
String found in binary or memory: ts.godaddy.
String found in binary or memory: tificates.
String found in binary or memory: syndication.org/2006/appsynapplicationapuputil.cpp upgradeexclusivetrue enclosuredigestalgor
String found in binary or memory: syndication.org/2006/appsyn Facebook equals com (Facebook)
DNS traffic detected: queries for: secure.
String found in binary or memory: Microsoft.
JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Contains functionality to download additional files from the internet
Code function: 0_2_00E15B06 InternetReadFile,WriteFile,WriteFile,GetLastError,GetLastError,
Found strings which match to known social media urls
JA3 SSL client fingerprint seen in connection with other malware
Source: C:\Users\user\Desktop\dopdf-full.exe
Code function: 0_2_00DE508B CryptHashPublicKeyInfo,_memcmp,_memcmp,GetLastError,
Code function: 0_2_00DE6030 DecryptFileW,
Code function: 0_2_00DE5202 _memset,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,GetLastError,WinVerifyTrust,WinVerifyTrust,WinVerifyTrust,
Code function: 0_2_00E0C539 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,
Code function: 0_2_00DE5E12 DecryptFileW,DecryptFileW,

Uses Microsoft's Enhanced Cryptographic Provider
Standard Non-Application Layer Protocol 2
Exfiltration Over Command and Control Channel
Report size getting too big, too many NtReadVirtualMemory calls found.
Deobfuscate/Decode Files or Information 1.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Report size getting too big, too many NtOpenKeyEx calls found.

Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing behavior information.
Excluded domains from analysis (whitelisted): wu.ec.,, ,, , ., wu., wu.
Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe.
