Analysis

Category Package Started Completed Duration
FILE dll 2020-06-30 16:51:28 2020-06-30 16:57:37 369 seconds
route = tor
2020-05-13 09:26:05,024 [root] INFO: Date set to: 20200630T16:06:58, timeout set to: 200
2020-06-30 16:06:58,093 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-06-30 16:06:58,093 [root] DEBUG: Storing results at: C:\mYLSar
2020-06-30 16:06:58,093 [root] DEBUG: Pipe server name: \\.\PIPE\VAQwKBqwV
2020-06-30 16:06:58,093 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-30 16:06:58,093 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 16:06:58,093 [root] INFO: Automatically selected analysis package "dll"
2020-06-30 16:06:58,093 [root] DEBUG: Trying to import analysis package "dll"...
2020-06-30 16:06:58,187 [root] DEBUG: Imported analysis package "dll".
2020-06-30 16:06:58,187 [root] DEBUG: Trying to initialize analysis package "dll"...
2020-06-30 16:06:58,187 [root] DEBUG: Initialized analysis package "dll".
2020-06-30 16:06:58,609 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 16:06:58,703 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 16:06:58,703 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 16:06:58,750 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 16:06:58,750 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 16:06:58,796 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 16:06:58,796 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 16:06:58,875 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 16:06:58,875 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 16:06:58,875 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 16:06:58,875 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 16:06:59,125 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 16:06:59,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 16:07:00,125 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 16:07:00,125 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 16:07:00,125 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 16:07:00,125 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 16:07:00,125 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 16:07:00,125 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 16:07:00,281 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 16:07:00,281 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 16:07:02,515 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 16:07:02,562 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 16:07:02,671 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 16:07:02,671 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 16:07:02,671 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 16:07:02,687 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 16:07:02,687 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 16:07:02,687 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 16:07:02,687 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 16:07:02,687 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 16:07:02,687 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 16:07:02,703 [root] DEBUG: Started auxiliary module Browser
2020-06-30 16:07:02,703 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 16:07:02,703 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 16:07:02,703 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 16:07:02,703 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 16:07:02,703 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 16:07:02,703 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 16:07:02,703 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 16:07:02,703 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 16:07:04,375 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 16:07:04,375 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 16:07:04,406 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 16:07:04,406 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 16:07:04,406 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 16:07:04,406 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 16:07:04,437 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 16:07:04,437 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 16:07:04,437 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 16:07:04,437 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 16:07:04,437 [root] DEBUG: Started auxiliary module Human
2020-06-30 16:07:04,453 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 16:07:04,453 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 16:07:04,453 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 16:07:04,453 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 16:07:04,453 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 16:07:04,453 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 16:07:04,453 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 16:07:04,453 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 16:07:04,453 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 16:07:04,468 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 16:07:04,468 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 16:07:04,468 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 16:07:04,468 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 16:07:04,468 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 16:07:04,468 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 16:07:04,468 [root] DEBUG: Started auxiliary module Usage
