Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
NTADMD.DLL.dll

Overview

General Information

Sample name:NTADMD.DLL.dll
Analysis ID:1417475
MD5:9f20c2b5aa2b65e1f762b6f07c0c9d7a
SHA1:322aa24faad3da5bcd4a199be68f9b47a518dfa1
SHA256:bee6c5541620dd45c081dc019d11cde1981cdcb8b16714dfb871c17c0cd0907c
Tags:dll
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6868 cmdline: loaddll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4500 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3400 cmdline: rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3592 cmdline: rundll32.exe C:\Users\user\Desktop\NTADMD.DLL.dll,ServiceMain MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5664 cmdline: rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",ServiceMain MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: NTADMD.DLL.dllAvira: detected
Multi AV Scanner detection for submitted file
Source: NTADMD.DLL.dllReversingLabs: Detection: 37%
Source: NTADMD.DLL.dllVirustotal: Detection: 50%Perma Link
Machine Learning detection for sample
Source: NTADMD.DLL.dllJoe Sandbox ML: detected
Source: NTADMD.DLL.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: rundll32.exe, rundll32.exe, 00000005.00000002.1646761312.000000000341D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://registrationeasy.com/tucson/info.html
Source: NTADMD.DLL.dllBinary or memory string: OriginalFilenameNTADMD.DLLr) vs NTADMD.DLL.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: NTADMD.DLL.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: classification engineClassification label: mal60.winDLL@10/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
Source: NTADMD.DLL.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NTADMD.DLL.dll,ServiceMain
Source: NTADMD.DLL.dllReversingLabs: Detection: 37%
Source: NTADMD.DLL.dllVirustotal: Detection: 50%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NTADMD.DLL.dll,ServiceMain
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",ServiceMain
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NTADMD.DLL.dll,ServiceMainJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",ServiceMainJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0322D860 pushfd ; ret 5_2_0322D89D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0322D566 push C80322CAh; retf 5_2_0322D56D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0322D255 pushfd ; ret 5_2_0322D265
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0322C3BB pushad ; ret 5_2_0322C3D9
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0322D88B pushfd ; ret 5_2_0322D89D
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",#1Jump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		11
Process Injection		1
Rundll32		OS Credential Dumping1
Virtualization/Sandbox Evasion		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Virtualization/Sandbox Evasion		LSASS Memory1
System Information Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1417475 Sample: NTADMD.DLL.dll Startdate: 29/03/2024 Architecture: WINDOWS Score: 60 19 Antivirus / Scanner detection for submitted sample 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Machine Learning detection for sample 2->23 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 conhost.exe 7->15         started        process5 17 rundll32.exe 9->17         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
NTADMD.DLL.dll38%ReversingLabsWin32.Trojan.Doris
NTADMD.DLL.dll51%VirustotalBrowse
NTADMD.DLL.dll100%AviraTR/Downloader.Gen
NTADMD.DLL.dll100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://registrationeasy.com/tucson/info.html0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://registrationeasy.com/tucson/info.htmlrundll32.exe, rundll32.exe, 00000005.00000002.1646761312.000000000341D000.00000004.00000010.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1417475
Start date and time:2024-03-29 12:16:03 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 42s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:NTADMD.DLL.dll
Detection:MAL
Classification:mal60.winDLL@10/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Stop behavior analysis, all processes terminated

Warnings

  • Execution Graph export aborted for target rundll32.exe, PID 5664 because there are no executed function
  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

TimeTypeDescription
12:16:51API Interceptor1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):5.277313563039299
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:NTADMD.DLL.dll
File size:10'240 bytes
MD5:9f20c2b5aa2b65e1f762b6f07c0c9d7a
SHA1:322aa24faad3da5bcd4a199be68f9b47a518dfa1
SHA256:bee6c5541620dd45c081dc019d11cde1981cdcb8b16714dfb871c17c0cd0907c
SHA512:a25209057aae709a80b16dad60650b300e27c5ab65d2f7d01fbdda2d31bfe10c8c2b819bfd83409689d5c11066f58b4e38a0a432d118a701294b685b76ef0ec6
SSDEEP:192:QAJ1cTIJ1weh7CNQ9qjDKNWpNWYZWAWG8xbWf:RAMJ1waONKsDtZWG8xbWf
TLSH:7B22090187D610F7F674067921DB0B3BEB3677A1C2168A579B00DD261C3222AEE77B46
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.....................u...............................u.......%.......u.......Rich............................PE..L...Q{.C...

