CAPE

Triggered CAPE Tasks: Task #108518: Extraction


Analysis

Category: FILE
Package: exe
Started: 2019-11-08 21:34:59
Completed: 2019-11-08 21:38:42
Duration: 223 seconds
Options: procdump = 1

Log:
2019-11-08 21:35:00,000 [root] INFO: Date set to: 11-08-19, time set to: 21:35:00, timeout set to: 200
2019-11-08 21:35:00,030 [root] DEBUG: Starting analyzer from: C:\xtstr
2019-11-08 21:35:00,030 [root] DEBUG: Storing results at: C:\CZzPspxbUP
2019-11-08 21:35:00,030 [root] DEBUG: Pipe server name: \\.\PIPE\xeWEnbghqj
2019-11-08 21:35:00,030 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-11-08 21:35:00,030 [root] INFO: Automatically selected analysis package "exe"
2019-11-08 21:35:00,686 [root] DEBUG: Started auxiliary module Browser
2019-11-08 21:35:00,686 [root] DEBUG: Started auxiliary module Curtain
2019-11-08 21:35:00,686 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-11-08 21:35:00,920 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-11-08 21:35:00,920 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-11-08 21:35:00,920 [root] DEBUG: Started auxiliary module DigiSig
2019-11-08 21:35:00,920 [root] DEBUG: Started auxiliary module Disguise
2019-11-08 21:35:00,920 [root] DEBUG: Started auxiliary module Human
2019-11-08 21:35:00,920 [root] DEBUG: Started auxiliary module Screenshots
2019-11-08 21:35:00,920 [root] DEBUG: Started auxiliary module Sysmon
2019-11-08 21:35:00,920 [root] DEBUG: Started auxiliary module Usage
2019-11-08 21:35:00,920 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-11-08 21:35:00,920 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-11-08 21:35:00,936 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\txVtZDyLM.exe" with arguments "" with pid 1748
2019-11-08 21:35:00,936 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-11-08 21:35:00,936 [lib.api.process] INFO: 32-bit DLL to inject is C:\xtstr\dll\OSZqmumy.dll, loader C:\xtstr\bin\FtKuLLJ.exe
2019-11-08 21:35:00,982 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xeWEnbghqj.
2019-11-08 21:35:00,982 [root] DEBUG: Loader: Injecting process 1748 (thread 836) with C:\xtstr\dll\OSZqmumy.dll.
2019-11-08 21:35:00,982 [root] DEBUG: Process image base: 0x00400000
2019-11-08 21:35:00,982 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xtstr\dll\OSZqmumy.dll.
2019-11-08 21:35:00,982 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00429000 - 0x77110000
2019-11-08 21:35:00,982 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00430000.
2019-11-08 21:35:00,982 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-11-08 21:35:00,982 [root] DEBUG: Successfully injected DLL C:\xtstr\dll\OSZqmumy.dll.
2019-11-08 21:35:00,982 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1748
2019-11-08 21:35:02,994 [lib.api.process] INFO: Successfully resumed process with pid 1748
2019-11-08 21:35:02,994 [root] INFO: Added new process to list with pid: 1748
2019-11-08 21:35:03,009 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-11-08 21:35:03,009 [root] DEBUG: Process dumps enabled.
2019-11-08 21:35:03,056 [root] INFO: Disabling sleep skipping.
2019-11-08 21:35:03,056 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-11-08 21:35:03,056 [root] INFO: Disabling sleep skipping.
2019-11-08 21:35:03,056 [root] INFO: Disabling sleep skipping.
2019-11-08 21:35:03,056 [root] INFO: Disabling sleep skipping.
2019-11-08 21:35:03,056 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1748 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-11-08 21:35:03,056 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\txVtZDyLM.exe".
2019-11-08 21:35:03,056 [root] INFO: Monitor successfully loaded in process with pid 1748.
2019-11-08 21:35:03,056 [root] DEBUG: DLL loaded at 0x74500000: C:\Windows\system32\odbcint (0x38000 bytes).
2019-11-08 21:35:03,072 [root] DEBUG: set_caller_info: Adding region at 0x10000000 to caller regions list (ntdll::LdrLoadDll).
2019-11-08 21:35:03,088 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-11-08 21:35:03,088 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-11-08 21:35:03,104 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\wininet (0xf5000 bytes).
2019-11-08 21:35:03,119 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-11-08 21:35:03,119 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-11-08 21:35:03,119 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-11-08 21:35:03,134 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-11-08 21:35:03,151 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-11-08 21:35:03,151 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-11-08 21:35:03,151 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-11-08 21:35:03,151 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-11-08 21:35:03,151 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-11-08 21:35:03,151 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-11-08 21:35:03,151 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-11-08 21:35:03,151 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-11-08 21:35:03,151 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2019-11-08 21:35:03,151 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-11-08 21:35:03,151 [root] DEBUG: DLL loaded at 0x744E0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2019-11-08 21:35:03,151 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-11-08 21:35:17,503 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-11-08 21:38:23,766 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-11-08 21:38:23,766 [root] INFO: Created shutdown mutex.
2019-11-08 21:38:24,780 [lib.api.process] INFO: Terminate event set for process 1748
2019-11-08 21:38:24,780 [root] DEBUG: Terminate Event: Attempting to dump process 1748
2019-11-08 21:38:24,780 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-11-08 21:38:24,780 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-11-08 21:38:24,780 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-11-08 21:38:24,780 [root] DEBUG: DumpProcess: Module entry point VA is 0x00011024.
2019-11-08 21:38:24,780 [root] INFO: Added new CAPE file to list with path: C:\CZzPspxbUP\CAPE\1748_67174290624382185112019
2019-11-08 21:38:24,780 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x21e00.
2019-11-08 21:38:24,780 [lib.api.process] INFO: Termination confirmed for process 1748
2019-11-08 21:38:24,780 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1748
2019-11-08 21:38:24,780 [root] INFO: Terminate event set for process 1748.
2019-11-08 21:38:24,780 [root] INFO: Terminating process 1748 before shutdown.
2019-11-08 21:38:24,780 [root] INFO: Waiting for process 1748 to exit.
2019-11-08 21:38:25,795 [root] INFO: Shutting down package.
2019-11-08 21:38:25,795 [root] INFO: Stopping auxiliary modules.
2019-11-08 21:38:25,795 [root] INFO: Finishing auxiliary modules.
2019-11-08 21:38:25,795 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-11-08 21:38:25,795 [root] WARNING: File at path "C:\CZzPspxbUP\debugger" does not exist, skip.
2019-11-08 21:38:25,795 [root] INFO: Analysis completed.

MalScore

2.0

Benign

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-11-08 21:34:59 2019-11-08 21:38:39

File Details

File Name f671d23d45ca06e64d8e4c801254a19c
File Size 167950 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f671d23d45ca06e64d8e4c801254a19c
SHA1 4b63c9c1a770c2a4552b783b8719bf46b9760882
SHA256 a3486a4162e45b9ff72d6b885daf7ce14d79183747b95242170b74103f0f4911
SHA512 37dd274adebff80a89ba51b3b55fefa8be7db32754f0555fad52143fbe596ec9206892384496a763cc9ac03dc7008ba495fb5da726b2d88e557de0562e6e2c20
CRC32 6EDC9D9F
Ssdeep 3072:9qaL11rx8W7E8nr8OL6MGUyzF1uJ5WRQl/3fxiGIAJvph8JzSX6a6Ai9c:9LrGKOMXs1uyRBGbvph8JziVf
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara
  • shellcode_stack_strings - Match x86 that appears to be stack string creation.
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 1748 triggered the Yara rule 'shellcode_stack_strings'
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: KERNELBASE.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/ProcessIdToSessionId
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/IsBadReadPtr
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/DisableThreadLibraryCalls
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalSize
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/InterlockedExchange
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: USER32.dll/GetWindow
DynamicLoader: USER32.dll/GetWindowTextA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/GetClassNameA
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: ADVAPI32.dll/OpenEventLogA
DynamicLoader: ADVAPI32.dll/ClearEventLogA
DynamicLoader: ADVAPI32.dll/CloseEventLog
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_strupr
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/malloc
DynamicLoader: msvcrt.dll/??3@YAXPAX@Z
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: msvcrt.dll/ceil
DynamicLoader: msvcrt.dll/_ftol
DynamicLoader: msvcrt.dll/__CxxFrameHandler
DynamicLoader: msvcrt.dll/_CxxThrowException
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/??2@YAPAXI@Z
DynamicLoader: msvcrt.dll/memcmp
DynamicLoader: msvcrt.dll/strlen
DynamicLoader: msvcrt.dll/strstr
DynamicLoader: msvcrt.dll/strcpy
DynamicLoader: msvcrt.dll/strncpy
DynamicLoader: msvcrt.dll/strrchr
DynamicLoader: msvcrt.dll/atoi
DynamicLoader: msvcrt.dll/strcspn
DynamicLoader: msvcrt.dll/_stricmp
DynamicLoader: msvcrt.dll/getchar
DynamicLoader: msvcrt.dll/strcmp
DynamicLoader: msvcrt.dll/realloc
DynamicLoader: msvcrt.dll/free
DynamicLoader: msvcrt.dll/_beginthreadex
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/strchr
DynamicLoader: msvcrt.dll/??1type_info@@UAE@XZ
DynamicLoader: msvcrt.dll/__dllonexit
DynamicLoader: msvcrt.dll/_onexit
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetFileAttributesA
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/CancelIo
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/GetSystemDirectoryA
DynamicLoader: kernel32.dll/MoveFileA
DynamicLoader: kernel32.dll/MoveFileExA
DynamicLoader: kernel32.dll/WTSGetActiveConsoleSessionId
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/ExitWindowsEx
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: USER32.dll/IsWindowVisible
DynamicLoader: USER32.dll/SendMessageA
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: msvcrt.dll/strcmp
DynamicLoader: msvcrt.dll/strlen
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/strstr
DynamicLoader: ws2_32.dll/WSAStartup
DynamicLoader: ws2_32.dll/WSACleanup
DynamicLoader: ws2_32.dll/socket
DynamicLoader: ws2_32.dll/gethostbyname
DynamicLoader: ws2_32.dll/htons
DynamicLoader: ws2_32.dll/connect
DynamicLoader: ws2_32.dll/send
DynamicLoader: ws2_32.dll/recv
DynamicLoader: ws2_32.dll/closesocket
DynamicLoader: ws2_32.dll/setsockopt
DynamicLoader: ws2_32.dll/WSAIoctl
DynamicLoader: ws2_32.dll/select
DynamicLoader: ws2_32.dll/getsockname
DynamicLoader: ws2_32.dll/gethostname
DynamicLoader: ADVAPI32.dll/SetServiceStatus
DynamicLoader: ADVAPI32.dll/RegisterServiceCtrlHandlerA
DynamicLoader: ADVAPI32.dll/OpenSCManagerA
DynamicLoader: ADVAPI32.dll/OpenServiceA
DynamicLoader: ADVAPI32.dll/StartServiceA
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/ControlService
DynamicLoader: ADVAPI32.dll/CreateServiceA
DynamicLoader: ADVAPI32.dll/ChangeServiceConfig2A
DynamicLoader: ADVAPI32.dll/DeleteService
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/SetTokenInformation
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserA
DynamicLoader: USER32.dll/OpenInputDesktop
DynamicLoader: USER32.dll/OpenDesktopA
DynamicLoader: USER32.dll/CloseDesktop
DynamicLoader: USER32.dll/GetThreadDesktop
DynamicLoader: USER32.dll/GetUserObjectInformationA
DynamicLoader: USER32.dll/SetThreadDesktop
DynamicLoader: USER32.dll/CloseDesktop
DynamicLoader: kernel32.dll/GetCurrentThreadId
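The MalScore of 2.0 (Benign) reflects how little the sample did before the 200-second timeout: it loaded the wininet/ws2_32/DNSAPI stack, issued one DNS query for www.515bt.com, got no answer, and was terminated. The DynamicLoader list above is the more useful evidence, but it is long and repetitive, so a practitioner wants it folded into capabilities. The script below is an added example, not part of this CAPE report or of CAPE itself; the capability table and weights are this example's own heuristic, and the input is a constructed subset of the lines above (one VirtualAlloc line repeated on purpose, as in the report). It pairs APIs that only mean something together (OpenSCManagerA + CreateServiceA + StartServiceA for service installation, WTSGetActiveConsoleSessionId + DuplicateTokenEx + SetTokenInformation + CreateProcessAsUserA for spawning into the console session, OpenEventLogA + ClearEventLogA for log clearing, OpenInputDesktop + SetThreadDesktop for desktop switching), so a single common call never raises a flag on its own.

```python
import re
from collections import OrderedDict

# Constructed input: a subset of the "DynamicLoader:" lines from the Signatures
# section of this report, copied verbatim. Any CAPE report in this format works.
SAMPLE_SIGNATURE_LINES = """\
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ADVAPI32.dll/OpenEventLogA
DynamicLoader: ADVAPI32.dll/ClearEventLogA
DynamicLoader: ADVAPI32.dll/CloseEventLog
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/WTSGetActiveConsoleSessionId
DynamicLoader: USER32.dll/ExitWindowsEx
DynamicLoader: ws2_32.dll/WSAStartup
DynamicLoader: ws2_32.dll/gethostbyname
DynamicLoader: ws2_32.dll/connect
DynamicLoader: ws2_32.dll/send
DynamicLoader: ws2_32.dll/recv
DynamicLoader: ADVAPI32.dll/OpenSCManagerA
DynamicLoader: ADVAPI32.dll/CreateServiceA
DynamicLoader: ADVAPI32.dll/StartServiceA
DynamicLoader: ADVAPI32.dll/ChangeServiceConfig2A
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/SetTokenInformation
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserA
DynamicLoader: USER32.dll/OpenInputDesktop
DynamicLoader: USER32.dll/SetThreadDesktop
"""

LINE_RE = re.compile(r"^DynamicLoader:\s*([^/\s]+)/(\S+)\s*$")

# Capability table for this example (not a CAPE signature set). An entry fires
# only when every API in its set was resolved, so one common call such as
# VirtualAlloc never raises a flag by itself. Weights are this example's own
# triage heuristic, not a CAPE score.
CAPABILITIES = OrderedDict([
    ("manual_loader",       ({"virtualalloc", "virtualprotect", "getprocaddress", "loadlibrarya"}, 2)),
    ("event_log_clearing",  ({"openeventloga", "cleareventloga"}, 3)),
    ("service_install",     ({"openscmanagera", "createservicea", "startservicea"}, 3)),
    ("service_reconfigure", ({"changeserviceconfig2a"}, 1)),
    ("session_hop",         ({"wtsgetactiveconsolesessionid", "duplicatetokenex",
                              "settokeninformation", "createprocessasusera"}, 3)),
    ("desktop_switch",      ({"openinputdesktop", "setthreaddesktop"}, 2)),
    ("tcp_client",          ({"wsastartup", "gethostbyname", "connect", "send", "recv"}, 2)),
    ("forced_reboot",       ({"exitwindowsex"}, 1)),
    ("single_instance",     ({"createmutexa"}, 1)),
])


def parse_dynamic_loader(text):
    """Return an ordered, de-duplicated list of (dll, function) pairs; dll is lower-cased."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[(m.group(1).lower(), m.group(2))] = None
    return list(seen)


def match_capabilities(pairs):
    """Map capability name -> (sorted required APIs, weight) for every fully satisfied entry."""
    funcs = {func.lower() for _, func in pairs}
    hits = OrderedDict()
    for name, (required, weight) in CAPABILITIES.items():
        if required <= funcs:
            hits[name] = (sorted(required), weight)
    return hits


def triage_score(hits):
    """Sum the weights of the capabilities that fired."""
    return sum(weight for _, weight in hits.values())


if __name__ == "__main__":
    pairs = parse_dynamic_loader(SAMPLE_SIGNATURE_LINES)
    hits = match_capabilities(pairs)
    for name, (apis, weight) in hits.items():
        print(f"{name:20s} +{weight}  {', '.join(apis)}")
    print("unique APIs:", len(pairs), " triage score:", triage_score(hits))
```

Run against the full DynamicLoader list from a report the same way; the de-duplication matters because CAPE logs each resolution, so HeapAlloc/GetProcessHeap appear many times. The point of requiring whole API groups is that a legitimate MFC program also resolves VirtualAlloc and CreateMutexA; it does not also resolve ClearEventLogA and CreateProcessAsUserA.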

Hosts

Direct  IP       Country
Y       8.8.8.8  United States

DNS

Name           Response              Post-Analysis Lookup
www.515bt.com  (no response recorded) (none)

Summary

Files:
C:\Windows\System32\en-US\odbcint.dll.mui
C:\Windows\System32\MFC42LOC.DLL
C:\Windows\System32\MFC42LOC.DLL.DLL
C:\Windows\sysnative\MFC42LOC.DLL
C:\Windows\sysnative\MFC42LOC.DLL.DLL
C:\Windows\System32\en-US\odbcint.dll.mui
Registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BidInterface\Loader
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI\ODBC
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC
HKEY_CURRENT_USER
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
DisableUserModeCallbackFilter
Resolved APIs:
kernel32.dll.TryEnterCriticalSection
kernel32.dll.SetCriticalSectionSpinCount
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
kernel32.dll.HeapAlloc
kernel32.dll.VirtualAlloc
kernel32.dll.GetProcessHeap
kernel32.dll.IsBadReadPtr
kernel32.dll.HeapReAlloc
kernel32.dll.FreeLibrary
kernel32.dll.GetProcAddress
kernel32.dll.LoadLibraryA
kernel32.dll.CloseHandle
kernel32.dll.WaitForSingleObject
kernel32.dll.GetVersionExA
kernel32.dll.GetCurrentProcess
kernel32.dll.GetModuleHandleA
kernel32.dll.VirtualProtect
kernel32.dll.HeapFree
kernel32.dll.SetEvent
kernel32.dll.CreateEventA
kernel32.dll.lstrcmpiA
kernel32.dll.DisableThreadLibraryCalls
kernel32.dll.lstrlenA
kernel32.dll.CreateFileA
kernel32.dll.WriteFile
kernel32.dll.lstrcatA
kernel32.dll.GetTickCount
kernel32.dll.LocalAlloc
kernel32.dll.LocalSize
kernel32.dll.LocalFree
kernel32.dll.lstrcpyA
kernel32.dll.Sleep
kernel32.dll.InterlockedExchange
kernel32.dll.VirtualFree
kernel32.dll.GlobalMemoryStatusEx
user32.dll.GetWindow
user32.dll.GetWindowTextA
user32.dll.wsprintfA
user32.dll.FindWindowA
user32.dll.GetClassNameA
advapi32.dll.OpenEventLogA
advapi32.dll.ClearEventLogA
advapi32.dll.CloseEventLog
msvcrt.dll.rand
msvcrt.dll._strupr
msvcrt.dll._adjust_fdiv
msvcrt.dll.malloc
msvcrt.dll.??3@YAXPAX@Z
msvcrt.dll.memcpy
msvcrt.dll.ceil
msvcrt.dll._ftol
msvcrt.dll.__CxxFrameHandler
msvcrt.dll._CxxThrowException
msvcrt.dll.memset
msvcrt.dll.??2@YAPAXI@Z
msvcrt.dll.memcmp
msvcrt.dll.strlen
msvcrt.dll.strstr
msvcrt.dll.strcpy
msvcrt.dll.strncpy
msvcrt.dll.strrchr
msvcrt.dll.atoi
msvcrt.dll.strcspn
msvcrt.dll._stricmp
msvcrt.dll.getchar
msvcrt.dll.strcmp
msvcrt.dll.realloc
msvcrt.dll.free
msvcrt.dll._beginthreadex
msvcrt.dll._except_handler3
msvcrt.dll.strchr
msvcrt.dll.??1type_info@@UAE@XZ
msvcrt.dll.__dllonexit
msvcrt.dll._onexit
msvcrt.dll._initterm
kernel32.dll.CreateProcessA
kernel32.dll.GetModuleFileNameA
kernel32.dll.CreateMutexA
kernel32.dll.ReleaseMutex
kernel32.dll.GetLastError
kernel32.dll.GetFileAttributesA
kernel32.dll.ResetEvent
kernel32.dll.CancelIo
kernel32.dll.TerminateThread
kernel32.dll.GetExitCodeProcess
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.GetSystemInfo
kernel32.dll.GetSystemDirectoryA
kernel32.dll.MoveFileA
kernel32.dll.MoveFileExA
kernel32.dll.WTSGetActiveConsoleSessionId
user32.dll.ExitWindowsEx
user32.dll.MessageBoxA
user32.dll.IsWindowVisible
user32.dll.SendMessageA
user32.dll.EnumWindows
ws2_32.dll.WSAStartup
ws2_32.dll.WSACleanup
ws2_32.dll.socket
ws2_32.dll.gethostbyname
ws2_32.dll.htons
ws2_32.dll.connect
ws2_32.dll.send
ws2_32.dll.recv
ws2_32.dll.closesocket
ws2_32.dll.setsockopt
ws2_32.dll.WSAIoctl
ws2_32.dll.select
ws2_32.dll.getsockname
ws2_32.dll.gethostname
advapi32.dll.SetServiceStatus
advapi32.dll.RegisterServiceCtrlHandlerA
advapi32.dll.OpenSCManagerA
advapi32.dll.OpenServiceA
advapi32.dll.StartServiceA
advapi32.dll.CloseServiceHandle
advapi32.dll.QueryServiceStatus
advapi32.dll.ControlService
advapi32.dll.CreateServiceA
advapi32.dll.ChangeServiceConfig2A
advapi32.dll.DeleteService
advapi32.dll.OpenProcessToken
advapi32.dll.DuplicateTokenEx
advapi32.dll.SetTokenInformation
advapi32.dll.CreateProcessAsUserA
user32.dll.OpenInputDesktop
user32.dll.OpenDesktopA
user32.dll.CloseDesktop
user32.dll.GetThreadDesktop
user32.dll.GetUserObjectInformationA
user32.dll.SetThreadDesktop
kernel32.dll.GetCurrentThreadId
Mutexes:
www.515bt.com:8000:SRDSL

PE Information

Image Base 0x00400000
Entry Point 0x00411024
Reported Checksum 0x00000000
Actual Checksum 0x0002fae1
Minimum OS Version 4.0
Compile Time 2017-09-04 17:11:39
Import Hash 30f204ada17cbce549a5035709c52fee

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00012d1a 0x00013000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.15
.rdata 0x00014000 0x0000534e 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.84
.data 0x0001a000 0x000097f0 0x0000a000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.87
.rsrc 0x00024000 0x000045f8 0x00005000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.62

Overlay

Offset 0x00029000
Size 0x0000000e
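The overlay figures above follow from the section table and the file size: with headers occupying the first 0x1000 bytes and sections packed back to back (the section virtual addresses 0x14000, 0x1a000 and 0x24000 coincide with exactly that raw layout, which supports the assumption), raw data ends at 0x29000 and the 167950-byte file leaves 14 bytes of overlay. The script below is an added example, not part of this report or of CAPE; it takes the PE Information and Sections values above as constants, assumes the contiguous raw layout just described (the report does not print PointerToRawData), and runs the layout checks an analyst applies to a section table: overlay size, which section holds the entry point, writable-and-executable sections, and sections whose virtual size far exceeds their raw size. It also runs the same checks over a constructed UPX-style table so the failure cases are visible; that second table is invented for illustration and is not from this sample.

```python
# Values from this report's "PE Information" and "Sections" tables.
FILE_SIZE = 167950
IMAGE_BASE = 0x00400000
ENTRY_POINT_VA = 0x00411024
HEADER_SIZE = 0x1000  # assumption: 0x1000 file alignment, headers fill the first page

SECTIONS = [
    # name, virtual address (RVA), virtual size, size of raw data, characteristics
    (".text",  0x00001000, 0x00012d1a, 0x00013000,
     "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ"),
    (".rdata", 0x00014000, 0x0000534e, 0x00006000,
     "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ"),
    (".data",  0x0001a000, 0x000097f0, 0x0000a000,
     "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE"),
    (".rsrc",  0x00024000, 0x000045f8, 0x00005000,
     "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ"),
]

# Constructed, UPX-style table for contrast (not from this sample): an empty
# W+X unpack target, a W+X packed section holding the entry point, no overlay.
PACKED_EXAMPLE = [
    ("UPX0",  0x00001000, 0x00020000, 0x00000000,
     "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE"),
    ("UPX1",  0x00021000, 0x00009000, 0x00008200,
     "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE"),
    (".rsrc", 0x0002a000, 0x00001000, 0x00000600,
     "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE"),
]
PACKED_FILE_SIZE = HEADER_SIZE + 0x00008200 + 0x00000600
PACKED_ENTRY_VA = IMAGE_BASE + 0x00029000


def raw_layout(sections, header_size=HEADER_SIZE):
    """Assign PointerToRawData assuming sections are stored back to back after the headers."""
    out, offset = [], header_size
    for name, va, vsize, rsize, flags in sections:
        out.append({"name": name, "va": va, "vsize": vsize, "raw_ptr": offset,
                    "raw_size": rsize, "flags": flags.split("|")})
        offset += rsize
    return out


def overlay(sections, file_size, header_size=HEADER_SIZE):
    """Return (offset, size) of data past the last section's raw bytes; size 0 if none."""
    end = max(s["raw_ptr"] + s["raw_size"] for s in raw_layout(sections, header_size))
    return (end, file_size - end) if file_size > end else (end, 0)


def section_for_rva(sections, rva):
    """Name of the section whose mapped range contains rva, or None."""
    for name, va, vsize, rsize, _ in sections:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def layout_findings(sections, file_size, image_base, ep_va):
    """Human-readable layout findings in a fixed order: overlay, entry point, per-section flags."""
    findings = []
    off, size = overlay(sections, file_size)
    if size:
        findings.append(f"overlay of {size:#x} bytes at {off:#x}")
    ep_section = section_for_rva(sections, ep_va - image_base)
    if ep_section is None:
        findings.append("entry point outside all sections")
    elif ep_section != ".text":
        findings.append(f"entry point in {ep_section}, not .text")
    for s in raw_layout(sections):
        if "IMAGE_SCN_MEM_WRITE" in s["flags"] and "IMAGE_SCN_MEM_EXECUTE" in s["flags"]:
            findings.append(f"{s['name']} is writable and executable")
        if s["vsize"] > s["raw_size"] + 0x1000:
            findings.append(f"{s['name']} virtual size far exceeds raw size (unpack target?)")
    return findings


if __name__ == "__main__":
    for label, secs, size, ep in (("this sample", SECTIONS, FILE_SIZE, ENTRY_POINT_VA),
                                  ("constructed packed", PACKED_EXAMPLE, PACKED_FILE_SIZE, PACKED_ENTRY_VA)):
        print(label, "->", layout_findings(secs, size, IMAGE_BASE, ep) or ["nothing notable"])
```

For this sample the only finding is the 14-byte overlay, which is too small to hold a payload; the entry point sits in .text and no section is both writable and executable, consistent with an unpacked MFC build. The reported checksum of 0 against an actual 0x2fae1 is not a signal on its own; user-mode executables are routinely built without a checksum.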

Imports

Library MFC42.DLL (every entry imported by ordinal, so no name is shown):
0x414044 None
0x414048 None
0x41404c None
0x414050 None
0x414054 None
0x414058 None
0x41405c None
0x414060 None
0x414064 None
0x414068 None
0x41406c None
0x414070 None
0x414074 None
0x414078 None
0x41407c None
0x414080 None
0x414084 None
0x414088 None
0x41408c None
0x414090 None
0x414094 None
0x414098 None
0x41409c None
0x4140a0 None
0x4140a4 None
0x4140a8 None
0x4140ac None
0x4140b0 None
0x4140b4 None
0x4140b8 None
0x4140bc None
0x4140c0 None
0x4140c4 None
0x4140c8 None
0x4140cc None
0x4140d0 None
0x4140d4 None
0x4140d8 None
0x4140dc None
0x4140e0 None
0x4140e4 None
0x4140e8 None
0x4140ec None
0x4140f0 None
0x4140f4 None
0x4140f8 None
0x4140fc None
0x414100 None
0x414104 None
0x414108 None
0x41410c None
0x414110 None
0x414114 None
0x414118 None
0x41411c None
0x414120 None
0x414124 None
0x414128 None
0x41412c None
0x414130 None
0x414134 None
0x414138 None
0x41413c None
0x414140 None
0x414144 None
0x414148 None
0x41414c None
0x414150 None
0x414154 None
0x414158 None
0x41415c None
0x414160 None
0x414164 None
0x414168 None
0x41416c None
0x414170 None
0x414174 None
0x414178 None
0x41417c None
0x414180 None
0x414184 None
0x414188 None
0x41418c None
0x414190 None
0x414194 None
0x414198 None
0x41419c None
0x4141a0 None
0x4141a4 None
0x4141a8 None
0x4141ac None
0x4141b0 None
0x4141b4 None
0x4141b8 None
0x4141bc None
0x4141c0 None
0x4141c4 None
0x4141c8 None
0x4141cc None
0x4141d0 None
0x4141d4 None
0x4141d8 None
0x4141dc None
0x4141e0 None
0x4141e4 None
0x4141e8 None
0x4141ec None
0x4141f0 None
0x4141f4 None
0x4141f8 None
0x4141fc None
0x414200 None
0x414204 None
0x414208 None
0x41420c None
0x414210 None
0x414214 None
0x414218 None
0x41421c None
0x414220 None
0x414224 None
0x414228 None
0x41422c None
0x414230 None
0x414234 None
0x414238 None
0x41423c None
0x414240 None
0x414244 None
0x414248 None
0x41424c None
0x414250 None
0x414254 None
0x414258 None
0x41425c None
0x414260 None
0x414264 None
0x414268 None
0x41426c None
0x414270 None
0x414274 None
0x414278 None
0x41427c None
Library MSVCRT.dll:
0x414284 _controlfp
0x414288 _except_handler3
0x41428c __set_app_type
0x414290 __p__fmode
0x414294 __p__commode
0x414298 _adjust_fdiv
0x41429c __setusermatherr
0x4142a0 _initterm
0x4142a4 __getmainargs
0x4142a8 _acmdln
0x4142ac _XcptFilter
0x4142b0 _exit
0x4142b4 _onexit
0x4142b8 __dllonexit
0x4142c0 exit
0x4142c4 rand
0x4142c8 _CxxThrowException
0x4142cc __CxxFrameHandler
0x4142d0 atol
0x4142d4 _setmbcp
0x4142d8 wcslen
0x4142dc _mbscmp
0x4142e0 atoi
Library KERNEL32.dll:
0x414008 MultiByteToWideChar
0x41400c lstrlenA
0x414014 GetProcAddress
0x414018 LoadLibraryA
0x41401c VirtualAlloc
0x414020 GetLastError
0x414024 GetTickCount
0x414028 GetModuleHandleA
0x41402c GetStartupInfoA
0x414030 FreeLibrary
0x414034 LocalFree
0x414038 WideCharToMultiByte
Library USER32.dll:
0x41430c AppendMenuA
0x414310 SendMessageA
0x414314 EnableWindow
0x414318 GetSystemMetrics
0x41431c GetSystemMenu
0x414320 DrawIcon
0x414324 GetClientRect
0x414328 LoadIconA
0x41432c IsIconic
Library COMCTL32.dll:
Library ole32.dll:
0x414334 CLSIDFromProgID
0x414338 CoUninitialize
0x41433c CoCreateInstance
0x414340 OleRun
0x414344 CoInitialize
0x414348 CLSIDFromString
Library OLEAUT32.dll:
0x4142e8 SysStringByteLen
0x4142ec VariantChangeType
0x4142f0 SysAllocString
0x4142f4 VariantInit
0x4142f8 SysFreeString
0x4142fc GetErrorInfo
0x414304 VariantClear

Strings

.text
`.rdata
@.data
.rsrc
D$ RPh0DA
D$ RPh@GA
D$ RPhhJA
D$ RPhhKA
L$xQj
WhL-B
u8Ph(.B
u!PPh`/B
u!PPhD/B
D$(RhT0B
Pht2B
L$DPhD3B
Ph`3B
Fth42B
Ph 5B
L$ Ph 5B
D$(Rh`5B
MFC42.DLL
__CxxFrameHandler
_mbscmp
_CxxThrowException
MSVCRT.dll
??1type_info@@UAE@XZ
__dllonexit
_onexit
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
LocalFree
InterlockedDecrement
GetLastError
MultiByteToWideChar
lstrlenA
InterlockedIncrement
GetProcAddress
LoadLibraryA
VirtualAlloc
FreeLibrary
GetTickCount
GetModuleHandleA
GetStartupInfoA
KERNEL32.dll
EnableWindow
SendMessageA
LoadIconA
AppendMenuA
GetSystemMenu
DrawIcon
GetClientRect
GetSystemMetrics
IsIconic
USER32.dll
ImageList_ReplaceIcon
COMCTL32.dll
CoInitialize
OleRun
CoCreateInstance
CoUninitialize
CLSIDFromProgID
CLSIDFromString
ole32.dll
OLEAUT32.dll
wcslen
_setmbcp
WideCharToMultiByte
.?AV_com_error@@
Provider=SQLOLEDB.1; Server=127.0.0.1; Database=LibraryManageSys; uid=sa; pwd=sa;
ADODB.Connection
CAdodc
RemainCount
BookCount
PublishYear
Publisher
Author
SELECT * FROM BookInfo WHERE BookCode =
SELECT Name FROM BookInfo WHERE BookCode =
INSERT INTO BookInfo (BookCode, Name, Author, Publisher, PublishYear, BookCount, RemainCount) VALUES ('
' WHERE BookCode =
' , RemainCount = '
', BookCount = '
', PublishYear = '
', Publisher = '
', Author = '
UPDATE BookInfo SET Name = '
DELETE FROM BookInfo WHERE BookCode =
FROM BookInfo AS b
%Y-%m-%d
2000.01.01
BorrowId
' AND StuId = '
SELECT * FROM BorrowBookInfo WHERE BookCode = '
INSERT INTO BorrowBookInfo (BookCode, StuId, BorrowDate) VALUES ('
DELETE FROM BorrowBookInfo WHERE BorrowId =
FROM BorrowBookInfo b,Student s, BookInfo bb WHERE b.BookCode = bb.BookCode AND s.StuId = b.StuId
CDataCombo
CDataGrid
CDataList
DepName
DepId
SELECT * FROM DepInfo ORDER BY UID
SELECT * FROM DepInfo WHERE DepName = '
SELECT * FROM DepInfo WHERE UID =
SELECT * FROM Speciality WHERE DepId =
Describes
SELECT * FROM DepInfo WHERE DepId =
MaxId
SELECT MAX(DepId) AS MaxId FROM DepInfo
INSERT INTO DepInfo (DepName, Describes, UID) VALUES('
' WHERE DepId = '
', Describes = '
UPDATE DepInfo SET DepName = '
DELETE FROM DepInfo WHERE DepId =
.text
`.rdata
@.data
.reloc
WCWSh7(
SVWhxd
VirtualFree
VirtualAlloc
InterlockedExchange
Sleep
lstrcpyA
LocalFree
LocalSize
LocalAlloc
GetTickCount
lstrcatA
WriteFile
CreateFileA
lstrlenA
FreeLibrary
GetProcAddress
LoadLibraryA
CloseHandle
WaitForSingleObject
GetVersionExA
GetCurrentProcess
GetModuleHandleA
GlobalMemoryStatusEx
HeapAlloc
GetProcessHeap
VirtualProtect
HeapFree
SetEvent
CreateEventA
lstrcmpiA
KERNEL32.dll
wsprintfA
GetClassNameA
GetWindow
GetWindowTextA
FindWindowA
USER32.dll
CloseEventLog
ClearEventLogA
OpenEventLogA
ADVAPI32.dll
??3@YAXPAX@Z
memcpy
_ftol
__CxxFrameHandler
_CxxThrowException
memset
??2@YAPAXI@Z
memcmp
strlen
strstr
strcpy
strncpy
strrchr
strcspn
getchar
strcmp
realloc
_beginthreadex
_except_handler3
strchr
MSVCRT.dll
??1type_info@@UAE@XZ
__dllonexit
_onexit
_initterm
malloc
_adjust_fdiv
DisableThreadLibraryCalls
_strupr
_stricmp
MainDll.dll
bad Allocate
bad buffer
PluginMe
OpenProxy
CloseProxy
SeShutdownPrivilege
System
Security
Application
Group
Remark
SYSTEM\CurrentControlSet\Services\%s
%s\%d.bak
WinSta0\Default
%s\shell\open\command
%s %s
Applications\iexplore.exe\shell\open\command
www.515bt.com
SRDSL
System Remote Data Simulation Layer
Default
%ProgramFiles%\Google\
%s:%d:%s
InstallTime
SysFreeString
Oleaut32.dll
CoCreateInstance
CoUninitialize
CoInitialize
Ole32.dll
%d*%sMHz
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Error
kernel32.dll
IsWow64Process
RtlGetNtVersionNumbers
ntdll.dll
CTXOPConntion_Class
IsBadReadPtr
wininet.dll
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
OpenProcessToken
DeleteService
ChangeServiceConfig2A
CreateServiceA
ControlService
QueryServiceStatus
CloseServiceHandle
StartServiceA
OpenServiceA
OpenSCManagerA
RegisterServiceCtrlHandlerA
SetServiceStatus
ADVAPI32.dll
gethostname
getsockname
select
WSAIoctl
setsockopt
closesocket
connect
htons
gethostbyname
socket
WSACleanup
WSAStartup
ws2_32.dll
strstr
memset
memcpy
strlen
strcmp
MSVCRT.dll
EnumWindows
SendMessageA
IsWindowVisible
MessageBoxA
ExitWindowsEx
wsprintfA
User32.dll
GetCurrentProcess
WTSGetActiveConsoleSessionId
MoveFileExA
MoveFileA
GetSystemDirectoryA
GetSystemInfo
ExpandEnvironmentStringsA
GetExitCodeProcess
GetVersionExA
TerminateThread
SetEvent
CancelIo
ResetEvent
CreateEventA
GetFileAttributesA
WaitForSingleObject
GetTickCount
lstrcatA
Sleep
CloseHandle
GetLastError
ReleaseMutex
CreateMutexA
GetModuleFileNameA
CreateProcessA
GetCurrentThreadId
CloseDesktop
SetThreadDesktop
GetUserObjectInformationA
GetThreadDesktop
user32.dll
OpenDesktopA
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
MSIE 6.0
InternetOpenA
KERNEL32.dll
LookupPrivilegeValueA
AdjustTokenPrivileges
Process32Next
Process32First
CreateToolhelp32Snapshot
RegCloseKey
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
RegSetValueExA
RegCreateKeyExA
.?AVtype_info@@
8<8I8
kernel32.dll
HeapFree
GetProcessHeap
HeapAlloc
HeapReAlloc
VirtualAlloc
VirtualProtect
VirtualFree
KERNEL32.dll
SpeId
SELECT * FROM Speciality ORDER BY SpeId
SELECT * FROM Speciality WHERE Name = '
SELECT * FROM Student WHERE SpeId =
SELECT * FROM Speciality WHERE SpeId =
INSERT INTO Speciality (Name, DepId, Describes) VALUES('
' WHERE SpeId =
UPDATE Speciality SET Name = '
DELETE FROM Speciality WHERE SpeId =
OR d.DepId =
AND (d.UID =
AND d.DepId =
FROM Speciality s, DepInfo d WHERE s.DepId = d.DepId
BorrowBookCount
SELECT * FROM Student WHERE StuId =
SELECT Name FROM Student WHERE StuId =
INSERT INTO Student (StuId, Name, Sex, DepId, SpeId, BorrowBookCount) VALUES ('
' WHERE StuId =
', BorrowBookCount = '
', SpeId = '
', DepId = '
', Sex = '
UPDATE Student SET Name = '
DELETE FROM Student WHERE StuId =
, s.DepId,s.SpeId FROM Student s, Speciality p, DepInfo d WHERE s.DepId = d.DepId AND s.SpeId = p.SpeId
admin
SELECT * FROM UserInfo WHERE UserName = '
UserType
Passwd
INSERT INTO UserInfo VALUES ('
WHERE UserName = '
', UserType =
UPDATE UserInfo SET Passwd = '
DELETE FROM UserInfo WHERE UserName = '
FROM UserInfo
.?AVtype_info@@
DDDDDDD
DDDDDDD
eFriendlyName
LibraryMagSys
(C) 2008
{CDE57A43-8B86-11D0-B3C6-00A0C90AEA82}
{67397AA3-7FB1-11D0-B148-00A0C922E820}
Static
SysTreeView32
Tree1
Cancel
VS_VERSION_INFO
StringFileInfo
080404B0
CompanyName
FileDescription
FileVersion
1, 0, 0, 1
InternalName
LibraryMagSys
LegalCopyright
(C) 2008
LegalTrademarks
OriginalFilename
LibraryMagSys.EXE
ProductName
ProductVersion
1, 0, 0, 1
VarFileInfo
Translation
Provider=SQLOLEDB.1;Password=sa;Persist Security Info=True;User ID=sa;Initial Catalog=LibraryManageSys;Data Source=127.0.0.1|
Provider=SQLOLEDB.1;Password=sa;Persist Security Info=True;User ID=sa;Initial Catalog=LibraryManageSys;Data Source=127.0.0.1
LibraryMagSys(&A)...
This file is not on VirusTotal.

Process Tree


txVtZDyLM.exe, PID: 1748, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\txVtZDyLM.exe
Command Line: "C:\Users\user\AppData\Local\Temp\txVtZDyLM.exe"

Hosts

Direct   IP         Country Name
Y        8.8.8.8    United States

TCP

No TCP connections recorded.

UDP

Source           Source Port   Destination   Destination Port
192.168.35.21    53447         8.8.8.8       53
192.168.35.21    57255         8.8.8.8       53
192.168.35.21    57334         8.8.8.8       53
192.168.35.21    58094         8.8.8.8       53
192.168.35.21    59473         8.8.8.8       53
192.168.35.21    64235         8.8.8.8       53
192.168.35.21    65365         8.8.8.8       53
192.168.35.21    65426         8.8.8.8       53

DNS

Name             Response   Post-Analysis Lookup
www.515bt.com

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name txVtZDyLM.exe
PID 1748
Dump Size 138752 bytes
Module Path C:\Users\user\AppData\Local\Temp\txVtZDyLM.exe
Type PE image: 32-bit executable
MD5 ad54230ff5753a290601b3f577c02c71
SHA1 4572bb8c6eb382bf949c0538cdb14b8d1772569e
SHA256 d5802213be4258b3c92c6e9635f8235e55469ff7fb897cf7050b4199aa3e7ebf
CRC32 221B25A5
Ssdeep 3072:PqaL11rx8W7E8nr8OL6MGUyzF1uJ5WRQl/3fxkqGIAJvph8JzSX6a:PLrGKOMXs1uyR6Gbvph8Jzi
ClamAV None
Yara
  • shellcode_stack_strings - Match x86 that appears to be stack string creation.
CAPE Yara None matched
Dump Filename d5802213be4258b3c92c6e9635f8235e55469ff7fb897cf7050b4199aa3e7ebf

Processing ( 0.993 seconds )

  • 0.311 CAPE
  • 0.171 TargetInfo
  • 0.151 Static
  • 0.134 ProcDump
  • 0.125 TrID
  • 0.039 BehaviorAnalysis
  • 0.03 Deduplicate
  • 0.016 NetworkAnalysis
  • 0.01 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.056 seconds )

  • 0.008 antiav_detectreg
  • 0.008 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 NewtWire Behavior
  • 0.001 api_spamming
  • 0.001 antiemu_wine_func
  • 0.001 dynamic_function_loading
  • 0.001 decoy_document
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name
  • 0.001 network_torgateway

Reporting ( 0.012 seconds )

  • 0.012 SubmitCAPE
Task ID 108516
Mongo ID 5dc5e06603bfea2d656a1240
Cuckoo release 1.3-CAPE