Windows Analysis Report
libpkcs11-helper-1.dll.dll

Overview

General Information

Sample name: libpkcs11-helper-1.dll.dll
(renamed file extension from exe to dll)
Original sample name: libpkcs11-helper-1.dll.exe
Analysis ID: 1562676
MD5: 923f2b061c22b2de64f2b228f676fe95
SHA1: 40830c37101ed4f779955c8d0e1718d51714eb83
SHA256: 5d15ca989acd53de9e458bca2ac226ece6c3e1cf97b070c930a9f3f4b6144a21
Tags: exeuser-johnk3r
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (might use process or thread times for sandbox detection)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: libpkcs11-helper-1.dll.dll ReversingLabs: Detection: 13%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.9% probability
Machine Learning detection for sample
Source: libpkcs11-helper-1.dll.dll Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C578C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,CreateThreadpoolWait,GetSystemDefaultLangID,lstrlenW,HeapReAlloc,UnregisterBadMemoryNotification,ConnectNamedPipe,DeleteTimerQueueEx,FindFirstFileNameW,VirtualQuery,WaitCommEvent,CompareStringOrdinal,SetThreadErrorMode,WriteConsoleOutputW,IsThreadpoolTimerSet,NeedCurrentDirectoryForExePathW,HeapFree,GetDefaultCommConfigW,GetNamedPipeClientSessionId,FindVolumeClose,CreateSemaphoreW,CloseHandle,WakeConditionVariable,VerifyVersionInfoW,CompareStringEx,ConvertFiberToThread,GetStartupInfoW,GetOverlappedResultEx,GetProcessId,GetStringTypeW,WriteConsoleOutputCharacterW,SetTapeParameters,RegisterApplicationRestart,AddScopedPolicyIDAce,ConvertThreadToFiberEx,WaitForDebugEvent,UnregisterBadMemoryNotification,GetThreadSelectorEntry,LeaveCriticalSection,SetSystemFileCacheSize,VerifyScripts,SetUserGeoID,GetLocalTime,GetShortPathNameW,IsProcessInJob,GetVolumePathNamesForVolumeNameW,EscapeCommFunction,DeleteTimerQueueEx,WriteProcessMemory,IsValidLanguageGroup,GetDynamicTimeZoneInformation,InitOnceExecuteOnce,GetNumberOfConsoleMouseButtons,RtlCaptureStackBackTrace,GetNamedPipeServerProcessId,LoadResource,WinExec,GetCommModemStatus,FreeConsole,LoadResource,GetCurrentThread,CompareFileTime,HeapLock,GetNumberOfConsoleInputEvents,OpenFileMappingW,SetCommState,IsBadStringPtrW,GetStringTypeW,VirtualProtect, 0_2_00007FF8A8C578C0
Source: libpkcs11-helper-1.dll.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C5AC80 GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA, 0_2_00007FF8A8C5AC80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C578C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,CreateThreadpoolWait,GetSystemDefaultLangID,lstrlenW,HeapReAlloc,UnregisterBadMemoryNotification,ConnectNamedPipe,DeleteTimerQueueEx,FindFirstFileNameW,VirtualQuery,WaitCommEvent,CompareStringOrdinal,SetThreadErrorMode,WriteConsoleOutputW,IsThreadpoolTimerSet,NeedCurrentDirectoryForExePathW,HeapFree,GetDefaultCommConfigW,GetNamedPipeClientSessionId,FindVolumeClose,CreateSemaphoreW,CloseHandle,WakeConditionVariable,VerifyVersionInfoW,CompareStringEx,ConvertFiberToThread,GetStartupInfoW,GetOverlappedResultEx,GetProcessId,GetStringTypeW,WriteConsoleOutputCharacterW,SetTapeParameters,RegisterApplicationRestart,AddScopedPolicyIDAce,ConvertThreadToFiberEx,WaitForDebugEvent,UnregisterBadMemoryNotification,GetThreadSelectorEntry,LeaveCriticalSection,SetSystemFileCacheSize,VerifyScripts,SetUserGeoID,GetLocalTime,GetShortPathNameW,IsProcessInJob,GetVolumePathNamesForVolumeNameW,EscapeCommFunction,DeleteTimerQueueEx,WriteProcessMemory,IsValidLanguageGroup,GetDynamicTimeZoneInformation,InitOnceExecuteOnce,GetNumberOfConsoleMouseButtons,RtlCaptureStackBackTrace,GetNamedPipeServerProcessId,LoadResource,WinExec,GetCommModemStatus,FreeConsole,LoadResource,GetCurrentThread,CompareFileTime,HeapLock,GetNumberOfConsoleInputEvents,OpenFileMappingW,SetCommState,IsBadStringPtrW,GetStringTypeW,VirtualProtect, 0_2_00007FF8A8C578C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8D901C0 FindFirstFileNameW, 0_2_00007FF8A8D901C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CFC1EC FindFirstFileExW, 0_2_00007FF8A8CFC1EC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C56670 GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunct 0_2_00007FF8A8C56670
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59790 UnregisterSuspendResumeNotification,ValidateRect,MessageBoxIndirectW,SetFileAttributesW,IsProcessDPIAware,SetProcessRestrictionExemption,GetModuleHandleExW,FindWindowExW,GetGUIThreadInfo,TransmitCommChar,HeapQueryInformation,SetSystemCursor,GetNumberOfConsoleInputEvents,RemoveVectoredExceptionHandler,SetLocaleInfoW,CopyFileW,mouse_event,GetCurrentProcess,GlobalReAlloc,EndDeferWindowPos,DefRawInputProc,GetUserDefaultLocaleName,PrefetchVirtualMemory,EnumWindows,DialogBoxParamW,DialogBoxParamW,SetProcessWorkingSetSizeEx,GetLastInputInfo,GetPriorityClass,SetNamedPipeHandleState,MapVirtualKeyW,OpenPrivateNamespaceW,SetSystemCursor,GetCurrentConsoleFont,TzSpecificLocalTimeToSystemTimeEx,FlushViewOfFile,FindNextVolumeW,NotifyUILanguageChange,EscapeCommFunction,Wow64SuspendThread,DeleteAtom,GetSystemDefaultLCID,GetFirmwareType,ReleaseSRWLockExclusive,SetCommTimeouts,RtlCaptureContext,GetCommMask,QueryProtectedPolicy,WriteConsoleW,RemoveDllDirectory,GetUserDefaultLangID,CreateMailslotW,StartThreadpoolIo,FatalAppExitW,GetCommProperties,Wow64SetThreadContext,GetFileInformationByHandle,SetConsoleHistoryInfo,WriteProfileStringW,InitializeSynchronizationBarrier,SetFilePointerEx,SetMailslotInfo,GetNumaAvailableMemoryNodeEx,GetProcessGroupAffinity,FindResourceW,ApplicationRecoveryInProgress,DnsHostnameToComputerNameW,GetConsoleProcessList,DeleteTimerQueueEx,GetNLSVersionEx,PurgeComm,OpenFileMappingW,FindFirstFileNameTransactedW,SetThreadpoolStackInformation,CheckTokenCapability,GetCurrencyFormatW,GetConsoleProcessList,GetCurrentConsoleFont,MapViewOfFileEx,RequestWakeupLatency,FlsFree,ConvertDefaultLocale,GetProcessHeap,TryEnterCriticalSection,EnumLanguageGroupLocalesW,EnumLanguageGroupLocalesW,DeleteTimerQueueEx,InitializeConditionVariable,GetLongPathNameTransactedW, 0_2_00007FF8A8C59790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C533F0 GetTempPathA,GetTempFileNameA,QueryFullProcessImageNameW,CommConfigDialogW,CallbackMayRunLong,lstrcatW,UnregisterApplicationRestart,GetThreadSelectorEntry,BuildCommDCBW,SetConsoleHistoryInfo,PtVisible,CreatePrivateNamespaceW,GetConsoleSelectionInfo,WakeConditionVariable,PeekNamedPipe,EnumCalendarInfoExEx,Polygon,OpenWaitableTimerW,GetLogicalDrives,EnumResourceTypesExW,GetPhysicallyInstalledSystemMemory,SetEventWhenCallbackReturns,CopyFileW,GetFirmwareType,GetStartupInfoW,GetColorAdjustment,CreateMetaFileW,CancelWaitableTimer,BackupRead,GetCommState,GetCommandLineW,GetWindowsDirectoryW,GetConsoleCursorInfo,GetNamedPipeServerProcessId,GetMaximumProcessorGroupCount,OpenWaitableTimerW,SetFileAttributesTransactedW,DeleteTimerQueueEx,SetFileAttributesW,MoveFileExW,WaitForThreadpoolTimerCallbacks,CreateThreadpoolWait,CopyFileW,ReadConsoleOutputCharacterW,SetFirmwareEnvironmentVariableW,GetTempFileNameW,AddScopedPolicyIDAce,GetCPInfoExW,QueryInformationJobObject,FatalExit,CreateThreadpoolWork,RegOpenKeyExA,GetLongPathNameW,SetConsoleCP,VerifyScripts,CreateThreadpoolIo,EnumResourceLanguagesW,FindNLSString,CancelThreadpoolIo,UpdateResourceW,CheckNameLegalDOS8Dot3W,ScrollConsoleScreenBufferW,GetVolumeNameForVolumeMountPointW,TransactNamedPipe,ReadFile,CreateEventW,GetLogicalDriveStringsW,CreateDirectoryExW,EnumResourceTypesW,RegQueryValueExA,GetThreadGroupAffinity,CreateWaitableTimerW,GetNamedPipeClientComputerNameW,VirtualFreeEx,TerminateThread,SetDynamicTimeZoneInformation,GetLogicalDriveStringsW,CloseThreadpoolWork,GetThreadIdealProcessorEx,CreateJobObjectW,UnregisterWait,OpenFileById,MapViewOfFile,UnregisterWait,AddIntegrityLabelToBoundaryDescriptor,CancelIo,SetThreadPriorityBoost,QueryPerformanceFrequency,RegCloseKey,OutputDebugStringA, 0_2_00007FF8A8C533F0