File Icon

Icon Hash:7ae282899bbab082

Static PE Info

General

Entrypoint:0x1000227a
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:0x43FD7B51 [Thu Feb 23 09:07:29 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:10fd9ed9c5e737ca0b37a031edc8ca46

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FC1415B5FCBh
cmp dword ptr [100040C0h], 00000000h
jmp 00007FC1415B5FE8h
cmp esi, 01h
je 00007FC1415B5FC7h
cmp esi, 02h
jne 00007FC1415B5FE4h
mov eax, dword ptr [100040D0h]
test eax, eax
je 00007FC1415B5FCBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FC1415B5FCEh
push edi
push esi
push ebx
call 00007FC1415B5EDAh
test eax, eax
jne 00007FC1415B5FC6h
xor eax, eax
jmp 00007FC1415B6010h
push edi
push esi
push ebx
call 00007FC1415B6019h
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FC1415B5FCEh
test eax, eax
jne 00007FC1415B5FF9h
push edi
push eax
push ebx
call 00007FC1415B5EB6h
test esi, esi
je 00007FC1415B5FC7h
cmp esi, 03h
jne 00007FC1415B5FE8h
push edi
push esi
push ebx
call 00007FC1415B5EA5h
test eax, eax
jne 00007FC1415B5FC5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FC1415B5FD3h
mov eax, dword ptr [100040D0h]
test eax, eax
je 00007FC1415B5FCAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
int3
jmp dword ptr [10003064h]
cmp dword ptr [esp+08h], 01h
jne 00007FC1415B5FD5h
cmp dword ptr [100040D0h], 00000000h
jne 00007FC1415B5FCCh
push dword ptr [esp+04h]
call dword ptr [10003040h]
push 00000001h
pop eax
retn 000Ch
jmp dword ptr [000030C8h]

Rich Headers

Programming Language:
  • [ C ] VS98 (6.0) build 8168
  • [C++] VS98 (6.0) build 8168
  • [RES] VS98 (6.0) cvtres build 1720
  • [LNK] VS98 (6.0) imp/exp build 8168

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x35c00x46.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT0x31d80x78.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x50000x3f8.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x60000xfc.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x30000xd0.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x13440x1400a6cf13176d5e3f9cbf7ec793eace1492False0.5962890625data6.202217354728628IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x30000x6060x8001fc725ec6738bd51edc0fc697143fdfeFalse0.34814453125data3.5589634522507603IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x40000xd40x2003ad82fe8435a91db4f17667ab888e82fFalse0.306640625Matlab v4 mat-file (little endian) ,@, numeric, rows 0, columns 02.6054269007039728IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc0x50000x3f80x4002fb70251ccec23e12b9c9f152cb50759False0.4638671875data3.4052056931231256IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x60000x1480x200f626a15fe507f087316121c2669c7e59False0.515625data3.6604795213471966IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_VERSION0x50600x394OpenPGP Secret KeyEnglishGreat Britain0.47707423580786024

Imports

DLLImport
KERNEL32.dllCloseHandle, CreateProcessA, GetCurrentDirectoryA, Sleep, CreatePipe, DisconnectNamedPipe, TerminateProcess, WaitForMultipleObjects, TerminateThread, CreateThread, DuplicateHandle, GetCurrentProcess, ExitThread, ReadFile, PeekNamedPipe, WriteFile, DisableThreadLibraryCalls
WININET.dllInternetGetConnectedState, InternetOpenA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle
WS2_32.dllWSAStartup, socket, closesocket, inet_addr, connect, recv, send, htons
MSVCRT.dll??3@YAXPAX@Z, _strnicmp, strrchr, strncat, ??2@YAPAXI@Z, _adjust_fdiv, strstr, _initterm, _itoa, malloc, free, _beginthread, atoi, atof, strchr, _ftol
urlmon.dllURLDownloadToFileA

Exports

NameOrdinalAddress
ServiceMain10x10001330

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishGreat Britain

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:12:16:48
Start date:29/03/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll"
Imagebase:0x8c0000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:1
Start time:12:16:48
Start date:29/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:2
Start time:12:16:48
Start date:29/03/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",#1
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:3
Start time:12:16:48
Start date:29/03/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\NTADMD.DLL.dll,ServiceMain
Imagebase:0x550000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:4
Start time:12:16:48
Start date:29/03/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",#1
Imagebase:0x550000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:5
Start time:12:16:51
Start date:29/03/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\NTADMD.DLL.dll",ServiceMain
Imagebase:0x550000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Disassembly

No disassembly