Loading... Additional Content is being loaded
Windows Analysis Report vZ1WZMpxTY
Overview
General Information
| Sample Name: | vZ1WZMpxTY (renamed file extension from none to dll) |
| Analysis ID: | 492780 |
| MD5: | c10ee36fe08388fce375f320660bc91c |
| SHA1: | 6477666e70f87ff53040e98f324660a5167eb4f4 |
| SHA256: | d8bc15335ca8daa9a8a67fc2261636775be4dde332d8a0944017676926236da3 |
| Tags: | Dridexexe |
| Infos: | |
|
Most interesting Screenshot:  |
|
Detection
Dridex
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Potential key logger detected (key state polling based)
Registers a DLL
PE file contains more sections than normal
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
AV Detection: |
  |
|---|
| Multi AV Scanner detection for submitted file |
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
Metadefender: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Antivirus / Scanner detection for submitted sample |
| Source: |
Avira: |
||
| Antivirus detection for dropped file |
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Machine Learning detection for sample |
| Source: |
Joe Sandbox ML: |
||
| Machine Learning detection for dropped file |
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
Static PE information: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Code function: |
0_2_000000014005D290 | |
| Source: |
Code function: |
26_2_000001B52155D290 | |
| Source: |
Code function: |
26_2_00007FF6D6061280 | |
| Source: |
Code function: |
26_2_00007FF6D606B2F4 | |
| Source: |
Memory has grown: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
DNS traffic detected: |
||
| Source: |
Code function: |
26_2_00007FF6D606BB2C | |
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
|
|---|
| Potential key logger detected (key state polling based) |
| Source: |
Code function: |
32_2_00007FF7A1D15700 | |
| Contains functionality to retrieve information about pressed keystrokes |
| Source: |
Code function: |
32_2_00007FF7A1CF2950 | |
E-Banking Fraud: |
|
|---|
| Yara detected Dridex unpacked file |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
System Summary: |
|
|---|
| Detected potential crypto function |
| Source: |
Code function: |
0_2_0000000140034870 | |
| Source: |
Code function: |
0_2_0000000140035270 | |
| Source: |
Code function: |
0_2_0000000140048AC0 | |
| Source: |
Code function: |
0_2_000000014005C340 | |
| Source: |
Code function: |
0_2_0000000140065B80 | |
| Source: |
Code function: |
0_2_000000014006A4B0 | |
| Source: |
Code function: |
0_2_00000001400524B0 | |
| Source: |
Code function: |
0_2_0000000140026CC0 | |
| Source: |
Code function: |
0_2_000000014004BD40 | |
| Source: |
Code function: |
0_2_00000001400495B0 | |
| Source: |
Code function: |
0_2_0000000140036F30 | |
| Source: |
Code function: |
0_2_0000000140069010 | |
| Source: |
Code function: |
0_2_0000000140001010 | |
| Source: |
Code function: |
0_2_0000000140066020 | |
| Source: |
Code function: |
0_2_000000014002F840 | |
| Source: |
Code function: |
0_2_000000014005D850 | |
| Source: |
Code function: |
0_2_0000000140064080 | |
| Source: |
Code function: |
0_2_0000000140010880 | |
| Source: |
Code function: |
0_2_00000001400688A0 | |
| Source: |
Code function: |
0_2_000000014002D0D0 | |
| Source: |
Code function: |
0_2_00000001400018D0 | |
| Source: |
Code function: |
0_2_0000000140016100 | |
| Source: |
Code function: |
0_2_000000014001D100 | |
| Source: |
Code function: |
0_2_000000014002A110 | |
| Source: |
Code function: |
0_2_000000014001D910 | |
| Source: |
Code function: |
0_2_0000000140015120 | |
| Source: |
Code function: |
0_2_000000014000B120 | |
| Source: |
Code function: |
0_2_000000014004F940 | |
