Auto Tasks

#28074: Unpacker

Analysis

Category Package Started Completed Duration
FILE exe 2020-07-19 18:16:10 2020-07-19 18:23:16 426 seconds
Options:
route = tor
Log:
2020-05-13 09:28:12,771 [root] INFO: Date set to: 20200719T17:21:17, timeout set to: 200
2020-07-19 17:21:17,062 [root] DEBUG: Starting analyzer from: C:\tmpt2nfl3rg
2020-07-19 17:21:17,062 [root] DEBUG: Storing results at: C:\dxasAr
2020-07-19 17:21:17,062 [root] DEBUG: Pipe server name: \\.\PIPE\SHyueOiu
2020-07-19 17:21:17,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-07-19 17:21:17,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-07-19 17:21:17,062 [root] INFO: Automatically selected analysis package "exe"
2020-07-19 17:21:17,062 [root] DEBUG: Trying to import analysis package "exe"...
2020-07-19 17:21:17,593 [root] DEBUG: Imported analysis package "exe".
2020-07-19 17:21:17,593 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-07-19 17:21:17,593 [root] DEBUG: Initialized analysis package "exe".
2020-07-19 17:21:18,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-07-19 17:21:18,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-07-19 17:21:18,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-07-19 17:21:18,437 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-07-19 17:21:18,437 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-07-19 17:21:18,718 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-07-19 17:21:18,718 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-07-19 17:21:18,828 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-07-19 17:21:18,843 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-07-19 17:21:18,859 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-07-19 17:21:18,859 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-07-19 17:21:18,921 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-07-19 17:21:18,921 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-07-19 17:21:18,984 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-07-19 17:21:18,984 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-07-19 17:21:18,984 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-07-19 17:21:18,984 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-07-19 17:21:18,984 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-07-19 17:21:18,984 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-07-19 17:21:19,187 [lib.api.screenshot] DEBUG: Importing 'math'
2020-07-19 17:21:19,187 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-07-19 17:21:26,109 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-07-19 17:21:26,343 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-07-19 17:21:26,562 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-07-19 17:21:26,562 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-07-19 17:21:26,562 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-07-19 17:21:26,578 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-07-19 17:21:26,578 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-07-19 17:21:26,609 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-07-19 17:21:26,609 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-07-19 17:21:26,609 [root] DEBUG: Initialized auxiliary module "Browser".
2020-07-19 17:21:26,609 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-07-19 17:21:26,625 [root] DEBUG: Started auxiliary module Browser
2020-07-19 17:21:26,625 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-07-19 17:21:26,625 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-07-19 17:21:26,625 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-07-19 17:21:26,625 [root] DEBUG: Started auxiliary module Curtain
2020-07-19 17:21:26,625 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-07-19 17:21:26,625 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-07-19 17:21:26,625 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-07-19 17:21:26,625 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-07-19 17:21:32,562 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-07-19 17:21:32,562 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-07-19 17:21:32,593 [root] DEBUG: Started auxiliary module DigiSig
2020-07-19 17:21:32,593 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-07-19 17:21:32,593 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-07-19 17:21:32,593 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-07-19 17:21:32,671 [root] DEBUG: Started auxiliary module Disguise
2020-07-19 17:21:32,671 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-07-19 17:21:32,671 [root] DEBUG: Initialized auxiliary module "Human".
2020-07-19 17:21:32,687 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-07-19 17:21:32,687 [root] DEBUG: Started auxiliary module Human
2020-07-19 17:21:32,687 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-07-19 17:21:32,687 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-07-19 17:21:32,687 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-07-19 17:21:32,703 [root] DEBUG: Started auxiliary module Procmon
2020-07-19 17:21:32,703 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-07-19 17:21:32,703 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-07-19 17:21:32,703 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-07-19 17:21:32,703 [root] DEBUG: Started auxiliary module Screenshots
2020-07-19 17:21:32,703 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-07-19 17:21:32,703 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-07-19 17:21:32,703 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-07-19 17:21:32,703 [root] DEBUG: Started auxiliary module Sysmon
2020-07-19 17:21:32,703 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-07-19 17:21:32,703 [root] DEBUG: Initialized auxiliary module "Usage".
2020-07-19 17:21:32,703 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-07-19 17:21:32,718 [root] DEBUG: Started auxiliary module Usage
