Edit tour
Windows
Analysis Report
SecuriteInfo.com.Trojan.Win32.Generic.21737.11159.dll
Overview
General Information
| Sample name: | SecuriteInfo.com.Trojan.Win32.Generic.21737.11159.dllrenamed because original name is a hash value |
| Original sample name: | SecuriteInfo.com.Trojan.Win32.Generic.21737.11159.exe |
| Analysis ID: | 1377997 |
| MD5: | 283d9c455484f4da798129bbaf90c08e |
| SHA1: | cc55e2a017281e57a3dfa61712cba0c6fcef33ae |
| SHA256: | c071c27f628642437d24ef678ccfa72fe5b59972ade357851a16b58b68725c78 |
| Tags: | exe |
| Infos: | |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Classification
- System is w10x64
loaddll64.exe (PID: 5608 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\Sec uriteInfo. com.Trojan .Win32.Gen eric.21737 .11159.dll " MD5: 763455F9DCB24DFEECC2B9D9F8D46D52) 
conhost.exe (PID: 5712 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6804 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\Sec uriteInfo. com.Trojan .Win32.Gen eric.21737 .11159.dll ",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
rundll32.exe (PID: 4220 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\Secu riteInfo.c om.Trojan. Win32.Gene ric.21737. 11159.dll" ,#1 MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Virustotal: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Last function: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Process created: | Jump to behavior | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 11 Virtualization/Sandbox Evasion | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Abuse Accessibility Features | Acquire Infrastructure | Gather Victim Identity Information |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Virtualization/Sandbox Evasion | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials |
| Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Data Encrypted for Impact | DNS Server | Email Addresses |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 11% | ReversingLabs | |||
| 12% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 38.0.0 Ammolite |
| Analysis ID: | 1377997 |
| Start date and time: | 2024-01-20 16:27:41 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 59s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Trojan.Win32.Generic.21737.11159.dllrenamed because original name is a hash value |
| Original Sample Name: | SecuriteInfo.com.Trojan.Win32.Generic.21737.11159.exe |
| Detection: | MAL |
| Classification: | mal48.winDLL@6/0@0/0 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe, WM IADAP.exe, SIHClient.exe - Excluded domains from analysis
(whitelisted): ocsp.digicert. com, slscr.update.microsoft.co m, ctldl.windowsupdate.com, fe 3cr.delivery.mp.microsoft.com - Not all processes where analyz
ed, report is missing behavior information
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.506776934978276 |
| TrID: |
|
| File name: | SecuriteInfo.com.Trojan.Win32.Generic.21737.11159.dll |
| File size: | 504'320 bytes |
| MD5: | 283d9c455484f4da798129bbaf90c08e |
| SHA1: | cc55e2a017281e57a3dfa61712cba0c6fcef33ae |
| SHA256: | c071c27f628642437d24ef678ccfa72fe5b59972ade357851a16b58b68725c78 |
| SHA512: | 40b9da72f8c2a8486822d33c69fd8c178b38e75c1ee68b42c3f1a9a1b072c63476f96b50204b7bf0be320216eb57b55459ecd4edfdbbb91341341b6cdce978e7 |
| SSDEEP: | 12288:EHbJ9gB/fN1YNMmvQGvyLsbbkCnODa8xa:4gB/fYhQJs0CnOu8Q |
| TLSH: | 6CB48D86B5A440F9D4B7903C569BAB07F67634490310D7CB33E8A9382FA77E46E7A350 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............O...O...O..JO...O...N...O...N...O...N...O...N...O...N...O...N...O...O0..O.".N...O."&O...O.".N...ORich...O............... |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x18005867c |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x180000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x65A01106 [Thu Jan 11 16:02:14 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d2b9cb530f587f7d88b38c1e87589631 |
| Instruction |
|---|
| dec eax |
| mov dword ptr [esp+08h], ebx |
| dec eax |
| mov dword ptr [esp+10h], esi |
| push edi |
| dec eax |
| sub esp, 20h |
| dec ecx |
| mov edi, eax |
| mov ebx, edx |
| dec eax |
| mov esi, ecx |
| cmp edx, 01h |
| jne 00007F5214D2EC77h |
| call 00007F5214D2F064h |
| dec esp |
| mov eax, edi |
| mov edx, ebx |
| dec eax |
| mov ecx, esi |
| dec eax |
| mov ebx, dword ptr [esp+30h] |
| dec eax |
| mov esi, dword ptr [esp+38h] |
| dec eax |
| add esp, 20h |
| pop edi |
| jmp 00007F5214D2EB04h |
| int3 |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| dec ebp |
| mov eax, dword ptr [ecx+38h] |
| dec eax |
| mov ecx, edx |
| dec ecx |
| mov edx, ecx |
| call 00007F5214D2EC82h |
| mov eax, 00000001h |
| dec eax |
| add esp, 28h |
| ret |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| inc ebp |
| mov ebx, dword ptr [eax] |
| dec eax |
| mov ebx, edx |
| inc ecx |
| and ebx, FFFFFFF8h |
| dec esp |
| mov ecx, ecx |
| inc ecx |
| test byte ptr [eax], 00000004h |
| dec esp |
| mov edx, ecx |
| je 00007F5214D2EC85h |
| inc ecx |
| mov eax, dword ptr [eax+08h] |
| dec ebp |
| arpl word ptr [eax+04h], dx |
| neg eax |
| dec esp |
| add edx, ecx |
| dec eax |
| arpl ax, cx |
| dec esp |
| and edx, ecx |
| dec ecx |
| arpl bx, ax |
| dec edx |
| mov edx, dword ptr [eax+edx] |
| dec eax |
| mov eax, dword ptr [ebx+10h] |
| mov ecx, dword ptr [eax+08h] |
| dec eax |
| mov eax, dword ptr [ebx+08h] |
| test byte ptr [ecx+eax+03h], 0000000Fh |
| je 00007F5214D2EC7Dh |
| movzx eax, byte ptr [ecx+eax+03h] |
| and eax, FFFFFFF0h |
| dec esp |
| add ecx, eax |
| dec esp |
| xor ecx, edx |
| dec ecx |
| mov ecx, ecx |
| pop ebx |
| jmp 00007F5214D2E0BEh |
| int3 |
| dec eax |
| mov dword ptr [esp+10h], ebx |
| dec eax |
| mov dword ptr [esp+18h], esi |
| push edi |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6f758 | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7f000 | 0xf8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x76000 | 0x42e4 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x80000 | 0x7fc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x657b0 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x65880 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x65670 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x5b000 | 0x650 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x59f8b | 0x5a000 | False | 0.5234483506944444 | data | 6.442755894983273 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x5b000 | 0x1640a | 0x16600 | False | 0.46297791550279327 | data | 5.919007052450304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x72000 | 0x3ce0 | 0x3600 | False | 0.09483506944444445 | data | 5.051328710511333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x76000 | 0x42e4 | 0x4400 | False | 0.4649011948529412 | data | 5.766772325875717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .detourc | 0x7b000 | 0x21f0 | 0x2200 | False | 0.046875 | data | 2.2861063689710943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .detourd | 0x7e000 | 0x18 | 0x200 | False | 0.037109375 | data | 0.11611507530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x7f000 | 0xf8 | 0x200 | False | 0.3359375 | data | 2.5312981004807127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x80000 | 0x7fc | 0x800 | False | 0.5068359375 | data | 5.3526877041417125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x7f060 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GlobalAlloc, GlobalFree, GlobalLock, WideCharToMultiByte, GlobalUnlock, VirtualProtect, InitializeCriticalSectionEx, GetLastError, GetCurrentThread, DeleteCriticalSection, GetModuleFileNameA, MultiByteToWideChar, RaiseException, QueryPerformanceCounter, GetCurrentProcess, K32GetModuleInformation, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, GetProcAddress, CloseHandle, LoadLibraryA, CreateEventW, GetModuleHandleA, QueryPerformanceFrequency, WaitForSingleObject, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, SetLastError, VirtualQuery, VirtualFree, VirtualAlloc, FlushInstructionCache, SetThreadContext, GetThreadContext, ResumeThread, SuspendThread, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, LocalFree, FormatMessageA, GetLocaleInfoEx, CreateFileW, FindClose, FindFirstFileW, GetFileAttributesExW, AreFileApisANSI, GetFileInformationByHandleEx |
| USER32.dll | GetClientRect, SetClipboardData, GetClipboardData, EmptyClipboard, CloseClipboard, OpenClipboard |
| D3DCOMPILER_47.dll | D3DCompile |
| IMM32.dll | ImmSetCandidateWindow, ImmSetCompositionWindow, ImmReleaseContext, ImmGetContext |
| MSVCP140.dll | ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?_Syserror_map@std@@YAPEBDH@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Xout_of_range@std@@YAXPEBD@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?_Winerror_map@std@@YAHH@Z, ?_Xbad_function_call@std@@YAXXZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z |
| api-ms-win-core-winrt-l1-1-0.dll | RoInitialize, RoGetActivationFactory |
| api-ms-win-core-winrt-string-l1-1-0.dll | WindowsGetStringRawBuffer, WindowsCreateStringReference, WindowsDeleteString |
| VCRUNTIME140_1.dll | __CxxFrameHandler4 |
| VCRUNTIME140.dll | memchr, memcmp, __std_terminate, memmove, __std_type_info_destroy_list, _CxxThrowException, __current_exception_context, __current_exception, __C_specific_handler, memset, memcpy, __std_exception_copy, __std_exception_destroy, _purecall, strstr |
| api-ms-win-crt-stdio-l1-1-0.dll | ftell, fclose, _get_stream_buffer_pointers, __acrt_iob_func, fsetpos, ungetc, setvbuf, fgetpos, _fseeki64, fgetc, fputc, fflush, __stdio_common_vfprintf, fwrite, __stdio_common_vsscanf, fread, __stdio_common_vsprintf, _wfopen, fseek |
| api-ms-win-crt-utility-l1-1-0.dll | qsort |
| api-ms-win-crt-string-l1-1-0.dll | strncmp, strcmp |
| api-ms-win-crt-heap-l1-1-0.dll | free, _callnewh, malloc |
| api-ms-win-crt-convert-l1-1-0.dll | wcstombs_s, strtoul, strtod, strtoll, strtoull |
| api-ms-win-crt-runtime-l1-1-0.dll | _errno, terminate, _seh_filter_dll, _configure_narrow_argv, _initterm_e, _initterm, _cexit, _crt_atexit, _execute_onexit_table, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _invalid_parameter_noinfo_noreturn |
| api-ms-win-crt-math-l1-1-0.dll | acosf, sqrtf, ceilf, cosf, floorf, sinf, _dsign, _dclass |
| api-ms-win-crt-filesystem-l1-1-0.dll | _unlock_file, _lock_file |
| api-ms-win-crt-locale-l1-1-0.dll | setlocale, localeconv, ___lc_codepage_func |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 16:28:26 |
| Start date: | 20/01/2024 |
| Path: | C:\Windows\System32\loaddll64.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6be130000 |
| File size: | 165'888 bytes |
| MD5 hash: | 763455F9DCB24DFEECC2B9D9F8D46D52 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 16:28:26 |
| Start date: | 20/01/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 16:28:26 |
| Start date: | 20/01/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff717520000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 16:28:27 |
| Start date: | 20/01/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6c3bb0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
⊘No disassembly
