Windows
Analysis Report
Ua58ViPBl3.dll
Overview
General Information
Sample name: | Ua58ViPBl3.dll (renamed file extension from none to dll, renamed because original name is a hash value) |
Original sample name: | F9DBFCD2DC16A7BCC5EB463F14348EB7441B3E23326CC1DD9AAD702A85FD5588 |
Analysis ID: | 1524301 |
MD5: | de0f1964d8da47bbfc8263a02219bc1e |
SHA1: | 06e54b1491915badf093a57e7e43a9a4afa93b1f |
SHA256: | f9dbfcd2dc16a7bcc5eb463f14348eb7441b3e23326cc1dd9aad702a85fd5588 |
Detection
Score: | 3 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 6496 cmdline: loaddll32.exe "C:\Users\user\Desktop\Ua58ViPBl3.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6720 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Ua58ViPBl3.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 4696 cmdline: rundll32.exe "C:\Users\user\Desktop\Ua58ViPBl3.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6448 cmdline: rundll32.exe C:\Users\user\Desktop\Ua58ViPBl3.dll,CheckPwd MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 2120 cmdline: rundll32.exe C:\Users\user\Desktop\Ua58ViPBl3.dll,GetKey MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 3452 cmdline: rundll32.exe C:\Users\user\Desktop\Ua58ViPBl3.dll,GetPwd MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
There are no malicious signatures.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Rundll32 | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
198.187.3.20.in-addr.arpa | unknown | unknown | false | unknown | |
197.87.175.4.in-addr.arpa | unknown | unknown | false | unknown | |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1524301 |
Start date and time: | 2024-10-02 17:10:33 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 7s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Ua58ViPBl3.dll (renamed file extension from none to dll, renamed because original name is a hash value) |
Original Sample Name: | F9DBFCD2DC16A7BCC5EB463F14348EB7441B3E23326CC1DD9AAD702A85FD5588 |
Detection: | CLEAN |
Classification: | clean3.winDLL@12/0@2/0 |
EGA Information: | Failed |
HCA Information: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- VT rate limit hit for: Ua58ViPBl3.dll
File type: | |
Entropy (8bit): | 6.685576661039729 |
TrID: | |
File name: | Ua58ViPBl3.dll |
File size: | 2'788'352 bytes |
MD5: | de0f1964d8da47bbfc8263a02219bc1e |
SHA1: | 06e54b1491915badf093a57e7e43a9a4afa93b1f |
SHA256: | f9dbfcd2dc16a7bcc5eb463f14348eb7441b3e23326cc1dd9aad702a85fd5588 |
SHA512: | aaf199898e33c3274f24859a69b87b1dffaab47fc3a119392c9b50b40bbc953d29663c838ab7fe5d6a47004924d09881955d1d66deb84c322e30f16a504e66f8 |
SSDEEP: | 49152:784X/fFTXMMvaSjLlWSFqrowPecCdayaKx6r4:78iF7jRRZdaVKxE4 |
TLSH: | D9D55B23B384753EC0AF1A3A4837E254993BB7512A239D9B57F00C4CDF255817E7A68B |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x64dc20 |
Entrypoint Section: | .itext |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x65E6B664 [Tue Mar 5 06:06:28 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | fb482bf59d198bbcb3e1f7bccc5782bd |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFC0h |
mov eax, 00643950h |
call 00007FBB14908A21h |
call 00007FBB14901148h |
lea eax, dword ptr [eax+00h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x260000 | 0xd4 | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25b000 | 0x36c4 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x297000 | 0x1c400 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x262000 | 0x34e94 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x25b9d0 | 0x87c | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x25f000 | 0xc38 | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x24ac48 | 0x24ae00 | ca486c5474c03862356d3e1438d7a824 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0x24c000 | 0x1c38 | 0x1e00 | db23797c8d536f65ad06f05440569fef | False | 0.533984375 | data | 6.211388531506638 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x24e000 | 0x5c74 | 0x5e00 | f7a8fcf4c582bdfa1f909e5fb90434f3 | False | 0.41451961436170215 | data | 5.163493895025928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x254000 | 0x6fa4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x25b000 | 0x36c4 | 0x3800 | ec0fc8e5b96370303c9dcce9054f3314 | False | 0.33028738839285715 | data | 5.211253742754911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0x25f000 | 0xc38 | 0xe00 | 5ac9a92328e385489174b51ee4d837db | False | 0.318359375 | data | 4.016149403218201 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0x260000 | 0xd4 | 0x200 | 2844867e56bef898c328fbaed812d66e | False | 0.353515625 | data | 2.447644221041293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rdata | 0x261000 | 0x45 | 0x200 | cc685774f70a302d351a395c5b0886a2 | False | 0.158203125 | ASCII text, with no line terminators | 1.1765792772212422 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x262000 | 0x34e94 | 0x35000 | c4b7de8998c9090a6f14eae2ba9426b8 | False | 0.5695985038325472 | data | 6.7216851895563074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x297000 | 0x1c400 | 0x1c400 | a5aa055a0e91c13f26e1580d41bc41a4 | False | 0.2469233960176991 | data | 7.18140204804703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x298300 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
RT_CURSOR | 0x298434 | 0x134 | data | English | United States | 0.4642857142857143 |
RT_CURSOR | 0x298568 | 0x134 | data | English | United States | 0.4805194805194805 |
RT_CURSOR | 0x29869c | 0x134 | data | English | United States | 0.38311688311688313 |
RT_CURSOR | 0x2987d0 | 0x134 | data | English | United States | 0.36038961038961037 |
RT_CURSOR | 0x298904 | 0x134 | data | English | United States | 0.4090909090909091 |
RT_CURSOR | 0x298a38 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
RT_BITMAP | 0x298b6c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5208333333333334 |
RT_BITMAP | 0x298c2c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42857142857142855 |
RT_BITMAP | 0x298d0c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.4955357142857143 |
RT_BITMAP | 0x298dec | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.38392857142857145 |
RT_BITMAP | 0x298ecc | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4947916666666667 |
RT_BITMAP | 0x298f8c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.484375 |
RT_BITMAP | 0x29904c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42410714285714285 |
RT_BITMAP | 0x29912c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5104166666666666 |
RT_BITMAP | 0x2991ec | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.5 |
RT_BITMAP | 0x2992cc | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4895833333333333 |
RT_BITMAP | 0x29938c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.3794642857142857 |
RT_STRING | 0x29946c | 0x4a0 | data | | | 0.38260135135135137 |
RT_STRING | 0x29990c | 0x34c | data | | | 0.40165876777251186 |
RT_STRING | 0x299c58 | 0x390 | data | | | 0.3355263157894737 |
RT_STRING | 0x299fe8 | 0x288 | data | | | 0.4737654320987654 |
RT_STRING | 0x29a270 | 0x45c | data | | | 0.3611111111111111 |
RT_STRING | 0x29a6cc | 0x2c8 | data | | | 0.40168539325842695 |
RT_STRING | 0x29a994 | 0x458 | data | | | 0.39928057553956836 |
RT_STRING | 0x29adec | 0xa0 | data | | | 0.7 |
RT_STRING | 0x29ae8c | 0xe0 | data | | | 0.6473214285714286 |
RT_STRING | 0x29af6c | 0x110 | data | | | 0.625 |
RT_STRING | 0x29b07c | 0x3a0 | data | | | 0.39762931034482757 |
RT_STRING | 0x29b41c | 0x3f0 | data | | | 0.3819444444444444 |
RT_STRING | 0x29b80c | 0x3e4 | data | | | 0.39558232931726905 |
RT_STRING | 0x29bbf0 | 0x430 | data | | | 0.2947761194029851 |
RT_STRING | 0x29c020 | 0x308 | data | | | 0.38788659793814434 |
RT_STRING | 0x29c328 | 0x3b8 | data | | | 0.4096638655462185 |
RT_STRING | 0x29c6e0 | 0x4e8 | data | | | 0.3877388535031847 |
RT_STRING | 0x29cbc8 | 0x4d8 | data | | | 0.3233870967741935 |
RT_STRING | 0x29d0a0 | 0x37c | data | | | 0.39349775784753366 |
RT_STRING | 0x29d41c | 0x3a8 | data | | | 0.327991452991453 |
RT_STRING | 0x29d7c4 | 0x40c | data | | | 0.3735521235521235 |
RT_STRING | 0x29dbd0 | 0xd0 | data | | | 0.5288461538461539 |
RT_STRING | 0x29dca0 | 0xb8 | data | | | 0.6467391304347826 |
RT_STRING | 0x29dd58 | 0x298 | data | | | 0.4819277108433735 |
RT_STRING | 0x29dff0 | 0x438 | data | | | 0.3212962962962963 |
RT_STRING | 0x29e428 | 0x344 | data | | | 0.4043062200956938 |
RT_STRING | 0x29e76c | 0x2dc | data | | | 0.3770491803278688 |
RT_STRING | 0x29ea48 | 0x318 | data | | | 0.33080808080808083 |
RT_RCDATA | 0x29ed60 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013 |
RT_RCDATA | 0x29fac0 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344 |
