Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PDR26PM4x64.DLL

Overview

General Information

Sample name:PDR26PM4x64.DLL
Analysis ID:1430715
MD5:69b558aada989a3ffc3d4d4e6582fe33
SHA1:76246de15a1a17e25027b531a3623f6678a532d0
SHA256:155663b3e949db31958e7a6affff14beb783fedb22bc336977e1c7840aa78195
Infos:

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6960 cmdline: loaddll64.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7124 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 6236 cmdline: rundll32.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6276 cmdline: rundll32.exe C:\Users\user\Desktop\PDR26PM4x64.DLL,DllMain MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7104 cmdline: rundll32.exe C:\Users\user\Desktop\PDR26PM4x64.DLL,InitializePrintMonitor2 MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Binary string: e:\temp\pm_source_900_20190226\src\objfre_wnet_amd64\amd64\PDR26PM4x64.pdbH source: PDR26PM4x64.DLL
Source: Binary string: e:\temp\pm_source_900_20190226\src\objfre_wnet_amd64\amd64\PDR26PM4x64.pdb source: PDR26PM4x64.DLL
Source: PDR26PM4x64.DLLBinary or memory string: OriginalFilenamePDR26PM4.DLLP vs PDR26PM4x64.DLL
Source: classification engineClassification label: clean2.winDLL@10/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: PDR26PM4x64.DLLStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PDR26PM4x64.DLL,DllMain
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL"
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PDR26PM4x64.DLL,DllMain
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PDR26PM4x64.DLL,InitializePrintMonitor2
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PDR26PM4x64.DLL,DllMainJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PDR26PM4x64.DLL,InitializePrintMonitor2Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: pdr26pm4_rt64.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: spoolss.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: pcp26ct64.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\rundll32.exeAutomated click: OK
Source: C:\Windows\System32\rundll32.exeAutomated click: OK
Source: C:\Windows\System32\rundll32.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: PDR26PM4x64.DLLStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: e:\temp\pm_source_900_20190226\src\objfre_wnet_amd64\amd64\PDR26PM4x64.pdbH source: PDR26PM4x64.DLL
Source: Binary string: e:\temp\pm_source_900_20190226\src\objfre_wnet_amd64\amd64\PDR26PM4x64.pdb source: PDR26PM4x64.DLL
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPortJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL",#1Jump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		11
Process Injection		1
Virtualization/Sandbox Evasion		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Rundll32		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager1
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1430715 Sample: PDR26PM4x64.DLL Startdate: 24/04/2024 Architecture: WINDOWS Score: 2 6 loaddll64.exe 1 2->6         started        process3 8 cmd.exe 1 6->8         started        10 rundll32.exe 6->10         started        12 rundll32.exe 6->12         started        14 conhost.exe 6->14         started        process4 16 rundll32.exe 8->16         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
PDR26PM4x64.DLL0%ReversingLabs
PDR26PM4x64.DLL0%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1430715
Start date and time:2024-04-24 04:26:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 3s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:PDR26PM4x64.DLL
Detection:CLEAN
Classification:clean2.winDLL@10/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .DLL
  • Stop behavior analysis, all processes terminated

Warnings

  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):5.458005773380869
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:PDR26PM4x64.DLL
File size:88'064 bytes
MD5:69b558aada989a3ffc3d4d4e6582fe33
SHA1:76246de15a1a17e25027b531a3623f6678a532d0
SHA256:155663b3e949db31958e7a6affff14beb783fedb22bc336977e1c7840aa78195
SHA512:04bc34457815e82ba377268d739690e8588a22c73fe98279f8434ae5b78541b45f78f09b515e9439783acfd89d43ba332d7bcd0e6026b736e785e1ebf386c046
SSDEEP:1536:sDQtZvicvvjXyXtwWyx0p4isFORamMdOITf8K3:sDQTzjXy9wZOp4von+h8i
TLSH:01831912B3E911A9E0F7A37485B24336AA72FC54673886CF0350966D5E33BE09D39363
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................w.......,........:.......,.......+.........&.....<......w........=.......&......,........;.......>.....Rich...

File Icon

Icon Hash:d8c6c6d2c0406024

Static PE Info

General

Entrypoint:0x5040ce30
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x50400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:DYNAMIC_BASE
Time Stamp:0x5C752043 [Tue Feb 26 11:17:23 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:d5d466faac4db1fd0d131557c1186ddf

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F027CC419E7h
call 00007F027CC41D3Ch
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F027CC417B4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00003279h]
jne 00007F027CC419F4h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F027CC419E5h
retn 0000h
dec eax
ror ecx, 10h
jmp 00007F027CC41DA9h
int3
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 00000530h
dec eax
lea ecx, dword ptr [esp+60h]
call dword ptr [FFFF4194h]
dec eax
mov ebx, dword ptr [esp+00000158h]
dec eax
lea edx, dword ptr [esp+40h]
dec eax
mov ecx, ebx
inc ebp
xor eax, eax
call dword ptr [FFFF4173h]
dec eax
test eax, eax
je 00007F027CC41A1Bh
dec eax
and dword ptr [esp+38h], 00000000h
dec eax
mov edx, dword ptr [esp+40h]
dec eax
lea ecx, dword ptr [esp+48h]
dec eax
mov dword ptr [esp+30h], ecx
dec eax
lea ecx, dword ptr [esp+50h]
dec esp
mov ecx, eax

