CAPE

Detections

Ursnif


Analysis

Category: FILE
Package: Ursnif
Started: 2018-07-04 06:01:22
Completed: 2018-07-04 06:05:39
Duration: 257 seconds
bp1 = 170194
bp0 = 126708
2018-07-04 07:01:23,000 [root] INFO: Date set to: 07-04-18, time set to: 06:01:23
2018-07-04 07:01:23,015 [root] DEBUG: Starting analyzer from: C:\kpalbivkhd
2018-07-04 07:01:23,015 [root] DEBUG: Storing results at: C:\cQTqHEqBJN
2018-07-04 07:01:23,015 [root] DEBUG: Pipe server name: \\.\PIPE\QorXpe
2018-07-04 07:01:23,015 [root] INFO: Analysis package "Ursnif" has been specified.
2018-07-04 07:01:23,312 [root] DEBUG: Started auxiliary module Browser
2018-07-04 07:01:23,312 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2018-07-04 07:01:23,312 [root] DEBUG: Started auxiliary module DigiSig
2018-07-04 07:01:23,312 [root] DEBUG: Started auxiliary module Disguise
2018-07-04 07:01:23,312 [root] DEBUG: Started auxiliary module Human
2018-07-04 07:01:23,312 [root] DEBUG: Started auxiliary module Screenshots
2018-07-04 07:01:23,312 [root] DEBUG: Started auxiliary module Usage
2018-07-04 07:01:23,312 [root] INFO: Analyzer: DLL set to Ursnif.dll from package modules.packages.Ursnif
2018-07-04 07:01:23,312 [root] INFO: Analyzer: DLL_64 set to Ursnif_x64.dll from package modules.packages.Ursnif
2018-07-04 07:01:23,312 [root] INFO: Analyzer: Loader (32-bit) set to newloader.exe from package modules.packages.Ursnif
2018-07-04 07:01:23,312 [root] INFO: Analyzer: Loader (64-bit) set to newloader_x64.exe from package modules.packages.Ursnif
2018-07-04 07:01:23,436 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\032901.bin" with arguments "" with pid 884
2018-07-04 07:01:23,436 [lib.api.process] INFO: DLL to inject is dll\yrdETqK.dll
2018-07-04 07:01:23,436 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-07-04 07:01:23,451 [lib.api.process] INFO: Option 'exclude-apis' with value 'NtCreateFile:NtWriteFile:NtDeleteFile:NtQueryInformationFile' sent to monitor
2018-07-04 07:01:23,451 [lib.api.process] INFO: Option 'bp0' with value '126708' sent to monitor
2018-07-04 07:01:23,451 [lib.api.process] INFO: Option 'bp1' with value '170194' sent to monitor
2018-07-04 07:01:23,483 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 884
2018-07-04 07:01:25,496 [lib.api.process] INFO: Successfully resumed process with pid 884
2018-07-04 07:01:25,496 [root] INFO: Added new process to list with pid: 884
2018-07-04 07:01:25,808 [root] DEBUG: (0) bp0 set to 0x1eef4
2018-07-04 07:01:25,808 [root] DEBUG: (0) bp1 set to 0x298d2
2018-07-04 07:01:25,838 [root] DEBUG: (884) WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2018-07-04 07:01:25,838 [root] DEBUG: (884) WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x510000
2018-07-04 07:01:25,838 [root] DEBUG: (884) CAPE initialised: 32-bit Ursnif package. Loaded at 0x734d0000
2018-07-04 07:01:25,838 [root] INFO: Monitor successfully loaded in process with pid 884.
2018-07-04 07:01:25,854 [root] DEBUG: (884) NtCreateThreadEx: Initialising breakpoints for thread 2032.
2018-07-04 07:01:25,854 [root] INFO: Disabling sleep skipping.
2018-07-04 07:01:28,474 [root] DEBUG: (884) GetCursorPos hook: Ursnif payload marker detected - calling GetHookCallerBase.
2018-07-04 07:01:28,474 [root] DEBUG: (884) GetReturnAddress: operate_on_backtrace call with Ebp 0x18d950.
2018-07-04 07:01:28,474 [root] DEBUG: (884) GetHookCallerBase: thread 1332 (handle 0x178), return address 0x00000202, allocation base 0x00000000.
2018-07-04 07:01:36,118 [root] DEBUG: (884) CreateThread: Initialising breakpoints for thread 1468.
2018-07-04 07:01:36,118 [root] DEBUG: (884) CreateThread: Initialising breakpoints for thread 1368.
2018-07-04 07:01:43,436 [root] DEBUG: (884) CreateThread: Initialising breakpoints for thread 1308.
2018-07-04 07:01:48,941 [root] INFO: Announced 64-bit process name: control.exe pid: 664
2018-07-04 07:01:48,941 [lib.api.process] INFO: DLL to inject is dll\mCWqWsxn.dll
2018-07-04 07:01:48,941 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-07-04 07:01:48,941 [lib.api.process] INFO: Option 'exclude-apis' with value 'NtCreateFile:NtWriteFile:NtDeleteFile:NtQueryInformationFile' sent to monitor
2018-07-04 07:01:48,941 [lib.api.process] INFO: Option 'bp0' with value '126708' sent to monitor
2018-07-04 07:01:48,941 [lib.api.process] INFO: Option 'bp1' with value '170194' sent to monitor
2018-07-04 07:01:48,941 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 664
2018-07-04 07:01:48,957 [root] DEBUG: (0) bp0 set to 0x1eef4
2018-07-04 07:01:48,957 [root] DEBUG: (0) bp1 set to 0x298d2
2018-07-04 07:01:48,957 [root] INFO: Disabling sleep skipping.
2018-07-04 07:01:48,989 [root] DEBUG: (664) CAPE initialised: 64-bit Ursnif package. Loaded at 0x0000000073190000
2018-07-04 07:01:48,989 [root] INFO: Added new process to list with pid: 664
2018-07-04 07:01:48,989 [root] INFO: Monitor successfully loaded in process with pid 664.
2018-07-04 07:01:49,066 [root] DEBUG: (664) lstrcpynA hook: Ursnif payload marker: .bss.
2018-07-04 07:01:49,082 [root] DEBUG: (664) GetReturnAddress: operate_on_backtrace call with Rip 0x000007FEBD3D0080.
2018-07-04 07:01:49,082 [root] DEBUG: (664) GetHookCallerBase: thread 1648 (handle 0xb0), return address 0x00000000002B14FF, allocation base 0x00000000002B0000.
2018-07-04 07:01:49,082 [root] DEBUG: (664) FileOffsetToVA: Debug - VA = 0x00000000002CFAF4.
2018-07-04 07:01:49,082 [root] DEBUG: (664) SetInitialBreakpoint: FileOffsetToVA gives VA 0x00000000002CFAF4 for bp0.
2018-07-04 07:01:49,082 [root] DEBUG: (664) SetBreakpoint: About to call SetThreadBreakpoint for thread 1648.
2018-07-04 07:01:49,082 [root] DEBUG: (664) SetDebugRegister: Setting breakpoint 0 hThread=0xb0, Size=0x0, Address=0x00000000002CFAF4 and Type=0x0.
2018-07-04 07:01:49,082 [root] DEBUG: (664) SetThreadBreakpoint: Set bp 0 thread id 1648 type 0 at address 0x00000000002CFAF4, size 0 with Callback 0x731a3a40.
2018-07-04 07:01:49,082 [root] DEBUG: (664) SetInitialBreakpoint: Breakpoint 0 set on config parsing function at 0x00000000002CFAF4
2018-07-04 07:01:49,082 [root] DEBUG: (664) FileOffsetToVA: Debug - VA = 0x00000000002DA4D2.
2018-07-04 07:01:49,082 [root] DEBUG: (664) SetInitialBreakpoint: FileOffsetToVA gives VA 0x00000000002DA4D2 for bp1.
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4d2 (02) 33c6                     XOR EAX, ESI
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4d4 (02) ffc7                     INC EDI
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4d6 (04) 4983c204                 ADD R10, 0x4
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4da (02) 33c3                     XOR EAX, EBX
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4dc (02) 8bf1                     MOV ESI, ECX
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4de (02) 8bcf                     MOV ECX, EDI
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4e0 (02) d3c8                     ROR EAX, CL
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4e2 (02) 8902                     MOV [RDX], EAX
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4e4 (04) 4883c204                 ADD RDX, 0x4
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4e8 (04) 4183c3ff                 ADD R11D, -0x1
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4ec (02) 75d0                     JNZ 0xffffffffffffffec
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4ee (03) 4585c9                   TEST R9D, R9D
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4f1 (02) 751a                     JNZ 0x3b
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4f3 (04) 4183e003                 AND R8D, 0x3
2018-07-04 07:01:49,082 [root] DEBUG: (664) 00000000002da4f7 (02) 7414                     JZ 0x3b
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002da4f9 (03) 4c2bd2                   SUB R10, RDX
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002da4fc (02) 8ac3                     MOV AL, BL
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002da4fe (04) 41320412                 XOR AL, [R10+RDX]
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002da502 (02) 8802                     MOV [RDX], AL
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002da504 (03) 48ffc2                   INC RDX
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002da507 (04) 4183c0ff                 ADD R8D, -0x1
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002da50b (02) 75ef                     JNZ 0x2a
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002da50d (05) 488b5c2408               MOV RBX, [RSP+0x8]
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002da512 (05) 488b742410               MOV RSI, [RSP+0x10]
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002da517 (05) 488b7c2418               MOV RDI, [RSP+0x18]
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002da51c (01) c3                       RET
2018-07-04 07:01:49,098 [root] DEBUG: (664) SetBreakpoint: About to call SetThreadBreakpoint for thread 1648.
2018-07-04 07:01:49,098 [root] DEBUG: (664) SetDebugRegister: Setting breakpoint 2 hThread=0xb0, Size=0x0, Address=0x00000000002DA51C and Type=0x0.
2018-07-04 07:01:49,098 [root] DEBUG: (664) SetThreadBreakpoint: Set bp 2 thread id 1648 type 0 at address 0x00000000002DA51C, size 0 with Callback 0x731a3980.
2018-07-04 07:01:49,098 [root] DEBUG: (664) SetInitialBreakpoint: Breakpoint 2 set on ret instruction at 0x00000000002DA4D2 (delta 0x4a).
2018-07-04 07:01:49,098 [root] DEBUG: (664) CAPEExceptionFilter: breakpoint hit by instruction at 0x00000000002DA51C
2018-07-04 07:01:49,098 [root] DEBUG: (664) BreakpointCallback: Breakpoint 2 Size=0x0 and Address=0x00000000002DA51C.
2018-07-04 07:01:49,098 [root] DEBUG: (664) ContextClearBreakpoint: Clearing breakpoint 2
2018-07-04 07:01:49,098 [root] DEBUG: (664) ContextClearBreakpoint: SetThreadContext success.
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002b1590 (04) 448b5e0c                 MOV R11D, [RSI+0xc]
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002b1594 (07) 488d0515bb0300           LEA RAX, [RIP+0x3bb15]
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002b159b (03) 498bcc                   MOV RCX, R12
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002b159e (03) 492bcb                   SUB RCX, R11
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002b15a1 (03) 482bcd                   SUB RCX, RBP
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002b15a4 (03) 4803c8                   ADD RCX, RAX
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002b15a7 (03) 8b4104                   MOV EAX, [RCX+0x4]
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002b15aa (03) 2b410c                   SUB EAX, [RCX+0xc]
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002b15ad (02) 0301                     ADD EAX, [RCX]
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002b15af (06) 89053b870300             MOV [RIP+0x3873b], EAX
2018-07-04 07:01:49,098 [root] DEBUG: (664) 00000000002b15b5 (05) 3d706e6c73               CMP EAX, 0x736c6e70
2018-07-04 07:01:49,114 [root] DEBUG: (664) Trace: Comparison detected: RAX (0x736c6e70) vs 0x736c6e70.
2018-07-04 07:01:49,114 [root] DEBUG: (664) 00000000002b15ba (02) 7512                     JNZ 0x14
2018-07-04 07:01:49,114 [root] DEBUG: (664) 00000000002b15bc (04) 448b4610                 MOV R8D, [RSI+0x10]
2018-07-04 07:01:49,114 [root] DEBUG: (664) 00000000002b15c0 (04) 498d0c2b                 LEA RCX, [R11+RBP]
2018-07-04 07:01:49,114 [root] DEBUG: (664) 00000000002b15c4 (03) 498bd4                   MOV RDX, R12
2018-07-04 07:01:49,114 [root] DEBUG: (664) 00000000002b15c7 (05) e8a2800200               CALL 0x280a7
2018-07-04 07:01:49,114 [root] DEBUG: (664) ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x00000000002B15CC and Type=0x0.
2018-07-04 07:01:49,114 [root] DEBUG: (664) ContextSetDebugRegister: SetThreadContext success.
2018-07-04 07:01:49,114 [root] DEBUG: (664) ContextSetThreadBreakpoint: Call to ContextSetDebugRegister succeeded.
2018-07-04 07:01:49,114 [root] DEBUG: (664) Trace: Breakpoint 1 set on return address 0x00000000002B15CC
2018-07-04 07:01:49,114 [root] DEBUG: (664) CAPEExceptionFilter: breakpoint hit by instruction at 0x00000000002B15CC
2018-07-04 07:01:49,114 [root] DEBUG: (664) DumpCallback: Breakpoint 1 Size=0x0 and Address=0x00000000002B15CC.
2018-07-04 07:01:49,114 [root] DEBUG: (664) DumpCallback: Break on return from copy, dumping module.
2018-07-04 07:01:49,114 [root] DEBUG: (664) DumpProcess: Instantiating PeParser with address: 0x00000000002B0000.
2018-07-04 07:01:49,114 [root] DEBUG: (664) DumpProcess: Module entry point VA is 0x0000000000001820.
2018-07-04 07:01:49,130 [root] INFO: Added new CAPE file to list with path: C:\kpalbivkhd\CAPE\664_880289540494164372018
2018-07-04 07:01:49,130 [root] DEBUG: (664) DumpProcess: Module image dump success - dump size 0x3b200.
2018-07-04 07:01:49,130 [root] DEBUG: (664) DumpCallback: Succssfully dumped module.
2018-07-04 07:01:49,130 [root] DEBUG: (664) ContextClearBreakpoint: Clearing breakpoint 1
2018-07-04 07:01:49,130 [root] DEBUG: (664) ContextClearBreakpoint: SetThreadContext success.
2018-07-04 07:01:49,130 [root] DEBUG: (664) CAPEExceptionFilter: Stepping over execution breakpoint to: 0x2b15d3
2018-07-04 07:01:49,130 [root] DEBUG: (664) NtCreateThreadEx: Initialising breakpoints for thread 992.
2018-07-04 07:01:49,130 [root] DEBUG: (664) SetDebugRegister: Setting breakpoint 0 hThread=0xf8, Size=0x0, Address=0x00000000002CFAF4 and Type=0x0.
2018-07-04 07:01:49,130 [root] DEBUG: (664) SetThreadBreakpoint: Set bp 0 thread id 992 type 0 at address 0x00000000002CFAF4, size 0 with Callback 0x731a3a40.
2018-07-04 07:01:49,161 [root] INFO: Notified of termination of process with pid 884.
2018-07-04 07:01:49,161 [root] DEBUG: (664) CAPEExceptionFilter: breakpoint hit by instruction at 0x00000000002CFAF4
2018-07-04 07:01:49,161 [root] DEBUG: (664) ConfigCallback: Breakpoint 0 Size=0x0 and Address=0x00000000002CFAF4.
2018-07-04 07:01:49,161 [root] DEBUG: (664) ConfigCallback: Config location set to: 0x000000000379C010.
2018-07-04 07:01:49,161 [root] DEBUG: (664) DumpMemory: CAPE output file successfully created: C:\kpalbivkhd\CAPE\664_29522325294264372018
2018-07-04 07:01:49,161 [root] INFO: Added new CAPE file to list with path: C:\kpalbivkhd\CAPE\664_29522325294264372018
2018-07-04 07:01:49,176 [root] DEBUG: (664) ConfigCallback: Dumped config region at 0x000000000379C010 size 0x303.
2018-07-04 07:01:49,176 [root] DEBUG: (664) ContextClearBreakpoint: Clearing breakpoint 0
2018-07-04 07:01:49,176 [root] DEBUG: (664) ContextClearBreakpoint: SetThreadContext success.
2018-07-04 07:01:49,191 [root] DEBUG: (664) CAPEExceptionFilter: Stepping over execution breakpoint to: 0x2cfaf7
2018-07-04 07:01:49,207 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2018-07-04 07:01:49,207 [lib.api.process] INFO: DLL to inject is dll\mCWqWsxn.dll
2018-07-04 07:01:49,207 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-07-04 07:01:49,207 [lib.api.process] INFO: Option 'exclude-apis' with value 'NtCreateFile:NtWriteFile:NtDeleteFile:NtQueryInformationFile' sent to monitor
2018-07-04 07:01:49,207 [lib.api.process] INFO: Option 'bp0' with value '126708' sent to monitor
2018-07-04 07:01:49,207 [lib.api.process] INFO: Option 'bp1' with value '170194' sent to monitor
2018-07-04 07:01:49,207 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1632
2018-07-04 07:01:49,239 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2018-07-04 07:01:49,239 [lib.api.process] INFO: DLL to inject is dll\mCWqWsxn.dll
2018-07-04 07:01:49,239 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2018-07-04 07:01:49,239 [lib.api.process] INFO: Option 'exclude-apis' with value 'NtCreateFile:NtWriteFile:NtDeleteFile:NtQueryInformationFile' sent to monitor
2018-07-04 07:01:49,239 [lib.api.process] INFO: Option 'bp0' with value '126708' sent to monitor
2018-07-04 07:01:49,239 [lib.api.process] INFO: Option 'bp1' with value '170194' sent to monitor
2018-07-04 07:01:49,253 [root] DEBUG: (0) bp0 set to 0x1eef4
2018-07-04 07:01:49,253 [root] DEBUG: (0) bp1 set to 0x298d2
2018-07-04 07:01:49,269 [root] INFO: Disabling sleep skipping.
2018-07-04 07:01:49,332 [root] DEBUG: (1632) CAPE initialised: 64-bit Ursnif package. Loaded at 0x0000000073190000
2018-07-04 07:01:49,332 [root] INFO: Added new process to list with pid: 1632
2018-07-04 07:01:49,332 [root] INFO: Monitor successfully loaded in process with pid 1632.
2018-07-04 07:01:49,846 [root] INFO: Process with pid 884 has terminated
2018-07-04 07:01:49,878 [root] DEBUG: (1632) GetCursorPos hook: Ursnif payload marker detected - calling GetHookCallerBase.
2018-07-04 07:01:49,878 [root] DEBUG: (1632) GetReturnAddress: operate_on_backtrace call with Rip 0x0000000037130080.
2018-07-04 07:01:49,878 [root] DEBUG: (1632) GetHookCallerBase: thread 1636 (handle 0x0), return address 0x000007FEFD755EC6, allocation base 0x000007FEFD560000.
2018-07-04 07:01:49,878 [root] DEBUG: (1632) FileOffsetToVA: Debug - VA = 0x000007FEFD57F6F4.
2018-07-04 07:01:49,878 [root] DEBUG: (1632) SetInitialBreakpoint: FileOffsetToVA gives VA 0x000007FEFD57F6F4 for bp0.
2018-07-04 07:01:49,894 [root] DEBUG: (1632) SetInitialBreakpoint: Not within Ursnif payload - bailing.
2018-07-04 07:05:13,022 [root] INFO: Analysis timeout hit, terminating analysis.
2018-07-04 07:05:13,038 [root] INFO: Created shutdown mutex.
2018-07-04 07:05:14,332 [root] INFO: Shutting down package.
2018-07-04 07:05:14,348 [root] INFO: Stopping auxiliary modules.
2018-07-04 07:05:26,328 [root] INFO: Terminating remaining processes before shutdown.
2018-07-04 07:05:26,328 [lib.api.process] INFO: Successfully terminated process with pid 664.
2018-07-04 07:05:26,328 [lib.api.process] INFO: Successfully terminated process with pid 1632.
2018-07-04 07:05:26,328 [root] INFO: Finishing auxiliary modules.
2018-07-04 07:05:26,328 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -7
2018-07-04 07:05:26,328 [root] INFO: Shutting down pipe server and dumping dropped files.
2018-07-04 07:05:26,328 [root] INFO: Analysis completed.

MalScore

9.5

Malicious

Machine

Name: target-01
Label: target-01
Manager: ESX
Started On: 2018-07-04 06:01:23
Shutdown On: 2018-07-04 06:05:39

File Details

File Name 032901.bin
File Size 445440 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 f3c6625d8ede3fe6c8c4023337d761ac
SHA1 968e0e2a3e224f34d22dc3c52d54747ac28911b4
SHA256 a93182cdcde8030cac64378da0406c7f628486ec1cf41b6e49cf5a551c0ab837
SHA512 8dfd02809ca3b84671cac11533b8eb4545654bf140cae907c20256269f4ad288052af0d5a19857ed8b2aef9748530352fe527c4a79ac6de44b8443840a79cd6a
CRC32 DBA8FF60
Ssdeep 12288:gO421oYvWc+hQyfqmlPX3AQLMvdPiHGWnwQECUe:n1oYjy5HA2YdKHGWKCT
TrID None matched
ClamAV None matched
Yara None matched
CAPE Yara

Signatures

CAPE detection: Executable code extraction
CAPE detection: Injection (inter-process)
CAPE detection: Injection (Process Hollowing)
Injection: 032901.bin(884) -> control.exe(664)
CAPE detection: Injection with CreateRemoteThread in a remote process
File has been identified by 6 Antiviruses on VirusTotal as malicious
Bkav: W32.eHeur.Malware14
Symantec: ML.Attribute.HighConfidence
Paloalto: generic.ml
Invincea: heuristic
Endgame: malicious (moderate confidence)
CrowdStrike: malicious_confidence_60% (D)
The binary likely contains encrypted or compressed data.
section: name: UPX1, entropy: 7.79, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0006b800, virtual_size: 0x0006c000
The executable is compressed using UPX
section: name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00020000
Deletes its original binary from disk
Executed a process and injected code into it, probably while unpacking
Injection: 032901.bin(884) -> control.exe(664)

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

\Device\KsecDD
C:\Users\user\AppData\Local\Temp\wdmaud.drv
C:\Windows\System32\wdmaud.drv
C:\DosDevices\pipe\
C:\Users\user\AppData\Local\Temp\\x02
C:\Windows\sysnative\*.dll
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs
C:\Users\user\AppData\Local\Temp\032901.bin
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\032901.bin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DRIVERS32
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave5
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave6
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave8
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave9
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi5
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi6
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi8
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi9
HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm
HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wdmaud.drv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{026e516e-b814-414b-83cd-856d6fef4822},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},0
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{026e516e-b814-414b-83cd-856d6fef4822},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},0
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Multimedia\MIDIMap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wavemapper
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midimapper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\DeviceState
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\msacm.imaadpcm
HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm\fdwSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm\cFormatTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm\aFormatTagCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm\cFilterTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\msacm.msg711
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711\fdwSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711\cFormatTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711\aFormatTagCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711\cFilterTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\msacm.msgsm610
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610\fdwSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610\cFormatTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610\aFormatTagCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610\cFilterTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\msacm.msadpcm
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm\fdwSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm\cFormatTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm\aFormatTagCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm\cFilterTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\msacm.l3acm
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm\fdwSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm\cFormatTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm\aFormatTagCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm\cFilterTags
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio Compression Manager\
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM\NoPCMConverter
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00\Priority1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\acm
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DEVICE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_USERS\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Ini
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave5
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave6
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave8
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave9
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi5
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi6
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi8
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi9
HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wdmaud.drv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{026e516e-b814-414b-83cd-856d6fef4822},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\Properties\{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{026e516e-b814-414b-83cd-856d6fef4822},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{e6a9809d-24f6-4a0a-92d6-e2c21c85cc2e}\Properties\{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wavemapper
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midimapper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{1dae6975-1479-4c78-81ea-93c3262476ea}\DeviceState
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\msacm.imaadpcm
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\msacm.msg711
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\msacm.msgsm610
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\msacm.msadpcm
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\msacm.l3acm
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM\NoPCMConverter
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00\Priority1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DEVICE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Ini
HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm\fdwSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm\cFormatTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm\aFormatTagCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm\cFilterTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711\fdwSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711\cFormatTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711\aFormatTagCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711\cFilterTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610\fdwSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610\cFormatTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610\aFormatTagCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610\cFilterTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm\fdwSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm\cFormatTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm\aFormatTagCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm\cFilterTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm\fdwSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm\cFormatTags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm\aFormatTagCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm\cFilterTags
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio Compression Manager\
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E
kernel32.dll.GetConsoleWindow
kernel32.dll.SetConsoleScreenBufferSize
kernel32.dll.SetConsoleWindowInfo
kernel32.dll.GetTimeFormatA
kernel32.dll.GetProcessTimes
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetStdHandle
kernel32.dll.WaitNamedPipeA
kernel32.dll.GetAtomNameW
kernel32.dll.GetCommandLineA
kernel32.dll.GetConsoleScreenBufferInfo
kernel32.dll.VirtualAlloc
kernel32.dll.LocalAlloc
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.CompareStringW
kernel32.dll.CreateFileW
kernel32.dll.WriteConsoleW
kernel32.dll.FlushFileBuffers
kernel32.dll.SetStdHandle
kernel32.dll.GetTimeZoneInformation
kernel32.dll.LoadLibraryW
kernel32.dll.GetConsoleMode
kernel32.dll.GetConsoleCP
kernel32.dll.SetFilePointer
kernel32.dll.GetTickCount
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetFileType
kernel32.dll.SetHandleCount
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.LocalFree
kernel32.dll.LCMapStringW
kernel32.dll.Sleep
kernel32.dll.ExitProcess
kernel32.dll.HeapCreate
kernel32.dll.GetStringTypeW
kernel32.dll.GetModuleFileNameW
kernel32.dll.TlsFree
kernel32.dll.TlsSetValue
kernel32.dll.TlsGetValue
kernel32.dll.TlsAlloc
kernel32.dll.IsValidCodePage
kernel32.dll.GetOEMCP
kernel32.dll.GetACP
kernel32.dll.GetCPInfo
kernel32.dll.HeapSize
kernel32.dll.HeapReAlloc
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.TerminateProcess
kernel32.dll.GetStartupInfoW
kernel32.dll.HeapSetInformation
kernel32.dll.RtlUnwind
kernel32.dll.VirtualQuery
kernel32.dll.GetSystemInfo
kernel32.dll.VirtualProtect
kernel32.dll.InterlockedPopEntrySList
kernel32.dll.VirtualFree
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.HeapAlloc
kernel32.dll.GetProcessHeap
kernel32.dll.HeapFree
kernel32.dll.InterlockedPushEntrySList
kernel32.dll.InterlockedCompareExchange
kernel32.dll.SetNamedPipeHandleState
kernel32.dll.WriteFile
kernel32.dll.BackupWrite
kernel32.dll.GetProfileStringA
kernel32.dll.FindResourceExA
kernel32.dll.LockResource
kernel32.dll.UpdateResourceA
kernel32.dll.FreeResource
kernel32.dll.EnumResourceTypesA
kernel32.dll.GetCurrentProcessId
kernel32.dll.LoadLibraryExA
kernel32.dll.FindResourceA
kernel32.dll.LoadResource
kernel32.dll.SizeofResource
kernel32.dll.FreeLibrary
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.MulDiv
kernel32.dll.lstrcmpA
kernel32.dll.SetEvent
kernel32.dll.IsDBCSLeadByte
kernel32.dll.GetModuleHandleW
kernel32.dll.GetModuleFileNameA
kernel32.dll.CreateFileA
kernel32.dll.ReadFile
kernel32.dll.CreateIoCompletionPort
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.FormatMessageA
kernel32.dll.GlobalAlloc
kernel32.dll.DeviceIoControl
kernel32.dll.CreateEventA
kernel32.dll.WaitForSingleObject
kernel32.dll.CloseHandle
kernel32.dll.lstrcmpiA
kernel32.dll.GetModuleHandleA
kernel32.dll.GetProcAddress
kernel32.dll.DeleteCriticalSection
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.GetLastError
kernel32.dll.lstrlenW
kernel32.dll.WideCharToMultiByte
kernel32.dll.OutputDebugStringA
kernel32.dll.InterlockedIncrement
kernel32.dll.GetFullPathNameA
kernel32.dll.lstrlenA
kernel32.dll.InterlockedDecrement
kernel32.dll.MultiByteToWideChar
kernel32.dll.SetLastError
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetCurrentProcess
kernel32.dll.FlushInstructionCache
kernel32.dll.LeaveCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.RaiseException
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegDeleteKeyA
advapi32.dll.LookupAccountNameA
advapi32.dll.ConvertStringSidToSidA
advapi32.dll.RegEnumKeyExA
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegSetValueExA
advapi32.dll.RegCloseKey
advapi32.dll.RegDeleteValueA
advapi32.dll.RegOpenKeyExA
authz.dll.AuthzInitializeContextFromSid
authz.dll.AuthzAccessCheck
avifil32.dll.AVIStreamWrite
comctl32.dll.InitCommonControlsEx
comdlg32.dll.PageSetupDlgA
comdlg32.dll.ChooseFontA
comdlg32.dll.ReplaceTextA
comdlg32.dll.PrintDlgExA
credui.dll.CredUIPromptForCredentialsW
gdi32.dll.SetBkMode
gdi32.dll.SetMapMode
gdi32.dll.LPtoDP
gdi32.dll.CreateFontIndirectA
gdi32.dll.GetObjectA
gdi32.dll.GetStockObject
gdi32.dll.CreateFontA
gdi32.dll.GetTextExtentPoint32A
gdi32.dll.SetPixelFormat
gdi32.dll.ChoosePixelFormat
gdi32.dll.SetWindowExtEx
gdi32.dll.TextOutA
gdi32.dll.SelectObject
gdi32.dll.DeleteDC
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.DeleteObject
gdi32.dll.CreateSolidBrush
gdi32.dll.CreateCompatibleDC
gdi32.dll.BitBlt
gdi32.dll.GetDeviceCaps
netapi32.dll.NetShareGetInfo
netapi32.dll.NetAuditClear
ole32.dll.OleLockRunning
ole32.dll.CoCreateInstance
ole32.dll.CoTaskMemAlloc
ole32.dll.CoInitialize
ole32.dll.CoTaskMemRealloc
ole32.dll.OleInitialize
ole32.dll.CreateStreamOnHGlobal
ole32.dll.CLSIDFromProgID
ole32.dll.CoGetClassObject
ole32.dll.OleUninitialize
ole32.dll.StringFromGUID2
ole32.dll.CLSIDFromString
ole32.dll.CoTaskMemFree
oleaut32.dll.#161
oleaut32.dll.#2
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.#420
oleaut32.dll.#162
oleaut32.dll.#4
oleaut32.dll.#7
oleaut32.dll.#277
oleaut32.dll.#6
opengl32.dll.wglCreateContext
opengl32.dll.wglMakeCurrent
pdh.dll.PdhCollectQueryData
psapi.dll.GetProcessMemoryInfo
shell32.dll.SHGetFileInfoW
urlmon.dll.CoInternetParseUrl
user32.dll.KillTimer
user32.dll.SetWindowRgn
user32.dll.GetCursorPos
user32.dll.GetWindowTextLengthA
user32.dll.GetWindowTextA
user32.dll.SetWindowTextA
user32.dll.NotifyWinEvent
user32.dll.SetPropA
user32.dll.OemKeyScan
user32.dll.GetWindowLongA
user32.dll.GetParent
user32.dll.SetWindowPos
user32.dll.UnregisterClassA
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.SetWindowLongA
user32.dll.GetClassInfoExA
user32.dll.LoadCursorA
user32.dll.RegisterClassExA
user32.dll.PtInRect
user32.dll.GetPropW
user32.dll.DrawFrameControl
user32.dll.CreateWindowExA
user32.dll.SendMessageA
user32.dll.CharNextA
user32.dll.MessageBoxA
user32.dll.GetWindow
user32.dll.RegisterWindowMessageA
user32.dll.IsWindow
user32.dll.DefWindowProcA
user32.dll.DrawFocusRect
user32.dll.SetRect
user32.dll.SetScrollRange
user32.dll.SetTimer
user32.dll.RegisterClassExW
user32.dll.LoadIconA
user32.dll.DestroyWindow
user32.dll.LoadImageA
user32.dll.CreateAcceleratorTableA
user32.dll.GetDesktopWindow
user32.dll.SetFocus
user32.dll.GetFocus
user32.dll.DestroyAcceleratorTable
user32.dll.BeginPaint
user32.dll.EndPaint
user32.dll.CallWindowProcA
user32.dll.FillRect
user32.dll.ReleaseCapture
user32.dll.GetClassNameA
user32.dll.GetDlgItem
user32.dll.IsChild
user32.dll.SetCapture
user32.dll.RedrawWindow
user32.dll.InvalidateRgn
user32.dll.InvalidateRect
user32.dll.ReleaseDC
user32.dll.GetDC
user32.dll.ScreenToClient
user32.dll.ClientToScreen
user32.dll.MoveWindow
user32.dll.GetSysColor
uxtheme.dll.OpenThemeData
winhttp.dll.WinHttpSendRequest
winmm.dll.mmioDescend
winmm.dll.mmioClose
winmm.dll.mmioOpenA
winmm.dll.waveOutGetDevCapsA
winmm.dll.waveOutGetNumDevs
winmm.dll.waveInGetNumDevs
winmm.dll.waveOutOpen
winscard.dll.SCardEstablishContext
wldap32.dll.#143
wldap32.dll.#88
ws2_32.dll.WSASocketA
ws2_32.dll.#9
ws2_32.dll.#13
ws2_32.dll.#115
ws2_32.dll.#2
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
cryptbase.dll.SystemFunction036
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.QueryServiceConfigW
sechost.dll.CloseServiceHandle
winsta.dll.WinStationRegisterNotificationEvent
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
advapi32.dll.CreateWellKnownSid
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingSetAuthInfoExW
sechost.dll.LookupAccountNameLocalW
rpcrt4.dll.RpcAsyncInitializeHandle
rpcrt4.dll.NdrClientCall2
rpcrt4.dll.NdrAsyncClientCall
winsta.dll.WinStationIsSessionRemoteable
rpcrt4.dll.RpcBindingFree
wtsapi32.dll.WTSQuerySessionInformationW
winsta.dll.WinStationQueryInformationW
wtsapi32.dll.WTSFreeMemory
sechost.dll.QueryServiceStatus
mmdevapi.dll.#3
wdmaud.drv.DriverProc
wdmaud.drv.modMessage
wdmaud.drv.midMessage
wdmaud.drv.wodMessage
mmdevapi.dll.DllGetClassObject
ole32.dll.CoCreateFreeThreadedMarshaler
setupapi.dll.SetupDiCreateDeviceInfoList
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegCloseKey
wdmaud.drv.mxdMessage
shlwapi.dll.#487
ole32.dll.PropVariantClear
setupapi.dll.SetupDiOpenDeviceInfoW
setupapi.dll.SetupDiGetDeviceInstanceIdW
setupapi.dll.SetupDiGetDevicePropertyW
shlwapi.dll.SHStrDupW
audioses.dll.DllGetClassObject
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
wdmaud.drv.widMessage
msacm32.drv.DriverProc
msacm32.drv.wodMessage
msacm32.drv.widMessage
midimap.dll.DriverProc
midimap.dll.modMessage
imaadp32.acm.DriverProc
msg711.acm.DriverProc
msgsm32.acm.DriverProc
msadp32.acm.DriverProc
l3codeca.acm.DriverProc
opengl32.dll.wglChoosePixelFormat
opengl32.dll.wglSetPixelFormat
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
kernel32.dll.ExitThread
kernel32.dll.CreateMailslotA
kernel32.dll.TerminateThread
kernel32.dll.LoadLibraryA
kernel32.dll.GetExitCodeThread
kernel32.dll.CreateThread
ntdll.dll.memcpy
ntdll.dll.memset
ntdll.dll.ZwOpenProcess
ntdll.dll.NtCreateSection
ntdll.dll.ZwClose
ntdll.dll.RtlNtStatusToDosError
ntdll.dll.NtUnmapViewOfSection
ntdll.dll.NtMapViewOfSection
ntdll.dll.NtQuerySystemInformation
ntdll.dll.ZwQueryInformationProcess
ntdll.dll.mbstowcs
ntdll.dll.RtlFreeUnicodeString
ntdll.dll.RtlUpcaseUnicodeString
ntdll.dll.ZwOpenProcessToken
ntdll.dll.ZwQueryInformationToken
ntdll.dll.RtlUnwind
ntdll.dll.NtQueryVirtualMemory
shlwapi.dll.PathCombineW
shlwapi.dll.PathFindExtensionA
shlwapi.dll.PathFindExtensionW
shlwapi.dll.StrChrA
shlwapi.dll.StrRChrA
shlwapi.dll.PathFindFileNameW
shlwapi.dll.StrStrIW
kernel32.dll.ResetEvent
kernel32.dll.CreateFileMappingW
kernel32.dll.lstrcmpiW
kernel32.dll.lstrcatW
kernel32.dll.DeleteFileW
kernel32.dll.CreateWaitableTimerA
kernel32.dll.MoveFileExW
kernel32.dll.SetWaitableTimer
kernel32.dll.MapViewOfFile
kernel32.dll.GetFileSize
kernel32.dll.HeapDestroy
kernel32.dll.SleepEx
kernel32.dll.CreateProcessA
kernel32.dll.GetTempPathA
kernel32.dll.GetTempFileNameA
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.lstrcpynA
kernel32.dll.GetFileTime
kernel32.dll.FindNextFileA
kernel32.dll.FindClose
kernel32.dll.FindFirstFileA
kernel32.dll.CompareFileTime
kernel32.dll.OpenProcess
kernel32.dll.VirtualProtectEx
kernel32.dll.SuspendThread
kernel32.dll.ResumeThread
kernel32.dll.lstrcpyA
kernel32.dll.GetLongPathNameW
kernel32.dll.GetVersion
kernel32.dll.lstrcatA
kernel32.dll.SetEndOfFile
kernel32.dll.CreateDirectoryW
kernel32.dll.lstrcpyW
kernel32.dll.Wow64EnableWow64FsRedirection
kernel32.dll.IsWow64Process
user32.dll.wsprintfW
user32.dll.wsprintfA
advapi32.dll.OpenProcessToken
advapi32.dll.RegDeleteValueW
advapi32.dll.RegOpenKeyW
advapi32.dll.GetTokenInformation
advapi32.dll.GetSidSubAuthorityCount
advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorA
advapi32.dll.RegQueryValueExA
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCreateKeyA
advapi32.dll.RegOpenKeyA
advapi32.dll.GetSidSubAuthority
shell32.dll.ShellExecuteExW
ole32.dll.CoUninitialize
ole32.dll.CoInitializeEx
ole32.dll.CoRevokeInitializeSpy
comctl32.dll.#388
oleaut32.dll.#500
user32.dll.FindWindowA
user32.dll.GetWindowThreadProcessId
ntdll.dll.ZwWow64QueryInformationProcess64
ntdll.dll.ZwWow64ReadVirtualMemory64
setupapi.dll.SetupDiDestroyDeviceInfoList
wintrust.dll.WinVerifyTrust
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
ntdll.dll.sprintf
ntdll.dll.strcpy
ntdll.dll._wcsupr
ntdll.dll._strupr
ntdll.dll.memmove
ntdll.dll.wcscpy
ntdll.dll.ZwQueryKey
ntdll.dll.wcstombs
ntdll.dll.RtlImageNtHeader
ntdll.dll.RtlAdjustPrivilege
ntdll.dll._snprintf
ntdll.dll.__C_specific_handler
ntdll.dll.__chkstk
kernel32.dll.OpenFileMappingA
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.QueueUserWorkItem
kernel32.dll.GetLocalTime
kernel32.dll.FileTimeToSystemTime
kernel32.dll.CreateDirectoryA
kernel32.dll.RemoveDirectoryA
kernel32.dll.DeleteFileA
kernel32.dll.GetCurrentThread
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.CopyFileW
kernel32.dll.DuplicateHandle
kernel32.dll.SwitchToThread
kernel32.dll.UnmapViewOfFile
kernel32.dll.OpenWaitableTimerA
kernel32.dll.OpenMutexA
kernel32.dll.WaitForMultipleObjects
kernel32.dll.CreateMutexA
kernel32.dll.ReleaseMutex
kernel32.dll.GetVersionExA
kernel32.dll.InitializeCriticalSection
kernel32.dll.UnregisterWait
kernel32.dll.LoadLibraryExW
kernel32.dll.RegisterWaitForSingleObject
kernel32.dll.GetDriveTypeW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.GetExitCodeProcess
kernel32.dll.CreateFileMappingA
kernel32.dll.Thread32First
kernel32.dll.Thread32Next
kernel32.dll.QueueUserAPC
kernel32.dll.OpenThread
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.CallNamedPipeA
kernel32.dll.ConnectNamedPipe
kernel32.dll.GetOverlappedResult
kernel32.dll.DisconnectNamedPipe
kernel32.dll.CreateNamedPipeA
kernel32.dll.CancelIo
kernel32.dll.GetSystemTime
kernel32.dll.RemoveVectoredExceptionHandler
kernel32.dll.AddVectoredExceptionHandler
kernel32.dll.OpenEventA
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.RemoveDirectoryW
kernel32.dll.FindNextFileW
kernel32.dll.GetFileAttributesW
kernel32.dll.SetFilePointerEx
kernel32.dll.FindFirstFileW
kernel32.dll.GetComputerNameW
advapi32.dll.GetUserNameA
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
psapi.dll.EnumProcessModules
shlwapi.dll.StrToIntExA
shlwapi.dll.StrTrimA
user32.dll.GetShellWindow
ntdll.dll.RtlExitUserThread
kernel32.dll.CreateRemoteThread
C:\Windows\system32\control.exe /?
{9CE99508-4BF8-2E71-B590-AF42B9C45396}

