DllKitPRO.exe
This report is generated from a file or URL submitted to this webservice on October 25th 2018 22:05:28 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint
  - Queries kernel debugger information
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Possibly checks for the presence of an Antivirus engine
  - Possibly tries to implement anti-virtualization techniques
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators 3

External Systems

- Sample was identified as malicious by a large number of Antivirus engines
  - details: 37/69 Antivirus vendors marked sample as malicious (53% detection rate)
  - source: External System
  - relevance: 10/10
- Sample was identified as malicious by at least one Antivirus engine
  - details: 4/15 Antivirus vendors marked sample as malicious (26% detection rate); 37/69 Antivirus vendors marked sample as malicious (53% detection rate)
  - source: External System
  - relevance: 8/10

Hiding 1 Malicious Indicators

Suspicious Indicators 11

Anti-Detection/Stealthyness

- Possibly checks for the presence of an Antivirus engine
  - details: "get_AntivirusPopup" (Indicator: "antivirus"); "set_AntivirusPopup" (Indicator: "antivirus"); "antivirusPopup" (Indicator: "antivirus"); these are .NET property accessor names for a setting called "AntivirusPopup", not evidence of an engine check on their own
  - source: File/Memory
  - relevance: 3/10
  - ATT&CK ID: T1063
- Queries kernel debugger information
  - details: "DllKitPRO.exe" at 00013266-00004156-00000033-40361928008
  - source: API Call
  - relevance: 6/10

Anti-Reverse Engineering

- Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
  - details: "DllKitPRO.exe" is allocating memory with PAGE_GUARD access rights
  - source: API Call
  - relevance: 10/10
- Possibly checks for known debuggers/analysis tools
  - details: string matches for the indicators "icext", "ntice" and "process monitor"; the matched strings sit inside an embedded table of Windows error names and file-extension descriptions (for example "icExtendedError" and "Process Monitor Log File"), so this is a likely false positive
  - source: File/Memory
  - relevance: 2/10

Environment Awareness

- Possibly tries to implement anti-virtualization techniques
  - details: string matches for the indicators "hyper-v", "vmware", "qemu", "vbox" and "virtualbox"; the matched strings sit inside an embedded table of file-extension descriptions (for example "Hyper-V SnapShot File", "VMware Configuration File", "QEMU Copy On Write Disk Image" and "Oracle VM VirtualBox Extension Pack"), so this is a likely false positive
  - source: File/Memory
  - relevance: 4/10
- Reads the cryptographic machine GUID
  - details: "DllKitPRO.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1012

General

- Found a potential E-Mail address in binary/memory
  - details: Pattern match: "support@dllkit.com"
  - source: File/Memory
  - relevance: 3/10
  - ATT&CK ID: T1114

Unusual Characteristics

- Installs hooks/patches the running process
  - details:
    - "DllKitPRO.exe" wrote bytes "bce7b0e2" to virtual address "0x72A2F314" (part of module "CLR.DLL")
    - "DllKitPRO.exe" wrote bytes "711171017a3b7001ab8b02007f950200fc8c0200729602006cc805001ecd6d017d266d01" to virtual address "0x75BF07E4" (part of module "USER32.DLL")
    - "DllKitPRO.exe" wrote bytes "db4d357400000000" to virtual address "0x000C2000" (part of module "DLLKITPRO.EXE")
  - source: Hook Detection
  - relevance: 10/10
  - ATT&CK ID: T1179
- Reads information about supported languages
  - details: "DllKitPRO.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10
  - ATT&CK ID: T1012

Hiding 2 Suspicious Indicators

Informative 10

Environment Awareness

- Queries volume information
  - details: "DllKitPRO.exe" queries volume information of "\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE" at 00013266-00004156-00000046-36289891093
  - source: API Call
  - relevance: 2/10
  - ATT&CK ID: T1120

