Windows
Analysis Report
test2.dll
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 1008 cmdline:
loaddll32. exe "C:\Us ers\user\D esktop\tes t2.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39) - conhost.exe (PID: 788 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 920 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\tes t2.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D) - rundll32.exe (PID: 712 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\test 2.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D) - WerFault.exe (PID: 5184 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 12 -s 656 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Gozi, Ursnif | 2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module. | No Attribution |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Static PE information: |
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Process created: |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Code function: | 3_2_032610A5 | |
Source: | Code function: | 3_2_0325DBC1 | |
Source: | Code function: | 3_2_0325D015 |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Last function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | 11 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 21 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Rundll32 | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
39% | Virustotal | Browse | ||
100% | Avira | TR/Patched.Ren.Gen2 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Patched.Ren.Gen2 | Download File | ||
100% | Avira | TR/Patched.Ren.Gen2 | Download File |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 828211 |
Start date and time: | 2023-03-16 20:53:16 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 13s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes analysed: | 18 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | test2.dll |
Original Sample Name: | test2.bin |
Detection: | MAL |
Classification: | mal68.troj.winDLL@7/6@0/0 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.65.92
- Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com
- Execution Graph export aborted for target loaddll32.exe, PID 1008 because there are no executed function
- Execution Graph export aborted for target rundll32.exe, PID 712 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7bde5861e98b2ac3cc37e329f3101f62f0fff922_82810a17_14276a6d\Report.wer
Download File
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8858102399344125 |
Encrypted: | false |
SSDEEP: | 192:2+Yi9k0oX/rHBUZMX4jed+y/u7sdS274ItWc:3YiAXDBUZMX4jeP/u7sdX4ItWc |
MD5: | 8AD9EA5F9B0EDB83100B66846F260F24 |
SHA1: | 753E4BA84F276623968AEA502BAD2EA5BA8FBC51 |
SHA-256: | 9B520199AC9C60D25942D28AF78DE7213ED89192DF85095285B05D596EAD44EE |
SHA-512: | 20D93EBE97B3A175D10C93E5629A45E8D2A74DB6251CB750A7C38660A6FFF511821467278675D653E44566E826EAC652B9C05B11645021327AA92EBD548A4206 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 38784 |
Entropy (8bit): | 2.3618089899280705 |
Encrypted: | false |
SSDEEP: | 192:4BqJ+UlqMO5Skb910smw1403+ThVRFy7U8ys:z65Lbb0sh+ThVqw8 |
MD5: | 78A52530255963836C601E7C0FEF8139 |
SHA1: | B0294D2CD347A5B7B639DC46261397A159ABC987 |
SHA-256: | C94A9F532CD0E96509D122A9D3714212DCA5DDE854EF694A4C489AAC5EE37EE2 |
SHA-512: | DAFEE1D6E95DA7EA94A08D12A43423E2596BA1B716FDE3FB0E663EE9BC98027ED23B22E415D23809C78033D2B726AD97C62CC5182DFB29A5A22DA66A81E5F3D9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8238 |
Entropy (8bit): | 3.6883317607179755 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiZF616Yog6ugmfTkn4SgCprq89bTTsffxm:RrlsNi7616Yf6ugmfTk4SLT4f0 |
MD5: | D7BF4784612285D933F7FB642B8C4AAF |
SHA1: | B9D213190C7CE57D451DAB5BCA5D0408AE23CF56 |
SHA-256: | A2EF010CA4C5B93F20ACB888CE6BF9A69906C56C7484E542BAF9BCB888F40166 |
SHA-512: | 589CBCA02C21A0D7C1479B225F625289CC53BA836B4D9F8EA1EB62D81112895A1CA87FE185480702551447A2BE6D9BCFE8FBD4A92C8F24A111FC6AE30548C954 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4630 |
Entropy (8bit): | 4.448175078514849 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsYJgtWI9GYWgc8sqYj4O8fm8M4JCdsfFo+q8/594SrSsd:uITfexRgrsqYUrJUmDWsd |
MD5: | 822BC82388350414D48CEAE0CBB28C39 |
SHA1: | 0BF1DFC2B8D1B0CA3ABCB5504560A94551C5AB7C |
SHA-256: | 4FD8BD10B1AD9048ABDDBEC93150155C7B13017E43DC2E5F5A8512D984AC2586 |
SHA-512: | 0CB5BABF26D482EE1710E94C216C1D56FF3BDD2570C8D9D5981D04F4D6BBEEBF15A812705657C4A33C19A357BF7D32B90616D78D389C90AEC3B91BC8D16D3364 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.291736207677684 |
Encrypted: | false |
SSDEEP: | 12288:6wukrRng/KsOgz/oAwDo211bZktsYuVMLhFxwVbEHURmeiVSHK5hocSt:JukrRng/KsRz/o+s8wZ4 |
MD5: | BDEED12630C7D76F004038DCE3426ACF |
SHA1: | 173A640BC8C100852D32753BDA4E9835051C19D9 |
SHA-256: | 3FF60A39A93BDE463E222D8FF934BC7518C0C87896879B96C89B29AB685C61E3 |
SHA-512: | 17CE6EEBFA377F25AB3109EDD23EA0ACA8C0646A6E24B9F654170215EAAF4F06BAD70294F62B26B719FD6243E2F4FA847DA2DD92575D167B5D0A23090C64537F |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 24576 |
Entropy (8bit): | 3.7690802554793192 |
Encrypted: | false |
SSDEEP: | 384:FP5/+CllpBA+696rINn885TVgGKG+7ODvkZ0RUp/:Fx/+CllTA+FW88FVgGlFDvzUp |
MD5: | 34853AE164F38470843798AA4930418F |
SHA1: | B280497AE426215E11DBFFE30863EB44FC9172B7 |
SHA-256: | F067A43E7B2BD1FD23251DA94402C77CCDE328756EC2BA5D1FCCEA32C652C0D8 |
SHA-512: | 22FAF365F0F7E5626A224530DF6ACD920308651868EBB3A152C67EE8FE01C70EA9681C8894BA79C5BC543B6C95C6A1705BFC7D75D947704FE541370286748600 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.7778692211855445 |
TrID: |
|
File name: | test2.dll |
File size: | 57344 |
MD5: | 69a88f93c1ec9c8ecc66b7d19fb4a9aa |
SHA1: | 74dca80be03ab4dcc6bac81e794b6a02b56c4574 |
SHA256: | c825d867fb0bf1ba55b89f4bb1c6db13020792ceb175e84fac5f72cfa161726f |
SHA512: | 8ff818fa0e88774c7047f7c1b626931f2119fd00cc51bc5381b2466b3d9aec6edfd6abd7cd16b452f725937ee825e275d239f55aaddff027f56359d85aae0725 |
SSDEEP: | 768:bZUYZZtva+c+wdCAXNnZ98baBXe13jtCs8sNaHXsSsGtj+WNAMTauI:TZACuCCZKt1z98scH8ucWBOP |
TLSH: | AB43E195A62D04DACB63C1733B36937EC6FEC21975082CCAD0166A6E5EBA552D03D243 |
File Content Preview: | MZ.f.:..................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7...7...7.......7...O...7...7...7..;8...7..;8...7..;8...7.......7.......7.......7..Rich.7..................PE..L....T.b... |
Icon Hash: | 74f0e4ecccdce0e4 |
Entrypoint: | 0x10001d4b |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
DLL Characteristics: | |
Time Stamp: | 0x629654C0 [Tue May 31 17:47:44 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: |
Instruction |
---|
in al, dx |
and ecx, 00000FFFh |
add ecx, esi |
add dword ptr [ecx], ebx |
mov ebx, dword ptr [ebp-08h] |
inc ebx |
inc ebx |
dec dword ptr [ebp-0Ch] |
mov dword ptr [ebp-08h], ebx |
jne 00007F71D0AD9323h |
mov ecx, dword ptr [edi+04h] |
sub dword ptr [ebp-04h], ecx |
add edi, ecx |
cmp dword ptr [ebp-04h], 08h |
jnbe 00007F71D0AD92EEh |
pop edi |
pop esi |
pop ebx |
leave |
retn 0004h |
cmp dword ptr [esp+08h], 00000000h |
je 00007F71D0AD9378h |
mov ecx, dword ptr [eax+0Ch] |
mov edx, ecx |
sub edx, dword ptr [esp+04h] |
mov dl, byte ptr [edx] |
mov byte ptr [ecx], dl |
inc dword ptr [eax+0Ch] |
dec dword ptr [esp+08h] |
jne 00007F71D0AD934Ch |
ret |
push ebp |
mov ebp, esp |
sub esp, 30h |
push ebx |
push esi |
push edi |
mov esi, eax |
xor eax, eax |
lea edi, dword ptr [ebp-28h] |
stosd |
stosd |
stosd |
stosd |
stosd |
xor ebx, ebx |
xor eax, eax |
push ebx |
push 08000000h |
push dword ptr [esi+08h] |
lea edi, dword ptr [ebp-10h] |
stosd |
mov eax, dword ptr [esi+04h] |
mov dword ptr [ebp-14h], eax |
lea eax, dword ptr [ebp-14h] |
push eax |
lea eax, dword ptr [ebp-2Ch] |
push eax |
push 000F001Fh |
lea eax, dword ptr [ebp-0Ch] |
push eax |
mov dword ptr [ebp-0Ch], ebx |
mov dword ptr [ebp-08h], ebx |
mov dword ptr [ebp-2Ch], 00000018h |
mov dword ptr [ebp-28h], ebx |
mov dword ptr [ebp-20h], 00000040h |
mov dword ptr [ebp-24h], ebx |
mov dword ptr [ebp-1Ch], ebx |
mov dword ptr [ebp-18h], ebx |
call dword ptr [esi+0Ch] |
cmp eax, ebx |
jl 00007F71D0AD9397h |
mov eax, dword ptr [ebp-0Ch] |
mov dword ptr [esi], eax |
lea eax, dword ptr [ebp-08h] |
push eax |
call 00007F71D0AD9E0Dh |
mov edi, eax |
cmp edi, ebx |
jne 00007F71D0AD937Bh |
push dword ptr [ebp-14h] |
push ebx |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x35f0 | 0x4f | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x312c | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0x154 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0xcc | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1797 | 0x1800 | False | 0.3787434895833333 | data | 4.031216120437235 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3000 | 0x63f | 0x800 | False | 0.7646484375 | data | 6.43669157518164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
.data | 0x4000 | 0x24c | 0x200 | False | 0.875 | data | 5.8293315768111045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x5000 | 0x26c | 0x400 | False | 0.3603515625 | data | 3.1797275657461412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x6000 | 0x8000 | 0x7200 | False | 0.5503700657894737 | data | 5.31387674469581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_OVER, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 20:54:11 |
Start date: | 16/03/2023 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xff0000 |
File size: | 116736 bytes |
MD5 hash: | 1F562FBF37040EC6C43C8D5EF619EA39 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 1 |
Start time: | 20:54:12 |
Start date: | 16/03/2023 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6da640000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 2 |
Start time: | 20:54:12 |
Start date: | 16/03/2023 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1b0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 3 |
Start time: | 20:54:12 |
Start date: | 16/03/2023 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3f0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 5 |
Start time: | 20:54:12 |
Start date: | 16/03/2023 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x40000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |