Analysis

Category FILE
Package exe
Started 2020-07-11 08:46:54
Completed 2020-07-11 08:53:39
Duration 405 seconds
route = tor
2020-05-13 09:30:09,449 [root] INFO: Date set to: 20200710T13:43:19, timeout set to: 200
2020-07-10 13:43:19,109 [root] DEBUG: Starting analyzer from: C:\tmp558c2t_g
2020-07-10 13:43:19,109 [root] DEBUG: Storing results at: C:\QgTpUA
2020-07-10 13:43:19,125 [root] DEBUG: Pipe server name: \\.\PIPE\dQIiTWu
2020-07-10 13:43:19,125 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-07-10 13:43:19,125 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-07-10 13:43:19,125 [root] INFO: Automatically selected analysis package "exe"
2020-07-10 13:43:19,125 [root] DEBUG: Trying to import analysis package "exe"...
2020-07-10 13:43:19,734 [root] DEBUG: Imported analysis package "exe".
2020-07-10 13:43:19,734 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-07-10 13:43:19,734 [root] DEBUG: Initialized analysis package "exe".
2020-07-10 13:43:20,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-07-10 13:43:20,421 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-07-10 13:43:20,437 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-07-10 13:43:20,500 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-07-10 13:43:20,500 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-07-10 13:43:20,500 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-07-10 13:43:20,515 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-07-10 13:43:20,609 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-07-10 13:43:20,625 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-07-10 13:43:20,671 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-07-10 13:43:20,671 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-07-10 13:43:20,765 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-07-10 13:43:20,765 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-07-10 13:43:20,812 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-07-10 13:43:20,812 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-07-10 13:43:20,828 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-07-10 13:43:20,828 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-07-10 13:43:20,828 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-07-10 13:43:20,828 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-07-10 13:43:20,937 [lib.api.screenshot] DEBUG: Importing 'math'
2020-07-10 13:43:20,937 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-07-10 13:43:24,781 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-07-10 13:43:24,843 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-07-10 13:43:25,109 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-07-10 13:43:25,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-07-10 13:43:25,109 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-07-10 13:43:25,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-07-10 13:43:25,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-07-10 13:43:25,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-07-10 13:43:25,171 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-07-10 13:43:25,171 [root] DEBUG: Initialized auxiliary module "Browser".
2020-07-10 13:43:25,171 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-07-10 13:43:25,171 [root] DEBUG: Started auxiliary module Browser
2020-07-10 13:43:25,171 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-07-10 13:43:25,187 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-07-10 13:43:25,187 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-07-10 13:43:25,187 [root] DEBUG: Started auxiliary module Curtain
2020-07-10 13:43:25,187 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-07-10 13:43:25,187 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-07-10 13:43:25,187 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-07-10 13:43:25,187 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-07-10 13:43:28,656 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-07-10 13:43:28,656 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-07-10 13:43:28,671 [root] DEBUG: Started auxiliary module DigiSig
2020-07-10 13:43:28,671 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-07-10 13:43:28,671 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-07-10 13:43:28,671 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-07-10 13:43:28,687 [root] DEBUG: Started auxiliary module Disguise
2020-07-10 13:43:28,687 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-07-10 13:43:28,703 [root] DEBUG: Initialized auxiliary module "Human".
2020-07-10 13:43:28,703 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-07-10 13:43:28,703 [root] DEBUG: Started auxiliary module Human
2020-07-10 13:43:28,703 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-07-10 13:43:28,703 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-07-10 13:43:28,703 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-07-10 13:43:28,703 [root] DEBUG: Started auxiliary module Procmon
2020-07-10 13:43:28,703 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-07-10 13:43:28,718 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-07-10 13:43:28,718 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-07-10 13:43:28,718 [root] DEBUG: Started auxiliary module Screenshots
2020-07-10 13:43:28,718 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-07-10 13:43:28,718 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-07-10 13:43:28,718 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-07-10 13:43:28,718 [root] DEBUG: Started auxiliary module Sysmon
2020-07-10 13:43:28,718 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-07-10 13:43:28,718 [root] DEBUG: Initialized auxiliary module "Usage".
2020-07-10 13:43:28,734 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-07-10 13:43:28,734 [root] DEBUG: Started auxiliary module Usage
2020-07-10 13:43:28,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-07-10 13:43:28,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-07-10 13:43:28,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-07-10 13:43:28,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-07-10 13:43:28,750 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\1WjXjyTUqnQ1qIv.exe" with arguments "" with pid 1984
2020-07-10 13:43:28,765 [lib.api.process] INFO: Monitor config for process 1984: C:\tmp558c2t_g\dll\1984.ini
2020-07-10 13:43:28,765 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\rSIrVZD.dll, loader C:\tmp558c2t_g\bin\EXJCJIdR.exe
2020-07-10 13:43:28,875 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dQIiTWu.
2020-07-10 13:43:28,875 [root] DEBUG: Loader: Injecting process 1984 (thread 4408) with C:\tmp558c2t_g\dll\rSIrVZD.dll.
2020-07-10 13:43:28,875 [root] DEBUG: Process image base: 0x0000000140000000
2020-07-10 13:43:28,875 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\rSIrVZD.dll.
2020-07-10 13:43:28,890 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-07-10 13:43:28,890 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\rSIrVZD.dll.
2020-07-10 13:43:28,890 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1984
2020-07-10 13:43:30,890 [lib.api.process] INFO: Successfully resumed process with pid 1984
2020-07-10 13:43:31,281 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-07-10 13:43:31,281 [root] DEBUG: Dropped file limit defaulting to 100.
2020-07-10 13:43:31,281 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-07-10 13:43:31,296 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 1984 at 0x0000000072FF0000, image base 0x0000000140000000, stack from 0x0000000000125000-0x0000000000130000
2020-07-10 13:43:31,312 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\1WjXjyTUqnQ1qIv.exe".
2020-07-10 13:43:31,359 [root] WARNING: b'Unable to place hook on LockResource'
2020-07-10 13:43:31,359 [root] WARNING: b'Unable to hook LockResource'
2020-07-10 13:43:32,140 [root] INFO: Loaded monitor into process with pid 1984
2020-07-10 13:43:32,203 [root] INFO: Disabling sleep skipping.
2020-07-10 13:43:32,203 [root] INFO: Disabling sleep skipping.
2020-07-10 13:43:32,203 [root] INFO: Disabling sleep skipping.
2020-07-10 13:43:32,203 [root] INFO: Disabling sleep skipping.
2020-07-10 13:43:32,468 [root] DEBUG: DLL loaded at 0x00000000FF0E0000: C:\Windows\system32\taskmgr.exe (0x45000 bytes).
2020-07-10 13:43:34,281 [root] DEBUG: set_caller_info: Adding region at 0x0000000000200000 to caller regions list (ntdll::NtQuerySystemInformation).
2020-07-10 13:43:34,296 [root] DEBUG: DLL loaded at 0x000007FEFCD60000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-07-10 13:43:34,328 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\QgTpUA\CAPE\1984_142342272134431910572020 (size 0x23c10)
2020-07-10 13:43:34,343 [root] DEBUG: DumpRegion: Dumped stack region from 0x0000000000200000, size 0x24000.
2020-07-10 13:43:34,343 [root] DEBUG: set_caller_info: Adding region at 0x0000000000230000 to caller regions list (ntdll::LdrLoadDll).
2020-07-10 13:43:34,343 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x0000000000230000
2020-07-10 13:43:34,343 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-07-10 13:43:34,343 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000000230000.
2020-07-10 13:43:34,343 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001000.
2020-07-10 13:43:34,343 [root] DEBUG: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x0000000180000000.
2020-07-10 13:43:34,375 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x23600.
2020-07-10 13:43:34,375 [root] DEBUG: set_caller_info: Adding region at 0x0000000000030000 to caller regions list (ntdll::NtQuerySystemInformation).
2020-07-10 13:43:34,390 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x0000000000030000.
2020-07-10 13:43:34,390 [root] DEBUG: set_caller_info: Adding region at 0x0000000180000000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-07-10 13:43:34,437 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x7fffffff
2020-07-10 13:43:34,437 [root] DEBUG: DumpMemory: Nothing to dump at 0x0000000180000000!
2020-07-10 13:43:34,453 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x0000000180000000 size 0x2a000.
2020-07-10 13:43:34,468 [root] DEBUG: DumpPEsInRange: Scanning range 0x80000000 - 0x8002a000.
2020-07-10 13:43:34,468 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x80000000-0x8002a000.
2020-07-10 13:43:34,531 [root] DEBUG: DLL loaded at 0x000007FEFF2E0000: C:\Windows\system32\OLEAUT32 (0xda000 bytes).
2020-07-10 13:45:34,625 [root] DEBUG: DLL loaded at 0x000007FEFA440000: C:\Windows\system32\SAMCLI (0x14000 bytes).
2020-07-10 13:45:34,640 [root] DEBUG: DLL loaded at 0x000007FEFAF70000: C:\Windows\system32\WKSCLI (0x15000 bytes).
2020-07-10 13:45:34,656 [root] DEBUG: DLL loaded at 0x000007FEFB500000: C:\Windows\system32\netapi32 (0x16000 bytes).
2020-07-10 13:45:34,656 [root] DEBUG: DLL loaded at 0x000007FEFAF90000: C:\Windows\system32\netutils (0xc000 bytes).
2020-07-10 13:45:34,656 [root] DEBUG: DLL loaded at 0x000007FEFC900000: C:\Windows\system32\srvcli (0x23000 bytes).
2020-07-10 13:45:34,687 [root] DEBUG: DLL loaded at 0x000007FEFCA30000: C:\Windows\system32\Secur32 (0xb000 bytes).
2020-07-10 13:45:34,703 [root] DEBUG: DLL loaded at 0x000007FEFA6A0000: C:\Windows\system32\KtmW32 (0xa000 bytes).
2020-07-10 13:45:34,718 [root] DEBUG: DLL loaded at 0x000007FEFDAD0000: C:\Windows\system32\Shell32 (0xd8a000 bytes).
2020-07-10 13:45:34,750 [root] DEBUG: DLL loaded at 0x000007FEFD080000: C:\Windows\system32\crypt32 (0x16d000 bytes).
2020-07-10 13:45:34,765 [root] DEBUG: DLL loaded at 0x000007FEFCF10000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2020-07-10 13:45:34,828 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 1984).
2020-07-10 13:45:34,843 [root] INFO: Stopping WMI Service
2020-07-10 13:45:42,671 [root] INFO: Stopped WMI Service
2020-07-10 13:45:42,953 [lib.api.process] INFO: Monitor config for process 588: C:\tmp558c2t_g\dll\588.ini
2020-07-10 13:45:42,953 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\rSIrVZD.dll, loader C:\tmp558c2t_g\bin\EXJCJIdR.exe
2020-07-10 13:45:42,968 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dQIiTWu.
2020-07-10 13:45:42,984 [root] DEBUG: Loader: Injecting process 588 (thread 0) with C:\tmp558c2t_g\dll\rSIrVZD.dll.
2020-07-10 13:45:42,984 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-07-10 13:45:42,984 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-07-10 13:45:43,000 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-07-10 13:45:43,000 [root] DEBUG: Dropped file limit defaulting to 100.
2020-07-10 13:45:43,000 [root] INFO: Disabling sleep skipping.
2020-07-10 13:45:43,015 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 588 at 0x0000000072FF0000, image base 0x00000000FF500000, stack from 0x0000000001A16000-0x0000000001A20000
2020-07-10 13:45:43,015 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2020-07-10 13:45:43,062 [root] WARNING: b'Unable to place hook on LockResource'
2020-07-10 13:45:43,062 [root] WARNING: b'Unable to hook LockResource'
2020-07-10 13:45:43,093 [root] INFO: Loaded monitor into process with pid 588
2020-07-10 13:45:43,093 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-07-10 13:45:43,093 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-07-10 13:45:43,093 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\rSIrVZD.dll.
2020-07-10 13:45:45,109 [root] INFO: Starting WMI Service
2020-07-10 13:45:45,265 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3380, handle 0x5f4.
2020-07-10 13:45:45,312 [root] INFO: Started WMI Service
2020-07-10 13:45:45,312 [lib.api.process] INFO: Monitor config for process 3380: C:\tmp558c2t_g\dll\3380.ini
2020-07-10 13:45:45,312 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\rSIrVZD.dll, loader C:\tmp558c2t_g\bin\EXJCJIdR.exe
2020-07-10 13:45:45,343 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dQIiTWu.
2020-07-10 13:45:45,343 [root] DEBUG: Loader: Injecting process 3380 (thread 0) with C:\tmp558c2t_g\dll\rSIrVZD.dll.
2020-07-10 13:45:45,343 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-07-10 13:45:45,343 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-07-10 13:45:45,343 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-07-10 13:45:45,359 [root] DEBUG: Dropped file limit defaulting to 100.
2020-07-10 13:45:45,359 [root] INFO: Disabling sleep skipping.
2020-07-10 13:45:45,359 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 3380 at 0x0000000072FF0000, image base 0x00000000FF500000, stack from 0x0000000001286000-0x0000000001290000
2020-07-10 13:45:45,359 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-07-10 13:45:45,453 [root] WARNING: b'Unable to place hook on LockResource'
2020-07-10 13:45:45,453 [root] WARNING: b'Unable to hook LockResource'
2020-07-10 13:45:45,453 [root] INFO: Loaded monitor into process with pid 3380
2020-07-10 13:45:45,468 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-07-10 13:45:45,468 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-07-10 13:45:45,468 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\rSIrVZD.dll.
2020-07-10 13:45:47,484 [root] DEBUG: DLL loaded at 0x000007FEFEAD0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2020-07-10 13:45:47,500 [root] DEBUG: set_caller_info: Adding region at 0x00000000002A0000 to caller regions list (ntdll::NtClose).
2020-07-10 13:45:47,500 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x39ffff
2020-07-10 13:45:47,500 [root] DEBUG: DumpMemory: Nothing to dump at 0x00000000002A0000!
2020-07-10 13:45:47,500 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00000000002A0000 size 0x100000.
2020-07-10 13:45:47,515 [root] DEBUG: DumpPEsInRange: Scanning range 0x2a0000 - 0x335000.
2020-07-10 13:45:47,515 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2a0000-0x335000.
2020-07-10 13:45:47,578 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\QgTpUA\CAPE\1984_44756014847451910572020 (size 0x94ffa)
2020-07-10 13:45:47,578 [root] DEBUG: DumpRegion: Dumped stack region from 0x00000000002A0000, size 0x95000.
2020-07-10 13:45:47,593 [root] DEBUG: DLL loaded at 0x000007FEFC840000: C:\Windows\system32\bcrypt (0x22000 bytes).
2020-07-10 13:45:47,609 [root] DEBUG: DLL loaded at 0x000007FEFC870000: C:\Windows\system32\ncrypt (0x50000 bytes).
2020-07-10 13:45:48,218 [root] DEBUG: DLL loaded at 0x000007FEFEB70000: C:\Windows\system32\wininet (0x240000 bytes).
2020-07-10 13:45:48,218 [root] DEBUG: DLL loaded at 0x000007FEFCFC0000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-07-10 13:45:48,234 [root] DEBUG: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-07-10 13:45:48,234 [root] DEBUG: DLL loaded at 0x000007FEFCF30000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-07-10 13:45:48,249 [root] DEBUG: DLL loaded at 0x000007FEFBFC0000: C:\Windows\system32\version (0xc000 bytes).
2020-07-10 13:45:48,249 [root] DEBUG: DLL loaded at 0x000007FEFCFB0000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-07-10 13:45:48,265 [root] DEBUG: DLL loaded at 0x0000000077280000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-07-10 13:45:48,281 [root] DEBUG: DLL loaded at 0x000007FEFD7A0000: C:\Windows\system32\iertutil (0x2a8000 bytes).
2020-07-10 13:45:48,296 [root] DEBUG: DLL loaded at 0x000007FEFD250000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-07-10 13:45:48,484 [root] DEBUG: DLL loaded at 0x000007FEFCE70000: C:\Windows\system32\profapi (0xf000 bytes).
2020-07-10 13:45:48,500 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-07-10 13:45:48,515 [root] DEBUG: DLL loaded at 0x000007FEFCF20000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-07-10 13:45:48,562 [root] DEBUG: DLL loaded at 0x000007FEF6F00000: C:\Windows\system32\winhttp (0x71000 bytes).
2020-07-10 13:45:48,578 [root] DEBUG: DLL loaded at 0x000007FEF6E90000: C:\Windows\system32\webio (0x65000 bytes).
2020-07-10 13:45:48,578 [root] DEBUG: DLL unloaded from 0x000007FEF6F00000.
2020-07-10 13:45:48,609 [root] DEBUG: DLL loaded at 0x000007FEFC640000: C:\Windows\system32\mswsock (0x55000 bytes).
2020-07-10 13:45:48,625 [root] DEBUG: DLL loaded at 0x000007FEFC630000: C:\Windows\System32\wship6 (0x7000 bytes).
2020-07-10 13:45:48,640 [root] DEBUG: DLL loaded at 0x000007FEFAB40000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2020-07-10 13:45:48,656 [root] DEBUG: DLL loaded at 0x000007FEFAB30000: C:\Windows\system32\WINNSI (0xb000 bytes).
2020-07-10 13:45:48,671 [root] DEBUG: DLL loaded at 0x000007FEFC1A0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2020-07-10 13:45:48,687 [root] DEBUG: DLL loaded at 0x000007FEF5520000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-07-10 13:45:48,703 [root] DEBUG: DLL loaded at 0x000007FEFC4C0000: C:\Windows\system32\DNSAPI (0x5b000 bytes).
2020-07-10 13:46:15,359 [root] DEBUG: DLL loaded at 0x000007FEF6790000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2020-07-10 13:46:15,375 [root] DEBUG: DLL loaded at 0x000007FEFAD80000: C:\Windows\system32\ATL (0x19000 bytes).
2020-07-10 13:46:15,375 [root] DEBUG: DLL loaded at 0x000007FEF6700000: C:\Windows\system32\VssTrace (0x17000 bytes).
2020-07-10 13:46:15,437 [root] DEBUG: DLL loaded at 0x000007FEFA440000: C:\Windows\system32\samcli (0x14000 bytes).
2020-07-10 13:46:15,453 [root] DEBUG: DLL loaded at 0x000007FEFB520000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2020-07-10 13:46:15,484 [root] DEBUG: DLL loaded at 0x000007FEFAF90000: C:\Windows\system32\netutils (0xc000 bytes).
2020-07-10 13:46:15,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d8 amd local view 0x0000000000D70000 to global list.
2020-07-10 13:46:45,343 [root] DEBUG: DLL unloaded from 0x000007FEFD2B0000.
2020-07-10 13:46:51,109 [root] INFO: Analysis timeout hit, terminating analysis.
2020-07-10 13:46:51,109 [lib.api.process] ERROR: Failed to open terminate event for pid 1984
2020-07-10 13:46:51,109 [root] INFO: Terminate event set for process 1984.
2020-07-10 13:46:51,109 [lib.api.process] INFO: Terminate event set for process 588
2020-07-10 13:46:51,140 [root] DEBUG: Terminate Event: Attempting to dump process 588
2020-07-10 13:46:51,140 [lib.api.process] INFO: Termination confirmed for process 588
2020-07-10 13:46:51,140 [root] INFO: Terminate event set for process 588.
2020-07-10 13:46:51,140 [lib.api.process] INFO: Terminate event set for process 3380
2020-07-10 13:46:51,203 [root] DEBUG: Terminate Event: Attempting to dump process 3380
2020-07-10 13:46:51,249 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF500000.
2020-07-10 13:46:51,281 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-07-10 13:46:51,281 [lib.api.process] INFO: Termination confirmed for process 3380
2020-07-10 13:46:51,281 [root] INFO: Terminate event set for process 3380.
2020-07-10 13:46:51,281 [root] INFO: Created shutdown mutex.
2020-07-10 13:46:51,281 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 3380
2020-07-10 13:46:52,281 [root] INFO: Shutting down package.
2020-07-10 13:46:52,281 [root] INFO: Stopping auxiliary modules.
2020-07-10 13:46:52,437 [lib.common.results] WARNING: File C:\QgTpUA\bin\procmon.xml doesn't exist anymore
2020-07-10 13:46:52,437 [root] INFO: Finishing auxiliary modules.
2020-07-10 13:46:52,437 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-07-10 13:46:52,437 [root] WARNING: Folder at path "C:\QgTpUA\debugger" does not exist, skip.
2020-07-10 13:46:52,437 [root] INFO: Analysis completed.

Machine

Name win7x64_3
Label win7x64_7
Manager KVM
Started On 2020-07-11 08:46:54
Shutdown On 2020-07-11 08:53:39

File Details

File Name 1WjXjyTUqnQ1qIv
File Size 295424 bytes
File Type PE32+ executable (console) x86-64, for MS Windows
PE timestamp 2020-06-12 09:35:14
MD5 fdffbfa1380ab1a0ee2e26ff1be432b1
SHA1 5a004286c5b97afd97beec4b1332777c494d6ff1
SHA256 e77e27630277a31276539c379671f54095d6b735f0568a3c457ac6a189c4c5b4
SHA512 36f8b7fafff7a8c23802358de537efe3a3de76d89db212c62ee9ce502c64cad7817c185e1cea8487214745e636c285476a0819f90fa397a29a25f56f3dbc59d9
CRC32 987E78EC
Ssdeep 6144:5nHYYpyAFUkAVcUtJ9YR7qZmeN9CGSiVMryu1Y5IDfsz:RxpyoUz1Gdom7GSuMrdk

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 1984 trigged the Yara rule 'embedded_pe'
Hit: PID 1984 trigged the Yara rule 'embedded_win_api'
Hit: PID 1984 trigged the Yara rule 'shellcode_get_eip'
Creates RWX memory
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/IsBadReadPtr
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/HeapSize
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/OutputDebugStringW
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/RtlCaptureContext
DynamicLoader: kernel32.dll/RtlLookupFunctionEntry
DynamicLoader: kernel32.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/TlsFree
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/IsValidCodePage
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetModuleHandleExW
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/RtlUnwindEx
DynamicLoader: kernel32.dll/GetStartupInfoW
DynamicLoader: kernel32.dll/QueryPerformanceCounter
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/DisableThreadLibraryCalls
DynamicLoader: kernel32.dll/InitializeSListHead
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/RtlPcToFileHeader
DynamicLoader: kernel32.dll/InterlockedFlushSList
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/WriteConsoleW
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleCP
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/SetStdHandle
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileExA
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/GetEnvironmentStringsW
DynamicLoader: kernel32.dll/FreeEnvironmentStringsW
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/SetTimer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/CreatePipe
DynamicLoader: kernel32.dll/SetHandleInformation
DynamicLoader: kernel32.dll/GetFileAttributesExA
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/CreateMutexExA
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/VerSetConditionMask
DynamicLoader: kernel32.dll/VerifyVersionInfoW
DynamicLoader: kernel32.dll/GetProductInfo
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/CreateFileTransactedA
DynamicLoader: kernel32.dll/CopyFileA
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/MoveFileA
DynamicLoader: kernel32.dll/MoveFileW
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/CreateFileMappingA
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/GetLocaleInfoA
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetDateFormatA
DynamicLoader: kernel32.dll/SetEnvironmentVariableA
DynamicLoader: kernel32.dll/MoveFileExW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: netapi32.dll/NetWkstaGetInfo
DynamicLoader: netapi32.dll/NetApiBufferFree
DynamicLoader: Secur32.dll/GetUserNameExW
DynamicLoader: KtmW32.dll/CreateTransaction
DynamicLoader: KtmW32.dll/RollbackTransaction
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: WS2_32.dll/recvfrom
DynamicLoader: WS2_32.dll/sendto
DynamicLoader: WS2_32.dll/__WSAFDIsSet
DynamicLoader: WS2_32.dll/ntohs
DynamicLoader: WS2_32.dll/WSAStartup
DynamicLoader: WS2_32.dll/WSACleanup
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/wnsprintfA
DynamicLoader: Shell32.dll/SHGetSpecialFolderPathW
DynamicLoader: crypt32.dll/CryptStringToBinaryA
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: bcrypt.dll/BCryptOpenAlgorithmProvider
DynamicLoader: bcrypt.dll/BCryptImportKeyPair
DynamicLoader: bcrypt.dll/BCryptGetProperty
DynamicLoader: bcrypt.dll/BCryptVerifySignature
DynamicLoader: bcrypt.dll/BCryptDestroyKey
DynamicLoader: bcrypt.dll/BCryptCloseAlgorithmProvider
DynamicLoader: ncrypt.dll/NCryptOpenStorageProvider
DynamicLoader: ncrypt.dll/NCryptImportKey
DynamicLoader: ncrypt.dll/NCryptDeleteKey
DynamicLoader: ncrypt.dll/NCryptFreeObject
DynamicLoader: wininet.dll/InternetCrackUrlA
DynamicLoader: wininet.dll/InternetConnectA
DynamicLoader: wininet.dll/InternetOpenA
DynamicLoader: wininet.dll/HttpOpenRequestA
DynamicLoader: wininet.dll/HttpSendRequestA
DynamicLoader: wininet.dll/HttpQueryInfoA
DynamicLoader: wininet.dll/InternetReadFile
DynamicLoader: wininet.dll/InternetCloseHandle
DynamicLoader: wininet.dll/InternetQueryOptionA
DynamicLoader: wininet.dll/InternetSetOptionA
DynamicLoader: ntdll.dll/NtGetContextThread
DynamicLoader: ntdll.dll/NtReadVirtualMemory
DynamicLoader: ntdll.dll/NtWriteVirtualMemory
DynamicLoader: ntdll.dll/NtSetContextThread
DynamicLoader: ntdll.dll/NtResumeThread
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
Performs HTTP requests potentially not found in PCAP.
url: 185.65.202.58:443//api/v86
CAPE extracted potentially suspicious content
1WjXjyTUqnQ1qIv.exe: Unpacked Shellcode
1WjXjyTUqnQ1qIv.exe: Unpacked Shellcode
1WjXjyTUqnQ1qIv.exe: Unpacked PE Image
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 7.93, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00025600, virtual_size: 0x000279d0
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\1WjXjyTUqnQ1qIv
File has been identified by 23 Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Trojan.GenericKD.43375037
FireEye: Trojan.GenericKD.43375037
McAfee: Artemis!FDFFBFA1380A
Cybereason: malicious.6c5b97
Arcabit: Trojan.Generic.D295D9BD
TrendMicro-HouseCall: TROJ_GEN.R002H09FN20
BitDefender: Trojan.GenericKD.43375037
AegisLab: Trojan.Win32.Generic.4!c
Avast: Win64:Malware-gen
Rising: Trojan.Trickbot!8.E313 (CLOUD)
Ad-Aware: Trojan.GenericKD.43375037
Fortinet: W32/Malicious_Behavior.VEX
Emsisoft: Trojan.GenericKD.43375037 (B)
Jiangmin: Trojan.Generic.flusp
Webroot: W32.Trojan.Gen
MAX: malware (ai score=85)
Microsoft: Trojan:Win32/Trickbot.KB
ALYac: Trojan.GenericKD.43375037
APEX: Malicious
GData: Trojan.GenericKD.43375037
AVG: Win64:Malware-gen
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Win64/Trojan.ae7
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest
signature: ET JA3 Hash - Possible Malware - RigEK

Hosts

Direct  IP              Country Name
Y       8.8.8.8         United States
Y       52.158.209.219  United States
Y       51.145.123.29   United Kingdom
Y       1.1.1.1         Australia

DNS

No domains contacted.