Rich Headers

Programming Language:
  • [IMP] VS2005 build 50727
  • [ASM] VS2008 SP1 build 30729
  • [ C ] VS2008 SP1 build 30729
  • [C++] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
  • [EXP] VS2008 SP1 build 30729
  • [LNK] VS2008 SP1 build 30729

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0xfcc00x6c.text
IMAGE_DIRECTORY_ENTRY_IMPORT0xf0f00xc8.text
IMAGE_DIRECTORY_ENTRY_RESOURCE0x170000xeb8.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x160000x648.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x180000x5c.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x13d00x1c.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x10000x3a0.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000xed2c0xee0067e8fc4c71b5668968ef4877abf2b50aFalse0.5041852678571429OpenPGP Public Key6.25321631724239IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data0x100000x53b00x4c00321849396a3e8ed30ecc0ae7b801d7dcFalse0.12772409539473684data2.235376843921145IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata0x160000x6480x800f8346d205a92cbbe8833674e5c33dba7False0.439453125data3.709847727502004IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc0x170000xeb80x100099c85e11f57fdbc5b04c76bcefaa9be9False0.281982421875data3.345125004318238IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x180000x1580x200d9327bf90fa67bff1621aac503fa87c1False0.189453125GLS_BINARY_LSB_FIRST1.1523070270284397IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_ICON0x172100x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640EnglishUnited States0.23790322580645162
RT_ICON0x175100x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640EnglishUnited States0.29301075268817206
RT_DIALOG0x178100x194dataEnglishUnited States0.5297029702970297
RT_DIALOG0x179a80xc6dataEnglishUnited States0.5707070707070707
RT_STRING0x17d880x130dataEnglishUnited States0.5427631578947368
RT_GROUP_ICON0x174f80x14dataEnglishUnited States1.2
RT_GROUP_ICON0x177f80x14dataEnglishUnited States1.25
RT_VERSION0x17a700x318dataEnglishUnited States0.48737373737373735

Imports

DLLImport
msvcrt.dll_isatty, _write, _lseeki64, _fileno, __pioinfo, __badioinfo, ferror, _itoa, _snprintf, _iob, isleadbyte, __mb_cur_max, mbtowc, memset, memcpy, __C_specific_handler, _amsg_exit, free, _initterm, malloc, _XcptFilter, _errno, _wcsicmp, wcsncpy
PDR26PM4_RT64.DLLRtouSendMessage, RtouOpenSessionByAddrW, RtouCloseSession
KERNEL32.dllRtlVirtualUnwind, OutputDebugStringA, RtlLookupFunctionEntry, RtlCaptureContext, DeleteFileW, SetFilePointer, OutputDebugStringW, CloseHandle, GetLocalTime, CreateFileW, QueryPerformanceCounter, Sleep, WriteFile, GlobalFree, DisableThreadLibraryCalls, EnterCriticalSection, GetProcAddress, SetLastError, GetLastError, GetTempPathW, LeaveCriticalSection, GetVersionExW, LoadLibraryW, GlobalAlloc, InitializeCriticalSection, GetTickCount, FreeLibrary, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, ReadFile
ADVAPI32.dllRegSetValueExW, RegCloseKey, RegOpenKeyExW, GetUserNameW
USER32.dllMessageBoxW, LoadStringW, wvsprintfW
SPOOLSS.DLLRevertToPrinterSelf, ImpersonatePrinterClient, SetJobW, ClosePrinter, OpenPrinterW, SetPortW, GetJobW
PCP26CT64.dllU_Set1stSettingValue, P_KeepAlive, P_CheckReply, P_FlushStatusReq, U_Set1stPrinterInfo, P_ICControl, P_TestUnitReady, U_SetNextPrinterInfo, P_FlushPropertyReq, P_Close, P_ReadMG, P_RezeroUnit, U_SetNextSettingValue, P_FlushSettingValue, P_ImageOut, P_WriteMG, P_LoadCard, P_SecurityPrint, P_MoveCard, P_Connect, U_InitializeSettingValue, P_FlushSettingReq, P_CheckGoAhead, P_PrintOnCard, P_PrintOnFilm, P_SendPrintJob, P_ReadPosition
COMCTL32.dll
WTSAPI32.dllWTSFreeMemory, WTSEnumerateSessionsW, WTSSendMessageW

Exports

NameOrdinalAddress
DllMain10x50401b28
InitializePrintMonitor220x50401b7c

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:04:26:54
Start date:24/04/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL"
Imagebase:0x7ff7273e0000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

General

Target ID:1
Start time:04:26:54
Start date:24/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:2
Start time:04:26:54
Start date:24/04/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL",#1
Imagebase:0x7ff64a110000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:3
Start time:04:26:54
Start date:24/04/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\PDR26PM4x64.DLL,DllMain
Imagebase:0x7ff7b8730000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:4
Start time:04:26:54
Start date:24/04/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\PDR26PM4x64.DLL",#1
Imagebase:0x7ff7b8730000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:5
Start time:04:26:57
Start date:24/04/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\PDR26PM4x64.DLL,InitializePrintMonitor2
Imagebase:0x7ff7b8730000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Disassembly

No disassembly