The process for running DLLs on Windows. In normal usage, the rundll32 process will execute specific functions of DLLs via the following format: rundll32.exe <DLL>, <EntryPoint>. Some DLLs contain special functions for running specific files. For example, rundll32 can be used to run .CPL files via the shell32.dll DLL and the Control_RunDLL function. Malware authors often abuse this by creating malicious .CPL files and running them via the rundll32 utility.
Executable’s image path.
%SystemRoot%\System32\rundll32.exe
A process which spawned the analyzed process.
Depends on where the action was requested. If a user clicks on something in the Control Panel, you'll see it running as a child of explorer.exe. If the user opened the network settings from a browser like Chrome or IE, you'll see it running as a child of those processes.
Expected number of instances of the process which may normally run on Windows.
Zero or more
Windows account with which the process was launched. This defines what privileges the process has.
Multiple.
Expected time for the process to be launched.
Start times vary greatly
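
The baseline above can be turned into a triage check over process-creation records. The following is an added example, not part of the original page: the record fields, the finding codes, the C:\Windows value for %SystemRoot% and the rule that a .CPL loaded from an explicit folder outside System32 deserves review are all assumptions made for illustration.

```python
import ntpath
import re

SYSTEM_ROOT = r"C:\Windows"  # assumed value of %SystemRoot% on the monitored hosts
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "System32")
EXPECTED_IMAGE = ntpath.join(SYSTEM32, "rundll32.exe")  # image path given on this page

# rundll32.exe <DLL>,<EntryPoint> [arguments]
CMDLINE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)\s*(?P<args>.*)$',
    re.IGNORECASE,
)

def same_path(a, b):
    """Case-insensitive Windows path comparison."""
    return ntpath.normcase(ntpath.normpath(a)) == ntpath.normcase(ntpath.normpath(b))

def review(event):
    """Return finding codes for one process-creation record (empty list = matches baseline)."""
    findings = []
    if not same_path(event["image"], EXPECTED_IMAGE):
        findings.append("IMAGE_PATH")
    m = CMDLINE.search(event["command_line"])
    if m is None:
        findings.append("UNPARSED_CMDLINE")
        return findings
    dll = ntpath.basename(m["dll"]).lower()
    if dll in ("shell32", "shell32.dll") and m["entry"].lower().startswith("control_rundll"):
        # The applet path comes first; optional ",@n" selectors may follow it.
        cpl = m["args"].split(",")[0].strip().strip('"')
        folder = ntpath.dirname(cpl)
        # Assumption: a .CPL loaded from an explicit folder other than System32 is worth review.
        if folder and not same_path(folder, SYSTEM32):
            findings.append("CPL_OUTSIDE_SYSTEM32")
    return findings

# Constructed sample records, not taken from a real host.
EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": "explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": "chrome.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL "C:\Users\Public\update.cpl"'},
    {"image": r"C:\Users\Public\rundll32.exe", "parent": "explorer.exe",
     "command_line": r"rundll32.exe example.dll,Start"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["parent"], "->", e["command_line"], review(e))
```

The parent process is carried in each record but not scored, since the page notes that it depends on where the action was requested.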