Loading ...

Play interactive tourEdit tour

Analysis Report kS5hYPcgm8.dll

Overview

General Information

Sample Name:kS5hYPcgm8.dll
Analysis ID:408913
MD5:68fc6441db6c5539573adf08f210c39b
SHA1:c67a6a85716e0f1439cae1c1cdf259c271515e85
SHA256:802a752fca3ded051f0655c68012c769232d098d4a57c9887da39fa89070235a
Tags:dllGozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 2212 cmdline: loaddll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 4356 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1556 cmdline: rundll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • cmd.exe (PID: 5700 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 6240 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 1140 cmdline: rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Connectdark MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 2576 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6204 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 6324 cmdline: rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Mindlake MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6336 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6396 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 6388 cmdline: rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Porthigh MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6416 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6500 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 6488 cmdline: rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Problemscale MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6524 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6936 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 6720 cmdline: rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,WingGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6908 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 7060 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6888 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6944 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: kS5hYPcgm8.dllVirustotal: Detection: 51%Perma Link
Source: kS5hYPcgm8.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: kS5hYPcgm8.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb source: loaddll32.exe, 00000000.00000002.608295285.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.534934724.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.619699878.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.537317652.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.575775840.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 00000014.00000002.619037007.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.574975507.000000006DD7A000.00000002.00020000.sdmp, kS5hYPcgm8.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected UrsnifShow sources
Source: Yara matchFile source: 3.2.rundll32.exe.6dcf0000.1.unpack, type: UNPACKEDPE

E-Banking Fraud:

barindex
Yara detected UrsnifShow sources
Source: Yara matchFile source: 3.2.rundll32.exe.6dcf0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DCF2485 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD31C3C
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD33E00
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD584BB
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD667D9
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD45150
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD4E079
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD60396
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD702BC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD584BB
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD31C3C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD667D9
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD33E00
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD45150
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD4E079
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD60396
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD702BC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DCF2264
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DD584BB
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DD31C3C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DD33E00
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DD45150
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DD60396
Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6DD30990 appears 34 times
Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6DD300AC appears 100 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6DD30990 appears 56 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6DD300AC appears 193 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6DD300E0 appears 47 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6DD523A9 appears 33 times
Source: kS5hYPcgm8.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engineClassification label: mal56.troj.winDLL@55/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01
Source: kS5hYPcgm8.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Connectdark
Source: kS5hYPcgm8.dllVirustotal: Detection: 51%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll'
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll',#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Connectdark
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Mindlake
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Porthigh
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Problemscale
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,WingGrass
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll',#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Connectdark
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Mindlake
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Porthigh
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Problemscale
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,WingGrass
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: kS5hYPcgm8.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kS5hYPcgm8.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kS5hYPcgm8.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kS5hYPcgm8.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kS5hYPcgm8.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kS5hYPcgm8.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: kS5hYPcgm8.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: kS5hYPcgm8.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb source: loaddll32.exe, 00000000.00000002.608295285.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.534934724.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.619699878.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.537317652.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.575775840.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 00000014.00000002.619037007.000000006DD7A000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.574975507.000000006DD7A000.00000002.00020000.sdmp, kS5hYPcgm8.dll
Source: kS5hYPcgm8.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kS5hYPcgm8.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kS5hYPcgm8.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kS5hYPcgm8.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kS5hYPcgm8.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DCF1F31 LoadLibraryA,GetProcAddress,
Source: kS5hYPcgm8.dllStatic PE information: real checksum: 0xf3990 should be: 0xf169d
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD309D6 push ecx; ret
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD30075 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD309D6 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD30075 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DCF2253 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DCF2200 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DD309D6 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DD30075 push ecx; ret

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected UrsnifShow sources
Source: Yara matchFile source: 3.2.rundll32.exe.6dcf0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD51F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DCF1F31 LoadLibraryA,GetProcAddress,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD5966F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD5966F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DD5966F mov eax, dword ptr fs:[00000030h]
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD51F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD307A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD30288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD307A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD51F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DD30288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DD51F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DD30288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: loaddll32.exe, 00000000.00000002.576781232.0000000000EE0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.534853952.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.610554445.0000000002D90000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.534015445.00000000030F0000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.526747254.0000000002D90000.00000002.00000001.sdmp, rundll32.exe, 00000014.00000002.610139527.00000000038A0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.525740389.0000000002D90000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.576781232.0000000000EE0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.534853952.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.610554445.0000000002D90000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.534015445.00000000030F0000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.526747254.0000000002D90000.00000002.00000001.sdmp, rundll32.exe, 00000014.00000002.610139527.00000000038A0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.525740389.0000000002D90000.00000002.00000001.sdmpBinary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.576781232.0000000000EE0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.534853952.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.610554445.0000000002D90000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.534015445.00000000030F0000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.526747254.0000000002D90000.00000002.00000001.sdmp, rundll32.exe, 00000014.00000002.610139527.00000000038A0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.525740389.0000000002D90000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.576781232.0000000000EE0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.534853952.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.610554445.0000000002D90000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.534015445.00000000030F0000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.526747254.0000000002D90000.00000002.00000001.sdmp, rundll32.exe, 00000014.00000002.610139527.00000000038A0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.525740389.0000000002D90000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.576781232.0000000000EE0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.534853952.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.610554445.0000000002D90000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.534015445.00000000030F0000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.526747254.0000000002D90000.00000002.00000001.sdmp, rundll32.exe, 00000014.00000002.610139527.00000000038A0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.525740389.0000000002D90000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD30604 cpuid
Source: C:\Windows\System32\loaddll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exeCode function: ___crtGetLocaleInfoEx,
Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoEx,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoEx,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD309F0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD68951 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6DCF146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information:

