edi |
mov edi, BB40E64Eh |
mov esi, FFFF0000h |
cmp ecx, edi |
je 00007FE0E0C351E6h |
test esi, ecx |
jne 00007FE0E0C35208h |
call 00007FE0E0CCC60Eh |
mov ecx, eax |
cmp ecx, edi |
jne 00007FE0E0C351E9h |
mov ecx, BB40E64Fh |
jmp 00007FE0E0C351F0h |
test esi, ecx |
jne 00007FE0E0C351ECh |
or eax, 00004711h |
shl eax, 10h |
or ecx, eax |
mov dword ptr [2FA123E4h], ecx |
not ecx |
pop edi |
mov dword ptr [2FA123E0h], ecx |
pop esi |
ret |
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+08h], 00000000h |
jne 00007FE0E0C351E9h |
mov byte ptr [2FA2A304h], 00000001h |
call 00007FE0E0C35209h |
call 00007FE0E0C353DDh |
test al, al |
jne 00007FE0E0C351E6h |
xor al, al |
pop ebp |
ret |
call 00007FE0E0C353D0h |
test al, al |
jne 00007FE0E0C351ECh |
push 00000000h |
call 00007FE0E0C353C5h |
pop ecx |
jmp 00007FE0E0C351CBh |
mov al, 01h |
pop ebp |
ret |
push ebp |
mov ebp, esp |
and dword ptr [2FA2A670h], 00000000h |
sub esp, 24h |
or dword ptr [2FA123F0h], 01h |
push 0000000Ah |
call 00007FE0E0C3539Ah |
test eax, eax |
je 00007FE0E0C3538Fh |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xdf830 | 0x80 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdf8b0 | 0x1a4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12b000 | 0x1bce0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x147000 | 0xaab4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd4110 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xd420c | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xd4168 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb8000 | 0x4f8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb6ff6 | 0xb7000 | False | 0.446019573941 | data | 6.55578943265 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0xb8000 | 0x29db2 | 0x29e00 | False | 0.253078358209 | data | 6.3401647093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xe2000 | 0x486c8 | 0x31400 | False | 0.781854774746 | data | 7.43382146663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x12b000 | 0x1bce0 | 0x1be00 | False | 0.33248668722 | data | 6.22052692507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x147000 | 0xaab4 | 0xac00 | False | 0.733148619186 | data | 6.74199501615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
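The data-directory and section tables above support a handful of consistency checks that are worth automating when reading many of these reports: each directory RVA should land in the section the report names, the entrypoint should lie in an executable section, the header timestamp should decode to a plausible date, a section's virtual size beyond its raw size is loader-zeroed data, and an empty SECURITY directory means no Authenticode signature. The script below is an added example, not part of the Joe Sandbox report; its constants are copied from the tables above, and the 0x1000 section alignment is an assumption (the report does not list it).

```python
"""Consistency checks over the static PE fields of a sandbox report.

Added example, not part of the Joe Sandbox report. SECTIONS, DIRECTORIES,
IMAGE_BASE, ENTRYPOINT_VA and TIMESTAMP are copied from the report's tables;
SECTION_ALIGNMENT is assumed to be the usual 0x1000 since the report omits it.
"""
from datetime import datetime, timezone

IMAGE_BASE = 0x2f900000
ENTRYPOINT_VA = 0x2f91a9c0
TIMESTAMP = 0x6251F67F
SECTION_ALIGNMENT = 0x1000  # assumption, not listed in the report
ANALYSIS_START = datetime(2022, 4, 20, 13, 3, 23, tzinfo=timezone.utc)  # 15:03:23 +02:00

# name, virtual address (RVA), virtual size, raw size, characteristics
SECTIONS = [
    ('.text',  0x1000,   0xb6ff6, 0xb7000, {'EXECUTE', 'CODE', 'READ'}),
    ('.rdata', 0xb8000,  0x29db2, 0x29e00, {'INITIALIZED_DATA', 'READ'}),
    ('.data',  0xe2000,  0x486c8, 0x31400, {'INITIALIZED_DATA', 'WRITE', 'READ'}),
    ('.rsrc',  0x12b000, 0x1bce0, 0x1be00, {'INITIALIZED_DATA', 'READ'}),
    ('.reloc', 0x147000, 0xaab4,  0xac00,  {'INITIALIZED_DATA', 'DISCARDABLE', 'READ'}),
]

# data directory -> (RVA, size); an all-zero entry means the directory is absent
DIRECTORIES = {
    'EXPORT': (0xdf830, 0x80),
    'IMPORT': (0xdf8b0, 0x1a4),
    'RESOURCE': (0x12b000, 0x1bce0),
    'SECURITY': (0x0, 0x0),
    'BASERELOC': (0x147000, 0xaab4),
    'DEBUG': (0xd4110, 0x54),
    'TLS': (0xd420c, 0x18),
    'LOAD_CONFIG': (0xd4168, 0x40),
    'IAT': (0xb8000, 0x4f8),
}


def _align_up(value, alignment=SECTION_ALIGNMENT):
    return (value + alignment - 1) & ~(alignment - 1)


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose mapped range contains rva, or None (headers, gaps)."""
    for name, va, vsize, _raw, _chars in sections:
        if va <= rva < va + _align_up(vsize):
            return name
    return None


def directory_sections(dirs=DIRECTORIES, sections=SECTIONS):
    """Mirror of the report's 'Is in Section' column; None for absent directories."""
    return {name: section_for_rva(rva, sections) if size else None
            for name, (rva, size) in dirs.items()}


def entrypoint_is_code(ep_va=ENTRYPOINT_VA, base=IMAGE_BASE, sections=SECTIONS):
    """True when the entrypoint lies in an executable section; anything else is a red flag."""
    name = section_for_rva(ep_va - base, sections)
    chars = {s[0]: s[4] for s in sections}
    return name is not None and 'EXECUTE' in chars[name]


def compile_time(ts=TIMESTAMP):
    """Decode the PE TimeDateStamp (seconds since the Unix epoch, UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_plausible(ts=TIMESTAMP, analysed_at=ANALYSIS_START):
    """A compile time after the analysis, or before PE existed, is a tampering indicator."""
    return datetime(1993, 1, 1, tzinfo=timezone.utc) <= compile_time(ts) <= analysed_at


def uninitialized_bytes(name, sections=SECTIONS):
    """Virtual size beyond raw size: zero-filled by the loader (.bss-style data).
    A large value in an executable section is typical of an unpacking stub."""
    for sname, _va, vsize, raw, _chars in sections:
        if sname == name:
            return max(0, vsize - raw)
    raise KeyError(name)


def has_authenticode(dirs=DIRECTORIES):
    """The certificate table lives in IMAGE_DIRECTORY_ENTRY_SECURITY; size 0 means unsigned."""
    return dirs['SECURITY'][1] > 0


if __name__ == '__main__':
    print(directory_sections())
    print('entrypoint in code:', entrypoint_is_code())
    print('compiled:', compile_time().isoformat(), 'plausible:', timestamp_plausible())
    print('.data zero-filled bytes:', hex(uninitialized_bytes('.data')))
    print('authenticode:', has_authenticode())
```

For this sample every check is unremarkable: all directories land in the sections the report names, the entrypoint is in .text, the timestamp decodes to the Sat Apr 9 21:11:27 2022 UTC shown in the header table and precedes the analysis date, only .data carries loader-zeroed bytes, and the missing SECURITY directory is what the "Digitally signed: false" line reports.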
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
EVEF | 0x131068 | 0xc5c | ASCII text, with CRLF line terminators | English | United States |
EVEF | 0x12f608 | 0x82b | ASCII text, with CRLF line terminators | English | United States |
EVEF | 0x131cc8 | 0x4bb | ASCII text, with CRLF line terminators | English | United States |
EVEF | 0x1328d8 | 0xa4 | ASCII text, with CRLF line terminators | English | United States |
EXTSCHEMA_XMP | 0x12c940 | 0x948 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12e160 | 0x385 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12f258 | 0x3aa | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12fe38 | 0xcd | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12ff08 | 0x3a7 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x1338c0 | 0xfe4 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x1302b0 | 0x3a3 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x130658 | 0x5a6 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12e4e8 | 0xd6d | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x130c00 | 0x467 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x12df28 | 0x232 | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x132188 | 0x5ed | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x132778 | 0x15d | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x132980 | 0xf3d | ASCII text, with CRLF line terminators | English | United States |
EXVW | 0x1348a8 | 0xd70 | ASCII text, with CRLF line terminators | English | United States |
PNGI | 0x145cd8 | 0xe46 | PNG image data, 18 x 17, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x1417c8 | 0xdbb | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x142588 | 0xc9e | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x143228 | 0x357 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x143580 | 0x408 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x143988 | 0x5da | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x143f68 | 0x4e5 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x144bc8 | 0x110f | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x140a90 | 0x643 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x1410d8 | 0x367 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x141440 | 0x386 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States |
PNGI | 0x144450 | 0x773 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States |
REGISTRY | 0x12d288 | 0x222 | ASCII text, with CRLF line terminators | English | United States |
TYPELIB | 0x12d4b0 | 0x708 | data | English | United States |
ZDCT | 0x135618 | 0xe5 | data | English | United States |
ZDCT | 0x135700 | 0xb38a | data | English | United States |
RT_ICON | 0x12bd40 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294964223, next used block 4043309055 | English | United States |
RT_ICON | 0x12c040 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2147516416, next used block 126386176 | English | United States |
RT_ICON | 0x12c340 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2566914048, next used block 2576980377 | English | United States |
RT_ICON | 0x12c640 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 8452095, next used block 4043308807 | English | United States |
RT_RCDATA | 0x146b20 | 0x80 | data | English | United States |
RT_RCDATA | 0x146ba0 | 0x40 | data | English | United States |
RT_RCDATA | 0x146be0 | 0x80 | data | English | United States |
RT_RCDATA | 0x146c60 | 0x80 | data | English | United States |
RT_GROUP_ICON | 0x12c928 | 0x14 | data | English | United States |
RT_GROUP_ICON | 0x12c028 | 0x14 | data | English | United States |
RT_GROUP_ICON | 0x12c628 | 0x14 | data | English | United States |
RT_GROUP_ICON | 0x12c328 | 0x14 | data | English | United States |
RT_VERSION | 0x12dbb8 | 0x36c | data | English | United States |
DLL | Import |
---|---|
USER32.dll | SetActiveWindow, SendMessageA, FindWindowA, CharNextW, CharNextA, SetForegroundWindow, UnregisterClassA, GetPropW, GetFocus, GetWindowRect, TranslateMessage, DispatchMessageA, PeekMessageA, ShowWindow, MoveWindow, SetFocus, MsgWaitForMultipleObjects, PostThreadMessageA, ValidateRgn, ValidateRect, EndPaint, BeginPaint, DestroyWindow, CreateWindowExA, RegisterClassA, DefWindowProcA, GetMessageA, SetPropW |
GDI32.dll | CreateDIBSection, SelectObject, DeleteObject, EnumFontsA, DeleteDC, CreateCompatibleDC |
ADVAPI32.dll | RegQueryValueExW, RegSetValueExA, RegQueryInfoKeyW, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegQueryValueExA, RegCreateKeyA, RegOpenKeyExW, RegCloseKey |
KERNEL32.dll | CreateFileA, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, LoadLibraryA, WaitForSingleObject, SleepConditionVariableCS, InitializeCriticalSection, WakeAllConditionVariable, CloseHandle, WaitForSingleObjectEx, InitOnceExecuteOnce, QueryPerformanceCounter, IsDBCSLeadByte, WideCharToMultiByte, MultiByteToWideChar, lstrcmpiA, LoadLibraryExA, FreeLibrary, LeaveCriticalSection, GetWindowsDirectoryA, GlobalSize, GetDiskFreeSpaceExW, GetTempFileNameW, SetEvent, ResetEvent, ReleaseMutex, CreateMutexA, CreateEventA, CreateThread, OpenEventA, CreateEventW, UnhandledExceptionFilter, OutputDebugStringW, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, InitializeConditionVariable, GetLongPathNameA, IsValidLocale, DeleteFileW, GetTempPathW, GetLongPathNameW, LoadResource, LockResource, SizeofResource, FindResourceA, Sleep, lstrcatA, GetModuleFileNameA, OutputDebugStringA, FreeResource, GetACP, lstrcpyA, lstrlenA, GetTickCount, DisableThreadLibraryCalls, FindAtomW, DecodePointer, RaiseException, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, LoadLibraryW, EnterCriticalSection |
SHELL32.dll | ShellExecuteExA |
ole32.dll | CLSIDFromProgID, CoRegisterClassObject, CoRevokeClassObject, CoResumeClassObjects, CoCreateInstanceEx, StringFromGUID2, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, CoCreateInstance |
OLEAUT32.dll | UnRegisterTypeLib, RegisterTypeLib, LoadRegTypeLib, LoadTypeLib, VarUI4FromStr, SysStringLen, SysAllocString, SysFreeString |
MSVCP140.dll | ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z, ?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Fiopen@std@@YAPAU_iobuf@@PBGHH@Z, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?always_noconv@codecvt_base@std@@QBE_NXZ, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ??Bid@locale@std@@QAEIXZ, ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@H@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@G@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?_Xlength_error@std@@YAXPBD@Z, ?_Xout_of_range@std@@YAXPBD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z, _Thrd_join, _Thrd_hardware_concurrency, _Thrd_id, _Cnd_do_broadcast_at_thread_exit, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exception@std@@YA_NXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z |
VCRUNTIME140.dll | _purecall, __std_terminate, __std_exception_copy, __std_exception_destroy, _CxxThrowException, __CxxFrameHandler3, memset, _except_handler4_common, memmove, memcpy, __std_type_info_destroy_list, __current_exception_context, memchr, strchr, strrchr, strstr, __RTDynamicCast, __current_exception |
api-ms-win-crt-runtime-l1-1-0.dll | _beginthreadex, abort, terminate, _invalid_parameter_noinfo_noreturn, _errno, _initterm_e, _invalid_parameter_noinfo, _resetstkoflw, _initterm, _seh_filter_dll, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _execute_onexit_table, _crt_atexit, _cexit, _set_invalid_parameter_handler |
api-ms-win-crt-string-l1-1-0.dll | wcsncpy_s, _strnicmp, wcscpy_s, strtok, isalnum, strpbrk, strlen, tolower, isdigit, strcat_s, isalpha, strncmp, strcpy_s, _stricmp, wcscat_s |
api-ms-win-crt-stdio-l1-1-0.dll | ungetc, fwrite, putc, setvbuf, _fseeki64, fread, fsetpos, fgetpos, fflush, _get_stream_buffer_pointers, _wfopen_s, __stdio_common_vfprintf, fopen, fclose, fgetc, __stdio_common_vsprintf, fputc, _write, _open, _close, __stdio_common_vsprintf_s, __stdio_common_vfscanf |
api-ms-win-crt-math-l1-1-0.dll | floor, ceil, _libm_sse2_cos_precise, _libm_sse2_sin_precise, lround, _libm_sse2_log10_precise, _libm_sse2_sqrt_precise, _libm_sse2_pow_precise |
api-ms-win-crt-convert-l1-1-0.dll | mbstowcs, wcstombs_s, atof, wcstombs, atoi, _itoa |
api-ms-win-crt-time-l1-1-0.dll | clock |
api-ms-win-crt-heap-l1-1-0.dll | free, malloc, _recalloc, _callnewh |
api-ms-win-crt-multibyte-l1-1-0.dll | _mbsstr, _mbsnbcpy_s |
api-ms-win-crt-filesystem-l1-1-0.dll | _lock_file, _unlock_file |
api-ms-win-crt-environment-l1-1-0.dll | getenv |
api-ms-win-crt-utility-l1-1-0.dll | rand |
Name | Ordinal | Address |
---|---|---|
DllRegisterServer | 6 | 0x2f96aa30 |
DllUnregisterServer | 7 | 0x2f96aae0 |
PlugInMain | 5 | 0x2f91af80 |
Description | Data |
---|---|
LegalCopyright | Copyright 1984-2021 Adobe Systems Incorporated and its licensors. All rights reserved. |
FileVersion | 17.12.30229.10229 |
CompanyName | Adobe Systems Incorporated |
ProductName | Adobe Acrobat |
ProductVersion | 17.12.30229.10229 |
FileDescription | Adobe Acrobat Scan Plug-in |
OriginalFilename | Scan.api |
Translation | 0x0409 0x04e4 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 15:04:34 |
Start date: | 20/04/2022 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe20000 |
File size: | 116736 bytes |
MD5 hash: | 7DEB5DB86C0AC789123DEC286286B938 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 1 |
Start time: | 15:04:34 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xdd0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 2 |
Start time: | 15:04:35 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 20992 bytes |
MD5 hash: | 426E7499F6A7346F0410DEAD0805586B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 3 |
Start time: | 15:04:35 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10e0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 4 |
Start time: | 15:04:35 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10e0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 5 |
Start time: | 15:04:39 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10e0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 7 |
Start time: | 15:04:42 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10e0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 10 |
Start time: | 15:04:45 |
Start date: | 20/04/2022 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf10000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |