Analysis

Category Package Started Completed Duration
FILE dll 2020-03-24 09:04:56 2020-03-24 09:05:24 28 seconds

Options:
route = internet
procdump = 1
2020-03-24 09:04:56,000 [root] INFO: Date set to: 03-24-20, time set to: 09:04:56, timeout set to: 200
2020-03-24 09:04:56,015 [root] DEBUG: Starting analyzer from: C:\wikhjvq
2020-03-24 09:04:56,015 [root] DEBUG: Storing results at: C:\WytfHKi
2020-03-24 09:04:56,015 [root] DEBUG: Pipe server name: \\.\PIPE\vuGOzU
2020-03-24 09:04:56,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-03-24 09:04:56,015 [root] INFO: Automatically selected analysis package "dll"
2020-03-24 09:04:56,576 [root] DEBUG: Started auxiliary module Browser
2020-03-24 09:04:56,576 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 09:04:56,576 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 09:04:56,997 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 09:04:56,997 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 09:04:56,997 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 09:04:56,997 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 09:04:56,997 [root] DEBUG: Started auxiliary module Human
2020-03-24 09:04:56,997 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 09:04:56,997 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 09:04:56,997 [root] DEBUG: Started auxiliary module Usage
2020-03-24 09:04:56,997 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2020-03-24 09:04:57,013 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2020-03-24 09:04:57,059 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll",#1" with pid 1836
2020-03-24 09:04:57,059 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:04:57,059 [lib.api.process] INFO: 32-bit DLL to inject is C:\wikhjvq\dll\uNokpdAb.dll, loader C:\wikhjvq\bin\sNKeMXa.exe
2020-03-24 09:04:57,075 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\vuGOzU.
2020-03-24 09:04:57,092 [root] DEBUG: Loader: Injecting process 1836 (thread 332) with C:\wikhjvq\dll\uNokpdAb.dll.
2020-03-24 09:04:57,092 [root] DEBUG: Process image base: 0x00360000
2020-03-24 09:04:57,092 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wikhjvq\dll\uNokpdAb.dll.
2020-03-24 09:04:57,092 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:04:57,092 [root] DEBUG: Successfully injected DLL C:\wikhjvq\dll\uNokpdAb.dll.
2020-03-24 09:04:57,092 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1836
2020-03-24 09:04:59,104 [lib.api.process] INFO: Successfully resumed process with pid 1836
2020-03-24 09:04:59,104 [root] INFO: Added new process to list with pid: 1836
2020-03-24 09:04:59,243 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:04:59,243 [root] DEBUG: Process dumps enabled.
2020-03-24 09:04:59,290 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:04:59,290 [root] INFO: Disabling sleep skipping.
2020-03-24 09:04:59,290 [root] INFO: Disabling sleep skipping.
2020-03-24 09:04:59,290 [root] INFO: Disabling sleep skipping.
2020-03-24 09:04:59,290 [root] INFO: Disabling sleep skipping.
2020-03-24 09:04:59,290 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1836 at 0x74880000, image base 0x360000, stack from 0xc4000-0xd0000
2020-03-24 09:04:59,290 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll",#1.
2020-03-24 09:04:59,290 [root] INFO: Monitor successfully loaded in process with pid 1836.
2020-03-24 09:04:59,306 [root] DEBUG: Target DLL loaded at 0x10000000: C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll (0x44000 bytes).
2020-03-24 09:04:59,306 [root] DEBUG: GetHookCallerBase: thread 332 (handle 0x0), return address 0x003614ED, allocation base 0x00360000.
2020-03-24 09:04:59,306 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00360000.
2020-03-24 09:04:59,306 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:04:59,306 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00360000.
2020-03-24 09:04:59,322 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000178C.
2020-03-24 09:04:59,322 [root] DEBUG: set_caller_info: Adding region at 0x02270000 to caller regions list (kernel32::GetSystemTime).
2020-03-24 09:04:59,322 [root] INFO: Added new CAPE file to list with path: C:\WytfHKi\CAPE\1836_5856137565941224232020
2020-03-24 09:04:59,322 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xaa00.
2020-03-24 09:04:59,322 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x10000000.
2020-03-24 09:04:59,322 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x10000000
2020-03-24 09:04:59,322 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:04:59,322 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x10000000.
2020-03-24 09:04:59,322 [root] DEBUG: DumpProcess: Module entry point VA is 0x00042C20.
2020-03-24 09:04:59,322 [root] INFO: Added new CAPE file to list with path: C:\WytfHKi\CAPE\1836_909853365941224232020
2020-03-24 09:04:59,322 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x42400.
2020-03-24 09:04:59,322 [root] DEBUG: DLL unloaded from 0x10000000.
2020-03-24 09:05:00,279 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-03-24 09:05:00,279 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 09:05:01,292 [root] DEBUG: DLL unloaded from 0x758B0000.
2020-03-24 09:05:01,309 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 09:05:01,309 [root] INFO: Notified of termination of process with pid 1836.
2020-03-24 09:05:07,206 [root] INFO: Process list is empty, terminating analysis.
2020-03-24 09:05:08,220 [root] INFO: Created shutdown mutex.
2020-03-24 09:05:09,233 [root] INFO: Shutting down package.
2020-03-24 09:05:09,233 [root] INFO: Stopping auxiliary modules.
2020-03-24 09:05:09,233 [root] INFO: Finishing auxiliary modules.
2020-03-24 09:05:09,233 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 09:05:09,233 [root] WARNING: File at path "C:\WytfHKi\debugger" does not exist, skip.
2020-03-24 09:05:09,233 [root] INFO: Analysis completed.

