Malicious
Classifications

Spyware

Threat Names

Trojan.GenericKDZ.76753 Gen:Variant.Mikey.113998

Dynamic Analysis Report

Created on 2021-09-28T10:23:00

d485423afb5929de201a0fee5476c8b6d7d1a1868b537d7730db9b3e67d6a222.exe.dll

Windows DLL (x86-64)

Remarks (2/2)

(0x02000009): DLL files normally need to be submitted with an appropriate loader. Analysis result may be incomplete if an appropriate loader was not submitted.

(0x0200000E): The overall sleep time of all monitored processes was truncated from "27 minutes, 33 seconds" to "7 minutes, 10 seconds" to reveal dormant functionality.

File Name Category Type Verdict Actions
C:\Users\RDhJ0CNFevzX\Desktop\d485423afb5929de201a0fee5476c8b6d7d1a1868b537d7730db9b3e67d6a222.exe.dll Sample File Binary
malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 1.16 MB
MD5 718a7d9b1fe55a72cfa586e869236df8
SHA1 5d870aeb7951ab6af0900ba837924f79e3716936
SHA256 d485423afb5929de201a0fee5476c8b6d7d1a1868b537d7730db9b3e67d6a222
SSDeep 12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
ImpHash 6668be91e2c948b183827f040944057f
AV Matches (1)
Threat Name Verdict
Trojan.GenericKDZ.76753
malicious
PE Information
Image Base 0x140000000
Entry Point 0x140041070
Size Of Code 0x41000
Size Of Initialized Data 0xe8000
File Type FileType.dll
Subsystem Subsystem.windows_cui
Machine Type MachineType.amd64
Compile Timestamp 2020-02-20 08:35:24+00:00
Version Information (8)
CompanyName Microsoft Corporati
FileDescription Background Intellig
FileVersion 7.5.7600.16385 (win7_rtm.090713-
InternalName bitsp
LegalCopyright © Microsoft Corporation. All rights reserv
OriginalFilename kbdy
ProductName Microsoft® Windows® Operating S
ProductVersion 6.1.7600
Sections (34)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140001000 0x40796 0x41000 0x1000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.73
.rdata 0x140042000 0x64fcb 0x65000 0x42000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.87
.data 0x1400a7000 0x178b8 0x18000 0xa7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.32
.pdata 0x1400bf000 0x12c 0x1000 0xbf000 IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.58
.rsrc 0x1400c0000 0x880 0x1000 0xc0000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 1.24
.reloc 0x1400c1000 0x2324 0x3000 0xc1000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 4.65
.qkm 0x1400c4000 0x74a 0x1000 0xc4000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.cvjb 0x1400c5000 0x1e66 0x2000 0xc5000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.tlmkv 0x1400c7000 0xbde 0x1000 0xc7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wucsxe 0x1400c8000 0x45174 0x46000 0xc8000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wnx 0x14010e000 0x8fe 0x1000 0x10e000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.weqy 0x14010f000 0x8fe 0x1000 0x10f000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.yby 0x140110000 0x1278 0x2000 0x110000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ormx 0x140112000 0xbde 0x1000 0x112000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.dhclu 0x140113000 0x23b 0x1000 0x113000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.xmiul 0x140114000 0x23b 0x1000 0x114000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.tlwcxe 0x140115000 0x13e 0x1000 0x115000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.get 0x140116000 0xbde 0x1000 0x116000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.hzrd 0x140117000 0x1124 0x2000 0x117000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.qzu 0x140119000 0x736 0x1000 0x119000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.tbbd 0x14011a000 0x1f7 0x1000 0x11a000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.shoovi 0x14011b000 0xbde 0x1000 0x11b000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wbmgl 0x14011c000 0x23b 0x1000 0x11c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.aobcn 0x14011d000 0x23b 0x1000 0x11d000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.xdno 0x14011e000 0x1f2a 0x2000 0x11e000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ipsw 0x140120000 0x389 0x1000 0x120000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.cqpqq 0x140121000 0x573 0x1000 0x121000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.skzqoj 0x140122000 0x23b 0x1000 0x122000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.nvjg 0x140123000 0xd33 0x1000 0x123000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.bbt 0x140124000 0x2da 0x1000 0x124000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wsg 0x140125000 0x389 0x1000 0x125000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vqdhza 0x140126000 0x8fe 0x1000 0x126000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.mgf 0x140127000 0x1f2a 0x2000 0x127000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.xusvuv 0x140129000 0x8fe 0x1000 0x129000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.74
Imports (7)
USER32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LookupIconIdFromDirectoryEx - 0x140042098 0xa64c8 0xa64c8 0x205
WaitForInputIdle - 0x1400420a0 0xa64d0 0xa64d0 0x32e
GetParent - 0x1400420a8 0xa64d8 0xa64d8 0x166
GetFocus - 0x1400420b0 0xa64e0 0xa64e0 0x12e
SETUPAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CM_Get_Resource_Conflict_DetailsW - 0x140042078 0xa64a8 0xa64a8 0x8a
KERNEL32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DeleteCriticalSection - 0x140042038 0xa6468 0xa6468 0xd2
DeleteTimerQueue - 0x140042040 0xa6470 0xa6470 0xd9
TerminateJobObject - 0x140042048 0xa6478 0xa6478 0x4cd
GetFileInformationByHandle - 0x140042050 0xa6480 0xa6480 0x1f3
GetThreadLocale - 0x140042058 0xa6488 0xa6488 0x293
GetNamedPipeServerProcessId - 0x140042060 0xa6490 0xa6490 0x229
GetConsoleFontSize - 0x140042068 0xa6498 0xa6498 0x1aa
GDI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateBitmapIndirect - 0x140042020 0xa6450 0xa6450 0x2b
GetPolyFillMode - 0x140042028 0xa6458 0xa6458 0x206
CRYPT32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CertGetCTLContextProperty - 0x140042010 0xa6440 0xa6440 0x44
ADVAPI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
AddAccessDeniedObjectAce - 0x140042000 0xa6430 0xa6430 0x15
SHLWAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ChrCmpIW - 0x140042088 0xa64b8 0xa64b8 0xa
Exports (69)
Api name EAT Address Ordinal
IsInteractiveUserSession 0x3458c 0x1
QueryActiveSession 0x2e730 0x2
QueryUserToken 0x10aa4 0x3
RegisterUsertokenForNoWinlogon 0x1a040 0x4
WTSCloseServer 0x2a60 0x5
WTSConnectSessionA 0xfa78 0x6
WTSConnectSessionW 0x2a100 0x7
WTSCreateListenerA 0x301c0 0x8
WTSCreateListenerW 0x1b488 0x9
WTSDisconnectSession 0x20b0c 0xa
WTSEnableChildSessions 0x38ecc 0xb
WTSEnumerateListenersA 0x26698 0xc
WTSEnumerateListenersW 0x1de24 0xd
WTSEnumerateProcessesA 0x3e8c0 0xe
WTSEnumerateProcessesExA 0x2da9c 0xf
WTSEnumerateProcessesExW 0x23780 0x10
WTSEnumerateProcessesW 0xcdcc 0x11
WTSEnumerateServersA 0x174a4 0x12
WTSEnumerateServersW 0x1c30c 0x13
WTSEnumerateSessionsA 0x11da4 0x14
WTSEnumerateSessionsExA 0x16a8 0x15
WTSEnumerateSessionsExW 0x3a6ec 0x16
WTSEnumerateSessionsW 0x23c0 0x17
WTSFreeMemory 0x3fd88 0x18
WTSFreeMemoryExA 0x158ec 0x19
WTSFreeMemoryExW 0x9900 0x1a
WTSGetChildSessionId 0x2759c 0x1b
WTSGetListenerSecurityA 0x21a28 0x1c
WTSGetListenerSecurityW 0x21da0 0x1d
WTSIsChildSessionsEnabled 0xe7ec 0x1e
WTSLogoffSession 0x388e0 0x1f
WTSOpenServerA 0x4678 0x20
WTSOpenServerExA 0x3ee3c 0x21
WTSOpenServerExW 0xed44 0x22
WTSOpenServerW 0x26cc8 0x23
WTSQueryListenerConfigA 0x33350 0x24
WTSQueryListenerConfigW 0xbffc 0x25
WTSQuerySessionInformationA 0x33c18 0x26
WTSQuerySessionInformationW 0x29aa0 0x27
WTSQueryUserConfigA 0x34e10 0x28
WTSQueryUserConfigW 0x32fac 0x29
WTSQueryUserToken 0x7c6c 0x2a
WTSRegisterSessionNotification 0x3c8d4 0x2b
WTSRegisterSessionNotificationEx 0x3e730 0x2c
WTSSendMessageA 0x3c47c 0x2d
WTSSendMessageW 0x2b7f4 0x2e
WTSSetListenerSecurityA 0x3be28 0x2f
WTSSetListenerSecurityW 0x32048 0x30
WTSSetRenderHint 0x616c 0x31
WTSSetSessionInformationA 0x4054c 0x32
WTSSetSessionInformationW 0x101a8 0x33
WTSSetUserConfigA 0x2ff30 0x34
WTSSetUserConfigW 0x30d18 0x35
WTSShutdownSystem 0x15c30 0x36
WTSStartRemoteControlSessionA 0x314a8 0x37
WTSStartRemoteControlSessionW 0x3b458 0x38
WTSStopRemoteControlSession 0x40220 0x39
WTSTerminateProcess 0x10dd0 0x3a
WTSUnRegisterSessionNotification 0x32ca0 0x3b
WTSUnRegisterSessionNotificationEx 0x3ce70 0x3c
WTSVirtualChannelClose 0x25520 0x3d
WTSVirtualChannelOpen 0xdef8 0x3e
WTSVirtualChannelOpenEx 0x33838 0x3f
WTSVirtualChannelPurgeInput 0x3c7e8 0x40
WTSVirtualChannelPurgeOutput 0x22f60 0x41
WTSVirtualChannelQuery 0x2f1d8 0x42
WTSVirtualChannelRead 0x1799c 0x43
WTSVirtualChannelWrite 0x82e4 0x44
WTSWaitSystemEvent 0x1e280 0x45
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat Modified File Stream
clean
MIME Type application/octet-stream
File Size 128 Bytes
MD5 cc90851958032b8c8bbb7b24ec6271dd
SHA1 e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256 c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep 3:Fl:
ImpHash -
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File Stream
clean
MIME Type application/octet-stream
File Size 53 Bytes
MD5 9c3c1a69a3c43835d6a2579570e6aa0d
SHA1 8af2c3b90473b35f1bb936de12a8bf72fe658468
SHA256 e641ff8107a4197ded9f558d1891e716811e9a7f109f14e876f5a8394844dc34
SSDeep 3:/l4l5mrc9l:e4rc9l
ImpHash -
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File Stream
clean
MIME Type application/octet-stream
File Size 1.42 KB
MD5 268f2ac00f2d52d1588f7de7293ca223
SHA1 5f4de990bfb1a3fe20813c180d292c6c59be24ab
SHA256 680fc9cc119369263e40cc810c716a3d367aed75e09d2a9659824f8c366b7cde
SSDeep 24:ewOvYKUgayh0Zc6w19SCWPk0FE6ETx+2J03gVvWepGYc6IUb60YgvVd3Y:xEtU5Z5FFE66x+2Wey/SYC3Y
ImpHash -
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File Stream
clean
MIME Type application/octet-stream
File Size 1.42 KB
MD5 253250ecef24e59cbe308e437e2fef34
SHA1 cecf6a97c73c87eb8153ded4da6365f2f576a902
SHA256 4459de34f31d879717f63fcf0b48c4b322ee763c7e60d4b0e2a2a61a7805cf43
SSDeep 3::
ImpHash -
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File Stream
clean
MIME Type application/octet-stream
File Size 1.42 KB
MD5 c4b8e82a2482442fbcca2b3bf438ba76
SHA1 ea7df545a4b0fa5efa4ac0ea8571605f98fdebb9
SHA256 34cbc604bed93cbd541c8f639999d089e597bfa366077ed4224547e8cd69eabb
SSDeep 24:ewOvYKUgpOFsPeukGQgD/9V8XgKpwUkHCjYzi10CMG/q4ZfqHhRg/UANn:xEtUBSGuQgEbpwfO10ClGyU+
ImpHash -
Function Logfile
Screenshot