
Windows Analysis Report
PROCEXP152.dll

Overview

General Information

Sample Name: PROCEXP152.dll (renamed file extension from SYS to dll)
Analysis ID: 804127
MD5: 210134d1c25645324d4881fee5151324
SHA1: 17d9200843fe0eb224644a61f0d1982fac54d844
SHA256: d76c74fc7a00a939985ae515991b80afa0524bf0a4feaec3e5e58e52630bd717

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sample file is different than original file name gathered from version info
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

All four signatures are raised by the sandbox's own loading harness (loaddll64.exe, cmd.exe, rundll32.exe), not by code in the sample: the suspended process creation and the DebugPort query in the behavior list are sourced to loaddll64.exe. The sample is the Sysinternals Process Explorer kernel driver (OriginalFilename procexp.Sys, PDB path ProcExpDriver.pdb, native subsystem, imports only from ntoskrnl.exe) renamed to .dll. The image has no export directory, so the rundll32.exe ",#1" call has nothing to resolve, and its DriverEntry (entry point 0x180009000 in the INIT section) runs only when the image is loaded as a kernel service, which this run did not do ("Number of new started drivers analysed: 0"). The clean verdict therefore means the user-mode harness did nothing observable, not that the driver's device and IOCTL interface was exercised.

Classification

clean (score 2 of 100; label clean2.winDLL@5/0@0/0)

Process tree
  • System is w7x64
  • loaddll64.exe (PID: 2024 cmdline: loaddll64.exe "C:\Users\user\Desktop\PROCEXP152.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • cmd.exe (PID: 1184 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PROCEXP152.dll",#1 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • rundll32.exe (PID: 1216 cmdline: rundll32.exe "C:\Users\user\Desktop\PROCEXP152.dll",#1 MD5: DD81D91FF3B0763C392422865C9AC12E)
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: PROCEXP152.dll | Static PE information: certificate valid
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Source: PROCEXP152.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT
Source: PROCEXP152.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: PROCEXP152.dll | Static PE information: data directory types present: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT
Source: PROCEXP152.dll | Binary string: D:\a\1\s\sys\x64\Release\ProcExpDriver.pdb
Source: PROCEXP152.dll | String found in binary or memory: https://www.sysinternals.com0
Source: PROCEXP152.dll | Binary or memory string: OriginalFilename procexp.SysB vs PROCEXP152.dll
Source: PROCEXP152.dll | Binary strings: \DosDevices\PROCEXP152, \ObjectTypes\, \Device\PROCEXP152, PsAcquireProcessExitSynchronization, PsReleaseProcessExitSynchronization, MmGetMaximumNonPagedPoolInBytes, ObGetObjectType, PsIsProtectedProcess, Mutant, IoCreateDeviceSecure, IoValidateDeviceIoControlAccess, D:P(A;;GA;;;SY)(A;;GA;;;BA), 68

The kernel routine names in that string list do not appear in the import table below, which is consistent with the driver resolving them at run time through the imported MmGetSystemRoutineAddress. The SDDL string next to IoCreateDeviceSecure is a protected DACL granting GENERIC_ALL to SYSTEM (SY) and to the built-in Administrators group (BA) and nothing to anyone else, so the \Device\PROCEXP152 object cannot be opened by a standard user.

Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: clean2.winDLL@5/0@0/0
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\PROCEXP152.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PROCEXP152.dll",#1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PROCEXP152.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe | Process queried: DebugPort
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
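The SDDL string D:P(A;;GA;;;SY)(A;;GA;;;BA) in the binary-string entry above is the form a driver hands to IoCreateDeviceSecure to lock down its device object. The following is an added example written for this page (not the report's output and not Sysinternals' code) that parses such a DACL into its ACEs and flags any allow ACE for a principal every local user belongs to. The function names, the SID/right abbreviation tables (a subset of the SDDL tables) and the weak variant with an extra (A;;GA;;;WD) ACE are the editor's constructions for illustration; the first string is the one from the report.

```python
import re

# Well-known SID abbreviations (subset of the SDDL table) used for display.
SID_ABBREV = {
    "SY": "NT AUTHORITY\\SYSTEM (S-1-5-18)",
    "BA": "BUILTIN\\Administrators (S-1-5-32-544)",
    "BU": "BUILTIN\\Users (S-1-5-32-545)",
    "AU": "Authenticated Users (S-1-5-11)",
    "IU": "Interactive (S-1-5-4)",
    "WD": "Everyone (S-1-1-0)",
}
# Principals that any local user is a member of; an allow ACE for one of them
# opens the device (and its IOCTLs) to unprivileged callers.
LOW_PRIVILEGE = {"WD", "BU", "AU", "IU"}
RIGHT_ABBREV = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPE = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED"}


def parse_sddl_dacl(sddl: str) -> dict:
    """Parse the D: (DACL) component of an SDDL string into its flags and ACE list."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    flags, ace_text = m.group(1), m.group(2)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_text):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, ace_flags, rights, _obj_guid, _inh_guid, sid = fields[:6]
        if rights.startswith("0x"):
            # Raw access mask instead of two-letter abbreviations.
            rights_list = [f"0x{int(rights, 16):08x}"]
        else:
            rights_list = [RIGHT_ABBREV.get(rights[i:i + 2], rights[i:i + 2])
                           for i in range(0, len(rights), 2)]
        aces.append({
            "type": ACE_TYPE.get(ace_type, ace_type),
            "flags": ace_flags,
            "rights": rights_list,
            "sid": sid,
            "principal": SID_ABBREV.get(sid, sid),
        })
    # "P" = SE_DACL_PROTECTED: inherited ACEs from the parent cannot widen this DACL.
    return {"protected": "P" in flags, "flags": flags, "aces": aces}


def low_privilege_allows(sddl: str) -> list:
    """Return the low-privilege principals that an ACCESS_ALLOWED ACE grants access to."""
    d = parse_sddl_dacl(sddl)
    return [a["principal"] for a in d["aces"]
            if a["type"] == "ACCESS_ALLOWED" and a["sid"] in LOW_PRIVILEGE]


if __name__ == "__main__":
    # Descriptor string taken from the report's binary strings: SYSTEM and Administrators only.
    DEVICE_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"
    # Constructed weak variant for contrast: an extra allow ACE for Everyone.
    WEAK_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;WD)"
    for s in (DEVICE_SDDL, WEAK_SDDL):
        d = parse_sddl_dacl(s)
        print(s, "protected=%s" % d["protected"])
        for a in d["aces"]:
            print("   ", a["type"], ",".join(a["rights"]), "->", a["principal"])
        print("    low-privilege access:", low_privilege_allows(s) or "none")
```

For the report's string the low-privilege list is empty; for the constructed variant it names Everyone, which is the pattern to look for when a driver's device is reachable from a standard user session.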
MITRE ATT&CK matrix (only the techniques the sandbox mapped a signature to are listed; the other cells of the matrix were the empty template)

Privilege Escalation: Process Injection (1)
Defense Evasion: Process Injection (1), Rundll32 (1), Virtualization/Sandbox Evasion (1)
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (1), System Information Discovery (1)

Each mapping derives from the harness-level signatures above (suspended process creation, rundll32.exe invocation, DebugPort query, idle behavior), not from driver code.
Behavior graph (ID 804127, sample PROCEXP152.SYS, start date 10/02/2023, Windows, score 2): loaddll64.exe started cmd.exe, which started rundll32.exe.



Source | Detection | Scanner
PROCEXP152.dll | 0% | ReversingLabs
PROCEXP152.dll | 0% | Virustotal
No Antivirus matches
https://www.sysinternals.com0 | 0% | URL Reputation: safe (the trailing "0" is most likely a string-extraction artifact from the version resource; the URL itself is https://www.sysinternals.com)
No contacted domains info
No contacted IP infos
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 804127
Start date and time: 2023-02-10 17:51:17 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: PROCEXP152.dll (renamed file extension from SYS to dll)
Detection: CLEAN
Classification: clean2.winDLL@5/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
No created / dropped files found
File type: PE32+ executable (DLL) (native) x86-64, for MS Windows
Entropy (8bit): 6.299134222165699
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Device Driver (generic) (12004/3) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name: PROCEXP152.dll
File size: 37288
MD5: 210134d1c25645324d4881fee5151324
SHA1: 17d9200843fe0eb224644a61f0d1982fac54d844
SHA256: d76c74fc7a00a939985ae515991b80afa0524bf0a4feaec3e5e58e52630bd717
SHA512: f51e426d2f90a862940e68d883b4c73f79a613cfb4943ce425f4709840840f48d55f8071c51ab7bdab818d332732844a86269a2dd3a1fe5c0c45d20315ec173b
SSDEEP: 768:OyVQcSGXgiRHT4cTNVTC1pua2Nul+brKtZ9puD8Uk9z:OyIuPHfn7NulWQ9z
TLSH: C4F26C8593D855C6E6A7D53082B8CAD7FD303A036711A7DF02A4C4792E63FD4EA38B19
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.NML..ML..ML..ML..LL...4..JL...4..JL...4..NL..ML...L...4..JL...7..LL...7_.LL...7..LL..RichML..................PE..d...VMmc...
Icon Hash: 3074e4d6ded4d0e4
Entrypoint: 0x180009000
Entrypoint Section: INIT
Digitally signed: true
Imagebase: 0x180000000
Subsystem: native
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT
Time Stamp: 0x636D4D56 [Thu Nov 10 19:13:26 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 192407b9613ece36cb3e3bc2b2ad984c
Signature Valid: true
Signature Issuer: CN=Microsoft Windows Third Party Component CA 2012, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After:
  • 5/5/2022 3:02:14 PM 5/4/2023 3:02:14 PM
Subject Chain:
  • CN=Microsoft Windows Hardware Compatibility Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: EE55069CA921D4713375F7580243622C
Thumbprint SHA-1: C1BB01FACA93B0293E172B2015600AB4391F3AD4
Thumbprint SHA-256: DCE4EAA2521F1773FB5E1A8D343EDB967AEC583CBE2CC74B872ABCE78C451153
Serial: 33000000DF8C239890E546903D0000000000DF

The TrID "Dynamic Link Library" guess only reflects the IMAGE_FILE_DLL characteristic. The native subsystem, the entry point in the INIT section and the FORCE_INTEGRITY flag (which makes the loader enforce a valid signature when the image is mapped) identify this as a kernel-mode driver, which matches the "Microsoft Windows Hardware Compatibility Publisher" subject of the signing certificate.
Instruction (entry-point disassembly at 0x180009000)

The listing below is the report's decoding of the entry bytes in 32-bit mode although the image is x64, so every 0x48/0x49 REX.W prefix shows up as a spurious "dec eax"/"dec ecx" and registers are printed as 32-bit names. Read as x64 (mov [rsp+8],rbx; push rdi; sub rsp,20h; mov rbx,rdx; mov rdi,rcx; call ...; mov rdx,rbx; mov rcx,rdi; call ...; mov rbx,[rsp+30h]; add rsp,20h; pop rdi; ret) it is the MSVC GsDriverEntry stub: initialize the /GS security cookie (the second routine, whose "mov eax, 2DDFA232h" is the low half of the default x64 cookie 0x2B992DDFA232 split by the misdecode), then call DriverEntry(DriverObject, RegistryPath) with the two saved arguments and return its status. The "add byte ptr [eax], al" run after the second ret is not code: the import directory starts at RVA 0x9090 inside INIT (see the data directory table), so those bytes are the import descriptor being decoded as instructions.
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
dec eax
mov ebx, edx
dec eax
mov edi, ecx
call 00007F5244765CFCh
dec eax
mov edx, ebx
dec eax
mov ecx, edi
call 00007F524475DCC5h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
add esp, 20h
pop edi
ret
int3
dec eax
mov eax, dword ptr [FFFFC1DDh]
inc ebp
xor ecx, ecx
dec ecx
mov eax, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax-7Bh], cl
sal byte ptr [ebp+eax+49h], 0000003Bh
sal byte ptr [ebp+38h], 0000000Fh
xor dword ptr [eax-3Fh], ecx
loop 00007F5244765D02h
dec eax
lea ecx, dword ptr [FFFFC1B9h]
dec eax
or eax, edx
dec eax
xor eax, ecx
dec eax
mov dword ptr [FFFFC1ACh], eax
inc sp
mov dword ptr [FFFFC1AAh], ecx
dec eax
mov eax, dword ptr [FFFFC19Dh]
dec eax
test eax, eax
jne 00007F5244765CECh
dec ecx
mov eax, eax
dec eax
mov dword ptr [FFFFC18Eh], eax
dec eax
not eax
dec eax
mov dword ptr [FFFFC18Ch], eax
ret
int3
int3
int3
mov eax, 00000090h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx-6Ah], al
add byte ptr [eax], al
add byte ptr [eax+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, dl
xchg eax, edx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
ficom dword ptr [edx+00000000h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9090 | 0x28 | INIT
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x380 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6000 | 0x2e8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6c00 | 0x25a8 | (file offset of the Authenticode signature, not mapped into a section)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb000 | 0x3c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4880 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4740 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0x218 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2140 | 0x2200 | False | 0.5900735294117647 | data | 6.065228952504458 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0xfc4 | 0x1000 | False | 0.43408203125 | data | 4.079795933507306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data | 0x5000 | 0x26c | 0x400 | False | 0.1962890625 | data | 1.267499269275798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6000 | 0x2e8 | 0x400 | False | 0.4208984375 | data | 3.2239429693679105 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
PAGE | 0x7000 | 0x1c53 | 0x1e00 | False | 0.57890625 | data | 6.067395582736787 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
INIT | 0x9000 | 0x87e | 0xa00 | False | 0.43828125 | zlib compressed data | 4.747563608444487 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0x380 | 0x400 | False | 0.3984375 | data | 2.9759006749433174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.reloc | 0xb000 | 0x3c | 0x200 | False | 0.142578125 | data | 0.8067669562396371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The "zlib compressed data" file-type guess for INIT is a libmagic misfire on code bytes; the section is flagged IMAGE_SCN_CNT_CODE and holds the entry stub and the import directory. The NOT_PAGED/DISCARDABLE flags and the PAGE/INIT section names are the layout the WDK build produces for kernel images, not something a user-mode DLL carries.
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xa060 | 0x320 | data | English | United States

DLL | Import
ntoskrnl.exe | strncpy, RtlInitUnicodeString, MmGetSystemRoutineAddress, RtlUnicodeStringToAnsiString, RtlFreeAnsiString, KeLowerIrql, KfRaiseIrql, KeWaitForSingleObject, ExAllocatePoolWithTag, ExFreePoolWithTag, ExGetPreviousMode, SeCaptureSubjectContext, SeReleaseSubjectContext, PsGetVersion, IofCompleteRequest, IoCreateSymbolicLink, IoDeleteDevice, IoDeleteSymbolicLink, ObReferenceObjectByHandle, ObCloseHandle, ObfDereferenceObject, ZwClose, MmIsAddressValid, ZwOpenProcess, KeStackAttachProcess, KeUnstackDetachProcess, SePrivilegeCheck, PsLookupProcessByProcessId, ObOpenObjectByPointer, ObQueryNameString, ZwQueryObject, ZwDuplicateObject, ZwOpenProcessToken, ZwQueryInformationProcess, ZwQuerySystemInformation, ObOpenObjectByName, __C_specific_handler, IoFileObjectType, PsProcessType, PsThreadType, PsInitialSystemProcess, RtlFreeUnicodeString, ZwSetSecurityObject, IoDeviceObjectType, IoCreateDevice, RtlGetDaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetSaclSecurityDescriptor, SeCaptureSecurityDescriptor, _snwprintf, RtlLengthSecurityDescriptor, SeExports, RtlCreateSecurityDescriptor, _wcsnicmp, wcschr, RtlAbsoluteToSelfRelativeSD, RtlAddAccessAllowedAce, RtlLengthSid, IoIsWdmVersionAvailable, RtlSetDaclSecurityDescriptor, ZwOpenKey, ZwSetValueKey, ZwQueryValueKey, ZwCreateKey, KeBugCheckEx

Every import resolves against ntoskrnl.exe and there is no user-mode DLL in the table, which is the static confirmation that nothing in this image can execute under rundll32.exe. The import set (ObReferenceObjectByHandle, ZwDuplicateObject, ZwQueryObject, ObQueryNameString, KeStackAttachProcess, PsLookupProcessByProcessId, ObOpenObjectByPointer) is the handle and process enumeration surface Process Explorer uses, and ExGetPreviousMode and SePrivilegeCheck are the usual request-origin and privilege checks on the IOCTL path.

Language of compilation system | Country where language is spoken
English | United States
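Because the whole verdict turns on recognising that the sample is a kernel image rather than a user-mode DLL, the following added example (written for this page; not the report's tooling and not Sysinternals' code) reads the PE32+ header fields the static section lists (subsystem, DLL characteristics, entry point, section names) and flags a native-subsystem image with INIT/PAGE sections as a driver. It uses only the standard library. The build_sample_image() input is a constructed header-only image populated with the values from this report, not the real file, and the constant and function names are the editor's.

```python
import struct

IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM = {1: "native", 2: "windows_gui", 3: "windows_cui"}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF",
}
DRIVER_SECTIONS = {"INIT", "PAGE"}   # section names the WDK build emits for kernel images


def triage_pe(data: bytes) -> dict:
    """Read the PE32+ headers and report the fields that tell a kernel driver from a user-mode DLL."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", data, oh)[0] != 0x20B:
        raise ValueError("only PE32+ images handled here")
    entry = struct.unpack_from("<I", data, oh + 16)[0]          # AddressOfEntryPoint
    image_base = struct.unpack_from("<Q", data, oh + 24)[0]     # ImageBase
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    sections = []
    for i in range(nsec):                               # 40-byte section headers follow the optional header
        name = struct.unpack_from("8s", data, oh + opt_size + 40 * i)[0]
        sections.append(name.rstrip(b"\0").decode("ascii", "replace"))
    info = {
        "machine": hex(machine),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": IMAGE_SUBSYSTEM.get(subsystem, hex(subsystem)),
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "image_base": image_base,
        "entry_point": image_base + entry,
        "sections": sections,
    }
    # A native-subsystem image with INIT/PAGE sections is a kernel driver whatever its extension
    # says; LoadLibrary/rundll32 never reaches its DriverEntry.
    info["looks_like_driver"] = subsystem == 1 and bool(DRIVER_SECTIONS & set(sections))
    return info


def build_sample_image() -> bytes:
    """Constructed header-only PE32+ carrying the values this report lists (test input, not the real file)."""
    names = [b".text", b".rdata", b".data", b".pdata", b"PAGE", b"INIT", b".rsrc", b".reloc"]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    # Machine AMD64, section count, report time stamp, SizeOfOptionalHeader 240,
    # Characteristics EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL.
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(names), 0x636D4D56, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x9000)                      # entry point RVA (INIT)
    struct.pack_into("<Q", opt, 24, 0x180000000)                 # ImageBase
    struct.pack_into("<HH", opt, 68, 1, 0x01E0)                  # native; HIGH_ENTROPY_VA|DYNAMIC_BASE|FORCE_INTEGRITY|NX_COMPAT
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    secs = b"".join(struct.pack("<8s6I2HI", n, 0, 0, 0, 0, 0, 0, 0, 0, 0) for n in names)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for k, v in triage_pe(data).items():
        if isinstance(v, int) and not isinstance(v, bool):
            print(f"{k:20} {v:#x}")
        else:
            print(f"{k:20} {v}")
```

Saved as a script and given a file path it runs the same checks against a real image; without an argument it runs on the constructed header. A natural extension is to walk the import directory and confirm, as the table above shows for this sample, that every DLL name is ntoskrnl.exe.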
Target ID: 1
Start time: 17:51:15
Start date: 10/02/2023
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe "C:\Users\user\Desktop\PROCEXP152.dll"
Imagebase: 0x13f7c0000
File size: 139776 bytes
MD5 hash: C676FC0263EDD17D4CE7D644B8F3FCD6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 17:51:16
Start date: 10/02/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PROCEXP152.dll",#1
Imagebase: 0x4a3b0000
File size: 345088 bytes
MD5 hash: 5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 4
Start time: 17:51:16
Start date: 10/02/2023
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\PROCEXP152.dll",#1
Imagebase: 0xffba0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly