Windows
Analysis Report
ZlucX8xpYB.dll
Overview
General Information
Sample name: | ZlucX8xpYB.dll (renamed because original name is a hash value) |
Original sample name: | f33f55bc2eeb3926459be0ee9dcb024f27e31b752a5dbb753c546ce46684503c.dll |
Analysis ID: | 1447643 |
MD5: | 36ae45161a9e2b60025b91fae42f1352 |
SHA1: | 8e0faf735dfbed33027803db4fbb99321b3a25fb |
SHA256: | f33f55bc2eeb3926459be0ee9dcb024f27e31b752a5dbb753c546ce46684503c |
Tags: | dllvenomrat |
Infos: | |
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 6808, cmdline: loaddll32.exe "C:\Users\user\Desktop\ZlucX8xpYB.dll", MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 3328, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4588, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZlucX8xpYB.dll",#1, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 4416, cmdline: rundll32.exe "C:\Users\user\Desktop\ZlucX8xpYB.dll",#1, MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | |
DarkTortilla | DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
| INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen | |
AV Detection |
---|
Source: | Virustotal: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: |
System Summary |
---|
Source: | Matched rule: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Virustotal: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Static PE information: |
Boot Survival |
---|
Source: | File source: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | File source: |
Source: | Binary or memory string: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: |
Source: | Thread delayed: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Process created: |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 22% | Virustotal | | |
| 100% | Joe Sandbox ML | | |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1447643 |
Start date and time: | 2024-05-26 09:53:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 58s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | ZlucX8xpYB.dll (renamed because original name is a hash value) |
Original Sample Name: | f33f55bc2eeb3926459be0ee9dcb024f27e31b752a5dbb753c546ce46684503c.dll |
Detection: | MAL |
Classification: | mal80.troj.evad.winDLL@6/0@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | Not all processes were analyzed; the report is missing behavior information |
Time | Type | Description |
---|---|---|
03:53:54 | API Interceptor | |
File type: | |
Entropy (8bit): | 5.118282097496742 |
TrID: | |
File name: | ZlucX8xpYB.dll |
File size: | 2'513'743 bytes |
MD5: | 36ae45161a9e2b60025b91fae42f1352 |
SHA1: | 8e0faf735dfbed33027803db4fbb99321b3a25fb |
SHA256: | f33f55bc2eeb3926459be0ee9dcb024f27e31b752a5dbb753c546ce46684503c |
SHA512: | b69b55d8e0b9e5ec85dee62c5a146362c7f735e3d1b85b13841357b9d9fd22c7aeff21b118965d12b906cde642b12c3cc339b7931672ee508774ea4988dff1ce |
SSDEEP: | 24576:BLYWtE02Ew7cnLt3t7tPEI2qasfsFQwusvB+jW8eydsvTj+pZBuZBDZBqZBp:B3dpsQwL8eK3A7I |
TLSH: | B3C56B0CEE69851CED3D43F0CCF506719773A689A9258B0F1BE411992BA224EBF935F1 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................!..P.................. ........... ... ..................O[&...........`................................ |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x1003f8be |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0xD3B90B0C [Fri Jul 24 11:52:44 2082 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 82d7ac56626e8ad4c66fc376101214b1 |
Instruction |
---|
add byte ptr [eax], al |
sub ah, byte ptr [ecx] |
pop es |
add byte ptr [eax], al |
add byte ptr [eax], al |
sub byte ptr [ebx], 00000021h |
pop es |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
jo 00007F9A24DAB23Fh |
cdq |
and dword ptr [eax], eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add ah, ah |
push esp |
retf |
cmp eax, 01D81D7Bh |
add eax, dword ptr [eax+eax] |
add byte ptr [eax], al |
add byte ptr [eax], al |
jo 00007F9A24DAB1F1h |
fstp tbyte ptr [ebp+00007FF8h] |
cld |
add al, 00h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax+ecx], dh |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
or dword ptr [eax], eax |
add byte ptr [eax], al |
or byte ptr [eax], al |
add byte ptr [eax], al |
xor eax, 05000000h |
add byte ptr [eax], al |
add byte ptr [edi], cl |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add al, bl |
mov cl, 9Ah |
and dword ptr [eax], eax |
add byte ptr [eax], al |
add byte ptr [eax-11h], dh |
fstp tbyte ptr [ebp+00007FF8h] |
xor al, 08h |
add byte ptr [eax], al |
cld |
add al, 00h |
add byte ptr [eax], cl |
add byte ptr [eax], al |
add byte ptr [ecx], cl |
add byte ptr [eax], al |
add byte ptr [08000000h], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax+3Dh], dh |
cdq |
and dword ptr [eax], eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [ecx-7Ch], cl |
aam 3Dh |
jnp 00007F9A24DAB21Fh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25eed8 | 0x4d40 | .reloc |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40000 | 0x388 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x42000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x3e000 | 0x3e000 | 15dabdb963da0d2216045d664b96cc35 | False | 0.22340836063508066 | data | 3.548432326683568 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x40000 | 0x2000 | 0x2000 | 11389f87ddb3f5620d6c6b5aa0726c77 | False | 0.2283935546875 | Matlab v4 mat-file (little endian) \370\177, numeric, rows 0, columns 563786200 | 2.819623851037314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x42000 | 0x223b4f | 0x223b4f | 5f672960c322e148227b3c6f32a6d442 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
gdi32.dll | CreateHatchBrush |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | CreateHardLinkTransactedA |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | Basep8BitStringToDynamicUnicodeString |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | RegEnumValueW |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
mscoree.dll | StrongNameErrorInfo |
mscoree.dll | StrongNameErrorInfo |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | BeginUpdateResourceA |
kernel32.dll | CreateHardLinkTransactedA |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | IsValidLocale |
kernel32.dll | IsValidLocale, TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | ConvertFiberToThread |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | GetMemoryErrorHandlingCapabilities |
kernel32.dll | BasepCopyEncryption |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | BuildCommDCBW |
kernel32.dll | CreateHardLinkTransactedA |
kernel32.dll | SetTimerQueueTimer |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | BeginUpdateResourceA |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
KERNELBASE.dll | DeleteTimerQueueEx |
KERNELBASE.dll | DeleteTimerQueueEx |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
mscoree.dll | ND_WI8 |
mscoree.dll | ND_WI8 |
kernel32.dll | SetLocaleInfoW |
gdi32.dll | GdiTrackHDelete |
gdi32.dll | GdiTrackHDelete |
gdi32.dll | GdiTrackHDelete |
gdi32.dll | GdiTrackHDelete |
kernel32.dll | GetMemoryErrorHandlingCapabilities |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | GetFullPathNameA |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | CreateWaitableTimerExW |
kernel32.dll | CreateWaitableTimerExW |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
advapi32.dll | AuditLookupCategoryIdFromCategoryGuid |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | BaseVerifyUnicodeString |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
mscoree.dll | GetHashFromAssemblyFileW |
mscoree.dll | GetHashFromAssemblyFileW |
mscoree.dll | GetHashFromBlob |
mscoree.dll | GetHashFromFile |
mscoree.dll | GetHashFromFile |
mscoree.dll | GetHashFromFile |
mscoree.dll | GetHashFromFile |
mscoree.dll | GetHashFromFile |
mscoree.dll | GetHashFromFile |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
mscoree.dll | GetHashFromFileW |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
mscoree.dll | StrongNameGetBlob |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
mscoree.dll | StrongNameKeyDelete |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
gdi32.dll | CreateHatchBrush |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | CreateHardLinkTransactedA |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | TermsrvSetValueKey |
mscoree.dll | StrongNameSignatureVerificationEx |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | Basep8BitStringToDynamicUnicodeString |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | RegEnumValueW |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | BeginUpdateResourceA |
kernel32.dll | CreateHardLinkTransactedA |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | IsValidLocale |
kernel32.dll | IsValidLocale, TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | TermsrvSetValueKey |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | ConvertFiberToThread |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | GetMemoryErrorHandlingCapabilities |
kernel32.dll | BasepCopyEncryption |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | BuildCommDCBW |
kernel32.dll | CreateHardLinkTransactedA |
kernel32.dll | SetTimerQueueTimer |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | BeginUpdateResourceA |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
KERNELBASE.dll | DeleteTimerQueueEx |
KERNELBASE.dll | DeleteTimerQueueEx |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
mscoree.dll | ND_WI8 |
mscoree.dll | ND_WI8 |
kernel32.dll | SetLocaleInfoW |
gdi32.dll | GdiTrackHDelete |
gdi32.dll | GdiTrackHDelete |
gdi32.dll | GdiTrackHDelete |
gdi32.dll | GdiTrackHDelete |
kernel32.dll | GetMemoryErrorHandlingCapabilities |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | GetFullPathNameA |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | CreateWaitableTimerExW |
kernel32.dll | CreateWaitableTimerExW |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
advapi32.dll | AuditLookupCategoryIdFromCategoryGuid |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
kernel32.dll | BaseVerifyUnicodeString |
kernel32.dll | SystemTimeToTzSpecificLocalTime |
mscoree.dll | StrongNameTokenFromAssembly |
mscoree.dll | StrongNameTokenFromAssembly |
mscoree.dll | StrongNameTokenFromAssembly |
Target ID: | 0 |
Start time: | 03:53:54 |
Start date: | 26/05/2024 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x460000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 1 |
Start time: | 03:53:54 |
Start date: | 26/05/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 03:53:54 |
Start date: | 26/05/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 03:53:54 |
Start date: | 26/05/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x560000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |