Loading ...

Play interactive tourEdit tour

Analysis Report 21a5f8d0000.dll

Overview

General Information

Sample Name:21a5f8d0000.dll
Analysis ID:403758
MD5:b8c176dc8ab0d768031014f95b8816e8
SHA1:97826adb6aac6340a74ca024a65065fa6fdb21ca
SHA256:cc79e66b24bfca1cd0ef27c63921737786dcdae02f871279800ea2c82939721a
Tags:Gozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Ursnif
Machine Learning detection for sample
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • loaddll64.exe (PID: 6304 cmdline: loaddll64.exe 'C:\Users\user\Desktop\21a5f8d0000.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)
    • cmd.exe (PID: 6312 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\21a5f8d0000.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6336 cmdline: rundll32.exe 'C:\Users\user\Desktop\21a5f8d0000.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
      • MpCmdRun.exe (PID: 6588 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
        • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 6324 cmdline: rundll32.exe C:\Users\user\Desktop\21a5f8d0000.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
21a5f8d0000.dllJoeSecurity_UrsnifYara detected UrsnifJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Antivirus / Scanner detection for submitted sampleShow sources
    Source: 21a5f8d0000.dllAvira: detected
    Machine Learning detection for sampleShow sources
    Source: 21a5f8d0000.dllJoe Sandbox ML: detected
    Source: 21a5f8d0000.dllString found in binary or memory: http://constitution.org/usdeclar.txt
    Source: 21a5f8d0000.dllString found in binary or memory: http://constitution.org/usdeclar.txtC:
    Source: 21a5f8d0000.dllString found in binary or memory: http://https://file://USER.ID%lu.exe/upd

    Key, Mouse, Clipboard, Microphone and Screen Capturing:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 21a5f8d0000.dll, type: SAMPLE

    E-Banking Fraud:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 21a5f8d0000.dll, type: SAMPLE
    Source: 21a5f8d0000.dllStatic PE information: No import functions for PE file found
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dll
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dll
    Source: classification engineClassification label: mal60.troj.winDLL@9/1@0/0
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6596:120:WilError_01
    Source: 21a5f8d0000.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\21a5f8d0000.dll,#1
    Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\21a5f8d0000.dll'
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\21a5f8d0000.dll',#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\21a5f8d0000.dll,#1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\21a5f8d0000.dll',#1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
    Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\21a5f8d0000.dll',#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\21a5f8d0000.dll,#1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\21a5f8d0000.dll',#1
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: 21a5f8d0000.dllStatic PE information: Image base 0x180000000 > 0x60000000

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 21a5f8d0000.dll, type: SAMPLE
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: rundll32.exe, 00000002.00000002.246627027.00000195F9140000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.239760036.000001A4AE6A0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: rundll32.exe, 00000002.00000002.246627027.00000195F9140000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.239760036.000001A4AE6A0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: rundll32.exe, 00000002.00000002.246627027.00000195F9140000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.239760036.000001A4AE6A0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: rundll32.exe, 00000002.00000002.246627027.00000195F9140000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.239760036.000001A4AE6A0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPort
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\21a5f8d0000.dll',#1
    Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
    Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
    Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
    Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

    Stealing of Sensitive Information:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 21a5f8d0000.dll, type: SAMPLE

    Remote Access Functionality:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 21a5f8d0000.dll, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management Instrumentation1DLL Side-Loading1Process Injection11Virtualization/Sandbox Evasion1OS Credential DumpingSecurity Software Discovery21Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Rundll321LSASS MemoryVirtualization/Sandbox Evasion1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection11Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)DLL Side-Loading1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 403758 Sample: 21a5f8d0000.dll Startdate: 04/05/2021 Architecture: WINDOWS Score: 60 20 Antivirus / Scanner detection for submitted sample 2->20 22 Yara detected  Ursnif 2->22 24 Machine Learning detection for sample 2->24 8 loaddll64.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8->12         started        process5 14 MpCmdRun.exe 1 10->14         started        16 rundll32.exe 10->16         started        process6 18 conhost.exe 14->18         started       

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    21a5f8d0000.dll100%AviraHEUR/AGEN.1108168
    21a5f8d0000.dll100%Joe Sandbox ML

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    http://https://file://USER.ID%lu.exe/upd0%Avira URL Cloudsafe
    http://constitution.org/usdeclar.txt0%URL Reputationsafe
    http://constitution.org/usdeclar.txt0%URL Reputationsafe
    http://constitution.org/usdeclar.txt0%URL Reputationsafe
    http://constitution.org/usdeclar.txt0%URL Reputationsafe
    http://constitution.org/usdeclar.txtC:0%URL Reputationsafe
    http://constitution.org/usdeclar.txtC:0%URL Reputationsafe
    http://constitution.org/usdeclar.txtC:0%URL Reputationsafe
    http://constitution.org/usdeclar.txtC:0%URL Reputationsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://https://file://USER.ID%lu.exe/upd21a5f8d0000.dllfalse
    • Avira URL Cloud: safe
    low
    http://constitution.org/usdeclar.txt21a5f8d0000.dllfalse
    • URL Reputation: safe
    • URL Reputation: safe
    • URL Reputation: safe
    • URL Reputation: safe
    unknown
    http://constitution.org/usdeclar.txtC:21a5f8d0000.dllfalse
    • URL Reputation: safe
    • URL Reputation: safe
    • URL Reputation: safe
    • URL Reputation: safe
    unknown

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:32.0.0 Black Diamond
    Analysis ID:403758
    Start date:04.05.2021
    Start time:11:41:53
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 5m 0s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:21a5f8d0000.dll
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:29
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal60.troj.winDLL@9/1@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .dll

    Simulations

    Behavior and APIs

    TimeTypeDescription
    11:44:14API Interceptor1x Sleep call for process: MpCmdRun.exe modified

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
    File Type:data
    Category:modified
    Size (bytes):906
    Entropy (8bit):3.1320890800881007
    Encrypted:false
    SSDEEP:12:58KRBubdpkoF1AG3rPWKk9+MlWlLehB4yAq7ejCMWH:OaqdmuF3rw+kWReH4yJ7M+
    MD5:CE1CC265AB67E3C997C2BD8A51DE492A
    SHA1:90E8A24EC0C49E555721FDE5A4000E1FC5FC867E
    SHA-256:E907A66E7EFFA5A9D710327C455CA0B3DD561E0146EA6F0B9A33682AC8CA4173
    SHA-512:384559B9381A90DB5729E2CE6B6D924D6E87C30991F4B7EAE92A6859D0D17C7D483733D3769F3220797381321D4DCE8210B4601DACF73FBDBCFBEC23335CADB4
    Malicious:false
    Reputation:low
    Preview: ........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.u.e. .. M.a.y. .. 0.4. .. 2.0.2.1. .1.1.:.4.4.:.1.4.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.u.e. .. M.a.y. .. 0.4. .. 2.0.2.1. .1.1.:.4.4.:.1.4.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

    Static File Info

    General

    File type:MS-DOS executable
    Entropy (8bit):6.331169087847959
    TrID:
    • Win64 Dynamic Link Library (generic) (102004/3) 84.88%
    • Win64 Executable (generic) (12005/4) 9.99%
    • DOS Executable Borland Pascal 7.0x (2037/25) 1.69%
    • Generic Win/DOS Executable (2004/3) 1.67%
    • DOS Executable Generic (2002/1) 1.67%
    File name:21a5f8d0000.dll
    File size:223744
    MD5:b8c176dc8ab0d768031014f95b8816e8
    SHA1:97826adb6aac6340a74ca024a65065fa6fdb21ca
    SHA256:cc79e66b24bfca1cd0ef27c63921737786dcdae02f871279800ea2c82939721a
    SHA512:0e2f907a21f245784ea260c11b2eff428e892fc0c4b3594a0eac59cff127129896227676e4cc73be9af003ce5b2b496b3148119f1d7be35439e157aec53a2b44
    SSDEEP:3072:fWLHqJ4VtWYQUVpsPHQqdPFQ6l7Bz9DHzcUvNfxYPr9fGWg+Bm5kf7JDLm:4qO/rsPHN7Q6l7Bz9zhvNJYPrg1QNL
    File Content Preview:MZ......................................................................................................................................................................................................................................................PE..d..

