Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
62724e14c3203.dll

Overview

General Information

Sample Name:62724e14c3203.dll
Analysis ID:620140
MD5:d8b1d46801506b84938f864365bc7c81
SHA1:af58e06fafcf944e800ac5029b5a40ce5326db3e
SHA256:ac633cc57571ff54a72dd8cac9236cddef488af8074e08a3b17b53983d3f0733
Tags:dllenelenelenergiagoziisfbitaursnif
Infos:

Detection

Ursnif
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Tries to detect sandboxes and other dynamic analysis tools (window names)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
Uses 32bit PE files
PE file contains an invalid checksum
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Contains capabilities to detect virtual machines
Registers a DLL
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections

Classification

  • System is w10x64
  • loaddll32.exe (PID: 2472 cmdline: loaddll32.exe "C:\Users\user\Desktop\62724e14c3203.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4760 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4612 cmdline: rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3556 cmdline: regsvr32.exe /s C:\Users\user\Desktop\62724e14c3203.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 1340 cmdline: rundll32.exe C:\Users\user\Desktop\62724e14c3203.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
62724e14c3203.dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    No Sigma rule has matched
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: 62724e14c3203.dllVirustotal: Detection: 29%Perma Link
    Source: 62724e14c3203.dllReversingLabs: Detection: 28%
    Source: 62724e14c3203.dllJoe Sandbox ML: detected
    Source: 62724e14c3203.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: 62724e14c3203.dllString found in binary or memory: http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07
    Source: 62724e14c3203.dllString found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
    Source: 62724e14c3203.dllString found in binary or memory: http://pki-ocsp.symauth.com0

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    barindex
    Source: Yara matchFile source: 62724e14c3203.dll, type: SAMPLE

    E-Banking Fraud

    barindex
    Source: Yara matchFile source: 62724e14c3203.dll, type: SAMPLE
    Source: 62724e14c3203.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
    Source: 62724e14c3203.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 62724e14c3203.dllVirustotal: Detection: 29%
    Source: 62724e14c3203.dllReversingLabs: Detection: 28%
    Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
    Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\62724e14c3203.dll"
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\62724e14c3203.dll
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\62724e14c3203.dll,DllRegisterServer
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\62724e14c3203.dll
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\62724e14c3203.dll,DllRegisterServer
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
    Source: classification engineClassification label: mal72.troj.evad.winDLL@9/0@0/0
    Source: 62724e14c3203.dllStatic file information: File size 3735060 > 1048576
    Source: 62724e14c3203.dllStatic PE information: Raw size of .themida is bigger than: 0x100000 < 0x384000
    Source: 62724e14c3203.dllStatic PE information: real checksum: 0x39f49d should be: 0x394d2c
    Source: 62724e14c3203.dllStatic PE information: section name: .exports
    Source: 62724e14c3203.dllStatic PE information: section name: .imports
    Source: 62724e14c3203.dllStatic PE information: section name: .themida
    Source: 62724e14c3203.dllStatic PE information: section name: .taggant
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\62724e14c3203.dll
    Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: Yara matchFile source: 62724e14c3203.dll, type: SAMPLE
    Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    barindex
    Source: C:\Windows\System32\loaddll32.exeSystem information queried: FirmwareTableInformation
    Source: C:\Windows\SysWOW64\regsvr32.exeSystem information queried: FirmwareTableInformation
    Source: C:\Windows\System32\loaddll32.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: C:\Windows\SysWOW64\regsvr32.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4944Thread sleep time: -1773297476s >= -30000s
    Source: C:\Windows\SysWOW64\rundll32.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
    Source: C:\Windows\SysWOW64\rundll32.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
    Source: C:\Windows\SysWOW64\rundll32.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll32.exeSystem information queried: ModuleInformation
    Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000

    Anti Debugging

    barindex
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: regmonclass
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: procmon_window_class
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: filemonclass
    Source: C:\Windows\SysWOW64\rundll32.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: 62724e14c3203.dll, type: SAMPLE

