Edit tour
Windows
Analysis Report
msimg32.dll
Overview
General Information
| Sample name: | msimg32.dll |
| Analysis ID: | 1528944 |
| MD5: | 26fc1bca08f774ae76ac140ada344686 |
| SHA1: | bc93c170f1b131d9fa8c7ae835e583eeef3cf885 |
| SHA256: | 63a8464636601279443580899d9d0bae931360251992af15f040d98e2f1f8118 |
| Tags: | dllTaxOrganizer2023user-JAMESWT_MHT |
| Infos: | |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
loaddll32.exe (PID: 7504 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\msi mg32.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618) 
conhost.exe (PID: 7512 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7556 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\msi mg32.dll", #1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
rundll32.exe (PID: 7580 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\msim g32.dll",# 1 MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7564 cmdline:
rundll32.e xe C:\User s\user\Des ktop\msimg 32.dll,Alp haBlend MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_10001804 | |
| Source: | Code function: | 0_2_1000521E | |
| Source: | Code function: | 0_2_100054A0 | |
| Source: | Code function: | 0_2_10008EA3 | |
| Source: | Code function: | 0_2_100054AB | |
| Source: | Code function: | 0_2_10004AF0 | |
| Source: | Code function: | 0_2_10004AFE | |
| Source: | Code function: | 0_2_10004B0E | |
| Source: | Code function: | 0_2_10004B31 | |
| Source: | Code function: | 0_2_10004F43 | |
| Source: | Code function: | 0_2_10001784 | |
| Source: | Code function: | 0_2_10004B8D | |
| Source: | Code function: | 0_2_10004B98 | |
| Source: | Code function: | 0_2_100017BB | |
| Source: | Code function: | 3_2_10001804 | |
| Source: | Code function: | 3_2_1000521E | |
| Source: | Code function: | 3_2_100054A0 | |
| Source: | Code function: | 3_2_10008EA3 | |
| Source: | Code function: | 3_2_100054AB | |
| Source: | Code function: | 3_2_10004AF0 | |
| Source: | Code function: | 3_2_10004AFE | |
| Source: | Code function: | 3_2_10004B0E | |
| Source: | Code function: | 3_2_10004B31 | |
| Source: | Code function: | 3_2_10004F43 | |
| Source: | Code function: | 3_2_10001784 | |
| Source: | Code function: | 3_2_10004B8D | |
| Source: | Code function: | 3_2_10004B98 | |
| Source: | Code function: | 3_2_100017BB | |
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_100AE26E | |
| Source: | Code function: | 0_2_10007B90 | |
| Source: | Code function: | 3_2_100AE26E | |
| Source: | Code function: | 3_2_10007B90 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Last function: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Process created: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 System Information Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 18% | ReversingLabs | Win32.Infostealer.Tinba |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1528944 |
| Start date and time: | 2024-10-08 13:57:08 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 20s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 8 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | msimg32.dll |
| Detection: | MAL |
| Classification: | mal48.winDLL@8/0@0/0 |
| EGA Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: msimg32.dll
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.928111133196447 |
| TrID: |
|
| File name: | msimg32.dll |
| File size: | 2'338'816 bytes |
| MD5: | 26fc1bca08f774ae76ac140ada344686 |
| SHA1: | bc93c170f1b131d9fa8c7ae835e583eeef3cf885 |
| SHA256: | 63a8464636601279443580899d9d0bae931360251992af15f040d98e2f1f8118 |
| SHA512: | 4c66a99f6b10544917b40d7e3bb8968c1324e2a7d66f688528108bf86a8ea2651492de81de0f944bf0174da4e3e983c5f27c86a1d6dd72a7d51cd9554da4931a |
| SSDEEP: | 49152:kVg6Rabpu4p1goweObvbeBiDw0u+45GPJ:kup7fweOriYDw0/DJ |