2020-06-30 16:07:04,468 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2020-06-30 16:07:04,468 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2020-06-30 16:07:04,468 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2020-06-30 16:07:04,468 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2020-06-30 16:07:04,750 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\Users\Louise\AppData\Local\Temp\47ce0f.dll",#1" with pid 4716
2020-06-30 16:07:04,750 [lib.api.process] INFO: Monitor config for process 4716: C:\tmp2ssujfce\dll\4716.ini
2020-06-30 16:07:04,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\PSoLoE.dll, loader C:\tmp2ssujfce\bin\GIdRBSh.exe
2020-06-30 16:07:04,859 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\VAQwKBqwV.
2020-06-30 16:07:04,859 [root] DEBUG: Loader: Injecting process 4716 (thread 2004) with C:\tmp2ssujfce\dll\PSoLoE.dll.
2020-06-30 16:07:04,859 [root] DEBUG: Process image base: 0x001B0000
2020-06-30 16:07:04,859 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\PSoLoE.dll.
2020-06-30 16:07:04,890 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 16:07:04,890 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\PSoLoE.dll.
2020-06-30 16:07:04,906 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4716
2020-06-30 16:07:06,906 [lib.api.process] INFO: Successfully resumed process with pid 4716
2020-06-30 16:07:11,984 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 16:07:12,000 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 16:07:12,015 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 16:07:12,015 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\system32\rundll32.exe" "C:\Users\Louise\AppData\Local\Temp\47ce0f.dll",#1.
2020-06-30 16:07:12,062 [root] INFO: Loaded monitor into process with pid 4716
2020-06-30 16:07:12,062 [root] INFO: Disabling sleep skipping.
2020-06-30 16:07:12,062 [root] INFO: Disabling sleep skipping.
2020-06-30 16:07:12,062 [root] INFO: Disabling sleep skipping.
2020-06-30 16:07:12,062 [root] INFO: Disabling sleep skipping.
2020-06-30 16:07:12,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc amd local view 0x6F8F0000 to global list.
2020-06-30 16:07:12,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x6F8D0000 to global list.
2020-06-30 16:07:12,625 [root] DEBUG: DLL loaded at 0x73330000: C:\Windows\SYSTEM32\MSCOREE (0x4a000 bytes).
2020-06-30 16:07:12,625 [root] DEBUG: Target DLL loaded at 0x6F8D0000: C:\Users\Louise\AppData\Local\Temp\47ce0f.dll (0x1b000 bytes).
2020-06-30 16:07:12,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x763F0000 for section view with handle 0xcc.
2020-06-30 16:07:12,640 [root] DEBUG: DLL loaded at 0x763F0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-30 16:07:12,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x760B0000 for section view with handle 0xcc.
2020-06-30 16:07:12,640 [root] DEBUG: DLL loaded at 0x760B0000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-30 16:07:12,640 [root] DEBUG: set_caller_info: Adding region at 0x00130000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 16:07:12,656 [root] DEBUG: set_caller_info: Adding region at 0x02440000 to caller regions list (ntdll::RtlDispatchException).
2020-06-30 16:07:12,859 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x2440000
2020-06-30 16:07:12,859 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02440000 size 0x400000.
2020-06-30 16:07:12,859 [root] DEBUG: DumpPEsInRange: Scanning range 0x2440000 - 0x2441000.
2020-06-30 16:07:13,640 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\mYLSar\CAPE\4716_131465016712751372020 (size 0xfd8)
2020-06-30 16:07:13,640 [root] DEBUG: DumpRegion: Dumped stack region from 0x02440000, size 0x1000.
2020-06-30 16:07:13,671 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00130000.
2020-06-30 16:07:13,671 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-30 16:07:13,718 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x577fff
2020-06-30 16:07:13,718 [root] DEBUG: DumpMemory: Nothing to dump at 0x003F0000!
2020-06-30 16:07:13,718 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x003F0000 size 0x188000.
2020-06-30 16:07:13,718 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x3f8000.
2020-06-30 16:07:13,718 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0000-0x3f8000.
2020-06-30 16:07:13,796 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\mYLSar\CAPE\4716_15213219813751372020 (size 0x7ff2)
2020-06-30 16:07:13,812 [root] DEBUG: DumpRegion: Dumped stack region from 0x003F0000, size 0x8000.
2020-06-30 16:07:13,812 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x11c amd local view 0x72D60000 to global list.
2020-06-30 16:07:13,812 [root] DEBUG: DLL loaded at 0x72D60000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 16:07:13,828 [root] DEBUG: DLL unloaded from 0x760C0000.
2020-06-30 16:07:13,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x124 amd local view 0x00170000 to global list.
2020-06-30 16:07:13,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x120 amd local view 0x00170000 to global list.
2020-06-30 16:07:13,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x12c amd local view 0x00170000 to global list.
2020-06-30 16:07:13,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x128 amd local view 0x00170000 to global list.
2020-06-30 16:07:13,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x130 amd local view 0x00170000 to global list.
2020-06-30 16:07:13,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x134 amd local view 0x00170000 to global list.
2020-06-30 16:07:13,890 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-30 16:07:13,890 [root] DEBUG: DLL loaded at 0x746C0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-30 16:07:13,906 [root] DEBUG: DLL loaded at 0x72E10000: C:\Windows\system32\NLAapi (0x10000 bytes).
2020-06-30 16:07:13,906 [root] DEBUG: DLL loaded at 0x72E20000: C:\Windows\system32\napinsp (0x10000 bytes).