| Source: |
Code function: |
0_2_0000000140039140 | |
| Source: |
Code function: |
0_2_0000000140023140 | |
| Source: |
Code function: |
0_2_0000000140057950 | |
| Source: |
Code function: |
0_2_000000014001E170 | |
| Source: |
Code function: |
0_2_0000000140002980 | |
| Source: |
Code function: |
0_2_00000001400611A0 | |
| Source: |
Code function: |
0_2_00000001400389A0 | |
| Source: |
Code function: |
0_2_00000001400381A0 | |
| Source: |
Code function: |
0_2_000000014002E1B0 | |
| Source: |
Code function: |
0_2_00000001400139D0 | |
| Source: |
Code function: |
0_2_00000001400319F0 | |
| Source: |
Code function: |
0_2_000000014002EA00 | |
| Source: |
Code function: |
0_2_0000000140022A00 | |
| Source: |
Code function: |
0_2_000000014003B220 | |
| Source: |
Code function: |
0_2_0000000140067A40 | |
| Source: |
Code function: |
0_2_0000000140069A50 | |
| Source: |
Code function: |
0_2_0000000140007A60 | |
| Source: |
Code function: |
0_2_000000014003AAC0 | |
| Source: |
Code function: |
0_2_000000014003A2E0 | |
| Source: |
Code function: |
0_2_0000000140062B00 | |
| Source: |
Code function: |
0_2_0000000140018300 | |
| Source: |
Code function: |
0_2_000000014002FB20 | |
| Source: |
Code function: |
0_2_0000000140031340 | |
| Source: |
Code function: |
0_2_0000000140022340 | |
| Source: |
Code function: |
0_2_0000000140017B40 | |
| Source: |
Code function: |
0_2_000000014000BB40 | |
| Source: |
Code function: |
0_2_000000014004EB60 | |
| Source: |
Code function: |
0_2_0000000140005370 | |
| Source: |
Code function: |
0_2_000000014002CB80 | |
| Source: |
Code function: |
0_2_000000014006B390 | |
| Source: |
Code function: |
0_2_0000000140054BA0 | |
| Source: |
Code function: |
0_2_0000000140033BB0 | |
| Source: |
Code function: |
0_2_00000001400263C0 | |
| Source: |
Code function: |
0_2_00000001400123C0 | |
| Source: |
Code function: |
0_2_0000000140063BD0 | |
| Source: |
Code function: |
0_2_00000001400663F0 | |
| Source: |
Code function: |
0_2_0000000140023BF0 | |
| Source: |
Code function: |
0_2_000000014006B41B | |
| Source: |
Code function: |
0_2_000000014006B424 | |
| Source: |
Code function: |
0_2_000000014006B42D | |
| Source: |
Code function: |
0_2_000000014006B436 | |
| Source: |
Code function: |
0_2_000000014006B43D | |
| Source: |
Code function: |
0_2_0000000140024440 | |
| Source: |
Code function: |
0_2_0000000140005C40 | |
| Source: |
Code function: |
0_2_000000014006B446 | |
| Source: |
Code function: |
0_2_000000014005F490 | |
| Source: |
Code function: |
0_2_0000000140022D00 | |
| Source: |
Code function: |
0_2_0000000140035520 | |
| Source: |
Code function: |
0_2_0000000140019D20 | |
| Source: |
Code function: |
0_2_0000000140030530 | |
| Source: |
Code function: |
0_2_0000000140023530 | |
| Source: |
Code function: |
0_2_0000000140031540 | |
| Source: |
Code function: |
0_2_0000000140033540 | |
| Source: |
Code function: |
0_2_000000014007BD50 | |
| Source: |
Code function: |
0_2_0000000140078570 | |
| Source: |
Code function: |
0_2_0000000140019580 | |
| Source: |
Code function: |
0_2_00000001400205A0 | |
| Source: |
Code function: |
0_2_0000000140025DB0 | |
| Source: |
Code function: |
0_2_0000000140071DC0 | |
| Source: |
Code function: |
0_2_000000014000C5C0 | |
| Source: |
Code function: |
0_2_000000014002DDE0 | |
| Source: |
Code function: |
0_2_0000000140031DF0 | |
| Source: |
Code function: |
0_2_000000014000DDF0 | |
| Source: |
Code function: |
0_2_0000000140001620 | |
| Source: |
Code function: |
0_2_0000000140018630 | |
| Source: |
Code function: |
0_2_0000000140032650 | |
| Source: |
Code function: |
0_2_0000000140064E80 | |
| Source: |
Code function: |
0_2_0000000140016E80 | |
| Source: |
