Windows
Analysis Report
A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll
Overview
General Information
Sample name: | A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll (renamed because original name is a hash value) |
Original sample name: | A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.old |
Analysis ID: | 1587544 |
MD5: | fd24cb5b446cc7a79d8e1613c1ec5379 |
SHA1: | 934ab58c4084a8ceccadc85349e203494449d143 |
SHA256: | 4f40a1038d72638de81648c9ce7904c93e413eebe4f02b972e69f5817acb65d0 |
Infos: | |
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 7504 cmdline: loaddll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7556 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 7580 cmdline: rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 7724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 616 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 7564 cmdline: rundll32.exe C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll,Initialize MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 7744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 612 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 7900 cmdline: rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",Initialize MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 7936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7900 -s 608 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Lowering of HIPS / PFW / Operating System Security Settings
AV Detection |
---|
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | (4 rows) |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | (15 rows) |
System Summary |
---|
Source: | Static PE information: | (6 rows) |
Source: | Process created: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | (3 rows) |
Source: | Classification label: |
Source: | Mutant created: | (4 rows) |
Source: | File created: |
Source: | Key opened: |
Source: | Process created: |
Source: | Process created: | (9 rows) |
Source: | Process created: | (4 rows) |
Source: | Section loaded: | (3 rows) |
Source: | Window detected: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | (8 rows) |
Source: | Static PE information: | (2 rows) |
Source: | Process information set: | (171 rows) |
Malware Analysis System Evasion |
---|
Source: | System information queried: |
Source: | File opened: | (4 rows) |
Source: | Special instruction interceptor: |
Source: | Registry key queried: | (3 rows) |
Source: | Last function: |
Source: | Thread delayed: |
Source: | Binary or memory string: | (30 rows) |
Source: | Process queried: | (6 rows) |
Source: | Process created: |
Source: | Binary or memory string: | (5 rows) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 331 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 121 Virtualization/Sandbox Evasion | LSASS Memory | 121 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Software Packing | Security Account Manager | 11 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 4% | Virustotal | | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | high | |
241.42.69.40.in-addr.arpa | unknown | unknown | false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1587544 |
Start date and time: | 2025-01-10 14:45:18 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 21s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 21 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll (renamed because original name is a hash value) |
Original Sample Name: | A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.old |
Detection: | MAL |
Classification: | mal60.evad.winDLL@13/13@1/0 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 199.232.210.172, 52.168.117.173, 13.107.246.45, 20.190.160.17, 20.12.23.50, 40.69.42.241, 20.109.210.53
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target rundll32.exe, PID 7564 because there are no executed functions
- Execution Graph export aborted for target rundll32.exe, PID 7580 because there are no executed functions
- Execution Graph export aborted for target rundll32.exe, PID 7900 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
bg.microsoft.map.fastly.net | Get hash | | malicious | Strela Downloader | Browse | |
 | Get hash | | malicious | Strela Downloader | Browse | |
 | Get hash | | malicious | Strela Downloader | Browse | |
 | Get hash | | malicious | Strela Downloader | Browse | |
 | Get hash | | malicious | Strela Downloader | Browse | |
 | Get hash | | malicious | Strela Downloader | Browse | |
 | Get hash | | malicious | Strela Downloader | Browse | |
 | Get hash | | malicious | Strela Downloader | Browse | |
 | Get hash | | malicious | LummaC Stealer | Browse | |
 | Get hash | | malicious | Strela Downloader | Browse | |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | modified |
Size (bytes): | 65536 |
Entropy (8bit): | 0.850955653308338 |
Encrypted: | false |
SSDEEP: | 192:OniuOYZZ0BU/wjeTPIzuiFcnZ24IO8dci:+ivYkBU/wjeEzuiFcnY4IO8dci |
MD5: | 6D478CAE235747801BB08067166B5575 |
SHA1: | 03C79DDFA885B4965EC808E355B8CC5C4278D3ED |
SHA-256: | 54EA2DE6B99D04AE72691738851B3CBD72D80680D140D57FBB259098CEFF79C7 |
SHA-512: | 685D2D9C0B29249FA3C3DDA66A3F869D6F450BBDDD98812C55CF06B32FE7B278C8757423ABEEFCDE7538045978F32C26F48ED434C257860A5B297FC9C3420B04 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8507853011592911 |
Encrypted: | false |
SSDEEP: | 192:siiGOsZZ0BU/wjeTPIzuiFcnZ24IO8dci:diHskBU/wjeEzuiFcnY4IO8dci |
MD5: | D0D2DF1A2B43FCC071C2D789D233DFB9 |
SHA1: | 658A99DBB8A9F2C7ADDC1185CDBC54F2CC15AC3E |
SHA-256: | 751F4A86F3704934B37254019AC9A2E737BDAC25C4717CE6D353F7EECA718C5B |
SHA-512: | BACB301F9000A2E6A185401582E8D7CA2B21611BD9C265F6B01C753C1A828EC9B91C1699B93AFC87A142438B69DB65B233B17350FA0FFF29257A6E72C3C57854 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8510536910460818 |
Encrypted: | false |
SSDEEP: | 192:gzSiKOuZZ0BU/wjeTPIzuiFcnZ24IO8dci:guirukBU/wjeEzuiFcnY4IO8dci |
MD5: | 55E21D22D4FDB31F8CA2AECE57139D31 |
SHA1: | 3C304F4CE55A962CC9FF3698AB83A393181B9CC7 |
SHA-256: | F992B243292AA3B7A89DDDB7319DE1AB6962426857B70F9666AC67D5D7B3C0F5 |
SHA-512: | C71CD1FBC9D6B67195AE879091622D0FF79EAF5DFEB3E8E9299CF92B83DCBE2DA60A79D28ADC699021AEC576D98B2A96C6F5165A04C9FD9122816AD5F556126C |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 43576 |
Entropy (8bit): | 1.939344151224375 |
Encrypted: | false |
SSDEEP: | 192:hanhlia2XNmO5H4h6YTklNR3MGRiQpXNpsc:8LgNx5H78ciQT9 |
MD5: | C36093824D159BB2F3701A0BB6E4977E |
SHA1: | 1819EBC63AEF8AA61110D1EA39DA4E57FB77B8E1 |
SHA-256: | 6244F444D39FFA4FA81DA192184C69BCBB8644BA3CFFFF5DB77189D2BEFBE933 |
SHA-512: | E242606E1B9B0871B946A9F9180B4C35C66FAC59256FAE050E63D468D39B8985BF31CC3C2837D1D871AE9291E05EFDD43B915C1CF322F35E777E59375D9DBB8D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 43228 |
Entropy (8bit): | 1.9187569701436427 |
Encrypted: | false |
SSDEEP: | 192:hCnhlxa2XKqcO5H4h1p7Np5e30dALYlORpr:MLdV5H6e3mALr |
MD5: | 09BD0D245E0BD6EC29892E536EE94CAC |
SHA1: | 82525F8F35F930C9EFB06A16CEE95A79B76BDAE2 |
SHA-256: | BFD604D2108136BE249426BA42857A08D97653FE4C95A62AEAEEFBF5F15002DC |
SHA-512: | 5E454B67EB38D93A13E41CA7012B02BBA7C86DB58A6E495D948CBF2096B089256E5E07BFA25F3992CF52AE5E32B7BFB31F93C48825652E70A15DF6CCC29254BB |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8350 |
Entropy (8bit): | 3.705825551017608 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJPX6Ip96YqT6YgmfTHp3prt89bPYsfvlm:R6lXJP6Ip96Ym6YgmfTJgPLfQ |
MD5: | EF7E279830F1BF393F657183BE08C8C1 |
SHA1: | B111E842850603811FEBF7AEC81F439146761A56 |
SHA-256: | CF2D48FAA1DF30823DEDC691C533EC27BBD31BD6DB2988BB8ABDCF0DF8139252 |
SHA-512: | 1385AB67D08B6D1ABCCBEEEDFA2C48805769FC6DDD529635E68021C895BB18720D816FDFF710DEA38D8FA6F654B69AD4D4587192738C9E5E4583439E0E92C664 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8362 |
Entropy (8bit): | 3.7038047433907604 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJFj/6IoQ6Y4rZ6mZgmfTHp3pru89bPLsfIlm:R6lXJ5/6IoQ6Y66ggmfTJ9PQfn |
