Report - ndldll.txt.exe

UPX PE32 PE File DLL
Created 2023.11.28 09:58 Machine s1_win7_x6402
Filename ndldll.txt.exe
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
12
Behavior Score
5.4
ZERO API file : malware
VT API (file) 35 detected (AIDetectMalware, Mikey, Artemis, Kryptik, malicious, high confidence, HUUR, Ulise, Gencirc, Farfli, zuzfc, ai score=85, Detected, score, Ka9wDGtJXTM, ZedlaF, wv@@aKfWbSdj)
md5 4e88cb52fa6c33f10aeeac975b2e4cd4
sha256 ba4445419d534dd16aa0e5af096d451b81638173c80686d5aa8816b780514396
ssdeep 24576:ZcOeh7E7IJbtEJEHng8wGrQTLq73xaH7pbHl6GV:ZcOWFJbtSMXoTLq73xK51
imphash c3808a9e82ae47a53120a4e9320a8c72
impfuzzy 6:+rJ5T2BmYJqvnLWAKuBpGcBGUg0E7RwT0OUW5yBJAEoZ/OEGDfAwD3:4QbJqvLXFBpGcBlT7yABZG/DfAwD3

Signature (14cnts)

Level Description
danger File has been identified by 35 AntiVirus engines on VirusTotal as malicious
watch Communicates with a host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid the detection triggered by setting all RWX flags at once)
notice Foreign language identified in PE resource
notice Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk
notice Repeatedly searches for a process that is not found
notice Searches running processes, potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername
info The executable uses a known packer
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (4cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts)

Request CC ASN Co IP4 Rule ZERO
8.217.212.78 Unknown 8.217.212.78 clean

Suricata ids

PE API

IAT(Import Address Table) Library

MFC42.DLL
 0x10004010 None
 0x10004014 None
 0x10004018 None
 0x1000401c None
 0x10004020 None
MSVCRT.dll
 0x10004028 free
 0x1000402c malloc
 0x10004030 _adjust_fdiv
 0x10004034 ??1type_info@@UAE@XZ
 0x10004038 ??3@YAXPAX@Z
 0x1000403c _except_handler3
 0x10004040 memset
 0x10004044 memcpy
 0x10004048 _CxxThrowException
 0x1000404c __CxxFrameHandler
 0x10004050 _initterm
KERNEL32.dll
 0x10004000 LoadLibraryA
 0x10004004 ExitProcess
 0x10004008 GetProcAddress
USER32.dll
 0x10004058 MessageBoxA