MalScore

3.5

Suspicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2020-03-24 09:04:56 2020-03-24 09:05:23

File Details

File Name 15cbcf94cc3b95751a5ab9ff4d9ea476b0709bae96baee8fc0da1e47825b8c11
File Size 271360 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 464fda8f007754e76388a6948c454f7d
SHA1 b99e7d3f5a77da0362a271a58a53f6981135822a
SHA256 15cbcf94cc3b95751a5ab9ff4d9ea476b0709bae96baee8fc0da1e47825b8c11
SHA512 a79005519ea0a633a267ebdcfc89520fcdf1a45725b54195a09c2b880051db37e65808c4826ed8d4fb12238fd2928c203f72fec8b3f5375599f45244e17b5e95
CRC32 7CDEF7BA
Ssdeep 3072:CkduwovB04GkH5yiMG2hzqgVfOpOvLxo1sS22PUj1z0iK3DZ4Id+raPA8WiX6qqT:NWpZEZ24BMb/Qo9AOnk3
TrID
  • 42.7% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 19.2% (.EXE) OS/2 Executable (generic) (2029/13)
  • 18.9% (.EXE) Generic Win/DOS Executable (2002/3)
  • 18.9% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Creates RWX memory
Dynamic (imported) function loading detected
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: OLEAUT32.dll/
The binary contains an unknown PE section name indicative of packing
unknown section: name: UPX0, entropy: 6.62, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00026000, virtual_size: 0x00026000
unknown section: name: UPX1, entropy: 4.46, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0001c000, virtual_size: 0x0001c000
The executable is compressed using UPX
section: name: UPX0, entropy: 6.62, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00026000, virtual_size: 0x00026000

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

Files

C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll
C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll.124.Manifest
C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\SysWOW64\en-US\rundll32.exe.mui
C:\Windows\Fonts\staticcache.dat
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui

Read Files

C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll
C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll.124.Manifest
C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\SysWOW64\en-US\rundll32.exe.mui
C:\Windows\Fonts\staticcache.dat
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Resolved APIs

gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
gdi32.dll.GdiIsMetaPrintDC
ole32.dll.CoCreateInstance
oleaut32.dll.#500

Mutexes

Local\MSCTF.Asm.MutexDefault1

PE Information

Image Base 0x10000000
Entry Point 0x10042c20
Reported Checksum 0x00000000
Actual Checksum 0x0004f8e0
Minimum OS Version 6.0
Compile Time 2020-02-07 08:08:30

