| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 25 | 0 - 100 | false | 40% |
Compliance:

| Signature | Evidence |
|---|---|
| Uses 32bit PE files | Static PE information |
| Uses new MSVCR Dlls | File opened |
| Binary contains paths to debug symbols | Binary string (2 entries) |
Spreading:

| Signature | Evidence |
|---|---|
| Checks for available system drives (often done to infect USB drives) | File opened (25 entries) |
| | Code function: 0_2_004221BF, 0_2_0045CFFF |
| | String found in binary or memory (51 entries) |
System Summary:

| Signature | Evidence |
|---|---|
| Contains functionality to shutdown / reboot the system | Code function: 0_2_004480D2 |
| Creates files inside the system directory | File created |
| Detected potential crypto function | Code function: 0_2_0042C46B, 0_2_0049BDC0, 0_2_0048C43E, 0_2_0046C67B, 0_2_004606CF, 0_2_0048874C, 0_2_0049C7EC, 0_2_0046CB50, 0_2_00478C6D, 0_2_0046CF24, 0_2_00499140, 0_2_0046D330, 0_2_0046D750, 0_2_00479A8E, 0_2_00475D76, 0_2_00479D09, 0_2_00475F74, 0_2_0047A00E, 0_2_0048E7C3, 0_2_004967A0, 0_2_0047ABE4, 2_3_007711A1, 2_3_0077132F, 2_2_0227D700, 2_3_00771645 |
| Found potential string decryption / allocating functions | |
| PE file contains strange resources | Static PE information (3 entries) |
| Sample file is different than original file name gathered from version info | Binary or memory string (15 entries) |
| Tries to load missing DLLs | Section loaded (9 entries) |
| Uses 32bit PE files | Static PE information |
| | Classification label |
| | Code function: 0_2_004480D2, 0_2_004437CD, 0_2_00449328, 0_2_00417786 |
| | File created (2 entries) |
| | Mutant created (7 entries) |
| | File created |
| | Command line argument (18 entries, all at code function 0_2_0043E4C0) |
| | Static PE information |
| | WMI Queries (2 entries) |
| | File read |
| | Key opened |
| | File read (2 entries) |
| | Binary or memory string (3 entries) |
| | String found in binary or memory (3 entries) |
| | File read |
| | Process created (52 entries) |
| | Key value queried |
| | File written |
| | Automated click (18 entries) |
| | Window detected |
| | Static file information |
| | File opened |
| | Static PE information |
| | Binary string (2 entries) |
Data Obfuscation:

| Signature | Evidence |
|---|---|
| Contains functionality to dynamically determine API calls | Code function: 0_2_0042C46B |
| PE file contains an invalid checksum | Static PE information |
| Uses code obfuscation techniques (call, push, ret) | Code function: 0_2_004481C4, 0_2_0046A504, 2_3_0076DB3D, 2_2_0074CE75, 2_2_0074CF51, 2_2_00754246, 2_2_0074CE39, 2_2_0074D745, 2_2_0074D731, 2_2_00750EB1, 2_2_0074D905, 2_2_0075AFD9, 2_2_0074E779, 2_2_007552A9, 2_2_0076DB3D, 4_2_020D969A |
Persistence and Installation Behavior:

| Signature | Evidence |
|---|---|
| Drops PE files | File created (2 entries) |
| | Code function: 0_2_00428BED |
Hooking and other Techniques for Hiding and Protection:

| Signature | Evidence |
|---|---|
| Extensive use of GetProcAddress (often used to hide API calls) | Code function: 0_2_0045D179 |
| Monitors certain registry keys / values for changes (often done to protect autostart functionality) | Registry key monitored for changes |
| | Process information set (40 entries) |
Malware Analysis System Evasion:

| Signature | Evidence |
|---|---|
| Contains capabilities to detect virtual machines | File opened / queried |
| Found evasive API chain (may stop execution after checking a module file name) | Evasive API call chain |
| May sleep (evasive loops) to hinder dynamic analysis | Thread sleep time (5 entries); Thread sleep count |
| Queries disk information (often used to detect virtual machines) | File opened |
| Sample execution stops while process was sleeping (likely an evasion) | Last function (8 entries) |
| | File Volume queried (15 entries) |
| | Code function: 0_2_004221BF, 0_2_0045CFFF |
| | Code function: 0_2_004404D3 |
| | Binary or memory string (9 entries) |
Anti Debugging:

| Signature | Evidence |
|---|---|
| Contains functionality to check if a debugger is running (IsDebuggerPresent) | Code function: 0_2_004685B4 |
| Contains functionality to dynamically determine API calls | Code function: 0_2_0042C46B |
| Contains functionality which may be used to detect a debugger (GetProcessHeap) | Code function: 0_2_00409B54 |
| Enables debug privileges | Process token adjusted (2 entries) |
| | Code function: 0_2_004685B4, 0_2_0047D02D |
HIPS / PFW / Operating System Protection Evasion:

| Signature | Evidence |
|---|---|
| Creates a process in suspended mode (likely to inject code) | Process created (6 entries) |
| Uses taskkill to terminate processes | Process created (2 entries) |
| | Code function: 0_2_0043C9DC |
| | Binary or memory string (6 entries) |
Language, Device and Operating System Detection:

| Signature | Evidence |
|---|---|
| Contains functionality to query locales information (e.g. system language) | Code function: 0_2_00480075, 0_2_0048000E, 0_2_004800B1, 0_2_00470458, 0_2_0048D68F, 0_2_0048D923, 0_2_0047D933, 0_2_0047DFD4, 0_2_0047E25F, 0_2_0047E525, 0_2_00486BCC, 0_2_00486BE5 |
| Queries the volume information (name, serial number etc) of a device | Queries volume information (15 entries) |
| | Code function: 0_2_0042C46B |
| | Code function: 0_2_0048CC02 |
| | Code function: 0_2_00432AA2 |
Lowering of HIPS / PFW / Operating System Security Settings:

| Signature | Evidence |
|---|---|
| Changes security center settings (notifications, updates, antivirus, firewall) | Key value created or modified |
| AV process strings found (often used to terminate AV products) | Binary or memory string (2 entries) |
| Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) | WMI Queries (4 entries) |
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|

Private:

| IP |
|---|
| 127.0.0.1 |