    File Icon

    Icon Hash:74f0e4ecccdce0e4

    Static PE Info

    General

    Entrypoint:0x1800080e4
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x180000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
    DLL Characteristics:
    Time Stamp:0x60804A27 [Wed Apr 21 15:52:07 2021 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:

    Entrypoint Preview

    Instruction
    inc eax
    push ebx
    dec eax
    sub esp, 20h
    test edx, edx
    mov ebx, 00000001h
    je 00007F9EF0987E76h
    cmp edx, ebx
    jne 00007F9EF0987E81h
    mov eax, ebx
    lock xadd dword ptr [0002B8AFh], eax
    add eax, ebx
    cmp eax, ebx
    jne 00007F9EF0987E71h
    dec ecx
    mov edx, eax
    call 00007F9EF099AC22h
    test eax, eax
    je 00007F9EF0987E65h
    xor ebx, ebx
    jmp 00007F9EF0987E61h
    lock add dword ptr [0002B891h], FFFFFFFFh
    jne 00007F9EF0987E57h
    call 00007F9EF0999CE3h
    mov eax, ebx
    dec eax
    add esp, 20h
    pop ebx
    ret
    int3
    int3
    dec eax
    mov dword ptr [esp+08h], ebx
    dec eax
    mov dword ptr [esp+10h], ebp
    dec eax
    mov dword ptr [esp+18h], esi
    push edi
    dec eax
    sub esp, 20h
    cmp dword ptr [0002BE31h], 00000000h
    inc ecx
    mov ebx, ecx
    dec ecx
    mov esi, eax
    dec eax
    mov eax, edx
    je 00007F9EF0987EF3h
    xor edx, edx
    dec eax
    mov ecx, eax
    call 00007F9EF0982475h
    dec eax
    mov ecx, dword ptr [0002B83Dh]
    dec esp
    lea eax, dword ptr [ebx+01h]
    xor edx, edx
    dec eax
    mov ebp, eax
    call dword ptr [00024F26h]
    dec eax
    test eax, eax
    dec eax
    mov edi, eax
    je 00007F9EF0987EC7h
    dec esp
    mov eax, ebx
    dec eax
    mov edx, esi
    dec eax
    mov ecx, eax
    call 00007F9EF099F36Bh
    dec eax
    lea ecx, dword ptr [0002BDB9h]
    mov byte ptr [ebx+edi], 00000000h
    call dword ptr [0002504Fh]
    lock add dword ptr [0002BDCFh], 01h
    dec eax
    lea ecx, dword ptr [00000000h]

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x31b100x38.rdata
    IMAGE_DIRECTORY_ENTRY_IMPORT0x30a200x3c.rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x340000x17ac.pdata
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x390000x344.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x2d0000x530.rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x2eda40x1e0.rdata
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x2ba460x2bc00False0.568303571429data6.33861296477IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .rdata0x2d0000x4b480x4c00False0.403114720395data5.25264814147IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data0x320000x1f880x1a00False0.307992788462lif file3.73553845524IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .pdata0x340000x17ac0x1800False0.53857421875data5.30366145469IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .bss0x360000x21480x2200False0.427504595588data4.96451183531IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .reloc0x390000x10000xa00False0.458984375data4.2959680462IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    Behavior

    Click to jump to process

    System Behavior

    General

    Start time:11:42:45
    Start date:04/05/2021
    Path:C:\Windows\System32\loaddll64.exe
    Wow64 process (32bit):false
    Commandline:loaddll64.exe 'C:\Users\user\Desktop\21a5f8d0000.dll'
    Imagebase:0x7ff69d4e0000
    File size:140288 bytes
    MD5 hash:A84133CCB118CF35D49A423CD836D0EF
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate

    General

    Start time:11:42:45
    Start date:04/05/2021
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\21a5f8d0000.dll',#1
    Imagebase:0x7ff7eef80000
    File size:273920 bytes
    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:11:42:45
    Start date:04/05/2021
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe C:\Users\user\Desktop\21a5f8d0000.dll,#1
    Imagebase:0x7ff6c6b80000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:11:42:45
    Start date:04/05/2021
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe 'C:\Users\user\Desktop\21a5f8d0000.dll',#1
    Imagebase:0x7ff6c6b80000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:11:44:13
    Start date:04/05/2021
    Path:C:\Program Files\Windows Defender\MpCmdRun.exe
    Wow64 process (32bit):false
    Commandline:'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
    Imagebase:0x7ff6cf3a0000
    File size:455656 bytes
    MD5 hash:A267555174BFA53844371226F482B86B
    Has elevated privileges:true
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:11:44:13
    Start date:04/05/2021
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7ecfc0000
    File size:625664 bytes
    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
    Has elevated privileges:true
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high

    Disassembly

    Code Analysis

    Reset < >