Source: VolumeConverter.dll
Virustotal: Detection: 28%
Source: VolumeConverter.dll
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: VolumeConverter.dll
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: VolumeConverter.dll
Binary string: VolumeConverter.pdb
Source: VolumeConverter.dll
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policy lookup the loader performs for every new process; weak evidence on its own)
Source: classification engine
Classification label: mal52.evad.winDLL@5/0@0/0
Source: unknown
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll'
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1
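The process-creation chain above (loaddll32.exe spawning cmd.exe, which runs rundll32.exe with the DLL path and an ordinal export, ',#1') is the part of this report an endpoint detection would key on. The following is an added example, not part of the report or of the sample: it runs a simple rule over constructed Sysmon-style process events (the event dicts, pid numbers and the benign control record are made up; loaddll32.exe is the sandbox's own loader harness and is included only to reproduce the chain) and flags rundll32 invocations that load a DLL by ordinal from a user-writable path under a shell parent.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events modelled on the process-creation chain in the report
# (not real telemetry). loaddll32.exe is the sandbox's own DLL loader; the
# cmd.exe -> rundll32.exe ',#1' part is what would show up on a real host.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"loaddll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll'"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1"},
    # Benign control (constructed): rundll32 loading a system DLL by export name, no shell parent.
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 syntax: rundll32.exe <dll>,<EntryPoint>, where EntryPoint may be "#ordinal".
RUNDLL_ARGS = re.compile(
    r"rundll32(?:\.exe)?\s+[\"']?(?P<dll>[^\"',]+)[\"']?\s*,\s*(?P<entry>#?\w+)", re.I)
# Assumed set of user-writable roots; extend for your environment.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: Iterable[Dict], pid: int) -> List[str]:
    """Walk ppid links and return image basenames from the root down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def analyze(events: List[Dict]) -> List[Dict]:
    """Flag rundll32 executions that look like proxy execution of a dropped DLL."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "rundll32.exe":
            continue
        m = RUNDLL_ARGS.search(e["cmdline"])
        if not m:
            continue
        dll, entry = m.group("dll").strip(), m.group("entry")
        reasons = []
        if entry.startswith("#"):
            reasons.append("ordinal export")  # ',#1' avoids naming the export
        if USER_WRITABLE.match(dll):
            reasons.append("dll in user-writable path")
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in SHELLS:
            reasons.append("spawned by shell")
        if reasons:
            findings.append({"pid": e["pid"], "dll": dll, "entry": entry,
                             "reasons": reasons, "chain": ancestry(events, e["pid"])})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {' -> '.join(f['chain'])}  "
              f"{f['dll']},{f['entry']}  [{', '.join(f['reasons'])}]")
```

Only the sample's rundll32 process is flagged; the control record (a system DLL loaded by export name with no shell parent) produces no reasons. In production the same three reasons would come from Sysmon event 1 or EDR process telemetry rather than the inline list.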
Source: VolumeConverter.dll, UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs
Cryptographic APIs: 'CreateDecryptor'
Source: VolumeConverter.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: VolumeConverter.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VolumeConverter.dll, UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs
.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0) (reflective lookup, presumably of Marshal.GetDelegateForFunctionPointer, so native code can be called through a function pointer resolved at runtime instead of through a static P/Invoke import)
Source: VolumeConverter.dll
Static PE information: 0xE3671BCB [Fri Nov 24 05:42:35 2090 UTC] (compile timestamp in the future; note that deterministic .NET builds store a content hash in this field, so an impossible date is not by itself evidence of tampering)
Source: VolumeConverter.dll, UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs
High entropy of concatenated method names: '.cctor', 'yj0yHNuMrdpao', 'vkvqDuToQ', 'mrRwKpaeG', 'ePe66v97i', 'LOhH8kIuQ', 'OnjGyypT5', 'z0qpR2EH5', 'NKWZeaNup', 'AJF3hU2Kt'
Source: VolumeConverter.dll, VolumeConverter/volumeConverter.cs
High entropy of concatenated method names: '.ctor', 'HvNJVTSIf', 'zSZ4Odeln', 'Dispose', 'QLRvPUjC1', 'g8N7k6PVPZscc8xn6k', 'gX6EmcZJUjQFlks9cF', 'nMm0ETqL131gGHwf38', 'TcrFfqspiWR1dIdcHd', 'aPQv2Bw4MYLAtN3TMb'
Source: VolumeConverter.dll, ss/ff.cs
High entropy of concatenated method names: 'tIorFj6tD', 'gVdjINcNQ', 'vr0I6VLFM', 'dd', '.cctor', 'RMWchDXxxUZSmyN6ug', 'Gr4MufHA1NoZ7FuyRH', 'BuneWGTh51JfvPm2ci', 'iGZ2Zttd9SIKxE4qlG', 'I2eNcn0uqlUSJImKfc'
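Two of the static findings above are heuristics worth being able to reproduce outside the sandbox: the "High entropy of concatenated method names" score on the three listed types, and the PE compile timestamp 0xE3671BCB that decodes to November 2090. The following is an added example, not part of the report; the method names are copied from the report's three findings, while BENIGN_METHODS (a constructed control), the 4.8-bit threshold and the year-2000 floor are assumptions chosen for illustration.

```python
import math
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Method-name sets copied from the report's "High entropy of concatenated method names" findings.
PAGE_METHOD_SETS = {
    "UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs": ['.cctor', 'yj0yHNuMrdpao', 'vkvqDuToQ', 'mrRwKpaeG', 'ePe66v97i', 'LOhH8kIuQ', 'OnjGyypT5', 'z0qpR2EH5', 'NKWZeaNup', 'AJF3hU2Kt'],
    "VolumeConverter/volumeConverter.cs": ['.ctor', 'HvNJVTSIf', 'zSZ4Odeln', 'Dispose', 'QLRvPUjC1', 'g8N7k6PVPZscc8xn6k', 'gX6EmcZJUjQFlks9cF', 'nMm0ETqL131gGHwf38', 'TcrFfqspiWR1dIdcHd', 'aPQv2Bw4MYLAtN3TMb'],
    "ss/ff.cs": ['tIorFj6tD', 'gVdjINcNQ', 'vr0I6VLFM', 'dd', '.cctor', 'RMWchDXxxUZSmyN6ug', 'Gr4MufHA1NoZ7FuyRH', 'BuneWGTh51JfvPm2ci', 'iGZ2Zttd9SIKxE4qlG', 'I2eNcn0uqlUSJImKfc'],
}
# Constructed control: what a hand-written type with a similar member count might look like.
BENIGN_METHODS = ['.ctor', 'Dispose', 'ConvertVolume', 'GetVolume', 'SetVolume', 'OnClick', 'Initialize', 'ToString']

ENTROPY_THRESHOLD = 4.8  # assumed cut-off in bits/char; tune against your own corpus


def shannon_entropy(data: str) -> float:
    """Bits per character of the string (upper bound is log2 of the number of distinct symbols)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def method_name_entropy(names: Iterable[str]) -> float:
    """The report's metric: entropy of all method names joined into one string."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names: Iterable[str], threshold: float = ENTROPY_THRESHOLD) -> bool:
    return method_name_entropy(names) > threshold


def pe_timestamp_to_utc(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch; decode without
    relying on the platform's time_t range (2090 is beyond 32-bit time)."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def implausible_build_time(ts: int, now: Optional[datetime] = None) -> bool:
    """True if the stamp is in the future or before the assumed year-2000 floor.
    Caveat: deterministic .NET builds write a content hash into this field, so a
    nonsense date alone is not proof of timestomping."""
    now = now or datetime.now(timezone.utc)
    when = pe_timestamp_to_utc(ts)
    return when > now or when < datetime(2000, 1, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    for src, names in PAGE_METHOD_SETS.items():
        print(f"{src}: {method_name_entropy(names):.2f} bits/char obfuscated={looks_obfuscated(names)}")
    print(f"control: {method_name_entropy(BENIGN_METHODS):.2f} bits/char obfuscated={looks_obfuscated(BENIGN_METHODS)}")
    print(f"0xE3671BCB -> {pe_timestamp_to_utc(0xE3671BCB).isoformat()} implausible={implausible_build_time(0xE3671BCB)}")
```

The three page sets score well above the control because the renamed members use near-uniformly distributed mixed-case letters and digits, whereas English identifiers reuse a small set of letters; the threshold is a tuning knob, not a constant from the report. The timestamp helper reproduces the report's 2090 date exactly and flags it, with the deterministic-build caveat kept next to the check so it is not over-read.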
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe
Thread delayed: delay time: 120000 (ms)