PUP.DllInject.PA
Analysis Report
General information
| Family Name: | PUP.DllInject.PA |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| c0631c5d9681967bc9e1e1034b4250b7 | 940846d9df8d26979add17648fd6229eb1816fd7 | 1CDF197643E6B4D1D3FFA4C2AD5166849375191EB338378F2CD7C4D8F0793F8D | 1.63 MB (1,634,304 bytes) |
| da1ac4581197cdd0df900e0bb8fb7b1b | 1d3f32b018376d51a6e95ba70eb641185b0683d6 | A8ECA46F20CFC5E00208ED7A4261FAA03543924F2D433BEBB67681D31AD9FDD5 | 310.78 KB (310,784 bytes) |
| a6d36605928d8c58c787fbb76a668aef | 5b7339e9e0b0798e16c82cea724bfa7a0af350c1 | B3D4427FA3C8F0795A8EFFFBC069EC964521E7D51B92DDE4D275DF66BFBDDCB9 | 1.66 MB (1,658,880 bytes) |
| 29dece1cfcdf53d3634f5807b6855ab6 | 2e2326b08888e8cd7990f34ebc7c49fbda7a9da2 | E4857708D27274AF4DB3502ED6E82CC146D129EDE58B656CF214B65EBC366DCF | 442.88 KB (442,880 bytes) |
| 6d881d61130342a1099f691906c78758 | 28e33bc1084315229f0b887e51fca2455269b33b | 172969D0E885169515AD44D99636AE7BC4F00D339E6A31C33C4E68E0979A30DC | 1.57 MB (1,570,816 bytes) |
Windows Portable Executable Attributes
The list is the union of attributes observed across the family's samples, which is why mutually exclusive entries (exports table present and absent, console and GUI subsystem) both appear: different samples carry different values.
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
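A header-level check for the attributes listed above, added here as an illustration; it is not EnigmaSoft's tooling and is not taken from the report. It reads the COFF and optional headers with the standard library only (no pefile). The input it runs against is a constructed PE32 header shell with no sections, shaped like the family profile (32-bit, exports and TLS directories present, no Authenticode data, no Rich header); it is not one of the samples in this report, and the constant names mirror winnt.h.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits and data-directory indices from winnt.h
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x14C
DIR_EXPORT, DIR_SECURITY, DIR_TLS, DIR_COM_DESCRIPTOR = 0, 4, 9, 14
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}


def pe_attributes(data: bytes) -> dict:
    """Read the header-level attributes the report lists, straight from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsections, _ts, _symtab, _nsyms, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    pe32plus = magic == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset for PE32 and PE32+
    ndirs_off = opt + (108 if pe32plus else 92)                 # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = ndirs_off + 4

    def has_dir(index: int) -> bool:
        if index >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, dirs + 8 * index)
        return rva != 0 and size != 0

    return {
        # The Rich header (MSVC linker metadata) sits between the DOS stub and the PE
        # signature; a bare "Rich" marker search is a heuristic, enough for triage.
        "rich_header": data.find(b"Rich", 0x40, e_lfanew) != -1,
        "is_32bit": not pe32plus and machine == IMAGE_FILE_MACHINE_I386,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown({subsystem})"),
        "exports": has_dir(DIR_EXPORT),
        "security": has_dir(DIR_SECURITY),      # Authenticode blob (file offset, not RVA)
        "tls": has_dir(DIR_TLS),                # TLS callbacks run before the entry point
        "dotnet": has_dir(DIR_COM_DESCRIPTOR),  # CLR header present => managed image
    }


def build_minimal_pe(characteristics: int, subsystem: int, directories: dict) -> bytes:
    """Constructed test input: a PE32 header with no sections, enough for the checks
    above but not loadable. `directories` maps data-directory index -> (rva, size)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    opt = bytearray(0xE0)                                 # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    for index, (rva, size) in directories.items():
        struct.pack_into("<II", opt, 96 + 8 * index, rva, size)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed header shaped like the family profile: 32-bit GUI, exports + TLS present,
# no security directory, no Rich header. Not a sample from this report.
SAMPLE_DLL = build_minimal_pe(
    IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL,
    subsystem=2,
    directories={DIR_EXPORT: (0x1000, 0x40), DIR_TLS: (0x2000, 0x18)},
)

if __name__ == "__main__":
    for name, value in pe_attributes(SAMPLE_DLL).items():
        print(f"{name:>17}: {value}")
```

Run it against a real file with `pe_attributes(open(path, "rb").read())`. The TLS check is the one to watch during dynamic analysis: TLS callbacks execute before the entry point, so a debugger that breaks only at the entry point has already let them run.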
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software. None of the fields is populated for the samples listed, matching the "No Version Info" trait below.

| Name | Value |
|---|---|
| Comments | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
File Traits
- dll
- HighEntropy
- No Version Info
- VirtualQueryEx
- WriteProcessMemory
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 4,707 |
|---|---|
| Potentially Malicious Blocks: | 348 |
| Whitelisted Blocks: | 2,880 |
| Unknown Blocks: | 1,479 |
Visual Map
The page renders the block map as a grid with one symbol per block, in block order, and the capture is truncated ("Data truncated") before the end of the map. Legend:
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Kryptik.VCKV
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation. The captured page lists only the categories; the API names within each category are not shown.

| Category | API |
|---|---|
| Syscall Use | |
| Process Shell Execute | |
| Anti Debug | |
| User Data Access | |
| Process Manipulation Evasion | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

Each line below starts with two rundll32 paths: the first is the process image (the 32-bit copy under SysWOW64), the second is the command line as originally issued. This is the normal WoW64 hand-off: the 64-bit rundll32 finds that the module is a 32-bit image and re-executes its SysWOW64 counterpart with the original command line, so the doubled path by itself is not a sign of tampering. The module argument is the sandbox's name for the sample (its SHA1 followed by the zero-padded file size, with no .dll extension) and the entry point invoked is the export LiQMAxHB. Four of the five files listed under Known Samples were run this way.
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\940846d9df8d26979add17648fd6229eb1816fd7_0001634304.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\1d3f32b018376d51a6e95ba70eb641185b0683d6_0000310784.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5b7339e9e0b0798e16c82cea724bfa7a0af350c1_0001658880.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\28e33bc1084315229f0b887e51fca2455269b33b_0001570816.,LiQMAxHB
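A triage parser for rundll32 command lines of the shape listed above, added as an example; it is not part of the report or of EnigmaSoft's tooling. It runs over the four command lines from this section plus one constructed benign line (printui.dll / PrintUIEntry is a stock Windows entry point, the line itself is made up for contrast). The KNOWN_EXPORTS allow-list and the user-writable-directory pattern are assumptions chosen for illustration, not a complete policy; the WoW64 relaunch is recorded but deliberately not counted as a reason, for the reason given above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The four command lines from the report, plus one constructed benign line for contrast.
SAMPLE_COMMANDS = [
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\940846d9df8d26979add17648fd6229eb1816fd7_0001634304.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\1d3f32b018376d51a6e95ba70eb641185b0683d6_0000310784.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5b7339e9e0b0798e16c82cea724bfa7a0af350c1_0001658880.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\28e33bc1084315229f0b887e51fca2455269b33b_0001570816.,LiQMAxHB",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry",  # constructed
]

RUNDLL32 = re.compile(r"(?:^|\\)rundll32\.exe$", re.IGNORECASE)
# Directories a standard user can write to; a rundll32 module loaded from here looks like a
# downloaded or dropped file rather than an installed component. Assumed pattern, illustrative.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\|\\(temp|tmp)\\", re.IGNORECASE)
# Assumed allow-list of entry points seen in routine administration (not exhaustive).
KNOWN_EXPORTS = {"printuientry", "control_rundll", "shellexec_rundll", "dllregisterserver",
                 "dllinstall", "openas_rundll", "fileprotocolhandler"}


@dataclass
class Rundll32Call:
    hosts: List[str]   # rundll32 image paths at the front of the command line
    dll: str           # module rundll32 was told to load
    export: str        # entry point name, or "#ordinal"
    args: str          # anything after the entry point
    reasons: List[str] = field(default_factory=list)

    @property
    def wow64_relaunch(self) -> bool:
        # 64-bit rundll32 handed a 32-bit module re-executes SysWOW64\rundll32.exe with the
        # original command line: image is the SysWOW64 copy, command line still starts with
        # the system32 path. Expected behaviour, so it is reported but not a reason.
        return len(self.hosts) >= 2 and "\\syswow64\\" in self.hosts[0].lower()

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Split a rundll32 command line into host image(s), module, export and arguments,
    then attach the triage reasons that apply. Returns None for non-rundll32 lines."""
    tokens = cmdline.split()
    hosts = []
    while tokens and RUNDLL32.search(tokens[0]):
        hosts.append(tokens.pop(0))
    if not hosts or not tokens:
        return None
    # rundll32 syntax is "<module>,<entry> [args]"; the module path may contain spaces,
    # so consume tokens until the one carrying the comma that separates module from entry.
    target = []
    while tokens:
        target.append(tokens.pop(0))
        if "," in target[-1]:
            break
    dll, _, export = " ".join(target).partition(",")
    call = Rundll32Call(hosts, dll, export, " ".join(tokens))
    if USER_WRITABLE.search(dll):
        call.reasons.append("module loaded from a user-writable directory")
    if not dll.lower().endswith(".dll"):
        call.reasons.append("module path does not end in .dll")
    if export and not export.startswith("#") and export.lower() not in KNOWN_EXPORTS:
        call.reasons.append(f"entry point {export!r} is not on the allow-list")
    return call


def triage(cmdlines) -> List[Rundll32Call]:
    """Parse every rundll32 line and return only those that raised at least one reason."""
    calls = (parse_rundll32(c) for c in cmdlines)
    return [c for c in calls if c is not None and c.suspicious]


if __name__ == "__main__":
    for call in triage(SAMPLE_COMMANDS):
        tag = " (WoW64 relaunch)" if call.wow64_relaunch else ""
        print(f"{call.dll} -> {call.export}{tag}: {'; '.join(call.reasons)}")
```

Feed it process-creation events (Sysmon event 1 or the equivalent EDR field) filtered to rundll32 images; the three reasons fire together on the report's lines, while the constructed benign line produces none.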