Summary

C:\Windows\sysnative\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\sysnative\api-ms-win-core-localization-l1-2-1.DLL
C:\Users\Louise\AppData\Local\Temp\
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp
C:\Users\Louise\AppData\Local\Temp\1WjXjyTUqnQ1qIv.exe_fgqw
C:\Users\Louise\AppData\Local\Temp\__1WjXjyTUqnQ1qIv.bin
\??\PIPE\samr
C:\DosDevices\pipe\
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Users\Louise\AppData\Local\Temp\__1WjXjyTUqnQ1qIv.bin
\??\PIPE\samr
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
\??\PIPE\samr
C:\Users\Louise\AppData\Local\Temp\1WjXjyTUqnQ1qIv.exe_fgqw
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\1WjXjyTUqnQ1qIv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Driver
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
kernel32.dll.VirtualQuery
kernel32.dll.VirtualFree
kernel32.dll.VirtualAlloc
kernel32.dll.SetLastError
kernel32.dll.VirtualProtect
kernel32.dll.IsBadReadPtr
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.FreeLibrary
kernel32.dll.GetNativeSystemInfo
kernel32.dll.HeapAlloc
kernel32.dll.GetProcessHeap
kernel32.dll.HeapFree
kernel32.dll.RaiseException
kernel32.dll.GetLastError
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.DeleteCriticalSection
kernel32.dll.HeapReAlloc
kernel32.dll.HeapSize
kernel32.dll.IsDebuggerPresent
kernel32.dll.OutputDebugStringW
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.RtlCaptureContext
kernel32.dll.RtlLookupFunctionEntry
kernel32.dll.RtlVirtualUnwind
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.GetCurrentProcess
kernel32.dll.TerminateProcess
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.GetModuleHandleW
kernel32.dll.GetCurrentThreadId
kernel32.dll.TlsAlloc
kernel32.dll.TlsGetValue
kernel32.dll.TlsSetValue
kernel32.dll.TlsFree
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.LoadLibraryExW
kernel32.dll.LCMapStringW
kernel32.dll.IsValidCodePage
kernel32.dll.GetACP
kernel32.dll.GetOEMCP
kernel32.dll.GetCPInfo
kernel32.dll.ExitProcess
kernel32.dll.GetModuleHandleExW
kernel32.dll.GetStringTypeW
kernel32.dll.MultiByteToWideChar
kernel32.dll.WideCharToMultiByte
kernel32.dll.RtlUnwindEx
kernel32.dll.GetStartupInfoW
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetCurrentProcessId
kernel32.dll.DisableThreadLibraryCalls
kernel32.dll.InitializeSListHead
kernel32.dll.LocalFree
kernel32.dll.RtlPcToFileHeader
kernel32.dll.InterlockedFlushSList
kernel32.dll.CreateFileW
kernel32.dll.WriteConsoleW
kernel32.dll.SetFilePointerEx
kernel32.dll.CloseHandle
kernel32.dll.GetConsoleMode
kernel32.dll.GetConsoleCP
kernel32.dll.FlushFileBuffers
kernel32.dll.WriteFile
kernel32.dll.SetStdHandle
kernel32.dll.GetModuleFileNameA
kernel32.dll.FindClose
kernel32.dll.FindFirstFileExA
kernel32.dll.FindNextFileA
kernel32.dll.GetCommandLineA
kernel32.dll.GetCommandLineW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetStdHandle
kernel32.dll.GetFileType
user32.dll.GetMessageA
user32.dll.DispatchMessageA
user32.dll.SetTimer
oleaut32.dll.#2
oleaut32.dll.#9
oleaut32.dll.#8
kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.LCMapStringEx
kernel32.dll.ReadFile
kernel32.dll.CreatePipe
kernel32.dll.SetHandleInformation
kernel32.dll.GetFileAttributesExA
kernel32.dll.IsWow64Process
kernel32.dll.CreateMutexExA
kernel32.dll.GetTempPathA
kernel32.dll.VerSetConditionMask
kernel32.dll.VerifyVersionInfoW
kernel32.dll.GetProductInfo
kernel32.dll.CreateFileTransactedA
kernel32.dll.CopyFileA
kernel32.dll.CopyFileW
kernel32.dll.MoveFileA
kernel32.dll.MoveFileW
kernel32.dll.CreateProcessA
kernel32.dll.CreateProcessW
kernel32.dll.VirtualAllocEx
kernel32.dll.CreateFileMappingA
kernel32.dll.MapViewOfFile
kernel32.dll.GetLocaleInfoA
kernel32.dll.GetTempPathW
kernel32.dll.GetLongPathNameW
kernel32.dll.GetDateFormatA
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.MoveFileExW
ole32.dll.CoInitializeEx
ole32.dll.CoInitializeSecurity
ole32.dll.CoUninitialize
ole32.dll.CoCreateInstance
ole32.dll.CoSetProxyBlanket
netapi32.dll.NetWkstaGetInfo
netapi32.dll.NetApiBufferFree
secur32.dll.GetUserNameExW
ktmw32.dll.CreateTransaction
ktmw32.dll.RollbackTransaction
advapi32.dll.RegCloseKey
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegQueryInfoKeyA
advapi32.dll.RegEnumKeyExA
advapi32.dll.RegQueryValueExA
advapi32.dll.RegSetValueExA
ws2_32.dll.recvfrom
ws2_32.dll.sendto
ws2_32.dll.__WSAFDIsSet
ws2_32.dll.ntohs
ws2_32.dll.WSAStartup
ws2_32.dll.WSACleanup
shlwapi.dll.PathFindFileNameA
shlwapi.dll.PathFindFileNameW
shlwapi.dll.wnsprintfA
shell32.dll.SHGetSpecialFolderPathW
crypt32.dll.CryptStringToBinaryA
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
oleaut32.dll.#500
advapi32.dll.CryptAcquireContextW
advapi32.dll.CryptCreateHash
advapi32.dll.CryptGetHashParam
bcrypt.dll.BCryptOpenAlgorithmProvider
bcrypt.dll.BCryptImportKeyPair
bcrypt.dll.BCryptGetProperty
bcrypt.dll.BCryptVerifySignature
bcrypt.dll.BCryptDestroyKey
bcrypt.dll.BCryptCloseAlgorithmProvider
ncrypt.dll.NCryptOpenStorageProvider
ncrypt.dll.NCryptImportKey
ncrypt.dll.NCryptDeleteKey
ncrypt.dll.NCryptFreeObject
wininet.dll.InternetCrackUrlA
wininet.dll.InternetConnectA
wininet.dll.InternetOpenA
wininet.dll.HttpOpenRequestA
wininet.dll.HttpSendRequestA
wininet.dll.HttpQueryInfoA
wininet.dll.InternetReadFile
wininet.dll.InternetCloseHandle
wininet.dll.InternetQueryOptionA
wininet.dll.InternetSetOptionA
ntdll.dll.NtGetContextThread
ntdll.dll.NtReadVirtualMemory
ntdll.dll.NtWriteVirtualMemory
ntdll.dll.NtSetContextThread
ntdll.dll.NtResumeThread
ntdll.dll.NtUnmapViewOfSection
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
iphlpapi.dll.NotifyUnicastIpAddressChange
vssapi.dll.CreateWriter
oleaut32.dll.#6
ole32.dll.CoTaskMemFree
ole32.dll.CoTaskMemAlloc
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
ole32.dll.CoCreateGuid
sechost.dll.ConvertSidToStringSidW
ole32.dll.CoTaskMemRealloc
advapi32.dll.RegisterEventSourceW
advapi32.dll.ReportEventW
advapi32.dll.DeregisterEventSource
ld_201127

PE Information

Image Base:          0x140000000
Entry Point:         0x14000b0cc
Reported Checksum:   0x00000000
Actual Checksum:     0x0005017f
Minimum OS Version:  5.2
Compile Time:        2020-06-12 09:35:14
Import Hash:         2124ed769cf08c8d5325e327d8fd7b34

Sections

Name    RAW Address  Virtual Address  Virtual Size  Size of Raw Data  Characteristics                                                        Entropy
.text   0x00000400   0x00001000       0x0001ad42    0x0001ae00        IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ            6.30
.rdata  0x0001b200   0x0001c000       0x0000638e    0x00006400        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                      4.80
.data   0x00021600   0x00023000       0x000279d0    0x00025600        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE  7.93
.pdata  0x00046c00   0x0004b000       0x00000f24    0x00001000        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                      5.07
.rsrc   0x00047c00   0x0004c000       0x000005f8    0x00000600        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                      4.18

Resources

Name         Offset      Size        Language      Sub-language        Entropy  File type
RT_VERSION   0x0004c0a0  0x000003bc  LANG_ENGLISH  SUBLANG_ENGLISH_US  3.49     None
RT_MANIFEST  0x0004c460  0x00000196  LANG_ENGLISH  SUBLANG_ENGLISH_US  4.93     None

Imports

WS2_32.dll
0x14001c268 WSAStartup
0x14001c270 WSAStringToAddressW
0x14001c278 bind
0x14001c280 getsockname
0x14001c288 WSASetServiceW
0x14001c290 listen
0x14001c298 accept
0x14001c2a0 recv
0x14001c2a8 socket
0x14001c2b0 connect
0x14001c2b8 send
0x14001c2c0 closesocket
0x14001c2c8 WSALookupServiceBeginW
0x14001c2d0 WSALookupServiceNextW
0x14001c2d8 WSAGetLastError
0x14001c2e0 WSALookupServiceEnd

KERNEL32.dll
0x14001c000 GetProcAddress
0x14001c008 ReadFile
0x14001c010 CloseHandle
0x14001c018 CreateFileA
0x14001c020 FlushFileBuffers
0x14001c028 HeapReAlloc
0x14001c030 WriteConsoleW
0x14001c038 GetConsoleOutputCP
0x14001c040 WriteConsoleA
0x14001c048 SetStdHandle
0x14001c058 LoadLibraryA
0x14001c060 HeapFree
0x14001c068 Sleep
0x14001c070 HeapAlloc
0x14001c078 GetProcessHeap
0x14001c080 GetLastError
0x14001c088 GetComputerNameW
0x14001c090 LoadLibraryExA
0x14001c098 LoadLibraryExW
0x14001c0a0 FreeConsole
0x14001c0a8 RaiseException
0x14001c0b0 RtlPcToFileHeader
0x14001c0b8 RtlLookupFunctionEntry
0x14001c0c0 RtlUnwindEx
0x14001c0c8 TerminateProcess
0x14001c0d0 GetCurrentProcess
0x14001c0d8 UnhandledExceptionFilter
0x14001c0e8 IsDebuggerPresent
0x14001c0f0 RtlVirtualUnwind
0x14001c0f8 RtlCaptureContext
0x14001c100 EnterCriticalSection
0x14001c108 LeaveCriticalSection
0x14001c110 GetCPInfo
0x14001c118 GetACP
0x14001c120 GetOEMCP
0x14001c128 IsValidCodePage
0x14001c130 EncodePointer
0x14001c138 DecodePointer
0x14001c140 FlsGetValue
0x14001c148 FlsSetValue
0x14001c150 FlsFree
0x14001c158 SetLastError
0x14001c160 GetCurrentThreadId
0x14001c168 FlsAlloc
0x14001c170 GetModuleHandleW
0x14001c178 ExitProcess
0x14001c180 WriteFile
0x14001c188 GetStdHandle
0x14001c190 GetModuleFileNameA
0x14001c198 GetModuleFileNameW
0x14001c1a0 FreeEnvironmentStringsW
0x14001c1a8 GetEnvironmentStringsW
0x14001c1b0 GetCommandLineW
0x14001c1b8 SetHandleCount
0x14001c1c0 GetFileType
0x14001c1c8 GetStartupInfoA
0x14001c1d0 DeleteCriticalSection
0x14001c1d8 HeapSetInformation
0x14001c1e0 HeapCreate
0x14001c1e8 QueryPerformanceCounter
0x14001c1f0 GetTickCount
0x14001c1f8 GetCurrentProcessId
0x14001c200 GetSystemTimeAsFileTime
0x14001c208 SetFilePointer
0x14001c210 WideCharToMultiByte
0x14001c218 GetConsoleCP
0x14001c220 GetConsoleMode
0x14001c228 MultiByteToWideChar
0x14001c230 LCMapStringA
0x14001c238 LCMapStringW
0x14001c240 GetStringTypeA
0x14001c248 GetStringTypeW
0x14001c250 GetLocaleInfoA
0x14001c258 HeapSize

Strings

!This program cannot be run in DOS mode.
JSRich
.text
`.rdata
@.data
.pdata
@.rsrc
@SUWAT
ffffff
A\_][
|$ ATH
Hc_<H
(t$ H
@SATAUAVAWH
0A_A^A]A\[
L9|$x
fffff
0A_A^A]A\[
L$ SVH
@UVATH
L$PH3
`A\^]
UWAUAVAWH
f98t H
L$PE3
A_A^A]_]
@SUVATAUH
fffff
A]A\^][
SVWATH
XA\_^[
|$ ATH
VWATH
L$ E3
H SWH
@8l$Ht
D$09h
@8l$Ht
H SWH
\$0H=
t$ WATAUAVAWH
~ID;c
T$PE3
A_A^A]A\_
p WATAUH
A]A\_
WATAUH
t*HcN
A]A\_
D$`Hc
x ATH
fffffff
fffffff
UVWATAUAVAWH
D9T$`
T$ULc
l$H~.A
t$hE+
L$XLc
A_A^A]A\_^]
WATAUAVAWH
9.vTH
A_A^A]A\_
UVWATAUAVAWH
D$L0A
D$DD9T$X
l$h+t$D+
9D$Ptu;
A_A^A]A\_^]
8D$8t
x ATAUAWH
D8l$Ht
D8l$Ht
80tWD
gfffA
D8l$Ht
A_A]A\
@SVWATH
L$pH3
A\_^[
` AUAVAWH
D8t$Ht
D8t$Ht
7D8t$H
D8t$H
gfffffffH
D8T$H
A_A^A]
x ATH
H!|$
@8|$Ht
H!t$
@8t$Ht
<$-Hc
@SVWATH
|$0-H
L$`H3
xA\_^[
@SUVWATH
L$pH3
A\_^][
\$XE3
D$p H
\$0H;
L$0H;
UVWATAUH
D9d$
D$&8\$&t-8X
L$8H3
@A]A\_^]
` AUH
L$0H;
ATAUAVH
A^A]A\
UVWATAUAVAWH
l$HI;
l$xfA;
T$pfA;*
T$pE3
l$TA:
t$8f;
L$4E3
|$TA;
t$0E3
t$0A+
l$PA;
t$8f;
D8l$4
|$TA:
{t6fA92
t$0E3
T$<A:
T$pfA;
\$hI;
D$hH;
ugfD;
T$pfD;
T$pfD
t$8fA9:
t$8f;
9L$`t
t$89L$`t
9T$`t
t$8f;
8T$4uiL;
HcD$P
d$TD;
9|$`t
@8|$D
d$TD;
\$X9|$`t
D8l$4u'D
D8l$5t
LfA;*u
\$pf;
D$xA;
T$<A:
d$xD8
A_A^A]A\_^]
x ATH
SVWATAUAVAWH
0A_A^A]A\_^[
WATAUAVAWH
F0HcH
F0HcH
A_A^A]A\_
@SWATAUAVAWH
t$ D!
D$PL9wXt(
D$8HcH
A_A^A]A\_[
ATAUAVH
t:LcF
t!LcV
0A^A]A\
VWATAUAVH
A^A]A\_^
UVWATAUAVAWH
pA_A^A]A\_^]
UVWATAUAVAWH
O0HcQ
O0HcQ
HcC H
A_A^A]A\_^]
WATAVH
t?D9
HcO H
K0LcY
@A^A\_
WATAUAVAWH
|$ H;
@A_A^A]A\_
l$ AVH
x ATH
fD9#thH
CfD9#u
h AVL
fD91u
fD9)t
fD91u:A
fD90u
l$(A^
L$PE3
Hct$PH
shHcD$XH
` AUAVAWH
fD9|$b
D$hI;
A_A^A]
\$8L3
WATAUAVAWH
|$ E3
|$ E3
0A_A^A]A\_
\$ UVWATAUAVAW
H!|$ E3
t$PMk
!|$LI
f;D$D
f;D$Dux
H!\$ H
HcD$HH;
H!\$ H
HcD$HH;
L$HD+
t$HD;
H!|$ L
A_A^A]A\_^]
WATAUAVAWH
|$ E3
|$ E3
0A_A^A]A\_
l$ VWATH
x9\$ ~?H
;\$ |
L$0H3
@A\_^
x ATH
x ATH
WATAUH
A]A\_
\$0A9k
@8l$Ht
r(@8o
@8l$H
@8l$Ht
HcH<H
LcA<E3
AUAVAWH
0A_A^A]
L$ UVWH
@8l$Xt
@8l$X
@8l$X
@8l$X
L$hE3
L$xH3
L$hE3
L$xH3
@SVWH
L$0fA
L$pH3
@UATAUAVAWH
D91u(
e A_A^A]A\]
L$ UATAUAVAWH
|$0H;
A_A^A]A\]
@8l$Ht
D$x8L$Xt
L$PE3
VWATH
A\_^
l$ VWATAUAWH
L$$fA;
uj;w$
u 9w$r
t5f9(t
L$0H3
A_A]A\_^
@SUVWATAUAVH
D$pE3
l$HE9u
D8t$`
D8t$`
fD90t
fD90u
D8t$`
D8t$`t
D8t$`t
D$HD9p
D8t$`t
L$pH3
A^A]A\_^][
D$`L;
L!d$ E3
WATAUAVAWH
H!t$ E3
A_A^A]A\_
VWATAUAVH
@A^A]A\_^
` AUH
L$PH3
VWATH
A\_^
H!|$ E3
H!\$ E3
VWATH
0A\_^
x ATAUAVH
@8|$Ht
A^A]A\
8D$Xt
SVWATAUAVAWH
@A_A^A]A\_^[
SVWATAUAVAWH
@A_A^A]A\_^[
UVWATAUAVAWH
9\$4}
9\$0u
`9\$8u
fD92r&H
\$PfD3
\$TfE#
\$XfA;
D$hfE
9\$du
9\$`u
T$4Lc
\$RA;
\$VfA;
t$ZfE
D$RfE
D$TfD
D$<fA
A_A^A]A\_^]
UVWATAUAVAWH
|$zfD
l$XfD9u
d$`fA#
|$2fA;
D$xfE
l$XE3
T$hA;
d$ffA;
t$jfE
T$pfD
L$8E;
d$dfD3
d$hfE#
D$xfE
l$HE+
D$hE;
d$ff;
l$jfE
D$bfE
D$dfD
fD9l$0
L$x};A
A_A^A]A\_^]
fD9l$0
L$(H3
@USVWATAUAVAWH
eHA_A^A]A\_^[]
H!|$ E3
H!|$ E3
WATAUH
|$ E3
|$ E3
0A]A\_
VWAUH
A]_^
SUVWATAUAVAWH
\$8A;
L09A:
L0:A:
HcT$0;
u{9|$0tuL
D1:Hc
XA_A^A]A\_^][
WATAUAVAWH
\$ E3
\$ E3
\$ E3
0A_A^A]A\_
H(H9J(u
HcM H
bad allocation
Just print the percentage sign %%
Unsigned value: %u
Octal: %o
Hexadecimal: %x
Float number: %3.2f
Third number: %i
Second number: %04d
First number: %d
The color: %s
KERNEL32.dll
z1hztoNJ
VYFcvuK2YZyuLbhaSkZMm1sGjwSaLXSXi6StH
string too long
invalid string position
Unknown exception
(null)
( 8PX
700WP
`h````
xpxxxx
e+000
!"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`abcdefghijklmnopqrstuvwxyz{|}~
bad exception
CorExitProcess
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
('8PW
700PP
`h`hhh
xppwpp
!"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
1#QNAN
1#INF
1#IND
1#SNAN
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
RSDS\
C:\Users\User\Desktop\Windows-classic-samples-master\Windows-classic-samples-master\Samples\WinsockBluetoothConnection\cpp\x64\Release\bthcxn.pdb
WSALookupServiceEnd
WSALookupServiceNextW
WSALookupServiceBeginW
WSASetServiceW
WSAStringToAddressW
WS2_32.dll
HeapFree
Sleep
HeapAlloc
GetProcessHeap
GetLastError
GetComputerNameW
LoadLibraryExA
LoadLibraryExW
FreeConsole
KERNEL32.dll
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
EnterCriticalSection
LeaveCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
DecodePointer
FlsGetValue
FlsSetValue
FlsFree
SetLastError
GetCurrentThreadId
FlsAlloc
GetModuleHandleW
GetProcAddress
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
DeleteCriticalSection
HeapSetInformation
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
SetFilePointer
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
LoadLibraryA
InitializeCriticalSectionAndSpinCount
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
HeapReAlloc
FlushFileBuffers
CreateFileA
CloseHandle
ReadFile
3wTU~
u?sXP
J05lm
SQ9BU
+mr>*Z
(JVIe
01)o;
[$\C9&`
r_z>w
xTN]<
R~]\8
R4fbb
|d7G>nAW9
YIh,)
+m|)h+
d89~U
*?VAY5
T+&$tQ
vAZv;G
/4"9b
Gm3h%
E:Ya9
F5hKQ
JU?T^
iWJn,
iFDpS
Co:es
gRW]4
Rd{g44
6akiA
,omlb>@Y
AmYBe
)LnO2
f_Ex;
5|:'S
T?k5OX
U98(
W\dI>
Ko6;4i
ja22&
d"2d,.
>/_`x2
5^Au_9
nG,[u
?0`7k
vWyH-cz
Y|ej\
omSm?84
zhz6#
PTb&FO5
]VG6M1myv
DUG_.)
_[I]$
54oo{{
aGj{[
PP3sJ
xtLU{
o<7>gBD
6]LiE+
w_d>N!
LW[sH
lJuRy
)ZQ,L
63& B
JS){#
[?8O)
%]pPN:
io{/^
]7MRjeY
e%$cZ
*L=Lt
QLuC2n
|q8Q0J
bZ%]K
+i#[X
R,sA X
NX5qy+
!5a/>n
Uoahj$
JdhPR
kG^w;?
+`zhlo
IL-[c
bT9zW
.h:kI
\-n{*
THKbv
-3']/
&iF&
?aYmt
"Vcrs
TFIK!
j$;Xp<n
CIP%g
hk">&
(ngN8
bR;#}d
e3-x0
q,)9G-
d#hVD
#.m,_P]$
^h8O)H
C&x*
F"ohj
Y2`";6B
^o{a)a
tP-j&
a$p/%
`adi:
kb:_h
9%2&T
|=76W
0/r5Cf
='GG{.7_]B3
^D:O|
*o-}/
e%fBt
tNh_l
0REgo
kB))$Z
h;ESv
C")+eL
A0,?W
@no}}
)]C=!
;\_1[
bR$YG*A
04e*GZ
h-,Lw
# aQ'
r_.9>
V r2=
)hlTP
=A2md2
Bg72c
N+$p#
$9'>Co
iU>rX'
IU1Un`
86RkA
>3Qmi
WKx_a\
A0P_>5n
m{$.E]f
2r$)W(
({r_)
24=wL
QELquHa
GOMt`q%
Q1x5N4PL
K4!ck.r
6C'\n
9z$xt
dkmzB
S 542T
D`KI<O
8%@\*
c-AmI
4a8oaP
us01T*~0
hDrck
{Z&+H
#}+qE
?sj`l^
H^t :
n5"W%
-j!"5
~h\aFB
7 "Cz
^}O1a
EcFuQ=
$#4)U
#`&WZ1
UNe#0
-#;"v
+Bpx7KC
eLw >
!o|`
vn? -
7Uzn|%
EhwJv
PU#TW
B>GzQ
":`Ch
pt_|\k
9.xA!
hph?R5
c"nCl
WtIo2
A&7%r
g"%ypE
Ep_C?
#{:Um
r$Det
fbrr,
tLDt>
vKpe?I*W_
?fOwA
U<!RS
9}4x&3x
)\_er
Wk5Pm
)t=O5
25"XY
! gsA
r[,hl#
=UGqs{
u$|DB
{N'oW
\mnhB
Q}kOPt
&!?(r
Nx[:L!K!
fMc'+~
*lPg
E+No9W
:!Ut>
0IC.N
4vI>}
*SH*>Y.
/u#C(
J,!(?
%1_c'
>d)8T
.SJXU
2,E.f
xN#4&5|
SaYFy0
L'nT)
?'N,(
X3 2>
y+%Pe:R
KFDRx
0kobzQR%
=$K4:
uG9PL
T&H-{
=075c
Kl4.Ms.
^-BwnJO
&p\BI
g\\vt
n:umMDo
y6G[%&
2#'}/O
FM:Y&
DkN$NdXQ
q&+ad
q"/A6*
!|/(W$
X"z&"W
H9n]7
r>}}N
BJny#
7u~R4
ECz<-$
lnBV
y5d6>
O.3-2B
GVM9N
ii>-q
@8dFX
oP3\@
QNtZc
-A*eU"
[U"$X
Xtgx?
pM,L|
tMUv]
xHd8rqg
:Q}w0
B^J\5
L+cBt
qB;a~
3"0$gF|q
rv[\|2
4,cXX
7)tYW
X}/{C
6Qfgm
p-+I+i)
zwBa8\
Lo{}U
*]lW)
X[bA5
z*W 8W
@>M1*
FBCPK
L:0]J
/.P%>
JW,^d
.V*'z
3]\w+F
EQ-hN.
dp,kL
#dIYm1)
?)VKc
G>8W}zJ
J(}d+#
9Gu{i(y
<Ic?$wt
r"2aL
k}C<U
0);_!
z96!{
Tc64q\
E>\a^
,#E m
#`^C`aI
bqH&fV
$7cUPc]3
wBAOVR)n
{^H4I
okFhY
o|=K7
Ii.([
me$1/C
0kWNrrK\)
%P1pH
T`u5%
<r C/S
L:sZQ
/;F:3
[f4CD\C
S1|t6
8q)7c
4q)|2
L#{xB3:
+RgdUCxi
./h<Mj
bhoRW*
qCeMd
];H1G
i!zL2
0>dxZ
c[X/'
,"c=q
Ogyp)
Dxpvn
?Inf-A
~Fv(}
R]C^vD
4W^+B
e*VO5
wL+8F
R;9[I"=
]h->c
!iHyh
ZO7:)
tEq.V
]CA67
%@*rK
f/Aw4
32?f2,
j?ovm>P
!cm>e.
bTq>W
^Y*1
QZmk*
jaiO\uD
(bM n
6%)ko
g0uGRF)
XgZ=$R
AwaDI
|S~`R
eQw
AdY5,
z+[EU|
?R2I]%
P<p?~
HDFOe
u}E'G
>]tapp
@j_OZs
0^-?M
w'1Lk&#
O JVtSQ
k#YPn
XrD>510g
B*Dr~
*@]"m
^cktlL
yZj1y
any8g
VVYgc~
XOh5av
u,2v\
:P4inQW9
4v(zi
9-a+{~
7(xY*
1~<+g
WI!DQ
A^mbc
w7Kom
]k"v,
bqx=6
V[uqcJ8
4$L,n
y9mR\S
O{IH8?
H\|X[
j82[A)o
5&l}"'A
QOmo,
6/\Q]
J471_
H W Zw
x$?x]
_R-"31v
dM25":hx(
s#{u<;:
_i#5oZ1
O|J(hQ'7
X*gqO
!q?w;0T6d.
IL~-}
xpO(g
.$Sal{
!n1}4
-gGOa
2#LNI
r-xoe^u
D$pQld
(FmUM6
PX`oM
!uaUvR
rQ6bX
nuu+4
Y'4hA
cb']bq
ovnpOpy
fkb/"[D
4Hcpt/
!4OMH
\.`+5~
.8o}%J
h5f*F
?W^aX
d`6U:n
c|%?`
wQH:J
:/S^X
~[H#r
[ffrw
Mx=3C/
lr98"
'4'X9]
<6TH-
f.^jt~SLN
UTw[]
2lp[5H
/VdxW%
Jf12+
s={d]Q
rTs3{
X7s#[
ubU'w
X7r.hB2
^j1]A
S2I+A
Ng(xl%(
Uilk-
NG}5p
mT"X2
##3Er
^CbkTIe
";qr!G1GJJ
y]$i'm
&C}z9
mxTub
E;0km
IDbRH
g\2s6k
xVgyF
;o=Li
o+C.[
;piom
5IHl
" p{7
3x\d3
mvZM:
;-o:`PoX
?:7$]{
|ijb
NM!SP2
LsgIE$|
o&L,j
O#If*
,7,1q
k5g7j3
Z-<fY
+p9_yf
nks,=e2_
xX+2c,a
M7W97ei)
t,5NgB
+Le2e
dg}58
fYisuS
y:#%+
58DP*
jX1)WR
!W6ofoE
DDhsNU
UQ>v(
c*Z8Z
4|42
rM8"$
@6RYR
DGgrVY
mkh,*e
Y>A75
#sCpQ
Y+^p;2##
+Q oO
Yqo;wC7
GfRQ:)
G,OH}n
Y$Y\"
pG/A,G
FJA<*
H?{bQSJU
oirL1
>dd-O
a$wo4QL
c5S[*
y.0H+
=gsu]b
/wu_\s&
Q~?4H
vJj_6
-f#i|c
rbspS
r2d/Z
{}{lr
M<Ovf
a+~=d
1)]>d
cO/FY
^L]OK
&iDis
@nt<"
a";q|v
'~p3oz1
GLe~m4U
vA4i}}
^3`ft
KKO7r
Q{tYf
s]2sI
HUv4N
_Zg"6
`vx/|R
7:pAc
^Gz;7
zR1=d$
3~})v-
2E;e$
+O)^1|oK
pP+v7
)B[J-
~)8 ?K
COk1n
r$88y
!e{d\
:@'?o
h<_(]
<5kl8
,FGEh
A,a[cR
IpJOb>
]^q;8R
wBN7_
5VxDH}
LdI_RH
ln[<-K
H;AS^
$!vuX
<{#2c
.4Z&f
6cSNdo5]Q
IR/e"
\'R[!j
Skk6?
q[Z%A
;1KiT
\W>z&
g=YH$$
8\V)M[
RNK!C
THW8u7
bAE:eG
vZ/dk
B*}|%
h<Dc&
-wp:|S
3S~<7U3
Lf`&um
Z^yQ|Q
tQUvJ
jT?u"
-p}`&
$?Igc)a5
OtDZk
| u+a
en)I%+z
2|sJkQ
#Otu2
fZO_'`
MaO_V
S^qLNc
EMZx|
x xvo3}B
fMlqt3
U,YV2
!g^H-
p|kj
8pyPo
0v}$Fcq
'Z}=U
Fj507
/u(MU
'F\y3
IR;U:L
qZx9wQ
CbohVo
bvzmt
AZ2iy
YZ$n /
MlE"X
c9O)#(et5
"2}zR
/-Ko,-3
{8G`3J
z&oo=
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
=CRITICAL= | WSALookupServiceBegin() failed with error code %d, WSAGetLastError = %d
=CRITICAL= | WSALookupServiceNext() failed with error code %d
!ERROR! | Unable to allocate memory for WSAQERYSET
*INFO* | Inquiring device ...
*INFO* | Unable to find device. Waiting for %d seconds before re-inquiry...
*INFO* | Inquiring device from cache...
!ERROR! | Unable to allocate memory for WSAQUERYSET
Bluetooth Connection Sample application for demonstrating connection and data transfer.
BTHCxn.exe [-n<RemoteName> | -a<RemoteAddress>]
[-c<ConnectionCycles>]
Switches applicable for Client mode:
-n<RemoteName> Specifies name of remote BlueTooth-Device.
-a<RemoteAddress> Specifies address of remote BlueTooth-Device.
The address is in form XX:XX:XX:XX:XX:XX
where XX is a hexidecimal byte
One of the above two switches is required for client.
Switches applicable for both Client and Server mode:
-c<ConnectionCycles> Specifies number of connection cycles.
Default value for this parameter is 1. Specify 0 to
run infinite number of connection cycles.
Command Line Examples:
"BTHCxn.exe -c0"
Runs the BTHCxn server for infinite connection cycles.
The application reports minimal information onto the cmd window.
"BTHCxn.exe -nServerDevice -c50"
Runs the BTHCxn client connecting to remote device (having name
"ServerDevice" for 50 connection cycles.
The application reports minimal information onto the cmd window.
=CRITICAL= | socket() call failed. WSAGetLastError = [%d]
=CRITICAL= | connect() call failed. WSAGetLastError=[%d]
=CRITICAL= | send() call failed w/socket = [0x%I64X], szData = [%p], dataLen = [%I64u]. WSAGetLastError=[%d]
=CRITICAL= | closesocket() call failed w/socket = [0x%I64X]. WSAGetLastError=[%d]
*INFO* | Sending following data string:
=CRITICAL= | Creating a static data string failed
[email protected]#$%^&*()-_=+?<>1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
=CRITICAL= | HeapAlloc failed | out of memory, gle = [%d]
=CRITICAL= | accept() call failed. WSAGetLastError=[%d]
*INFO* | Received following data string from remote device:
+WARNING+ | Data transfer aborted mid-stream. Expected Length = [%I64u], Actual Length = [%d]
=CRITICAL= | recv() call failed. WSAGetLastError=[%d]
=CRITICAL= | received too much data
=CRITICAL= | listen() call failed w/socket = [0x%I64X]. WSAGetLastError=[%d]
=CRITICAL= | WSASetService() call failed. WSAGetLastError=[%d]
Example Service instance registered in the directory service through RnR
%s %s
Sample Bluetooth Server
-FATAL- | HeapAlloc failed | out of memory | gle = [%d]
-FATAL- | ComputerName specified is too large
=CRITICAL= | getsockname() call failed w/socket = [0x%I64X]. WSAGetLastError=[%d]
=CRITICAL= | bind() call failed w/socket = [0x%I64X]. WSAGetLastError=[%d]
=CRITICAL= | GetComputerName() call failed. WSAGetLastError=[%d]
!ERROR! | Unable to allocate memory for CSADDR_INFO
!ERROR! | cmd line | Unable to parse -a<RemoteAddress>, Remote bluetooth radio address string length expected %d | Found: %I64u)
!ERROR! | cmd line | Must provide a value with -c option
!ERROR! | cmd line | Must provide +ve or 0 value with -c option
!ERROR! | cmd line | Unable to parse -n<RemoteName>, length error (min 1 char, max %d chars)
!ERROR! | cmd line | Bad option prefix, use '/' or '-'
taskmgr.exe
-FATAL- | Unable to get address of the remote radio having formated address-string %s
-FATAL- | Unable to get address of the remote radio having name %s
-FATAL- | Unable to initialize Winsock version 2.2
-FATAL- | Error in parsing command line
(null)
mscoree.dll
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Windows (R) Codename Longhorn DDK provider
FileDescription
Bluetooth Connection Sample Application
FileVersion
6.0.6000.16384
InternalName
BthCxn.exe
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
BthCxn.exe
ProductName
Windows (R) Codename Longhorn DDK driver
ProductVersion
6.0.6000.16384
VarFileInfo
Translation

