Edit tour

Windows Analysis Report
Drivespan.dll

Overview

General Information

Sample name:	Drivespan.dll
Analysis ID:	1584902
MD5:	4d9c5296957da900b90aefba32b40072
SHA1:	7f326b02a73e0cb58933c7a9f7c32d4bf9ec555e
SHA256:	11a01ce93db410211c6d64febcc9c621206761ab865c7bd4dd5074628103ac6a
Tags:	bankerdlllatamtrojanuser-johnk3r
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Allocates memory in foreign processes

Connects to a pastebin service (likely for C&C)

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Writes to foreign memory regions

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6644 cmdline: loaddll32.exe "C:\Users\user\Desktop\Drivespan.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6784 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6856 cmdline: rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6804 cmdline: rundll32.exe C:\Users\user\Desktop\Drivespan.dll,EntryPointProc MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7012 cmdline: rundll32.exe C:\Users\user\Desktop\Drivespan.dll,eQ8FKAFK298HGKAF0PK1K0RFJF9OMG9348 MD5: 889B99C52A60DD49227C5E485A016679)

cttune.exe (PID: 7088 cmdline: "C:\Windows\SysWOW64\cttune.exe" MD5: E515AF722F75E1A5708B532FAA483333)

rundll32.exe (PID: 2844 cmdline: rundll32.exe C:\Users\user\Desktop\Drivespan.dll,ru3n MD5: 889B99C52A60DD49227C5E485A016679)

cttune.exe (PID: 1436 cmdline: "C:\Windows\SysWOW64\cttune.exe" MD5: E515AF722F75E1A5708B532FAA483333)

rundll32.exe (PID: 6684 cmdline: rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",EntryPointProc MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6664 cmdline: rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",eQ8FKAFK298HGKAF0PK1K0RFJF9OMG9348 MD5: 889B99C52A60DD49227C5E485A016679)

cttune.exe (PID: 7108 cmdline: "C:\Windows\SysWOW64\cttune.exe" MD5: E515AF722F75E1A5708B532FAA483333)

rundll32.exe (PID: 6932 cmdline: rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",ru3n MD5: 889B99C52A60DD49227C5E485A016679)

cttune.exe (PID: 7032 cmdline: "C:\Windows\SysWOW64\cttune.exe" MD5: E515AF722F75E1A5708B532FAA483333)

rundll32.exe (PID: 6884 cmdline: rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",rusn MD5: 889B99C52A60DD49227C5E485A016679)

cttune.exe (PID: 3320 cmdline: "C:\Windows\SysWOW64\cttune.exe" MD5: E515AF722F75E1A5708B532FAA483333)

rundll32.exe (PID: 6860 cmdline: rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",run MD5: 889B99C52A60DD49227C5E485A016679)

cttune.exe (PID: 6404 cmdline: "C:\Windows\SysWOW64\cttune.exe" MD5: E515AF722F75E1A5708B532FAA483333)

cleanup

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T18:14:00.909217+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.20.3.235	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Drivespan.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: Drivespan.dll

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: Drivespan.dll

Joe Sandbox ML: detected

Source: Drivespan.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: Drivespan.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\Administrator\source\repos\Dll2\Release\Drivespan.pdb source: Drivespan.dll

Networking

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 217.77.11.216:4464

Source: global traffic

TCP traffic: 192.168.2.4:58629 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.20.3.235:443

Source: global traffic

HTTP traffic detected: GET /raw/qLipTDP9 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com

Source: unknown	TCP traffic detected without corresponding DNS query: 217.77.11.216
Source: unknown	TCP traffic detected without corresponding DNS query: 217.77.11.216
Source: unknown	TCP traffic detected without corresponding DNS query: 217.77.11.216
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /raw/qLipTDP9 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com

