Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
diaoyu.dll.dll

Overview

General Information

Sample name:diaoyu.dll.dll
(renamed file extension from exe to dll)
Original sample name:diaoyu.dll.exe
Analysis ID:1467152
MD5:58756f1c3fbac3f9a951ca8ca42e84f4
SHA1:57f6ea4fc934b743279eeacd08ccf0220a776be3
SHA256:68be640f730963cae039a3877d462931e6e92a4e03797788d08589b8bae4f43e
Tags:dllexe
Infos:

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 7308 cmdline: loaddll64.exe "C:\Users\user\Desktop\diaoyu.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7360 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7384 cmdline: rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7368 cmdline: rundll32.exe C:\Users\user\Desktop\diaoyu.dll.dll,VMProtectSDK32 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7448 cmdline: rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",VMProtectSDK32 MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: diaoyu.dll.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: E:\dome\VS2022\LostKR\LostKr\x64\Release\LostKr.pdb%% source: diaoyu.dll.dll
Source: Binary string: E:\dome\VS2022\LostKR\LostKr\x64\Release\LostKr.pdb source: diaoyu.dll.dll
Source: classification engineClassification label: clean2.winDLL@10/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: diaoyu.dll.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\diaoyu.dll.dll,VMProtectSDK32
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\diaoyu.dll.dll"
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\diaoyu.dll.dll,VMProtectSDK32
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",VMProtectSDK32
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\diaoyu.dll.dll,VMProtectSDK32Jump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",VMProtectSDK32Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: diaoyu.dll.dllStatic PE information: Image base 0x180000000 > 0x60000000
Source: diaoyu.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: diaoyu.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: diaoyu.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: diaoyu.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: diaoyu.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: diaoyu.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: diaoyu.dll.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: diaoyu.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\dome\VS2022\LostKR\LostKr\x64\Release\LostKr.pdb%% source: diaoyu.dll.dll
Source: Binary string: E:\dome\VS2022\LostKR\LostKr\x64\Release\LostKr.pdb source: diaoyu.dll.dll
Source: diaoyu.dll.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: diaoyu.dll.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: diaoyu.dll.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: diaoyu.dll.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: diaoyu.dll.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\loaddll64.exe TID: 7312Thread sleep time: -120000s >= -30000sJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll64.exeThread delayed: delay time: 120000Jump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",#1Jump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		11
Process Injection		1
Rundll32		OS Credential Dumping11
Virtualization/Sandbox Evasion		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		11
Virtualization/Sandbox Evasion		LSASS Memory1
System Information Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1467152 Sample: diaoyu.dll.exe Startdate: 03/07/2024 Architecture: WINDOWS Score: 2 6 loaddll64.exe 1 2->6         started        process3 8 cmd.exe 1 6->8         started        10 rundll32.exe 6->10         started        12 rundll32.exe 6->12         started        14 conhost.exe 6->14         started        process4 16 rundll32.exe 8->16         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1467152
Start date and time:2024-07-03 19:18:06 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 40s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:diaoyu.dll.dll
(renamed file extension from exe to dll)
Original Sample Name:diaoyu.dll.exe
Detection:CLEAN
Classification:clean2.winDLL@10/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Stop behavior analysis, all processes terminated

Warnings

  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: diaoyu.dll.dll

Simulations

Behavior and APIs

TimeTypeDescription
13:18:54API Interceptor1x Sleep call for process: loaddll64.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):6.02979581178866
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:diaoyu.dll.dll
File size:78'336 bytes
MD5:58756f1c3fbac3f9a951ca8ca42e84f4
SHA1:57f6ea4fc934b743279eeacd08ccf0220a776be3
SHA256:68be640f730963cae039a3877d462931e6e92a4e03797788d08589b8bae4f43e
SHA512:50372108dc734d5cea39ebfbc4da835228cfffe55fa3c47a5d2fec401d97f41100f8738f628b1a0a39d5759b68a40b5fa328718d7e9d33b155eec85bb443fe31
SSDEEP:1536:YQsKBoWXIjODh+16vprFrjCkIgnu6qQRX+NHScdtqfrRTe:YQ7oWXfDzvprlW56rRX+9ScdtANe
TLSH:B1732A1AA3E904B8D5A9E07EE6375727C3EAB0291B7183DF07A408952F632D47F7D241
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q...)n..Q.......Q.......Q.......Q.......Q...#...Q...Q...Q..:....Q..:....Q..:....Q..:....Q..Rich.Q..........PE..d..

File Icon

Icon Hash:7ae282899bbab082

Static PE Info

General

Entrypoint:0x18000cc3c
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x180000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x6680B02A [Sun Jun 30 01:08:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:ebab41e756341412add1c0b62396dc83

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F8F0D0BFF87h
call 00007F8F0D0C047Ch
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F8F0D0BFE14h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00002423h]
dec eax
mov ecx, ebx
call dword ptr [00002412h]
call dword ptr [0000241Ch]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00002410h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00002404h]
test eax, eax
je 00007F8F0D0BFF89h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [000078FAh]
call 00007F8F0D0C002Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [000079E1h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00007971h], eax
dec eax
mov eax, dword ptr [000079CAh]
dec eax
mov dword ptr [0000783Bh], eax

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x126400x4c.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT0x1268c0xf0.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x160000xf8.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x150000xcd8.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x170000x90.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x106e00x70.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x105a00x140.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0xf0000x2d8.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000xd2b60xd4000b45995c97e935cace0e716a54724006False0.4736328125data6.2026418485656825IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0xf0000x416c0x4200099fb47ad578488b3fdbedee7851bc22False0.39021070075757575OpenPGP Public Key5.269880404724423IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x140000xf880x60028f1ec188c33c13b6ffc4393f7e9a947False0.10091145833333333DOS executable (block device driver)0.8979567695737576IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata0x150000xcd80xe0067ad610fc416eef5c55e0f479bb37d3cFalse0.4321986607142857data4.593398200615921IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc0x160000xf80x2000c1657ceac066c9d4e3de083e3be8ea9False0.3359375data2.5210537401333757IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x170000x900x20029fc0ba012c7967f6e21985b87b5d3e2False0.28515625data1.880256504800022IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_MANIFEST0x160600x91XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.8689655172413793

Imports

DLLImport
KERNEL32.dllVirtualQuery, Sleep, IsBadReadPtr, GetCurrentProcessId, FreeLibraryAndExitThread, RtlAddFunctionTable, CreateFileMappingA, MapViewOfFile, CloseHandle, UnmapViewOfFile, CreateEventA, SetEvent, WaitForSingleObject, ResetEvent, CreateThread, OutputDebugStringA, GetModuleHandleA, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, QueryPerformanceCounter, GetCurrentThreadId, RtlCaptureContext, GetSystemTimeAsFileTime, InitializeSListHead, GetModuleFileNameA
USER32.dllRegisterWindowMessageA, GetWindowThreadProcessId, SetWindowsHookExA, UnhookWindowsHookEx, SendMessageA, PostMessageA, SetForegroundWindow, SendMessageTimeoutA, FindWindowExA, GetWindowTextA, IsWindowVisible
ADVAPI32.dllRegSetValueExA
MSVCP140.dll?_Xout_of_range@std@@YAXPEBD@Z, ?_Xlength_error@std@@YAXPEBD@Z
VCRUNTIME140.dll__std_type_info_destroy_list, memset, _CxxThrowException, strstr, wcsstr, __std_exception_destroy, __std_exception_copy, memmove, __C_specific_handler, memcpy
VCRUNTIME140_1.dll__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll_initterm_e, _seh_filter_dll, _initterm, _crt_atexit, _configure_narrow_argv, _initialize_narrow_environment, _execute_onexit_table, _register_onexit_function, _invalid_parameter_noinfo_noreturn, _cexit, _invalid_parameter_noinfo, _errno, _initialize_onexit_table
api-ms-win-crt-string-l1-1-0.dllstrcat_s, _stricmp, wcscpy_s, strcpy_s
api-ms-win-crt-math-l1-1-0.dllsqrt, round, pow
api-ms-win-crt-stdio-l1-1-0.dll__stdio_common_vsprintf_s
api-ms-win-crt-heap-l1-1-0.dll_callnewh, malloc, free

Exports

NameOrdinalAddress
VMProtectSDK3210x180009430

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:13:18:51
Start date:03/07/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\diaoyu.dll.dll"
Imagebase:0x7ff729780000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:1
Start time:13:18:51
Start date:03/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:2
Start time:13:18:51
Start date:03/07/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",#1
Imagebase:0x7ff60b870000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:3
Start time:13:18:51
Start date:03/07/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\diaoyu.dll.dll,VMProtectSDK32
Imagebase:0x7ff6d37d0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:4
Start time:13:18:51
Start date:03/07/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",#1
Imagebase:0x7ff6d37d0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:5
Start time:13:18:54
Start date:03/07/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\diaoyu.dll.dll",VMProtectSDK32
Imagebase:0x7ff6d37d0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Disassembly

No disassembly