Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
unpacked (1).dll

Overview

General Information

Sample Name:unpacked (1).dll
Original Sample Name:unpacked (1).bin
Analysis ID:828171
MD5:895004ddaa3758ac453d73e3d8c1f45f
SHA1:0fb1a2c06513134ff699f4f286a71f1671918180
SHA256:74ef237a5145c0d85ee7575c283493a2bd0ae116590c06749cf1ed72f655b997
Infos:

Detection

Ursnif
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5984 cmdline: loaddll32.exe "C:\Users\user\Desktop\unpacked (1).dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6032 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6092 cmdline: rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 1236 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Gozi, Ursnif2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
No configs have been found
SourceRuleDescriptionAuthorStrings
unpacked (1).dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    SourceRuleDescriptionAuthorStrings
    0.2.loaddll32.exe.10000000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
      3.2.rundll32.exe.10000000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
        No Sigma rule has matched
        No Snort rule has matched

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: unpacked (1).dllAvira: detected
        Source: unpacked (1).dllReversingLabs: Detection: 43%
        Source: unpacked (1).dllJoe Sandbox ML: detected
        Source: 0.2.loaddll32.exe.10000000.0.unpackAvira: Label: TR/Patched.Ren.Gen2
        Source: 3.2.rundll32.exe.10000000.0.unpackAvira: Label: TR/Patched.Ren.Gen2
        Source: unpacked (1).dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
        Source: Amcache.hve.6.drString found in binary or memory: http://upx.sf.net

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        barindex
        Source: Yara matchFile source: unpacked (1).dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: loaddll32.exe, 00000000.00000002.308072090.0000000000DFB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        E-Banking Fraud

        barindex
        Source: Yara matchFile source: unpacked (1).dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: unpacked (1).dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
        Source: unpacked (1).dllStatic PE information: No import functions for PE file found
        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 636
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F410963_2_02F41096
        Source: unpacked (1).dllReversingLabs: Detection: 43%
        Source: unpacked (1).dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
        Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\unpacked (1).dll"
        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 636
        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1Jump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_01
        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6092
        Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER962D.tmpJump to behavior
        Source: classification engineClassification label: mal68.troj.winDLL@7/6@0/0
        Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F490F8 push 00000078h; ret 3_2_02F490FA
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F490C0 pushad ; ret 3_2_02F490C1
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F46646 push ds; iretd 3_2_02F4664B
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F3B826 push ds; retf 3_2_02F3B827
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F3B816 push ds; ret 3_2_02F3B817
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F3B80E push ds; iretd 3_2_02F3B813

        Hooking and other Techniques for Hiding and Protection

        barindex
        Source: Yara matchFile source: unpacked (1).dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: Amcache.hve.6.drBinary or memory string: VMware
        Source: Amcache.hve.6.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
        Source: Amcache.hve.6.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
        Source: Amcache.hve.6.drBinary or memory string: VMware Virtual USB Mouse
        Source: Amcache.hve.6.drBinary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
        Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.
        Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
        Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.6.drBinary or memory string: VMware7,1
        Source: Amcache.hve.6.drBinary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Device
        Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: Amcache.hve.6.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.me
        Source: Amcache.hve.6.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
        Source: Amcache.hve.6.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: Amcache.hve.6.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
        Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1Jump to behavior
        Source: Amcache.hve.6.drBinary or memory string: c:\program files\windows defender\msmpeng.exe

        Stealing of Sensitive Information

        barindex
        Source: Yara matchFile source: unpacked (1).dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality

        barindex
        Source: Yara matchFile source: unpacked (1).dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management InstrumentationPath Interception11
        Process Injection
        1
        Virtualization/Sandbox Evasion
        1
        Input Capture
        21
        Security Software Discovery
        Remote Services1
        Input Capture
        Exfiltration Over Other Network Medium1
        Encrypted Channel
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Rundll32
        LSASS Memory1
        Virtualization/Sandbox Evasion
        Remote Desktop Protocol1
        Archive Collected Data
        Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
        Software Packing
        Security Account Manager1
        System Information Discovery
        SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
        Process Injection
        NTDS1
        Remote System Discovery
        Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
        Obfuscated Files or Information
        LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 signatures2 2 Behavior Graph ID: 828171 Sample: unpacked (1).dll Startdate: 16/03/2023 Architecture: WINDOWS Score: 68 18 Antivirus / Scanner detection for submitted sample 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected  Ursnif 2->22 24 Machine Learning detection for sample 2->24 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 conhost.exe 8->12         started        process5 14 rundll32.exe 10->14         started        process6 16 WerFault.exe 24 9 14->16         started       

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand
        SourceDetectionScannerLabelLink
        unpacked (1).dll44%ReversingLabsWin32.Trojan.Razy
        unpacked (1).dll100%AviraTR/Patched.Ren.Gen2
        unpacked (1).dll100%Joe Sandbox ML
        No Antivirus matches
        SourceDetectionScannerLabelLinkDownload
        0.2.loaddll32.exe.10000000.0.unpack100%AviraTR/Patched.Ren.Gen2Download File
        3.2.rundll32.exe.10000000.0.unpack100%AviraTR/Patched.Ren.Gen2Download File
        No Antivirus matches
        No Antivirus matches
        No contacted domains info
        NameSourceMaliciousAntivirus DetectionReputation
        http://upx.sf.netAmcache.hve.6.drfalse
          high
          No contacted IP infos
          Joe Sandbox Version:37.0.0 Beryl
          Analysis ID:828171
          Start date and time:2023-03-16 20:01:31 +01:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 6m 26s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Run name:Run with higher sleep bypass
          Number of analysed new started processes analysed:12
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample file name:unpacked (1).dll
          Original Sample Name:unpacked (1).bin
          Detection:MAL
          Classification:mal68.troj.winDLL@7/6@0/0
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 56% (good quality ratio 34%)
          • Quality average: 45.1%
          • Quality standard deviation: 44%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 1
          Cookbook Comments:
          • Found application associated with file extension: .dll
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 13.89.179.12
          • Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com
          • Execution Graph export aborted for target loaddll32.exe, PID 5984 because there are no executed function
          • Execution Graph export aborted for target rundll32.exe, PID 6092 because there are no executed function
          • Not all processes where analyzed, report is missing behavior information
          • VT rate limit hit for: unpacked (1).dll
          No simulations
          No context
          No context
          No context
          No context
          No context
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.8868049200890971
          Encrypted:false
          SSDEEP:192:21ApTiH0oXNrHBUZMX4jed+5/u7sgS274ItWc:4ETi5XBBUZMX4jeU/u7sgX4ItWc
          MD5:791B98C1D41CDBB9E8401A80B62072AD
          SHA1:146DB5409523BEBA3953609BA10A1FC53D634E44
          SHA-256:052E7F6D7C5AE8DE41C8C24DAC0AD59884B5FC3150FD68BD83A3A5F3F5D5B075
          SHA-512:E7A66912A2C8D9FB94CCC0F80F3AC423D4C18F227255FE0C01247F601C770E6D1E088DE93D80861F267EC7469461E8B13A0220751203F3B0752F4D8AD2572DAA
          Malicious:false
          Reputation:low
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.3.4.6.6.9.4.9.4.0.2.3.0.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.3.4.6.6.9.5.0.1.9.9.1.7.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.7.e.7.8.a.1.5.-.6.9.4.e.-.4.c.8.5.-.b.e.0.6.-.b.5.4.1.3.3.1.3.0.0.1.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.f.8.6.f.e.d.-.f.b.e.e.-.4.3.2.4.-.b.2.a.d.-.5.4.8.6.4.1.6.f.a.b.4.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.c.c.-.0.0.0.1.-.0.0.1.f.-.6.5.5.0.-.f.f.d.9.3.9.5.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Mini DuMP crash report, 14 streams, Thu Mar 16 19:02:29 2023, 0x1205a4 type
