Windows
Analysis Report
dllhostex.exe
Overview
General Information
Sample name: | dllhostex.exe |
Analysis ID: | 1431569 |
MD5: | 56da116d25207847797fe5f8b085c1b1 |
SHA1: | d2b0399fabc842374af1c01195320640ca81abf0 |
SHA256: | 2d6a5eb8a78cddee8ce90321aab80f85784b11a87b00fde75c4c457998a5aebd |
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- dllhostex.exe (PID: 2992 cmdline: "C:\Users\user\Desktop\dllhostex.exe" MD5: 56DA116D25207847797FE5F8B085C1B1)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted applications (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth | |
MINER_monero_mining_detection | Monero mining software | Christiaan Beek, McAfee ATR Team | |
MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
AV Detection |
---|
Source: | Avira |
Source: | ReversingLabs |
Source: | Virustotal |
Source: | Joe Sandbox ML |
Bitcoin Miner |
---|
Source: | File source: (6 entries) |
Source: | String found in binary or memory: (6 entries) |
Source: | Static PE information: |
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: (3 entries) |
Source: | Memory allocated: |
Source: | Static PE information: |
Source: | Binary or memory string: (2 entries) |
Source: | Static PE information: |
Source: | Matched rule: (3 entries) |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | String found in binary or memory: (9 entries) |
Source: | Section loaded: (4 entries) |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: (2 entries) |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: (2 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
94% | ReversingLabs | Win32.Coinminer.Malxmr | |
80% | Virustotal | | |
100% | Avira | PUA/GM.Miner.OW | |
100% | Joe Sandbox ML | | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1431569 |
Start date and time: | 2024-04-25 13:18:48 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 51s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | dllhostex.exe |
Detection: | MAL |
Classification: | mal80.mine.winEXE@1/0@0/0 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
- Not all processes were analyzed, report is missing behavior information
File type: | |
Entropy (8bit): | 6.2758528235918085 |
TrID: | |
File name: | dllhostex.exe |
File size: | 2'859'008 bytes |
MD5: | 56da116d25207847797fe5f8b085c1b1 |
SHA1: | d2b0399fabc842374af1c01195320640ca81abf0 |
SHA256: | 2d6a5eb8a78cddee8ce90321aab80f85784b11a87b00fde75c4c457998a5aebd |
SHA512: | 5847709c012836a56d1514de539525f40f1073d9ac382e2a7ed43ec79d1b9c7e9f592d08809649c6577fb2e87865616b8986b671279f9f472cda6b2ae2ace81e |
SSDEEP: | 49152:Nx2RyWADkFL21kRRvJ9lSnRB/NyIhsgY3rhCuLkmSJ5:GzFL215n/NyJhCj |
TLSH: | B6D53B98F64360E0C6530EB1905EEA3BDA343E0D8030FABBEFD6EA48E473755B549156 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-..\..................#...+...............#...@.......................... ,.....<f,....... .......................*.~.. |
Icon Hash: | aaf3e3e3918382a0 |
Entrypoint: | 0x401500 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x5C80D42D [Thu Mar 7 08:19:57 2019 UTC] |
TLS Callbacks: | 0x499260, 0x499210, 0x4ac2e0 |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 596a050a7a2a7f0667fea5148e07ccc2 |
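The static PE fields above are read straight from the file headers and are worth re-checking on any sample before trusting a third-party report. What follows is an added example written for this page, not code from Joe Sandbox: a standard-library PE32 header parser plus a small triage pass, run against a constructed header-only image that carries this sample's values (entry point 0x401500, image base 0x400000, CUI subsystem, timestamp 0x5C80D42D, the listed characteristics, and the import and TLS directories at the RVAs shown in the data-directory table further down). The constructed image is not the sample, and its DllCharacteristics value of 0 is an assumption drawn from the empty field above. To check a real file, pass open(path, "rb").read() to parse_pe32().

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits, named the way the report prints them
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
                   0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE",
                   0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL"}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits: the mitigation opt-ins a triager checks
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x4000: "GUARD_CF"}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}
DIRECTORIES = ["export", "import", "resource", "exception", "security", "basereloc",
               "debug", "copyright", "globalptr", "tls", "load_config", "bound_import",
               "iat", "delay_import", "com_descriptor", "reserved"]


def _flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32(data: bytes) -> dict:
    """Read DOS header, file header, PE32 optional header and section table.

    Only headers are touched, so a header-only image parses. Raises ValueError
    for non-PE input or a PE32+ (64-bit) image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = {name: struct.unpack_from("<II", data, opt + 96 + 8 * i)
            for i, name in enumerate(DIRECTORIES[:ndirs])}
    sections = []
    for i in range(nsec):
        raw = struct.unpack_from("<8s6IHHI", data, opt + opt_size + 40 * i)
        # (name, VirtualAddress, VirtualSize)
        sections.append((raw[0].rstrip(b"\0").decode("ascii", "replace"), raw[2], raw[1]))
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "machine": machine,
        "timestamp_utc": f"{when:%a %b} {when.day} {when:%H:%M:%S %Y} UTC",
        "characteristics": _flags(chars, CHARACTERISTICS),
        "entrypoint": image_base + entry_rva,
        "entrypoint_section": next((n for n, va, vs in sections if va <= entry_rva < va + vs), None),
        "image_base": image_base,
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "directories": dirs,
        "sections": sections,
    }


def triage_findings(info: dict) -> list:
    """Turn the parsed header into the points a triager notes first."""
    out = []
    if info["directories"].get("security", (0, 0))[1] == 0:
        out.append("no Authenticode signature (security directory empty)")
    if info["directories"].get("tls", (0, 0))[1]:
        out.append("TLS directory present: TLS callbacks run before the entry point")
    for flag in ("DYNAMIC_BASE", "NX_COMPAT"):
        if flag not in info["dll_characteristics"]:
            out.append(f"built without {flag}")
    if info["entrypoint_section"] is None:
        out.append("entry point lies outside every section")
    return out


def build_constructed_pe() -> bytes:
    """Constructed header-only PE32 carrying the values the report shows for this sample.

    Not the sample itself; DllCharacteristics = 0 is an assumption taken from the
    report's empty field.
    """
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0x5C80D42D, 0, 0, 0xE0, 0x030E)
    opt = struct.pack(
        "<HBB9I6H4I2H6I",
        0x10B, 2, 30,                        # magic PE32, linker version
        0, 0, 0,                             # code / init / uninit data sizes
        0x1500, 0x1000, 0x23A000,            # entry RVA, base of code, base of data
        0x400000, 0x1000, 0x200,             # image base, section / file alignment
        4, 0, 4, 0, 4, 0,                    # OS, image, subsystem versions
        0, 0x2C2000, 0x400, 0,               # win32 version, image size, headers size, checksum
        3, 0,                                # subsystem = CUI, DllCharacteristics = none
        0x200000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
        0, 16,                               # loader flags, number of data directories
    )
    present = {1: (0x2AE000, 0x2558), 9: (0x2B2004, 0x18)}     # import and TLS, as reported
    dirs = b"".join(struct.pack("<II", *present.get(i, (0, 0))) for i in range(16))
    text = struct.pack("<8s6IHHI", b".text", 0x238C9C, 0x1000, 0x238E00, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + opt + dirs + text


if __name__ == "__main__":
    parsed = parse_pe32(build_constructed_pe())
    for key in ("entrypoint", "entrypoint_section", "image_base", "subsystem", "timestamp_utc", "characteristics"):
        print(f"{key}: {parsed[key]}")
    for finding in triage_findings(parsed):
        print("-", finding)
```

The "Digitally signed: false" line above corresponds to an empty IMAGE_DIRECTORY_ENTRY_SECURITY, and the three TLS callbacks the report lists are reachable through the TLS directory the parser surfaces; both are things to look at before the entry-point disassembly, since TLS callbacks execute first.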
Instruction |
---|
sub esp, 0Ch |
mov dword ptr [006ABCB8h], 00000000h |
call 00007F277C597C43h |
add esp, 0Ch |
jmp 00007F277C4FFCDBh |
nop |
nop |
nop |
nop |
nop |
nop |
push ebp |
mov ebp, esp |
push edi |
push esi |
push ebx |
sub esp, 1Ch |
mov dword ptr [esp], 0063C000h |
call dword ptr [006AE700h] |
sub esp, 04h |
test eax, eax |
je 00007F277C5000F5h |
mov ebx, eax |
mov dword ptr [esp], 0063C000h |
call dword ptr [006AE770h] |
sub esp, 04h |
mov edi, dword ptr [006AE710h] |
mov dword ptr [006AC760h], eax |
mov dword ptr [esp+04h], 0063C013h |
mov dword ptr [esp], ebx |
call edi |
sub esp, 08h |
mov esi, eax |
mov dword ptr [esp+04h], 0063C029h |
mov dword ptr [esp], ebx |
call edi |
sub esp, 08h |
mov dword ptr [0063A004h], eax |
test esi, esi |
je 00007F277C500093h |
mov dword ptr [esp+04h], 006AB01Ch |
mov dword ptr [esp], 006590C8h |
call esi |
mov dword ptr [esp], 004015D0h |
call 00007F277C597AC3h |
lea esp, dword ptr [ebp-0Ch] |
pop ebx |
pop esi |
pop edi |
pop ebp |
ret |
lea esi, dword ptr [esi+00000000h] |
mov dword ptr [0063A004h], 0049DE80h |
mov esi, 0049DC40h |
jmp 00007F277C500042h |
jmp 00007F277C50008Fh |
nop |
nop |
nop |
nop |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2ad000 | 0x57e | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2ae000 | 0x2558 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2b3000 | 0xaf7 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2b4000 | 0xd75c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2b2004 | 0x18 | .tls |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2ae5f0 | 0x53c | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x238c9c | 0x238e00 | a7005a84899ceefb78ca17d2588a17e3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x23a000 | 0x17a4 | 0x1800 | 7b4eb83696c3819a81515f673380b877 | False | 0.13981119791666666 | data | 1.2564638748343255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x23c000 | 0x1cf40 | 0x1d000 | a4649bbcdf49d4d3809c2b38703e668d | False | 0.3849255792025862 | data | 6.173856952555778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
.eh_fram | 0x259000 | 0x51094 | 0x51200 | dca8c20ea382cbf250289ad714861e43 | False | 0.21369715427580893 | data | 4.943483255212455 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
.bss | 0x2ab000 | 0x1900 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0x2ad000 | 0x57e | 0x600 | 9ba80acf159689ac9b3bd369d12cb51c | False | 0.42578125 | data | 4.9451405183508985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
.idata | 0x2ae000 | 0x2558 | 0x2600 | 4dbfdbaec009b606082e4c89a038e499 | False | 0.3617393092105263 | data | 5.492049970064249 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CRT | 0x2b1000 | 0x38 | 0x200 | 84115bc1dbef2efde70508ca74df30e1 | False | 0.080078125 | Matlab v4 mat-file (little endian) \260\220I, numeric, rows 4198704, columns 0 | 0.3398375245953951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x2b2000 | 0x20 | 0x200 | c86cd5bc388a04800f801ee4f7409142 | False | 0.056640625 | data | 0.20544562813451883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x2b3000 | 0xaf7 | 0xc00 | eaefd9d3538037b14b26e290c145bf29 | False | 0.3375651041666667 | data | 4.338974057081514 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x2b4000 | 0xd75c | 0xd800 | 827557035cb21cf479b9daddae3bb33e | False | 0.6793981481481481 | data | 6.707810614985702 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x2b30b8 | 0x31c | data | | | 0.4472361809045226 |
RT_VERSION | 0x2b33d4 | 0x294 | OpenPGP Secret Key | English | United States | 0.4909090909090909 |
RT_MANIFEST | 0x2b3668 | 0x48f | XML 1.0 document, ASCII text | | | 0.40102827763496146 |
DLL | Import |
---|---|
ADVAPI32.dll | AdjustTokenPrivileges, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetTokenInformation, GetUserNameW, LookupPrivilegeValueW, LsaAddAccountRights, LsaClose, LsaOpenPolicy, OpenProcessToken, RegCloseKey, RegOpenKeyExW, RegQueryValueExW |
IPHLPAPI.DLL | GetAdaptersAddresses |
KERNEL32.dll | AddVectoredExceptionHandler, AssignProcessToJobObject, CancelIo, CloseHandle, ConnectNamedPipe, CopyFileW, CreateDirectoryW, CreateEventA, CreateFileA, CreateFileW, CreateHardLinkW, CreateIoCompletionPort, CreateJobObjectW, CreateNamedPipeA, CreateNamedPipeW, CreateProcessW, CreateSemaphoreA, CreateSemaphoreW, CreateToolhelp32Snapshot, DebugBreak, DeleteCriticalSection, DeviceIoControl, DuplicateHandle, EnterCriticalSection, FileTimeToSystemTime, FillConsoleOutputAttribute, FillConsoleOutputCharacterW, FlushFileBuffers, FlushInstructionCache, FormatMessageA, FreeConsole, FreeLibrary, GetConsoleCursorInfo, GetConsoleMode, GetConsoleScreenBufferInfo, GetConsoleTitleW, GetConsoleWindow, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileType, GetHandleInformation, GetLastError, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetNamedPipeHandleStateA, GetNumberOfConsoleInputEvents, GetProcAddress, GetProcessAffinityMask, GetProcessIoCounters, GetProcessTimes, GetQueuedCompletionStatus, GetShortPathNameW, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetSystemInfo, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount, GlobalMemoryStatusEx, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, IsDBCSLeadByteEx, IsDebuggerPresent, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LocalAlloc, LocalFree, MoveFileExW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryPerformanceCounter, QueryPerformanceFrequency, QueueUserWorkItem, RaiseException, ReadConsoleInputW, ReadConsoleW, ReadDirectoryChangesW, ReadFile, RegisterWaitForSingleObject, ReleaseSemaphore, RemoveDirectoryW, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleCtrlHandler, SetConsoleCursorInfo, SetConsoleCursorPosition, SetConsoleMode, SetConsoleTextAttribute, SetConsoleTitleW, SetCurrentDirectoryW, SetEnvironmentVariableW, SetErrorMode, SetEvent, SetFilePointerEx, SetFileTime, SetHandleInformation, SetInformationJobObject, SetLastError, SetNamedPipeHandleState, SetPriorityClass, SetProcessAffinityMask, SetSystemTime, SetThreadAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnhandledExceptionFilter, UnregisterWait, UnregisterWaitEx, VerSetConditionMask, VerifyVersionInfoA, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeW, WideCharToMultiByte, WriteConsoleInputW, WriteConsoleW, WriteFile |
msvcrt.dll | __argv, __dllonexit, __doserrno, __getmainargs, __initenv, __lconv_init, __mb_cur_max, __set_app_type, __setusermatherr, _acmdln, _aligned_free, _aligned_malloc, _amsg_exit, _beginthreadex, _cexit, _close, _endthreadex, _errno, _close, _exit, _fdopen, _fileno, _fmode, _fstat64, _get_osfhandle, _initterm, _iob, _lock, _lseeki64, _onexit, _open_osfhandle, _read, _read, _setjmp3, _snwprintf, _strdup, _stricmp, _strnicmp, _ultoa, _umask, _unlock, _vsnprintf, _wchmod, _wcsdup, _wcsnicmp, _wcsrev, _wmkdir, _wopen, _write, _write, _wrmdir, abort, atoi, calloc, exit, fclose, fflush, fopen, fprintf, fputc, fputs, free, fwprintf, fwrite, getenv, gmtime, islower, isspace, isupper, iswctype, localeconv, localtime, longjmp, malloc, memchr, memcmp, memcpy, memmove, memset, printf, qsort, raise, rand, realloc, setlocale, setvbuf, signal, sprintf, srand, strchr, strcmp, strcoll, strcpy, strerror, strftime, strlen, strncmp, strncpy, strrchr, strstr, strtol, strtoul, strxfrm, time, towlower, towupper, vfprintf, wcschr, wcscoll, wcscpy, wcsftime, wcslen, wcsncmp, wcsncpy, wcspbrk, wcsrchr, wcstombs, wcsxfrm |
PSAPI.DLL | GetProcessMemoryInfo |
USER32.dll | DispatchMessageA, GetMessageA, MapVirtualKeyW, MessageBoxW, SetWinEventHook, ShowWindow, TranslateMessage |
USERENV.dll | GetUserProfileDirectoryW |
WS2_32.dll | FreeAddrInfoW, GetAddrInfoW, WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSAIoctl, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSASetLastError, WSASocketW, WSAStartup, __WSAFDIsSet, accept, bind, closesocket, connect, gethostname, getpeername, getsockname, getsockopt, htonl, htons, ioctlsocket, listen, ntohs, recv, select, send, setsockopt, shutdown, socket |
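The "Import Hash" in the static information above is the pefile imphash: every import is normalised to "module.symbol" (module name lower-cased with its .dll/.ocx/.sys extension removed, symbol lower-cased), the tokens are joined with commas in import-table order, and the result is MD5-hashed. This is an added example, not code from the report or from pefile, that implements that normalisation so the value can be reproduced from a recovered import table or used as a pivot. The import list below is a constructed subset of the table above in the order the report lists it; because the real import-table order is not visible in the report, the subset is not expected to hash to the reported value, and the ordinal handling is simplified (pefile additionally maps well-known ordinals of ws2_32 and oleaut32 back to names).

```python
import hashlib

# pefile drops these extensions from the module name before hashing
_STRIP = (".dll", ".ocx", ".sys")

REPORTED_IMPHASH = "596a050a7a2a7f0667fea5148e07ccc2"   # value from the report above

# Constructed subset of this sample's import table, in the order the report lists it.
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", ["AdjustTokenPrivileges", "CryptGenRandom", "LookupPrivilegeValueW",
                      "LsaAddAccountRights", "OpenProcessToken"]),
    ("KERNEL32.dll", ["AddVectoredExceptionHandler", "IsDebuggerPresent",
                      "SetThreadAffinityMask", "VirtualAlloc", "VirtualProtect"]),
    ("WS2_32.dll", ["WSAStartup", "connect", "recv", "send"]),
]


def import_token(dll: str, symbol) -> str:
    """Normalise one import the way pefile's get_imphash() does.

    Module: lower-cased, extension stripped. Symbol: lower-cased; an
    ordinal-only import (int) becomes "ordN". The pefile special case that
    resolves known ws2_32/oleaut32 ordinals to names is deliberately omitted.
    """
    module = dll.lower()
    for ext in _STRIP:
        if module.endswith(ext):
            module = module[: -len(ext)]
            break
    name = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
    return f"{module}.{name}"


def imphash(imports) -> str:
    """MD5 over 'module.symbol' tokens joined by ',' in import-table order.

    `imports` is a list of (dll_name, [symbol, ...]) pairs; order matters,
    which is why two builds with the same imports in a different link order
    get different imphashes.
    """
    tokens = [import_token(dll, sym) for dll, syms in imports for sym in syms]
    return hashlib.md5(",".join(tokens).encode()).hexdigest()


def matches_report(imports) -> bool:
    """Pivot check: does a recovered import table hash to the reported value?"""
    return imphash(imports) == REPORTED_IMPHASH


if __name__ == "__main__":
    print("computed:", imphash(SAMPLE_IMPORTS))
    print("reported:", REPORTED_IMPHASH, "match:", matches_report(SAMPLE_IMPORTS))
```

Imphash is a pivot for "same toolchain, same link order" rather than a signature for this file: a rebuilt XMRig with a different set of statically linked libraries moves it, and an unrelated MinGW console tool can share it.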
Name | Ordinal | Address |
---|---|---|
MHD_add_connection | 1 | 0x487c30 |
MHD_add_response_footer | 2 | 0x48cde0 |
MHD_add_response_header | 3 | 0x48ccc0 |
MHD_create_response_for_upgrade | 4 | 0x48d810 |
MHD_create_response_from_buffer | 5 | 0x48d5e0 |
MHD_create_response_from_callback | 6 | 0x48d0f0 |
MHD_create_response_from_data | 7 | 0x48d4f0 |
MHD_create_response_from_fd | 8 | 0x48d390 |
MHD_create_response_from_fd64 | 9 | 0x48d430 |
MHD_create_response_from_fd_at_offset | 10 | 0x48d1d0 |
MHD_create_response_from_fd_at_offset64 | 11 | 0x48d2b0 |
MHD_del_response_header | 12 | 0x48cf00 |
MHD_destroy_response | 13 | 0x48d980 |
MHD_free | 14 | 0x48b320 |
MHD_get_connection_info | 15 | 0x481960 |
MHD_get_connection_values | 16 | 0x480a80 |
MHD_get_daemon_info | 17 | 0x48ad10 |
MHD_get_fdset | 18 | 0x487790 |
MHD_get_fdset2 | 19 | 0x487800 |
MHD_get_reason_phrase_for | 20 | 0x484c30 |
MHD_get_response_header | 21 | 0x48d020 |
MHD_get_response_headers | 22 | 0x48cfb0 |
MHD_get_timeout | 23 | 0x488560 |
MHD_get_version | 24 | 0x48ade0 |
MHD_http_unescape | 25 | 0x48af70 |
MHD_is_feature_supported | 26 | 0x48adf0 |
MHD_lookup_connection_value | 27 | 0x480b70 |
MHD_queue_response | 28 | 0x481b50 |
MHD_quiesce_daemon | 29 | 0x488d60 |
MHD_resume_connection | 30 | 0x487b60 |
MHD_run | 31 | 0x488d10 |
MHD_run_from_select | 32 | 0x488c50 |
MHD_set_connection_option | 33 | 0x4819e0 |
MHD_set_connection_value | 34 | 0x480b00 |
MHD_set_panic_func | 35 | 0x48adc0 |
MHD_set_response_options | 36 | 0x48d1a0 |
MHD_start_daemon | 37 | 0x489f90 |
MHD_start_daemon_va | 38 | 0x489200 |
MHD_stop_daemon | 39 | 0x488ed0 |
MHD_suspend_connection | 40 | 0x4879c0 |
MHD_upgrade_action | 41 | 0x48d6d0 |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Target ID: | 0 |
Start time: | 13:19:47 |
Start date: | 25/04/2024 |
Path: | C:\Users\user\Desktop\dllhostex.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 2'859'008 bytes |
MD5 hash: | 56DA116D25207847797FE5F8B085C1B1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
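The process record above is the kind of evidence a detection keys on: an unsigned image named dllhostex.exe, two characters away from Windows' dllhost.exe (which the cookbook whitelists as a normal process), launched from the user's Desktop with administrator rights. The following is an added example, not part of the report: a lookalike-name check that flags exact system-binary names running outside a system directory and near-miss names within a small edit distance, evaluated on constructed process records. The list of imitated binaries, the system-directory set and the distance threshold are assumptions made for this example.

```python
# Constructed list of frequently imitated Windows binaries (assumption for this example)
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "conhost.exe",
                   "explorer.exe", "lsass.exe", "csrss.exe"}
# Directories where those binaries legitimately live (assumption for this example)
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss names like dllhostex.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def assess_process(path: str, signed: bool, max_distance: int = 2) -> list:
    """Return the reasons a process image looks like a masqueraded system binary.

    An empty list means nothing to flag. Rules (assumptions for this example):
      - an exact system-binary name running outside a system directory
      - a name within `max_distance` edits of a system-binary name
      - when either fires, note additionally if the image is unsigned
    """
    path_l = path.replace("/", "\\").lower()
    directory, _, name = path_l.rpartition("\\")
    reasons = []
    if name in SYSTEM_BINARIES:
        if directory not in SYSTEM_DIRS:
            reasons.append(f"{name} running outside a system directory")
    else:
        for real in sorted(SYSTEM_BINARIES):
            d = edit_distance(name, real)
            if 0 < d <= max_distance:
                reasons.append(f"{name} is {d} edit(s) from {real}")
    if reasons and not signed:
        reasons.append("image is not Authenticode-signed")
    return reasons


# Constructed process records: (image path, Authenticode-signed)
SAMPLE_PROCESSES = [
    (r"C:\Users\user\Desktop\dllhostex.exe", False),         # this report's sample
    (r"C:\Windows\System32\dllhost.exe", True),              # the real COM surrogate
    (r"C:\Users\user\AppData\Local\Temp\svchost.exe", True),
    (r"C:\Program Files\Vendor\updater.exe", False),
]

if __name__ == "__main__":
    for path, signed in SAMPLE_PROCESSES:
        print(path, "->", assess_process(path, signed) or "ok")
```

The edit-distance rule is intentionally narrow (distance 1 or 2): widening it pulls in legitimate names, and the unsigned flag is reported only alongside another hit because plenty of benign software ships unsigned.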