2020-06-30 16:07:13,906 [root] DEBUG: DLL loaded at 0x70760000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2020-06-30 16:07:13,921 [root] DEBUG: DLL loaded at 0x70250000: C:\Windows\SysWOW64\DNSAPI (0x44000 bytes).
2020-06-30 16:07:13,921 [root] DEBUG: DLL loaded at 0x70750000: C:\Windows\System32\winrnr (0x8000 bytes).
2020-06-30 16:07:13,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f8 amd local view 0x04470000 to global list.
2020-06-30 16:07:13,953 [root] DEBUG: DLL loaded at 0x739D0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-06-30 16:07:13,968 [root] DEBUG: DLL loaded at 0x70230000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2020-06-30 16:07:13,984 [root] INFO: Announced 32-bit process name: cmd.exe pid: 3808
2020-06-30 16:07:13,984 [lib.api.process] INFO: Monitor config for process 3808: C:\tmp2ssujfce\dll\3808.ini
2020-06-30 16:07:14,000 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\PSoLoE.dll, loader C:\tmp2ssujfce\bin\GIdRBSh.exe
2020-06-30 16:07:14,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\VAQwKBqwV.
2020-06-30 16:07:14,031 [root] DEBUG: Loader: Injecting process 3808 (thread 5016) with C:\tmp2ssujfce\dll\PSoLoE.dll.
2020-06-30 16:07:14,031 [root] DEBUG: Process image base: 0x4AA50000
2020-06-30 16:07:14,031 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\PSoLoE.dll.
2020-06-30 16:07:14,031 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-30 16:07:14,031 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-30 16:07:14,093 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 16:07:14,109 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 16:07:14,125 [root] INFO: Disabling sleep skipping.
2020-06-30 16:07:14,125 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3808 at 0x6fa40000, image base 0x4aa50000, stack from 0x403000-0x500000
2020-06-30 16:07:14,125 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\cmd.exe.
2020-06-30 16:07:14,156 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-06-30 16:07:14,187 [root] INFO: Loaded monitor into process with pid 3808
2020-06-30 16:07:14,187 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 16:07:14,187 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 16:07:14,203 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\PSoLoE.dll.
2020-06-30 16:07:14,218 [root] DEBUG: CreateProcessHandler: using lpCommandLine: cmd.exe.
2020-06-30 16:07:14,218 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3808, ImageBase: 0x4AA50000
2020-06-30 16:07:14,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 amd local view 0x00170000 to global list.
2020-06-30 16:07:14,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x14c amd local view 0x00170000 to global list.
2020-06-30 16:07:14,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x210 amd local view 0x00170000 to global list.
2020-06-30 16:07:14,249 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd8 amd local view 0x01EA0000 to global list.
2020-06-30 16:07:14,265 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc amd local view 0x01EA0000 to global list.
2020-06-30 16:07:14,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03CD0000 for section view with handle 0xd8.
2020-06-30 16:07:15,157 [root] DEBUG: GetHookCallerBase: thread 2004 (handle 0x0), return address 0x001B24C5, allocation base 0x001B0000.
2020-06-30 16:07:15,165 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x6F8D0000.
2020-06-30 16:07:15,165 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 16:07:15,165 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x6F8D0000.
2020-06-30 16:07:15,165 [root] DEBUG: DumpProcess: Error - entry point too big: 0x3a8254e, ignoring.
2020-06-30 16:07:15,243 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x19400.
2020-06-30 16:07:15,243 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x001B0000.
2020-06-30 16:07:15,243 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 16:07:15,243 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x001B0000.
2020-06-30 16:07:15,250 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001798.
2020-06-30 16:07:15,345 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2020-06-30 16:07:15,345 [root] DEBUG: DLL unloaded from 0x6F8D0000.
2020-06-30 16:07:15,345 [root] DEBUG: DLL unloaded from 0x73580000.
2020-06-30 16:07:15,345 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-06-30 16:07:15,361 [root] DEBUG: DLL unloaded from 0x72D60000.
2020-06-30 16:07:15,361 [root] DEBUG: DLL unloaded from 0x76680000.
2020-06-30 16:07:15,376 [root] INFO: Process with pid 4716 has terminated
2020-06-30 16:09:19,455 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3808
2020-06-30 16:09:19,611 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x49e00.
2020-06-30 16:10:27,189 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-30 16:10:27,205 [lib.api.process] ERROR: Failed to open terminate event for pid 3808
2020-06-30 16:10:27,205 [root] INFO: Terminate event set for process 3808.
2020-06-30 16:10:27,205 [root] INFO: Created shutdown mutex.
2020-06-30 16:10:28,220 [root] INFO: Shutting down package.
2020-06-30 16:10:28,220 [root] INFO: Stopping auxiliary modules.
2020-06-30 16:10:28,439 [lib.common.results] WARNING: File C:\mYLSar\bin\procmon.xml doesn't exist anymore
2020-06-30 16:10:28,439 [root] INFO: Finishing auxiliary modules.
2020-06-30 16:10:28,439 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 16:10:28,439 [root] WARNING: Folder at path "C:\mYLSar\debugger" does not exist, skip.
2020-06-30 16:10:28,439 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_1 win7x64_5 KVM 2020-06-30 16:51:28 2020-06-30 16:57:36

File Details

File Name 47ce0f.dll
File Size 100352 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-06-21 16:51:23
MD5 834fbacdff8eaaf8163b00175e1dfff0
SHA1 a636c33b41dfb92312a6c8379169a80a6b57d02f
SHA256 47ce0f84aceaca95dfa327d9bf9c1eeacbde6cf5a4673bb2a4c96d1938958835
SHA512 824cce42249d66b36826c17ba974cf932d3b2c0f48ebd85c195be6743187a15e53610546480f9dededa059847d48c9deb27eb99ed95c2ed4b242a8599331387d
CRC32 35C9FB59
Ssdeep 3072:iYKwcf9/azKSFThJEg/AOJ0fuTzhH7VwWQnw:xcly5thJl/Ag0fuTz/Qw

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: rundll32.exe, PID 4716
Dynamic (imported) function loading detected
DynamicLoader: MSCOREE.DLL/_CorExeMain
DynamicLoader: MSCOREE.DLL/_CorImageUnloading
DynamicLoader: MSCOREE.DLL/_CorValidateImage
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/CreateEventExW
DynamicLoader: kernel32.dll/CreateSemaphoreExW
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/CreateThreadpoolTimer
DynamicLoader: kernel32.dll/SetThreadpoolTimer
DynamicLoader: kernel32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: kernel32.dll/CloseThreadpoolTimer
DynamicLoader: kernel32.dll/CreateThreadpoolWait
DynamicLoader: kernel32.dll/SetThreadpoolWait
DynamicLoader: kernel32.dll/CloseThreadpoolWait
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: kernel32.dll/GetCurrentProcessorNumber
DynamicLoader: kernel32.dll/GetLogicalProcessorInformation
DynamicLoader: kernel32.dll/CreateSymbolicLinkW
DynamicLoader: kernel32.dll/SetDefaultDllDirectories
DynamicLoader: kernel32.dll/EnumSystemLocalesEx
DynamicLoader: kernel32.dll/CompareStringEx
DynamicLoader: kernel32.dll/GetDateFormatEx
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/GetTimeFormatEx
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/IsValidLocaleName
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: kernel32.dll/GetFileInformationByHandleExW
DynamicLoader: kernel32.dll/SetFileInformationByHandleW
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/AreFileApisANSI
DynamicLoader: 47ce0f.dll/
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
CAPE extracted potentially suspicious content
rundll32.exe: Unpacked Shellcode
rundll32.exe: Unpacked Shellcode
Multiple direct IP connections
direct_ip_connections: Made direct connections to 6 unique IP addresses
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\47ce0f.dll
Anomalous .NET characteristics
anomalous_version: Assembly version is set to 0
Uses Windows utilities for basic functionality
command: cmd.exe
Created network traffic indicative of malicious activity
signature: GPL EXPLOIT Microsoft cmd.exe banner
signature: ET JA3 Hash - Possible Malware - Various Eitest
signature: ET JA3 Hash - Possible Malware - RigEK

Hosts

Direct IP Country
Y 8.8.8.8 United States
Y 52.114.132.20 United States
Y 20.36.252.129 United States
Y 185.46.139.12 Germany
Y 172.217.168.195 United States
Y 171.239.179.93 Vietnam

DNS

No domains contacted.

Summary

C:\Users\Louise\AppData\Local\Temp\47ce0f.dll
C:\Users\Louise\AppData\Local\Temp\47ce0f.dll.123.Manifest
C:\Users\Louise\AppData\Local\Temp\47ce0f.dll.124.Manifest
C:\Users\Louise\AppData\Local\Temp\47ce0f.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Louise\AppData\Local\Temp\47ce0f.dll.config
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\Fonts\staticcache.dat
C:\Users\Louise\AppData\Local\Temp
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Windows\SysWOW64\Branding\Basebrd\Basebrd.dll
C:\Windows\Branding\Basebrd\basebrd.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\Louise\AppData\Local\Temp\47ce0f.dll
C:\Users\Louise\AppData\Local\Temp\47ce0f.dll.123.Manifest
C:\Users\Louise\AppData\Local\Temp\47ce0f.dll.124.Manifest
C:\Users\Louise\AppData\Local\Temp\47ce0f.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Louise\AppData\Local\Temp\47ce0f.dll.config
C:\Windows\Fonts\staticcache.dat
C:\Windows\Branding\Basebrd\basebrd.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
HKEY_CURRENT_USER\Control Panel\Desktop\LanguageConfiguration
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
mscoree.dll._CorExeMain
mscoree.dll._CorImageUnloading
mscoree.dll._CorValidateImage
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorDllMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
kernel32.dll.AreFileApisANSI
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
oleaut32.dll.#500
advapi32.dll.EventUnregister
kernel32.dll.SetThreadUILanguage
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
cmd.exe
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1

PE Information

Image Base:          0x10000000
Entry Point:         0x10010f18
Reported Checksum:   0x00000000
Actual Checksum:     0x00026a6f
Minimum OS Version:  6.0
Compile Time:        2020-06-21 16:51:23
Import Hash:         8b4fd1375aeccba4a8270a55fe0855c0

Sections

Name    RAW Address  Virtual Address  Virtual Size  Size of Raw Data  Characteristics                                                              Entropy
.text   0x00000400   0x00001000       0x0000ff1e    0x00010000        IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                  6.66
.rdata  0x00010400   0x00011000       0x000069e4    0x00006a00        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            5.18
.data   0x00016e00   0x00018000       0x00001500    0x00000a00        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        1.96
.reloc  0x00017800   0x0001a000       0x00000ee8    0x00001000        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ  6.29

Imports

0x1001110c WSASocketA
0x10011110 WSAConnect
0x10011114 WSAGetLastError
0x10011118 WSAStartup
0x1001111c gethostbyname
0x10011120 inet_ntoa
0x10011124 inet_addr
0x10011128 htons
0x10011000 HeapAlloc
0x10011004 CloseHandle
0x10011008 DecodePointer
0x1001100c GetConsoleMode
0x10011010 GetConsoleOutputCP
0x10011014 WriteConsoleW
0x10011018 CreateThread
0x1001101c CreateProcessA
0x10011028 GetCurrentProcess
0x1001102c TerminateProcess
0x10011038 GetCurrentProcessId
0x1001103c GetCurrentThreadId
0x10011044 InitializeSListHead
0x10011048 IsDebuggerPresent
0x1001104c GetStartupInfoW
0x10011050 GetModuleHandleW
0x10011054 WriteFile
0x10011058 InterlockedFlushSList
0x1001105c RtlUnwind
0x10011060 GetLastError
0x10011064 SetLastError
0x10011068 EnterCriticalSection
0x1001106c LeaveCriticalSection
0x10011070 DeleteCriticalSection
0x10011078 TlsAlloc
0x1001107c TlsGetValue
0x10011080 TlsSetValue
0x10011084 TlsFree
0x10011088 FreeLibrary
0x1001108c GetProcAddress
0x10011090 LoadLibraryExW
0x10011094 RaiseException
0x10011098 ExitProcess
0x1001109c GetModuleHandleExW
0x100110a0 GetModuleFileNameW
0x100110a4 HeapFree
0x100110a8 FlushFileBuffers
0x100110ac GetStdHandle
0x100110b0 GetFileType
0x100110b4 FindClose
0x100110b8 FindFirstFileExW
0x100110bc FindNextFileW
0x100110c0 IsValidCodePage
0x100110c4 GetACP
0x100110c8 GetOEMCP
0x100110cc GetCPInfo
0x100110d0 GetCommandLineA
0x100110d4 GetCommandLineW
0x100110d8 MultiByteToWideChar
0x100110dc WideCharToMultiByte
0x100110e0 GetEnvironmentStringsW
0x100110e8 LCMapStringW
0x100110ec GetProcessHeap
0x100110f0 SetFilePointerEx
0x100110f4 GetStringTypeW
0x100110f8 SetStdHandle
0x100110fc HeapSize
0x10011100 HeapReAlloc
0x10011104 CreateFileW
0x10011130 _CorDllMain

Assembly Information

Name x86
Version 0.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0

Type References

Assembly Type Name
mscorlib System.Object

No antivirus signatures available.
Sorry! No behavior.