Source: global traffic

DNS traffic detected: DNS query: pastebin.com

Source: cttune.exe, cttune.exe, 0000000F.00000002.1774164934.0000000004A3B000.00000040.00000400.00020000.00000000.sdmp, cttune.exe, 0000000F.00000002.1765628643.0000000002F3B000.00000040.00000001.00020000.00000000.sdmp, cttune.exe, 0000000F.00000002.1774993393.000000000542F000.00000004.00001000.00020000.00000000.sdmp, cttune.exe, 0000000F.00000002.1774591539.0000000004EEB000.00000040.00000400.00020000.00000000.sdmp, cttune.exe, 0000000F.00000002.1775429872.000000000566F000.00000004.00001000.00020000.00000000.sdmp, Drivespan.dll	String found in binary or memory: http://www.indyproject.org/
Source: cttune.exe, 00000006.00000002.1736417809.0000000004B41000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://g1.gestaoclicki.site/1.txtlWhite
Source: cttune.exe, cttune.exe, 0000000F.00000002.1774164934.0000000004A3B000.00000040.00000400.00020000.00000000.sdmp, cttune.exe, 0000000F.00000002.1765628643.0000000002F3B000.00000040.00000001.00020000.00000000.sdmp, cttune.exe, 0000000F.00000002.1774591539.0000000004EEB000.00000040.00000400.00020000.00000000.sdmp, Drivespan.dll	String found in binary or memory: https://pastebin.com/raw/qLipTDP9
Source: cttune.exe, 00000006.00000002.1733275825.000000000054A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/qLipTDP9Q

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: Drivespan.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal84.troj.evad.winDLL@34/0@1/2

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\SysWOW64\cttune.exe	Mutant created: \Sessions\1\BaseNamedObjects\ClearTypeTunerWizardMutex
Source: C:\Windows\SysWOW64\cttune.exe	Mutant created: \Sessions\1\BaseNamedObjects\My-Comercio

Source: Drivespan.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\cttune.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Drivespan.dll,EntryPointProc

Source: Drivespan.dll

ReversingLabs: Detection: 31%

Source: cttune.exe	String found in binary or memory: jp-ocr-hand-add
Source: cttune.exe	String found in binary or memory: jp-ocr-b-add
Source: cttune.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: cttune.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: cttune.exe	String found in binary or memory: ISO_6937-2-add
Source: cttune.exe	String found in binary or memory: NATS-SEFI-ADD
Source: cttune.exe	String found in binary or memory: NATS-DANO-ADD
Source: cttune.exe	String found in binary or memory: jp-ocr-hand-add
Source: cttune.exe	String found in binary or memory: jp-ocr-b-add
Source: cttune.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: cttune.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: cttune.exe	String found in binary or memory: ISO_6937-2-add
Source: cttune.exe	String found in binary or memory: NATS-SEFI-ADD
Source: cttune.exe	String found in binary or memory: NATS-DANO-ADD

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Drivespan.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Drivespan.dll,EntryPointProc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Drivespan.dll,eQ8FKAFK298HGKAF0PK1K0RFJF9OMG9348
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Drivespan.dll,ru3n
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",EntryPointProc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",eQ8FKAFK298HGKAF0PK1K0RFJF9OMG9348
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",ru3n
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",rusn
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",run
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Drivespan.dll,EntryPointProc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Drivespan.dll,eQ8FKAFK298HGKAF0PK1K0RFJF9OMG9348	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Drivespan.dll,ru3n	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",EntryPointProc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",eQ8FKAFK298HGKAF0PK1K0RFJF9OMG9348	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",ru3n	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",rusn	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",run	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\cttune.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Drivespan.dll

Static file information: File size 4244992 > 1048576

Source: Drivespan.dll

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x409400

Source: Drivespan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Drivespan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Drivespan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Drivespan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Drivespan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Drivespan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Drivespan.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: Drivespan.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Administrator\source\repos\Dll2\Release\Drivespan.pdb source: Drivespan.dll

Source: Drivespan.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Drivespan.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Drivespan.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Drivespan.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Drivespan.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\cttune.exe TID: 2304