PE Information

Image Base 0x00400000
Entry Point 0x0048c410
Reported Checksum 0x00000000
Actual Checksum 0x0007057e
Minimum OS Version 5.1
Compile Time 2018-07-03 17:53:24
Import Hash 09c343522024405bb05d29c340283597
Icon
Icon Exact Hash 6beede98b2cf830bb39bc6ec89a011c4
Icon Similarity Hash 7911b80b08ff8cb491435dc56b4e5aa5

Version Infos

LegalCopyright Copyright (C) 2018
InternalName template.exe
FileVersion 1.0.0.1
CompanyName TODO: <Company name>
ProductName TODO: <Product name>
ProductVersion 1.0.0.1
FileDescription TODO: <File description>
OriginalFilename template.exe
Translation 0x0409 0x04b0

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
UPX0 0x00001000 0x00020000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
UPX1 0x00021000 0x0006c000 0x0006b800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.79
.rsrc 0x0008d000 0x00001000 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.47

Resources

Name Offset Size Language Sub-language Entropy File type
RCDATA 0x00059148 0x000291ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.73 data
RT_ICON 0x0008d318 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.00 data
RT_GROUP_ICON 0x0008d604 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.37 MS Windows icon resource - 2 icons, 16x16, 16-colors
RT_VERSION 0x0008d62c 0x00000300 LANG_ENGLISH SUBLANG_ENGLISH_US 3.36 data
RT_MANIFEST 0x0008d930 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 4.80 ASCII text, with CRLF line terminators

Imports

Library KERNEL32.DLL:
0x48dc6c LoadLibraryA
0x48dc70 GetProcAddress
0x48dc74 VirtualProtect
0x48dc78 VirtualAlloc
0x48dc7c VirtualFree
0x48dc80 ExitProcess
Library ADVAPI32.dll:
0x48dc88 RegCloseKey
Library AUTHZ.dll:
0x48dc90 AuthzAccessCheck
Library AVIFIL32.dll:
0x48dc98 AVIStreamWrite
Library COMCTL32.dll:
Library COMDLG32.dll:
0x48dca8 ChooseFontA
Library credui.dll:
Library GDI32.dll:
0x48dcb8 LPtoDP
Library NETAPI32.dll:
0x48dcc0 NetAuditClear
Library ole32.dll:
0x48dcc8 CoInitialize
Library OLEAUT32.dll:
0x48dcd0 SysFreeString
Library OPENGL32.dll:
0x48dcd8 wglMakeCurrent
Library pdh.dll:
0x48dce0 PdhCollectQueryData
Library PSAPI.DLL:
Library SHELL32.dll:
0x48dcf0 SHGetFileInfoW
Library urlmon.dll:
0x48dcf8 CoInternetParseUrl
Library USER32.dll:
0x48dd00 GetDC
Library UxTheme.dll:
0x48dd08 OpenThemeData
Library WINHTTP.dll:
0x48dd10 WinHttpSendRequest
Library WINMM.dll:
0x48dd18 mmioClose
Library WinSCard.dll:
Library WLDAP32.dll:
0x48dd28 None
Library WS2_32.dll:
0x48dd30 bind