MD5: | 25ABE3A196588B3E15D7AEA4D1951B14 |
SHA1: | F28F470E71E2836CF6C09D23F470D98A73030DC1 |
SHA-256: | 23421151DF35648C00C539E4AD28227A47081414317493B0D0D91F0FA973F4C2 |
SHA-512: | 1FEADE52AA861CD0232227EE94E29E5FFE54FFA3DDBCAF0B962F03D0B11E4C939D08B24414FE3BCAD3B655C671ED3E234AB844B54E8CD22D0705276E58141017 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4738 |
Entropy (8bit): | 4.520346982044893 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zs4Jg77aI9PC1WpW8VYxPYm8M4JCdPUry+FAv+q8/mHqPpGScSNd:uIjf+I7IE7V1JIvvapJ3Nd |
MD5: | 33D91E9EF1E04A34438C0E2054E1C97B |
SHA1: | 3B56273BA075AD9C804D11714D44090B3EAFED76 |
SHA-256: | 61714BD0FFC3B969876FD4D8587F0DE1B73E8A3392E581B966C4B23F9DAA64C0 |
SHA-512: | 27F5179952894089B6546F35158DF4FF41D10BF7BAB64A85ED8379DF1C63BB5F6CA2155D977C0F948FA07F2492EC9C6A3B29FE13E1ED1F7B7B41F33BF15E5A6C |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4738 |
Entropy (8bit): | 4.521841968583321 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zs4Jg77aI9PC1WpW8VYxqYm8M4JCdPUry+FXe+q8/mHqPTGScS6d:uIjf+I7IE7VQJI0eaTJ36d |
MD5: | 0938B56F1BEEA195A941C0CA221B9045 |
SHA1: | C3CB887460C2589785AA70D4032F7E44E3D15FE7 |
SHA-256: | E8969AC4A68863EE1FA1B2EB6BB6C4D70160A9585320172141D1329B7E236F4C |
SHA-512: | 5A31BC410F2587977FF93D171224334796A7EA04B30238D7F56BE5F9D7F0666A80AB70F734F326A52C2ECDF2522F9633213FE1D0B6D7668B8EB7BAD64C1C85E8 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 43896 |
Entropy (8bit): | 1.926178295986295 |
Encrypted: | false |
SSDEEP: | 96:5B8QEYj88WyhY4ofzLUmbUT2OwJZ08bugoi75I4v4avEXJi5cvwA/IGLZ4MPBp2V:w4jnhl6a2Xjb6O5H4hRwIN1OB61Bj8Y |
MD5: | E9A66116D33470F5E182B469418CC9D0 |
SHA1: | 7A7DA5B7BB7DE2A3B2D56616AF32A3C9F6EA0A90 |
SHA-256: | EF687CA475F496B9A79F207E0CAB294EDA414936A9A134608636B9D9519ACF41 |
SHA-512: | C8094050162C670A2BBD30A6500C1066C09F6888AC01AECD7BB593DF09FF8E579B02150288F974A2C593B824D30C8EE4C5A9A70E6829CB6F550ABDBFD1620E68 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8372 |
Entropy (8bit): | 3.7017145957364095 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJbV6Ipe6Y4rJ6OxJgmfTHp3prw89b//sfuVm:R6lXJ56Ipe6YK6O/gmfTJH/kf9 |
MD5: | EE57621FEBB0F01C13F3ACA3B7FBA1F0 |
SHA1: | B3299E786175A6A6B2E4C407358FFF3D20B54A79 |
SHA-256: | 0EC6857D27E78B308C62219DBD4C8FBD4A6FD4312DB39C2DE9E03B6432DF6D88 |
SHA-512: | CA51B698D12617A0D87D951205940DDB70E3571BC8DA5EE6E84D6A139788C066F8FD43933EA95D3977D87116A397BEC7B95C707BD53F3AE63649EF25C9E6A726 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4738 |
Entropy (8bit): | 4.522487570417745 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zs4Jg77aI9PC1WpW8VYxaYm8M4JCdPUry+FPS+q8/mHqPjGScSid:uIjf+I7IE7VcJIBajJ3id |
MD5: | 2C82DEBB52DFCA4849DE637A5E9456D5 |
SHA1: | 9C830CBD6449236E13F23E23FBC52159EF6CFB01 |
SHA-256: | 2DBC60A50FBACB955676281E9D8663709F3789AA80D5594E1316615025EEE511 |
SHA-512: | D545BCBD8B882F66A284647DAC4084E6E1FEA95E6D49CF28817E63917511693DB97FC75A9B4A6D69BB470875A8D4CA800B1CBC39046408AEC4C93165B418A3D3 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.417440877241827 |
Encrypted: | false |
SSDEEP: | 6144:Dcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:4i58oSWIZBk2MM6AFBWo |
MD5: | 6BFCC2B7AAC6C5ECA4B0C9117CAEC4F7 |
SHA1: | 45C2B23135D5797580CCE949E8472CEA4475FCA6 |
SHA-256: | F29DC08F2C2C6D67795D1421EB60D67A9135C937AAF31610D566C3B89FD6B8E5 |
SHA-512: | C774975A2813379E1634AE6BF11688EBD36D1050F4FAF38C5DD610919DA3F58169032084EC45EEFF410D0362019CD02D3FC348ED3640B446A366E7B582F8B326 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.929062252311108 |
TrID: |
|
File name: | A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll |
File size: | 1'884'920 bytes |
MD5: | fd24cb5b446cc7a79d8e1613c1ec5379 |
SHA1: | 934ab58c4084a8ceccadc85349e203494449d143 |
SHA256: | 4f40a1038d72638de81648c9ce7904c93e413eebe4f02b972e69f5817acb65d0 |
SHA512: | f8ea8023c95846ed4a7607915cbcee16ce33862ab92ab5ea43e8f48a5edfd9923a1c42d09ed3b5f72e4f8edc0b0787e881a27eaebad9acf307b1509af89af41a |