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
UPX0 0x00001000 0x00026000 0x00026000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.62
UPX1 0x00027000 0x0001c000 0x0001c000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.46
.rsrc 0x00043000 0x00001000 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00

puerto-rico
slovak
south africa
south korea
south-africa
south-korea
trinidad & tobago
united-kingdom
united-states
CONOUT$
atlTraceGeneral
atlTraceCOM
atlTraceQI
atlTraceRegistrar
atlTraceRefcount
atlTraceWindowing
atlTraceControls
atlTraceHosting
atlTraceDBClient
atlTraceDBProvider
atlTraceSnapin
atlTraceNotImpl
atlTraceAllocation
atlTraceException
atlTraceTime
atlTraceCache
atlTraceStencil
atlTraceString
atlTraceMap
atlTraceUtil
atlTraceSecurity
atlTraceSync
atlTraceISAPI
ForceRemove
NoRemove
Delete
AppID
CLSID
Component Categories
FileType
Interface
Hardware
SECURITY
SYSTEM
Software
TypeLib
Invalid DateTime
Invalid DateTimeSpan
WinHttpClient
%%%02X
SeDebugPrivilege
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
&OSA=
EXCEL.EXE
https://ms-break.com/rrrdd1
Content-Length:
RD86R
.6.exe
\build
a([a-zA-Z0-9])
b([ \t])
c([a-zA-Z])
d([0-9])
h([0-9a-fA-F])
q("[^"]*")|('[^']*')
w([a-zA-Z]+)
z([0-9]+)
Cookie:
charset={[A-Za-z0-9\-_]+}
Content-Length: {[0-9]+}
Location: {[0-9]+}
Set-Cookie:\b*{.+?}\n
utf-8
{<html>}
{</html>}
This file is not on VirusTotal.

Process Tree

  • rundll32.exe 1836 "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll",#1

rundll32.exe, PID: 1836, Parent PID: 2480
Full Path: C:\Windows\SysWOW64\rundll32.exe
Command Line: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll",#1

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name: rundll32.exe
PID: 1836
Dump Size: 43520 bytes
Module Path: C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll
Type: PE image: 32-bit executable
MD5: e060b555e63b7697d744a295d99ef38e
SHA1: 2b8930808d7380142557e0097554afb5a59176c8
SHA256: 6c27651ac37a7a1f37330d59a2dae5cf880d68b1fa997a7d8bb9b3363461ea03
CRC32: 0745BC71
Ssdeep: 768:oZDAIofvPqtOAacSRqbSEln5IyYpamDjobj8S:oJADHqt7SRqln5IUmDjoX
ClamAV: None
Yara: None matched
CAPE Yara: None matched
Dump Filename: 6c27651ac37a7a1f37330d59a2dae5cf880d68b1fa997a7d8bb9b3363461ea03

Process Name: rundll32.exe
PID: 1836
Dump Size: 271360 bytes
Module Path: C:\Users\user\AppData\Local\Temp\MOQB3DLOh7LjUq8.dll
Type: PE image: 32-bit DLL
MD5: 30ee248e8610e7108f4475ca0b23c83d
SHA1: e5f81315594b58cb267712a38641d7e68c763966
SHA256: c4805a803540600bd0da3a14fd465d5ff3d8468011349aa5de6684ba371dafae
CRC32: F08217EF
Ssdeep: 3072:vkduwovB04GkH5yiMG2hzqgVfOpOvLxo1sS22PUj1z0iK3DZ4Id+raPA8WiX6qqD:2WpZEZ24BMb/Qo9AOnqp
ClamAV: None
Yara: None matched
CAPE Yara: None matched
Dump Filename: c4805a803540600bd0da3a14fd465d5ff3d8468011349aa5de6684ba371dafae

Processing ( 1.149 seconds )

  • 0.394 CAPE
  • 0.199 ProcDump
  • 0.177 Static
  • 0.127 TargetInfo
  • 0.094 TrID
  • 0.088 Deduplicate
  • 0.041 BehaviorAnalysis
  • 0.017 Strings
  • 0.006 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.062 seconds )

  • 0.011 antiav_detectreg
  • 0.008 ransomware_files
  • 0.005 infostealer_ftp
  • 0.003 antidbg_windows
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 NewtWire Behavior
  • 0.001 api_spamming
  • 0.001 betabot_behavior
  • 0.001 decoy_document
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name
  • 0.001 recon_fingerprint

Reporting ( 0.0 seconds )

Task ID: 131466
Mongo ID: 5e79cd5622fb4f13386d6fd6
Cuckoo release: 1.3-CAPE