Windows
Analysis Report
msimg32.dll
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 7504, cmdline: loaddll32.exe "C:\Users\user\Desktop\msimg32.dll", MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 7512, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7556, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 7580, cmdline: rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7564, cmdline: rundll32.exe C:\Users\user\Desktop\msimg32.dll,AlphaBlend, MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
AV Detection |
---|
Source: ReversingLabs |
Source: Static PE information |
Source: Static PE information |
Source: Binary string |
Source: String found in binary or memory |
Source: String found in binary or memory |
Source: Code function 0_2_10001804 |
Source: Code function 0_2_1000521E |
Source: Code function 0_2_100054A0 |
Source: Code function 0_2_10008EA3 |
Source: Code function 0_2_100054AB |
Source: Code function 0_2_10004AF0 |
Source: Code function 0_2_10004AFE |
Source: Code function 0_2_10004B0E |
Source: Code function 0_2_10004B31 |
Source: Code function 0_2_10004F43 |
Source: Code function 0_2_10001784 |
Source: Code function 0_2_10004B8D |
Source: Code function 0_2_10004B98 |
Source: Code function 0_2_100017BB |
Source: Code function 3_2_10001804 |
Source: Code function 3_2_1000521E |
Source: Code function 3_2_100054A0 |
Source: Code function 3_2_10008EA3 |
Source: Code function 3_2_100054AB |
Source: Code function 3_2_10004AF0 |
Source: Code function 3_2_10004AFE |
Source: Code function 3_2_10004B0E |
Source: Code function 3_2_10004B31 |
Source: Code function 3_2_10004F43 |
Source: Code function 3_2_10001784 |
Source: Code function 3_2_10004B8D |
Source: Code function 3_2_10004B98 |
Source: Code function 3_2_100017BB |
Source: Binary or memory string |
Source: Static PE information |
Source: Classification label |
Source: Mutant created |
Source: Static PE information |
Source: Key opened |
Source: Process created |
Source: Binary or memory string |
Source: Binary or memory string |
Source: Binary or memory string |
Source: Binary or memory string |
Source: Binary or memory string |
Source: Binary or memory string |
Source: Binary or memory string |
Source: Binary or memory string |
Source: Binary or memory string |
Source: ReversingLabs |
Source: Process created |
Source: Process created |
Source: Process created |
Source: Process created |
Source: Process created |
Source: Process created |
Source: Process created |
Source: Process created |
Source: Section loaded |
Source: Section loaded |
Source: Static PE information |
Source: Static file information |
Source: Static PE information |
Source: Static PE information |
Source: Static PE information |
Source: Binary string |
Source: Static PE information |
Source: Static PE information |
Source: Code function 0_2_100AE26E |
Source: Code function 0_2_10007B90 |
Source: Code function 3_2_100AE26E |
Source: Code function 3_2_10007B90 |
Source: Process information set |
Source: Process information set |
Source: API coverage |
Source: API coverage |
Source: Thread injection, dropped files, key value created, disk infection and DNS query |
Source: Last function |
Source: Thread injection, dropped files, key value created, disk infection and DNS query |
Source: Process created |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 System Information Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
18% | ReversingLabs | Win32.Infostealer.Tinba |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1528944 |
Start date and time: | 2024-10-08 13:57:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 20s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | msimg32.dll |
Detection: | MAL |
Classification: | mal48.winDLL@8/0@0/0 |
EGA Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: msimg32.dll
File type: | |
Entropy (8bit): | 6.928111133196447 |
TrID: | |
File name: | msimg32.dll |
File size: | 2'338'816 bytes |
MD5: | 26fc1bca08f774ae76ac140ada344686 |
SHA1: | bc93c170f1b131d9fa8c7ae835e583eeef3cf885 |
SHA256: | 63a8464636601279443580899d9d0bae931360251992af15f040d98e2f1f8118 |
SHA512: | 4c66a99f6b10544917b40d7e3bb8968c1324e2a7d66f688528108bf86a8ea2651492de81de0f944bf0174da4e3e983c5f27c86a1d6dd72a7d51cd9554da4931a |
SSDEEP: | 49152:kVg6Rabpu4p1goweObvbeBiDw0u+45GPJ:kup7fweOriYDw0/DJ |
TLSH: | 42B5BE41F7C3C4FEC19665B8502AB2F55726A7B01F2381C7B6849E2E4E357C26A3E316 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........J@ma.@ma.@ma.."..Bma.I...]ma.^?..Cma.g...Gma.g...Uma.@m`.Voa.vKk..ma.I....ma.I....ma.I...Ama.^?..Ama.I...Ama.Rich@ma........ |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x100aa3b6 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5305DEC6 [Thu Feb 20 10:53:58 2014 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 4437bd0776f3b515fff5184512f096fe |
Signature Valid: | |
Signature Issuer: | |
Signature Validation Error: | |
Error Number: | |
Not Before, Not After: | |
Subject Chain: | |
Version: | |
Thumbprint MD5: | |
Thumbprint SHA-1: | |
Thumbprint SHA-256: | |
Serial: |
Instruction |
---|
mov edi, edi |
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007FDDFC71AAF7h |
call 00007FDDFC72BFF0h |
push dword ptr [ebp+08h] |
mov ecx, dword ptr [ebp+10h] |
mov edx, dword ptr [ebp+0Ch] |
call 00007FDDFC71A9E1h |
pop ecx |
pop ebp |
retn 000Ch |
ret |
mov eax, 100BC477h |
mov dword ptr [10154CF4h], eax |
mov dword ptr [10154CF8h], 100BBB01h |
mov dword ptr [10154CFCh], 100BBAB5h |
mov dword ptr [10154D00h], 100BBAEEh |
mov dword ptr [10154D04h], 100BBA57h |
mov dword ptr [10154D08h], eax |
mov dword ptr [10154D0Ch], 100BC3EFh |
mov dword ptr [10154D10h], 100BBA73h |
mov dword ptr [10154D14h], 100BB9D5h |
mov dword ptr [10154D18h], 100BB962h |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
mov ecx, dword ptr [ebp+08h] |
mov eax, dword ptr [1015A648h] |
mov dword ptr [1015A648h], ecx |
pop ebp |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
call 00007FDDFC71AA76h |
call 00007FDDFC72CBBBh |
cmp dword ptr [ebp+08h], 00000000h |
mov dword ptr [1015A64Ch], eax |
je 00007FDDFC71AAF7h |
call 00007FDDFC72CB42h |
fnclex |
pop ebp |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x148500 | 0x163 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15d000 | 0xdc | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x162000 | 0xe0f80 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x16ba98 | 0x3768 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x166000 | 0xc89c | .rsrc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x119ea0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x15dc7c | 0xba0 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x161000 | 0x40 | .didat |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x118000 | 0x117400 | be13da8ff662b623a3826b6ad834f0ae | False | 0.4294977828446732 | data | 6.139217151418847 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x119000 | 0x30000 | 0x2f800 | 3ebb4ae39b21d67ca99e9aab4f182595 | False | 0.2931794819078947 | data | 4.929547645604978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x149000 | 0x14000 | 0xec00 | 445ab38254c12e3b8c79515e3c266b45 | False | 0.2839645127118644 | DIY-Thermocam raw data (Lepton 2.x), scale 9728-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset -0.000000, slope 11688517198388985585992515102703616.000000 | 4.635869792483619 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x15d000 | 0x4000 | 0x4000 | 64bfd27ef8d1ba6532854e3b35bb3447 | False | 0.32421875 | data | 5.041899968325136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didat | 0x161000 | 0x1000 | 0x400 | 6a589aa1ebb09d8b2ec70b67ea0a478b | False | 0.11328125 | firmware cc10 v1600 (revision 3926922752) pM\023 (region 2953844224), 614731024 bytes or less, UNKNOWN1 0xb0101600, at 0xf3a30d10 0 bytes , at 0 0 bytes | 0.9998421395258815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x162000 | 0xe0f80 | 0xe1000 | 996c5329ba4eb38b89024bc4e9133537 | False | 0.6308648003472223 | data | 7.448466677680904 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x162c18 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805 |