Code function: |
0_2_0000000140007EA0 | |
| Source: |
Code function: |
0_2_00000001400286B0 | |
| Source: |
Code function: |
0_2_0000000140006EB0 | |
| Source: |
Code function: |
0_2_00000001400276C0 | |
| Source: |
Code function: |
0_2_000000014002FEC0 | |
| Source: |
Code function: |
0_2_000000014002EED0 | |
| Source: |
Code function: |
0_2_000000014002B6E0 | |
| Source: |
Code function: |
0_2_0000000140053F20 | |
| Source: |
Code function: |
0_2_0000000140022730 | |
| Source: |
Code function: |
0_2_0000000140029780 | |
| Source: |
Code function: |
0_2_0000000140018F80 | |
| Source: |
Code function: |
0_2_000000014003EFB0 | |
| Source: |
Code function: |
0_2_00000001400067B0 | |
| Source: |
Code function: |
0_2_00000001400667D0 | |
| Source: |
Code function: |
0_2_0000000140060FE0 | |
| Source: |
Code function: |
20_2_00007FF69ED331D0 | |
| Source: |
Code function: |
20_2_00007FF69ED52128 | |
| Source: |
Code function: |
20_2_00007FF69ED356F4 | |
| Source: |
Code function: |
20_2_00007FF69ED362F4 | |
| Source: |
Code function: |
20_2_00007FF69ED346C0 | |
| Source: |
Code function: |
20_2_00007FF69ED342A0 | |
| Source: |
Code function: |
20_2_00007FF69ED31A80 | |
| Source: |
Code function: |
26_2_000001B52156A4B0 | |
| Source: |
Code function: |
26_2_000001B5215524B0 | |
| Source: |
Code function: |
26_2_000001B521526CC0 | |
| Source: |
Code function: |
26_2_000001B521565B80 | |
| Source: |
Code function: |
26_2_000001B52155C340 | |
| Source: |
Code function: |
26_2_000001B521535520 | |
| Source: |
Code function: |
26_2_000001B52154BD40 | |
| Source: |
Code function: |
26_2_000001B5215495B0 | |
| Source: |
Code function: |
26_2_000001B521534870 | |
| Source: |
Code function: |
26_2_000001B521536F30 | |
| Source: |
Code function: |
26_2_000001B521535270 | |
| Source: |
Code function: |
26_2_000001B52153B220 | |
| Source: |
Code function: |
26_2_000001B52153A2E0 | |
| Source: |
Code function: |
26_2_000001B521548AC0 | |
| Source: |
Code function: |
26_2_000001B52155F490 | |
| Source: |
Code function: |
26_2_000001B52156B42D | |
| Source: |
Code function: |
26_2_000001B52156B41B | |
| Source: |
Code function: |
26_2_000001B52156B424 | |
| Source: |
Code function: |
26_2_000001B52156B446 | |
| Source: |
Code function: |
26_2_000001B52156B436 | |
| Source: |
Code function: |
26_2_000001B521524440 | |
| Source: |
Code function: |
26_2_000001B521505C40 | |
| Source: |
Code function: |
26_2_000001B52156B43D | |
| Source: |
Code function: |
26_2_000001B521522D00 | |
| Source: |
Code function: |
26_2_000001B521505370 | |
| Source: |
Code function: |
26_2_000001B521579360 | |
| Source: |
Code function: |
26_2_000001B52154EB60 | |
| Source: |
Code function: |
26_2_000001B52156B390 | |
| Source: |
Code function: |
26_2_000001B52152CB80 | |
| Source: |
Code function: |
26_2_000001B52152FB20 | |
| Source: |
Code function: |
26_2_000001B521531340 | |
| Source: |
Code function: |
26_2_000001B521522340 | |
| Source: |
Code function: |
26_2_000001B521517B40 | |
| Source: |
Code function: |
26_2_000001B52150BB40 | |
| Source: |
Code function: |
26_2_000001B521523BF0 | |
| Source: |
Code function: |
26_2_000001B5215663F0 | |
| Source: |
Code function: |
26_2_000001B521533BB0 | |
| Source: |
Code function: |
26_2_000001B521554BA0 | |
| Source: |
Code function: |
26_2_000001B521563BD0 | |
| Source: |
Code function: |
26_2_000001B5215263C0 | |
| Source: |
Code function: |
26_2_000001B5215123C0 | |
| Source: |
Code function: |
26_2_000001B521550E60 | |
| Source: |
Code function: |
26_2_000001B521516E80 | |
| Source: |
Code function: |
26_2_000001B521579681 | |
| Source: |
Code function: |
26_2_000001B521564E80 | |
| Source: |
Code function: |
26_2_000001B521518630 | |
| Source: |
Code function: |
26_2_000001B521501620 | |
| Source: |
Code function: |
26_2_000001B521532650 | |
| Source: |
Code function: |
26_2_000001B52152B6E0 | |
| Source: |
Code function: |
26_2_000001B5215286B0 | |
| Source: |
Code function: |
26_2_000001B521506EB0 | |
| Source: |
Code function: |
26_2_000001B521507EA0 | |
| Source: |
Code function: |
26_2_000001B52152EED0 | |
| Source: |
Code function: |
26_2_000001B521578EBB | |
| Source: |
Code function: |
26_2_000001B52152FEC0 | |
| Source: |
Code function: |
26_2_000001B5215276C0 | |
| Source: |
Code function: |
26_2_000001B521578570 | |
| Source: |
Code function: |
26_2_000001B521519580 | |
| Source: |
Code function: |
26_2_000001B521530530 | |
| Source: |
Code function: |
26_2_000001B521523530 | |
| Source: |
Code function: |
26_2_000001B521519D20 | |
| Source: |
Code function: |
26_2_000001B52157BD50 | |
| Source: |
Code function: |
26_2_000001B521531540 | |
| Source: |
Code function: |
26_2_000001B521533540 | |
| Source: |
Code function: |
26_2_000001B521578D3F | |
| Source: |
Code function: |
26_2_000001B52157D5F0 | |
| Source: |
Code function: |
26_2_000001B521531DF0 | |
| Source: |
Code function: |
26_2_000001B52150DDF0 | |
| Source: |
Code function: |
26_2_000001B52152DDE0 | |
| Source: |
Code function: |
26_2_000001B521525DB0 | |
| Source: |
Code function: |
26_2_000001B5215205A0 | |
| Source: |
Code function: |
26_2_000001B52150C5C0 | |
| Source: |
Code function: |
26_2_000001B521571DC0 | |
| Source: |
Code function: |
26_2_000001B521510880 | |
| Source: |
Code function: |
26_2_000001B521564080 | |
| Source: |
Code function: |
26_2_000001B521566020 | |
| Source: |
Code function: |
26_2_000001B52155D850 | |
| Source: |
Code function: |
26_2_000001B52152F840 | |
| Source: |
Code function: |
26_2_000001B52151D910 | |
| Source: |
Code function: |
26_2_000001B52152A110 | |
| Source: |
Code function: |
26_2_000001B52151D100 | |
| Source: |
Code function: |
26_2_000001B521516100 | |
| Source: |
Code function: |
26_2_000001B5215688A0 | |
| Source: |
Code function: |
26_2_000001B52152D0D0 | |
| Source: |
Code function: |
26_2_000001B5215018D0 | |
| Source: |
Code function: |
26_2_000001B521529780 | |
| Source: |
Code function: |
26_2_000001B521518F80 | |
| Source: |
Code function: |
26_2_000001B521522730 | |
| Source: |
Code function: |
26_2_000001B521553F20 | |
| Source: |
Code function: |
26_2_000001B521560FE0 | |
| Source: |
Code function: |
26_2_000001B521501010 | |
| Source: |
Code function: |
26_2_000001B521569010 | |
| Source: |
Code function: |
26_2_000001B5215067B0 | |
| Source: |
Code function: |
26_2_000001B52153EFB0 | |
| Source: |
Code function: |
26_2_000001B5215667D0 | |
| Source: |
Code function: |
26_2_000001B521507A60 | |
| Source: |
Code function: |
26_2_000001B521569A50 | |
| Source: |
Code function: |
26_2_000001B521567A40 | |
| Source: |
Code function: |
26_2_000001B521518300 | |
| Source: |
Code function: |
26_2_000001B521562B00 | |
| Source: |
Code function: |
26_2_000001B52153AAC0 | |
| Source: |
Code function: |
26_2_000001B52151E170 | |
| Source: |
Code function: |
26_2_000001B521502980 | |
| Source: |
Code function: |
26_2_000001B521515120 | |
| Source: |
Code function: |
26_2_000001B52150B120 | |
| Source: |
Code function: |
26_2_000001B521557950 | |
| Source: |
Code function: |
26_2_000001B521539140 | |
| Source: |
Code function: |
26_2_000001B521523140 | |
| Source: |
Code function: |
26_2_000001B52154F940 | |
| Source: |
Code function: |
26_2_000001B5215319F0 | |
| Source: |
Code function: |
26_2_000001B52152EA00 | |
| Source: |
Code function: |
26_2_000001B521522A00 | |
| Source: |
Code function: |