RT_RCDATA | 0x2a0818 | 0xcfc | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003309265944645 |
RT_RCDATA | 0x2a1514 | 0xcd9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033444816053512 |
RT_RCDATA | 0x2a21f0 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013 |
RT_RCDATA | 0x2a2f50 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344 |
RT_RCDATA | 0x2a3ca8 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634 |
RT_RCDATA | 0x2a48f8 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634 |
RT_RCDATA | 0x2a5548 | 0xcb5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033814940055334 |
RT_RCDATA | 0x2a6200 | 0xcb0 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033866995073892 |
RT_RCDATA | 0x2a6eb0 | 0xd56 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032220269478618 |
RT_RCDATA | 0x2a7c08 | 0xd47 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032362459546926 |
RT_RCDATA | 0x2a8950 | 0xdc2 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031232254400908 |
RT_RCDATA | 0x2a9714 | 0xdc5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031205673758865 |
RT_RCDATA | 0x2aa4dc | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074 |
RT_RCDATA | 0x2ab1d0 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965 |
RT_RCDATA | 0x2abec0 | 0xda9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031455533314269 |
RT_RCDATA | 0x2acc6c | 0xda6 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031482541499714 |
RT_RCDATA | 0x2ada14 | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074 |
RT_RCDATA | 0x2ae708 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965 |
RT_RCDATA | 0x2af3f8 | 0x10 | data | | | 1.5 |
RT_RCDATA | 0x2af408 | 0x148b | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0020916524054002 |
RT_RCDATA | 0x2b0894 | 0x111e | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0025102692834322 |
RT_RCDATA | 0x2b19b4 | 0xd8c | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031718569780854 |
RT_RCDATA | 0x2b2740 | 0x8d4 | data | | | 0.5154867256637168 |
RT_RCDATA | 0x2b3014 | 0x2 | data | English | United States | 5.0 |
RT_RCDATA | 0x2b3018 | 0xf9 | Delphi compiled form 'TdmMain' | | | 0.7068273092369478 |
RT_GROUP_CURSOR | 0x2b3114 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x2b3128 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x2b313c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x2b3150 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x2b3164 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x2b3178 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x2b318c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_VERSION | 0x2b31a0 | 0x218 | data | English | United States | 0.47388059701492535 |
DLL | Import |
---|---|
borlndmm.dll | @Borlndmm@SysGetMem$qqri |
winspool.drv | DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW |
comdlg32.dll | FindTextW |
comctl32.dll | ImageList_GetImageInfo, FlatSB_SetScrollInfo, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage |
shell32.dll | SHBrowseForFolderW, SHGetMalloc, SHGetDesktopFolder, Shell_NotifyIconW, SHGetPathFromIDListW |
user32.dll | CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, CreateAcceleratorTableW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, ShowOwnedPopups, GetSystemMenu, GetScrollRange, SetScrollPos, GetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, GetClipboardData, SetClipboardData, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, DrawTextW, SetScrollRange, MonitorFromRect, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, RemovePropW, UpdateWindow, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, EmptyClipboard, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, BringWindowToTop, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, RemoveMenu, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, OpenClipboard, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CloseClipboard, DestroyCursor, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, CopyIcon, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, FindWindowW, DeleteMenu, GetKeyboardLayout |
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
oleaut32.dll | SysFreeString, VariantClear, VariantInit, GetErrorInfo, SysReAllocStringLen, SafeArrayCreate, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, VariantChangeType |
