Edit tour
Windows
Analysis Report
EACore.dll
Overview
General Information
| Sample name: | EACore.dll |
| Analysis ID: | 1524375 |
| MD5: | 2554e4864294dc96a5b4548dd42c7189 |
| SHA1: | 8e3b3c600ab812537a84409adfc5169518862fd3 |
| SHA256: | b25c79ba507a256c9ca12a9bd34def6a33f9c087578c03d083d7863c708eca21 |
| Tags: | CeranaKeeperdlluser-JAMESWT_MHT |
| Infos: | |
 | |
Detection
| Score: | 56 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
loaddll32.exe (PID: 7472 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\EAC ore.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618) 
conhost.exe (PID: 7480 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7520 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\EAC ore.dll",# 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
rundll32.exe (PID: 7548 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7532 cmdline:
rundll32.e xe C:\User s\user\Des ktop\EACor e.dll,Agen tAdd MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7596 cmdline:
rundll32.e xe C:\User s\user\Des ktop\EACor e.dll,Agen tRemove MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7620 cmdline:
rundll32.e xe C:\User s\user\Des ktop\EACor e.dll,Agen tTaskAdd MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7644 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Ag entAdd MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7652 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Ag entRemove MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7660 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Ag entTaskAdd MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7668 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Vi ewSetConte ntFilters MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7684 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Us erLogout MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7692 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Us erLogin MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7712 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Us erIsLogged In MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7724 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Us erGetNames MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7736 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Us erGetEntit lements MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7748 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Us erEnumCont ent MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7760 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",St ateSetTag MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7772 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",St ateSetProp erty MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7784 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",St ateGet MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7836 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emUse MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7844 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emUnpackSt art MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7860 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emUnpackCa ncel MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7872 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emInstallS tartBatch MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7904 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emInstallS tart MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7916 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emGetStatu s MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7924 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emEnumPatc hes MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7932 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emDownload TogglePaus eState MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7940 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emDownload Start MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7948 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emDownload Cancel MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7960 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emDecryptS tart MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7972 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emDecryptC ancel MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 8000 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",It emClearCac he MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 8012 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Is Connected MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 8024 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Di sconnect MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 8040 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Co nnect3 MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 8052 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Co nnect MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 8060 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Co mmand MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 8124 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Ag entTaskSta tusSet MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 8136 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Ag entTaskSta tusGet MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 8164 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\EACo re.dll",Ag entTaskRem ove MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | DNS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 33_2_6E349A60 | |
| Source: | DNS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 33_2_6E343915 | |
| Source: | Code function: | 33_2_6E342E03 | |
| Source: | Code function: | 33_2_6E351E53 | |
| Source: | Code function: | 33_2_6E344EA2 | |
| Source: | Code function: | 33_2_6E342EF3 | |
| Source: | Code function: | 33_2_6E34E4D3 | |
| Source: | Code function: | 33_2_6E342F63 | |
| Source: | Code function: | 33_2_6E349585 | |
| Source: | Static PE information: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Decision node followed by non-executed suspicious API: | graph_33-6222 | ||
| Source: | API coverage: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_33-5453 | ||
| Source: | Code function: | 33_2_6E352F3A | |
| Source: | Code function: | 33_2_6E352F3A | |
| Source: | Code function: | 33_2_6E3527F0 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 33_2_6E353127 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 33_2_6E352BC6 | |
| Source: | Code function: | 33_2_6E349F20 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 21 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Rundll32 | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 22 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 39% | ReversingLabs | Win32.Trojan.Generic | ||
| 100% | Avira | TR/Agent.tcdnf |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| www.toptipvideo.com | unknown | unknown | false | unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1524375 |
| Start date and time: | 2024-10-02 18:24:26 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 10s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 42 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | EACore.dll |
| Detection: | MAL |
| Classification: | mal56.winDLL@80/0@35/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- VT rate limit hit for: EACore.dll
| Time | Type | Description |
|---|---|---|
| 12:25:28 | API Interceptor | |
| 12:25:34 | API Interceptor |
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.7858962988515925 |
| TrID: |
|
| File name: | EACore.dll |
| File size: | 90'624 bytes |
| MD5: | 2554e4864294dc96a5b4548dd42c7189 |
| SHA1: | 8e3b3c600ab812537a84409adfc5169518862fd3 |
| SHA256: | b25c79ba507a256c9ca12a9bd34def6a33f9c087578c03d083d7863c708eca21 |
| SHA512: | d8074bb68791560027d6e391110a36b6de604d6b73829bd1b1b89476f2e0a53398d6611129f3782a92b935115589763248fb90b6ba74ec5abb6d81dec3c12c1a |
| SSDEEP: | 1536:9gSxD3zFkkt0h0BJVSIKMDSiAJtaNQ2hyAr+u6IHnQz0SuRPeJPqHO4LyFffbGqS:9gSNxkka0BRKMDSiAJtChyAr+u6IHnQq |
| TLSH: | DB934C8676C3B0FBD38F40F5102AD22BA7256A309B101EF3E694DD7899A13C15971B7B |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...*..d...........!.....&...8......X+....................................................@.........................$O.......R..... |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x10012b58 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x10000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x64EEB12A [Wed Aug 30 03:02:02 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d7b40c7a58929630429c343781a071bd |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| cmp dword ptr [ebp+0Ch], 01h |
| jne 00007F13D4ABADF7h |
| call 00007F13D4ABAE0Ah |
| push dword ptr [ebp+10h] |
| push dword ptr [ebp+0Ch] |
| push dword ptr [ebp+08h] |
| call 00007F13D4ABACCEh |
| add esp, 0Ch |
| pop ebp |
| retn 000Ch |
| mov ecx, dword ptr [10017330h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007F13D4ABADF6h |
| test esi, ecx |
| jne 00007F13D4ABAE18h |
| call 00007F13D4ABAE21h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007F13D4ABADF9h |
| mov ecx, BB40E64Fh |
| jmp 00007F13D4ABAE00h |
| test esi, ecx |
| jne 00007F13D4ABADFCh |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [10017330h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [1001732Ch], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| and dword ptr [ebp-0Ch], 00000000h |
| lea eax, dword ptr [ebp-0Ch] |
| and dword ptr [ebp-08h], 00000000h |
| push eax |
| call dword ptr [10015540h] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [10015538h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [10015534h] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [10015560h] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| push 10017698h |
| call dword ptr [1001554Ch] |
| ret |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x14f24 | 0x386 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x152aa | 0xc8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0xe8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0x740 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x14e54 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x147d8 | 0xbc | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x15514 | 0x1a0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x12470 | 0x12600 | 9165d72b02e63e520899156da7d23d1f | False | 0.5031090561224489 | data | 6.9068504888777 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x14000 | 0x262c | 0x2800 | b90072950bf4f3684e5e89fb65cf945d | False | 0.34951171875 | data | 5.066255958576898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x17000 | 0x6ec | 0x400 | 0ade64011f16b75e4e262084d81defc4 | False | 0.2451171875 | data | 3.955903511120874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .00cfg | 0x18000 | 0x4 | 0x200 | 55b14440e19e0e31e878405a13dfbbf9 | False | 0.033203125 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x19000 | 0xe8 | 0x200 | d8d5560c7c0e8b679ab25180f1113416 | False | 0.306640625 | data | 2.344915704357875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1a000 | 0x740 | 0x800 | f2064fe2de19efe9376d521d83d87cbf | False | 0.775390625 | data | 6.016678031703543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x19060 | 0x87 | XML 1.0 document, ASCII text | English | United States | 0.8222222222222222 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CreateMutexA, CreateProcessW, DeleteCriticalSection, EnterCriticalSection, ExitProcess, GetComputerNameA, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetSystemTimeAsFileTime, GetVolumeInformationA, InitializeCriticalSection, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, LeaveCriticalSection, OpenMutexA, QueryPerformanceCounter, SetUnhandledExceptionFilter, Sleep, TerminateProcess, UnhandledExceptionFilter, WaitForSingleObject, lstrlenA |
| ADVAPI32.dll | GetUserNameA |
| MSVCP140.dll | ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ??0ios_base@std@@IAE@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ??1ios_base@std@@UAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?_Random_device@std@@YAIXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?_Xinvalid_argument@std@@YAXPBD@Z, ?_Xlength_error@std@@YAXPBD@Z, ?_Xout_of_range@std@@YAXPBD@Z, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?good@ios_base@std@@QBE_NXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?uncaught_exception@std@@YA_NXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z |
| WS2_32.dll | WSAStartup, closesocket, connect, gethostbyname, htons, inet_addr, inet_ntoa, recv, send, setsockopt, shutdown, socket |
| VCRUNTIME140.dll | _CxxThrowException, __CxxFrameHandler3, __std_exception_copy, __std_exception_destroy, __std_terminate, __std_type_info_destroy_list, _except_handler4_common, _purecall, memchr, memcmp, memcpy, memmove, memset |
| api-ms-win-crt-heap-l1-1-0.dll | _callnewh, free, malloc |
| api-ms-win-crt-runtime-l1-1-0.dll | _beginthread, _cexit, _configure_narrow_argv, _endthread, _errno, _execute_onexit_table, _initialize_narrow_environment, _initialize_onexit_table, _initterm, _initterm_e, _invalid_parameter_noinfo_noreturn, _seh_filter_dll |
| api-ms-win-crt-convert-l1-1-0.dll | strtol |
| api-ms-win-crt-string-l1-1-0.dll | strlen, wcslen |
| Name | Ordinal | Address |
|---|---|---|
| AgentAdd | 1 | 0x10001000 |
| AgentRemove | 2 | 0x10001000 |
| AgentTaskAdd | 3 | 0x10001000 |
| AgentTaskRemove | 4 | 0x10001000 |
| AgentTaskStatusGet | 5 | 0x10001000 |
| AgentTaskStatusSet | 6 | 0x10001000 |
| Command | 7 | 0x10001000 |
| Connect | 8 | 0x10001000 |
| Connect3 | 9 | 0x10001000 |
| Disconnect | 10 | 0x10001000 |
| IsConnected | 11 | 0x10001010 |
| ItemClearCache | 12 | 0x10001000 |
| ItemDecryptCancel | 13 | 0x10001000 |
| ItemDecryptStart | 14 | 0x10001000 |
| ItemDownloadCancel | 15 | 0x10001000 |
| ItemDownloadStart | 16 | 0x10001000 |
| ItemDownloadTogglePauseState | 17 | 0x10001000 |
| ItemEnumPatches | 18 | 0x10001000 |
| ItemGetStatus | 19 | 0x10001000 |
| ItemInstallStart | 20 | 0x10001000 |
| ItemInstallStartBatch | 21 | 0x10001000 |
| ItemUnpackCancel | 22 | 0x10001000 |
| ItemUnpackStart | 23 | 0x10001000 |
| ItemUse | 24 | 0x10001000 |
| StateGet | 25 | 0x10001000 |
| StateSetProperty | 26 | 0x10001000 |
| StateSetTag | 27 | 0x10001000 |
| UserEnumContent | 28 | 0x10001000 |
| UserGetEntitlements | 29 | 0x10001000 |
| UserGetNames | 30 | 0x10001000 |
| UserIsLoggedIn | 31 | 0x10001000 |
| UserLogin | 32 | 0x10001000 |
| UserLogout | 33 | 0x10001000 |
| ViewSetContentFilters | 34 | 0x10001000 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 2, 2024 18:25:29.308029890 CEST | 64297 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:25:29.321520090 CEST | 53 | 64297 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:25:35.491889000 CEST | 52067 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:25:35.502222061 CEST | 53 | 52067 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:25:41.648597956 CEST | 51037 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:25:41.659759998 CEST | 53 | 51037 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:25:47.804610968 CEST | 65327 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:25:47.822385073 CEST | 53 | 65327 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:25:53.977952003 CEST | 53236 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:25:53.990899086 CEST | 53 | 53236 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:26:00.172275066 CEST | 49524 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:00.202981949 CEST | 53 | 49524 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:26:04.226437092 CEST | 52108 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:04.342066050 CEST | 53 | 52108 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:26:10.492182970 CEST | 54794 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:10.502648115 CEST | 53 | 54794 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:26:16.648518085 CEST | 59636 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:17.039787054 CEST | 53 | 59636 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:26:23.195262909 CEST | 56951 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:24.211215973 CEST | 56951 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:25.210892916 CEST | 56951 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:27.231678009 CEST | 56951 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:31.226234913 CEST | 56951 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:35.243419886 CEST | 55369 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:36.257520914 CEST | 55369 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:36.361794949 CEST | 53 | 55369 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:26:37.368302107 CEST | 58159 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:38.382728100 CEST | 58159 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:39.398127079 CEST | 58159 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:41.413738012 CEST | 58159 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:45.429389000 CEST | 58159 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:49.430061102 CEST | 52683 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:50.445240021 CEST | 52683 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:51.445679903 CEST | 52683 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:53.445229053 CEST | 52683 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:53.670322895 CEST | 53 | 52683 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:26:57.804871082 CEST | 56073 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:58.804619074 CEST | 56073 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:26:59.804692984 CEST | 56073 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:27:01.804570913 CEST | 56073 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:27:05.820949078 CEST | 56073 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:27:09.836880922 CEST | 63904 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:27:10.836477995 CEST | 63904 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:27:11.852399111 CEST | 63904 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:27:11.910135031 CEST | 53 | 63904 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:27:18.056669950 CEST | 63941 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:27:18.123241901 CEST | 53 | 63941 | 1.1.1.1 | 192.168.2.4 |
| Oct 2, 2024 18:27:22.259082079 CEST | 56838 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 2, 2024 18:27:22.290612936 CEST | 53 | 56838 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 2, 2024 18:25:29.308029890 CEST | 192.168.2.4 | 1.1.1.1 | 0xa2f7 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:25:35.491889000 CEST | 192.168.2.4 | 1.1.1.1 | 0xacc5 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:25:41.648597956 CEST | 192.168.2.4 | 1.1.1.1 | 0x9cd1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:25:47.804610968 CEST | 192.168.2.4 | 1.1.1.1 | 0x91d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:25:53.977952003 CEST | 192.168.2.4 | 1.1.1.1 | 0xada6 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:00.172275066 CEST | 192.168.2.4 | 1.1.1.1 | 0xacea | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:04.226437092 CEST | 192.168.2.4 | 1.1.1.1 | 0xe08d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:10.492182970 CEST | 192.168.2.4 | 1.1.1.1 | 0x16ed | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:16.648518085 CEST | 192.168.2.4 | 1.1.1.1 | 0x3878 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:23.195262909 CEST | 192.168.2.4 | 1.1.1.1 | 0x1779 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:24.211215973 CEST | 192.168.2.4 | 1.1.1.1 | 0x1779 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:25.210892916 CEST | 192.168.2.4 | 1.1.1.1 | 0x1779 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:27.231678009 CEST | 192.168.2.4 | 1.1.1.1 | 0x1779 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:31.226234913 CEST | 192.168.2.4 | 1.1.1.1 | 0x1779 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:35.243419886 CEST | 192.168.2.4 | 1.1.1.1 | 0x5cbf | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:36.257520914 CEST | 192.168.2.4 | 1.1.1.1 | 0x5cbf | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:37.368302107 CEST | 192.168.2.4 | 1.1.1.1 | 0xd52e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:38.382728100 CEST | 192.168.2.4 | 1.1.1.1 | 0xd52e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:39.398127079 CEST | 192.168.2.4 | 1.1.1.1 | 0xd52e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:41.413738012 CEST | 192.168.2.4 | 1.1.1.1 | 0xd52e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:45.429389000 CEST | 192.168.2.4 | 1.1.1.1 | 0xd52e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:49.430061102 CEST | 192.168.2.4 | 1.1.1.1 | 0xd9ff | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:50.445240021 CEST | 192.168.2.4 | 1.1.1.1 | 0xd9ff | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:51.445679903 CEST | 192.168.2.4 | 1.1.1.1 | 0xd9ff | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:53.445229053 CEST | 192.168.2.4 | 1.1.1.1 | 0xd9ff | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:57.804871082 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c58 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:58.804619074 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c58 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:59.804692984 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c58 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:27:01.804570913 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c58 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:27:05.820949078 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c58 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:27:09.836880922 CEST | 192.168.2.4 | 1.1.1.1 | 0x6bde | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:27:10.836477995 CEST | 192.168.2.4 | 1.1.1.1 | 0x6bde | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:27:11.852399111 CEST | 192.168.2.4 | 1.1.1.1 | 0x6bde | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:27:18.056669950 CEST | 192.168.2.4 | 1.1.1.1 | 0x4808 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:27:22.259082079 CEST | 192.168.2.4 | 1.1.1.1 | 0x7ddb | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 2, 2024 18:25:29.321520090 CEST | 1.1.1.1 | 192.168.2.4 | 0xa2f7 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:25:35.502222061 CEST | 1.1.1.1 | 192.168.2.4 | 0xacc5 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:25:41.659759998 CEST | 1.1.1.1 | 192.168.2.4 | 0x9cd1 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:25:47.822385073 CEST | 1.1.1.1 | 192.168.2.4 | 0x91d | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:25:53.990899086 CEST | 1.1.1.1 | 192.168.2.4 | 0xada6 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:00.202981949 CEST | 1.1.1.1 | 192.168.2.4 | 0xacea | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:04.342066050 CEST | 1.1.1.1 | 192.168.2.4 | 0xe08d | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:10.502648115 CEST | 1.1.1.1 | 192.168.2.4 | 0x16ed | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:17.039787054 CEST | 1.1.1.1 | 192.168.2.4 | 0x3878 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:36.361794949 CEST | 1.1.1.1 | 192.168.2.4 | 0x5cbf | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:26:53.670322895 CEST | 1.1.1.1 | 192.168.2.4 | 0xd9ff | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:27:11.910135031 CEST | 1.1.1.1 | 192.168.2.4 | 0x6bde | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:27:18.123241901 CEST | 1.1.1.1 | 192.168.2.4 | 0x4808 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 2, 2024 18:27:22.290612936 CEST | 1.1.1.1 | 192.168.2.4 | 0x7ddb | Name error (3) | none | none | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 12:25:17 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x340000 |
| File size: | 126'464 bytes |
| MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 12:25:17 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 12:25:17 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 12:25:17 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 12:25:17 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 12:25:20 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 12:25:23 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 12:25:26 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 12:25:26 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 12:25:26 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 12:25:26 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 12:25:26 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 12:25:26 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 18 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 20 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 21 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 22 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 23 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 24 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 25 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 26 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 27 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 28 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 29 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 30 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 31 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 32 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 33 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 34 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 35 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 36 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 37 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 38 |
| Start time: | 12:25:27 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 39 |
| Start time: | 12:25:28 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 40 |
| Start time: | 12:25:28 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x690000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 2.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 2% |
| Total number of Nodes: | 840 |
| Total number of Limit Nodes: | 5 |
Graph
Function 6E349F20 Relevance: 3.0, APIs: 2, Instructions: 40stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E3525CA Relevance: 9.1, APIs: 6, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E3410D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80synchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E349680 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E341010 Relevance: 3.0, APIs: 2, Instructions: 3COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E3497C0 Relevance: 1.5, APIs: 1, Instructions: 46networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E343910 Relevance: 1.3, APIs: 1, Instructions: 60sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E349A60 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E349930 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 81networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E348E60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E34D9E0 Relevance: 9.2, APIs: 6, Instructions: 153stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E347810 Relevance: 8.0, APIs: 5, Instructions: 475stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E349FB0 Relevance: 7.7, APIs: 5, Instructions: 234COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E352190 Relevance: 7.6, APIs: 5, Instructions: 136COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E344020 Relevance: 6.4, APIs: 5, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E34DC40 Relevance: 6.0, APIs: 4, Instructions: 32COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E3523C0 Relevance: 6.0, APIs: 4, Instructions: 32COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|