26_2_000001B52152E1B0 | |
| Source: |
Code function: |
26_2_000001B5215389A0 | |
| Source: |
Code function: |
26_2_000001B5215381A0 | |
| Source: |
Code function: |
26_2_000001B5215611A0 | |
| Source: |
Code function: |
26_2_000001B5215139D0 | |
| Source: |
Code function: |
26_2_000001B52157C9D0 | |
| Source: |
Code function: |
26_2_00007FF6D6062B60 | |
| Source: |
Code function: |
26_2_00007FF6D60687C0 | |
| Source: |
Code function: |
26_2_00007FF6D606487C | |
| Source: |
Code function: |
26_2_00007FF6D6067CB0 | |
| Source: |
Code function: |
26_2_00007FF6D606CCD0 | |
| Source: |
Code function: |
26_2_00007FF6D606A0BC | |
| Source: |
Code function: |
26_2_00007FF6D6065940 | |
| Source: |
Code function: |
26_2_00007FF6D6063DC8 | |
| Source: |
Code function: |
26_2_00007FF6D6066A70 | |
| Source: |
Code function: |
26_2_00007FF6D6067328 | |
| Source: |
Code function: |
26_2_00007FF6D6061334 | |
| Source: |
Code function: |
32_2_00007FF7A1D0EAFC | |
| Source: |
Code function: |
32_2_00007FF7A1D142C0 | |
| Source: |
Code function: |
32_2_00007FF7A1D04A9C | |
| Source: |
Code function: |
32_2_00007FF7A1D002BC | |
| Source: |
Code function: |
32_2_00007FF7A1D05268 | |
| Source: |
Code function: |
32_2_00007FF7A1D12A88 | |
| Source: |
Code function: |
32_2_00007FF7A1CFBA88 | |
| Source: |
Code function: |
32_2_00007FF7A1CF2A00 | |
| Source: |
Code function: |
32_2_00007FF7A1D239D0 | |
| Source: |
Code function: |
32_2_00007FF7A1D2DCEC | |
| Source: |
Code function: |
32_2_00007FF7A1CFB4B4 | |
| Source: |
Code function: |
32_2_00007FF7A1D094BC | |
| Source: |
Code function: |
32_2_00007FF7A1D0CCC0 | |
| Source: |
Code function: |
32_2_00007FF7A1D01CD0 | |
| Source: |
Code function: |
32_2_00007FF7A1CFFC70 | |
| Source: |
Code function: |
32_2_00007FF7A1CF8484 | |
| Source: |
Code function: |
32_2_00007FF7A1D18C40 | |
| Source: |
Code function: |
32_2_00007FF7A1D2BC08 | |
| Source: |
Code function: |
32_2_00007FF7A1D22BB0 | |
| Source: |
Code function: |
32_2_00007FF7A1D19B44 | |
| Source: |
Code function: |
32_2_00007FF7A1D27EF4 | |
| Source: |
Code function: |
32_2_00007FF7A1D0064C | |
| Source: |
Code function: |
32_2_00007FF7A1CF9DEC | |
| Source: |
Code function: |
32_2_00007FF7A1D2A5B8 | |
| Source: |
Code function: |
32_2_00007FF7A1D02DA4 | |
| Source: |
Code function: |
32_2_00007FF7A1CF9594 | |
| Source: |
Code function: |
32_2_00007FF7A1D1C560 | |
| Source: |
Code function: |
32_2_00007FF7A1D0158C | |
| Source: |
Code function: |
32_2_00007FF7A1D2ED6C | |
| Source: |
Code function: |
32_2_00007FF7A1D218F0 | |
| Source: |
Code function: |
32_2_00007FF7A1D390C0 | |
| Source: |
Code function: |
32_2_00007FF7A1D1B0A0 | |
| Source: |
Code function: |
32_2_00007FF7A1CF7864 | |
| Source: |
Code function: |
32_2_00007FF7A1CFE860 | |
| Source: |
Code function: |
32_2_00007FF7A1D37058 | |
| Source: |
Code function: |
32_2_00007FF7A1D1F070 | |
| Source: |
Code function: |
32_2_00007FF7A1D20010 | |
| Source: |
Code function: |
32_2_00007FF7A1CFAFA8 | |
| Source: |
Code function: |
32_2_00007FF7A1D00F34 | |
| Source: |
Code function: |
32_2_00007FF7A1CF5720 | |
| Contains functionality to launch a process as a different user |
| Source: |
Code function: |
26_2_00007FF6D6064030 | |
| Contains functionality to call native functions |
| Source: |
Code function: |
0_2_0000000140046C90 | |
| Source: |
Code function: |
0_2_000000014006A4B0 | |
| Source: |
Code function: |
26_2_000001B521546C90 | |
| Source: |
Code function: |
26_2_000001B52156A4B0 | |
| Source: |
Code function: |
26_2_000001B521525330 | |
| Source: |
Code function: |
26_2_000001B52153BC10 | |
| Source: |
Code function: |
26_2_000001B521535520 | |
| Source: |
Code function: |