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: cttune.exe, 00000006.00000002.1733275825.000000000054A000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 00000006.00000002.1733275825.0000000000598000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 00000006.00000003.1711852033.0000000000598000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: 45E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: 4A00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: AAF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: 52E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: 5890000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: 2F10000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: 4ED0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: 5300000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: 4A20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: 44C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: 2F20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\cttune.exe base: 3340000 protect: page execute and read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Windows\SysWOW64\rundll32.exe	Thread created: C:\Windows\SysWOW64\cttune.exe EIP: 4A00018	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread created: unknown EIP: 52E0018	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread created: C:\Windows\SysWOW64\cttune.exe EIP: 5300018	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread created: C:\Windows\SysWOW64\cttune.exe EIP: 44C0018	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 45E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AAF0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5890000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4ED0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4A20000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 2F20000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 45E0000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 45E1000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4969000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 496C000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 497A000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4981000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4985000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4986000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4987000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4988000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 49DD000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4A00000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4A00018	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AAF0000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AAF1000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AE79000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AE7C000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AE8A000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AE91000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AE95000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AE96000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AE97000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AE98000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: AEED000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 52E0000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 52E0018	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5890000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5891000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5C19000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5C1C000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5C2A000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5C31000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5C35000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5C36000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5C37000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5C38000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5C8D000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 2F10000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 2F10018	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4ED0000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4ED1000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5259000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 525C000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 526A000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5271000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5275000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5276000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5277000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5278000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 52CD000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5300000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 5300018	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4A20000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4A21000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4DA9000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4DAC000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4DBA000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4DC1000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4DC5000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4DC6000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4DC7000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4DC8000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 4E1D000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 44C0000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 44C0018	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 2F20000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 2F21000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 32A9000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 32AC000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 32BA000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 32C1000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 32C5000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 32C6000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 32C7000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 32C8000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 331D000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 3340000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\cttune.exe base: 3340018	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	411 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	411 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Rundll32	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Drivespan.dll	32%	ReversingLabs	Win32.Dropper.Generic
Drivespan.dll	100%	Avira	TR/Dropper.Gen
Drivespan.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://g1.gestaoclicki.site/1.txtlWhite	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pastebin.com	104.20.3.235	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/qLipTDP9	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.indyproject.org/	cttune.exe, cttune.exe, 0000000F.00000002.1774164934.0000000004A3B000.00000040.00000400.00020000.00000000.sdmp, cttune.exe, 0000000F.00000002.1765628643.0000000002F3B000.00000040.00000001.00020000.00000000.sdmp, cttune.exe, 0000000F.00000002.1774993393.000000000542F000.00000004.00001000.00020000.00000000.sdmp, cttune.exe, 0000000F.00000002.1774591539.0000000004EEB000.00000040.00000400.00020000.00000000.sdmp, cttune.exe, 0000000F.00000002.1775429872.000000000566F000.00000004.00001000.00020000.00000000.sdmp, Drivespan.dll	false		high
https://g1.gestaoclicki.site/1.txtlWhite	cttune.exe, 00000006.00000002.1736417809.0000000004B41000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/qLipTDP9Q	cttune.exe, 00000006.00000002.1733275825.000000000054A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States		13335	CLOUDFLARENETUS	false
217.77.11.216	unknown	United Kingdom		16362	SEVEN-ASGB	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584902
Start date and time:	2025-01-06 18:13:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Drivespan.dll
Detection:	MAL
Classification:	mal84.troj.evad.winDLL@34/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Drivespan.dll

Simulations

Behavior and APIs

Time	Type	Description
12:13:59	API Interceptor	3x Sleep call for process: cttune.exe modified
12:14:05	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	cr_asm3.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	gabe.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_atCAD.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	5UIy3bo46y.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	BeginSync lnk.lnk	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	sostener.vbs	Get hash	malicious	Njrat	Browse	pastebin.com/raw/V9y5Q5vv

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	XClient.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	ogVinh0jhq.exe	Get hash	malicious	DCRat	Browse	104.20.4.235
	hiwA7Blv7C.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	CRf9KBk4ra.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	bad.txt	Get hash	malicious	AsyncRAT	Browse	104.20.3.235
	dlhost.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	htkeUc1zJ0.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	c2.exe	Get hash	malicious	Xmrig	Browse	104.20.4.235