General

- Contains PDB pathways
  - details: "C:\Drive\Projects\PBAntimalware\trunk\CLEANER\Cleaner\obj\dllkit\RC.pdb"
  - source: File/Memory
  - relevance: 1/10
- Loads the .NET runtime environment
  - details: "DllKitPRO.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\77f338d420d067a26b2d34f47445fc51\mscorlib.ni.dll" at 71690000
  - source: Loaded Module
- The input sample is signed with a certificate
  - details:
    - The input sample is signed with a certificate issued by "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: 14:67:0C:B6:F0:5F:EC:45:C1:0C:C4:B6:A0:FE:BB:11:8F:EB:20:08)
    - The input sample is signed with a certificate issued by "CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47)
  - source: Certificate Data
  - relevance: 10/10
  - ATT&CK ID: T1116

Installation/Persistence

- Connects to LPC ports
  - details: "DllKitPRO.exe" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Touches files in the Windows directory
  - details:
    - "DllKitPRO.exe" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
    - "DllKitPRO.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
    - "DllKitPRO.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
    - "DllKitPRO.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
    - "DllKitPRO.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
    - "DllKitPRO.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
    - "DllKitPRO.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
    - "DllKitPRO.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config"
    - "DllKitPRO.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
    - "DllKitPRO.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\77f338d420d067a26b2d34f47445fc51\mscorlib.ni.dll.aux"
    - "DllKitPRO.exe" touched file "C:\Windows\assembly\pubpol107.dat"
    - "DllKitPRO.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll"
    - "DllKitPRO.exe" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
    - "DllKitPRO.exe" touched file "C:\Windows\symbols\exe\RC.pdb"
    - "DllKitPRO.exe" touched file "C:\Windows\exe\RC.pdb"
  - source: API Call
  - relevance: 7/10

Network Related

- Found potential URL in binary/memory
  - details:
    - Heuristic match: "@example.com"
    - Pattern match: "http://www.dllkit.com/purchase/weekend-sale/?language={0}&cuid={1"
    - Pattern match: "https://dll2.azurewebsites.net/api/dll/{0}/{1}/{2}/{3"
    - Pattern match: "https://dll2.azurewebsites.net/api/info/{0}/"
    - Pattern match: "https://dll2.azurewebsites.net/api/info2/{0}/"
    - Pattern match: "https://dll2.azurewebsites.net/api/info3/{0}/"
    - Pattern match: "https://dll2.azurewebsites.net/api/installer/{0}/{1"
    - Pattern match: "https://update.dllkit.com/keyActivate"
    - Pattern match: "https://update.dllkit.com/keyCheck"
    - Pattern match: "https://update.dllkit.com/eventext2"
    - Heuristic match: "events.dllkit.com"
    - Pattern match: "https://update.dllkit.com/api/settings"
    - Pattern match: "https://www.dllkit.com/settings/update.json"
    - Pattern match: "https://update.dllkit.com/api/update?version={0}&wl={1"
    - Pattern match: "www.dllkit.com/support"
    - Heuristic match: "support@dllkit.com"
    - Pattern match: "https://dll2.azurewebsites.net/"
    - Pattern match: "http://www.dllkit.com/support/"
    - Pattern match: "http://www.dllkit.com/support/#How_to_Register"
    - Pattern match: "http://www.dllkit.com/update/?language={0}&cuid={1"
    - Pattern match: "https://update.dllkit.com/"
    - Pattern match: "https://update.dllkit.com/api/hosts/{0"
  - source: File/Memory
  - relevance: 10/10

Spyware/Information Retrieval

- Found a reference to a known community page
  - details: string matches for the indicators "youtube" and "myspace"; the matched strings sit inside an embedded table of file-extension descriptions (for example "YouTube Video Chunk File", "YouTube Captions File" and "MySpaceIM Conversation Log File"), so this is a likely false positive
  - source: File/Memory
  - relevance: 7/10
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "DllKitPRO.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
-
Unusual Characteristics
-
Found reference to Diagnosis CAB file
- details
- "".DC2", "description": "DesignCAD 2D ASCII Drawing" }, { "id": 1893, "name": ".DC2", "description": "DevCad Cam Pro Document" }, { "id": 1894, "name": ".DC2", "description": "Kodak Photo-Enhancer File" }, { "id": 1895, "name": ".DVDS", "description": "DVDStyler Project File" }, { "id": 1896, "name": ".DLV", "description": "CATIA 4 Export File" }, { "id": 1897, "name": ".DIAGCAB", "description": "Troubleshooting Pack Cabinet File" }, { "id": 1898, "name": ".DESIGN", "description": "Microsoft Expression Design Drawing" }, { "id": 1899, "name": ".DIX", "description": "DIVA-GIS Export File" }, { "id": 1900, "name": ".DBS", "description": "SQLBase Database File" }, { "id": 1901, "name": ".DBS", "description": "GAMBIT Mesh File" }, { "id": 1902, "name": ".DXX", "description": "AutoCAD Drawing Interchang" (Indicator: ".diagcab")
- source
- File/Memory
- relevance
- 7/10
-
Found reference to Diagnosis CAB file
File Details
DllKitPRO.exe
- Filename
- DllKitPRO.exe
- Size
- 3.7MiB (3873768 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 9655fedb2badf83affc75d923d6f9ca7176cfd6aa22f720bf02739839fa76eb9
- MD5
- 95184039780f0110fb8f165fdd705a43
- SHA1
- 799d5be5c9e03fca37e5e242b66b97316e6c7d63
- ssdeep
- 98304:xbKFjeBbchNH9uH4A3VEiRyz8YoxkL/p6f9S:x8jeVchNH9uH4A3VEiRyz8YoxkL/p6fo
- imphash
- f34d5f2d4577ed6d9ceec516c1f5a744
- authentihash
- f47053a38b5675039a2e5aa8acd06ef54fb4149e64b4a28b647660d98a45add7
- PDB Timestamp
- 02/13/2018 16:37:55 (UTC)
- PDB Pathway
- C:\Drive\Projects\PBAntimalware\trunk\CLEANER\Cleaner\obj\dllkit\RC.pdb
- PDB GUID
- DF3C5F008F6F4EA4B1074E5930F9CD13
Version Info
- Translation
- 0x0000 0x04b0
- LegalCopyright
- Copyright 2017 DllKit PRO
- Assembly Version
- 1.1.6618.33536
- InternalName
- RC.exe
- FileVersion
- 1.1.6618.33536
- CompanyName
- -
- LegalTrademarks
- -
- Comments
- -
- ProductName
- DllKit PRO
- ProductVersion
- 1.1.6618.33536
- FileDescription
- DllKit PRO
- OriginalFilename
- RC.exe
File Sections
File Resources
File Imports
File Certificates
Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
CN=DllKitster Ltd, O=DllKitster Ltd, STREET=4 Queen Street, L=Edinburgh, ST=Scotland, OID.2.5.4.17=EH2 1JE, C=GB | CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB (Serial: 2dfb2ad4423f6786e2e8e9bf9da9d59b) | 01/04/2018 01:00:00 to 01/05/2019 00:59:59 | MD5 94:B3:06:76:05:8C:3C:04:25:2E:04:D7:F8:B7:96:55; SHA1 14:67:0C:B6:F0:5F:EC:45:C1:0C:C4:B6:A0:FE:BB:11:8F:EB:20:08
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB (Serial: 2e7c87cc0e934a52fe94fd1cb7cd34af) | 05/09/2013 02:00:00 to 05/09/2028 01:59:59 | MD5 AA:37:4C:C0:0B:ED:2E:1E:A6:91:EF:41:5B:80:8F:E1; SHA1 B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47
Screenshots
Hybrid Analysis
Analysed 1 process in total.
- DllKitPRO.exe (PID: 4156) 39/79
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.