| TLSH: | 42B5BE41F7C3C4FEC19665B8502AB2F55726A7B01F2381C7B6849E2E4E357C26A3E316 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........J@ma.@ma.@ma.."..Bma.I...]ma.^?..Cma.g...Gma.g...Uma.@m`.Voa.vKk..ma.I....ma.I....ma.I...Ama.^?..Ama.I...Ama.Rich@ma........ |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x100aa3b6 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x10000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x5305DEC6 [Thu Feb 20 10:53:58 2014 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 4437bd0776f3b515fff5184512f096fe |
| Signature Valid: | |
| Signature Issuer: | |
| Signature Validation Error: | |
| Error Number: | |
| Not Before, Not After | |
| Subject Chain | |
| Version: | |
| Thumbprint MD5: | |
| Thumbprint SHA-1: | |
| Thumbprint SHA-256: | |
| Serial: |
| Instruction |
|---|
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| cmp dword ptr [ebp+0Ch], 01h |
| jne 00007FDDFC71AAF7h |
| call 00007FDDFC72BFF0h |
| push dword ptr [ebp+08h] |
| mov ecx, dword ptr [ebp+10h] |
| mov edx, dword ptr [ebp+0Ch] |
| call 00007FDDFC71A9E1h |
| pop ecx |
| pop ebp |
| retn 000Ch |
| ret |
| mov eax, 100BC477h |
| mov dword ptr [10154CF4h], eax |
| mov dword ptr [10154CF8h], 100BBB01h |
| mov dword ptr [10154CFCh], 100BBAB5h |
| mov dword ptr [10154D00h], 100BBAEEh |
| mov dword ptr [10154D04h], 100BBA57h |
| mov dword ptr [10154D08h], eax |
| mov dword ptr [10154D0Ch], 100BC3EFh |
| mov dword ptr [10154D10h], 100BBA73h |
| mov dword ptr [10154D14h], 100BB9D5h |
| mov dword ptr [10154D18h], 100BB962h |
| ret |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| mov ecx, dword ptr [ebp+08h] |
| mov eax, dword ptr [1015A648h] |
| mov dword ptr [1015A648h], ecx |
| pop ebp |
| ret |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| call 00007FDDFC71AA76h |
| call 00007FDDFC72CBBBh |
| cmp dword ptr [ebp+08h], 00000000h |
| mov dword ptr [1015A64Ch], eax |
| je 00007FDDFC71AAF7h |
| call 00007FDDFC72CB42h |
| fnclex |
| pop ebp |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x148500 | 0x163 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15d000 | 0xdc | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x162000 | 0xe0f80 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x16ba98 | 0x3768 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x166000 | 0xc89c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x119ea0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x15dc7c | 0xba0 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x161000 | 0x40 | .didat |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x118000 | 0x117400 | be13da8ff662b623a3826b6ad834f0ae | False | 0.4294977828446732 | data | 6.139217151418847 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x119000 | 0x30000 | 0x2f800 | 3ebb4ae39b21d67ca99e9aab4f182595 | False | 0.2931794819078947 | data | 4.929547645604978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x149000 | 0x14000 | 0xec00 | 445ab38254c12e3b8c79515e3c266b45 | False | 0.2839645127118644 | DIY-Thermocam raw data (Lepton 2.x), scale 9728-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset -0.000000, slope 11688517198388985585992515102703616.000000 | 4.635869792483619 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x15d000 | 0x4000 | 0x4000 | 64bfd27ef8d1ba6532854e3b35bb3447 | False | 0.32421875 | data | 5.041899968325136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .didat | 0x161000 | 0x1000 | 0x400 | 6a589aa1ebb09d8b2ec70b67ea0a478b | False | 0.11328125 | firmware cc10 v1600 (revision 3926922752) pM\023 (region 2953844224), 614731024 bytes or less, UNKNOWN1 0xb0101600, at 0xf3a30d10 0 bytes , at 0 0 bytes | 0.9998421395258815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x162000 | 0xe0f80 | 0xe1000 | 996c5329ba4eb38b89024bc4e9133537 | False | 0.6308648003472223 | data | 7.448466677680904 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x162c18 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805 |
| RT_CURSOR | 0x162d4c | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7 |
| RT_CURSOR | 0x162e00 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664 |
| RT_CURSOR | 0x162f34 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.36363636363636365 |