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: 62724e14c3203.dll, type: SAMPLE
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management Instrumentation1
    DLL Side-Loading
    11
    Process Injection
    1
    Regsvr32
    OS Credential Dumping31
    Security Software Discovery
    Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    DLL Side-Loading
    1
    Rundll32
    LSASS Memory221
    Virtualization/Sandbox Evasion
    Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)221
    Virtualization/Sandbox Evasion
    Security Account Manager2
    System Information Discovery
    SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
    Software Packing
    NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
    Process Injection
    LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common1
    DLL Side-Loading
    Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    SourceDetectionScannerLabelLink
    62724e14c3203.dll29%VirustotalBrowse
    62724e14c3203.dll29%ReversingLabsWin32.Trojan.Ursnif
    62724e14c3203.dll100%Joe Sandbox ML
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    SourceDetectionScannerLabelLink
    http://pki-ocsp.symauth.com00%URL Reputationsafe
    No contacted domains info
    NameSourceMaliciousAntivirus DetectionReputation
    http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr62724e14c3203.dllfalse
      high
      http://pki-ocsp.symauth.com062724e14c3203.dllfalse
      • URL Reputation: safe
      unknown
      http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl0762724e14c3203.dllfalse
        high
        No contacted IP infos
        Joe Sandbox Version:34.0.0 Boulder Opal
        Analysis ID:620140
        Start date and time: 04/05/202211:59:272022-05-04 11:59:27 +02:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 6m 33s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:62724e14c3203.dll
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed:19
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal72.troj.evad.winDLL@9/0@0/0
        EGA Information:Failed
        HDC Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .dll
        • Adjust boot time
        • Enable AMSI
        • Override analysis time to 240s for rundll32
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 20.40.129.122, 23.211.6.115
        • Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, fs.microsoft.com, store-images.s-microsoft.com, arc.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, time.windows.com, iris-de-prod-azsc-frc.francecentral.cloudapp.azure.com, arc.msn.com
        • Not all processes where analyzed, report is missing behavior information
        TimeTypeDescription
        12:00:32API Interceptor1x Sleep call for process: regsvr32.exe modified
        12:00:32API Interceptor1x Sleep call for process: rundll32.exe modified
        12:00:36API Interceptor2x Sleep call for process: loaddll32.exe modified
        No context
        No context
        No context
        No context
        No context
        No created / dropped files found
        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Entropy (8bit):6.015061702913002
        TrID:
        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
        • Generic Win/DOS Executable (2004/3) 0.20%
        • DOS Executable Generic (2002/1) 0.20%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:62724e14c3203.dll
        File size:3735060
        MD5:d8b1d46801506b84938f864365bc7c81
        SHA1:af58e06fafcf944e800ac5029b5a40ce5326db3e
        SHA256:ac633cc57571ff54a72dd8cac9236cddef488af8074e08a3b17b53983d3f0733
        SHA512:672ae9a31d0d5a6c6c724d5ca22a408938a15729e8abc93036575062b6ea078e64f7ecd7d4ca2aece79b69520ade7727c0351bb7d6e904212d38f56dc20c30af
        SSDEEP:49152:3TeGCEZ8YnAM+OxCYxsk2GVybVpr7Vt+S/z/:3TBCEZXAM+O4msk2GV4Vprxt+SL/
        TLSH:36065AE1760AA5CFD09A5AF89813CF026B3C53F94A115D13EDA9787F6D63CC13289E24
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\o...............v.......v..........w............................v.......v.......v......Rich....................PE..L....Chb...
        Icon Hash:74f0e4ecccdce0e4
        Entrypoint:0x10394000
        Entrypoint Section:.taggant
        Digitally signed:false
        Imagebase:0x10000000
        Subsystem:windows gui
        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
        DLL Characteristics:
        Time Stamp:0x626843F2 [Tue Apr 26 19:11:46 2022 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:5
        OS Version Minor:0
        File Version Major:5
        File Version Minor:0
        Subsystem Version Major:5
        Subsystem Version Minor:0
        Import Hash:c846031d91edf5130318f0a56b358ac5
        Instruction
        jmp 00007FB628B3664Ah
        pmaxub mm7, qword ptr [eax]
        add byte ptr [eax], al
        add byte ptr [eax], al
        add cl, ch
