CAPE

Triggered CAPE Tasks: Task #29487: Extraction


Analysis

Category Package Started Completed Duration
FILE exe 2019-01-10 03:25:47 2019-01-10 03:29:37 230 seconds

Options:
route = internet
procdump = 1

Log:
2019-01-10 03:25:47,015 [root] INFO: Date set to: 01-10-19, time set to: 03:25:47, timeout set to: 200
2019-01-10 03:25:47,046 [root] DEBUG: Starting analyzer from: C:\ubrmzzgi
2019-01-10 03:25:47,046 [root] DEBUG: Storing results at: C:\AKVXkirIZc
2019-01-10 03:25:47,046 [root] DEBUG: Pipe server name: \\.\PIPE\PBPOhBZqs
2019-01-10 03:25:47,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-10 03:25:47,046 [root] INFO: Automatically selected analysis package "exe"
2019-01-10 03:25:48,293 [root] DEBUG: Started auxiliary module Browser
2019-01-10 03:25:48,293 [root] DEBUG: Started auxiliary module Curtain
2019-01-10 03:25:48,293 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-01-10 03:25:48,293 [root] DEBUG: Started auxiliary module DigiSig
2019-01-10 03:25:48,293 [root] DEBUG: Started auxiliary module Disguise
2019-01-10 03:25:48,293 [root] DEBUG: Started auxiliary module Human
2019-01-10 03:25:48,309 [root] DEBUG: Started auxiliary module Screenshots
2019-01-10 03:25:48,309 [root] DEBUG: Started auxiliary module Sysmon
2019-01-10 03:25:48,309 [root] DEBUG: Started auxiliary module Usage
2019-01-10 03:25:48,309 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-01-10 03:25:48,309 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-01-10 03:25:48,605 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\bPbihjIjedK.exe" with arguments "" with pid 1620
2019-01-10 03:25:48,605 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:25:48,605 [lib.api.process] INFO: 32-bit DLL to inject is C:\ubrmzzgi\dll\FcEeRORk.dll, loader C:\ubrmzzgi\bin\KtZboPp.exe
2019-01-10 03:25:48,621 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1620
2019-01-10 03:25:50,634 [lib.api.process] INFO: Successfully resumed process with pid 1620
2019-01-10 03:25:50,634 [root] INFO: Added new process to list with pid: 1620
2019-01-10 03:25:50,680 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:25:50,680 [root] DEBUG: Process dumps enabled.
2019-01-10 03:25:50,711 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1620 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:25:50,711 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\bPbihjIjedK.exe".
2019-01-10 03:25:50,711 [root] INFO: Monitor successfully loaded in process with pid 1620.
2019-01-10 03:25:50,711 [root] INFO: Announced 32-bit process name:  pid: 1636996
2019-01-10 03:25:50,711 [root] INFO: Added new process to list with pid: 1636996
2019-01-10 03:25:50,711 [lib.api.process] WARNING: The process with pid 1636996 is not alive, injection aborted
2019-01-10 03:25:51,648 [root] INFO: Process with pid 1636996 has terminated
2019-01-10 03:25:56,905 [root] DEBUG: set_caller_info: Adding region at 0x00530000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-01-10 03:25:56,905 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (ntdll::LdrLoadDll).
2019-01-10 03:25:56,937 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-01-10 03:25:56,951 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-01-10 03:25:56,951 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-01-10 03:25:56,951 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-01-10 03:25:56,951 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-01-10 03:25:56,967 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-01-10 03:25:56,999 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-01-10 03:25:56,999 [root] INFO: Disabling sleep skipping.
2019-01-10 03:26:04,658 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-01-10 03:26:04,690 [root] INFO: Announced 32-bit process name: winsvcs.exe pid: 2616
2019-01-10 03:26:04,690 [root] INFO: Added new process to list with pid: 2616
2019-01-10 03:26:04,690 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:26:04,690 [lib.api.process] INFO: 32-bit DLL to inject is C:\ubrmzzgi\dll\FcEeRORk.dll, loader C:\ubrmzzgi\bin\KtZboPp.exe
2019-01-10 03:26:04,690 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2616
2019-01-10 03:26:04,706 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:26:04,706 [root] DEBUG: Process dumps enabled.
2019-01-10 03:26:04,706 [root] INFO: Disabling sleep skipping.
2019-01-10 03:26:04,706 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2616 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:26:04,706 [root] DEBUG: Commandline: C:\Windows\495060393034060\winsvcs.exe.
2019-01-10 03:26:04,706 [root] INFO: Monitor successfully loaded in process with pid 2616.
2019-01-10 03:26:04,706 [root] INFO: Announced 32-bit process name:  pid: 1636996
2019-01-10 03:26:04,706 [root] INFO: Added new process to list with pid: 1636996
2019-01-10 03:26:04,706 [lib.api.process] WARNING: The process with pid 1636996 is not alive, injection aborted
2019-01-10 03:26:04,877 [root] INFO: Process with pid 1636996 has terminated
2019-01-10 03:26:05,204 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1620
2019-01-10 03:26:05,204 [root] DEBUG: GetHookCallerBase: thread 1752 (handle 0x0), return address 0x00403CD0, allocation base 0x00400000.
2019-01-10 03:26:05,204 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-01-10 03:26:05,204 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-01-10 03:26:05,204 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000103C.
2019-01-10 03:26:05,204 [root] INFO: Added new CAPE file to list with path: C:\AKVXkirIZc\CAPE\1620_878323933526510412019
2019-01-10 03:26:05,204 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8800.
2019-01-10 03:26:05,220 [root] DEBUG: DLL unloaded from 0x75140000.
2019-01-10 03:26:05,220 [root] INFO: Notified of termination of process with pid 1620.
2019-01-10 03:26:05,907 [root] INFO: Process with pid 1620 has terminated
2019-01-10 03:26:10,773 [root] DEBUG: set_caller_info: Adding region at 0x00490000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-01-10 03:26:10,773 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (ntdll::LdrLoadDll).
2019-01-10 03:26:10,773 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-01-10 03:26:10,773 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-01-10 03:26:10,773 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-01-10 03:26:10,773 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-01-10 03:26:10,773 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-01-10 03:26:10,773 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-01-10 03:26:10,789 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-01-10 03:26:17,855 [root] DEBUG: DLL loaded at 0x742E0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-01-10 03:26:17,918 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\profapi (0xb000 bytes).
2019-01-10 03:26:17,934 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-01-10 03:26:17,966 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-01-10 03:26:17,980 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-01-10 03:26:17,980 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-01-10 03:26:17,996 [root] DEBUG: DLL loaded at 0x74840000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-01-10 03:26:18,012 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 03:26:18,012 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-01-10 03:26:18,028 [root] DEBUG: DLL loaded at 0x742C0000: C:\Windows\system32\rasman (0x15000 bytes).
2019-01-10 03:26:18,043 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-01-10 03:26:18,043 [root] DEBUG: DLL unloaded from 0x747E0000.
2019-01-10 03:26:18,059 [root] DEBUG: DLL loaded at 0x742B0000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-01-10 03:26:18,059 [root] DEBUG: DLL unloaded from 0x75600000.
2019-01-10 03:26:18,059 [root] DEBUG: DLL unloaded from 0x742C0000.
2019-01-10 03:26:18,075 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-01-10 03:26:18,105 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-01-10 03:26:18,121 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-01-10 03:26:18,121 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-01-10 03:26:18,137 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-01-10 03:26:18,153 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-01-10 03:26:18,167 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-01-10 03:26:18,167 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-01-10 03:26:18,200 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-01-10 03:26:18,214 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-01-10 03:26:18,230 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-01-10 03:26:18,246 [root] DEBUG: DLL loaded at 0x74280000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-01-10 03:26:18,292 [root] DEBUG: DLL loaded at 0x74240000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-01-10 03:26:18,309 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-01-10 03:26:18,355 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-01-10 03:26:18,401 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-01-10 03:26:18,417 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-01-10 03:26:18,417 [root] DEBUG: DLL loaded at 0x741D0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-01-10 03:26:18,417 [root] DEBUG: DLL loaded at 0x741B0000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-01-10 03:26:18,417 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-01-10 03:26:18,434 [root] DEBUG: DLL unloaded from 0x74850000.
2019-01-10 03:26:18,434 [root] DEBUG: DLL unloaded from 0x741B0000.
2019-01-10 03:26:18,621 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 03:26:18,621 [root] DEBUG: DLL loaded at 0x751A0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-01-10 03:26:20,726 [root] DEBUG: DLL unloaded from 0x75600000.
2019-01-10 03:26:23,846 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-01-10 03:26:23,861 [root] INFO: Announced 32-bit process name: 2748840743.exe pid: 2724
2019-01-10 03:26:23,861 [root] INFO: Added new process to list with pid: 2724
2019-01-10 03:26:23,861 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:26:23,861 [lib.api.process] INFO: 32-bit DLL to inject is C:\ubrmzzgi\dll\FcEeRORk.dll, loader C:\ubrmzzgi\bin\KtZboPp.exe
2019-01-10 03:26:23,861 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2724
2019-01-10 03:26:23,894 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:26:23,894 [root] DEBUG: Process dumps enabled.
2019-01-10 03:26:23,894 [root] INFO: Disabling sleep skipping.
2019-01-10 03:26:23,908 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2724 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:26:23,924 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\2748840743.exe.
2019-01-10 03:26:23,924 [root] INFO: Monitor successfully loaded in process with pid 2724.
2019-01-10 03:26:28,262 [root] INFO: Announced 32-bit process name: 3056729674.exe pid: 2092
2019-01-10 03:26:28,292 [root] INFO: Added new process to list with pid: 2092
2019-01-10 03:26:28,323 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:26:28,385 [lib.api.process] INFO: 32-bit DLL to inject is C:\ubrmzzgi\dll\FcEeRORk.dll, loader C:\ubrmzzgi\bin\KtZboPp.exe
2019-01-10 03:26:28,433 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2092
2019-01-10 03:26:28,480 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:26:28,526 [root] DEBUG: Process dumps enabled.
2019-01-10 03:26:28,588 [root] INFO: Disabling sleep skipping.
2019-01-10 03:26:28,635 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2092 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:26:28,697 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\3056729674.exe.
2019-01-10 03:26:28,760 [root] INFO: Monitor successfully loaded in process with pid 2092.
2019-01-10 03:26:28,822 [root] INFO: Announced 32-bit process name:  pid: 1636996
2019-01-10 03:26:28,838 [root] INFO: Added new process to list with pid: 1636996
2019-01-10 03:26:28,901 [lib.api.process] WARNING: The process with pid 1636996 is not alive, injection aborted
2019-01-10 03:26:29,026 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 03:26:29,322 [root] INFO: Process with pid 1636996 has terminated
2019-01-10 03:26:30,773 [root] DEBUG: DLL unloaded from 0x741E0000.
2019-01-10 03:26:30,773 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-01-10 03:26:30,867 [root] DEBUG: DLL unloaded from 0x75600000.
2019-01-10 03:26:31,038 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 03:27:02,894 [root] DEBUG: set_caller_info: Adding region at 0x005F0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-01-10 03:27:02,894 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-01-10 03:27:02,894 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-01-10 03:27:02,908 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-01-10 03:27:02,908 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-01-10 03:27:02,940 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-01-10 03:27:02,940 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-01-10 03:27:02,940 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-01-10 03:27:05,046 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-01-10 03:27:05,062 [root] INFO: Announced 32-bit process name: winsvcs.exe pid: 2316
2019-01-10 03:27:05,062 [root] INFO: Added new process to list with pid: 2316
2019-01-10 03:27:05,062 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:27:05,078 [lib.api.process] INFO: 32-bit DLL to inject is C:\ubrmzzgi\dll\FcEeRORk.dll, loader C:\ubrmzzgi\bin\KtZboPp.exe
2019-01-10 03:27:05,092 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2316
2019-01-10 03:27:05,108 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:27:05,124 [root] DEBUG: Process dumps enabled.
2019-01-10 03:27:05,140 [root] INFO: Disabling sleep skipping.
2019-01-10 03:27:05,155 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2316 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:27:05,171 [root] DEBUG: Commandline: C:\Windows\806084767800850\winsvcs.exe.
2019-01-10 03:27:05,171 [root] INFO: Monitor successfully loaded in process with pid 2316.
2019-01-10 03:27:29,523 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2724
2019-01-10 03:27:29,523 [root] DEBUG: GetHookCallerBase: thread 2700 (handle 0x0), return address 0x00403CD0, allocation base 0x00400000.
2019-01-10 03:27:29,523 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-01-10 03:27:29,553 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-01-10 03:27:29,585 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000103C.
2019-01-10 03:27:29,601 [root] INFO: Added new CAPE file to list with path: C:\AKVXkirIZc\CAPE\2724_19338951732927510412019
2019-01-10 03:27:29,615 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8800.
2019-01-10 03:27:29,615 [root] DEBUG: DLL unloaded from 0x75140000.
2019-01-10 03:27:29,631 [root] INFO: Notified of termination of process with pid 2724.
2019-01-10 03:27:29,694 [root] INFO: Process with pid 2724 has terminated
2019-01-10 03:28:14,200 [root] DEBUG: set_caller_info: Adding region at 0x005B0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-01-10 03:28:14,200 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-01-10 03:28:14,217 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-01-10 03:28:14,217 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-01-10 03:28:14,217 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-01-10 03:28:14,217 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-01-10 03:28:14,217 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-01-10 03:28:14,217 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-01-10 03:28:35,526 [root] DEBUG: DLL loaded at 0x742E0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-01-10 03:28:35,526 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\profapi (0xb000 bytes).
2019-01-10 03:28:35,542 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-01-10 03:28:35,542 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-01-10 03:28:35,542 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-01-10 03:28:35,542 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-01-10 03:28:35,542 [root] DEBUG: DLL loaded at 0x74840000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-01-10 03:28:35,542 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 03:28:35,542 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-01-10 03:28:35,558 [root] DEBUG: DLL loaded at 0x742C0000: C:\Windows\system32\rasman (0x15000 bytes).