RT_CURSOR | 0x162d4c | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7 |
RT_CURSOR | 0x162e00 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664 |
RT_CURSOR | 0x162f34 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.36363636363636365 |
RT_CURSOR | 0x163068 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687 |
RT_CURSOR | 0x16319c | 0x134 | data | Chinese | China | 0.37662337662337664 |
RT_CURSOR | 0x1632d0 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.5422077922077922 |
RT_CURSOR | 0x163404 | 0x134 | data | Chinese | China | 0.37337662337662336 |
RT_CURSOR | 0x163538 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.38636363636363635 |
RT_CURSOR | 0x16366c | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.35714285714285715 |
RT_CURSOR | 0x1637a0 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687 |
RT_CURSOR | 0x1638d4 | 0x134 | data | Chinese | China | 0.44155844155844154 |
RT_CURSOR | 0x163a08 | 0x134 | data | Chinese | China | 0.4155844155844156 |
RT_CURSOR | 0x163b3c | 0x134 | data | Chinese | China | 0.2662337662337662 |
RT_CURSOR | 0x163c70 | 0x134 | data | Chinese | China | 0.2824675324675325 |
RT_CURSOR | 0x163da4 | 0x134 | data | Chinese | China | 0.3246753246753247 |
RT_BITMAP | 0x163ed8 | 0x78c36 | PC bitmap, Windows 3.x format, 62769 x 2 x 48, image size 495095, cbSize 494646, bits offset 54 | | | 0.7540604796157252 |
RT_BITMAP | 0x1dcb10 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346 |
RT_BITMAP | 0x1dcbc8 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965 |
RT_ICON | 0x1dcd0c | 0xb402 | PC bitmap, Windows 3.x format, 6559 x 2 x 53, image size 46225, cbSize 46082, bits offset 54 | | | 0.48383316696323947 |
RT_ICON | 0x1e8110 | 0x79c5 | PC bitmap, Windows 3.x format, 3987 x 2 x 47, image size 31925, cbSize 31173, bits offset 54 | | | 0.46982966028293716 |
RT_ICON | 0x1efad8 | 0x5834 | PC bitmap, Windows 3.x format, 3157 x 2 x 41, image size 23045, cbSize 22580, bits offset 54 | | | 0.3520814880425155 |
RT_ICON | 0x1f530c | 0x2f6cb | PC bitmap, Windows 3.x format, 24623 x 2 x 40, image size 195167, cbSize 194251, bits offset 54 | | | 0.5134285022985725 |
RT_ICON | 0x2249d8 | 0x1d22a | PC bitmap, Windows 3.x format, 15412 x 2 x 38, image size 119734, cbSize 119338, bits offset 54 | | | 0.4990782483366572 |
RT_DIALOG | 0x241c04 | 0xe2 | data | Chinese | China | 0.6814159292035398 |
RT_DIALOG | 0x241ce8 | 0x34 | data | Chinese | China | 0.9038461538461539 |
RT_STRING | 0x241d1c | 0x4e | data | Chinese | China | 0.8461538461538461 |
RT_STRING | 0x241d6c | 0x2c | data | Chinese | China | 0.5909090909090909 |
RT_STRING | 0x241d98 | 0x82 | data | Chinese | China | 0.9307692307692308 |
RT_STRING | 0x241e1c | 0x1d6 | data | Chinese | China | 0.8148936170212766 |
RT_STRING | 0x241ff4 | 0x160 | data | Chinese | China | 0.4971590909090909 |
RT_STRING | 0x242154 | 0x12e | data | Chinese | China | 0.652317880794702 |
RT_STRING | 0x242284 | 0x50 | data | Chinese | China | 0.7125 |
RT_STRING | 0x2422d4 | 0x44 | data | Chinese | China | 0.6764705882352942 |
RT_STRING | 0x242318 | 0x68 | data | Chinese | China | 0.7019230769230769 |
RT_STRING | 0x242380 | 0x1b8 | data | Chinese | China | 0.6568181818181819 |
RT_STRING | 0x242538 | 0x104 | data | Chinese | China | 0.6038461538461538 |
RT_STRING | 0x24263c | 0x24 | data | Chinese | China | 0.4722222222222222 |
RT_STRING | 0x242660 | 0x30 | data | Chinese | China | 0.625 |
