Analysis

Category: FILE
Package: Extraction
Started: 2020-03-24 02:46:53
Completed: 2020-03-24 02:47:31
Duration: 38 seconds
route = internet
procdump = 0
2020-03-24 02:46:54,000 [root] INFO: Date set to: 03-24-20, time set to: 02:46:54, timeout set to: 200
2020-03-24 02:46:54,015 [root] DEBUG: Starting analyzer from: C:\wkhpek
2020-03-24 02:46:54,015 [root] DEBUG: Storing results at: C:\JUCvQWpIIW
2020-03-24 02:46:54,015 [root] DEBUG: Pipe server name: \\.\PIPE\cdvSoyk
2020-03-24 02:46:54,015 [root] INFO: Analysis package "Extraction" has been specified.
2020-03-24 02:46:54,421 [root] DEBUG: Started auxiliary module Browser
2020-03-24 02:46:54,421 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 02:46:54,421 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 02:46:54,733 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 02:46:54,733 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 02:46:54,733 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 02:46:54,747 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 02:46:54,747 [root] DEBUG: Started auxiliary module Human
2020-03-24 02:46:54,747 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 02:46:54,747 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 02:46:54,747 [root] DEBUG: Started auxiliary module Usage
2020-03-24 02:46:54,747 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2020-03-24 02:46:54,747 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2020-03-24 02:46:54,747 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\ezKxNfXW.tmp.exe" with arguments "" with pid 420
2020-03-24 02:46:54,747 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 02:46:54,747 [lib.api.process] INFO: 32-bit DLL to inject is C:\wkhpek\dll\MyfjwmEp.dll, loader C:\wkhpek\bin\lEdgDkw.exe
2020-03-24 02:46:54,779 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cdvSoyk.
2020-03-24 02:46:54,779 [root] DEBUG: Loader: Injecting process 420 (thread 264) with C:\wkhpek\dll\MyfjwmEp.dll.
2020-03-24 02:46:54,779 [root] DEBUG: Process image base: 0x00400000
2020-03-24 02:46:54,779 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wkhpek\dll\MyfjwmEp.dll.
2020-03-24 02:46:54,779 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 02:46:54,779 [root] DEBUG: Successfully injected DLL C:\wkhpek\dll\MyfjwmEp.dll.
2020-03-24 02:46:54,779 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 420
2020-03-24 02:46:56,792 [lib.api.process] INFO: Successfully resumed process with pid 420
2020-03-24 02:46:56,792 [root] INFO: Added new process to list with pid: 420
2020-03-24 02:46:56,808 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 02:46:56,808 [root] DEBUG: Process dumps disabled.
2020-03-24 02:46:56,854 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 02:46:56,854 [root] INFO: Disabling sleep skipping.
2020-03-24 02:46:56,854 [root] INFO: Disabling sleep skipping.
2020-03-24 02:46:56,854 [root] INFO: Disabling sleep skipping.
2020-03-24 02:46:56,854 [root] INFO: Disabling sleep skipping.
2020-03-24 02:46:56,854 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 02:46:56,854 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x330000
2020-03-24 02:46:56,854 [root] DEBUG: Debugger initialised.
2020-03-24 02:46:56,854 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 420 at 0x747d0000, image base 0x400000, stack from 0x186000-0x190000
2020-03-24 02:46:56,854 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\ezKxNfXW.tmp.exe".
2020-03-24 02:46:56,854 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2020-03-24 02:46:56,854 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 02:46:56,854 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2020-03-24 02:46:56,931 [root] DEBUG: AddTrackedRegion: EntryPoint 0x2409, Entropy 5.295939e-02
2020-03-24 02:46:56,931 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2020-03-24 02:46:56,931 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 02:46:56,931 [root] INFO: Monitor successfully loaded in process with pid 420.
2020-03-24 02:46:57,243 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 02:46:57,243 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 02:46:57,322 [root] DEBUG: ProcessImageBase: EP 0x00002409 image base 0x00400000 size 0x0 entropy 5.314849e-02.
2020-03-24 02:46:57,322 [root] DEBUG: ProtectionHandler: Adding region at 0x02F78360 to tracked regions.
2020-03-24 02:46:57,322 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x02F78360) returned 0x00000000.
2020-03-24 02:46:57,322 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 02:46:57,322 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x02F78360) -> AllocationBase 0x02F50000 RegionSize 0x40960.
2020-03-24 02:46:57,322 [root] DEBUG: AddTrackedRegion: New region at 0x02F50000 size 0xa000 added to tracked regions.
2020-03-24 02:46:57,322 [root] DEBUG: ProtectionHandler: Address: 0x02F78360 (alloc base 0x02F50000), NumberOfBytesToProtect: 0x8f1d, NewAccessProtection: 0x40
2020-03-24 02:46:57,322 [root] DEBUG: ProtectionHandler: Increased region size at 0x02F78360 to 0x3127d.
2020-03-24 02:46:57,322 [root] DEBUG: ProtectionHandler: New code detected at (0x02F50000), scanning for PE images.
2020-03-24 02:46:57,322 [root] DEBUG: DumpPEsInRange: Scanning range 0x2f50000 - 0x2f8127d.
2020-03-24 02:46:57,322 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2f50000-0x2f8127d.
2020-03-24 02:46:57,322 [root] DEBUG: DumpPEsInRange: Scanning range 0x2f50000 - 0x2f8127d.
2020-03-24 02:46:57,322 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2f50000-0x2f8127d.
2020-03-24 02:46:57,322 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02F50000, TrackedRegion->RegionSize: 0x3127d, thread 264
2020-03-24 02:46:57,322 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xdc, Size=0x2, Address=0x02F78360 and Type=0x1.
2020-03-24 02:46:57,322 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 264 type 1 at address 0x02F78360, size 2 with Callback 0x747d7510.
2020-03-24 02:46:57,322 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02F78360
2020-03-24 02:46:57,322 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xdc, Size=0x4, Address=0x02F5003C and Type=0x1.
2020-03-24 02:46:57,322 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 264 type 1 at address 0x02F5003C, size 4 with Callback 0x747d71a0.
2020-03-24 02:46:57,322 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02F5003C
2020-03-24 02:46:57,322 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x02F78360.
2020-03-24 02:46:57,338 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 02:46:57,338 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0041A65D (thread 264)
2020-03-24 02:46:57,338 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02F78360.
2020-03-24 02:46:57,338 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02F78360 and Type=0x0.
2020-03-24 02:46:57,338 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2f78360: 0x0.
2020-03-24 02:46:57,338 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 02:46:57,338 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0041A65D (thread 264)
2020-03-24 02:46:57,338 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02F78360.
2020-03-24 02:46:57,338 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02F78360 already exists for thread 264 (process 420), skipping.
2020-03-24 02:46:57,338 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2f78360: 0xe8.
2020-03-24 02:46:57,338 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 02:46:57,338 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x02F78360 (thread 264)
2020-03-24 02:46:57,338 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x02F78360 (allocation base 0x02F50000).
2020-03-24 02:46:57,338 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x02F50000, size 0x32000).
2020-03-24 02:46:57,338 [root] DEBUG: DumpPEsInRange: Scanning range 0x2f50000 - 0x2f82000.
2020-03-24 02:46:57,338 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2f50000-0x2f82000.
2020-03-24 02:46:57,354 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7732B41D (thread 264)
2020-03-24 02:46:57,354 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02F5003C.
2020-03-24 02:46:57,354 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x4581f045 (at 0x02F7839C).
2020-03-24 02:46:57,354 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 3 within Context, Size=0x0, Address=0x02F50000 and Type=0x0.
2020-03-24 02:46:57,354 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02F50000.
2020-03-24 02:46:57,354 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7732B536 (thread 264)
2020-03-24 02:46:57,354 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02F5003C.
2020-03-24 02:46:57,354 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x4581f045 (at 0x02F7839C).
2020-03-24 02:46:57,354 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (3) at 0x02F50000 already exists for thread 264 (process 420), skipping.
2020-03-24 02:46:57,354 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02F50000.
2020-03-24 02:47:00,223 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2020-03-24 02:47:02,611 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2020-03-24 02:47:03,890 [root] INFO: Process with pid 420 has terminated
2020-03-24 02:47:08,960 [root] INFO: Process list is empty, terminating analysis.
2020-03-24 02:47:09,973 [root] INFO: Created shutdown mutex.
2020-03-24 02:47:10,987 [root] INFO: Shutting down package.
2020-03-24 02:47:10,987 [root] INFO: Stopping auxiliary modules.
2020-03-24 02:47:10,987 [root] INFO: Finishing auxiliary modules.
2020-03-24 02:47:10,987 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 02:47:10,987 [root] WARNING: File at path "C:\JUCvQWpIIW\debugger" does not exist, skip.
2020-03-24 02:47:10,987 [root] INFO: Analysis completed.

MalScore

2.0

Benign

Machine

Name: target-01
Label: target-01
Manager: ESX
Started On: 2020-03-24 02:46:53
Shutdown On: 2020-03-24 02:47:30

File Details

File Name ezKxNfXW.tmp.exe
File Size 173568 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 faac5b415150934c0dd31466a55fda6a
SHA1 72fecd4154f7d324b2c229a44faa204d5f435c6e
SHA256 d01f5285245341ad276ca1cb620c2aad824ba99cde8ff8d2f0b3ce4e00fcdd77
SHA512 69f9815b46da62ba16c673ed59e00091fd7ec7460d5d2e13a1d34b1fa6c2b0e5d30bc63a130b7090fbae0c496d5f62c9ac33fc09cf4438028a660b93fddbaca9
CRC32 87A26CEC
Ssdeep 3072:gdj6Lql+2O8SvFlIk9YVvHuaIBty1jhG5PJLzC7gqvkEHoMgl:ZLqlUvFR9YVPXIBtcjqNCkcnHo
TrID
  • 42.7% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 19.2% (.EXE) OS/2 Executable (generic) (2029/13)
  • 18.9% (.EXE) Generic Win/DOS Executable (2002/3)
  • 18.9% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.40, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00019c00, virtual_size: 0x00019bc7