Full Results

Engine Signature
Bkav Clean
DrWeb Clean
MicroWorld-eScan Trojan.GenericKD.43375037
FireEye Trojan.GenericKD.43375037
CAT-QuickHeal Clean
McAfee Artemis!FDFFBFA1380A
Cylance Clean
Zillya Clean
SUPERAntiSpyware Clean
Sangfor Clean
K7AntiVirus Clean
Alibaba Clean
K7GW Clean
Cybereason malicious.6c5b97
Arcabit Trojan.Generic.D295D9BD
Invincea Clean
BitDefenderTheta Clean
F-Prot Clean
ESET-NOD32 Clean
Zoner Clean
TrendMicro-HouseCall TROJ_GEN.R002H09FN20
TotalDefense Clean
Paloalto Clean
ClamAV Clean
Kaspersky Clean
BitDefender Trojan.GenericKD.43375037
NANO-Antivirus Clean
AegisLab Trojan.Win32.Generic.4!c
Avast Win64:Malware-gen
Rising Trojan.Trickbot!8.E313 (CLOUD)
Ad-Aware Trojan.GenericKD.43375037
Sophos Clean
Comodo Clean
F-Secure Clean
Baidu Clean
VIPRE Clean
TrendMicro Clean
Fortinet W32/Malicious_Behavior.VEX
Trapmine Clean
CMC Clean
Emsisoft Trojan.GenericKD.43375037 (B)
SentinelOne Clean
Cyren Clean
Jiangmin Trojan.Generic.flusp
Webroot W32.Trojan.Gen
Avira Clean
MAX malware (ai score=85)
Antiy-AVL Clean
Kingsoft Clean
Endgame Clean
Microsoft Trojan:Win32/Trickbot.KB
ViRobot Clean
ZoneAlarm Clean
Avast-Mobile Clean
Cynet Clean
AhnLab-V3 Clean
Acronis Clean
ALYac Trojan.GenericKD.43375037
TACHYON Clean
VBA32 Clean
Malwarebytes Clean
APEX Malicious
Tencent Clean
Yandex Clean
Ikarus Clean
eGambit Clean
GData Trojan.GenericKD.43375037
AVG Win64:Malware-gen
Panda Clean
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Win64/Trojan.ae7
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 52.158.209.219 [VT] United States
Y 51.145.123.29 [VT] United Kingdom
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination Destination Port
192.168.1.8 49173 13.107.42.23 443
192.168.1.8 49175 13.107.42.23 443
192.168.1.8 50363 52.114.77.34 45306
192.168.1.8 53538 52.114.77.34 28974
192.168.1.8 49183 52.114.77.34 443
192.168.1.8 49184 8.247.210.126 80

UDP

Source Source Port Destination Destination Port
192.168.1.8 61380 1.1.1.1 53
192.168.1.8 137 192.168.1.255 137
192.168.1.8 49744 8.8.8.8 53
192.168.1.8 51064 8.8.8.8 53
192.168.1.8 55051 8.8.8.8 53
192.168.1.8 56571 8.8.8.8 53
192.168.1.8 61380 8.8.8.8 53
192.168.1.8 63225 8.8.8.8 53
192.168.1.8 63471 8.8.8.8 53
192.168.1.8 65129 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.1.8 1.1.1.1 3
192.168.1.8 8.8.8.8 3
192.168.1.8 8.8.8.8 3
192.168.1.8 8.8.8.8 3

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-07-11 08:50:08.166 192.168.1.8 [VT] 49172 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-07-11 08:50:08.374 192.168.1.8 [VT] 49173 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-07-11 08:50:08.476 192.168.1.8 [VT] 49174 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-07-11 08:50:08.611 192.168.1.8 [VT] 49175 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-07-11 08:50:08.643 192.168.1.8 [VT] 49176 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-07-11 08:52:35.966 192.168.1.8 [VT] 49189 52.158.209.219 [VT] 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-07-11 08:50:08.377 192.168.1.8 [VT] 49172 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-07-11 08:50:08.394 192.168.1.8 [VT] 49173 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-07-11 08:50:08.519 192.168.1.8 [VT] 49174 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-07-11 08:50:08.768 192.168.1.8 [VT] 49176 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-07-11 08:50:09.014 192.168.1.8 [VT] 49175 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-07-11 08:50:21.855 192.168.1.8 [VT] 49183 52.114.77.34 [VT] 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2
2020-07-11 08:52:36.024 192.168.1.8 [VT] 49189 52.158.209.219 [VT] 443 CN=watson.microsoft.com e1:6a:52:eb:a9:ec:f3:58:ca:9a:f9:fb:05:f8:bf:38:d8:76:1d:50 TLSv1

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-07-11 08:50:23.127 192.168.1.8 [VT] 49184 8.247.210.126 [VT] 80 200 ctldl.windowsupdate.com [VT] /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0d23747eb5b0cb5e application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 6894
2020-07-11 08:50:24.046 192.168.1.8 [VT] 49185 93.184.220.29 [VT] 80 200 ocsp.digicert.com [VT] /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.8 49172 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49173 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49174 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49175 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49183 52.114.77.34 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.8 49189 52.158.209.219 443 bafc6b01eae6f4350f5db6805ace208e unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name svchost.exe
PID 3380
Dump Size 26624 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
PE timestamp 2009-07-13 23:31:13
MD5 89e554a901923727dc55ab160be6b540
SHA1 51491a3e6d84471611a42b21b31855ebdf2e33ab
SHA256 f86448ff2ace31b17917e56633e4034254ce49240e33fbe732e28d31ee9d1e21
CRC32 D86C603E
Ssdeep 384:zvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCEyrlWVSsEsj45RCOvojZPKW9C5bW:bWkX7q+f5TYvVeZMmn+0C4xZEbvKZPK
Dump Filename f86448ff2ace31b17917e56633e4034254ce49240e33fbe732e28d31ee9d1e21

Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1045 - Software Packing
    • Signature - packer_entropy

    Processing ( 7.834999999999999 seconds )

    • 5.253 Suricata
    • 1.048 BehaviorAnalysis
    • 0.719 NetworkAnalysis
    • 0.302 Static
    • 0.191 VirusTotal
    • 0.129 CAPE
    • 0.072 AnalysisInfo
    • 0.048 Deduplicate
    • 0.031 TargetInfo
    • 0.015 Debug
    • 0.01 ProcDump
    • 0.009 peid
    • 0.008 Strings

    Signatures ( 0.14700000000000005 seconds )

    • 0.026 antiav_detectreg
    • 0.013 ransomware_files
    • 0.011 infostealer_ftp
    • 0.01 territorial_disputes_sigs
    • 0.008 ransomware_extensions
    • 0.007 antiav_detectfile
    • 0.006 infostealer_im
    • 0.005 antianalysis_detectreg
    • 0.004 antianalysis_detectfile
    • 0.004 infostealer_bitcoin
    • 0.003 persistence_autorun
    • 0.003 antivm_vbox_keys
    • 0.003 infostealer_mail
    • 0.003 masquerade_process_name
    • 0.002 antiemu_wine_func
    • 0.002 api_spamming
    • 0.002 decoy_document
    • 0.002 dynamic_function_loading
    • 0.002 stealth_timeout
    • 0.002 antivm_vbox_files
    • 0.002 antivm_vmware_keys
    • 0.002 geodo_banking_trojan
    • 0.001 antivm_vbox_libs
    • 0.001 betabot_behavior
    • 0.001 cerber_behavior
    • 0.001 exec_crash
    • 0.001 exploit_getbasekerneladdress
    • 0.001 infostealer_browser_password
    • 0.001 kibex_behavior
    • 0.001 kovter_behavior
    • 0.001 malicious_dynamic_function_loading
    • 0.001 NewtWire Behavior
    • 0.001 tinba_behavior
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_parallels_keys
    • 0.001 antivm_vpc_keys
    • 0.001 antivm_xen_keys
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 masslogger_files
    • 0.001 qulab_files
    • 0.001 revil_mutexes
    • 0.001 modirat_bheavior
    • 0.001 recon_fingerprint
    • 0.001 lokibot_mutexes

    Reporting ( 5.223000000000001 seconds )

    • 4.639 BinGraph
    • 0.309 JsonDump
    • 0.275 MITRE_TTPS