EAT(Export Address Table) Library

0x10001026 GetCrashKeyCountImpl
0x1000103d GetHandleVerifier
0x10001054 IsSandboxedProcess
0x1000106b RelaunchChromeBrowserWithNewCommandLineIfNeeded
0x10001082 cef_add_cross_origin_whitelist_entry
0x10002153 cef_api_hash
0x1000219f cef_base64decode
0x100021b6 cef_base64encode
0x100021cd cef_begin_tracing
0x100021e4 cef_binary_value_create
0x100021fb cef_browser_host_create_browser
0x10002212 cef_browser_host_create_browser_sync
0x10002229 cef_browser_view_create
0x10002240 cef_browser_view_get_for_browser
0x10002257 cef_clear_cross_origin_whitelist
0x1000226e cef_clear_scheme_handler_factories
0x10002285 cef_command_line_create
0x1000229c cef_command_line_get_global
0x100022b3 cef_cookie_manager_create_manager
0x100022ca cef_cookie_manager_get_global_manager
0x100022e1 cef_crash_reporting_enabled
0x100022f8 cef_create_context_shared
0x1000230f cef_create_directory
0x10002326 cef_create_new_temp_directory
0x1000233d cef_create_temp_directory_in_directory
0x10002354 cef_create_url
0x1000236b cef_currently_on
0x10002382 cef_delete_file
0x10002399 cef_dictionary_value_create
0x100023b0 cef_directory_exists
0x100023c7 cef_display_get_alls
0x100023de cef_display_get_count
0x100023f5 cef_display_get_matching_bounds
0x1000240c cef_display_get_nearest_point
0x10002423 cef_display_get_primary
0x1000243a cef_do_message_loop_work
0x10002451 cef_drag_data_create
0x10002468 cef_enable_highdpi_support
0x1000247f cef_end_tracing
0x10002496 cef_execute_java_script_with_user_gesture_for_tests
0x100024ad cef_execute_process
0x100024c4 cef_format_url_for_security_display
0x100024db cef_get_current_platform_thread_handle
0x100024f2 cef_get_current_platform_thread_id
0x10002509 cef_get_extensions_for_mime_type
0x10002520 cef_get_geolocation
0x10002537 cef_get_mime_type
0x1000254e cef_get_min_log_level
0x10002565 cef_get_path
0x1000257c cef_get_temp_directory
0x10002593 cef_get_vlog_level
0x100025aa cef_image_create
0x100025c1 cef_initialize
0x100025d8 cef_is_cert_status_error
0x100025ef cef_is_cert_status_minor_error
0x10002606 cef_is_web_plugin_unstable
0x1000261d cef_label_button_create
0x10002634 cef_launch_process
0x1000264b cef_list_value_create
0x10002662 cef_load_crlsets_file
0x10002679 cef_log
0x10002690 cef_menu_button_create
0x100026a7 cef_menu_model_create
0x100026be cef_now_from_system_trace_time
0x100026d5 cef_panel_create
0x100026ec cef_parse_json
0x10002703 cef_parse_jsonand_return_error
0x1000271a cef_parse_url
0x10002731 cef_post_data_create
0x10002748 cef_post_data_element_create
0x1000275f cef_post_delayed_task
0x10002776 cef_post_task
0x1000278d cef_print_settings_create
0x100027a4 cef_process_message_create
0x100027bb cef_quit_message_loop
0x100027d2 cef_refresh_web_plugins
0x100027e9 cef_register_extension
0x10002800 cef_register_scheme_handler_factory
0x10002817 cef_register_web_plugin_crash
0x1000282e cef_register_widevine_cdm
0x10002845 cef_remove_cross_origin_whitelist_entry
0x1000285c cef_request_context_create_context
0x10002873 cef_request_context_get_global_context
0x1000288a cef_request_create
0x100028a1 cef_resource_bundle_get_global
0x100028b8 cef_response_create
0x100028cf cef_run_message_loop
0x100028e6 cef_scroll_view_create
0x100028fd cef_set_crash_key_value
0x10002914 cef_set_osmodal_loop
0x1000292b cef_shutdown
0x10002942 cef_stream_reader_create_for_data
0x10002959 cef_stream_reader_create_for_file
0x10002970 cef_stream_reader_create_for_handler
0x10002987 cef_stream_writer_create_for_file
0x1000299e cef_stream_writer_create_for_handler
0x100029b5 cef_string_ascii_to_utf16
0x100029cc cef_string_ascii_to_wide
0x100029e3 cef_string_list_alloc
0x100029fa cef_string_list_append
0x10002a11 cef_string_list_clear
0x10002a28 cef_string_list_copy
0x10002a3f cef_string_list_free
0x10002a56 cef_string_list_size
0x10002a6d cef_string_list_value
0x10002a84 cef_string_map_alloc
0x10002a9b cef_string_map_append
0x10002ab2 cef_string_map_clear
0x10002ac9 cef_string_map_find
0x10002ae0 cef_string_map_free
0x10002af7 cef_string_map_key
0x10002b0e cef_string_map_size
0x10002b25 cef_string_map_value
0x10002b3c cef_string_multimap_alloc
0x10002b53 cef_string_multimap_append
0x10002b6a cef_string_multimap_clear
0x10002b81 cef_string_multimap_enumerate
0x10002b98 cef_string_multimap_find_count
0x10002baf cef_string_multimap_free
0x10002bc6 cef_string_multimap_key
0x10002bdd cef_string_multimap_size
0x10002bf4 cef_string_multimap_value
0x10002c0b cef_string_userfree_utf16_alloc
0x10002c22 cef_string_userfree_utf16_free
0x10002c39 cef_string_userfree_utf8_alloc
0x10002c50 cef_string_userfree_utf8_free
0x10002c67 cef_string_userfree_wide_alloc
0x10002c7e cef_string_userfree_wide_free
0x10002c95 cef_string_utf16_clear
0x10002cac cef_string_utf16_cmp
0x10002cc3 cef_string_utf16_set
0x10002cda cef_string_utf16_to_lower
0x10002cf1 cef_string_utf16_to_upper
0x10002d08 cef_string_utf16_to_utf8
0x10002d1f cef_string_utf16_to_wide
0x10002d36 cef_string_utf8_clear
0x10002d4d cef_string_utf8_cmp
0x10002d64 cef_string_utf8_set
0x10002d7b cef_string_utf8_to_utf16
0x10002d92 cef_string_utf8_to_wide
0x10002da9 cef_string_wide_clear
0x10002dc0 cef_string_wide_cmp
0x10002dd7 cef_string_wide_set
0x10002dee cef_string_wide_to_utf16
0x10002e05 cef_string_wide_to_utf8
0x10002e1c cef_task_runner_get_for_current_thread
0x10002e33 cef_task_runner_get_for_thread
0x10002e4a cef_textfield_create
0x10002e61 cef_thread_create
0x10002e78 cef_time_delta
0x10002e8f cef_time_from_doublet
0x10002ea6 cef_time_from_timet
0x10002ebd cef_time_now
0x10002ed4 cef_time_to_doublet
0x10002eeb cef_time_to_timet
0x10002f02 cef_trace_counter
0x10002f19 cef_trace_counter_id
0x10002f30 cef_trace_event_async_begin
0x10002f47 cef_trace_event_async_end
0x10002f5e cef_trace_event_async_step_into
0x10002f75 cef_trace_event_async_step_past
0x10002f8c cef_trace_event_begin
0x10002fa3 cef_trace_event_end
0x10002fba cef_trace_event_instant
0x10002fd1 cef_translator_test_create
0x10002fe8 cef_translator_test_ref_ptr_library_child_child_create
0x10002fff cef_translator_test_ref_ptr_library_child_create
0x10003016 cef_translator_test_ref_ptr_library_create
0x1000302d cef_translator_test_scoped_library_child_child_create
0x10003044 cef_translator_test_scoped_library_child_create
0x1000305b cef_translator_test_scoped_library_create
0x10003072 cef_unregister_internal_web_plugin
0x10003089 cef_uridecode
0x100030a0 cef_uriencode
0x100030b7 cef_urlrequest_create
0x100030ce cef_v8context_get_current_context
0x100030e5 cef_v8context_get_entered_context
0x100030fc cef_v8context_in_context
0x10003113 cef_v8stack_trace_get_current
0x1000312a cef_v8value_create_array
0x10003141 cef_v8value_create_bool
0x10003158 cef_v8value_create_date
0x1000316f cef_v8value_create_double
0x10003186 cef_v8value_create_function
0x1000319d cef_v8value_create_int
0x100031b4 cef_v8value_create_null
0x100031cb cef_v8value_create_object
0x100031e2 cef_v8value_create_string
0x100031f9 cef_v8value_create_uint
0x10003210 cef_v8value_create_undefined
0x10003227 cef_value_create
0x1000323e cef_version_info
0x10003255 cef_visit_web_plugin_info
0x1000326c cef_waitable_event_create
0x10003283 cef_window_create_top_level
0x1000329a cef_write_json
0x100032b1 cef_xml_reader_create
0x100032c8 cef_zip_directory
0x100032df cef_zip_reader_create
0x10001026 hi