.rsrc
KERNEL32.DLL
ADVAPI32.dll
AUTHZ.dll
AVIFIL32.dll
COMCTL32.dll
COMDLG32.dll
credui.dll
GDI32.dll
NETAPI32.dll
ole32.dll
OLEAUT32.dll
OPENGL32.dll
pdh.dll
PSAPI.DLL
SHELL32.dll
urlmon.dll
USER32.dll
UxTheme.dll
WINHTTP.dll
WINMM.dll
WinSCard.dll
WLDAP32.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegCloseKey
AuthzAccessCheck
AVIStreamWrite
InitCommonControlsEx
ChooseFontA
CredUIPromptForCredentialsW
LPtoDP
NetAuditClear
CoInitialize
wglMakeCurrent
PdhCollectQueryData
GetProcessMemoryInfo
SHGetFileInfoW
CoInternetParseUrl
GetDC
OpenThemeData
WinHttpSendRequest
mmioClose
SCardEstablishContext
RCDATA
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
TODO: <Company name>
FileDescription
TODO: <File description>
FileVersion
1.0.0.1
InternalName
template.exe
LegalCopyright
Copyright (C) 2018
OriginalFilename
template.exe
ProductName
TODO: <Product name>
ProductVersion
1.0.0.1
VarFileInfo
Translation

Full Results

VirusTotal Signature
Bkav W32.eHeur.Malware14
TotalDefense Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
ALYac Clean
Malwarebytes Clean
Zillya Clean
TheHacker Clean
K7GW Clean
K7AntiVirus Clean
Baidu Clean
NANO-Antivirus Clean
Cyren Clean
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Clean
Paloalto generic.ml
ClamAV Clean
Kaspersky Clean
BitDefender Clean
Babable Clean
ViRobot Clean
SUPERAntiSpyware Clean
Ad-Aware Clean
Emsisoft Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
Invincea heuristic
McAfee-GW-Edition Clean
Fortinet Clean
Sophos Clean
Ikarus Clean
F-Prot Clean
Jiangmin Clean
Avira Clean
MAX Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame malicious (moderate confidence)
Arcabit Clean
AegisLab Clean
ZoneAlarm Clean
Avast-Mobile Clean
Microsoft Clean
AhnLab-V3 Clean
McAfee Clean
AVware Clean
TACHYON Clean
VBA32 Clean
Panda Clean
Zoner Clean
Tencent Clean
Yandex Clean
SentinelOne Clean
eGambit Clean
GData Clean
AVG Clean
Cybereason Clean
Avast Clean
CrowdStrike malicious_confidence_60% (D)
Qihoo-360 Clean

Process Tree


032901.bin, PID: 884, Parent PID: 1756
Full Path: C:\Users\user\AppData\Local\Temp\032901.bin
Command Line: "C:\Users\user\AppData\Local\Temp\032901.bin"
control.exe, PID: 664, Parent PID: 884
Full Path: C:\Windows\sysnative\control.exe
Command Line: C:\Windows\system32\control.exe /?
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.
Sorry! No dropped files.
Type Ursnif Config
Config Fail Timeout 360
Send Timeout 300
Knocker Timeout 100
DGA Season 10
Botnet ID 20187
DGA TLDs ru
IP Service curlmyip.net
BC Timeout 10
Timer 3
Server 12
64-bit DLL URLs
  • pingdns.xyz/images/2.png
  • file://c:\test\tor64.dll
Encryption key s4Sc9mDb35Ayj8oO
Config Timeout 30
DGA CRC 0x4eb7d2ca
Domains kp.reslifefurniture.com
DGA Base URL constitution.org/usdeclar.txt
Task Timeout 150
TOR Domains iod5tem372udbzu2.onion
32-bit DLL URLs
  • pingdns.xyz/images/1.png
  • file://c:\test\test32.dll
Type Ursnif Payload
Size 242176 bytes
Process control.exe
PID 664
Path C:\Windows\sysnative\control.exe
MD5 e2dbfc2cfdb0762f78ad0ee6b8899b29
SHA1 4e32bddc9985951a11388ac684bef21a782033af
SHA256 c3fb19c7ab2232f988b75b3c4a940f716617e0d13c31f649bf84245a22c2d58a
CRC32 2A269386
Ssdeep 6144:PsckcEhquXtdL6kNyJ3uHojgguvlw0CWa:Psc2hqsL6kNy0HojgguvrZa
Yara None matched
CAPE Yara
  • Ursnif
  • Ursnif Payload
Type UPX-extracted 32-bit executable
Size 535552 bytes
MD5 2d100b70e0c7d376691a6a16e427597c
SHA1 ac8dfe77ffd232afb7b0c5e2f3d64c20518df3c4
SHA256 69059b4210b1ddeba2c0c8571c9362584799c8ce15f19fc6805d5f9bcb4bd97b
CRC32 17742932
Ssdeep 12288:u7YTPrufuAy4PvQVpHQNhNQuY4hQ+gZPAqNdV:u7Cuffv0iSCQ9ZPA4
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.


Processing ( 1.535 seconds )

  • 0.685 BehaviorAnalysis
  • 0.42 VirusTotal
  • 0.241 Static
  • 0.13 CAPE
  • 0.027 Strings
  • 0.021 TargetInfo
  • 0.006 AnalysisInfo
  • 0.002 NetworkAnalysis
  • 0.002 config_decoder
  • 0.001 Debug

Signatures ( 0.272 seconds )

  • 0.029 stealth_timeout
  • 0.022 injection_createremotethread
  • 0.022 InjectionCreateRemoteThread
  • 0.021 Doppelganging
  • 0.02 decoy_document
  • 0.019 api_spamming
  • 0.016 InjectionProcessHollowing
  • 0.016 injection_runpe
  • 0.015 antiav_detectreg
  • 0.01 injection_explorer
  • 0.008 InjectionInterProcess
  • 0.006 infostealer_ftp
  • 0.005 antiemu_wine_func
  • 0.004 infostealer_browser_password
  • 0.004 persistence_autorun
  • 0.004 kovter_behavior
  • 0.004 ransomware_files
  • 0.003 antianalysis_detectreg
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 infostealer_mail
  • 0.003 ransomware_extensions
  • 0.002 stack_pivot
  • 0.002 antivm_generic_disk
  • 0.002 browser_security
  • 0.002 disables_browser_warn
  • 0.002 infostealer_bitcoin
  • 0.001 tinba_behavior
  • 0.001 bootkit
  • 0.001 rat_nanocore
  • 0.001 recon_programs
  • 0.001 antisandbox_sleep
  • 0.001 betabot_behavior
  • 0.001 mimics_filetime
  • 0.001 stealth_file
  • 0.001 antivm_vbox_libs
  • 0.001 antivm_generic_scsi
  • 0.001 reads_self
  • 0.001 cerber_behavior
  • 0.001 virus
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 modify_proxy

Reporting ( 0.08 seconds )

  • 0.08 CompressResults
Task ID 11963
Mongo ID 5b3c63bade96421d18c515bd
Cuckoo release 1.3-CAPE