26_2_000001B52153B220 | |
| Source: |
Code function: |
26_2_000001B52153A2E0 | |
| Source: |
Code function: |
32_2_00007FF7A1D10BA4 | |
| Source: |
Code function: |
32_2_00007FF7A1D06B5C | |
| PE file contains strange resources |
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Tries to load missing DLLs |
| Source: |
Section loaded: |
Jump to behavior | ||
| PE file contains more sections than normal |
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Virustotal: |
||
| Source: |
Metadefender: |
||
| Source: |
ReversingLabs: |
||
| Source: |
Static PE information: |
||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
Classification label: |
||
| Source: |
Code function: |
20_2_00007FF69ED3687C | |
| Source: |
File read: |
Jump to behavior | ||
| Source: |
Section loaded: |
||
| Source: |
Code function: |
26_2_000001B52153C240 | |
| Source: |
Process created: |
||
| Source: |
Mutant created: |
||
| Source: |
Mutant created: |
||
| Source: |
Code function: |
26_2_00007FF6D6067CB0 | |
| Source: |
Window detected: |
||
| Source: |
Static PE information: |
||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Static file information: |
||
| Source: |
Static PE information: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
Data Obfuscation: |
|
|---|
| Uses code obfuscation techniques (call, push, ret) |
| Source: |
Code function: |
0_2_0000000140056A4E | |
| Source: |
Code function: |
26_2_000001B521556A4E | |
| PE file contains sections with non-standard names |
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| PE file contains an invalid checksum |
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Binary contains a suspicious time stamp |
| Source: |
Static PE information: |
||
| Registers a DLL |
| Source: |
Process created: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
Persistence and Installation Behavior: |
|
|---|
| Drops files with a non-matching file extension (content does not match file extension) |
| Source: |
File created: |
Jump to dropped file | ||
| Drops PE files |
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
Hooking and other Techniques for Hiding and Protection: |
|
|---|
| Contains functionality to check if a window is minimized (may be used to check if an application is visible) |
| Source: |
Code function: |
32_2_00007FF7A1D01CD0 | |
| Source: |
Code function: |
32_2_00007FF7A1D02480 | |
| Source: |
Code function: |
32_2_00007FF7A1D018AC | |
| Source: |
Code function: |
32_2_00007FF7A1D0386C | |
| Source: |
Code function: |
32_2_00007FF7A1D017DC | |
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
Malware Analysis System Evasion: |
|
|---|
| May sleep (evasive loops) to hinder dynamic analysis |
| Source: |
Thread sleep count: |
Jump to behavior | ||
| Found dropped PE file which has not been started or loaded |
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Process information queried: |
Jump to behavior | ||
| Source: |
Code function: |
0_2_000000014005C340 | |
| Source: |
Code function: |
0_2_000000014005D290 | |
| Source: |
Code function: |
26_2_000001B52155D290 | |
| Source: |
Code function: |
26_2_00007FF6D6061280 | |
| Source: |
Code function: |
26_2_00007FF6D606B2F4 | |
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
Anti Debugging: |
|
|---|
| Contains functionality to check if a debugger is running (IsDebuggerPresent) |
| Source: |
Code function: |
26_2_00007FF6D606487C | |
| Contains functionality to check if a debugger is running (OutputDebugString,GetLastError) |
| Source: |
Code function: |
26_2_00007FF6D606487C | |
| Contains functionality which may be used to detect a debugger (GetProcessHeap) |
| Source: |
Code function: |