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

DisableUserModeCallbackFilter
DisableUserModeCallbackFilter
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent

PE Information

Image Base 0x00400000
Entry Point 0x00402409
Reported Checksum 0x000369b5
Actual Checksum 0x000369b5
Minimum OS Version 5.0
Compile Time 2018-11-29 18:21:37
Import Hash c7620f509da13c6f9c8f2e06976027de

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00019bc7 0x00019c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.40
.rdata 0x0001b000 0x00003298 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.28
.data 0x0001f000 0x0297eb84 0x00004200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.33
.rsrc 0x0299e000 0x00008f60 0x00009000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.37

Imports

Library KERNEL32.dll:
0x41b018 FormatMessageW
0x41b01c ReadFile
0x41b020 CreateFileW
0x41b024 lstrcatA
0x41b028 IsBadStringPtrA
0x41b030 EnumSystemLocalesA
0x41b034 GetLastError
0x41b038 VirtualAlloc
0x41b03c BackupWrite
0x41b040 LocalLock
0x41b044 GlobalAlloc
0x41b048 BuildCommDCBW
0x41b04c LoadLibraryA
0x41b050 WriteConsoleA
0x41b058 GlobalWire
0x41b060 SetConsoleTitleW
0x41b064 OpenFileMappingW
0x41b068 VirtualProtect
0x41b074 GetProcessTimes
0x41b078 GetCommandLineA
0x41b07c SetTapeParameters
0x41b084 GetCurrentProcess
0x41b088 HeapAlloc
0x41b08c LoadResource
0x41b090 GetDriveTypeW
0x41b094 MapViewOfFile
0x41b098 GetLocaleInfoA
0x41b09c lstrlenA
0x41b0a0 FindResourceA
0x41b0a4 GetStartupInfoW
0x41b0a8 RaiseException
0x41b0ac RtlUnwind
0x41b0b0 TerminateProcess
0x41b0bc IsDebuggerPresent
0x41b0c0 HeapFree
0x41b0c4 GetCPInfo
0x41b0d0 GetACP
0x41b0d4 GetOEMCP
0x41b0d8 IsValidCodePage
0x41b0dc GetModuleHandleW
0x41b0e0 GetProcAddress
0x41b0e4 TlsGetValue
0x41b0e8 TlsAlloc
0x41b0ec TlsSetValue
0x41b0f0 TlsFree
0x41b0f4 SetLastError
0x41b0f8 GetCurrentThreadId
0x41b0fc Sleep
0x41b100 ExitProcess
0x41b104 WriteFile
0x41b108 GetStdHandle
0x41b10c GetModuleFileNameA
0x41b110 GetModuleFileNameW
0x41b11c GetCommandLineW
0x41b120 SetHandleCount
0x41b124 GetFileType
0x41b128 GetStartupInfoA
0x41b130 HeapCreate
0x41b134 VirtualFree
0x41b13c GetTickCount
0x41b140 GetCurrentProcessId
0x41b148 SetFilePointer
0x41b14c WideCharToMultiByte
0x41b150 GetConsoleCP
0x41b154 GetConsoleMode
0x41b160 HeapReAlloc
0x41b164 LCMapStringA
0x41b168 MultiByteToWideChar
0x41b16c LCMapStringW
0x41b170 GetStringTypeA
0x41b174 GetStringTypeW
0x41b178 GetModuleHandleA
0x41b17c HeapSize
0x41b184 SetStdHandle
0x41b188 GetConsoleOutputCP
0x41b18c WriteConsoleW
0x41b190 CreateFileA
0x41b194 CloseHandle
0x41b198 FlushFileBuffers
Library ADVAPI32.dll:
0x41b000 FreeSid
0x41b008 CopySid

This file is not on VirusTotal.

Process Tree


ezKxNfXW.tmp.exe, PID: 420, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\ezKxNfXW.tmp.exe
Command Line: "C:\Users\user\AppData\Local\Temp\ezKxNfXW.tmp.exe"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Comments



No comments posted

Processing ( 0.824 seconds )

  • 0.176 Static
  • 0.168 Deduplicate
  • 0.131 CAPE
  • 0.125 TargetInfo
  • 0.104 AnalysisInfo
  • 0.088 TrID
  • 0.018 Strings
  • 0.007 NetworkAnalysis
  • 0.005 BehaviorAnalysis
  • 0.001 Debug
  • 0.001 peid

Signatures ( 0.044 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name

Reporting ( 0.0 seconds )

Task ID 131444
Mongo ID 5e7974c622fb4f13386d51f9
Cuckoo release 1.3-CAPE