Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
test2.dll

Overview

General Information

Sample Name:test2.dll
Original Sample Name:test2.bin
Analysis ID:828211
MD5:69a88f93c1ec9c8ecc66b7d19fb4a9aa
SHA1:74dca80be03ab4dcc6bac81e794b6a02b56c4574
SHA256:c825d867fb0bf1ba55b89f4bb1c6db13020792ceb175e84fac5f72cfa161726f
Infos:

Detection

Ursnif
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 1008 cmdline: loaddll32.exe "C:\Users\user\Desktop\test2.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 920 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 712 cmdline: rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 5184 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 656 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Gozi, Ursnif2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
test2.dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    0.2.loaddll32.exe.10000000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
      3.2.rundll32.exe.10000000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security

        Sigma Signatures

        No Sigma rule has matched

        Snort Signatures

        No Snort rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Antivirus / Scanner detection for submitted sample
        Source: test2.dllAvira: detected
        Multi AV Scanner detection for submitted file
        Source: test2.dllVirustotal: Detection: 39%Perma Link
        Machine Learning detection for sample
        Source: test2.dllJoe Sandbox ML: detected
        Source: 0.2.loaddll32.exe.10000000.0.unpackAvira: Label: TR/Patched.Ren.Gen2
        Source: 3.2.rundll32.exe.10000000.0.unpackAvira: Label: TR/Patched.Ren.Gen2
        Source: test2.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
        Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        barindex
        Yara detected Ursnif
        Source: Yara matchFile source: test2.dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

        E-Banking Fraud

        barindex
        Yara detected Ursnif
        Source: Yara matchFile source: test2.dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: test2.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
        Source: test2.dllStatic PE information: No import functions for PE file found
        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 656
        Source: test2.dllVirustotal: Detection: 39%
        Source: test2.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
        Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\test2.dll"
        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 656
        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1Jump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:788:120:WilError_01
        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess712
        Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DBB.tmpJump to behavior
        Source: classification engineClassification label: mal68.troj.winDLL@7/6@0/0
        Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_032610A4 pushad ; retf 3_2_032610A5
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0325DBB9 pushad ; iretd 3_2_0325DBC1
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0325CFC8 pushad ; iretd 3_2_0325D015

        Hooking and other Techniques for Hiding and Protection

        barindex
        Yara detected Ursnif
        Source: Yara matchFile source: test2.dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: Amcache.hve.5.drBinary or memory string: VMware
        Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
        Source: Amcache.hve.5.drBinary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
        Source: Amcache.hve.5.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
        Source: Amcache.hve.5.drBinary or memory string: VMware Virtual USB Mouse
        Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.
        Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
        Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.5.drBinary or memory string: VMware7,1
        Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Device
        Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: Amcache.hve.5.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.me
        Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
        Source: Amcache.hve.5.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: Amcache.hve.5.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
        Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1Jump to behavior
        Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe

        Stealing of Sensitive Information

        barindex
        Yara detected Ursnif
        Source: Yara matchFile source: test2.dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality

        barindex
        Yara detected Ursnif
        Source: Yara matchFile source: test2.dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management InstrumentationPath Interception11
        Process Injection        		1
        Virtualization/Sandbox Evasion        		OS Credential Dumping21
        Security Software Discovery        		Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Rundll32        		LSASS Memory1
        Virtualization/Sandbox Evasion        		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
        Software Packing        		Security Account Manager1
        System Information Discovery        		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
        Process Injection        		NTDS1
        Remote System Discovery        		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
        Obfuscated Files or Information        		LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 signatures2 2 Behavior Graph ID: 828211 Sample: test2.dll Startdate: 16/03/2023 Architecture: WINDOWS Score: 68 18 Antivirus / Scanner detection for submitted sample 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected  Ursnif 2->22 24 Machine Learning detection for sample 2->24 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 conhost.exe 8->12         started        process5 14 rundll32.exe 10->14         started        process6 16 WerFault.exe 23 9 14->16         started       

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        test2.dll39%VirustotalBrowse
        test2.dll100%AviraTR/Patched.Ren.Gen2
        test2.dll100%Joe Sandbox ML

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        SourceDetectionScannerLabelLinkDownload
        0.2.loaddll32.exe.10000000.0.unpack100%AviraTR/Patched.Ren.Gen2Download File
        3.2.rundll32.exe.10000000.0.unpack100%AviraTR/Patched.Ren.Gen2Download File

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://upx.sf.netAmcache.hve.5.drfalse
          		high

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox Version:37.0.0 Beryl
          Analysis ID:828211
          Start date and time:2023-03-16 20:53:16 +01:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 6m 13s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Run name:Run with higher sleep bypass
          Number of analysed new started processes analysed:18
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample file name:test2.dll
          Original Sample Name:test2.bin
          Detection:MAL
          Classification:mal68.troj.winDLL@7/6@0/0
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 56% (good quality ratio 34%)
          • Quality average: 45.1%
          • Quality standard deviation: 44%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .dll
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

          Warnings

          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 20.42.65.92
          • Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com
          • Execution Graph export aborted for target loaddll32.exe, PID 1008 because there are no executed function
          • Execution Graph export aborted for target rundll32.exe, PID 712 because there are no executed function
          • Not all processes where analyzed, report is missing behavior information

          Simulations

          Behavior and APIs

          No simulations

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7bde5861e98b2ac3cc37e329f3101f62f0fff922_82810a17_14276a6d\Report.wer

          Download File
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.8858102399344125
          Encrypted:false
          SSDEEP:192:2+Yi9k0oX/rHBUZMX4jed+y/u7sdS274ItWc:3YiAXDBUZMX4jeP/u7sdX4ItWc
          MD5:8AD9EA5F9B0EDB83100B66846F260F24
          SHA1:753E4BA84F276623968AEA502BAD2EA5BA8FBC51
          SHA-256:9B520199AC9C60D25942D28AF78DE7213ED89192DF85095285B05D596EAD44EE
          SHA-512:20D93EBE97B3A175D10C93E5629A45E8D2A74DB6251CB750A7C38660A6FFF511821467278675D653E44566E826EAC652B9C05B11645021327AA92EBD548A4206
          Malicious:false
          Reputation:low
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.3.4.9.8.8.5.3.7.3.4.2.4.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.3.4.9.8.8.5.4.4.3.7.3.6.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.d.e.c.a.3.d.-.4.8.d.b.-.4.1.6.3.-.b.b.1.0.-.b.3.f.c.e.f.5.5.3.7.0.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.c.4.a.4.3.1.-.2.3.2.b.-.4.e.a.4.-.9.3.1.2.-.f.b.0.3.b.5.4.e.4.2.5.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.c.8.-.0.0.0.1.-.0.0.1.a.-.8.7.8.5.-.8.6.2.2.8.4.5.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DBB.tmp.dmp

          Download File
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Mini DuMP crash report, 14 streams, Fri Mar 17 03:54:14 2023, 0x1205a4 type
          Category:dropped
          Size (bytes):38784
          Entropy (8bit):2.3618089899280705
          Encrypted:false
          SSDEEP:192:4BqJ+UlqMO5Skb910smw1403+ThVRFy7U8ys:z65Lbb0sh+ThVqw8
          MD5:78A52530255963836C601E7C0FEF8139
          SHA1:B0294D2CD347A5B7B639DC46261397A159ABC987
          SHA-256:C94A9F532CD0E96509D122A9D3714212DCA5DDE854EF694A4C489AAC5EE37EE2
          SHA-512:DAFEE1D6E95DA7EA94A08D12A43423E2596BA1B716FDE3FB0E663EE9BC98027ED23B22E415D23809C78033D2B726AD97C62CC5182DFB29A5A22DA66A81E5F3D9
          Malicious:false
          Reputation:low
          Preview:MDMP....... .......f..d............d...........P...l...........P(..........T.......8...........T...........`... ~...........................................................................................U...........B......@.......GenuineIntelW...........T...........d..d.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F81.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):8238
          Entropy (8bit):3.6883317607179755
          Encrypted:false
          SSDEEP:192:Rrl7r3GLNiZF616Yog6ugmfTkn4SgCprq89bTTsffxm:RrlsNi7616Yf6ugmfTk4SLT4f0
          MD5:D7BF4784612285D933F7FB642B8C4AAF
          SHA1:B9D213190C7CE57D451DAB5BCA5D0408AE23CF56
          SHA-256:A2EF010CA4C5B93F20ACB888CE6BF9A69906C56C7484E542BAF9BCB888F40166
          SHA-512:589CBCA02C21A0D7C1479B225F625289CC53BA836B4D9F8EA1EB62D81112895A1CA87FE185480702551447A2BE6D9BCFE8FBD4A92C8F24A111FC6AE30548C954
          Malicious:false
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.2.<./.P.i.d.>.........

          C:\ProgramData\Microsoft\Windows\WER\Temp\WER600E.tmp.xml

          Download File
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4630
          Entropy (8bit):4.448175078514849
          Encrypted:false
          SSDEEP:48:cvIwSD8zsYJgtWI9GYWgc8sqYj4O8fm8M4JCdsfFo+q8/594SrSsd:uITfexRgrsqYUrJUmDWsd
          MD5:822BC82388350414D48CEAE0CBB28C39
          SHA1:0BF1DFC2B8D1B0CA3ABCB5504560A94551C5AB7C
          SHA-256:4FD8BD10B1AD9048ABDDBEC93150155C7B13017E43DC2E5F5A8512D984AC2586
          SHA-512:0CB5BABF26D482EE1710E94C216C1D56FF3BDD2570C8D9D5981D04F4D6BBEEBF15A812705657C4A33C19A357BF7D32B90616D78D389C90AEC3B91BC8D16D3364
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1956304" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

          C:\Windows\appcompat\Programs\Amcache.hve

          Download File
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:MS Windows registry file, NT/2000 or above
          Category:dropped
          Size (bytes):1572864
          Entropy (8bit):4.291736207677684
          Encrypted:false
          SSDEEP:12288:6wukrRng/KsOgz/oAwDo211bZktsYuVMLhFxwVbEHURmeiVSHK5hocSt:JukrRng/KsRz/o+s8wZ4
          MD5:BDEED12630C7D76F004038DCE3426ACF
          SHA1:173A640BC8C100852D32753BDA4E9835051C19D9
          SHA-256:3FF60A39A93BDE463E222D8FF934BC7518C0C87896879B96C89B29AB685C61E3
          SHA-512:17CE6EEBFA377F25AB3109EDD23EA0ACA8C0646A6E24B9F654170215EAAF4F06BAD70294F62B26B719FD6243E2F4FA847DA2DD92575D167B5D0A23090C64537F
          Malicious:false
          Preview:regf^...^...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.).".X..............................................................................................................................................................................................................................................................................................................................................2...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Windows\appcompat\Programs\Amcache.hve.LOG1

          Download File
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:MS Windows registry file, NT/2000 or above
          Category:dropped
          Size (bytes):24576
          Entropy (8bit):3.7690802554793192
          Encrypted:false
          SSDEEP:384:FP5/+CllpBA+696rINn885TVgGKG+7ODvkZ0RUp/:Fx/+CllTA+FW88FVgGlFDvzUp
          MD5:34853AE164F38470843798AA4930418F
          SHA1:B280497AE426215E11DBFFE30863EB44FC9172B7
          SHA-256:F067A43E7B2BD1FD23251DA94402C77CCDE328756EC2BA5D1FCCEA32C652C0D8
          SHA-512:22FAF365F0F7E5626A224530DF6ACD920308651868EBB3A152C67EE8FE01C70EA9681C8894BA79C5BC543B6C95C6A1705BFC7D75D947704FE541370286748600
          Malicious:false
          Preview:regf]...]...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.).".X..............................................................................................................................................................................................................................................................................................................................................4...HvLE.^......].............N8...eo..HhX.M............................. ..hbin................p.\..,..........nk,.7Q.".X......0........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .7Q.".X...... ........................... .......Z.......................Root........lf......Root....nk .7Q.".X...................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck...

          Static File Info

          General

          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Entropy (8bit):5.7778692211855445
          TrID:
          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
          • Generic Win/DOS Executable (2004/3) 0.20%
          • DOS Executable Generic (2002/1) 0.20%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:test2.dll
          File size:57344
          MD5:69a88f93c1ec9c8ecc66b7d19fb4a9aa
          SHA1:74dca80be03ab4dcc6bac81e794b6a02b56c4574
          SHA256:c825d867fb0bf1ba55b89f4bb1c6db13020792ceb175e84fac5f72cfa161726f
          SHA512:8ff818fa0e88774c7047f7c1b626931f2119fd00cc51bc5381b2466b3d9aec6edfd6abd7cd16b452f725937ee825e275d239f55aaddff027f56359d85aae0725
          SSDEEP:768:bZUYZZtva+c+wdCAXNnZ98baBXe13jtCs8sNaHXsSsGtj+WNAMTauI:TZACuCCZKt1z98scH8ucWBOP
          TLSH:AB43E195A62D04DACB63C1733B36937EC6FEC21975082CCAD0166A6E5EBA552D03D243
          File Content Preview:MZ.f.:..................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7...7...7.......7...O...7...7...7..;8...7..;8...7..;8...7.......7.......7.......7..Rich.7..................PE..L....T.b...

          File Icon

          Icon Hash:74f0e4ecccdce0e4

          Static PE Info

          General

          Entrypoint:0x10001d4b
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x10000000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          DLL Characteristics:
          Time Stamp:0x629654C0 [Tue May 31 17:47:44 2022 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:

          Entrypoint Preview

          Instruction
          in al, dx
          and ecx, 00000FFFh
          add ecx, esi
          add dword ptr [ecx], ebx
          mov ebx, dword ptr [ebp-08h]
          inc ebx
          inc ebx
          dec dword ptr [ebp-0Ch]
          mov dword ptr [ebp-08h], ebx
          jne 00007F71D0AD9323h
          mov ecx, dword ptr [edi+04h]
          sub dword ptr [ebp-04h], ecx
          add edi, ecx
          cmp dword ptr [ebp-04h], 08h
          jnbe 00007F71D0AD92EEh
          pop edi
          pop esi
          pop ebx
          leave
          retn 0004h
          cmp dword ptr [esp+08h], 00000000h
          je 00007F71D0AD9378h
          mov ecx, dword ptr [eax+0Ch]
          mov edx, ecx
          sub edx, dword ptr [esp+04h]
          mov dl, byte ptr [edx]
          mov byte ptr [ecx], dl
          inc dword ptr [eax+0Ch]
          dec dword ptr [esp+08h]
          jne 00007F71D0AD934Ch
          ret
          push ebp
          mov ebp, esp
          sub esp, 30h
          push ebx
          push esi
          push edi
          mov esi, eax
          xor eax, eax
          lea edi, dword ptr [ebp-28h]
          stosd
          stosd
          stosd
          stosd
          stosd
          xor ebx, ebx
          xor eax, eax
          push ebx
          push 08000000h
          push dword ptr [esi+08h]
          lea edi, dword ptr [ebp-10h]
          stosd
          mov eax, dword ptr [esi+04h]
          mov dword ptr [ebp-14h], eax
          lea eax, dword ptr [ebp-14h]
          push eax
          lea eax, dword ptr [ebp-2Ch]
          push eax
          push 000F001Fh
          lea eax, dword ptr [ebp-0Ch]
          push eax
          mov dword ptr [ebp-0Ch], ebx
          mov dword ptr [ebp-08h], ebx
          mov dword ptr [ebp-2Ch], 00000018h
          mov dword ptr [ebp-28h], ebx
          mov dword ptr [ebp-20h], 00000040h
          mov dword ptr [ebp-24h], ebx
          mov dword ptr [ebp-1Ch], ebx
          mov dword ptr [ebp-18h], ebx
          call dword ptr [esi+0Ch]
          cmp eax, ebx
          jl 00007F71D0AD9397h
          mov eax, dword ptr [ebp-0Ch]
          mov dword ptr [esi], eax
          lea eax, dword ptr [ebp-08h]
          push eax
          call 00007F71D0AD9E0Dh
          mov edi, eax
          cmp edi, ebx
          jne 00007F71D0AD937Bh
          push dword ptr [ebp-14h]
          push ebx

          Rich Headers

          Programming Language:
          • [ASM] VS2005 build 50727
          • [IMP] VS2008 SP1 build 30729
          • [EXP] VS2005 build 50727
          • [LNK] VS2005 build 50727

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x35f00x4f.rdata
          IMAGE_DIRECTORY_ENTRY_IMPORT0x312c0x64.rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x60000x154.reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x30000xcc.rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x10000x17970x1800False0.3787434895833333data4.031216120437235IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata0x30000x63f0x800False0.7646484375data6.43669157518164IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
          .data0x40000x24c0x200False0.875data5.8293315768111045IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .bss0x50000x26c0x400False0.3603515625data3.1797275657461412IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .reloc0x60000x80000x7200False0.5503700657894737data5.31387674469581IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_OVER, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ

          Network Behavior

          Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:20:54:11
          Start date:16/03/2023
          Path:C:\Windows\System32\loaddll32.exe
          Wow64 process (32bit):true
          Commandline:loaddll32.exe "C:\Users\user\Desktop\test2.dll"
          Imagebase:0xff0000
          File size:116736 bytes
          MD5 hash:1F562FBF37040EC6C43C8D5EF619EA39
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Target ID:1
          Start time:20:54:12
          Start date:16/03/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6da640000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Target ID:2
          Start time:20:54:12
          Start date:16/03/2023
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
          Imagebase:0x1b0000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Target ID:3
          Start time:20:54:12
          Start date:16/03/2023
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
          Imagebase:0x3f0000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Target ID:5
          Start time:20:54:12
          Start date:16/03/2023
          Path:C:\Windows\SysWOW64\WerFault.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 656
          Imagebase:0x40000
          File size:434592 bytes
          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Disassembly

          No disassembly