          Category:dropped
          Size (bytes):39202
          Entropy (8bit):2.316888820521251
          Encrypted:false
          SSDEEP:192:6nKRf/ecypO5Skb2wrCu7pm8bE+VTiUfCndFGlCPLXHnbxf:yQ5LbG2HDVTYGlCLH
          MD5:0AD73DC60EDD50DB8DDC7FAD8E3F91AE
          SHA1:5553AF467C52AC4EA657C1F253626ADFC4BA278B
          SHA-256:5B0968FE44D3F5C5C78FF317DAB298F7F3BEEB9CB3465F25A0C27C936034E292
          SHA-512:BCD802EFFD600B99C37E789A9714F87B77411C8FE02AB81B35615943B7CE89F9A1F405659A23CD793E9755536A91B0BA7209D424609A98FF532C1B703E4AE38F
          Malicious:false
          Reputation:low
          Preview:MDMP....... ........g.d............d...........P...l...........^(..........T.......8...........T...........`................................................................................................U...........B......@.......GenuineIntelW...........T............g.d.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):8246
          Entropy (8bit):3.6909810241404664
          Encrypted:false
          SSDEEP:192:Rrl7r3GLNiwa6W6Y0m6GgmfTkn4SI+prq89bERsfRsm:RrlsNid6W6Yl6GgmfTk4SXEKfP
          MD5:CD4570E2073BF6C8A1E5705D73EFF621
          SHA1:72171B897357A9F22F439BA595619B4F15D5421D
          SHA-256:CA3CF2DB083B990896C5DFBE1479AF83E327FE91D1CA1C923F037AADA9C608CB
          SHA-512:5843D00BCD0C0B3FB58BA41E72AD765D6900E380E60153A98C293780C84B8A7BBB55E7BF806B2280747AA40F926DA26FAE365DD13760FD8AE8100DB775BB20D8
          Malicious:false
          Reputation:low
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.9.2.<./.P.i.d.>.......
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4630
          Entropy (8bit):4.455035274816969
          Encrypted:false
          SSDEEP:48:cvIwSD8zshJgtWI959Wgc8sqYjU8fm8M4JCdsfFT+q8/5z04SrS3d:uITfz2MgrsqYVJvzDW3d
          MD5:FF91CF9461FA80350704067CBF0C3B5A
          SHA1:2DC002BB1C23B873D69CA96B9B59075D4F620250
          SHA-256:45A8DE7B90BFE2518B3DCBE949912A316B0EE18CA06572E5FD21AE4EFC14EB52
          SHA-512:E69DF9B30BE9BC15FA7949E8CB3A88CA6D49BFE55E809D57B6DEED6525F6CBE9F802F96F975E4A9DC739474DC9F60F44B352E4D63ABE7959EAEF19C3BFB7EBBA
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1955773" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:MS Windows registry file, NT/2000 or above
          Category:dropped
          Size (bytes):1572864
          Entropy (8bit):4.310468455996301
          Encrypted:false
          SSDEEP:12288:8Tu4PpvwTNUQz3PUnV9KGSWLE0CLrO83oNl3BHQEF9RO7zQ48y:su4PpvwTNUY3PUyaE6
          MD5:26D44A0A3BCA99378D5E6850CC754389
          SHA1:C35933FB4E53943C040B518B7A639F743280A129
          SHA-256:A6EB65562FBA59BA8BA6C2DC728C029F529AA61148766237BA994DC21370FC92
          SHA-512:F2886BDEC8C62BE832870D4C8850218B87FB80136AEBB660C790176815CA3D5B6FB02D3851DE1B6FF3B923EB057AF1D83E9851B2FC86AE5CFC19D48F336A294B
          Malicious:false
          Preview:regfQ...Q...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm:.i.9X..............................................................................................................................................................................................................................................................................................................................................C.`.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:MS Windows registry file, NT/2000 or above
          Category:dropped
          Size (bytes):24576
          Entropy (8bit):3.943670216014598
          Encrypted:false
          SSDEEP:384:xHd5K5kjaM1gnVVeeDzeP1NKZtjnexFa1tsoSwXXha4i/qfZ/DWwsfWe0NZpu+:5DKCg/eeDzetNYtjeHaHsoSwha4i/qfO
          MD5:07126390C1555BCC0D8F3498F88C5615
          SHA1:4DCCE05195C761099F1624BC47B7EDB31770D096
          SHA-256:87B5D5E8F05BC3CB7D9B3C88E621FB1C9BE1900923E846A5326C4825610C3BED
          SHA-512:6B64271CE8EA49A2ACD5C92FAD2E4B5927F611A9574241463DF8B156FB1F4F0F16AF89105E6AAB5EA27CCE42955994BE24505237FA423BE1AED9C6A46A3F9E1F
          Malicious:false
          Preview:regfP...P...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm:.i.9X..............................................................................................................................................................................................................................................................................................................................................E.`.HvLE.^......P.... ......n.d.FW1.|@t..7X.............................. ..hbin................p.\..,..........nk,...l.9X.................................. ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...l.9X...... ........................... .......Z.......................Root........lf......Root....nk ...l.9X.................................. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Entropy (8bit):5.765721775191744
          TrID:
          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
          • Generic Win/DOS Executable (2004/3) 0.20%
          • DOS Executable Generic (2002/1) 0.20%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:unpacked (1).dll
          File size:57344
          MD5:895004ddaa3758ac453d73e3d8c1f45f
          SHA1:0fb1a2c06513134ff699f4f286a71f1671918180
          SHA256:74ef237a5145c0d85ee7575c283493a2bd0ae116590c06749cf1ed72f655b997
          SHA512:af92b8bfe841b460373a9145dd30419f275751ee1edb2bf8c7af42629be6a48db7e0cc06abd10af3937a6e8a6b2b25994547541b4a21e65ea2398ba992f2aed9
          SSDEEP:768:L5UoJZS2vK+c+wdCAXNnZ98baBXe13jtCs8sNaHXsSsGtj+WNAMTauI:DZKCuCCZKt1z98scH8ucWBOP
          TLSH:0F43E155AE1D04FBC16781773735933AC2F7C22691182CCAC513AA6E6EBA613EC7D243
          File Content Preview:MZ.f.:..................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7...7...7.......7...O...7...7...7..;8...7..;8...7..;8...7.......7.......7.......7..Rich.7..................PE..L....T.b...
          Icon Hash:74f0e4ecccdce0e4
          Entrypoint:0x10001d4b
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x10000000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          DLL Characteristics:
          Time Stamp:0x629654C0 [Tue May 31 17:47:44 2022 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:
          Instruction
          in al, dx
          and ecx, 00000FFFh
          add ecx, esi
          add dword ptr [ecx], ebx
          mov ebx, dword ptr [ebp-08h]
          inc ebx
          inc ebx
          dec dword ptr [ebp-0Ch]
          mov dword ptr [ebp-08h], ebx
          jne 00007F377CCD8233h
          mov ecx, dword ptr [edi+04h]
          sub dword ptr [ebp-04h], ecx
          add edi, ecx
          cmp dword ptr [ebp-04h], 08h
          jnbe 00007F377CCD81FEh
          pop edi
          pop esi
          pop ebx
          leave
          retn 0004h
          cmp dword ptr [esp+08h], 00000000h
          je 00007F377CCD8288h
          mov ecx, dword ptr [eax+0Ch]
          mov edx, ecx
          sub edx, dword ptr [esp+04h]
          mov dl, byte ptr [edx]
          mov byte ptr [ecx], dl
          inc dword ptr [eax+0Ch]
          dec dword ptr [esp+08h]
          jne 00007F377CCD825Ch
          ret
          push ebp
          mov ebp, esp
          sub esp, 30h
          push ebx
          push esi
          push edi
          mov esi, eax
          xor eax, eax
          lea edi, dword ptr [ebp-28h]
          stosd
          stosd
          stosd
          stosd
          stosd
          xor ebx, ebx
          xor eax, eax
          push ebx
          push 08000000h
          push dword ptr [esi+08h]
          lea edi, dword ptr [ebp-10h]
          stosd
          mov eax, dword ptr [esi+04h]
          mov dword ptr [ebp-14h], eax
          lea eax, dword ptr [ebp-14h]
          push eax
          lea eax, dword ptr [ebp-2Ch]
          push eax
          push 000F001Fh
          lea eax, dword ptr [ebp-0Ch]
          push eax
          mov dword ptr [ebp-0Ch], ebx
          mov dword ptr [ebp-08h], ebx
          mov dword ptr [ebp-2Ch], 00000018h
          mov dword ptr [ebp-28h], ebx
          mov dword ptr [ebp-20h], 00000040h
          mov dword ptr [ebp-24h], ebx
          mov dword ptr [ebp-1Ch], ebx
          mov dword ptr [ebp-18h], ebx
          call dword ptr [esi+0Ch]
          cmp eax, ebx
          jl 00007F377CCD82A7h
          mov eax, dword ptr [ebp-0Ch]
          mov dword ptr [esi], eax
          lea eax, dword ptr [ebp-08h]
          push eax
          call 00007F377CCD8D1Dh
          mov edi, eax
          cmp edi, ebx
          jne 00007F377CCD828Bh
          push dword ptr [ebp-14h]
          push ebx
          Programming Language:
          • [ASM] VS2005 build 50727
          • [IMP] VS2008 SP1 build 30729
          • [EXP] VS2005 build 50727
          • [LNK] VS2005 build 50727
          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x35f00x4f.rdata
          IMAGE_DIRECTORY_ENTRY_IMPORT0x312c0x64.rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x60000x154.reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x30000xcc.rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x10000x17970x1800False0.3787434895833333data4.019765538082408IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata0x30000x63f0x800False0.7646484375data6.425623877611753IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
          .data0x40000x24c0x200False0.875data5.824857955609047IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .bss0x50000x26c0x400False0.3603515625data3.17724172343837IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .reloc0x60000x80000x7200False0.5444078947368421data5.290169344471963IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_OVER, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
          Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