advapi32.dll | RegSetValueExW, RegConnectRegistryW, RegEnumKeyExW, RegLoadKeyW, GetUserNameW, RegDeleteKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, RegDeleteValueW, RegReplaceKeyW, RegFlushKey, RegQueryValueExW, RegEnumValueW, RegCloseKey, RegCreateKeyExW, RegRestoreKeyW |
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree |
kernel32.dll | GetFileType, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TlsAlloc, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetVersion, RaiseException, GlobalAddAtomW, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GetStartupInfoW, GlobalDeleteAtom, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, TlsFree, GetConsoleOutputCP, GetConsoleCP, lstrlenW, SetEndOfFile, QueryPerformanceCounter, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, GetLocaleInfoW, CreateFileW, EnumResourceNamesW, DeleteFileW, IsDBCSLeadByteEx, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, ExpandEnvironmentStringsA, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale |
SHFolder.dll | SHGetFolderPathW |
wsock32.dll | gethostbyaddr, WSACleanup, gethostbyname, bind, gethostname, closesocket, WSAGetLastError, connect, inet_addr, getpeername, WSAAsyncSelect, WSAAsyncGetServByName, WSACancelAsyncRequest, send, ntohs, htons, WSAStartup, getservbyname, getsockname, listen, socket, recv, inet_ntoa, ioctlsocket, WSAAsyncGetHostByName |
ole32.dll | IsEqualGUID, OleInitialize, CLSIDFromProgID, OleUninitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc |
iphlpapi.dll | GetAdaptersInfo |
gdi32.dll | Pie, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, RectVisible, AngleArc, SetAbortProc, SetTextColor, StretchBlt, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, PolyBezierTo, CreateICW, CreateDCW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, SetMapMode, CreateFontIndirectW, PolyBezier, EndDoc, GetObjectW, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, Rectangle, SaveDC, DeleteDC, FrameRgn, BitBlt, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, SetWinMetaFileBits, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries |
Name | Ordinal | Address |
---|---|---|
CheckPwd | 6 | 0x63e390 |
GetKey | 5 | 0x63eaf0 |
GetPwd | 4 | 0x63ec50 |
TMethodImplementationIntercept | 3 | 0x46bafc |
__dbk_fcall_wrapper | 2 | 0x4129a0 |
dbkFCallWrapperAddr | 1 | 0x657640 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 2, 2024 17:12:06.250624895 CEST | 53 | 64038 | 162.159.36.2 | 192.168.2.7 |
Oct 2, 2024 17:12:06.945024014 CEST | 55160 | 53 | 192.168.2.7 | 1.1.1.1 |
Oct 2, 2024 17:12:06.952516079 CEST | 53 | 55160 | 1.1.1.1 | 192.168.2.7 |
Oct 2, 2024 17:12:15.041474104 CEST | 51233 | 53 | 192.168.2.7 | 1.1.1.1 |
Oct 2, 2024 17:12:15.049247980 CEST | 53 | 51233 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 2, 2024 17:12:06.945024014 CEST | 192.168.2.7 | 1.1.1.1 | 0x86e1 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) | false |
Oct 2, 2024 17:12:15.041474104 CEST | 192.168.2.7 | 1.1.1.1 | 0xb121 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 2, 2024 17:12:06.952516079 CEST | 1.1.1.1 | 192.168.2.7 | 0x86e1 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) | false |
Oct 2, 2024 17:12:15.049247980 CEST | 1.1.1.1 | 192.168.2.7 | 0xb121 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 11:11:29 |
Start date: | 02/10/2024 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb80000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 1 |
Start time: | 11:11:29 |
Start date: | 02/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75da10000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 11:11:29 |
Start date: | 02/10/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x410000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 11:11:29 |
Start date: | 02/10/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x380000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 11:11:29 |
Start date: | 02/10/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x380000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 11:11:32 |
Start date: | 02/10/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x380000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 11:11:35 |
Start date: | 02/10/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe40000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |