Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll

Overview

General Information

Sample name:2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll
renamed because original name is a hash value
Original sample name:2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.old
Analysis ID:1579741
MD5:06b154e85860ee36d395d05773a2a47e
SHA1:38ec6351215e316c2910df59411ec090d7145d0c
SHA256:5fcfacbc3b2c171883908ac2fdb2bd370ecdfb88318a944db754aa9fa3dceaec
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7320 cmdline: loaddll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7456 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7484 cmdline: rundll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllVirustotal: Detection: 15%Perma Link
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: certificate valid
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: Binary string: goopdateres_unsigned_mr.pdb source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://ocsp.digicert.com0C
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://ocsp.digicert.com0H
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://ocsp.digicert.com0I
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://ocsp.digicert.com0O
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://www.digicert.com/CPS0
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllString found in binary or memory: https://www.digicert.com/CPS0
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllBinary or memory string: OriginalFilenamegoopdateres_mr.dllD vs 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engineClassification label: mal48.winDLL@6/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll",#1
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllVirustotal: Detection: 15%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll",#1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: certificate valid
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: goopdateres_unsigned_mr.pdb source: 2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll",#1Jump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading
11
Process Injection
1
Rundll32
OS Credential Dumping1
Virtualization/Sandbox Evasion
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
1
Virtualization/Sandbox Evasion
LSASS Memory1
System Information Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection
Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1579741 Sample: 2E814B7D-3F0B-4AF7-8C7C-C8A... Startdate: 23/12/2024 Architecture: WINDOWS Score: 48 15 Multi AV Scanner detection for submitted file 2->15 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll15%VirustotalBrowse
2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll0%ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
NameIPActiveMaliciousAntivirus DetectionReputation
ax-0001.ax-msedge.net
150.171.28.10
truefalse
    high
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1579741
    Start date and time:2024-12-23 08:00:02 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 54s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Run name:Run with higher sleep bypass
    Number of analysed new started processes analysed:25
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll
    renamed because original name is a hash value
    Original Sample Name:2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.old
    Detection:MAL
    Classification:mal48.winDLL@6/0@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
    • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 23.218.208.109, 104.102.63.47, 40.126.53.12, 20.199.58.43, 2.16.158.192, 13.107.246.63, 172.202.163.200, 150.171.28.10, 2.16.158.27, 20.86.201.138
    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, e15275.d.akamaiedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net
    • Not all processes where analyzed, report is missing behavior information
    No simulations
    No context
    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    ax-0001.ax-msedge.netfKdiT1D1dk.exeGet hashmaliciousRHADAMANTHYSBrowse