        add byte ptr [eax], ah
        add byte ptr [eax], al
        push esp
        inc ecx
        inc edi
        inc edi
        add byte ptr [eax], ah
        add byte ptr [eax], al
        loop 00007FB628B3664Eh
        add byte ptr [eax], al
        add dword ptr [eax], eax
        xor byte ptr [edx+0906DE0Ch], al
        sub al, byte ptr [esi+0DF78648h]
        add dword ptr [edi], eax
        add ah, byte ptr [eax+30CF0C82h]
        or byte ptr [ebx+ecx*8], 00000002h
        add dword ptr [ecx], eax
        xor dword ptr [09060B30h], ecx
        pushad
        xchg byte ptr [eax+01h], cl
        add eax, dword ptr [edx+eax]
        add dword ptr [eax], esi
        and ecx, 862A0906h
        dec eax
        xchg bh, dh
        or eax, A0010701h
        adc ebx, D0D08104h
        add byte ptr [ecx], al
        add byte ptr [ecx], al
        sal dword ptr [ecx+000003A1h], 00000000h
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [ecx], al
        add byte ptr [ecx+60h], bh
        xchg dword ptr [edx+edi*2], ebp
        xor byte ptr [edi-0Ch], ch
        insd
        jnbe 00007FB628B36691h
        pushfd
        push eax
        les esi, esp
        cmp dword ptr [1EFF9DD7h], eax
        stosd
        mov al, byte ptr [5C67BBA0h]
        cli
        pop ecx
        xor bh, bh
        add byte ptr [ecx], al
        add byte ptr [ecx], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [esi+edi*8], dl
        cmp byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        sub al, byte ptr [eax]
        add al, byte ptr [eax]
        add dword ptr [eax], eax
        imul ebp, dword ptr [edx], F0h
        Programming Language:
        • [ASM] VS2008 SP1 build 30729
        • [LNK] VS2008 SP1 build 30729
        • [IMP] VS2008 SP1 build 30729
        • [EXP] VS2008 SP1 build 30729
        NameVirtual AddressVirtual Size Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT0xe0000x4c.exports
        IMAGE_DIRECTORY_ENTRY_IMPORT0xf07b0x6c.imports
        IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
        IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IAT0x00x0
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
        .text0x10000x16b70x1800False0.700846354167data6.45396003483IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .rdata0x30000x59c0x600False0.185546875data1.83732227468IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data0x40000x25c0x200False0.08984375data0.369416603835IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .bss0x50000x2dc0x400False0.7626953125data6.25781926122IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .reloc0x60000x80000x7200False0.970086348684data7.85482039795IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .exports0xe0000x10000x200False0.140625data0.781993247616IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .imports0xf0000x10000x200False0.26171875data2.01907876474IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .themida0x100000x3840000x384000unknownunknownunknownunknownIMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .taggant0x3940000x22000x2014False0.32976132489DOS executable (COM)3.88631067097IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        DLLImport
        kernel32.dllGetModuleHandleA
        ntdll.dll_snwprintf
        ADVAPI32.dllConvertStringSecurityDescriptorToSecurityDescriptorA
        NameOrdinalAddress
        DllRegisterServer10x100011c2
        No network behavior found

        Click to jump to process

        Target ID:0
        Start time:12:00:29
        Start date:04/05/2022
        Path:C:\Windows\System32\loaddll32.exe
        Wow64 process (32bit):true
        Commandline:loaddll32.exe "C:\Users\user\Desktop\62724e14c3203.dll"
        Imagebase:0x140000
        File size:116736 bytes
        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:1
        Start time:12:00:29
        Start date:04/05/2022
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
        Imagebase:0x1190000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:2
        Start time:12:00:30
        Start date:04/05/2022
        Path:C:\Windows\SysWOW64\regsvr32.exe
        Wow64 process (32bit):true
        Commandline:regsvr32.exe /s C:\Users\user\Desktop\62724e14c3203.dll
        Imagebase:0xb70000
        File size:20992 bytes
        MD5 hash:426E7499F6A7346F0410DEAD0805586B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:3
        Start time:12:00:30
        Start date:04/05/2022
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\62724e14c3203.dll",#1
        Imagebase:0x970000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:4
        Start time:12:00:30
        Start date:04/05/2022
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\62724e14c3203.dll,DllRegisterServer
        Imagebase:0x970000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        No disassembly