          Click to jump to process

          Click to jump to process

          Click to dive into process behavior distribution

          Click to jump to process

          Target ID:0
          Start time:20:02:27
          Start date:16/03/2023
          Path:C:\Windows\System32\loaddll32.exe
          Wow64 process (32bit):true
          Commandline:loaddll32.exe "C:\Users\user\Desktop\unpacked (1).dll"
          Imagebase:0x890000
          File size:116736 bytes
          MD5 hash:1F562FBF37040EC6C43C8D5EF619EA39
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:1
          Start time:20:02:27
          Start date:16/03/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7c72c0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:2
          Start time:20:02:27
          Start date:16/03/2023
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
          Imagebase:0xd90000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:3
          Start time:20:02:27
          Start date:16/03/2023
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
          Imagebase:0x870000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:6
          Start time:20:02:28
          Start date:16/03/2023
          Path:C:\Windows\SysWOW64\WerFault.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 636
          Imagebase:0x1310000
          File size:434592 bytes
          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Reset < >
            Memory Dump Source
            • Source File: 00000003.00000002.398544591.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp, Offset: 02F3A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_2f3a000_rundll32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 627738fdbb0a72b7860bd1408811b6156e0056ce7a0405e3665eacde263e0f9a
            • Instruction ID: 53fcebec011edb4a1e13c6454fe022d704d9ef84fc6bef9ff7798bb479f7ba7f
            • Opcode Fuzzy Hash: 627738fdbb0a72b7860bd1408811b6156e0056ce7a0405e3665eacde263e0f9a
            • Instruction Fuzzy Hash: 1231CC6299F2D42FD31347B14879AE67FB08F0B164F8F42EBC8C04F0ABE548084A9365
            Uniqueness

            Uniqueness Score: -1.00%