| RT_CURSOR | 0x163068 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687 |
| RT_CURSOR | 0x16319c | 0x134 | data | Chinese | China | 0.37662337662337664 |
| RT_CURSOR | 0x1632d0 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.5422077922077922 |
| RT_CURSOR | 0x163404 | 0x134 | data | Chinese | China | 0.37337662337662336 |
| RT_CURSOR | 0x163538 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.38636363636363635 |
| RT_CURSOR | 0x16366c | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.35714285714285715 |
| RT_CURSOR | 0x1637a0 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687 |
| RT_CURSOR | 0x1638d4 | 0x134 | data | Chinese | China | 0.44155844155844154 |
| RT_CURSOR | 0x163a08 | 0x134 | data | Chinese | China | 0.4155844155844156 |
| RT_CURSOR | 0x163b3c | 0x134 | data | Chinese | China | 0.2662337662337662 |
| RT_CURSOR | 0x163c70 | 0x134 | data | Chinese | China | 0.2824675324675325 |
| RT_CURSOR | 0x163da4 | 0x134 | data | Chinese | China | 0.3246753246753247 |
| RT_BITMAP | 0x163ed8 | 0x78c36 | PC bitmap, Windows 3.x format, 62769 x 2 x 48, image size 495095, cbSize 494646, bits offset 54 | 0.7540604796157252 | ||
| RT_BITMAP | 0x1dcb10 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346 |
| RT_BITMAP | 0x1dcbc8 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965 |
| RT_ICON | 0x1dcd0c | 0xb402 | PC bitmap, Windows 3.x format, 6559 x 2 x 53, image size 46225, cbSize 46082, bits offset 54 | 0.48383316696323947 | ||
| RT_ICON | 0x1e8110 | 0x79c5 | PC bitmap, Windows 3.x format, 3987 x 2 x 47, image size 31925, cbSize 31173, bits offset 54 | 0.46982966028293716 | ||
| RT_ICON | 0x1efad8 | 0x5834 | PC bitmap, Windows 3.x format, 3157 x 2 x 41, image size 23045, cbSize 22580, bits offset 54 | 0.3520814880425155 | ||
| RT_ICON | 0x1f530c | 0x2f6cb | PC bitmap, Windows 3.x format, 24623 x 2 x 40, image size 195167, cbSize 194251, bits offset 54 | 0.5134285022985725 | ||
| RT_ICON | 0x2249d8 | 0x1d22a | PC bitmap, Windows 3.x format, 15412 x 2 x 38, image size 119734, cbSize 119338, bits offset 54 | 0.4990782483366572 | ||
| RT_DIALOG | 0x241c04 | 0xe2 | data | Chinese | China | 0.6814159292035398 |
| RT_DIALOG | 0x241ce8 | 0x34 | data | Chinese | China | 0.9038461538461539 |
| RT_STRING | 0x241d1c | 0x4e | data | Chinese | China | 0.8461538461538461 |
| RT_STRING | 0x241d6c | 0x2c | data | Chinese | China | 0.5909090909090909 |
| RT_STRING | 0x241d98 | 0x82 | data | Chinese | China | 0.9307692307692308 |
| RT_STRING | 0x241e1c | 0x1d6 | data | Chinese | China | 0.8148936170212766 |
| RT_STRING | 0x241ff4 | 0x160 | data | Chinese | China | 0.4971590909090909 |
| RT_STRING | 0x242154 | 0x12e | data | Chinese | China | 0.652317880794702 |
| RT_STRING | 0x242284 | 0x50 | data | Chinese | China | 0.7125 |
| RT_STRING | 0x2422d4 | 0x44 | data | Chinese | China | 0.6764705882352942 |
| RT_STRING | 0x242318 | 0x68 | data | Chinese | China | 0.7019230769230769 |
| RT_STRING | 0x242380 | 0x1b8 | data | Chinese | China | 0.6568181818181819 |
| RT_STRING | 0x242538 | 0x104 | data | Chinese | China | 0.6038461538461538 |
| RT_STRING | 0x24263c | 0x24 | data | Chinese | China | 0.4722222222222222 |
| RT_STRING | 0x242660 | 0x30 | data | Chinese | China | 0.625 |
| RT_RCDATA | 0x242690 | 0x80 | data | English | United States | 1.0859375 |
| RT_GROUP_CURSOR | 0x242710 | 0x22 | data | Chinese | China | 1.1176470588235294 |
| RT_GROUP_CURSOR | 0x242734 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x242748 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x24275c | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x242770 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x242784 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x242798 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x2427ac | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x2427c0 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x2427d4 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x2427e8 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x2427fc | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x242810 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x242824 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x242838 | 0x14 | data | Chinese | China | 1.4 |
