Windows Analysis Report
eNtYgxj1lX.dll

Overview

General Information

Sample name: eNtYgxj1lX.dll
(file extension changed from exe to dll; the file was renamed because its original name is a hash value)
Original sample name: f5cc2afb777c4ecc05f78b5e3556a2b3e508bdb9ce4ff570da68c10a1c6785b5.exe
Analysis ID: 1522598
MD5: 149ebe286468f64c8ca0fb329d1aa5f3
SHA1: 7b300b5956ada21b150926851bc297434fb1e59b
SHA256: f5cc2afb777c4ecc05f78b5e3556a2b3e508bdb9ce4ff570da68c10a1c6785b5
Tags: exe, RavinAcademy, user-JAMESWT_MHT

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Found potential dummy code loops (likely to delay analysis)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: eNtYgxj1lX.dll ReversingLabs: Detection: 28%
Source: eNtYgxj1lX.dll Virustotal: Detection: 45%
Source: eNtYgxj1lX.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\NEO\Desktop\RavinAcademy\RedTeam-01\08\03-ACG\x64\Release\EnableACG.pdb source: loaddll64.exe, 00000000.00000002.3719697980.00007FFB226C8000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3719799949.00007FFB226C8000.00000002.00000001.01000000.00000003.sdmp, eNtYgxj1lX.dll

System Summary

Source: eNtYgxj1lX.dll, type: SAMPLE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: eNtYgxj1lX.dll, type: SAMPLE Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0.2.loaddll64.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.loaddll64.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 4.2.rundll32.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 4.2.rundll32.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000000.00000002.3719303951.0000020FFA250000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3719303951.0000020FFA250000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000004.00000002.3719759282.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3719759282.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000000.00000002.3719632649.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3719632649.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000004.00000002.3719520350.0000026F84150000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3719520350.0000026F84150000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C6860 NtCreateThreadEx, 0_2_00007FFB226C6860
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C6820 NtMapViewOfSection, 0_2_00007FFB226C6820
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C498F 0_2_00007FFB226C498F
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C3D67 0_2_00007FFB226C3D67
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C51E7 0_2_00007FFB226C51E7
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C4DAF 0_2_00007FFB226C4DAF
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C566F 0_2_00007FFB226C566F
Source: eNtYgxj1lX.dll, type: SAMPLE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: eNtYgxj1lX.dll, type: SAMPLE Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0.2.loaddll64.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.loaddll64.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 4.2.rundll32.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 4.2.rundll32.exe.7ffb226c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000000.00000002.3719303951.0000020FFA250000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3719303951.0000020FFA250000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000004.00000002.3719759282.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3719759282.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000000.00000002.3719632649.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3719632649.00007FFB226C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000004.00000002.3719520350.0000026F84150000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3719520350.0000026F84150000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: eNtYgxj1lX.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal64.evad.winDLL@6/0@0/0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C6250 CreateToolhelp32Snapshot,Process32First,tolower,tolower,tolower,tolower,tolower,tolower,Process32Next,CloseHandle,printf,GetCurrentProcess,printf,OpenProcess,printf,memset,memcpy,printf,GetCurrentProcess,GetProcessMitigationPolicy,printf,printf,SetProcessMitigationPolicy,GetProcessMitigationPolicy,printf,SetProcessMitigationPolicy,SleepEx, 0_2_00007FFB226C6250
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\eNtYgxj1lX.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eNtYgxj1lX.dll",#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eNtYgxj1lX.dll",#1
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: vcruntime140.dll
Source: eNtYgxj1lX.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: eNtYgxj1lX.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eNtYgxj1lX.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eNtYgxj1lX.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eNtYgxj1lX.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eNtYgxj1lX.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eNtYgxj1lX.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: eNtYgxj1lX.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eNtYgxj1lX.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eNtYgxj1lX.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eNtYgxj1lX.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eNtYgxj1lX.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C16B5 push FFFFFFB0h; retf 0_2_00007FFB226C16CD
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C257A push rdx; iretd 0_2_00007FFB226C2585
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C1925 push rsp; ret 0_2_00007FFB226C192C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C266C push rax; retf 0_2_00007FFB226C266D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C3639 push rbx; ret 0_2_00007FFB226C3643
Source: eNtYgxj1lX.dll Static PE information: section name: .text entropy: 7.170792866984555
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe Window / User API: threadDelayed 5946
Source: C:\Windows\System32\loaddll64.exe Window / User API: threadDelayed 4053
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 6468
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 3531
Source: C:\Windows\System32\loaddll64.exe TID: 6732 Thread sleep time: -11892000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 6732 Thread sleep time: -8106000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 2412 Thread sleep count: 6468 > 30
Source: C:\Windows\System32\rundll32.exe TID: 2412 Thread sleep time: -12936000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 2412 Thread sleep count: 3531 > 30
Source: C:\Windows\System32\rundll32.exe TID: 2412 Thread sleep time: -7062000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
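The static PE findings listed above (the HIGH_ENTROPY_VA / DYNAMIC_BASE / NX_COMPAT DllCharacteristics, the image base above 0x60000000, the .text section flags and its entropy, the populated data directories and which section each lives in, and the CodeView PDB path) can all be reproduced offline without a sandbox. The script below is an added example written for this page, not part of the sandbox report or the analysed sample: it builds a small constructed PE32+ DLL image in memory (with a hypothetical PDB path and placeholder directory RVAs) and runs the same checks on it; calling `triage()` on the bytes of a real file returns the same dictionary for that file.

```python
"""Static PE triage reproducing the report's static checks (added example, not from the report)."""
import math
import struct

# IMAGE_OPTIONAL_HEADER64.DllCharacteristics bits
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF"}
# IMAGE_SECTION_HEADER.Characteristics bits
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
                 0x80000000: "IMAGE_SCN_MEM_WRITE"}
DATA_DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
                    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
                    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes; above ~7 usually means packed or encrypted."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(image: bytes) -> dict:
    """Parse a PE32+ file image and return the static findings the report lists."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                       # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    ndirs = struct.unpack_from("<I", image, opt + 108)[0]
    dirs = [struct.unpack_from("<II", image, opt + 112 + 8 * i) for i in range(min(ndirs, 16))]

    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": image[rawptr:rawptr + rawsize],
                         "flags": [n for bit, n in SECTION_FLAGS.items() if chars & bit]})

    def section_for_rva(rva: int):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["raw"])):
                return s["name"]
        return None

    # CodeView record: 'RSDS' + GUID(16) + Age(4) + NUL-terminated PDB path
    pdb_path = None
    rsds = image.find(b"RSDS")
    if rsds != -1:
        pdb_path = image[rsds + 24:image.index(b"\0", rsds + 24)].decode(errors="replace")

    text = next((s for s in sections if s["name"] == ".text"), None)
    return {
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "image_base": image_base,
        "high_image_base": image_base > 0x60000000,                    # the report's "Image base ... > 0x60000000"
        "sections": {s["name"]: s["flags"] for s in sections},
        "text_entropy": round(shannon_entropy(text["raw"]), 3) if text else None,
        "data_directories": {DATA_DIRECTORIES[i]: section_for_rva(va)
                             for i, (va, size) in enumerate(dirs) if size},
        "pdb_path": pdb_path,
    }


def build_sample_dll() -> bytes:
    """Constructed PE32+ DLL image for the demo (NOT the analysed sample; the PDB path is hypothetical)."""
    text_raw = bytes(range(256)) * 16                                   # uniform bytes: entropy 8.0
    pdb = b"C:\\build\\x64\\Release\\Example.pdb"
    rdata_raw = (b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb + b"\0").ljust(0x200, b"\0")
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2100, 40)                                              # IMPORT (placeholder RVA inside .rdata)
    dirs[6] = (0x2000, 28)                                              # DEBUG -> the RSDS record in .rdata
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x2022)      # AMD64, 2 sections, DLL | EXECUTABLE_IMAGE
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, len(text_raw), len(rdata_raw), 0, 0x1000, 0x1000,
                      0x180000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x400, 0,
                      2, 0x0160,                                        # GUI subsystem; HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    hdr_text = struct.pack("<8sIIIIIIHHI", b".text", len(text_raw), 0x1000, len(text_raw),
                           0x400, 0, 0, 0, 0, 0x60000020)               # CODE | EXECUTE | READ
    hdr_rdata = struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata_raw), 0x2000, len(rdata_raw),
                            0x400 + len(text_raw), 0, 0, 0, 0, 0x40000040)  # INITIALIZED_DATA | READ
    headers = (dos + b"PE\0\0" + coff + opt + hdr_text + hdr_rdata).ljust(0x400, b"\0")
    return headers + text_raw + rdata_raw


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(build_sample_dll()))
```

The entropy figure is the one to read with care: 7.17 bits per byte for a .text section, as the report measured for this sample, is well above the ~6.0 to 6.5 of ordinary compiler output and is consistent with an embedded encrypted payload such as the Donut-style shellcode the Yara rules matched, but it is not proof on its own; pair it with the section flags and the import table before drawing conclusions.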

Anti Debugging

Source: C:\Windows\System32\rundll32.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C71D8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFB226C71D8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C6C34 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FFB226C6C34

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll64.exe NtMapViewOfSection: Direct from: 0x7FFB226C685F
Source: C:\Windows\System32\loaddll64.exe NtCreateThreadEx: Direct from: 0x7FFB226C689F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eNtYgxj1lX.dll",#1
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFB226C6DB0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FFB226C6DB0
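The function at 0_2_00007FFB226C6250 in the System Summary walks the process list with CreateToolhelp32Snapshot / Process32First / Process32Next, lower-cases each name to find its target, opens it and then calls GetProcessMitigationPolicy and SetProcessMitigationPolicy on it, which together with the EnableACG.pdb build name points at toggling the dynamic-code mitigation (Arbitrary Code Guard) on another process. A responder who wants to see the current state of that policy across live processes can use the read-only audit below. It is an added example written for this page, not part of the report or the sample: it calls GetProcessMitigationPolicy with ProcessDynamicCodePolicy (enum value 2) through ctypes and decodes the PROCESS_MITIGATION_DYNAMIC_CODE_POLICY flag bits as defined in winnt.h; it enumerates processes with psapi's EnumProcesses rather than the Toolhelp API the sample uses. The live query only works on Windows; the flag decoder is platform independent.

```python
"""Audit which running processes have Arbitrary Code Guard (ProcessDynamicCodePolicy) enabled.

Added example, not from the sandbox report. Read-only counterpart of the sample's
GetProcessMitigationPolicy/SetProcessMitigationPolicy routine: it never changes a policy.
"""
import sys
from typing import Optional

# PROCESS_MITIGATION_POLICY enum value for the dynamic-code policy (winnt.h)
PROCESS_DYNAMIC_CODE_POLICY = 2
# PROCESS_MITIGATION_DYNAMIC_CODE_POLICY.Flags bit layout (winnt.h)
DYNAMIC_CODE_FLAGS = {
    1 << 0: "ProhibitDynamicCode",        # ACG on: no new executable pages, no RWX remaps
    1 << 1: "AllowThreadOptOut",
    1 << 2: "AllowRemoteDowngrade",
    1 << 3: "AuditProhibitDynamicCode",   # log violations instead of failing them
}
PROCESS_QUERY_INFORMATION = 0x0400


def decode_dynamic_code_policy(flags: int) -> dict:
    """Turn the DWORD returned for ProcessDynamicCodePolicy into named booleans."""
    return {name: bool(flags & bit) for bit, name in DYNAMIC_CODE_FLAGS.items()}


def acg_enabled(flags: int) -> bool:
    """ACG counts as enforced only when the prohibit bit is set and the policy is not in audit mode."""
    d = decode_dynamic_code_policy(flags)
    return d["ProhibitDynamicCode"] and not d["AuditProhibitDynamicCode"]


def query_process(pid: int) -> Optional[int]:
    """Windows only: raw ProcessDynamicCodePolicy flags of one process, or None if it cannot be opened."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.GetProcessMitigationPolicy.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t]
    k32.GetProcessMitigationPolicy.restype = wintypes.BOOL
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not h:
        return None                       # protected / higher-integrity process, or it already exited
    try:
        flags = wintypes.DWORD(0)         # the dynamic-code policy struct is a single DWORD union
        ok = k32.GetProcessMitigationPolicy(h, PROCESS_DYNAMIC_CODE_POLICY,
                                            ctypes.byref(flags), ctypes.sizeof(flags))
        return flags.value if ok else None
    finally:
        k32.CloseHandle(h)


def audit_running_processes() -> None:
    """Windows only: enumerate PIDs with EnumProcesses (psapi) and print the ACG state of each."""
    import ctypes
    from ctypes import wintypes
    psapi = ctypes.WinDLL("psapi")
    pids = (wintypes.DWORD * 4096)()
    needed = wintypes.DWORD(0)
    if not psapi.EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(needed)):
        raise OSError("EnumProcesses failed")
    for pid in pids[: needed.value // ctypes.sizeof(wintypes.DWORD)]:
        flags = query_process(pid)
        if flags is not None:
            state = "on " if acg_enabled(flags) else "off"
            print(f"{pid:6d}  ACG={state}  {decode_dynamic_code_policy(flags)}")


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run on Windows to query live processes; the flag decoder is platform independent")
    audit_running_processes()
```

Run it before and after detonating a sample of this kind and diff the output: a process whose ProhibitDynamicCode bit flips is the target the tool was built for. Note that ACG, once set on a process, cannot be cleared from outside it, so a sample that enables it is hardening (or, from an attacker's viewpoint, disrupting tooling in) the target rather than weakening it.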
No contacted IP infos