Installs a raw input device (often for capturing keystrokes)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C56670 GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunct 0_2_00007FF8A8C56670
Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C5AC80 0_2_00007FF8A8C5AC80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59CD0 0_2_00007FF8A8C59CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C54090 0_2_00007FF8A8C54090
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C533F0 0_2_00007FF8A8C533F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C555A0 0_2_00007FF8A8C555A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C578C0 0_2_00007FF8A8C578C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C54B70 0_2_00007FF8A8C54B70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C58CB0 0_2_00007FF8A8C58CB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CF8C24 0_2_00007FF8A8CF8C24
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8D02ED0 0_2_00007FF8A8D02ED0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CE4EC0 0_2_00007FF8A8CE4EC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CE8EA8 0_2_00007FF8A8CE8EA8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CECE98 0_2_00007FF8A8CECE98
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8D00FE0 0_2_00007FF8A8D00FE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CFC1EC 0_2_00007FF8A8CFC1EC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CF815C 0_2_00007FF8A8CF815C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CE4210 0_2_00007FF8A8CE4210
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CF83D8 0_2_00007FF8A8CF83D8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CF24AC 0_2_00007FF8A8CF24AC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CE4414 0_2_00007FF8A8CE4414
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CF0588 0_2_00007FF8A8CF0588
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CF66E8 0_2_00007FF8A8CF66E8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C5E6A0 0_2_00007FF8A8C5E6A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C56670 0_2_00007FF8A8C56670
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CFE614 0_2_00007FF8A8CFE614
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CE39F0 0_2_00007FF8A8CE39F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CF5BD4 0_2_00007FF8A8CF5BD4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CE3BF4 0_2_00007FF8A8CE3BF4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CEBB2C 0_2_00007FF8A8CEBB2C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CE5C58 0_2_00007FF8A8CE5C58
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CE3E00 0_2_00007FF8A8CE3E00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CEE0CC 0_2_00007FF8A8CEE0CC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CF6068 0_2_00007FF8A8CF6068
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CE4004 0_2_00007FF8A8CE4004
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CEF108 0_2_00007FF8A8CEF108