20_2_00007FF69ED3202C | |
| Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) |
| Source: |
Code function: |
0_2_0000000140048AC0 | |
| Source: |
Memory allocated: |
||
| Source: |
Code function: |
20_2_00007FF69ED4D918 | |
| Source: |
Code function: |
23_2_00007FF7B5967570 | |
| Source: |
Code function: |
23_2_00007FF7B59677EC | |
| Source: |
Code function: |
26_2_000001B521535520 | |
| Source: |
Code function: |
26_2_00007FF6D606DC70 | |
| Source: |
Code function: |
26_2_00007FF6D606D964 | |
| Source: |
Code function: |
28_2_00007FF6683D16B4 | |
| Source: |
Code function: |
28_2_00007FF6683D1430 | |
| Source: |
Code function: |
32_2_00007FF7A1D38274 | |
| Source: |
Code function: |
32_2_00007FF7A1D38CB8 | |
| Source: |
Code function: |
32_2_00007FF7A1D38E94 | |
HIPS / PFW / Operating System Protection Evasion: |
|
|---|
| Benign windows process drops PE files |
| Source: |
File created: |
Jump to dropped file | ||
| Changes memory attributes in foreign processes to executable or writable |
| Source: |
Memory protected: |
Jump to behavior | ||
| Source: |
Memory protected: |
Jump to behavior | ||
| Source: |
Memory protected: |
Jump to behavior | ||
| Queues an APC in another process (thread injection) |
| Source: |
Thread APC queued: |
Jump to behavior | ||
| Uses Atom Bombing / ProGate to inject into other processes |
| Source: |
Atom created: |
Jump to behavior | ||
| Creates a process in suspended mode (likely to inject code) |
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Code function: |
32_2_00007FF7A1D14708 | |
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
Language, Device and Operating System Detection: |
|
|---|
| Queries the volume information (name, serial number etc) of a device |
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Source: |
Queries volume information: |
|||
| Contains functionality to query locales information (e.g. system language) |
| Source: |
Code function: |
26_2_00007FF6D606CCD0 | |
| Queries the installation date of Windows |
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
Code function: |
20_2_00007FF69ED356F4 | |
| Source: |
Code function: |
26_2_00007FF6D606C7D8 | |
Remote Access Functionality: |
|
|---|
| Contains functionality to open a port and listen for incoming connection (possibly a backdoor) |
| Source: |
Code function: |
20_2_00007FF69ED37390 | |
| Source: |
Code function: |
26_2_00007FF6D6062B60 | |
| Source: |
Code function: |
26_2_00007FF6D60687C0 | |
| Source: |
Code function: |
32_2_00007FF7A1CFCF08 | |
| Source: |
Code function: |
32_2_00007FF7A1CF9DEC | |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Contacted Public IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.20.185.68 | geolocation.onetrust.com | United States | 13335 | CLOUDFLARENETUS | false | |
| 87.248.118.22 | edge.gycpi.b.yahoodns.net | United Kingdom | 203220 | YAHOO-DEBDE | false | |
| 104.26.6.139 | btloader.com | United States | 13335 | CLOUDFLARENETUS | false |
Private |
|---|
| IP |
|---|
| 192.168.2.1 |
Contacted Domains
| Name | IP | Active |
|---|---|---|
| contextual.media.net | 23.54.113.52 | true |
| hblg.media.net | 23.54.113.52 | true |
| lg3.media.net | 23.54.113.52 | true |
| btloader.com | 104.26.6.139 | true |
| geolocation.onetrust.com | 104.20.185.68 | true |
| edge.gycpi.b.yahoodns.net | 87.248.118.22 | true |
| s.yimg.com | unknown | unknown |
| web.vortex.data.msn.com | unknown | unknown |
| www.msn.com | unknown | unknown |
| srtb.msn.com | unknown | unknown |
| crcdn01.adnxs-simple.com | unknown | unknown |
| cvision.media.net | unknown | unknown |
Contacted URLs
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
|
high | |
| false |
|
unknown |