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SEVEN-ASGB	https://maya-lopez.filemail.com/t/BLFGBJSQ	Get hash	malicious	HTMLPhisher	Browse	217.77.11.121
SEVEN-ASGB	https://identitys.fraudguard.es/SSA_Updated_Statement	Get hash	malicious	ScreenConnect Tool	Browse	217.77.14.110
CLOUDFLARENETUS	https://www.figma.com/design/Sw6t5vElBVmnrFNiteka8B/Untitled-(Copy)?node-id=0-1&p=f&t=x9aFU3FgLH1rkKBK-0	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://linkedln.contact/ugtxCQqLJUk?in/fuat-kirikci22-46d64297c/	Get hash	malicious	Unknown	Browse	104.18.9.247
	http://joeschmidtmusic.net	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://linkedln.contact/ugtxCQqLJUk?in/fuat-kirikci22-46d64297c/	Get hash	malicious	Unknown	Browse	104.18.9.247
	https://url9577.spatialobjects.com/ls/click?upn=u001.4ivVkFS2-2B4Sp-2Bivia16FvZ0teKfwckAWDUNO-2FsqtRchREXEyTglUEhVzVLlqiPt6oyeeJPuBMPPn-2FAJy8GEEGQs1-2BYVSMuO8RcYEmOVkcjI-3DnYq7_5kJ5LjeESMs3fQdMgHqyuvFFc7nFcZjYyI3vr6BFlw-2BbBsOMKGykWhuto9VBBSTEAWm9RK1szoMJSY3w0qEGh2haan1Og8NtlsLY75H85AELmELLmWbs81ikIO79Vk-2BAlUDIKzd2g1S8a2OhhfsFXuY6OMfebPMC6myP97HBZna1K6-2Bf-2BMbrfkWXlYPN21iZCikY-2Fj1mWRtbJrLJTAOgMXiWNk9cXQxyzwLnkUSS-2BNxcVuCkqDWejp6A-2FGSU05Z-2F9a1Dpa0znzETm-2Be8z9Abw3rZWiLfMFYofxE0t9vgWDzkWRWL6PmrMBcXk8MmBC1ALYIO7SJA6ICZQww3qf73KQ-3D-3D	Get hash	malicious	Unknown	Browse	104.18.40.68
	https://tfeweb.co.uk/signoff	Get hash	malicious	Unknown	Browse	104.17.24.14
	Remittance details.docx	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://z97f4f2525fyg27.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	Remittance details.docx	Get hash	malicious	Unknown	Browse	104.16.117.116
	DownloadedMessage.zip	Get hash	malicious	HTMLPhisher	Browse	104.21.52.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse	104.20.3.235
	setup.exe	Get hash	malicious	LummaC	Browse	104.20.3.235
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.20.3.235
	anrek.mp4.hta	Get hash	malicious	LummaC Stealer	Browse	104.20.3.235
	title.mp4.hta	Get hash	malicious	LummaC, PureLog Stealer, zgRAT	Browse	104.20.3.235
	Setup.exe	Get hash	malicious	LummaC	Browse	104.20.3.235
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.20.3.235
	un30brGAKP.exe	Get hash	malicious	LummaC	Browse	104.20.3.235
	Patcher_I5cxa9AN.exe	Get hash	malicious	LummaC	Browse	104.20.3.235

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.577491583408384
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 95.65% Win32 EXE PECompact compressed (generic) (41571/9) 3.97% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Drivespan.dll
File size:	4'244'992 bytes
MD5:	4d9c5296957da900b90aefba32b40072
SHA1:	7f326b02a73e0cb58933c7a9f7c32d4bf9ec555e
SHA256:	11a01ce93db410211c6d64febcc9c621206761ab865c7bd4dd5074628103ac6a
SHA512:	7e20cf58dade7ca60d863521a40ce9e0fa691055a67baf9031c48f99b0d169f1bae8224e98ceaa0b5e150fbfdb792acecb180d6d4eddb679ee32e31e58c57341
SSDEEP:	49152:sHRvwDCUV2SaiCrTHh4y6tvuJZEGWwzMvPMzmNjUDmpv4v6dTad0YoJCbN:sxoBCPowz7YUDmpvPc
TLSH:	4D165C23B284713ED06B4E3A593BA65C993FBB7139128C5B67F4098C4E355806E3F61B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9sYyW YyW YyW P.. ]yW H.T!XyW H.S!SyW H.R!UyW H.V!]yW ..V!ZyW YyV .yW ..^![yW ..W!XyW ... XyW ..U!XyW RichYyW ...............

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10001ad6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x677044D8 [Sat Dec 28 18:35:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c8e66c16159ae2be96ac243273edf23c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F9388B41947h
call 00007F9388B41ACAh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F9388B417F3h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push 00000000h
call dword ptr [10003058h]
push dword ptr [ebp+08h]
call dword ptr [1000305Ch]
push C0000409h
call dword ptr [10003054h]
push eax
call dword ptr [10003050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [1000304Ch]
test eax, eax
je 00007F9388B41947h
push 00000002h
pop ecx
int 29h
mov dword ptr [1040D368h], eax
mov dword ptr [1040D364h], ecx
mov dword ptr [1040D360h], edx
mov dword ptr [1040D35Ch], ebx
mov dword ptr [1040D358h], esi
mov dword ptr [1040D354h], edi
mov word ptr [1040D380h], ss
mov word ptr [1040D374h], cs
mov word ptr [1040D350h], ds
mov word ptr [1040D34Ch], es
mov word ptr [1040D348h], fs
mov word ptr [1040D344h], gs
pushfd
pop dword ptr [1040D378h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [1040D36Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0040D370h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3750	0xa8	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x37f8	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40e000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40f000	0x210	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3240	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3180	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0xd0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x164d	0x1800	ad54765767bfc9d2c0fec44d838d4a20	False	0.59423828125	data	6.101734864176362	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0xf06	0x1000	683f9cbfe2404e25fa468e9b775222ed	False	0.42529296875	data	4.76105142635359	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x4095d8	0x409400	95721aade57b1b2f59b3ead944321592	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x40e000	0xf8	0x200	292de3d8825b6eb238864ebf5bed675b	False	0.3359375	data	2.5312981004807127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40f000	0x210	0x400	54ff3137e76e751da7b2d2437ed0075e	False	0.5029296875	data	4.092184468329379	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x40e060	0x91	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.8689655172413793

Imports

DLL	Import
KERNEL32.dll	WriteProcessMemory, OpenProcess, CreateToolhelp32Snapshot, Sleep, Process32NextW, LoadLibraryA, Process32FirstW, CloseHandle, GetProcAddress, VirtualAllocEx, CreateProcessW, CreateRemoteThread, lstrcmpW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter
MSVCP140.dll	?good@ios_base@std@@QBE_NXZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exception@std@@YA_NXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
VCRUNTIME140.dll	__std_type_info_destroy_list, __std_terminate, __CxxFrameHandler3, memset, _except_handler4_common
api-ms-win-crt-runtime-l1-1-0.dll	_execute_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _seh_filter_dll, _cexit, _initterm_e, _initterm, _initialize_onexit_table

Exports

Name	Ordinal	Address
EntryPointProc	1	0x100013e0
eQ8FKAFK298HGKAF0PK1K0RFJF9OMG9348	2	0x10001140
ru3n	3	0x10001470
run	4	0x10001470
rusn	5	0x10001470