barindex
Yara detected UrsnifShow sources
Source: Yara matchFile source: 3.2.rundll32.exe.6dcf0000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected UrsnifShow sources
Source: Yara matchFile source: 3.2.rundll32.exe.6dcf0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DCF16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6DCF16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsNative API1Path InterceptionProcess Injection12Rundll321OS Credential DumpingSystem Time Discovery2Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection12LSASS MemorySecurity Software Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSSystem Information Discovery23Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 408913 Sample: kS5hYPcgm8.dll Startdate: 09/05/2021 Architecture: WINDOWS Score: 56 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected  Ursnif 2->61 9 loaddll32.exe 1 2->9         started        process3 process4 11 cmd.exe 1 9->11         started        13 rundll32.exe 9->13         started        15 rundll32.exe 9->15         started        17 5 other processes 9->17 process5 19 rundll32.exe 11->19         started        21 cmd.exe 1 13->21         started        23 cmd.exe 1 13->23         started        25 cmd.exe 1 15->25         started        27 cmd.exe 1 15->27         started        29 cmd.exe 1 17->29         started        31 cmd.exe 1 17->31         started        33 cmd.exe 1 17->33         started        35 3 other processes 17->35 process6 51 2 other processes 19->51 37 conhost.exe 21->37         started        39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        49 conhost.exe 33->49         started        53 3 other processes 35->53 process7 55 conhost.exe 51->55         started        57 conhost.exe 51->57         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
kS5hYPcgm8.dll51%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:408913
Start date:09.05.2021
Start time:08:08:08
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 5s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:kS5hYPcgm8.dll
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:37
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.troj.winDLL@55/0@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 10.2% (good quality ratio 9.5%)
  • Quality average: 73.1%
  • Quality standard deviation: 27.3%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .dll
Warnings:
Show All
  • Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.790056221303965
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:kS5hYPcgm8.dll
File size:960000
MD5:68fc6441db6c5539573adf08f210c39b
SHA1:c67a6a85716e0f1439cae1c1cdf259c271515e85
SHA256:802a752fca3ded051f0655c68012c769232d098d4a57c9887da39fa89070235a
SHA512:e20656f24256170306d05c8604d8d22989304327993d0180a9e9e1d8d699fa6ff66d835c1fa5e120e4bfbd6c802b59f142d53dbb6e86844808b1338b301d5316
SSDEEP:24576:HQfpzjXPgf28CJV4X+IBIJ3cazaLwj1mCG9CpNiLi:IFDgyJV4OaIRj150CpNiLi
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0...0...0....{i.3...9...#...b...4...b...=...b...=....{r.&...0.......b.......b...1...b.b.1...0...1...b...1...Rich0..........

File Icon

Icon Hash:74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:0x1040052
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x1000000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5AC512FB [Wed Apr 4 18:01:31 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:7a79d10b1d4343a18a4f6e25e165b4ae

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F2D188B94F7h
call 00007F2D188B9ED2h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F2D188B939Fh
add esp, 0Ch
pop ebp
retn 000Ch
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F2D188B8D06h
jmp 00007F2D188B94D0h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007F2D188B8CF5h
jmp 00007F2D188B94BFh
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [010E506Ch]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [010E506Ch]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
inc dword ptr fs:[eax]

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0xe35b00x9c.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT0xe364c0x8c.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0xfd0000x9d0.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0xfe0000x5074.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0xde8200x54.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xde8780x40.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x8a0000x26c.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x883dc0x88400False0.544626218463data6.71833205917IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata0x8a0000x5a4400x5a600False0.658643456086data5.95813601066IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0xe50000x17ebc0x1c00False0.184291294643data4.04646123564IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc0xfd0000x9d00xa00False0.396484375data3.77819611332IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0xfe0000x50740x5200False0.726133765244data6.63977268899IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountry
RT_DIALOG0xfd1c00x10edataEnglishUnited States
RT_DIALOG0xfd2d00xc0dBase III DBT, next free block index 4294901761EnglishUnited States
RT_DIALOG0xfd3900x126dataEnglishUnited States
RT_DIALOG0xfd4b80xf0dataEnglishUnited States
RT_DIALOG0xfd5a80xbadataEnglishUnited States
RT_DIALOG0xfd6640xecdataEnglishUnited States
RT_DIALOG0xfd7500x124dataEnglishUnited States
RT_MANIFEST0xfd8740x15aASCII text, with CRLF line terminatorsEnglishUnited States

Imports

DLLImport
KERNEL32.dllSetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetProcessHeap, CreateFileW, SetStdHandle, ReadConsoleW, WriteConsoleW, HeapSize, SetEndOfFile, SetEnvironmentVariableW, GetOEMCP, IsValidCodePage, FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindClose, GetTimeZoneInformation, OutputDebugStringA, OutputDebugStringW, WaitForSingleObjectEx, CreateSemaphoreA, GetSystemTimeAsFileTime, TlsGetValue, VirtualProtectEx, TlsAlloc, GetSystemDirectoryA, GetTempPathA, Sleep, GetCommandLineA, GetModuleHandleA, InitializeCriticalSection, SetSystemPowerState, EnterCriticalSection, VirtualProtect, GetModuleFileNameA, MultiByteToWideChar, GetLastError, FormatMessageW, WideCharToMultiByte, GetStringTypeW, LeaveCriticalSection, DeleteCriticalSection, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsSetValue, TlsFree, GetTickCount, GetModuleHandleW, GetProcAddress, EncodePointer, DecodePointer, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, RtlUnwind, RaiseException, InterlockedPushEntrySList, InterlockedFlushSList, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetCurrentThread, GetACP, GetStdHandle, GetFileType, CloseHandle, WaitForSingleObject, GetExitCodeProcess, CreateProcessA, CreateProcessW, GetFileAttributesExW, WriteFile, GetConsoleCP, GetConsoleMode, GetDateFormatW, GetTimeFormatW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, ReadFile, SetFilePointerEx, HeapReAlloc, SetConsoleCtrlHandler, CreateThread
USER32.dllSetFocus, GetCursorPos, RegisterClassExA, GetFocus, GetClassInfoExA, GetKeyNameTextA, GetWindowTextLengthA, CallWindowProcA, IsDlgButtonChecked, DestroyIcon, AppendMenuA, DrawIconEx, DrawEdge
GDI32.dllBitBlt, DeleteDC, CreatePen, DeleteObject, CreateDCA, GetObjectA, DPtoLP
ole32.dllOleUninitialize, OleSetContainedObject, OleInitialize
SHLWAPI.dllPathFindFileNameA, PathAddBackslashW, PathStripToRootA
DCIMAN32.dllDCICreatePrimary, DCIOpenProvider, GetDCRegionData, DCISetDestination, DCICloseProvider, DCICreateOverlay, GetWindowRegionData, DCIEndAccess, WinWatchDidStatusChange, DCICreateOffscreen, DCISetSrcDestClip, DCIDestroy, DCIDraw, DCISetClipList, DCIEnum, DCIBeginAccess, WinWatchClose

Exports

NameOrdinalAddress
Connectdark10x1021c64
Mindlake20x1020de0
Porthigh30x1021c2c
Problemscale40x1021bf8
WingGrass50x1021b0a

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

General

Start time:08:08:58
Start date:09/05/2021
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll'
Imagebase:0xeb0000
File size:116736 bytes
MD5 hash:542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:08:58
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll',#1
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:08:59
Start date:09/05/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Connectdark
Imagebase:0xbe0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:08:59
Start date:09/05/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\kS5hYPcgm8.dll',#1
Imagebase:0xbe0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:08:59
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Island
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:08:59
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Island
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:08:59
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:08:59
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:09:00
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Matter m
Imagebase:0x7ff797770000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:09:00
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Matter m
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:09:00
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:09:00
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:09:02
Start date:09/05/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Mindlake
Imagebase:0xbe0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:09:03
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Island
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:03
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:05
Start date:09/05/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Porthigh
Imagebase:0xbe0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:05
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Matter m
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:06
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:06
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Island
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:07
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:09
Start date:09/05/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,Problemscale
Imagebase:0xbe0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:10
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Matter m
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:10
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:10
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Island
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:13
Start date:09/05/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\kS5hYPcgm8.dll,WingGrass
Imagebase:0xbe0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:13
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:16
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Island
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:17
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Island
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:18
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:20
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Matter m
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:21
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Matter m
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:26
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:27
Start date:09/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c cd Matter m
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:08:09:28
Start date:09/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Disassembly

Code Analysis

Reset < >