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CEB2E0 0_2_00007FF8A8CEB2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CE93B4 0_2_00007FF8A8CE93B4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C57460 0_2_00007FF8A8C57460
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CFB410 0_2_00007FF8A8CFB410
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CED53C 0_2_00007FF8A8CED53C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8D0356C 0_2_00007FF8A8D0356C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C5F530 0_2_00007FF8A8C5F530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CFF790 0_2_00007FF8A8CFF790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59790 0_2_00007FF8A8C59790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CE5854 0_2_00007FF8A8CE5854
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll64.exe Code function: String function: 00007FF8A8CDDAAC appears 216 times
Source: classification engine Classification label: mal56.winDLL@12/0@0/0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CAAD30 GetDiskFreeSpaceExA, 0_2_00007FF8A8CAAD30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit, 0_2_00007FF8A8C59CD0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: libpkcs11-helper-1.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLS_get_data_mtu
Source: libpkcs11-helper-1.dll.dll ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLS_get_data_mtu
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLSv1_client_method
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLSv1_listen
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLS_get_data_mtu Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLSv1_client_method Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLSv1_listen Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: cryptbase.dll Jump to behavior
Source: libpkcs11-helper-1.dll.dll Static PE information: More than 118 > 100 exports found
Source: libpkcs11-helper-1.dll.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: libpkcs11-helper-1.dll.dll Static file information: File size 1396736 > 1048576
Source: libpkcs11-helper-1.dll.dll Static PE information: More than 200 imports for KERNEL32.dll
Source: libpkcs11-helper-1.dll.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: libpkcs11-helper-1.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains sections with non-standard names
Source: libpkcs11-helper-1.dll.dll Static PE information: section name: .hdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8D94745 push rsi; ret 0_2_00007FF8A8D94746
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found evasive API chain (might use process or thread times for sandbox detection)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C555A0 GetLocalTime,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,OutputDebugStringW,GetLocalTime,GetDateFormatW,VirtualQuery,FormatMessageW,FindClose,WinExec,ReadThreadProfilingData,WriteConsoleOutputCharacterW,SetThreadpoolThreadMaximum,GetCurrentConsoleFontEx,SetHandleInformation,GetCurrentThreadId,GetEnvironmentVariableW,RegisterWaitForSingleObject,OffsetClipRgn,FindNLSStringEx,OpenMutexW,OutputDebugStringW,CloseHandle,OutputDebugStringW,GetTempPathW,GetFileAttributesW,OutputDebugStringA,RegOpenKeyExW,RegCloseKey,OutputDebugStringW,Concurrency::cancel_current_task,GetConsoleAliasesW,GetConsoleCursorInfo,RegisterApplicationRecoveryCallback,lstrcmpiW,CreateThreadpool,GetSystemPowerStatus,BeginUpdateResourceW,LoadResource,UnlockFileEx,CreateMutexExW,CreateMemoryResourceNotification,FindResourceW,GetCalendarInfoEx,DosDateTimeToFileTime,CreateThreadpoolWork,UnlockFileEx,GetFirmwareEnvironmentVariableW,DeleteProcThreadAttributeList,EnumTimeFormatsW,GetSystemFileCacheSize,CreateFileW,CancelThreadpoolIo,BackupSeek,SetStdHandle,CreateThreadpoolWork,FreeEnvironmentStringsW,GetUserDefaultLangID,EnumResourceNamesExW,IsDBCSLeadByte,GetConsoleProcessList,CloseThreadpoolIo,OpenFileById,RtlCaptureStackBackTrace,GetThreadPreferredUILanguages,TerminateThread,FatalExit, 0_2_00007FF8A8C555A0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C5AC80 GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA, 0_2_00007FF8A8C5AC80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C578C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,CreateThreadpoolWait,GetSystemDefaultLangID,lstrlenW,HeapReAlloc,UnregisterBadMemoryNotification,ConnectNamedPipe,DeleteTimerQueueEx,FindFirstFileNameW,VirtualQuery,WaitCommEvent,CompareStringOrdinal,SetThreadErrorMode,WriteConsoleOutputW,IsThreadpoolTimerSet,NeedCurrentDirectoryForExePathW,HeapFree,GetDefaultCommConfigW,GetNamedPipeClientSessionId,FindVolumeClose,CreateSemaphoreW,CloseHandle,WakeConditionVariable,VerifyVersionInfoW,CompareStringEx,ConvertFiberToThread,GetStartupInfoW,GetOverlappedResultEx,GetProcessId,GetStringTypeW,WriteConsoleOutputCharacterW,SetTapeParameters,RegisterApplicationRestart,AddScopedPolicyIDAce,ConvertThreadToFiberEx,WaitForDebugEvent,UnregisterBadMemoryNotification,GetThreadSelectorEntry,LeaveCriticalSection,SetSystemFileCacheSize,VerifyScripts,SetUserGeoID,GetLocalTime,GetShortPathNameW,IsProcessInJob,GetVolumePathNamesForVolumeNameW,EscapeCommFunction,DeleteTimerQueueEx,WriteProcessMemory,IsValidLanguageGroup,GetDynamicTimeZoneInformation,InitOnceExecuteOnce,GetNumberOfConsoleMouseButtons,RtlCaptureStackBackTrace,GetNamedPipeServerProcessId,LoadResource,WinExec,GetCommModemStatus,FreeConsole,LoadResource,GetCurrentThread,CompareFileTime,HeapLock,GetNumberOfConsoleInputEvents,OpenFileMappingW,SetCommState,IsBadStringPtrW,GetStringTypeW,VirtualProtect, 0_2_00007FF8A8C578C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8D901C0 FindFirstFileNameW, 0_2_00007FF8A8D901C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CFC1EC FindFirstFileExW, 0_2_00007FF8A8CFC1EC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C56670 GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunct 0_2_00007FF8A8C56670
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59790 UnregisterSuspendResumeNotification,ValidateRect,MessageBoxIndirectW,SetFileAttributesW,IsProcessDPIAware,SetProcessRestrictionExemption,GetModuleHandleExW,FindWindowExW,GetGUIThreadInfo,TransmitCommChar,HeapQueryInformation,SetSystemCursor,GetNumberOfConsoleInputEvents,RemoveVectoredExceptionHandler,SetLocaleInfoW,CopyFileW,mouse_event,GetCurrentProcess,GlobalReAlloc,EndDeferWindowPos,DefRawInputProc,GetUserDefaultLocaleName,PrefetchVirtualMemory,EnumWindows,DialogBoxParamW,DialogBoxParamW,SetProcessWorkingSetSizeEx,GetLastInputInfo,GetPriorityClass,SetNamedPipeHandleState,MapVirtualKeyW,OpenPrivateNamespaceW,SetSystemCursor,GetCurrentConsoleFont,TzSpecificLocalTimeToSystemTimeEx,FlushViewOfFile,FindNextVolumeW,NotifyUILanguageChange,EscapeCommFunction,Wow64SuspendThread,DeleteAtom,GetSystemDefaultLCID,GetFirmwareType,ReleaseSRWLockExclusive,SetCommTimeouts,RtlCaptureContext,GetCommMask,QueryProtectedPolicy,WriteConsoleW,RemoveDllDirectory,GetUserDefaultLangID,CreateMailslotW,StartThreadpoolIo,FatalAppExitW,GetCommProperties,Wow64SetThreadContext,GetFileInformationByHandle,SetConsoleHistoryInfo,WriteProfileStringW,InitializeSynchronizationBarrier,SetFilePointerEx,SetMailslotInfo,GetNumaAvailableMemoryNodeEx,GetProcessGroupAffinity,FindResourceW,ApplicationRecoveryInProgress,DnsHostnameToComputerNameW,GetConsoleProcessList,DeleteTimerQueueEx,GetNLSVersionEx,PurgeComm,OpenFileMappingW,FindFirstFileNameTransactedW,SetThreadpoolStackInformation,CheckTokenCapability,GetCurrencyFormatW,GetConsoleProcessList,GetCurrentConsoleFont,MapViewOfFileEx,RequestWakeupLatency,FlsFree,ConvertDefaultLocale,GetProcessHeap,TryEnterCriticalSection,EnumLanguageGroupLocalesW,EnumLanguageGroupLocalesW,DeleteTimerQueueEx,InitializeConditionVariable,GetLongPathNameTransactedW, 0_2_00007FF8A8C59790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C533F0 GetTempPathA,GetTempFileNameA,QueryFullProcessImageNameW,CommConfigDialogW,CallbackMayRunLong,lstrcatW,UnregisterApplicationRestart,GetThreadSelectorEntry,BuildCommDCBW,SetConsoleHistoryInfo,PtVisible,CreatePrivateNamespaceW,GetConsoleSelectionInfo,WakeConditionVariable,PeekNamedPipe,EnumCalendarInfoExEx,Polygon,OpenWaitableTimerW,GetLogicalDrives,EnumResourceTypesExW,GetPhysicallyInstalledSystemMemory,SetEventWhenCallbackReturns,CopyFileW,GetFirmwareType,GetStartupInfoW,GetColorAdjustment,CreateMetaFileW,CancelWaitableTimer,BackupRead,GetCommState,GetCommandLineW,GetWindowsDirectoryW,GetConsoleCursorInfo,GetNamedPipeServerProcessId,GetMaximumProcessorGroupCount,OpenWaitableTimerW,SetFileAttributesTransactedW,DeleteTimerQueueEx,SetFileAttributesW,MoveFileExW,WaitForThreadpoolTimerCallbacks,CreateThreadpoolWait,CopyFileW,ReadConsoleOutputCharacterW,SetFirmwareEnvironmentVariableW,GetTempFileNameW,AddScopedPolicyIDAce,GetCPInfoExW,QueryInformationJobObject,FatalExit,CreateThreadpoolWork,RegOpenKeyExA,GetLongPathNameW,SetConsoleCP,VerifyScripts,CreateThreadpoolIo,EnumResourceLanguagesW,FindNLSString,CancelThreadpoolIo,UpdateResourceW,CheckNameLegalDOS8Dot3W,ScrollConsoleScreenBufferW,GetVolumeNameForVolumeMountPointW,TransactNamedPipe,ReadFile,CreateEventW,GetLogicalDriveStringsW,CreateDirectoryExW,EnumResourceTypesW,RegQueryValueExA,GetThreadGroupAffinity,CreateWaitableTimerW,GetNamedPipeClientComputerNameW,VirtualFreeEx,TerminateThread,SetDynamicTimeZoneInformation,GetLogicalDriveStringsW,CloseThreadpoolWork,GetThreadIdealProcessorEx,CreateJobObjectW,UnregisterWait,OpenFileById,MapViewOfFile,UnregisterWait,AddIntegrityLabelToBoundaryDescriptor,CancelIo,SetThreadPriorityBoost,QueryPerformanceFrequency,RegCloseKey,OutputDebugStringA, 0_2_00007FF8A8C533F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit, 0_2_00007FF8A8C59CD0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C54090 AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount, 0_2_00007FF8A8C54090
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit, 0_2_00007FF8A8C59CD0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit, 0_2_00007FF8A8C59CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C54090 AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount, 0_2_00007FF8A8C54090
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8D90DA0 SetUnhandledExceptionFilter, 0_2_00007FF8A8D90DA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CEC8B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF8A8CEC8B4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CDC808 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF8A8CDC808
Contains functionality to simulate mouse events
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59790 UnregisterSuspendResumeNotification,ValidateRect,MessageBoxIndirectW,SetFileAttributesW,IsProcessDPIAware,SetProcessRestrictionExemption,GetModuleHandleExW,FindWindowExW,GetGUIThreadInfo,TransmitCommChar,HeapQueryInformation,SetSystemCursor,GetNumberOfConsoleInputEvents,RemoveVectoredExceptionHandler,SetLocaleInfoW,CopyFileW,mouse_event,GetCurrentProcess,GlobalReAlloc,EndDeferWindowPos,DefRawInputProc,GetUserDefaultLocaleName,PrefetchVirtualMemory,EnumWindows,DialogBoxParamW,DialogBoxParamW,SetProcessWorkingSetSizeEx,GetLastInputInfo,GetPriorityClass,SetNamedPipeHandleState,MapVirtualKeyW,OpenPrivateNamespaceW,SetSystemCursor,GetCurrentConsoleFont,TzSpecificLocalTimeToSystemTimeEx,FlushViewOfFile,FindNextVolumeW,NotifyUILanguageChange,EscapeCommFunction,Wow64SuspendThread,DeleteAtom,GetSystemDefaultLCID,GetFirmwareType,ReleaseSRWLockExclusive,SetCommTimeouts,RtlCaptureContext,GetCommMask,QueryProtectedPolicy,WriteConsoleW,RemoveDllDirectory,GetUserDefaultLangID,CreateMailslotW,StartThreadpoolIo,FatalAppExitW,GetCommProperties,Wow64SetThreadContext,GetFileInformationByHandle,SetConsoleHistoryInfo,WriteProfileStringW,InitializeSynchronizationBarrier,SetFilePointerEx,SetMailslotInfo,GetNumaAvailableMemoryNodeEx,GetProcessGroupAffinity,FindResourceW,ApplicationRecoveryInProgress,DnsHostnameToComputerNameW,GetConsoleProcessList,DeleteTimerQueueEx,GetNLSVersionEx,PurgeComm,OpenFileMappingW,FindFirstFileNameTransactedW,SetThreadpoolStackInformation,CheckTokenCapability,GetCurrencyFormatW,GetConsoleProcessList,GetCurrentConsoleFont,MapViewOfFileEx,RequestWakeupLatency,FlsFree,ConvertDefaultLocale,GetProcessHeap,TryEnterCriticalSection,EnumLanguageGroupLocalesW,EnumLanguageGroupLocalesW,DeleteTimerQueueEx,InitializeConditionVariable,GetLongPathNameTransactedW, 0_2_00007FF8A8C59790
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1 Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8D05D60 cpuid 0_2_00007FF8A8D05D60
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll64.exe Code function: GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA, 0_2_00007FF8A8C5AC80
Source: C:\Windows\System32\loaddll64.exe Code function: AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount, 0_2_00007FF8A8C54090
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW, 0_2_00007FF8A8CF4C50
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF8A8D001E4
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW, 0_2_00007FF8A8D0014C
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoEx, 0_2_00007FF8A8D903A8
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW, 0_2_00007FF8A8D0042C
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF8A8D00584
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW, 0_2_00007FF8A8D904F8
Source: C:\Windows\System32\loaddll64.exe Code function: GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunction,EnumSystemLocales 0_2_00007FF8A8C56670
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW, 0_2_00007FF8A8D00634
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF8A8D00768
Source: C:\Windows\System32\loaddll64.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF8A8CFFD20
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW, 0_2_00007FF8A8D0007C
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW, 0_2_00007FF8A8CF51E8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit, 0_2_00007FF8A8C59CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CF815C _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF8A8CF815C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit, 0_2_00007FF8A8C59CD0
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit, 0_2_00007FF8A8C59CD0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1562676 Sample: libpkcs11-helper-1.dll.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 56 19 Multi AV Scanner detection for submitted file 2->19 21 Machine Learning detection for sample 2->21 23 AI detected suspicious sample 2->23 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 2 other processes 7->15 process5 17 rundll32.exe 9->17         started       
No contacted IP infos