RT_RCDATA | 0x242690 | 0x80 | data | English | United States | 1.0859375 |
RT_GROUP_CURSOR | 0x242710 | 0x22 | data | Chinese | China | 1.1176470588235294 |
RT_GROUP_CURSOR | 0x242734 | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x242748 | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x24275c | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x242770 | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x242784 | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x242798 | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x2427ac | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x2427c0 | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x2427d4 | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x2427e8 | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x2427fc | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x242810 | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x242824 | 0x14 | data | Chinese | China | 1.4 |
RT_GROUP_CURSOR | 0x242838 | 0x14 | data | Chinese | China | 1.4 |
RT_VERSION | 0x24284c | 0x5d4 | data | Chinese | China | 0.25335120643431636 |
RT_MANIFEST | 0x242e20 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786 |
None | 0x242f7c | 0x4 | data | Chinese | China | 3.0 |
DLL | Import |
---|---|
KERNEL32.dll | CompareStringW, GlobalGetAtomNameW, GetAtomNameW, lstrcmpA, lstrlenA, GetThreadLocale, SystemTimeToFileTime, SetThreadPriority, ResumeThread, SetEvent, SuspendThread, CreateEventW, lstrcmpW, GlobalFlags, GlobalAddAtomW, MoveFileW, GetStringTypeExW, lstrcmpiW, DuplicateHandle, GetCurrentProcess, FindClose, FindFirstFileW, GetVolumeInformationW, GetShortPathNameW, GlobalDeleteAtom, GlobalFindAtomW, FreeResource, CompareStringA, GetLocaleInfoW, EnumResourceLanguagesW, ConvertDefaultLocale, GetCurrentThread, SetErrorMode, GetFileAttributesExW, LocalFileTimeToFileTime, InterlockedDecrement, SetFileAttributesW, GetFileSizeEx, GetFileTime, GetModuleHandleA, GetPrivateProfileIntW, WritePrivateProfileStringW, GetPrivateProfileStringW, GetCurrentDirectoryW, RtlUnwind, RaiseException, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetDriveTypeA, FindFirstFileA, GetCommandLineA, HeapAlloc, HeapFree, HeapReAlloc, ExitThread, CreateThread, HeapSize, ExitProcess, GetModuleFileNameA, GetTimeZoneInformation, GetCurrentDirectoryA, SetCurrentDirectoryA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringA, LCMapStringW, SetHandleCount, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, VirtualFree, FatalAppExitA, VirtualAlloc, SetConsoleCtrlHandler, GetConsoleCP, GetConsoleMode, SetStdHandle, InitializeCriticalSectionAndSpinCount, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetProcessHeap, GetModuleHandleW, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, LocalAlloc, GetModuleFileNameW, GlobalFree, CopyFileW, GlobalSize, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageW, LocalFree, lstrlenW, MulDiv, SetLastError, GetVersionExA, GlobalMemoryStatus, GetStdHandle, GetFileType, GetVersion, InterlockedIncrement, CreateFileW, CreateFileA, GetSystemTimeAsFileTime, GetSystemTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, FreeLibrary, GetProcAddress, LoadLibraryW, LoadLibraryA, GetDiskFreeSpaceW, GetDiskFreeSpaceA, GetFullPathNameW, GetFullPathNameA, DeleteFileW, GetFileAttributesW, DeleteFileA, GetFileAttributesA, FormatMessageA, GetTempPathW, GetTempPathA, UnlockFile, LockFileEx, LockFile, GetFileSize, FlushFileBuffers, SetEndOfFile, WriteFile, SetFilePointer, GetLastError, ReadFile, Sleep, AreFileApisANSI, WideCharToMultiByte, MultiByteToWideChar, GetVersionExW, GetFileInformationByHandle, FileTimeToLocalFileTime, FileTimeToSystemTime, FindResourceW, LoadResource, LockResource, SizeofResource, GetCurrentThreadId, ReleaseSemaphore, WaitForSingleObject, CloseHandle, CreateSemaphoreW, InterlockedExchange, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, SetFileTime, InitializeCriticalSection |