    • 150.171.27.10
    file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
    • 150.171.28.10
    uDTW3VjJJT.exeGet hashmaliciousLummaC, StealcBrowse
    • 150.171.27.10
    BB4S2ErvqK.exeGet hashmaliciousLummaCBrowse
    • 150.171.28.10
    hvm4oOzDaX.exeGet hashmaliciousUnknownBrowse
    • 150.171.27.10
    SWIFT.xlsGet hashmaliciousUnknownBrowse
    • 150.171.27.10
    https://click.pstmrk.it/3s/veed.io%2Fshare-video-link%3Ftoken%3DeyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MzQ2MzE2NDgsImlhdCI6MTczNDYzMDc0OCwic3ViIjoiZmY0NTdiM2MtYjI3MC00YzA0LWEwOTEtYjY3ZDJkOGQ3ZTU1Iiwicm9sZXMiOltdLCJraWQiOiJwcm9qZWN0cy92ZWVkLXByb2Qtc2VydmVyL2xvY2F0aW9ucy9ldXJvcGUtd2VzdDEva2V5UmluZ3MvdmVlZC1wcm9kLWtleXJpbmcvY3J5cHRvS2V5cy92ZWVkLXByb2QtandrLWtleS9jcnlwdG9LZXlWZXJzaW9ucy8xIiwiZmVhdHVyZXMiOnt9LCJzY29wZXMiOltdfQ.f-EtSCYYeQiR4cEb8w5ABF3koXpbxl8QeFIarADkLP6q32DzsnFZl76Y98Uad7M8RBPPuOQOV9SUbCY1hRa4IbqV9_4cTm0v7DuBTCKOZbHN1NiATZOGw2BzdEMqIEfnNo5A_H2_DLVQZLtd6sZzcRoNBzbmcq2_xlzWgmqIErGV0VYXIb-Vac1b-3wmAgIyE-VS7Cd5aHYtVyiV9T5HfrpjPl7-M6dLIaQqm6103z7gO_qoKow1qbFmNgGaUsQED1CHbqo-hCgXzib7NToyu0Qq4kSl-2NEzgLMKy1zFR2J0E0vr9FHirjR9fmmDF2nk76Ht8L2WbV-dRyXZBZaUikfojo56vYWI9cfSQrG_awuFNR0M1s6dpPwumDM8sXlMZYt4u5WZaNcRZynPHXeqNZcdwKhlZrFN0U3B3U7B69avz_FlMxw6Or_0aeJkUP5YZP3wH-IIbwwa6es37u8G7gWYINEfp-pJlKV7klV1CcskLf_53iNx7MtxgvAXLMNZJ2tnuxY8W6w_E-pchjpNP2I5NV2Ui2_bNSgl3kBuX3oWsX0m_wL3MZ39pE3paPp2FAIgQPpZ5a0BhmPYsMk2IPPel2dll8j1IYBwHsZ5a1IHsHA6gTMWkJl-uhAjN4mnXo7Om0NWRZvfFvatgA4YCoTXdntM31GIZxAyWF9a14%26postLoginUrl%3D%252Fview%252F3ab9b7be-178c-4289-b29e-75921856f7f5%252F/oMlP/0SC6AQ/AQ/15f5e010-d260-490a-9e5d-79f5643b5481/1/HSOO9aL291Get hashmaliciousUnknownBrowse
    • 150.171.27.10
    https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2FpaymentGet hashmaliciousHTMLPhisherBrowse
    • 150.171.27.10
    ktyihkdfesf.exeGet hashmaliciousVidarBrowse
    • 150.171.27.10
    ep_setup.exeGet hashmaliciousUnknownBrowse
    • 150.171.28.10
    No context
    No context
    No context
    No created / dropped files found
    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Entropy (8bit):5.023769631466241
    TrID:
    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
    • Generic Win/DOS Executable (2004/3) 0.20%
    • DOS Executable Generic (2002/1) 0.20%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll
    File size:49'184 bytes
    MD5:06b154e85860ee36d395d05773a2a47e
    SHA1:38ec6351215e316c2910df59411ec090d7145d0c
    SHA256:5fcfacbc3b2c171883908ac2fdb2bd370ecdfb88318a944db754aa9fa3dceaec
    SHA512:3a1a274459cacc08d5dc984aa9c774f4209b772f09d4221547b8a3ae052cbb01343c1bfab539735b4e08b0d6468e0164cd1e0813b7490245414eee7ca2de27e2
    SSDEEP:384:PI1Cd4/7JK7bABkAhnqeZsHLMFqeZsHLsTJVhu3:P8Y4/7JK7b5Ahq3Krhu3
    TLSH:DF23313842481D0AE72DBA70B0A44A3F0D97248077ECF39656C4B178DEB473765ADE6E
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M.....@...@...@.e.D...@...A...@...A...@...I...@...@...@.......@...B...@.Rich..@.........................PE..L...`..a...........
    Icon Hash:7ae282899bbab082
    Entrypoint:0x19001294
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x19000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH
    Time Stamp:0x61849560 [Fri Nov 5 02:22:24 2021 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:1
    File Version Major:5
    File Version Minor:1
    Subsystem Version Major:5
    Subsystem Version Minor:1
    Import Hash:6c8408bb5d7d5a5b75b9314f94e68763
    Signature Valid:true
    Signature Issuer:CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
    Signature Validation Error:The operation completed successfully
    Error Number:0
    Not Before, Not After
    • 26/05/2021 02:00:00 03/06/2022 01:59:59
    Subject Chain
    • CN=Blaze Media Inc., O=Blaze Media Inc., L=Panama City, S=Panama, C=PA, SERIALNUMBER=155704406, OID.1.3.6.1.4.1.311.60.2.1.3=PA, OID.2.5.4.15=Private Organization
    Version:3
    Thumbprint MD5:9F48057D38B49672F5C4AD08C1C799FD
    Thumbprint SHA-1:BC461FAAFBCDDB53BBD950A2DA62E4264E2B7FFC