| RT_VERSION | 0x24284c | 0x5d4 | data | Chinese | China | 0.25335120643431636 |
| RT_MANIFEST | 0x242e20 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786 |
| None | 0x242f7c | 0x4 | data | Chinese | China | 3.0 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CompareStringW, GlobalGetAtomNameW, GetAtomNameW, lstrcmpA, lstrlenA, GetThreadLocale, SystemTimeToFileTime, SetThreadPriority, ResumeThread, SetEvent, SuspendThread, CreateEventW, lstrcmpW, GlobalFlags, GlobalAddAtomW, MoveFileW, GetStringTypeExW, lstrcmpiW, DuplicateHandle, GetCurrentProcess, FindClose, FindFirstFileW, GetVolumeInformationW, GetShortPathNameW, GlobalDeleteAtom, GlobalFindAtomW, FreeResource, CompareStringA, GetLocaleInfoW, EnumResourceLanguagesW, ConvertDefaultLocale, GetCurrentThread, SetErrorMode, GetFileAttributesExW, LocalFileTimeToFileTime, InterlockedDecrement, SetFileAttributesW, GetFileSizeEx, GetFileTime, GetModuleHandleA, GetPrivateProfileIntW, WritePrivateProfileStringW, GetPrivateProfileStringW, GetCurrentDirectoryW, RtlUnwind, RaiseException, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetDriveTypeA, FindFirstFileA, GetCommandLineA, HeapAlloc, HeapFree, HeapReAlloc, ExitThread, CreateThread, HeapSize, ExitProcess, GetModuleFileNameA, GetTimeZoneInformation, GetCurrentDirectoryA, SetCurrentDirectoryA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringA, LCMapStringW, SetHandleCount, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, VirtualFree, FatalAppExitA, VirtualAlloc, SetConsoleCtrlHandler, GetConsoleCP, GetConsoleMode, SetStdHandle, InitializeCriticalSectionAndSpinCount, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetProcessHeap, GetModuleHandleW, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, LocalAlloc, GetModuleFileNameW, GlobalFree, CopyFileW, GlobalSize, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageW, LocalFree, lstrlenW, MulDiv, SetLastError, GetVersionExA, GlobalMemoryStatus, GetStdHandle, GetFileType, GetVersion, InterlockedIncrement, CreateFileW, CreateFileA, GetSystemTimeAsFileTime, GetSystemTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, FreeLibrary, GetProcAddress, LoadLibraryW, LoadLibraryA, GetDiskFreeSpaceW, GetDiskFreeSpaceA, GetFullPathNameW, GetFullPathNameA, DeleteFileW, GetFileAttributesW, DeleteFileA, GetFileAttributesA, FormatMessageA, GetTempPathW, GetTempPathA, UnlockFile, LockFileEx, LockFile, GetFileSize, FlushFileBuffers, SetEndOfFile, WriteFile, SetFilePointer, GetLastError, ReadFile, Sleep, AreFileApisANSI, WideCharToMultiByte, MultiByteToWideChar, GetVersionExW, GetFileInformationByHandle, FileTimeToLocalFileTime, FileTimeToSystemTime, FindResourceW, LoadResource, LockResource, SizeofResource, GetCurrentThreadId, ReleaseSemaphore, WaitForSingleObject, CloseHandle, CreateSemaphoreW, InterlockedExchange, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, SetFileTime, InitializeCriticalSection |
| USER32.dll | GetNextDlgTabItem, CreateDialogIndirectParamW, SetCursor, ShowOwnedPopups, DeleteMenu, SetRectEmpty, InvalidateRect, GetDialogBaseUnits, TranslateAcceleratorW, BringWindowToTop, CreatePopupMenu, InsertMenuItemW, LoadAcceleratorsW, ReleaseCapture, GetMenuBarInfo, LoadMenuW, ReuseDDElParam, UnpackDDElParam, SetRect, SetTimer, KillTimer, WindowFromPoint, GetKeyNameTextW, MapVirtualKeyW, IsRectEmpty, GetSystemMenu, SetParent, UnionRect, GetDCEx, LockWindowUpdate, SetCapture, FillRect, PostQuitMessage, RegisterWindowMessageW, LoadIconW, SendDlgItemMessageA, WinHelpW, IsChild, GetCapture, GetClassLongW, SetPropW, GetPropW, RemovePropW, GetForegroundWindow, SetActiveWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MapWindowPoints, ScrollWindow, TrackPopupMenuEx, TrackPopupMenu, SetMenu, SetScrollRange, GetScrollRange, SetForegroundWindow, ShowScrollBar, UpdateWindow, GetClientRect, PostMessageW, CreateWindowExW, GetClassInfoExW, EndDialog, RegisterClassW, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetWindowPlacement, DefWindowProcW, CallWindowProcW, CopyRect, GetMenu, OffsetRect, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, ModifyMenuW, EnableMenuItem, CheckMenuItem, SetWindowPos, ScrollWindowEx, ShowWindow, MoveWindow, IsWindow, IsDialogMessageW, IsDlgButtonChecked, SetDlgItemTextW, SetDlgItemInt, SendDlgItemMessageW, GetDlgItemTextW, GetDlgItemInt, GetDlgItem, CheckRadioButton, CheckDlgButton, GetScrollPos, SetScrollPos, SetFocus, CharUpperW, DestroyIcon, GetFocus, ClientToScreen, GetWindow, GetUserObjectInformationW, GetProcessWindowStation, GetDesktopWindow, MessageBoxA, GetDlgCtrlID, GetWindowRect, GetClassNameW, PtInRect, SetWindowTextW, UnregisterClassW, SetWindowsHookExW, CallNextHookEx, GetMessageW, TranslateMessage, DispatchMessageW, GetActiveWindow, IsWindowVisible, GetKeyState, SystemParametersInfoW, DestroyMenu, GetMenuItemInfoW, InflateRect, EndPaint, BeginPaint, GetWindowDC, GrayStringW, DrawTextExW, DrawTextW, GetClassInfoW, TabbedTextOutW, RemoveMenu, GetSubMenu, GetMenuItemCount, InsertMenuW, GetMenuItemID, AppendMenuW, GetMenuStringW, GetMenuState, MessageBoxW, EnableWindow, IsWindowEnabled, GetLastActivePopup, PeekMessageW, GetCursorPos, ValidateRect, GetWindowTextLengthW, GetWindowTextW, LoadCursorW, GetSystemMetrics, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, UnhookWindowsHookEx, GetWindowThreadProcessId, SendMessageW, GetParent, GetWindowLongW, SetWindowLongW |
| GDI32.dll | PlayMetaFileRecord, GetObjectType, Escape, EnumMetaFile, PlayMetaFile, CreatePen, ExtCreatePen, CreateSolidBrush, CreateHatchBrush, CreateFontIndirectW, GetTextExtentPoint32W, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, PatBlt, DPtoLP, GetCharWidthW, CreateFontW, StretchDIBits, GetTextMetricsW, GetBkColor, SelectPalette, GetStockObject, CreatePatternBrush, CreateDIBPatternBrushPt, ExtSelectClipRgn, PolyBezierTo, PolylineTo, PolyDraw, ArcTo, GetCurrentPositionEx, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ExtTextOutW, TextOutW, RectVisible, PtVisible, StartDocW, GetPixel, GetWindowExtEx, CreateDCW, CreateBitmap, GetDCOrgEx, GetClipBox, SetTextColor, DeleteDC, DeleteObject, GetBitmapBits, BitBlt, GetObjectA, SelectObject, CreateCompatibleBitmap, GetDeviceCaps, CreateCompatibleDC, CreateDCA, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, CopyMetaFileW, SetBkColor, GetObjectW, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, GetViewportExtEx, SelectClipPath, CreateRectRgn, GetClipRgn, SelectClipRgn, SetColorAdjustment, SetArcDirection, SetMapperFlags, SetTextCharacterExtra, SetTextJustification, SetTextAlign, MoveToEx, LineTo, OffsetClipRgn, IntersectClipRect, ExcludeClipRect, SetMapMode, ModifyWorldTransform, SetWorldTransform, SetGraphicsMode, SetStretchBltMode, SetViewportOrgEx |
| ADVAPI32.dll | RegisterEventSourceA, ReportEventA, DeregisterEventSource, RegQueryValueExW, RegDeleteValueW, RegSetValueExW, RegEnumKeyW, RegDeleteKeyW, RegQueryValueW, RegOpenKeyExW, RegOpenKeyW, RegCreateKeyW, RegCreateKeyExW, RegSetValueW, RegCloseKey |
| SHLWAPI.dll | PathStripToRootW, PathIsUNCW, PathFindExtensionW, PathRemoveExtensionW, PathFindFileNameW, PathRemoveFileSpecW |
| WINSPOOL.DRV | DocumentPropertiesW, OpenPrinterW, ClosePrinter |
| COMDLG32.dll | GetFileTitleW |
| SHELL32.dll | ExtractIconW, DragFinish, DragQueryFileW, SHGetFileInfoW |
| ole32.dll | StringFromGUID2, CoDisconnectObject, OleDuplicateData, CoTreatAsClass, StringFromCLSID, CoTaskMemAlloc, ReleaseStgMedium, CoCreateInstance, ReadClassStg, ReadFmtUserTypeStg, OleRegGetUserType, WriteClassStg, WriteFmtUserTypeStg, SetConvertStg, CoTaskMemFree, CLSIDFromString, CoUninitialize, CoInitializeEx, CreateBindCtx |