USER32.dll | GetNextDlgTabItem, CreateDialogIndirectParamW, SetCursor, ShowOwnedPopups, DeleteMenu, SetRectEmpty, InvalidateRect, GetDialogBaseUnits, TranslateAcceleratorW, BringWindowToTop, CreatePopupMenu, InsertMenuItemW, LoadAcceleratorsW, ReleaseCapture, GetMenuBarInfo, LoadMenuW, ReuseDDElParam, UnpackDDElParam, SetRect, SetTimer, KillTimer, WindowFromPoint, GetKeyNameTextW, MapVirtualKeyW, IsRectEmpty, GetSystemMenu, SetParent, UnionRect, GetDCEx, LockWindowUpdate, SetCapture, FillRect, PostQuitMessage, RegisterWindowMessageW, LoadIconW, SendDlgItemMessageA, WinHelpW, IsChild, GetCapture, GetClassLongW, SetPropW, GetPropW, RemovePropW, GetForegroundWindow, SetActiveWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MapWindowPoints, ScrollWindow, TrackPopupMenuEx, TrackPopupMenu, SetMenu, SetScrollRange, GetScrollRange, SetForegroundWindow, ShowScrollBar, UpdateWindow, GetClientRect, PostMessageW, CreateWindowExW, GetClassInfoExW, EndDialog, RegisterClassW, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetWindowPlacement, DefWindowProcW, CallWindowProcW, CopyRect, GetMenu, OffsetRect, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, ModifyMenuW, EnableMenuItem, CheckMenuItem, SetWindowPos, ScrollWindowEx, ShowWindow, MoveWindow, IsWindow, IsDialogMessageW, IsDlgButtonChecked, SetDlgItemTextW, SetDlgItemInt, SendDlgItemMessageW, GetDlgItemTextW, GetDlgItemInt, GetDlgItem, CheckRadioButton, CheckDlgButton, GetScrollPos, SetScrollPos, SetFocus, CharUpperW, DestroyIcon, GetFocus, ClientToScreen, GetWindow, GetUserObjectInformationW, GetProcessWindowStation, GetDesktopWindow, MessageBoxA, GetDlgCtrlID, GetWindowRect, GetClassNameW, PtInRect, SetWindowTextW, UnregisterClassW, SetWindowsHookExW, CallNextHookEx, GetMessageW, TranslateMessage, DispatchMessageW, GetActiveWindow, IsWindowVisible, GetKeyState, SystemParametersInfoW, DestroyMenu, GetMenuItemInfoW, InflateRect, EndPaint, BeginPaint, GetWindowDC, GrayStringW, DrawTextExW, DrawTextW, GetClassInfoW, TabbedTextOutW, RemoveMenu, GetSubMenu, GetMenuItemCount, InsertMenuW, GetMenuItemID, AppendMenuW, GetMenuStringW, GetMenuState, MessageBoxW, EnableWindow, IsWindowEnabled, GetLastActivePopup, PeekMessageW, GetCursorPos, ValidateRect, GetWindowTextLengthW, GetWindowTextW, LoadCursorW, GetSystemMetrics, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, UnhookWindowsHookEx, GetWindowThreadProcessId, SendMessageW, GetParent, GetWindowLongW, SetWindowLongW |
GDI32.dll | PlayMetaFileRecord, GetObjectType, Escape, EnumMetaFile, PlayMetaFile, CreatePen, ExtCreatePen, CreateSolidBrush, CreateHatchBrush, CreateFontIndirectW, GetTextExtentPoint32W, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, PatBlt, DPtoLP, GetCharWidthW, CreateFontW, StretchDIBits, GetTextMetricsW, GetBkColor, SelectPalette, GetStockObject, CreatePatternBrush, CreateDIBPatternBrushPt, ExtSelectClipRgn, PolyBezierTo, PolylineTo, PolyDraw, ArcTo, GetCurrentPositionEx, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ExtTextOutW, TextOutW, RectVisible, PtVisible, StartDocW, GetPixel, GetWindowExtEx, CreateDCW, CreateBitmap, GetDCOrgEx, GetClipBox, SetTextColor, DeleteDC, DeleteObject, GetBitmapBits, BitBlt, GetObjectA, SelectObject, CreateCompatibleBitmap, GetDeviceCaps, CreateCompatibleDC, CreateDCA, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, CopyMetaFileW, SetBkColor, GetObjectW, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, GetViewportExtEx, SelectClipPath, CreateRectRgn, GetClipRgn, SelectClipRgn, SetColorAdjustment, SetArcDirection, SetMapperFlags, SetTextCharacterExtra, SetTextJustification, SetTextAlign, MoveToEx, LineTo, OffsetClipRgn, IntersectClipRect, ExcludeClipRect, SetMapMode, ModifyWorldTransform, SetWorldTransform, SetGraphicsMode, SetStretchBltMode, SetViewportOrgEx |
ADVAPI32.dll | RegisterEventSourceA, ReportEventA, DeregisterEventSource, RegQueryValueExW, RegDeleteValueW, RegSetValueExW, RegEnumKeyW, RegDeleteKeyW, RegQueryValueW, RegOpenKeyExW, RegOpenKeyW, RegCreateKeyW, RegCreateKeyExW, RegSetValueW, RegCloseKey |
SHLWAPI.dll | PathStripToRootW, PathIsUNCW, PathFindExtensionW, PathRemoveExtensionW, PathFindFileNameW, PathRemoveFileSpecW |
WINSPOOL.DRV | DocumentPropertiesW, OpenPrinterW, ClosePrinter |
COMDLG32.dll | GetFileTitleW |
SHELL32.dll | ExtractIconW, DragFinish, DragQueryFileW, SHGetFileInfoW |
ole32.dll | StringFromGUID2, CoDisconnectObject, OleDuplicateData, CoTreatAsClass, StringFromCLSID, CoTaskMemAlloc, ReleaseStgMedium, CoCreateInstance, ReadClassStg, ReadFmtUserTypeStg, OleRegGetUserType, WriteClassStg, WriteFmtUserTypeStg, SetConvertStg, CoTaskMemFree, CLSIDFromString, CoUninitialize, CoInitializeEx, CreateBindCtx |
OLEAUT32.dll | SysStringLen, SysFreeString, SysAllocStringByteLen, SysStringByteLen, RegisterTypeLib, LoadTypeLib, LoadRegTypeLib, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElemsize, SafeArrayGetDim, SafeArrayCreate, VariantClear, SafeArrayRedim, VariantChangeType, VariantCopy, SafeArrayAllocData, SafeArrayAllocDescriptor, SafeArrayCopy, SafeArrayGetElement, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayLock, SafeArrayUnlock, SafeArrayDestroy, SafeArrayDestroyData, SafeArrayDestroyDescriptor, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocStringLen, VarDateFromStr, SysReAllocStringLen, VarCyFromStr, VarBstrFromCy, VarBstrFromDec, VarDecFromStr, VarBstrFromDate, VariantInit |
Name | Ordinal | Address |
---|---|---|
AlphaBlend | 1 | 0x1000133e |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China | |
English | United States | |
Target ID: | 0 |
Start time: | 07:57:59 |
Start date: | 08/10/2024 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa20000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 1 |
Start time: | 07:57:59 |
Start date: | 08/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 07:57:59 |
Start date: | 08/10/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 07:57:59 |
Start date: | 08/10/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa00000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 07:57:59 |
Start date: | 08/10/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa00000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 46 |
Total number of Limit Nodes: | 0 |
Graph
Per-function panels: Control-flow Graph, Strings, APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
100088E5 | 1.7 | 1 | | 190 | memory, COMMON |
10008898 | 1.6 | 1 | | 113 | COMMON |
100088BA | 1.6 | 1 | | 107 | COMMON |
100084E5 | 1.6 | 1 | | 99 | COMMON |
100084ED | 1.6 | 1 | | 99 | COMMON |
100080A5 | 1.6 | 1 | | 98 | COMMON |
10008EA3 | 82.7 | | 66 | 225 | COMMON |
10004AF0 | 5.2 | | 4 | 202 | COMMON |
10004AFE | 5.2 | | 4 | 200 | COMMON |
10004B0E | 5.2 | | 4 | 198 | COMMON |
10004B31 | 5.2 | | 4 | 191 | COMMON |
100017BB | 0.2 | | | 189 | COMMON |
10001804 | 0.2 | | | 178 | COMMON |
10004B8D | 0.2 | | | 177 | COMMON |
10004B98 | 0.2 | | | 172 | COMMON |
10001784 | 0.2 | | | 170 | COMMON |
10004F43 | 0.2 | | | 166 | COMMON |
1000521E | 0.1 | | | 113 | COMMON |
100054A0 | 0.1 | | | 108 | COMMON |
100054AB | 0.1 | | | 102 | COMMON |
Execution Graph
Execution Coverage: | 1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 46 |
Total number of Limit Nodes: | 0 |
Graph
Per-function panels: Control-flow Graph, Strings, APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
100088E5 | 1.7 | 1 | | 190 | memory, COMMON |
10008898 | 1.6 | 1 | | 113 | COMMON |
100088BA | 1.6 | 1 | | 107 | COMMON |
100084E5 | 1.6 | 1 | | 99 | COMMON |
100084ED | 1.6 | 1 | | 99 | COMMON |
100080A5 | 1.6 | 1 | | 98 | COMMON |