Hosts

Direct  IP               Country Name
Y       8.8.8.8          United States
Y       52.114.132.20    United States
Y       20.36.252.129    United States
Y       185.46.139.12    Germany
Y       172.217.168.195  United States
Y       171.239.179.93   Vietnam

TCP

Source Source Port Destination Destination Port
192.168.1.6 49193 13.107.42.23 443
192.168.1.6 49194 171.239.179.93 3979
192.168.1.6 49208 172.217.20.110 80
192.168.1.6 49184 2.18.69.166 443
192.168.1.6 49199 2.18.69.166 443
192.168.1.6 49203 20.36.252.129 443
192.168.1.6 34509 52.114.132.20 1543
192.168.1.6 18125 52.114.132.20 32856
192.168.1.6 34286 52.114.132.20 17591
192.168.1.6 59657 52.114.7.37 25867
192.168.1.6 49204 52.114.7.37 443
192.168.1.6 49182 93.184.220.29 80
192.168.1.6 49205 93.184.220.29 80

UDP

Source Source Port Destination Destination Port
192.168.1.6 137 192.168.1.255 137
192.168.1.6 50764 8.8.8.8 53
192.168.1.6 50797 8.8.8.8 53
192.168.1.6 52555 8.8.8.8 53
192.168.1.6 56219 8.8.8.8 53
192.168.1.6 56304 8.8.8.8 53
192.168.1.6 57593 8.8.8.8 53
192.168.1.6 58697 8.8.8.8 53
192.168.1.6 60016 8.8.8.8 53
192.168.1.6 63241 8.8.8.8 53
192.168.1.6 63713 8.8.8.8 53
192.168.1.6 64201 8.8.8.8 53
192.168.1.6 65048 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-30 16:54:09.399 192.168.1.6 49185 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 16:54:20.850 192.168.1.6 49193 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 16:54:20.895 192.168.1.6 49191 2.18.69.166 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3
2020-06-30 16:54:22.966 192.168.1.6 49199 2.18.69.166 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3
2020-06-30 16:56:01.736 192.168.1.6 49203 20.36.252.129 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3
2020-06-30 16:56:26.413 192.168.1.6 49194 171.239.179.93 3979 TCP 1 2102123 7 GPL EXPLOIT Microsoft cmd.exe banner Successful Administrator Privilege Gain 1
2020-06-30 16:56:28.908 192.168.1.6 49207 172.217.168.195 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 16:57:15.130 185.46.139.12 80 192.168.1.6 49209 TCP 1 2018959 4 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation 1
2020-06-30 16:57:15.130 185.46.139.12 80 192.168.1.6 49209 TCP 1 2014520 7 ET INFO EXE - Served Attached HTTP Misc activity 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-30 16:53:39.263 192.168.1.6 49180 20.36.252.129 443 CN=g.msn.com 84:07:33:ed:86:d5:52:e5:ff:20:cd:89:1e:0a:3c:00:7b:68:0d:17 TLS 1.2
2020-06-30 16:54:06.492 192.168.1.6 49184 2.18.69.166 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=*.sfx.ms 43:5a:ab:ca:cc:ab:86:4d:56:81:18:e3:e5:17:05:9b:0e:32:8c:38 TLS 1.2
2020-06-30 16:54:09.481 192.168.1.6 49185 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 16:54:20.895 192.168.1.6 49193 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 16:54:20.972 192.168.1.6 49191 2.18.69.166 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=*.sfx.ms 43:5a:ab:ca:cc:ab:86:4d:56:81:18:e3:e5:17:05:9b:0e:32:8c:38 TLSv1
2020-06-30 16:54:22.970 192.168.1.6 49199 2.18.69.166 443 TLSv1
2020-06-30 16:55:44.604 192.168.1.6 49201 52.114.132.20 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2
2020-06-30 16:56:01.886 192.168.1.6 49203 20.36.252.129 443 CN=g.msn.com 84:07:33:ed:86:d5:52:e5:ff:20:cd:89:1e:0a:3c:00:7b:68:0d:17 TLSv1
2020-06-30 16:56:19.499 192.168.1.6 49204 52.114.7.37 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2
2020-06-30 16:56:28.908 192.168.1.6 49207 172.217.168.195 443 C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com 7f:4a:a6:9d:a6:a8:b5:a6:48:ae:c5:5a:03:4c:b8:b0:25:32:b8:7f TLS 1.2
2020-06-30 16:57:23.599 192.168.1.6 49210 52.114.7.37 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-06-30 16:53:50.231 192.168.1.6 49181 93.184.221.240 80 200 ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c05362e6e894290d application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 6894
2020-06-30 16:54:01.624 192.168.1.6 49182 93.184.220.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-30 16:54:07.205 192.168.1.6 49181 93.184.221.240 80 304 ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a5d47e2386d9bd56 None Microsoft-CryptoAPI/6.1 None 0
2020-06-30 16:54:07.353 192.168.1.6 49182 93.184.220.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-30 16:55:45.453 192.168.1.6 49202 93.184.220.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-30 16:56:22.360 192.168.1.6 49205 93.184.220.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-30 16:56:32.483 192.168.1.6 49208 172.217.20.110 80 302 redirector.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe text/html Microsoft BITS/7.5 None 0
2020-06-30 16:56:33.157 192.168.1.6 49209 185.46.139.12 80 200 r1---sn-ntnxax8xo-cxge.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.101.131&mm=28&mn=sn-ntnxax8xo-cxge&ms=nvh&mt=1593536115&mv=m&mvi=0&pcm2cms=yes&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 0
2020-06-30 16:56:59.718 192.168.1.6 49209 185.46.139.12 80 206 r1---sn-ntnxax8xo-cxge.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.101.131&mm=28&mn=sn-ntnxax8xo-cxge&ms=nvh&mt=1593536115&mv=m&mvi=0&pcm2cms=yes&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 6360
2020-06-30 16:57:15.827 192.168.1.6 49209 185.46.139.12 80 206 r1---sn-ntnxax8xo-cxge.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.101.131&mm=28&mn=sn-ntnxax8xo-cxge&ms=nvh&mt=1593536115&mv=m&mvi=0&pcm2cms=yes&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 12229
2020-06-30 16:57:22.134 192.168.1.6 49209 185.46.139.12 80 206 r1---sn-ntnxax8xo-cxge.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.101.131&mm=28&mn=sn-ntnxax8xo-cxge&ms=nvh&mt=1593536115&mv=m&mvi=0&pcm2cms=yes&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 12417
2020-06-30 16:57:27.723 192.168.1.6 49209 185.46.139.12 80 206 r1---sn-ntnxax8xo-cxge.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.101.131&mm=28&mn=sn-ntnxax8xo-cxge&ms=nvh&mt=1593536115&mv=m&mvi=0&pcm2cms=yes&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 10600
2020-06-30 16:57:29.999 192.168.1.6 49209 185.46.139.12 80 206 r1---sn-ntnxax8xo-cxge.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.101.131&mm=28&mn=sn-ntnxax8xo-cxge&ms=nvh&mt=1593536115&mv=m&mvi=0&pcm2cms=yes&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 11901
2020-06-30 16:57:32.046 192.168.1.6 49209 185.46.139.12 80 206 r1---sn-ntnxax8xo-cxge.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.101.131&mm=28&mn=sn-ntnxax8xo-cxge&ms=nvh&mt=1593536115&mv=m&mvi=0&pcm2cms=yes&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 14232
2020-06-30 16:57:34.374 192.168.1.6 49209 185.46.139.12 80 206 r1---sn-ntnxax8xo-cxge.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.101.131&mm=28&mn=sn-ntnxax8xo-cxge&ms=nvh&mt=1593536115&mv=m&mvi=0&pcm2cms=yes&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 33002
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.6 49185 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49193 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49207 172.217.168.195 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49184 2.18.69.166 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49191 2.18.69.166 443 bafc6b01eae6f4350f5db6805ace208e unknown
192.168.1.6 49199 2.18.69.166 443 bafc6b01eae6f4350f5db6805ace208e unknown
192.168.1.6 49180 20.36.252.129 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49203 20.36.252.129 443 bafc6b01eae6f4350f5db6805ace208e unknown
192.168.1.6 49201 52.114.132.20 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49204 52.114.7.37 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49210 52.114.7.37 443 d124ae14809abde3528a479fe01a12bd unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name rundll32.exe
PID 4716
Dump Size 45056 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\47ce0f.dll
Type PE image: 32-bit executable
PE timestamp 2017-03-30 14:58:17
MD5 e47a9ae94c1f22d001b21a80be776733
SHA1 d8ebdeecb95e6e9f34142003834c13088b455054
SHA256 09e8e4b5bba0deacb9222d4e47485ed14bb6aec7c9c2a265428ea0a667cf3e73
CRC32 D1F68766
Ssdeep 768:GD1wkmo/gQXe+R4bSEln5IyYpamDjobj8S:k1d7/gQu+R4ln5IUmDjoX
Dump Filename 09e8e4b5bba0deacb9222d4e47485ed14bb6aec7c9c2a265428ea0a667cf3e73
Process Name rundll32.exe
PID 4716
Dump Size 103424 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\47ce0f.dll
Type PE image: 32-bit DLL
PE timestamp 2020-06-21 16:51:23
MD5 5e51e3190433a4536ada8011a9be2094
SHA1 31df51b07d2acfb54b19a80a861a29fb2a2b4001
SHA256 781e3347c7d2c417e5f2fc1d1e77e787a2aa40a924da14fdcaf7ca9ea63bf826
CRC32 CF70D9FA
Ssdeep 3072:+rgqwwBT3Al8SJ7hPCyxAQDcluxFq/TIO5c2Jnw:+8QxQ5RhPdxAgcluxFBCw
Dump Filename 781e3347c7d2c417e5f2fc1d1e77e787a2aa40a924da14fdcaf7ca9ea63bf826
Process Name cmd.exe
PID 3808
Dump Size 302592 bytes
Module Path C:\Windows\SysWOW64\cmd.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:00:27
MD5 8f3864135d07508d12ed63c6f1f66f35
SHA1 6fede1c65853e1003f9d28599402c0dd5261bd54
SHA256 46d7d37c4528c523367930455d610b7ef80a5b045025fafe49d6274c76527329
CRC32 BEE92974
Ssdeep 3072:svqFBmPpOBFxEmFZIGdRmla/tCdtkVQk/MjyGez1c:qOBjBF3r9Oa/EtkVQkkmt+
Dump Filename 46d7d37c4528c523367930455d610b7ef80a5b045025fafe49d6274c76527329
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature

    Processing ( 21.837000000000003 seconds )

    • 13.448 NetworkAnalysis
    • 5.37 Suricata
    • 2.027 BehaviorAnalysis
    • 0.322 Static
    • 0.156 static_dotnet
    • 0.151 VirusTotal
    • 0.142 Deduplicate
    • 0.107 CAPE
    • 0.051 ProcDump
    • 0.026 AnalysisInfo
    • 0.023 TargetInfo
    • 0.005 Debug
    • 0.005 peid
    • 0.004 Strings

    Signatures ( 0.25100000000000006 seconds )

    • 0.052 antiav_detectreg
    • 0.02 infostealer_ftp
    • 0.02 territorial_disputes_sigs
    • 0.014 antianalysis_detectreg
    • 0.011 antiav_detectfile
    • 0.011 infostealer_im
    • 0.011 ransomware_files
    • 0.007 ransomware_extensions
    • 0.006 antianalysis_detectfile
    • 0.006 antivm_vbox_keys
    • 0.006 masquerade_process_name
    • 0.005 antidbg_windows
    • 0.005 antivm_vmware_keys
    • 0.005 infostealer_bitcoin
    • 0.005 infostealer_mail
    • 0.004 antivm_vbox_files
    • 0.003 api_spamming
    • 0.003 decoy_document
    • 0.003 persistence_autorun
    • 0.003 antivm_parallels_keys
    • 0.002 antivm_generic_disk
    • 0.002 guloader_apis
    • 0.002 kibex_behavior
    • 0.002 mimics_filetime
    • 0.002 NewtWire Behavior
    • 0.002 stealth_timeout
    • 0.002 antivm_vpc_keys
    • 0.002 antivm_xen_keys
    • 0.002 geodo_banking_trojan
    • 0.002 revil_mutexes
    • 0.001 Doppelganging
    • 0.001 antiemu_wine_func
    • 0.001 antivm_generic_scsi
    • 0.001 betabot_behavior
    • 0.001 bootkit
    • 0.001 dynamic_function_loading
    • 0.001 exec_crash
    • 0.001 hancitor_behavior
    • 0.001 network_tor
    • 0.001 rat_nanocore
    • 0.001 reads_self
    • 0.001 shifu_behavior
    • 0.001 stealth_file
    • 0.001 tinba_behavior
    • 0.001 virus
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_vmware_files
    • 0.001 ketrican_regkeys
    • 0.001 browser_security
    • 0.001 bypass_firewall
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 masslogger_files
    • 0.001 predatorthethief_files
    • 0.001 qulab_files
    • 0.001 satan_mutexes
    • 0.001 limerat_regkeys
    • 0.001 rat_pcclient
    • 0.001 recon_fingerprint
    • 0.001 lokibot_mutexes

    Reporting ( 6.951999999999999 seconds )

    • 6.337 BinGraph
    • 0.568 JsonDump
    • 0.047 MITRE_TTPS