SSDEEP: | 49152:lkuS+piUmtOswQDL+qAFqNrayY0Qc0mx6DaDlU:7S+MU3sTOqAFUXXQjc6olU |
TLSH: | 299533F5B5C8F15BC896DC7AC9B9811764B8180188FDC3EC686CE6C7E955A3D03E62C8 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.8$9.Vw9.Vw9.VwK3Uv2.VwK3Sv..VwK3Rv*.Vw(4Uv-.Vw(4Rv6.Vw(4Sv..VwK3Wv:.Vw9.Wwa.Vw.4_v8.Vw.4Vv8.Vw.4.w8.Vw.4Tv8.VwRich9.Vw....... |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x102ac058 |
Entrypoint Section: | .boot |
Digitally signed: | true |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x676670F3 [Sat Dec 21 07:40:35 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | a56f115ee5ef2625bd949acaeec66b76 |
Signature Valid: | true |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | A7CD84C41EE06DB0DAFCA785A17E4DAC |
Thumbprint SHA-1: | 519E11C560A4A2A641CBEE67AD06B098D45C3ECA |
Thumbprint SHA-256: | FEBD20DCECC00083FDD7BCD1627DF973C6D80FF2405301BB987D4108ABE52D46 |
Serial: | 0D8BA5F7457123DB75515AD17F6375F5 |
Instruction |
---|
call 00007F270CB08110h |
push ebx |
mov ebx, esp |
push ebx |
mov esi, dword ptr [ebx+08h] |
mov edi, dword ptr [ebx+10h] |
cld |
mov dl, 80h |
mov al, byte ptr [esi] |
inc esi |
mov byte ptr [edi], al |
inc edi |
mov ebx, 00000002h |
add dl, dl |
jne 00007F270CB07FC7h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
jnc 00007F270CB07FACh |
add dl, dl |
jne 00007F270CB07FC7h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
jnc 00007F270CB08013h |
xor eax, eax |
add dl, dl |
jne 00007F270CB07FC7h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
jnc 00007F270CB080A7h |
add dl, dl |
jne 00007F270CB07FC7h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F270CB07FC7h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F270CB07FC7h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F270CB07FC7h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc eax, eax |
je 00007F270CB07FCAh |
push edi |
mov eax, eax |
sub edi, eax |
mov al, byte ptr [edi] |
pop edi |
mov byte ptr [edi], al |
inc edi |
mov ebx, 00000002h |
jmp 00007F270CB07F5Bh |
mov eax, 00000001h |
add dl, dl |
jne 00007F270CB07FC7h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F270CB07FC7h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
jc 00007F270CB07FACh |
sub eax, ebx |
mov ebx, 00000001h |
jne 00007F270CB07FEAh |
mov ecx, 00000001h |
add dl, dl |
jne 00007F270CB07FC7h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc ecx, ecx |
add dl, dl |
jne 00007F270CB07FC7h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
jc 00007F270CB07FACh |
push esi |
mov esi, edi |
sub esi, ebp |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1f000 | 0x49 | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x20020 | 0x34 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x1d8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1c9c00 | 0x26f8 | .wemod |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
| | 0x1000 | 0xe949 | 0x8a00 | eae6c96dfc9f22e38008ae706d29670e | False | 0.988875679347826 | data | 7.959611465365893 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| | 0x10000 | 0x81fa | 0x2e00 | eee6e0a86c91828da0980071cea1d0cd | False | 0.9858186141304348 | data | 7.892359903119882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| | 0x19000 | 0x15c0 | 0x400 | 064cd50f16b7ce89240e0ce56fcc9091 | False | 0.619140625 | data | 5.3761717928772494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x1b000 | 0x80 | 0x200 | c5f8b924da0b4c2bc0533079849018c9 | False | 0.525390625 | data | 3.4081500494081083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x1c000 | 0x1e0 | 0x200 | 4ce15926ccab8ec88ac94da7d98d6359 | False | 0.900390625 | data | 6.6940262969367845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| | 0x1d000 | 0x1238 | 0x1000 | 04788fc2d0f5b9936c93d120971d74b9 | False | 0.9970703125 | data | 7.8514926357312085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.edata | 0x1f000 | 0x1000 | 0x200 | 544c5eab7820086fa3d9b5c7f0816b86 | False | 0.134765625 | data | 0.7863599620683352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.idata | 0x20000 | 0x1000 | 0x200 | f23d42a2f5ed2acbc3aaf845cbcea5af | False | 0.107421875 | data | 0.5982647264436897 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x21000 | 0x1000 | 0x200 | 90c2ca9daed06afbfb6effc89c6999bb | False | 0.525390625 | data | 4.720822661998389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.wemod | 0x22000 | 0x28a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.boot | 0x2ac000 | 0x1bc200 | 0x1bc200 | c17f921028b72273768ddae6037ee9e3 | False | 0.9940867532718829 | data | 7.929755837502866 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x21058 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
kernel32.dll | GetModuleHandleA |
Name | Ordinal | Address |
---|---|---|
Initialize | 1 | 0x10001bd0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 10, 2025 14:46:52.314333916 CET | 57423 | 53 | 192.168.2.7 | 162.159.36.2 |
Jan 10, 2025 14:46:52.319183111 CET | 53 | 57423 | 162.159.36.2 | 192.168.2.7 |
Jan 10, 2025 14:46:52.319257021 CET | 57423 | 53 | 192.168.2.7 | 162.159.36.2 |
Jan 10, 2025 14:46:52.324153900 CET | 53 | 57423 | 162.159.36.2 | 192.168.2.7 |
Jan 10, 2025 14:46:52.802062035 CET | 57423 | 53 | 192.168.2.7 | 162.159.36.2 |
Jan 10, 2025 14:46:52.807073116 CET | 53 | 57423 | 162.159.36.2 | 192.168.2.7 |
Jan 10, 2025 14:46:52.807131052 CET | 57423 | 53 | 192.168.2.7 | 162.159.36.2 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 10, 2025 14:46:52.313828945 CET | 53 | 54730 | 162.159.36.2 | 192.168.2.7 |
Jan 10, 2025 14:46:52.853636026 CET | 57513 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 14:46:52.860894918 CET | 53 | 57513 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 10, 2025 14:46:52.853636026 CET | 192.168.2.7 | 1.1.1.1 | 0xddd1 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 10, 2025 14:46:23.815408945 CET | 1.1.1.1 | 192.168.2.7 | 0x8a2f | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 14:46:23.815408945 CET | 1.1.1.1 | 192.168.2.7 | 0x8a2f | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 14:46:41.842065096 CET | 1.1.1.1 | 192.168.2.7 | 0x4ea | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 14:46:41.842065096 CET | 1.1.1.1 | 192.168.2.7 | 0x4ea | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 14:46:52.860894918 CET | 1.1.1.1 | 192.168.2.7 | 0xddd1 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) | false |
Jan 10, 2025 14:46:56.503145933 CET | 1.1.1.1 | 192.168.2.7 | 0xa165 | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 14:46:56.503145933 CET | 1.1.1.1 | 192.168.2.7 | 0xa165 | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 14:47:36.900595903 CET | 1.1.1.1 | 192.168.2.7 | 0x578b | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 14:47:36.900595903 CET | 1.1.1.1 | 192.168.2.7 | 0x578b | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Target ID: | 1 |
Start time: | 08:46:18 |
Start date: | 10/01/2025 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd20000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 08:46:18 |
Start date: | 10/01/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75da10000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 08:46:18 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x410000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 08:46:18 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x640000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 08:46:18 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x640000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 08:46:18 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 08:46:19 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 13 |
Start time: | 08:46:21 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x640000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 15 |
Start time: | 08:46:22 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |