
Windows Analysis Report
Unconfirmed 739754.dll

Overview

General Information

Sample name:Unconfirmed 739754.dll
(renamed file extension from crdownload to dll)
Original sample name:Unconfirmed 739754.crdownload
Analysis ID:1671111
MD5:f62de98ee452ed4ea0543ee5129fd21d
SHA1:61578f17f4150998911457befb59aed431e393e3
SHA256:5bd74c996047c87917e5cea60eb924e8a63d64271a8787eb29eaee855cdfcd13

Detection

Score:1
Range:0 - 100
Confidence:60%

Signatures

Creates a process in suspended mode (likely to inject code)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Classification label: clean1.winDLL@6/0@1/0
  • System is w10x64
  • loaddll32.exe (PID: 2680 cmdline: loaddll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 1888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2516 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 2728 cmdline: rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


Source: Unconfirmed 739754.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Unconfirmed 739754.dll; Binary string: C:\BuildAgent\work\eb14b679815cea5b\Core\Tools\Tyler.IMS.Publishing\obj\Release\Tyler.IMS.Publishing.pdb
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: c.pki.goog
Source: Unconfirmed 739754.dll; String found in binary or memory: http://schemas.tylertech.com/ims/packaging/2016/11/imssecure.xsd
Source: Unconfirmed 739754.dll; String found in binary or memory: http://schemas.tylertech.com/ims/packaging/2016/11/imsspec.xsd
Source: Unconfirmed 739754.dll; Binary or memory string: OriginalFilenameTyler.IMS.Publishing.dllJ vs Unconfirmed 739754.dll
Source: classification engine; Classification label: clean1.winDLL@6/0@1/0
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1888:120:WilError_03
Source: Unconfirmed 739754.dll; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Unconfirmed 739754.dll; Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 49.81%
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll"
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1
Source: C:\Windows\System32\loaddll32.exe; Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: apphelp.dll
Source: Unconfirmed 739754.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Unconfirmed 739754.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
MITRE ATT&CK Matrix (techniques marked by the analysis, with the count shown next to each):
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
  • Defense Evasion: Rundll32 (1), Virtualization/Sandbox Evasion (1), Process Injection (11), DLL Side-Loading (1)
  • Discovery: Virtualization/Sandbox Evasion (1), System Information Discovery (1)
  • Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (1)
No techniques marked under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Exfiltration or Impact.
Behavior Graph ID: 1671111; Sample: Unconfirmed 739754.crdownload; Start date: 22/04/2025; Architecture: WINDOWS; Score: 1
DNS/IP nodes: pki-goog.l.google.com, c.pki.goog
Process nodes: loaddll32.exe started cmd.exe and conhost.exe; cmd.exe started rundll32.exe

No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.tylertech.com/ims/packaging/2016/11/imsspec.xsd | 0% | Avira URL Cloud | safe
http://schemas.tylertech.com/ims/packaging/2016/11/imssecure.xsd | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
pki-goog.l.google.com | 142.250.68.227 | true | false | | high
c.pki.goog | unknown | unknown | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.tylertech.com/ims/packaging/2016/11/imssecure.xsd | Unconfirmed 739754.dll | false | Avira URL Cloud: safe | unknown
http://schemas.tylertech.com/ims/packaging/2016/11/imsspec.xsd | Unconfirmed 739754.dll | false | Avira URL Cloud: safe | unknown

No contacted IP infos
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1671111
        Start date and time:2025-04-22 16:46:50 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 1m 52s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:4
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:Unconfirmed 739754.dll
        (renamed file extension from crdownload to dll)
        Original Sample Name:Unconfirmed 739754.crdownload
        Detection:CLEAN
        Classification:clean1.winDLL@6/0@1/0
        Cookbook Comments:
        • Stop behavior analysis, all processes terminated
        • Excluded IPs from analysis (whitelisted): 184.29.183.29
        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net
        • Not all processes were analyzed, report is missing behavior information
Time | Type | Description
10:47:46 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
pki-goog.l.google.com | http://www.pdf-fast.com | malicious | Unknown | 142.250.68.227
pki-goog.l.google.com | 1tron.vbs | malicious | Unknown | 142.250.68.227
pki-goog.l.google.com | SecuriteInfo.com.Win64.MalwareX-gen.22561.9089.exe | malicious | LockBit ransomware | 142.250.68.227
pki-goog.l.google.com | 1061__2025-04-08_21-35-16____client.exe | malicious | Unknown | 142.250.68.227
pki-goog.l.google.com | SecuriteInfo.com.Win64.MalwareX-gen.15593.21621.exe | malicious | LockBit ransomware | 142.250.68.227
pki-goog.l.google.com | SecuriteInfo.com.Win32.MalwareX-gen.18946.15055.exe | malicious | Unknown | 142.250.68.227
pki-goog.l.google.com | 5VPZNNjklZ.exe | malicious | Amadey, LockBit ransomware, LummaC Stealer, Vidar | 142.250.68.227
pki-goog.l.google.com | pixel.exe | malicious | AsyncRAT, DcRat | 192.178.49.195
pki-goog.l.google.com | USzqgDnms7.exe | malicious | Babuk | 192.178.49.195
pki-goog.l.google.com | xYlp4jBkIE.exe | malicious | Babuk | 142.250.68.227
bg.microsoft.map.fastly.net | http://www.pdf-fast.com | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://app.plangrid.com/projects/86007b55-3778-e02c-c33b-b705fc295425/staple/4c0da4e3-66c9-46a3-b563-49cff2a42beb | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | https://free.teambeam.de/api/skp/v1/download/4svgq9jpl86letap5e63e0ijrlulmjw5hperu180/0/Driesmans%20en%20Co%20NV%20.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | IDriveWinSetup.exe | malicious | Phisher | 199.232.214.172
bg.microsoft.map.fastly.net | http://77.223.119.85/hglq2b/rxm.exe | malicious | AsyncRAT, DcRat | 199.232.214.172
bg.microsoft.map.fastly.net | statement.exe | malicious | PureCrypter | 199.232.214.172
bg.microsoft.map.fastly.net | ZXKkksctaZ.exe | malicious | PureCrypter | 199.232.210.172
bg.microsoft.map.fastly.net | http://77.223.119.85/hglq2b/namen.ps1 | malicious | AsyncRAT, DcRat | 199.232.210.172
bg.microsoft.map.fastly.net | mYL13qkA7M.xlsx | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | RFQ No. M109241 22.04.2025.xlsx | malicious | Unknown | 199.232.210.172
        No context
        No created / dropped files found
        File type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit):5.680936736950834
        TrID:
        • Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 49.81%
        • Win32 Dynamic Link Library (generic) (1002004/3) 49.34%
        • Windows Screen Saver (13104/52) 0.65%
        • Generic Win/DOS Executable (2004/3) 0.10%
        • DOS Executable Generic (2002/1) 0.10%
        File name:Unconfirmed 739754.dll
        File size:55'296 bytes
        MD5:f62de98ee452ed4ea0543ee5129fd21d
        SHA1:61578f17f4150998911457befb59aed431e393e3
        SHA256:5bd74c996047c87917e5cea60eb924e8a63d64271a8787eb29eaee855cdfcd13
        SHA512:d6faa30b286f8fafec0c74f3112e7062ca2e6909fdf6db3f46fcee641948dc4d9bfdcbe2f39a89592f7e91439cc673c90b4b1f2992845b969620c7d165c31293
        SSDEEP:1536:QwbusnuDZsztM4QMrjWtz6tXyo6bCBGF0qIxjF5:Qwi3DCztzQMrjW1vDCBFqmjr
        TLSH:7043C75033FCC33AE6FF2B7D75B0405106F6F689A531DA9D6E81649E2E22B404B61B63
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e.~g.........." ..0.................. ........... .......................@............@................................
        Icon Hash:7ae282899bbab082
        Entrypoint:0x1000edfa
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x10000000
        Subsystem:windows cui
        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Time Stamp:0x677ED065 [Wed Jan 8 19:22:13 2025 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:dae02f32a21e03ce65412f6e56942daa
        Instruction
        jmp dword ptr [10002000h]
        (The remaining bytes of the entry-point dump are zero and disassemble as "add byte ptr [eax], al". The jump target 0x10002000 is image base 0x10000000 plus the single import address table entry at RVA 0x2000, size 0x8, which imports mscoree.dll _CorDllMain.)
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xeda8 | 0x4f | .text
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x42c | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12000 | 0xc | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0xec70 | 0x1c | .text
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x2000 | 0xce00 | 0xce00 | b0ca68de35df2275b1ccdaab31fc5c3e | False | 0.4386377427184466 | data | 5.805383443786634 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rsrc | 0x10000 | 0x42c | 0x600 | ac20157ed92d53922c92594ba79a8f8d | False | 0.2734375 | data | 2.4469577481207856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x12000 | 0xc | 0x200 | 225ee030e13978e0942d0939b4326e52 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        RT_VERSION | 0x10058 | 0x3d0 | data | | | 0.3985655737704918
        DLL | Import
        mscoree.dll | _CorDllMain
        Description | Data
        Translation | 0x0000 0x04b0
        Comments |
        CompanyName | Tyler Technologies
        FileDescription | Tyler.IMS.Publishing
        FileVersion | 1.4.5.0
        InternalName | Tyler.IMS.Publishing.dll
        LegalCopyright | Copyright Tyler Technologies 2009-2021
        LegalTrademarks |
        OriginalFilename | Tyler.IMS.Publishing.dll
        ProductName | Tyler.IMS.Publishing
        ProductVersion | 1.4.5.0
        Assembly Version | 1.4.5.0
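The static facts the report lists above (DLL flag, the four DLL characteristics, a non-empty COM descriptor marking a .NET assembly, an empty security directory behind "Digitally signed: false", the entry point inside .text) all come from a few hundred bytes of header. The block below is an added example, not code from the Joe Sandbox report or from Tyler Technologies: it constructs a PE32 header in memory with the values the report gives for this sample and parses it the way a triage script would. The section raw-data pointers are invented because the report does not list them, and the checks, in particular the test for a writable-and-executable section that would make NX_COMPAT meaningless, are this example's own.

```python
"""Static PE triage of the kind the report above summarises.

Added example, not part of the Joe Sandbox report. build_header() constructs
a PE32 header with the values the report lists for the sample (timestamp
0x677ED065, image base 0x10000000, entry RVA 0xedfa, DLL characteristics,
a non-empty COM descriptor, the three section headers); the raw file
pointers of the sections are invented since the report omits them.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
DIR_SECURITY, DIR_COM_DESCRIPTOR = 4, 14   # data directory indices
E_LFANEW = 0x80                            # PE signature offset in the constructed file


def build_header(dotnet: bool = True) -> bytes:
    """Constructed PE32 header (no section bodies) using the report's values."""
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", E_LFANEW)).ljust(E_LFANEW, b"\x00")
    # COFF header: i386, 3 sections, timestamp, no symbols, 0xE0-byte optional header,
    # characteristics EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x014C, 3, 0x677ED065, 0, 0, 0xE0, 0x2022)
    # Optional header: Magic..BaseOfData, then ImageBase..DllCharacteristics, then the rest
    opt = struct.pack("<HBBIIIIII", 0x10B, 48, 0, 0xCE00, 0x600, 0, 0xEDFA, 0x2000, 0x10000)
    opt += struct.pack("<IIIHHHHHHIIIIHH", 0x10000000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, 0x14000, 0x200, 0, 3, 0x8540)  # 0x8540 = the four DLL flags above
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0xEDA8, 0x4F), (0x10000, 0x42C), (0x12000, 0xC)
    dirs[6], dirs[12] = (0xEC70, 0x1C), (0x2000, 0x8)
    if dotnet:
        dirs[DIR_COM_DESCRIPTOR] = (0x2008, 0x48)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sections = [(b".text", 0xCE00, 0x2000, 0xCE00, 0x200, 0x60000020),
                (b".rsrc", 0x42C, 0x10000, 0x600, 0xD000, 0x40000040),
                (b".reloc", 0xC, 0x12000, 0x200, 0xD600, 0x42000040)]
    sec = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                   for n, vs, va, rs, rp, fl in sections)
    return dos + coff + opt + sec


def parse_pe(data: bytes) -> dict:
    """Parse the headers a triage script needs; ValueError on anything but PE32."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, n_sections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    n_dirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(n_sections):
        name, vsize, va, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii"), "va": va, "vsize": vsize, "flags": flags})
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars, "entry_rva": entry_rva,
            "image_base": image_base, "subsystem": subsystem, "dll_characteristics": dll_chars,
            "dirs": dirs, "sections": sections}


def triage(info: dict) -> dict:
    """Derive the static facts the report lists from the parsed headers."""
    dirs = info["dirs"]
    size_of = lambda idx: dirs[idx][1] if idx < len(dirs) else 0
    flags = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if info["dll_characteristics"] & bit]
    entry = info["entry_rva"]
    entry_section = next((s["name"] for s in info["sections"] if s["va"] <= entry < s["va"] + s["vsize"]), None)
    # A section mapped both writable and executable defeats the point of NX_COMPAT.
    wx = [s["name"] for s in info["sections"]
          if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE]
    when = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    return {
        "is_dll": bool(info["characteristics"] & IMAGE_FILE_DLL),
        "is_dotnet": size_of(DIR_COM_DESCRIPTOR) != 0,    # managed assemblies carry a CLR header
        "has_authenticode": size_of(DIR_SECURITY) != 0,   # report: "Digitally signed: false"
        "dll_characteristics": flags,
        "compile_time_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": info["image_base"] + entry,
        "entry_section": entry_section,
        "wx_sections": wx,
        "nx_effective": "NX_COMPAT" in flags and not wx,
    }


if __name__ == "__main__":
    for key, value in triage(parse_pe(build_header())).items():
        print(f"{key}: {value}")
```

Run as a script it prints the findings for the constructed header; on a real file, pass the file's bytes to parse_pe() instead of build_header(). The compile time decodes to 2025-01-08 19:22:13 UTC, matching the report's time stamp, while the version resource claims a copyright ending in 2021 and the image carries no Authenticode signature, which is exactly the combination the "Sample file is different than original file name gathered from version info" signature invites you to look at.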


        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Apr 22, 2025 16:47:44.770390987 CEST | 60044 | 53 | 192.168.2.5 | 1.1.1.1
        Apr 22, 2025 16:47:44.910836935 CEST | 53 | 60044 | 1.1.1.1 | 192.168.2.5

        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Apr 22, 2025 16:47:44.770390987 CEST | 192.168.2.5 | 1.1.1.1 | 0x4bd8 | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false

        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Apr 22, 2025 16:47:43.994223118 CEST | 1.1.1.1 | 192.168.2.5 | 0xd757 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
        Apr 22, 2025 16:47:43.994223118 CEST | 1.1.1.1 | 192.168.2.5 | 0xd757 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
        Apr 22, 2025 16:47:44.910836935 CEST | 1.1.1.1 | 192.168.2.5 | 0x4bd8 | No error (0) | c.pki.goog | pki-goog.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
        Apr 22, 2025 16:47:44.910836935 CEST | 1.1.1.1 | 192.168.2.5 | 0x4bd8 | No error (0) | pki-goog.l.google.com | | 142.250.68.227 | A (IP address) | IN (0x0001) | false
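The "UDP traffic detected without corresponding DNS query: 1.1.1.1" line in the signature section comes from correlating the UDP flows above with the DNS answers. The block below is an added example, not part of the Joe Sandbox report: it transcribes the report's network records into Python tuples and implements that correlation, following the c.pki.goog CNAME chain to its address and excluding the resolver, which would otherwise be flagged because the DNS queries are themselves UDP packets to 1.1.1.1. The tuple layout, the resolver allow-list, the local prefix and the extra unresolved flow to 203.0.113.7 used in the demonstration are constructed for this example.

```python
"""Correlate UDP flows with DNS answers, as a sandbox does for a
"UDP traffic detected without corresponding DNS query" check.

Added example, not part of the Joe Sandbox report. The records below are
transcribed from the report's network tables (the DNS exchange with
1.1.1.1, the c.pki.goog CNAME chain, the bg.microsoft.map.fastly.net
answers); the tuple layout, the resolver allow-list and the heuristic
itself are this example's own.
"""
from collections import defaultdict

RESOLVERS = {"1.1.1.1"}          # the analysis VM's DNS server, from the report
LOCAL_PREFIX = "192.168.2."      # the analysis VM's network, from the report

# (timestamp, src_ip, src_port, dst_ip, dst_port), from the UDP packets table
UDP_FLOWS = [
    ("16:47:44.770", "192.168.2.5", 60044, "1.1.1.1", 53),
    ("16:47:44.910", "1.1.1.1", 53, "192.168.2.5", 60044),
]

# (timestamp, transaction id, name, record type, value), from the DNS answers table
DNS_ANSWERS = [
    ("16:47:43.994", 0xD757, "bg.microsoft.map.fastly.net", "A", "199.232.210.172"),
    ("16:47:43.994", 0xD757, "bg.microsoft.map.fastly.net", "A", "199.232.214.172"),
    ("16:47:44.910", 0x4BD8, "c.pki.goog", "CNAME", "pki-goog.l.google.com"),
    ("16:47:44.910", 0x4BD8, "pki-goog.l.google.com", "A", "142.250.68.227"),
]


def resolve_chain(answers, name, max_depth=8):
    """Follow CNAME answers from `name` and return the A addresses reached.

    The depth is bounded so a CNAME loop in hostile traffic cannot hang the
    analysis; a loop simply yields no addresses."""
    names, addresses = [name], []
    for _ in range(max_depth):
        nxt = []
        for n in names:
            for _, _, rname, rtype, value in answers:
                if rname == n:
                    (addresses if rtype == "A" else nxt).append(value)
        if not nxt:
            break
        names = nxt
    return addresses


def ip_to_names(answers):
    """Map every answered address back to the names that led to it, CNAMEs included."""
    mapping = defaultdict(set)
    for _, _, name, _, _ in answers:
        for ip in resolve_chain(answers, name):
            mapping[ip].add(name)
    return {ip: sorted(names) for ip, names in mapping.items()}


def flows_without_dns(flows, answers, resolvers=RESOLVERS, local_prefix=LOCAL_PREFIX):
    """Outbound flows whose destination was never returned in a DNS answer.

    Packets to the resolver are the DNS queries themselves and are skipped;
    without that exclusion the resolver is reported, which is what the
    report's '1.1.1.1' line records."""
    known = ip_to_names(answers)
    return [f for f in flows
            if f[1].startswith(local_prefix)          # outbound only
            and f[3] not in resolvers
            and f[3] not in known]


def describe(flows, answers, resolvers=RESOLVERS, local_prefix=LOCAL_PREFIX):
    """Annotate each outbound flow with the names that resolved to its destination."""
    known = ip_to_names(answers)
    out = []
    for ts, src, sport, dst, dport in flows:
        if not src.startswith(local_prefix):
            continue
        label = "resolver" if dst in resolvers else ",".join(known.get(dst, ["<no DNS>"]))
        out.append(f"{ts} {src}:{sport} -> {dst}:{dport} ({label})")
    return out


if __name__ == "__main__":
    # Constructed extra flow to an address no DNS answer returned (TEST-NET-3).
    extra = UDP_FLOWS + [("16:47:50.000", "192.168.2.5", 60045, "203.0.113.7", 4444)]
    print("\n".join(describe(extra, DNS_ANSWERS)))
    print("unresolved:", flows_without_dns(extra, DNS_ANSWERS))
```

With the resolver excluded, flows_without_dns() returns nothing for the report's traffic, because the only destination the sample's run ever contacted over UDP was the resolver itself; called with resolvers=set() it returns the query to 1.1.1.1, reproducing the report's finding. The constructed 203.0.113.7 flow shows what a genuine hit looks like: a destination that never appeared in any A record, which is the pattern that matters for hard-coded command-and-control addresses.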


        Target ID:0
        Start time:10:47:45
        Start date:22/04/2025
        Path:C:\Windows\System32\loaddll32.exe
        Wow64 process (32bit):true
        Commandline:loaddll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll"
        Imagebase:0x3e0000
        File size:126'464 bytes
        MD5 hash:51E6071F9CBA48E79F10C84515AAE618
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:1
        Start time:10:47:45
        Start date:22/04/2025
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7e2000000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:2
        Start time:10:47:46
        Start date:22/04/2025
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1
        Imagebase:0x220000
        File size:236'544 bytes
        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:3
        Start time:10:47:46
        Start date:22/04/2025
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1
        Imagebase:0x620000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        No disassembly