
Windows Analysis Report
svcmsi_32.dll.dll

Overview

General Information

Sample name: svcmsi_32.dll.dll (renamed file extension from exe to dll)
Original sample name: svcmsi_32.dll.exe
Analysis ID: 1446224
MD5: a297976b28412278a000392bc670cc16
SHA1: 7b9bcde6a509566214169056190330a7b7ea4598
SHA256: 2e0871af9cc539acb513e8afc795c2dab01febd688f2754c6a551485184070dc
Tags: apt, Duqu2, exe, HUN

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Yara signature match

Classification

  • System is w10x64
  • loaddll64.exe (PID: 2128 cmdline: loaddll64.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 3968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6312 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7016 cmdline: rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7052 cmdline: rundll32.exe C:\Users\user\Desktop\svcmsi_32.dll.dll,StartAction MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5292 cmdline: rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",StartAction MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
svcmsi_32.dll.dll | Duqu2_Sample1 | Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi) | Florian Roth
  • 0x3a30:$x1: SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'
  • 0x3bf2:$s2: MSI.dll
svcmsi_32.dll.dll | apt_duqu2_loaders | Rule to detect Duqu 2.0 samples | unknown
  • 0x3a30:$a8: SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'
  • 0x3bf2:$b1: MSI.dll
  • 0x3d30:$b2: msi.dll
  • 0x3bfa:$b3: StartAction
svcmsi_32.dll.dll | APT_Kaspersky_Duqu2_procexp | Kaspersky APT Report - Duqu2 Sample - Malicious MSI | Florian Roth
  • 0x4558:$x1: svcmsi_32.dll
  • 0x3bf2:$x4: MSI.dll
  • 0x3a30:$s1: SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'
  • 0x4410:$s2: Sysinternals installer
  • 0x43a2:$s3: Process Explorer
  • 0x4594:$s3: Process Explorer
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: svcmsi_32.dll.dll | Avira: detected
Source: svcmsi_32.dll.dll | ReversingLabs: Detection: 84%
Source: svcmsi_32.dll.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

System Summary

Source: svcmsi_32.dll.dll, type: SAMPLE | Matched rule: Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi) Author: Florian Roth
Source: svcmsi_32.dll.dll, type: SAMPLE | Matched rule: Rule to detect Duqu 2.0 samples Author: unknown
Source: svcmsi_32.dll.dll, type: SAMPLE | Matched rule: Kaspersky APT Report - Duqu2 Sample - Malicious MSI Author: Florian Roth
Source: svcmsi_32.dll.dll | Binary or memory string: OriginalFilenamesvcmsi_32.dllB vs svcmsi_32.dll.dll
Source: svcmsi_32.dll.dll, type: SAMPLE | Matched rule: Duqu2_Sample1 date = 2016-07-02, hash4 = 5559fcc93eef38a1c22db66a3e0f9e9f026c99e741cc8b1a4980d166f2696188, hash3 = 2796a119171328e91648a73d95eb297edc220e8768f4bbba5fb7237122a988fc, hash2 = 8e97c371633d285cd8fc842f4582705052a9409149ee67d97de545030787a192, author = Florian Roth, description = Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi), score = 6b146e3a59025d7085127b552494e8aaf76450a19c249bfed0b4c09f328e564f, reference = https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: svcmsi_32.dll.dll, type: SAMPLE | Matched rule: apt_duqu2_loaders copyright = Kaspersky Lab, description = Rule to detect Duqu 2.0 samples, version = 1.0, last_modified = 2015-06-09
Source: svcmsi_32.dll.dll, type: SAMPLE | Matched rule: APT_Kaspersky_Duqu2_procexp date = 2015-06-10, hash3 = 288ebfe21a71f83b5575dfcc92242579fb13910d, hash2 = b120620b5d82b05fee2c2153ceaf305807fa9f79, hash1 = 2422835716066b6bcecb045ddd4f1fbc9486667a, author = Florian Roth, description = Kaspersky APT Report - Duqu2 Sample - Malicious MSI, reference = https://goo.gl/7yKyOj
Source: classification engine | Classification label: mal64.winDLL@10/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3968:120:WilError_03
Source: svcmsi_32.dll.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\svcmsi_32.dll.dll,StartAction
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",StartAction
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: msi.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
Source: svcmsi_32.dll.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 1596 | Thread sleep time: -120000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
MITRE ATT&CK Matrix (techniques listed per tactic, in the order of the original matrix rows)
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook
Defense Evasion: 1 Rundll32, 11 Virtualization/Sandbox Evasion, 11 Process Injection, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: 11 Virtualization/Sandbox Evasion, 1 System Information Discovery, Query Registry, System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1446224, Sample: svcmsi_32.dll.exe, Startdate: 23/05/2024, Architecture: WINDOWS, Score: 64)
  • Start -> signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
  • Start -> loaddll64.exe started
  • loaddll64.exe -> cmd.exe, rundll32.exe, conhost.exe, rundll32.exe started
  • cmd.exe -> rundll32.exe started

Source | Detection | Scanner | Label
svcmsi_32.dll.dll | 84% | ReversingLabs | Win64.Trojan.Duqu
svcmsi_32.dll.dll | 100% | Avira | TR/Duqu.fbqvj
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446224
Start date and time: 2024-05-23 01:12:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: svcmsi_32.dll.dll (renamed file extension from exe to dll)
Original Sample Name: svcmsi_32.dll.exe
Detection: MAL
Classification: mal64.winDLL@10/0@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: svcmsi_32.dll.dll
Time | Type | Description
19:12:54 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
No context
No created / dropped files found
File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit): 1.9440373449324344
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name: svcmsi_32.dll.dll
File size: 65'536 bytes
MD5: a297976b28412278a000392bc670cc16
SHA1: 7b9bcde6a509566214169056190330a7b7ea4598
SHA256: 2e0871af9cc539acb513e8afc795c2dab01febd688f2754c6a551485184070dc
SHA512: 3c07ef9dd9d6e6117d63e2d46e38675fe0c6b57accd6481a0945541617bda1ac9f075fac68a5ac0659ac1eb15f62476b51bd605a7fa0ca195cede18ebf721429
SSDEEP: 384:qftfsIczWxxdJHmgDVvkpzF4YuygFc51u8:qtf6zWxxdpZFrY9B4
TLSH: E05385C1EAAB50F4D4F6E779A62A531BF6BD7805DB774F468710401A0EB6B30882C3D9
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F...............m.(.....%2................................b.......^.......Y.......\.....Rich............................PE..d..
Icon Hash: 7ae282899bbab082
Entrypoint: 0x1800012d8
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x180000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x40144D5F [Sun Jan 25 23:12:31 2004 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: 648f2e0978686ef5cec5d47a5fb7fd2b
Entrypoint Preview (Instruction)
inc esp
mov dword ptr [esp+18h], eax
mov dword ptr [esp+10h], edx
dec eax
mov dword ptr [esp+08h], ecx
mov eax, 00000001h
ret
dec esp
mov dword ptr [esp+20h], ecx
dec esp
mov dword ptr [esp+18h], eax
mov dword ptr [esp+10h], edx
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 48h
xor edx, edx
dec eax
mov eax, dword ptr [esp+60h]
mov ecx, 00000010h
dec eax
div ecx
dec eax
mov eax, edx
dec eax
test eax, eax
je 00007F95652144CCh
mov eax, FFFFFFDAh
jmp 00007F956521464Ch
cmp dword ptr [esp+58h], 00000000h
jne 00007F9565214590h
dec eax
cmp dword ptr [esp+60h], 00000000h
jbe 00007F956521457Fh
inc ecx
mov eax, 00000010h
dec eax
mov edx, dword ptr [esp+70h]
dec eax
lea ecx, dword ptr [esp+28h]
call 00007F9565216D8Dh
dec esp
mov ecx, dword ptr [esp+78h]
dec esp
mov eax, dword ptr [esp+70h]
mov edx, dword ptr [esp+58h]
dec eax
mov ecx, dword ptr [esp+50h]
call 00007F956521460Dh
mov dword ptr [esp+20h], 00000000h
jmp 00007F95652144CCh
mov eax, dword ptr [esp+20h]
inc eax
mov dword ptr [esp+20h], eax
cmp dword ptr [esp+20h], 10h
jnl 00007F95652144EFh
dec eax
arpl word ptr [esp+20h], ax
dec eax
mov ecx, dword ptr [esp+78h]
movzx eax, byte ptr [ecx+eax]
dec eax
arpl word ptr [esp+20h], cx
dec eax
mov edx, dword ptr [esp+68h]
movzx ecx, byte ptr [edx+ecx]
Programming Language:
  • [ C ] VS2010 build 30319
  • [ASM] VS2005 build 50727
  • [ C ] VS2008 build 21022
  • [IMP] VS2008 SP1 build 30729
  • [ C ] VS2013 build 21005
  • [EXP] VS2013 build 21005
  • [RES] VS2013 build 21005
  • [LNK] VS2013 build 21005
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x47c0 | 0x46 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4808 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7000 | 0x430 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6000 | 0xb4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2efb | 0x3000 | f70837d008acccedb715744cda03f198 | False | 0.3063151041666667 | data | 5.367657343069401 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0xa14 | 0xc00 | 9e12fb98c5e0c1751ff3cb45e08da635 | False | 0.5983072916666666 | data | 5.465144271877469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6000 | 0xb4 | 0x200 | 964efa7201b0489a0107504b52944022 | False | 0.26171875 | data | 1.533357050320643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x7000 | 0x430 | 0x600 | adb7129aeb60f41d8fcb6a51c195ce90 | False | 0.2903645833333333 | data | 2.481002905363128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x7060 | 0x3cc | data | English | United States | 0.4218106995884774
DLL | Import
msi.dll | (none listed)
KERNEL32.dll | RtlUnwindEx, CloseHandle, WaitForSingleObject, SetLastError, TerminateThread, CreateThread, VirtualProtect, VirtualAlloc, VirtualFree
USER32.dll | wsprintfW
ADVAPI32.dll | RegQueryValueExW
Name | Ordinal | Address
StartAction | 1 | 0x180001234
Language of compilation system | Country where language is spoken
English | United States
No network behavior found


Target ID: 0
Start time: 19:12:51
Start date: 22/05/2024
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll"
Imagebase: 0x7ff7c9500000
File size: 165'888 bytes
MD5 hash: 763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 19:12:51
Start date: 22/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 19:12:51
Start date: 22/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1
Imagebase: 0x7ff77db70000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 19:12:51
Start date: 22/05/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\svcmsi_32.dll.dll,StartAction
Imagebase: 0x7ff788880000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 19:12:51
Start date: 22/05/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",#1
Imagebase: 0x7ff788880000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 19:12:54
Start date: 22/05/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\svcmsi_32.dll.dll",StartAction
Imagebase: 0x7ff788880000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

No disassembly