    Thumbprint SHA-256:28C3331E99899B4E994ECDCFD693375F46C541080C1E3A0FE2F3B218E884CC75
    Serial:0A97F6188700B6BE969185C4C0E472F8
    Instruction
    push ebp
    mov ebp, esp
    cmp dword ptr [ebp+0Ch], 01h
    jne 00007F657D08A88Bh
    push dword ptr [ebp+08h]
    call dword ptr [19003000h]
    xor eax, eax
    inc eax
    pop ebp
    retn 000Ch
    retn 0000h
    add byte ptr [eax], al
    add byte ptr [eax], al
    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x12b00x44.text
    IMAGE_DIRECTORY_ENTRY_IMPORT0x300c0x28.idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x40000x79a0.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x88000x3820
    IMAGE_DIRECTORY_ENTRY_BASERELOC0xc0000x20.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x10080x54.text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x10600x40.text
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x30000x8.idata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x2f40x400c445decacd41106ec615cf7e61a0a91cFalse0.333984375data2.6200356360122243IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data0x20000x3280x20081c3ad2179d63c737193143995ffe71dFalse0.041015625data0.16299007530476972IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata0x30000x660x2001fd6e46d6632754a3585e7a5d367355cFalse0.1484375data0.9312708125215587IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .rsrc0x40000x79a00x7a007f2f723b01fe4dc22abb8326601449ccFalse0.11760373975409837data3.2913747937184IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc0xc0000x200x200e2cebef07f2af40d2433e1f112672e5fFalse0.078125data0.31563338102933974IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    NameRVASizeTypeLanguageCountryZLIB Complexity
    RT_BITMAP0x42800x4678Device independent bitmap graphic, 100 x 60 x 24, image size 18000, resolution 3780 x 3780 px/mMarathiIndia0.020343680709534368
    RT_DIALOG0x88f80x204dataMarathiIndia0.45930232558139533
    RT_DIALOG0x8b000xc0dataMarathiIndia0.5625
    RT_DIALOG0x8bc00xc0dataMarathiIndia0.5625
    RT_STRING0x8fb00x1aaMatlab v4 mat-file (little endian) e, numeric, rows 0, columns 0MarathiIndia0.568075117370892
    RT_STRING0x91600xf56dataMarathiIndia0.26591951095262356
    RT_STRING0xa0b80x562dataMarathiIndia0.3925979680696662
    RT_STRING0xa6200x4d6dataMarathiIndia0.28109854604200324
    RT_STRING0xaaf80x938dataMarathiIndia0.3419491525423729
    RT_STRING0xb4300x56cdataMarathiIndia0.3595100864553314
    RT_VERSION0x8c800x32cdataMarathiIndia0.4433497536945813
    DLLImport
    KERNEL32.dllDisableThreadLibraryCalls
    Language of compilation systemCountry where language is spokenMap
    MarathiIndia
    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Dec 23, 2024 08:01:22.261379957 CET1.1.1.1192.168.2.60xac51No error (0)g-bing-com.ax-0001.ax-msedge.netax-0001.ax-msedge.netCNAME (Canonical name)IN (0x0001)false
    Dec 23, 2024 08:01:22.261379957 CET1.1.1.1192.168.2.60xac51No error (0)ax-0001.ax-msedge.net150.171.28.10A (IP address)IN (0x0001)false
    Dec 23, 2024 08:01:22.261379957 CET1.1.1.1192.168.2.60xac51No error (0)ax-0001.ax-msedge.net150.171.27.10A (IP address)IN (0x0001)false

    Click to jump to process

    Click to jump to process

    Click to jump to process

    Target ID:0
    Start time:02:00:54
    Start date:23/12/2024
    Path:C:\Windows\System32\loaddll32.exe
    Wow64 process (32bit):true
    Commandline:loaddll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll"
    Imagebase:0x240000
    File size:126'464 bytes
    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:2
    Start time:02:00:54
    Start date:23/12/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:4
    Start time:02:00:54
    Start date:23/12/2024
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll",#1
    Imagebase:0x1c0000
    File size:236'544 bytes
    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:5
    Start time:02:00:54
    Start date:23/12/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll",#1
    Imagebase:0x9b0000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    No disassembly