| OLEAUT32.dll | SysStringLen, SysFreeString, SysAllocStringByteLen, SysStringByteLen, RegisterTypeLib, LoadTypeLib, LoadRegTypeLib, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElemsize, SafeArrayGetDim, SafeArrayCreate, VariantClear, SafeArrayRedim, VariantChangeType, VariantCopy, SafeArrayAllocData, SafeArrayAllocDescriptor, SafeArrayCopy, SafeArrayGetElement, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayLock, SafeArrayUnlock, SafeArrayDestroy, SafeArrayDestroyData, SafeArrayDestroyDescriptor, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocStringLen, VarDateFromStr, SysReAllocStringLen, VarCyFromStr, VarBstrFromCy, VarBstrFromDec, VarDecFromStr, VarBstrFromDate, VariantInit |
| Name | Ordinal | Address |
|---|---|---|
| AlphaBlend | 1 | 0x1000133e |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Chinese | China |  |
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 07:57:59 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa20000 |
| File size: | 126'464 bytes |
| MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 07:57:59 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 07:57:59 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 07:57:59 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa00000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 07:57:59 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa00000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 46 |
| Total number of Limit Nodes: | 0 |
Graph
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100088E5 Relevance: 1.7, APIs: 1, Instructions: 190memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10008898 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100088BA Relevance: 1.6, APIs: 1, Instructions: 107COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100084E5 Relevance: 1.6, APIs: 1, Instructions: 99COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100084ED Relevance: 1.6, APIs: 1, Instructions: 99COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100080A5 Relevance: 1.6, APIs: 1, Instructions: 98COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10008EA3 Relevance: 82.7, Strings: 66, Instructions: 225COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004AF0 Relevance: 5.2, Strings: 4, Instructions: 202COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004AFE Relevance: 5.2, Strings: 4, Instructions: 200COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004B0E Relevance: 5.2, Strings: 4, Instructions: 198COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004B31 Relevance: 5.2, Strings: 4, Instructions: 191COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100017BB Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001804 Relevance: .2, Instructions: 178COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004B8D Relevance: .2, Instructions: 177COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004B98 Relevance: .2, Instructions: 172COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001784 Relevance: .2, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004F43 Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000521E Relevance: .1, Instructions: 113COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100054A0 Relevance: .1, Instructions: 108COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100054AB Relevance: .1, Instructions: 102COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 46 |
| Total number of Limit Nodes: | 0 |
Graph
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100088E5 Relevance: 1.7, APIs: 1, Instructions: 190memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10008898 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100088BA Relevance: 1.6, APIs: 1, Instructions: 107COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100084E5 Relevance: 1.6, APIs: 1, Instructions: 99COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100084ED Relevance: 1.6, APIs: 1, Instructions: 99COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100080A5 Relevance: 1.6, APIs: 1, Instructions: 98COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|