2020-07-19 17:21:32,718 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-07-19 17:21:32,718 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-07-19 17:21:32,718 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-07-19 17:21:32,718 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-07-19 17:21:32,875 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\chthonic_2.23.12.4.vir" with arguments "" with pid 5044
2020-07-19 17:21:32,875 [lib.api.process] INFO: Monitor config for process 5044: C:\tmpt2nfl3rg\dll\5044.ini
2020-07-19 17:21:32,890 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\zfcPAP.dll, loader C:\tmpt2nfl3rg\bin\gAGBoaz.exe
2020-07-19 17:21:33,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\SHyueOiu.
2020-07-19 17:21:33,093 [root] DEBUG: Loader: Injecting process 5044 (thread 4364) with C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:33,093 [root] DEBUG: Process image base: 0x00400000
2020-07-19 17:21:33,093 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:33,093 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-07-19 17:21:33,093 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:33,109 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5044
2020-07-19 17:21:35,109 [lib.api.process] INFO: Successfully resumed process with pid 5044
2020-07-19 17:21:35,140 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-07-19 17:21:35,140 [root] DEBUG: Dropped file limit defaulting to 100.
2020-07-19 17:21:35,140 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-07-19 17:21:35,156 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5044 at 0x73640000, image base 0x400000, stack from 0x186000-0x190000
2020-07-19 17:21:35,156 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\chthonic_2.23.12.4.vir".
2020-07-19 17:21:35,234 [root] INFO: Loaded monitor into process with pid 5044
2020-07-19 17:21:35,234 [root] INFO: Disabling sleep skipping.
2020-07-19 17:21:35,234 [root] INFO: Disabling sleep skipping.
2020-07-19 17:21:35,249 [root] INFO: Disabling sleep skipping.
2020-07-19 17:21:35,640 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-07-19 17:21:35,640 [root] DEBUG: set_caller_info: Adding region at 0x01D60000 to caller regions list (ntdll::RtlDispatchException).
2020-07-19 17:21:35,671 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1d60000
2020-07-19 17:21:35,671 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01D60000 size 0x400000.
2020-07-19 17:21:35,671 [root] DEBUG: DumpPEsInRange: Scanning range 0x1d60000 - 0x1ddf000.
2020-07-19 17:21:35,671 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1d60000-0x1ddf000.
2020-07-19 17:21:35,796 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dxasAr\CAPE\5044_3308016003541120172020 (size 0x305af)
2020-07-19 17:21:35,796 [root] DEBUG: DumpRegion: Dumped base address 0x01D60000, size 0x7f000.
2020-07-19 17:21:35,796 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00090000.
2020-07-19 17:21:35,812 [root] DEBUG: set_caller_info: Adding region at 0x002D0000 to caller regions list (ntdll::RtlDispatchException).
2020-07-19 17:21:35,953 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dxasAr\CAPE\5044_20912234243541120172020 (size 0x98e)
2020-07-19 17:21:35,968 [root] DEBUG: set_caller_info: Adding region at 0x003E0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-07-19 17:21:36,015 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dxasAr\CAPE\5044_17623244323541120172020 (size 0xf11d)
2020-07-19 17:21:36,015 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x003E0000, size 0x18000.
2020-07-19 17:21:36,015 [root] DEBUG: set_caller_info: Adding region at 0x00540000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-07-19 17:21:36,046 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dxasAr\CAPE\5044_21251406343641120172020 (size 0x78c)
2020-07-19 17:21:36,046 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00540000, size 0x1000.
2020-07-19 17:21:36,796 [root] INFO: Announced 32-bit process name: msiexec.exe pid: 4152
2020-07-19 17:21:36,796 [lib.api.process] INFO: Monitor config for process 4152: C:\tmpt2nfl3rg\dll\4152.ini
2020-07-19 17:21:36,812 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\zfcPAP.dll, loader C:\tmpt2nfl3rg\bin\gAGBoaz.exe
2020-07-19 17:21:36,859 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\SHyueOiu.
2020-07-19 17:21:36,859 [root] DEBUG: Loader: Injecting process 4152 (thread 2284) with C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:36,859 [root] DEBUG: Process image base: 0x00BE0000
2020-07-19 17:21:36,875 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:36,875 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-07-19 17:21:36,875 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:36,890 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4152
2020-07-19 17:21:36,890 [root] DEBUG: DLL loaded at 0x75300000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-07-19 17:21:37,468 [root] DEBUG: CreateProcessHandler: using lpCommandLine: msiexec.exe.
2020-07-19 17:21:37,484 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4152, ImageBase: 0x00BE0000
2020-07-19 17:21:37,484 [root] INFO: Announced 32-bit process name: msiexec.exe pid: 4152
2020-07-19 17:21:37,484 [lib.api.process] INFO: Monitor config for process 4152: C:\tmpt2nfl3rg\dll\4152.ini
2020-07-19 17:21:37,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\zfcPAP.dll, loader C:\tmpt2nfl3rg\bin\gAGBoaz.exe
2020-07-19 17:21:37,562 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\SHyueOiu.
2020-07-19 17:21:37,562 [root] DEBUG: Loader: Injecting process 4152 (thread 2284) with C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:37,562 [root] DEBUG: Process image base: 0x00BE0000
2020-07-19 17:21:37,562 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:37,562 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-07-19 17:21:37,562 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:37,578 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4152
2020-07-19 17:21:37,578 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0040192F (size 0x122) injected into process 4152.
2020-07-19 17:21:37,640 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dxasAr\CAPE\5044_13572376043741120172020 (size 0x121)
2020-07-19 17:21:37,640 [root] INFO: Announced 32-bit process name: msiexec.exe pid: 4152
2020-07-19 17:21:37,640 [lib.api.process] INFO: Monitor config for process 4152: C:\tmpt2nfl3rg\dll\4152.ini
2020-07-19 17:21:37,656 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\zfcPAP.dll, loader C:\tmpt2nfl3rg\bin\gAGBoaz.exe
2020-07-19 17:21:37,671 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\SHyueOiu.
2020-07-19 17:21:37,687 [root] DEBUG: Loader: Injecting process 4152 (thread 0) with C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:37,687 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2284, handle 0xbc
2020-07-19 17:21:37,687 [root] DEBUG: Process image base: 0x00BE0000
2020-07-19 17:21:37,687 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:37,687 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-07-19 17:21:37,687 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\zfcPAP.dll.
2020-07-19 17:21:37,703 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4152
2020-07-19 17:21:37,703 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00BE0000.
2020-07-19 17:21:37,703 [root] DEBUG: DumpProcess: Module entry point VA is 0x00003DC0.
2020-07-19 17:21:37,734 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x11e00.
2020-07-19 17:21:37,734 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-07-19 17:21:37,734 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4152.
2020-07-19 17:21:40,421 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-07-19 17:21:40,421 [root] DEBUG: Dropped file limit defaulting to 100.
2020-07-19 17:21:40,421 [root] INFO: Disabling sleep skipping.
2020-07-19 17:21:40,437 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-07-19 17:21:40,437 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4152 at 0x73640000, image base 0xbe0000, stack from 0x236000-0x240000
2020-07-19 17:21:40,437 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\msiexec.exe.
2020-07-19 17:21:40,531 [root] INFO: Loaded monitor into process with pid 4152
2020-07-19 17:21:40,546 [root] DEBUG: set_caller_info: Adding region at 0x00240000 to caller regions list (ntdll::RtlDosPathNameToNtPathName_U).
2020-07-19 17:21:40,546 [root] DEBUG: set_caller_info: Adding region at 0x02130000 to caller regions list (kernel32::GetSystemTime).
2020-07-19 17:21:40,593 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x2130000
2020-07-19 17:21:40,593 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02130000 size 0x400000.
2020-07-19 17:21:40,593 [root] DEBUG: DumpPEsInRange: Scanning range 0x2130000 - 0x2131000.
2020-07-19 17:21:40,609 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2130000-0x2131000.
2020-07-19 17:21:40,640 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dxasAr\CAPE\4152_2865277714041120172020 (size 0xffe)
2020-07-19 17:21:40,640 [root] DEBUG: DumpRegion: Dumped base address 0x02130000, size 0x1000.
2020-07-19 17:21:40,703 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dxasAr\CAPE\4152_18573661444041120172020 (size 0x1266d)
2020-07-19 17:21:40,703 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00240000, size 0x13000.
2020-07-19 17:21:41,796 [root] DEBUG: DLL loaded at 0x734C0000: C:\Windows\system32\dnsapi (0x44000 bytes).
2020-07-19 17:21:41,812 [root] DEBUG: DLL loaded at 0x773A0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-07-19 17:21:41,812 [root] DEBUG: DLL loaded at 0x77140000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-07-19 17:21:50,140 [root] DEBUG: DLL loaded at 0x734B0000: C:\Windows\system32\secur32 (0x8000 bytes).
2020-07-19 17:21:52,000 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 4152).
2020-07-19 17:21:52,000 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\SysWOW64\ntmarta (0x21000 bytes).
2020-07-19 17:21:52,015 [root] DEBUG: DLL loaded at 0x76C10000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-07-19 17:21:52,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1ec and local view 0x040F0000 to global list.
2020-07-19 17:21:52,828 [root] INFO: Added new file to list with pid None and path C:\ProgramData\Microsoft Visual Studio 8\WMicrosoftVisualStudio8.exe
2020-07-19 17:21:55,671 [root] INFO: Error dumping file from path "C:\Users\Louise\AppData\Local\Temp\chthonic_2.23.12.4.vir": [Errno 13] Permission denied: 'C:\\Users\\Louise\\AppData\\Local\\Temp\\chthonic_2.23.12.4.vir'
2020-07-19 17:21:57,437 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\SysWOW64\IPHLPAPI (0x1c000 bytes).
2020-07-19 17:21:57,453 [root] DEBUG: DLL loaded at 0x74EA0000: C:\Windows\SysWOW64\WINNSI (0x7000 bytes).
2020-07-19 17:21:57,484 [root] DEBUG: DLL loaded at 0x74A90000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-07-19 17:21:57,484 [root] DEBUG: DLL loaded at 0x74A80000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-07-19 17:22:03,000 [root] DEBUG: DLL unloaded from 0x75600000.
2020-07-19 17:22:05,531 [root] INFO: Received shutdown request
2020-07-19 17:22:06,125 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5044
2020-07-19 17:22:06,125 [root] DEBUG: GetHookCallerBase: thread 1144 (handle 0x0), return address 0x73671B6C, allocation base 0x73640000.
2020-07-19 17:22:06,156 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-07-19 17:22:06,171 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-07-19 17:22:06,171 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-07-19 17:22:06,187 [root] DEBUG: DumpProcess: Module entry point VA is 0x000024B0.
2020-07-19 17:22:06,249 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xcc00.
2020-07-19 17:22:06,249 [root] DEBUG: DLL unloaded from 0x75770000.
2020-07-19 17:22:06,281 [root] INFO: Process with pid 5044 has terminated

Machine

Name Label Manager Started On Shutdown On
win7x64_2 win7x64_6 KVM 2020-07-19 18:16:10 2020-07-19 18:23:16

File Details

File Name chthonic_2.23.12.4.vir
File Size 217088 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2016-12-02 17:55:34
MD5 7b3584c15a1c394b2e77da5cf6888c8a
SHA1 a6874460fd44a3140afb6802f60de5df93cb038e
SHA256 b5360ecfb9f6acf73785533948430720c2bd3364df73b9e2405c12e9c1433af6
SHA512 1a84c7ae03d94fa13179d71cb04d405c42f57c2da4b481c826ea092a50ce79958b71e997693761df49aa3c51bb2e0a14ebb0d2d8bbda2fc3c0a1ab0232d2abdb
CRC32 2BD8B8B9
Ssdeep 6144:Pot6uq+rCxtmGzA0OJnMMMMMMMMMMMMMMMcMMMMMMMMMMMMMMMMMMMMeV9lgMMMm:PdhDmGaBMMMMMMMMMMMMMMMcMMMMMMMw
Yara
  • shellcode_get_eip - Match x86 that appears to fetch $PC. - Author: William Ballenthin

Signatures

Behavioural detection: Executable code extraction - unpacking
Communicates with IPs located across a large number of unique countries
country: Germany
country: United States
country: France
country: Switzerland
country: Italy
country: Netherlands
country: Australia
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 5044 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 5044 triggered the Yara rule 'shellcode_patterns'
Hit: PID 5044 triggered the Yara rule 'shellcode_stack_strings'
Hit: PID 4152 triggered the Yara rule 'embedded_win_api'
Hit: PID 4152 triggered the Yara rule 'shellcode_patterns'
Hit: PID 4152 triggered the Yara rule 'shellcode_get_eip'
Creates RWX memory
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetSystemDirectoryA
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: ntdll.dll/wcsncpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetActiveWindow
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: ntdll.dll/NtAllocateVirtualMemory
DynamicLoader: ntdll.dll/LdrProcessRelocationBlock
DynamicLoader: ntdll.dll/RtlFreeAnsiString
DynamicLoader: ntdll.dll/RtlComputeCrc32
DynamicLoader: ntdll.dll/NtSetInformationProcess
DynamicLoader: ntdll.dll/NtQueryDirectoryFile
DynamicLoader: ntdll.dll/RtlExitUserThread
DynamicLoader: ntdll.dll/NtFreeVirtualMemory
DynamicLoader: ntdll.dll/RtlDosPathNameToNtPathName_U
DynamicLoader: ntdll.dll/NtClose
DynamicLoader: ntdll.dll/NtOpenFile
DynamicLoader: ntdll.dll/LdrLoadDll
DynamicLoader: kernel32.dll/GetStartupInfoW
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/GetThreadContext
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegisterTraceGuidsW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/OpenThreadToken
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/OpenProcessToken
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/AllocateAndInitializeSid
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/CheckTokenMembership
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/FreeSid
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsA
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
CAPE extracted potentially suspicious content
msiexec.exe: Unpacked Shellcode
chthonic_2.23.12.4.vir: Injected PE Image: 32-bit executable
chthonic_2.23.12.4.vir: Unpacked Shellcode
msiexec.exe: Unpacked Shellcode
chthonic_2.23.12.4.vir: Unpacked Shellcode
chthonic_2.23.12.4.vir: Unpacked Shellcode
chthonic_2.23.12.4.vir: Injected Shellcode/Data
chthonic_2.23.12.4.vir: Unpacked Shellcode
Multiple direct IP connections
direct_ip_connections: Made direct connections to 7 unique IP addresses
HTTP traffic contains suspicious features which may be indicative of malware related traffic
post_no_referer: HTTP traffic contains a POST request with no referer header
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://192.168.1.7:5357/048da2fc-03cd-4f4f-9037-fcd5f0ea1411/
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Performs some HTTP requests
url: http://192.168.1.7:5357/048da2fc-03cd-4f4f-9037-fcd5f0ea1411/
Unconventional language used in binary resources: Ukrainian
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\chthonic_2.23.12.4.vir
Behavioural detection: Injection (Process Hollowing)
Injection: chthonic_2.23.12.4.vir(5044) -> msiexec.exe(4152)
Executed a process and injected code into it, probably while unpacking
Injection: chthonic_2.23.12.4.vir(5044) -> msiexec.exe(4152)
Attempts to restart the guest VM
Behavioural detection: Injection (inter-process)
Attempts to stop active services
servicename: wscsvc
servicename: SharedAccess
servicename: MpsSvc
servicename: WinDefend
servicename: wuauserv
Installs itself for autorun at Windows startup
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WMicrosoftVisualStudio8
data: C:\ProgramData\Microsoft Visual Studio 8\WMicrosoftVisualStudio8.exe
File has been identified by 56 Antiviruses on VirusTotal as malicious
Bkav: W32.FamVT.RazyNHmA.Trojan
MicroWorld-eScan: Gen:Variant.Graftor.315845
FireEye: Generic.mg.7b3584c15a1c394b
McAfee: Trojan-FKNI!7B3584C15A1C
Cylance: Unsafe
Zillya: Downloader.Upatre.Win32.62635
Sangfor: Malware
K7AntiVirus: Trojan-Downloader ( 0055e3da1 )
Alibaba: TrojanDownloader:Win32/Upatre.e55df9cf
K7GW: Trojan-Downloader ( 0055e3da1 )
Cybereason: malicious.15a1c3
Arcabit: Trojan.Graftor.D4D1C5
Invincea: heuristic
BitDefenderTheta: Gen:[email protected]
APEX: Malicious
Avast: Win32:Malware-gen
ClamAV: Win.Trojan.NeutrinoPOS-6333858-3
Kaspersky: Trojan-Downloader.Win32.Upatre.fuuj
BitDefender: Gen:Variant.Graftor.315845
NANO-Antivirus: Trojan.Win32.MlwGen.ejlkwa
Paloalto: generic.ml
Rising: Downloader.Wauchos!8.D9 (CLOUD)
Ad-Aware: Gen:Variant.Graftor.315845
Emsisoft: Gen:Variant.Graftor.315845 (B)
F-Secure: Heuristic.HEUR/AGEN.1116238
DrWeb: Trojan.DownLoader26.10255
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: TrojanSpy.Win32.AZORULT.UJT
McAfee-GW-Edition: Trojan-FKNI!7B3584C15A1C
Fortinet: W32/Kryptik.FISA!tr
Trapmine: malicious.moderate.ml.score
Sophos: Mal/Generic-S
Jiangmin: TrojanDownloader.Upatre.alff
Webroot: W32.Trojan.Gen
Avira: HEUR/AGEN.1116238
MAX: malware (ai score=97)
Endgame: malicious (high confidence)
Microsoft: VirTool:Win32/CeeInject.GF
AegisLab: Trojan.Win32.Upatre.a!c
ZoneAlarm: Trojan-Downloader.Win32.Upatre.fuuj
Acronis: suspicious
VBA32: BScope.TrojanPSW.Azorult
ALYac: Gen:Variant.Graftor.315845
TACHYON: Trojan-Downloader/W32.Upatre.217088
ESET-NOD32: Win32/TrojanDownloader.Wauchos.CI
TrendMicro-HouseCall: TrojanSpy.Win32.AZORULT.UJT
Tencent: Win32.Trojan-downloader.Upatre.Ahyj
Yandex: Trojan.DL.Upatre!
Ikarus: Worm.Win32.Kasidet
eGambit: Unsafe.AI_Score_99%
GData: Gen:Variant.Graftor.315845
MaxSecure: Trojan.Malware.1728101.susgen
AVG: Win32:Malware-gen
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Win32/Sorter.AVE.CryptLocker.O
Attempts to modify browser security settings
Attempts to disable UAC
Attempts to disable Windows Defender
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
Collects information to fingerprint the system
Attempts to modify user notification settings
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest

Screenshots


Hosts

Direct IP Country Name
Y 84.201.32.108 [VT] Germany
Y 8.8.8.8 [VT] United States
Y 5.135.183.146 [VT] France
Y 31.3.135.232 [VT] Switzerland
Y 193.183.98.154 [VT] Italy
Y 185.133.72.100 [VT] Netherlands
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

C:\Windows\SysWOW64
C:\Windows\SysWOW64\*.dll
C:\
C:\Users\Louise\AppData\Local\Temp\chthonic_2.23.12.4.vir
C:\Users\Louise\AppData\Local\Temp\
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Program Files (x86)\*
C:\ProgramData\Microsoft Visual Studio 8
C:\ProgramData\Microsoft Visual Studio 8\WMicrosoftVisualStudio8.exe
C:\ProgramData\Microsoft Visual Studio 8\WMicrosoftVisualStudio8.exe:Zone.Identifier
C:\Windows\SysWOW64
C:\Users\Louise\AppData\Local\Temp\chthonic_2.23.12.4.vir
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\ProgramData\Microsoft Visual Studio 8\WMicrosoftVisualStudio8.exe
C:\Users\Louise\AppData\Local\Temp\chthonic_2.23.12.4.vir
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WMicrosoftVisualStudio8
HKEY_CURRENT_USER
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
HKEY_CURRENT_USER\Software\Microsoft\WMicrosoftVisualStudio8
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\software\policies\microsoft\windows defender
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\software\policies\microsoft\windows defender\real-time protection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection\DisableBehaviorMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection\DisableOnAccessProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection\DisableScanOnRealtimeEnable
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection\DisableOnAccessProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection\DisableScanOnRealtimeEnable
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WMicrosoftVisualStudio8
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\software\policies\microsoft\windows defender\real-time protection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection\DisableBehaviorMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection\DisableOnAccessProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection\DisableScanOnRealtimeEnable
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.VirtualAlloc
kernel32.dll.GetCurrentThread
kernel32.dll.WriteFile
kernel32.dll.CreateEventA
kernel32.dll.GetSystemDirectoryA
kernel32.dll.LocalAlloc
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetVersionExA
kernel32.dll.GetCurrentProcessId
ntdll.dll.wcsncpy
ntdll.dll.memset
user32.dll.GetSystemMetrics
user32.dll.GetActiveWindow
user32.dll.wsprintfA
user32.dll.GetForegroundWindow
ntdll.dll.NtAllocateVirtualMemory
ntdll.dll.LdrProcessRelocationBlock
ntdll.dll.RtlFreeAnsiString
ntdll.dll.RtlComputeCrc32
ntdll.dll.NtSetInformationProcess
ntdll.dll.NtQueryDirectoryFile
ntdll.dll.RtlExitUserThread
ntdll.dll.NtFreeVirtualMemory
ntdll.dll.RtlDosPathNameToNtPathName_U
ntdll.dll.NtClose
ntdll.dll.NtOpenFile
ntdll.dll.LdrLoadDll
kernel32.dll.GetStartupInfoW
kernel32.dll.GetSystemDirectoryW
kernel32.dll.lstrcatW
kernel32.dll.CreateProcessW
kernel32.dll.GetThreadContext
kernel32.dll.VirtualProtectEx
kernel32.dll.DuplicateHandle
kernel32.dll.WriteProcessMemory
kernel32.dll.ResumeThread
kernel32.dll.WaitForSingleObject
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetNativeSystemInfo
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
kernel32.dll.RegQueryValueExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegisterTraceGuidsW
api-ms-win-downlevel-advapi32-l1-1-0.dll.OpenThreadToken
api-ms-win-downlevel-advapi32-l1-1-0.dll.OpenProcessToken
api-ms-win-downlevel-advapi32-l1-1-0.dll.AllocateAndInitializeSid
api-ms-win-downlevel-advapi32-l1-1-0.dll.CheckTokenMembership
api-ms-win-downlevel-advapi32-l1-1-0.dll.FreeSid
advapi32.dll.RegisterTraceGuidsA
kernel32.dll.ReadProcessMemory
kernel32.dll.SetEvent
cryptbase.dll.SystemFunction036
ntmarta.dll.GetMartaExtensionInterface
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
msiexec.exe
{F868134B-99A2-8019-5840-1C94D35FDB98}

PE Information

Image Base: 0x00400000
Entry Point: 0x0040367d
Reported Checksum: 0x00000000
Actual Checksum: 0x000350ac
Minimum OS Version: 4.0
Compile Time: 2016-12-02 17:55:34
Import Hash: 8d02c22703f67eb9b4ead957478342de
Icon Exact Hash: c23d3e22274fba68f6e6d66e1ced967d
Icon Similarity Hash: 29f85287aa9f04d0e0b4061c9394bba3

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x00008627 0x00009000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.33
.rdata 0x0000a000 0x0000a000 0x0001cad8 0x0001d000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.04
.data 0x00027000 0x00027000 0x0000a8fc 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.19
.rsrc 0x00028000 0x00032000 0x0000c130 0x0000d000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.02

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ICON 0x0003d868 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_GROUP_ICON 0x000323d0 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.15 None
RT_VERSION 0x0003dcd0 0x00000300 LANG_UKRAINIAN SUBLANG_DEFAULT 3.35 None
RT_MANIFEST 0x0003dfd0 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 4.80 None

Imports

0x40a000 GetStockObject
0x40a008 CreateCompatibleDC
0x40a018 VirtualAlloc
0x40a01c SetLastError
0x40a024 GlobalAlloc
0x40a028 GlobalLock
0x40a02c GlobalUnlock
0x40a030 GetVersion
0x40a034 lstrlenW
0x40a038 WideCharToMultiByte
0x40a03c lstrlenA
0x40a040 lstrcatA
0x40a044 lstrcpynA
0x40a048 CreateProcessA
0x40a04c GetCommandLineA
0x40a050 HeapFree
0x40a054 GetVersionExA
0x40a058 HeapAlloc
0x40a05c GetProcessHeap
0x40a060 GetStartupInfoA
0x40a064 TerminateProcess
0x40a068 GetCurrentProcess
0x40a074 IsDebuggerPresent
0x40a078 GetProcAddress
0x40a07c GetModuleHandleA
0x40a080 ExitProcess
0x40a084 WriteFile
0x40a088 GetStdHandle
0x40a08c GetModuleFileNameA
0x40a09c GetLastError
0x40a0a4 SetHandleCount
0x40a0a8 GetFileType
0x40a0b0 TlsGetValue
0x40a0b4 TlsAlloc
0x40a0b8 TlsSetValue
0x40a0bc TlsFree
0x40a0c4 GetCurrentThreadId
0x40a0cc HeapDestroy
0x40a0d0 HeapCreate
0x40a0d4 VirtualFree
0x40a0dc GetTickCount
0x40a0e0 GetCurrentProcessId
0x40a0f0 LoadLibraryA
0x40a0f8 GetCPInfo
0x40a0fc GetACP
0x40a100 GetOEMCP
0x40a104 Sleep
0x40a108 HeapReAlloc
0x40a10c RtlUnwind
0x40a110 HeapSize
0x40a114 MultiByteToWideChar
0x40a118 GetLocaleInfoA
0x40a11c LCMapStringA
0x40a120 LCMapStringW
0x40a124 GetStringTypeA
0x40a128 GetStringTypeW

atmuni.pdb
EV_MMAC_RDR_CLOSE_CHANNEL_TIMEOUT
EV_HMAC_OID_INTEL_ISV_PMODE_DISABLE
Pad: %f dB
STATUS_ACCESS_DISABLED_BY_POLICY_PATH
EC_WAIT_FD
dispatch: wait for %d events w/ timeout %d
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
InitializeCriticalSectionAndSpinCount
kernel32.dll
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
!"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
SetTextCharacterExtra
GetStockObject
GetTextExtentPoint32A
CreateCompatibleDC
GDI32.dll
SetHandleInformation
VirtualAlloc
SetLastError
CreateIoCompletionPort
GlobalAlloc
GlobalLock
GlobalUnlock
GetVersion
lstrlenW
WideCharToMultiByte
lstrlenA
lstrcatA
lstrcpynA
CreateProcessA
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
GetProcessHeap
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetProcAddress
GetModuleHandleA
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
HeapDestroy
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSection
GetCPInfo
GetACP
GetOEMCP
Sleep
HeapReAlloc
RtlUnwind
HeapSize
MultiByteToWideChar
GetLocaleInfoA
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
KERNEL32.dll
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
VS_VERSION_INFO
StringFileInfo
FFFF0000
FileVersion
0.3.0.20
ProductVersion
0.3.0.20
CompanyName
Albu Cristian
FileDescription
Advanced Onion Router
InternalName
AdvOR
LegalCopyright
Copyright
by Albu Cristian, 2009-2014
OriginalFilename
AdvOR.exe
ProductName
Advanced Onion Router
VarFileInfo
Translation

Full Results

Bkav: W32.FamVT.RazyNHmA.Trojan
MicroWorld-eScan: Gen:Variant.Graftor.315845
FireEye: Generic.mg.7b3584c15a1c394b
CAT-QuickHeal: Clean
McAfee: Trojan-FKNI!7B3584C15A1C
Cylance: Unsafe
Zillya: Downloader.Upatre.Win32.62635
SUPERAntiSpyware: Clean
Sangfor: Malware
K7AntiVirus: Trojan-Downloader ( 0055e3da1 )
Alibaba: TrojanDownloader:Win32/Upatre.e55df9cf
K7GW: Trojan-Downloader ( 0055e3da1 )
Cybereason: malicious.15a1c3
Arcabit: Trojan.Graftor.D4D1C5
Invincea: heuristic
BitDefenderTheta: Gen:[email protected]
Cyren: Clean
TotalDefense: Clean
Baidu: Clean
APEX: Malicious
Avast: Win32:Malware-gen
ClamAV: Win.Trojan.NeutrinoPOS-6333858-3
Kaspersky: Trojan-Downloader.Win32.Upatre.fuuj
BitDefender: Gen:Variant.Graftor.315845
NANO-Antivirus: Trojan.Win32.MlwGen.ejlkwa
Paloalto: generic.ml
ViRobot: Clean
Rising: Downloader.Wauchos!8.D9 (CLOUD)
Ad-Aware: Gen:Variant.Graftor.315845
Emsisoft: Gen:Variant.Graftor.315845 (B)
Comodo: Clean
F-Secure: Heuristic.HEUR/AGEN.1116238
DrWeb: Trojan.DownLoader26.10255
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: TrojanSpy.Win32.AZORULT.UJT
McAfee-GW-Edition: Trojan-FKNI!7B3584C15A1C
Fortinet: W32/Kryptik.FISA!tr
Trapmine: malicious.moderate.ml.score
CMC: Clean
Sophos: Mal/Generic-S
SentinelOne: Clean
F-Prot: Clean
Jiangmin: TrojanDownloader.Upatre.alff
Webroot: W32.Trojan.Gen
Avira: HEUR/AGEN.1116238
MAX: malware (ai score=97)
Antiy-AVL: Clean
Kingsoft: Clean
Endgame: malicious (high confidence)
Microsoft: VirTool:Win32/CeeInject.GF
AegisLab: Trojan.Win32.Upatre.a!c
ZoneAlarm: Trojan-Downloader.Win32.Upatre.fuuj
Avast-Mobile: Clean
AhnLab-V3: Clean
Acronis: suspicious
VBA32: BScope.TrojanPSW.Azorult
ALYac: Gen:Variant.Graftor.315845
TACHYON: Trojan-Downloader/W32.Upatre.217088
Malwarebytes: Clean
Zoner: Clean
ESET-NOD32: Win32/TrojanDownloader.Wauchos.CI
TrendMicro-HouseCall: TrojanSpy.Win32.AZORULT.UJT
Tencent: Win32.Trojan-downloader.Upatre.Ahyj
Yandex: Trojan.DL.Upatre!
Ikarus: Worm.Win32.Kasidet
eGambit: Unsafe.AI_Score_99%
GData: Gen:Variant.Graftor.315845
MaxSecure: Trojan.Malware.1728101.susgen
AVG: Win32:Malware-gen
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Win32/Sorter.AVE.CryptLocker.O
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 84.201.32.108 [VT] Germany
Y 8.8.8.8 [VT] United States
Y 5.135.183.146 [VT] France
Y 31.3.135.232 [VT] Switzerland
Y 193.183.98.154 [VT] Italy
Y 185.133.72.100 [VT] Netherlands
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination Destination Port
192.168.1.5 49175 192.168.1.7 5357
192.168.1.6 49259 192.168.1.7 5357
192.168.1.7 49173 13.107.42.23 443
192.168.1.7 49175 13.107.42.23 443
192.168.1.7 49177 13.107.42.23 443
192.168.1.7 62217 185.133.72.100 53
192.168.1.7 15976 192.168.1.5 29812
192.168.1.7 15976 192.168.1.6 29812
192.168.1.7 15976 192.168.1.8 29812
192.168.1.7 53417 193.183.98.154 53
192.168.1.7 61186 193.183.98.154 53
192.168.1.7 57335 31.3.135.232 53
192.168.1.7 60947 31.3.135.232 53
192.168.1.7 55936 5.135.183.146 53
192.168.1.7 9970 52.114.132.91 30650
192.168.1.7 30552 52.114.132.91 45651
192.168.1.7 57628 52.114.132.91 20642
192.168.1.7 58802 52.114.132.91 17185
192.168.1.7 53419 52.114.132.91 443
192.168.1.7 53420 8.253.204.121 80
192.168.1.7 58531 84.201.32.108 53
192.168.1.8 49194 192.168.1.7 5357

UDP

Source Source Port Destination Destination Port
192.168.1.6 137 192.168.1.7 137
192.168.1.7 54266 1.1.1.1 53
192.168.1.7 57648 1.1.1.1 53
192.168.1.7 59324 1.1.1.1 53
192.168.1.7 3702 192.168.1.2 52893
192.168.1.7 137 192.168.1.255 137
192.168.1.7 3702 192.168.1.3 57682
192.168.1.7 3702 192.168.1.5 64484
192.168.1.7 3702 192.168.1.6 53292
192.168.1.7 3702 192.168.1.8 55371
192.168.1.7 3702 192.168.1.9 60943
192.168.1.7 49152 239.255.255.250 3702
192.168.1.7 55169 8.8.8.8 53
192.168.1.7 56221 8.8.8.8 53
192.168.1.7 57251 8.8.8.8 53
192.168.1.7 61313 8.8.8.8 53
192.168.1.7 62371 8.8.8.8 53
192.168.1.7 65119 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

URI Data
http://192.168.1.7:5357/048da2fc-03cd-4f4f-9037-fcd5f0ea1411/
POST /048da2fc-03cd-4f4f-9037-fcd5f0ea1411/ HTTP/1.1
Cache-Control: no-cache
Connection: Close
Pragma: no-cache
Content-Type: application/soap+xml
User-Agent: WSDAPI
Content-Length: 733
Host: 192.168.1.7:5357

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-07-19 18:19:00.749 192.168.1.7 [VT] 49174 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-07-19 18:19:00.749 192.168.1.7 [VT] 49173 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-07-19 18:19:00.866 192.168.1.7 [VT] 49175 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-07-19 18:19:00.870 192.168.1.7 [VT] 49177 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-07-19 18:19:00.941 192.168.1.7 [VT] 49176 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-07-19 18:22:48.994 192.168.1.7 [VT] 49157 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-07-19 18:19:00.806 192.168.1.7 [VT] 49173 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-07-19 18:19:00.957 192.168.1.7 [VT] 49174 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-07-19 18:19:00.999 192.168.1.7 [VT] 49176 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-07-19 18:19:01.073 192.168.1.7 [VT] 49175 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-07-19 18:19:01.081 192.168.1.7 [VT] 49177 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-07-19 18:19:55.777 192.168.1.7 [VT] 53419 52.114.132.91 [VT] 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2
2020-07-19 18:20:05.347 192.168.1.7 [VT] 53422 52.114.132.91 [VT] 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2
2020-07-19 18:22:49.414 192.168.1.7 [VT] 49157 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-07-19 18:22:55.221 192.168.1.7 [VT] 49158 52.114.132.91 [VT] 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-07-19 18:19:56.929 192.168.1.7 [VT] 53420 8.253.204.121 [VT] 80 200 ctldl.windowsupdate.com [VT] /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?086df30af318f8f6 application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 6894
2020-07-19 18:20:02.087 192.168.1.7 [VT] 53421 93.184.220.29 [VT] 80 200 ocsp.digicert.com [VT] /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-07-19 18:22:31.564 192.168.1.8 [VT] 49194 192.168.1.7 [VT] 5357 200 192.168.1.7 [VT] /048da2fc-03cd-4f4f-9037-fcd5f0ea1411/ application/soap+xml WSDAPI None 2202
2020-07-19 18:22:31.564 192.168.1.5 [VT] 49175 192.168.1.7 [VT] 5357 200 192.168.1.7 [VT] /048da2fc-03cd-4f4f-9037-fcd5f0ea1411/ application/soap+xml WSDAPI None 2202
2020-07-19 18:22:31.591 192.168.1.6 [VT] 49259 192.168.1.7 [VT] 5357 200 192.168.1.7 [VT] /048da2fc-03cd-4f4f-9037-fcd5f0ea1411/ application/soap+xml WSDAPI None 2202
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.7 49157 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49173 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49174 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49175 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49177 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49158 52.114.132.91 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.7 53419 52.114.132.91 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.7 53422 52.114.132.91 443 d124ae14809abde3528a479fe01a12bd unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name chthonic_2.23.12.4.vir
PID 5044
Dump Size 52224 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\chthonic_2.23.12.4.vir
Type PE image: 32-bit executable
PE timestamp 2016-11-21 21:04:14
MD5 95b43111219f95678f98cd84caf6b4ee
SHA1 10b9028897d40991f71c67d6e327c90a5aac2bae
SHA256 c8b66b61c9bd0c31f64bcf863dd5f343f389856a440e338c388955075c30a252
CRC32 0F338EC2
Ssdeep 768:+8zuUe3OpJio+MJAifacHQYfdgOcS/iAE8nQn7m1ePj6bqoju6:+8zuULTAifaUKanQaOoju6
Yara
  • shellcode_get_eip - Match x86 that appears to fetch $PC. - Author: William Ballenthin
Dump Filename c8b66b61c9bd0c31f64bcf863dd5f343f389856a440e338c388955075c30a252
Defense Evasion Persistence Privilege Escalation
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1089 - Disabling Security Tools
    • Signature - antiav_servicestop
  • T1054 - Indicator Blocking
    • Signature - stealth_hide_notifications
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1031 - Modify Existing Service
    • Signature - antiav_servicestop
  • T1060 - Registry Run Keys / Startup Folder
    • Signature - persistence_autorun
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 8.347999999999999 seconds )

    • 6.206 Suricata
    • 1.156 BehaviorAnalysis
    • 0.342 NetworkAnalysis
    • 0.254 VirusTotal
    • 0.178 Static
    • 0.112 CAPE
    • 0.031 Deduplicate
    • 0.022 AnalysisInfo
    • 0.022 TargetInfo
    • 0.009 ProcDump
    • 0.007 peid
    • 0.005 Debug
    • 0.004 Strings

    Signatures ( 0.19100000000000006 seconds )

    • 0.027 antiav_detectreg
    • 0.018 ransomware_files
    • 0.016 infostealer_ftp
    • 0.012 infostealer_im
    • 0.012 ransomware_extensions
    • 0.011 territorial_disputes_sigs
    • 0.007 infostealer_mail
    • 0.006 antiav_detectfile
    • 0.005 persistence_autorun
    • 0.005 antianalysis_detectreg
    • 0.005 masquerade_process_name
    • 0.004 antianalysis_detectfile
    • 0.004 infostealer_bitcoin
    • 0.003 antivm_vbox_keys
    • 0.002 api_spamming
    • 0.002 decoy_document
    • 0.002 stealth_timeout
    • 0.002 antivm_vbox_files
    • 0.002 antivm_vmware_keys
    • 0.002 geodo_banking_trojan
    • 0.002 disables_browser_warn
    • 0.002 masslogger_files
    • 0.002 revil_mutexes
    • 0.001 Doppelganging
    • 0.001 InjectionCreateRemoteThread
    • 0.001 antiemu_wine_func
    • 0.001 antivm_generic_disk
    • 0.001 betabot_behavior
    • 0.001 dynamic_function_loading
    • 0.001 infostealer_browser_password
    • 0.001 injection_createremotethread
    • 0.001 kibex_behavior
    • 0.001 kovter_behavior
    • 0.001 malicious_dynamic_function_loading
    • 0.001 NewtWire Behavior
    • 0.001 tinba_behavior
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_parallels_keys
    • 0.001 antivm_vpc_keys
    • 0.001 antivm_xen_keys
    • 0.001 browser_addon
    • 0.001 modify_proxy
    • 0.001 azorult_mutexes
    • 0.001 predatorthethief_files
    • 0.001 qulab_files
    • 0.001 modify_security_center_warnings
    • 0.001 modify_uac_prompt
    • 0.001 network_cnc_http
    • 0.001 office_security
    • 0.001 persistence_shim_database
    • 0.001 ransomware_radamant
    • 0.001 satan_mutexes
    • 0.001 limerat_regkeys
    • 0.001 modirat_bheavior
    • 0.001 rat_pcclient
    • 0.001 rat_spynet
    • 0.001 warzonerat_regkeys
    • 0.001 stealth_hiddenreg
    • 0.001 tampers_etw
    • 0.001 lokibot_mutexes

    Reporting ( 7.231 seconds )

    • 7.12 BinGraph
    • 0.059 MITRE_TTPS
    • 0.052 SubmitCAPE