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-06T18:14:00.909217+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.20.3.235	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 18:14:00.427367926 CET	49731	443	192.168.2.4	104.20.3.235
Jan 6, 2025 18:14:00.427402973 CET	443	49731	104.20.3.235	192.168.2.4
Jan 6, 2025 18:14:00.427508116 CET	49731	443	192.168.2.4	104.20.3.235
Jan 6, 2025 18:14:00.431972980 CET	49731	443	192.168.2.4	104.20.3.235
Jan 6, 2025 18:14:00.431989908 CET	443	49731	104.20.3.235	192.168.2.4
Jan 6, 2025 18:14:00.909142971 CET	443	49731	104.20.3.235	192.168.2.4
Jan 6, 2025 18:14:00.909216881 CET	49731	443	192.168.2.4	104.20.3.235
Jan 6, 2025 18:14:00.912763119 CET	49731	443	192.168.2.4	104.20.3.235
Jan 6, 2025 18:14:00.912770987 CET	443	49731	104.20.3.235	192.168.2.4
Jan 6, 2025 18:14:00.913008928 CET	443	49731	104.20.3.235	192.168.2.4
Jan 6, 2025 18:14:00.963171005 CET	49731	443	192.168.2.4	104.20.3.235
Jan 6, 2025 18:14:00.991436005 CET	49731	443	192.168.2.4	104.20.3.235
Jan 6, 2025 18:14:01.035335064 CET	443	49731	104.20.3.235	192.168.2.4
Jan 6, 2025 18:14:01.302278042 CET	443	49731	104.20.3.235	192.168.2.4
Jan 6, 2025 18:14:01.302376032 CET	443	49731	104.20.3.235	192.168.2.4
Jan 6, 2025 18:14:01.302449942 CET	49731	443	192.168.2.4	104.20.3.235
Jan 6, 2025 18:14:01.305167913 CET	49731	443	192.168.2.4	104.20.3.235
Jan 6, 2025 18:14:01.305187941 CET	443	49731	104.20.3.235	192.168.2.4
Jan 6, 2025 18:14:02.873861074 CET	49735	4464	192.168.2.4	217.77.11.216
Jan 6, 2025 18:14:02.878817081 CET	4464	49735	217.77.11.216	192.168.2.4
Jan 6, 2025 18:14:02.878882885 CET	49735	4464	192.168.2.4	217.77.11.216
Jan 6, 2025 18:14:04.217024088 CET	49735	4464	192.168.2.4	217.77.11.216
Jan 6, 2025 18:14:17.768775940 CET	58629	53	192.168.2.4	1.1.1.1
Jan 6, 2025 18:14:17.773550987 CET	53	58629	1.1.1.1	192.168.2.4
Jan 6, 2025 18:14:17.773611069 CET	58629	53	192.168.2.4	1.1.1.1
Jan 6, 2025 18:14:17.778390884 CET	53	58629	1.1.1.1	192.168.2.4
Jan 6, 2025 18:14:18.240701914 CET	58629	53	192.168.2.4	1.1.1.1
Jan 6, 2025 18:14:18.245618105 CET	53	58629	1.1.1.1	192.168.2.4
Jan 6, 2025 18:14:18.245662928 CET	58629	53	192.168.2.4	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 18:14:00.413525105 CET	54277	53	192.168.2.4	1.1.1.1
Jan 6, 2025 18:14:00.421278000 CET	53	54277	1.1.1.1	192.168.2.4
Jan 6, 2025 18:14:17.768285990 CET	53	54478	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 6, 2025 18:14:00.413525105 CET	192.168.2.4	1.1.1.1	0xf6c8	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 6, 2025 18:14:00.421278000 CET	1.1.1.1	192.168.2.4	0xf6c8	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
Jan 6, 2025 18:14:00.421278000 CET	1.1.1.1	192.168.2.4	0xf6c8	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Jan 6, 2025 18:14:00.421278000 CET	1.1.1.1	192.168.2.4	0xf6c8	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.20.3.235	443	7088	C:\Windows\SysWOW64\cttune.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 17:14:00 UTC	158	OUT	GET /raw/qLipTDP9 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2025-01-06 17:14:01 UTC	388	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 17:14:01 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Mon, 06 Jan 2025 17:14:01 GMT Server: cloudflare CF-RAY: 8fdd578c88c7c358-EWR
2025-01-06 17:14:01 UTC	83	IN	Data Raw: 34 64 0d 0a 69 6e 69 63 69 6f 7b 0d 0a 22 68 6f 73 74 22 3a 22 32 32 31 36 30 36 36 38 46 32 36 44 46 44 36 42 46 30 34 35 32 42 36 45 45 38 34 41 22 2c 0d 0a 22 70 6f 72 74 61 22 3a 22 42 30 41 35 39 34 39 31 41 35 39 32 22 0d 0a 7d 66 69 6d 0d 0a Data Ascii: 4dinicio{"host":"22160668F26DFD6BF0452B6EE84A","porta":"B0A59491A592"}fim
2025-01-06 17:14:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:13:56
Start date:	06/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\Drivespan.dll"
Imagebase:	0x50000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:13:56
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:13:56
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:13:56
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Drivespan.dll,EntryPointProc
Imagebase:	0x400000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:13:56
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",#1
Imagebase:	0x400000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:13:59
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Drivespan.dll,eQ8FKAFK298HGKAF0PK1K0RFJF9OMG9348
Imagebase:	0x400000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:13:59
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\cttune.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cttune.exe"
Imagebase:	0xb60000
File size:	72'192 bytes
MD5 hash:	E515AF722F75E1A5708B532FAA483333
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:14:02
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Drivespan.dll,ru3n
Imagebase:	0x400000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:14:02
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\cttune.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cttune.exe"
Imagebase:	0x7ff7699e0000
File size:	72'192 bytes
MD5 hash:	E515AF722F75E1A5708B532FAA483333
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:14:05
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",EntryPointProc
Imagebase:	0x400000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:14:05
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",eQ8FKAFK298HGKAF0PK1K0RFJF9OMG9348
Imagebase:	0x400000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:14:05
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",ru3n
Imagebase:	0x400000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:14:05
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",rusn
Imagebase:	0x400000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:14:05
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Drivespan.dll",run
Imagebase:	0x400000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:14:05
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\cttune.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cttune.exe"
Imagebase:	0xb60000
File size:	72'192 bytes
MD5 hash:	E515AF722F75E1A5708B532FAA483333
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:14:05
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\cttune.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cttune.exe"
Imagebase:	0xb60000
File size:	72'192 bytes
MD5 hash:	E515AF722F75E1A5708B532FAA483333
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	12:14:05
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\cttune.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cttune.exe"
Imagebase:	0xb60000
File size:	72'192 bytes
MD5 hash:	E515AF722F75E1A5708B532FAA483333
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	12:14:05
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\cttune.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cttune.exe"
Imagebase:	0xb60000
File size:	72'192 bytes
MD5 hash:	E515AF722F75E1A5708B532FAA483333
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	37.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 04A00018 Relevance: 3.1, APIs: 2, Instructions: 128
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,-00000002), ref: 04A000C8
LoadLibraryA.KERNEL32(?), ref: 04A00102

Memory Dump Source

Source File: 00000006.00000002.1736289447.0000000004A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4a00000_cttune.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: cb9b0787db191ec1bce4ce323a6da168da29d2a908fe8e72052c21ee0be81112
Instruction ID: 7e55169096d7f7cfd6a8727ec51b696477c7f9841721d85a5de0d269ba50fa81
Opcode Fuzzy Hash: cb9b0787db191ec1bce4ce323a6da168da29d2a908fe8e72052c21ee0be81112
Instruction Fuzzy Hash: F6416972B052069FEB24CF59E880B65F7E4FF49315B1881A9E918DB381E731F991CB90

Function 052E0018 Relevance: .1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1737307412.00000000052E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_cttune.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9b0787db191ec1bce4ce323a6da168da29d2a908fe8e72052c21ee0be81112
Instruction ID: c211126f0ea2a817b61ef911e964ce2c0a12a75a0889f3e11f61ee46b49f5465
Opcode Fuzzy Hash: cb9b0787db191ec1bce4ce323a6da168da29d2a908fe8e72052c21ee0be81112
Instruction Fuzzy Hash: D74178727142069FDB24CF59C884F69F3E4FF49310B5881A9E809DB341E7B1E892CB90

Function 045E9CCC Relevance: .0, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1735128740.00000000045E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000006.00000002.1735128740.00000000045FB000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1735128740.000000000497F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1735128740.0000000004988000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_45e0000_cttune.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515cd2e9baeb67353980e33e0740b7984e54f6a04955967e2318308f814bbaa8
Instruction ID: d815ebba13c22e924b12ffa57aaa159c0b7bdf2b2cb1e7146c43959fbb590d53
Opcode Fuzzy Hash: 515cd2e9baeb67353980e33e0740b7984e54f6a04955967e2318308f814bbaa8
Instruction Fuzzy Hash: 8FE04FB62087049FA709DF66F862C36B7A9E7C9B20310C46EE80487A10D935B811D468

Analysis Process: cttune.exePID: 7032, Parent PID: 6932COMMON

Execution Graph

Execution Coverage:	47.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 044C0018 Relevance: 3.1, APIs: 2, Instructions: 128
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNELBASE(00000000,-00000002), ref: 044C00C8
LoadLibraryA.KERNELBASE(?), ref: 044C0102

Memory Dump Source

Source File: 0000000F.00000002.1773977454.00000000044C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_44c0000_cttune.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: cb9b0787db191ec1bce4ce323a6da168da29d2a908fe8e72052c21ee0be81112
Instruction ID: 0790baa22a96e7f15b5677af9f27dc53c78b6db010f3719c83cbf1f609a71f26
Opcode Fuzzy Hash: cb9b0787db191ec1bce4ce323a6da168da29d2a908fe8e72052c21ee0be81112
Instruction Fuzzy Hash: E6414776600206DFDB54CF99D880A66F3E4FF45315B19816EE808DB341E731F991CB90

Function 05300018 Relevance: .1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.1774936377.0000000005300000.00000040.00000400.00020000.00000000.sdmp, Offset: 05300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5300000_cttune.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9b0787db191ec1bce4ce323a6da168da29d2a908fe8e72052c21ee0be81112
Instruction ID: ded2bf98ef5a68650274414e863e1dd52480bc077db706af50410b8a92dd24ca
Opcode Fuzzy Hash: cb9b0787db191ec1bce4ce323a6da168da29d2a908fe8e72052c21ee0be81112
Instruction Fuzzy Hash: 0C416872B043069FDB18CF59C894B66F3E4FF45314B5881A9E819DB381E771E991CB90

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Drivespan.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
Drivespan.dll

Function 04A00018 Relevance: 3.1, APIs: 2, Instructions: 128
libraryloaderCOMMON

Function 052E0018 Relevance: .1, Instructions: 128
COMMON

Function 045E9CCC Relevance: .0, Instructions: 25
COMMON