
Analysis Report ed6aa63a_by_Libranalysis

Overview

General Information

Sample Name: ed6aa63a_by_Libranalysis (renamed file extension from none to dll)
Analysis ID: 399795
MD5: ed6aa63a3efc778e6c3f40fb81fc4070
SHA1: ecc5fdc4db51e6db00a05128bdd8a28d1f15d39f
SHA256: 53dfeaa26585a77816d74ce38b16c4b1d3db0cf346d968253eae4797db1ade10

Detection

Dridex
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6484 cmdline: loaddll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6516 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6564 cmdline: rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6552 cmdline: rundll32.exe C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll,RtplDtpmimr67 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 7068 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 944 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7060 cmdline: rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsAddRef MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7076 cmdline: rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsVarRelease MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7092 cmdline: rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsStartProfiling MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7108 cmdline: rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsIdle MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7128 cmdline: rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsCreateArray MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 596 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["78.46.73.125:443", "185.148.168.26:2303", "66.113.160.126:8172"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.667101495.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
0000000A.00000002.678218398.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
00000000.00000002.648546988.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.loaddll32.exe.10000000.2.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
10.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
4.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.10000000.2.unpack | Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["78.46.73.125:443", "185.148.168.26:2303", "66.113.160.126:8172"]}
Multi AV Scanner detection for submitted file
Source: ed6aa63a_by_Libranalysis.dll | ReversingLabs: Detection: 40%
Machine Learning detection for sample
Source: ed6aa63a_by_Libranalysis.dll | Joe Sandbox ML: detected
Source: 4.2.rundll32.exe.2540000.2.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.2b20000.2.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 10.2.rundll32.exe.2f50000.2.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 0.2.loaddll32.exe.870000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.693392606.0000000005184000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp
              Source: Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.454437973.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp
              Source: Binary string: }KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 0000000B.00000002.608501083.00000000007D2000.00000004.00000001.sdmp
              Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp
              Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp
              Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: FTBUP.pdb source: rundll32.exe, 0000000C.00000002.619356232.0000000010025000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.648756998.0000000010025000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.662788531.0000000010025000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.655611713.0000000010025000.00000002.00020000.sdmp, ed6aa63a_by_Libranalysis.dll
              Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.454437973.000000004B280000.00000004.00000001.sdmp
              Source: Binary string: KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000011.00000002.616516704.0000000000D72000.00000004.00000001.sdmp
              Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp
              Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp
              Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp
              Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp
              Source: Binary string: KERNEL32C:\Windows\System32\KERNEL32.DLLC:\Windows\System32\KERNEL32.DLLRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.608501083.00000000007D2000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.616516704.0000000000D72000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 78.46.73.125:443
Source: Malware configuration extractor | IPs: 185.148.168.26:2303
Source: Malware configuration extractor | IPs: 66.113.160.126:8172
Source: Joe Sandbox View | IP Address: 78.46.73.125
Source: Joe Sandbox View | IP Address: 185.148.168.26
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | ASN Name: EVERSCALE-ASDE
Source: Joe Sandbox View | ASN Name: HOSTWAYUS
Source: rundll32.exe, 0000000C.00000002.619371426.000000001002C000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.648781863.000000001002C000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.664880240.000000001002C000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.657864001.000000001002C000.00000002.00020000.sdmp, ed6aa63a_by_Libranalysis.dll | String found in binary or memory: http://ansicon.adoxa.vze.com/6

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match | File source: 00000004.00000002.667101495.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.678218398.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.648546988.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10011460
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000846C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001494
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000A52C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10011D58
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10019348
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10010754
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100090CC
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 944
Source: ed6aa63a_by_Libranalysis.dll | Binary or memory string: OriginalFilenameGCNI32.dll0 vs ed6aa63a_by_Libranalysis.dll
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal80.troj.evad.winDLL@19/0@0/3
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6552
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6484
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9D5.tmp
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll,RtplDtpmimr67
Source: ed6aa63a_by_Libranalysis.dll | ReversingLabs: Detection: 40%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll,RtplDtpmimr67
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsAddRef
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 944
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsVarRelease
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsStartProfiling
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsIdle
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsCreateArray
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 596
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000F6CC push esi; mov dword ptr [esp], 00000000h | 0_2_1000F6CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02713730 pushfd ; retf 0076h | 4_2_02713732
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_1000508E push ecx; iretd | 12_2_1000508F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_100070D5 push ebp; ret | 12_2_100070D6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10006212 push ebp; iretd | 12_2_10006215
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10002E4C pushfd ; retf | 12_2_10002E62
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10007340 pushfd ; retf | 12_2_10007344
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10007351 pushfd ; iretd | 12_2_1000735D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10002BC2 push eax; ret | 12_2_10002BC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10007BFD pushfd ; iretd | 12_2_10007BFE
Source: initial sample | Static PE information: section name: .text entropy: 7.56767902916
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Tries to delay execution (extensive OutputDebugStringW loop)
              Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: OutputDebugStringW count: 109
              Tries to detect sandboxes / dynamic malware analysis system (file name check)
              Source: C:\Windows\System32\loaddll32.exe | Section loaded: \KnownDlls32\Testapp.EXE
              Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE
              Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE
              Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE
              Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE
              Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE
              Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE
              Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE
              Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
              Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
              Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
              Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
              Source: WerFault.exe, 0000000B.00000002.688371233.0000000004E70000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: WerFault.exe, 0000000B.00000002.688371233.0000000004E70000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: WerFault.exe, 0000000B.00000002.688371233.0000000004E70000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: WerFault.exe, 0000000B.00000002.688371233.0000000004E70000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,0_2_10006D50
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',#1
              Source: loaddll32.exe, 00000000.00000002.646263571.0000000000F30000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.681703669.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.646585353.0000000002B90000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.649980621.0000000003600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.646988818.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.619286869.0000000002E50000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.648668639.0000000003960000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.642836703.0000000002D70000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.653425413.00000000032B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.680481021.0000000003830000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: loaddll32.exe, 00000000.00000002.646263571.0000000000F30000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.681703669.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.646585353.0000000002B90000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.649980621.0000000003600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.646988818.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.619286869.0000000002E50000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.648668639.0000000003960000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.642836703.0000000002D70000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.653425413.00000000032B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.680481021.0000000003830000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: loaddll32.exe, 00000000.00000002.646263571.0000000000F30000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.681703669.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.646585353.0000000002B90000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.649980621.0000000003600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.646988818.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.619286869.0000000002E50000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.648668639.0000000003960000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.642836703.0000000002D70000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.653425413.00000000032B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.680481021.0000000003830000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
              Source: loaddll32.exe, 00000000.00000002.646263571.0000000000F30000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.681703669.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.646585353.0000000002B90000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.649980621.0000000003600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.646988818.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.619286869.0000000002E50000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.648668639.0000000003960000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.642836703.0000000002D70000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.653425413.00000000032B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.680481021.0000000003830000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,0_2_10006D50
              Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,0_2_10006D50
              Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Virtualization/Sandbox Evasion21 | OS Credential Dumping | Security Software Discovery111 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll321 | NTDS | Account Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | (none) | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing3 | LSA Secrets | System Owner/User Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | (none) | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | (none) | Abuse Accessibility Features

              Behavior Graph

              Behavior Graph ID: 399795