Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
_psutil_windows.cp311-win_amd64.dll

Overview

General Information

Sample name:_psutil_windows.cp311-win_amd64.dll
(renamed file extension from pyd to dll)
Original sample name:_psutil_windows.cp311-win_amd64.pyd
Analysis ID:1529377
MD5:ea3af106c6c0093933a36d330a97b432
SHA1:871bd52c248c3ff1df7588ff6beccb686a27a4ef
SHA256:ebb8f1be9f25693eb8108f3c7474953b36a69e09ba41edd1d562943ac5c91c85
Infos:

Detection

Score:22
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

AI detected suspicious sample
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 4764 cmdline: loaddll64.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 5496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1224 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 2800 cmdline: rundll32.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1628 cmdline: rundll32.exe C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll,PyInit__psutil_windows MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 87.7% probability
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: classification engineClassification label: sus22.winDLL@8/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_03
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll,PyInit__psutil_windows
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll"
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll,PyInit__psutil_windows
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll,PyInit__psutil_windowsJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: python311.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\rundll32.exeAutomated click: OK
Source: C:\Windows\System32\rundll32.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: Image base 0x180000000 > 0x60000000
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: _psutil_windows.cp311-win_amd64.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPortJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll",#1Jump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		11
Process Injection		1
Virtualization/Sandbox Evasion		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Rundll32		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager1
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1529377 Sample: _psutil_windows.cp311-win_a... Startdate: 08/10/2024 Architecture: WINDOWS Score: 22 17 AI detected suspicious sample 2->17 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 conhost.exe 7->13         started        process5 15 rundll32.exe 9->15         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
_psutil_windows.cp311-win_amd64.dll0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1529377
Start date and time:2024-10-08 22:51:45 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 53s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:_psutil_windows.cp311-win_amd64.dll
(renamed file extension from pyd to dll)
Original Sample Name:_psutil_windows.cp311-win_amd64.pyd
Detection:SUS
Classification:sus22.winDLL@8/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Stop behavior analysis, all processes terminated

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: _psutil_windows.cp311-win_amd64.dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):5.949329995850665
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:_psutil_windows.cp311-win_amd64.dll
File size:69'120 bytes
MD5:ea3af106c6c0093933a36d330a97b432
SHA1:871bd52c248c3ff1df7588ff6beccb686a27a4ef
SHA256:ebb8f1be9f25693eb8108f3c7474953b36a69e09ba41edd1d562943ac5c91c85
SHA512:62595793ff795fd59ee0ddec9f95094b345a29197348d94897331f92e579dc2c99b9cb8937e002cb2934f3e520ddf6efe7d94d06bad12051309f03784b2b7707
SSDEEP:768:yapejfTv56hvTLS5ykJmEDO0+XrWEvgary5WcKkY59Ajwl4/YqWYADdEQqPEKzhV:9pM56hvqckJJ/+iE4aryTYx4iQYTjM
TLSH:16633A86B35410F4D95A827D8AB35A33E8A1F4211326939F49A0C69E0F66FD7A37DF01
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J\.3.=.`.=.`.=.`.E!`.=.`.F.a.=.`.F.a.=.`.F.a.=.`.F.a.=.`.@.a.=.`EE.a.=.`.=.`.=.`.F.a.=.`.F.a.=.`.FM`.=.`.F.a.=.`Rich.=.`.......

File Icon

Icon Hash:7ae282899bbab082

Static PE Info

General

Entrypoint:0x18000a4dc
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x180000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x65396FC5 [Wed Oct 25 19:43:01 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:f4e3ae35da76aa7c9f926dbeaae5152b

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F8850523EE7h
call 00007F8850523F04h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F8850523D74h
int3
int3
int3
dec eax
mov dword ptr [esp+20h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00006AD8h]
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax+3Bh], cl
ret
jne 00007F8850523F56h
dec eax
and dword ptr [ebp+18h], 00000000h
dec eax
lea ecx, dword ptr [ebp+18h]
call dword ptr [00000BAAh]
dec eax
mov eax, dword ptr [ebp+18h]
dec eax
mov dword ptr [ebp+10h], eax
call dword ptr [00000D6Ch]
mov eax, eax
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [00000D68h]
mov eax, eax
dec eax
lea ecx, dword ptr [ebp+20h]
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [00000D60h]
mov eax, dword ptr [ebp+20h]
dec eax
lea ecx, dword ptr [ebp+10h]
dec eax
shl eax, 20h
dec eax
xor eax, dword ptr [ebp+20h]
dec eax
xor eax, dword ptr [ebp+10h]
dec eax
xor eax, ecx
dec eax
mov ecx, FFFFFFFFh

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0xeb800x70.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT0xebf00x140.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x130000xf8.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x120000xa14.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x140000x194.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0xdb400x1c.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xda000x140.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0xb0000x5a8.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x9ef80xa0003a78f3f4b9391bb8ffb89081eea24f09False0.52646484375data6.030061859130005IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0xb0000x50f20x520023fe9ad794fe687c7431987026aa25cdFalse0.37580983231707316data5.140257565009995IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x110000xf380x8003776967b627692eae123c9008dbe4938False0.2607421875data2.5832088073596546IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata0x120000xa140xc0046ed2c77abf34439fa1e536aafa6d104False0.3974609375PEX Binary Archive4.008091712375497IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc0x130000xf80x2002de7a7e5655807213f61edcfc2c273bcFalse0.3359375data2.5186218797860387IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x140000x1940x200678c3958825609d13e90d50033f2c679False0.591796875data4.403319667238883IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_MANIFEST0x130600x91XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.8689655172413793

Imports

DLLImport
PSAPI.DLLEnumProcesses, GetMappedFileNameW, GetProcessMemoryInfo
KERNEL32.dllCreateToolhelp32Snapshot, Process32Next, CloseHandle, GetProcessIoCounters, HeapAlloc, GetPriorityClass, GetProcessHeap, GlobalMemoryStatusEx, GetThreadTimes, GetSystemTimeAsFileTime, GetProcessHandleCount, GetProcessTimes, OpenThread, VirtualQueryEx, GetExitCodeProcess, GetSystemTimes, LocalAlloc, LocalFree, SetLastError, WaitForSingleObject, DeviceIoControl, GetDriveTypeA, SetErrorMode, QueryDosDeviceA, GetVolumeInformationA, FindNextVolumeMountPointA, FindFirstVolumeMountPointA, CreateFileA, GetDiskFreeSpaceExW, GetLogicalDriveStringsA, lstrcmpA, EnterCriticalSection, GetCurrentProcess, LeaveCriticalSection, DuplicateHandle, GetExitCodeThread, TerminateThread, CreateThread, GetFileType, ReadProcessMemory, RegisterWaitForSingleObject, CreateEventW, OpenProcess, Thread32First, GetSystemPowerStatus, Thread32Next, GetProcessAffinityMask, TerminateProcess, SetProcessAffinityMask, SetPriorityClass, HeapFree, Process32First, FreeLibrary, GetProcAddress, GetSystemInfo, LoadLibraryA, GetLastError, GetModuleHandleA, InitializeCriticalSection, FindVolumeMountPointClose, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, IsDebuggerPresent, InitializeSListHead, DisableThreadLibraryCalls, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent
ADVAPI32.dllQueryServiceConfig2W, LookupAccountSidW, OpenProcessToken, ImpersonateSelf, CloseServiceHandle, OpenSCManagerA, ControlService, StartServiceA, EnumServicesStatusExW, QueryServiceConfigW, GetTokenInformation, QueryServiceStatusEx, OpenServiceA, AdjustTokenPrivileges, RevertToSelf, LookupPrivilegeValueA
SHELL32.dllCommandLineToArgvW
WS2_32.dllinet_ntop
POWRPROF.dllCallNtPowerInformation
pdh.dllPdhGetFormattedCounterValue, PdhAddEnglishCounterW, PdhOpenQueryW, PdhCollectQueryDataEx
python311.dllPyErr_Format, PyExc_TypeError, _Py_FalseStruct, PySequence_Check, PySequence_Contains, PyUnicode_FromWideChar, PyErr_SetFromWindowsErr, PyTuple_New, PyObject_IsTrue, PyExc_RuntimeWarning, PyErr_WarnEx, PyUnicode_FromString, PyDict_SetItemString, PyArg_ParseTuple, _Py_TrueStruct, PyArg_ParseTupleAndKeywords, PyErr_NoMemory, PyDict_New, PyDict_SetItem, PyList_Append, PyErr_NewException, PyEval_RestoreThread, PyModule_Create2, PyList_New, PyBool_FromLong, PyModule_AddObject, PyExc_OSError, PyErr_SetFromWindowsErrWithFilename, PyErr_Clear, _Py_Dealloc, PyObject_CallFunction, _Py_NoneStruct, PyErr_SetObject, PyErr_SetString, PyModule_AddIntConstant, PyExc_RuntimeError, PyLong_FromLong, PyModule_GetState, Py_BuildValue, PyEval_SaveThread
IPHLPAPI.DLLGetAdaptersAddresses, GetIfTable, ConvertLengthToIpv4Mask, GetIfEntry2
VCRUNTIME140.dllstrchr, __C_specific_handler, __std_type_info_destroy_list, memset, memcpy
api-ms-win-crt-stdio-l1-1-0.dll__stdio_common_vsprintf, __stdio_common_vsprintf_s, __acrt_iob_func, __stdio_common_vfprintf
api-ms-win-crt-environment-l1-1-0.dllgetenv
api-ms-win-crt-heap-l1-1-0.dllmalloc, calloc, free
api-ms-win-crt-string-l1-1-0.dllstrcat_s, wcscpy_s, strcpy_s
api-ms-win-crt-runtime-l1-1-0.dll_initialize_onexit_table, _execute_onexit_table, _seh_filter_dll, _initterm_e, _initterm, _cexit, _initialize_narrow_environment, _configure_narrow_argv

Exports

NameOrdinalAddress
PyInit__psutil_windows10x180004620

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:16:52:41
Start date:08/10/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll"
Imagebase:0x7ff7e2020000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:1
Start time:16:52:41
Start date:08/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:2
Start time:16:52:41
Start date:08/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll",#1
Imagebase:0x7ff7ebad0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:3
Start time:16:52:41
Start date:08/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll,PyInit__psutil_windows
Imagebase:0x7ff67be70000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:4
Start time:16:52:41
Start date:08/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\_psutil_windows.cp311-win_amd64.dll",#1
Imagebase:0x7ff67be70000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Disassembly

No disassembly