2019-01-10 03:28:35,558 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-01-10 03:28:35,558 [root] DEBUG: DLL unloaded from 0x75600000.
2019-01-10 03:28:35,558 [root] DEBUG: DLL loaded at 0x742B0000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-01-10 03:28:35,558 [root] DEBUG: DLL unloaded from 0x742C0000.
2019-01-10 03:28:35,558 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 03:28:35,558 [root] DEBUG: DLL loaded at 0x751A0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-01-10 03:28:35,558 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-01-10 03:28:35,572 [root] DEBUG: DLL loaded at 0x74A40000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-01-10 03:28:35,572 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2019-01-10 03:28:35,572 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-01-10 03:28:35,572 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-01-10 03:28:35,572 [root] DEBUG: DLL loaded at 0x741D0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-01-10 03:28:35,588 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-01-10 03:28:35,588 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-01-10 03:28:35,588 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-01-10 03:28:35,588 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-01-10 03:28:35,588 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-01-10 03:28:35,588 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-01-10 03:28:35,588 [root] DEBUG: DLL loaded at 0x74280000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-01-10 03:28:35,605 [root] DEBUG: DLL loaded at 0x74240000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-01-10 03:28:36,072 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-01-10 03:28:36,072 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-01-10 03:28:36,072 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-01-10 03:28:36,072 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-01-10 03:28:36,151 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-01-10 03:28:36,165 [root] INFO: Announced 32-bit process name: 2477229783.exe pid: 2784
2019-01-10 03:28:36,165 [root] INFO: Added new process to list with pid: 2784
2019-01-10 03:28:36,165 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:28:36,165 [lib.api.process] INFO: 32-bit DLL to inject is C:\ubrmzzgi\dll\FcEeRORk.dll, loader C:\ubrmzzgi\bin\KtZboPp.exe
2019-01-10 03:28:36,181 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2784
2019-01-10 03:28:36,181 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:28:36,181 [root] DEBUG: Process dumps enabled.
2019-01-10 03:28:36,197 [root] INFO: Disabling sleep skipping.
2019-01-10 03:28:36,197 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2784 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:28:36,197 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\2477229783.exe.
2019-01-10 03:28:36,197 [root] INFO: Monitor successfully loaded in process with pid 2784.
2019-01-10 03:28:37,118 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 03:28:38,085 [root] INFO: Announced 32-bit process name: 3009414284.exe pid: 1220
2019-01-10 03:28:38,131 [root] INFO: Added new process to list with pid: 1220
2019-01-10 03:28:38,210 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:28:38,381 [lib.api.process] INFO: 32-bit DLL to inject is C:\ubrmzzgi\dll\FcEeRORk.dll, loader C:\ubrmzzgi\bin\KtZboPp.exe
2019-01-10 03:28:38,506 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1220
2019-01-10 03:28:38,647 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:28:38,770 [root] DEBUG: Process dumps enabled.
2019-01-10 03:28:38,895 [root] INFO: Disabling sleep skipping.
2019-01-10 03:28:38,990 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1220 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:28:39,130 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\3009414284.exe.
2019-01-10 03:28:39,255 [root] INFO: Monitor successfully loaded in process with pid 1220.
2019-01-10 03:28:39,411 [root] INFO: Announced 32-bit process name:  pid: 1636996
2019-01-10 03:28:39,473 [root] INFO: Added new process to list with pid: 1636996
2019-01-10 03:28:39,566 [lib.api.process] WARNING: The process with pid 1636996 is not alive, injection aborted
2019-01-10 03:28:40,035 [root] INFO: Process with pid 1636996 has terminated
2019-01-10 03:28:45,667 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-01-10 03:28:45,681 [root] DEBUG: DLL unloaded from 0x74A40000.
2019-01-10 03:28:46,009 [root] DEBUG: DLL unloaded from 0x75600000.
2019-01-10 03:28:46,213 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 03:29:15,243 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-01-10 03:29:15,243 [root] INFO: Created shutdown mutex.
2019-01-10 03:29:16,257 [root] INFO: Setting terminate event for process 2616.
2019-01-10 03:29:16,257 [root] DEBUG: Terminate Event: Attempting to dump process 2616
2019-01-10 03:29:16,257 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-01-10 03:29:16,257 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-01-10 03:29:16,273 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000103C.
2019-01-10 03:29:16,273 [root] INFO: Added new CAPE file to list with path: C:\AKVXkirIZc\CAPE\2616_2143891361629310412019
2019-01-10 03:29:16,289 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8800.
2019-01-10 03:29:16,773 [root] INFO: Setting terminate event for process 2092.
2019-01-10 03:29:17,288 [root] INFO: Setting terminate event for process 2316.
2019-01-10 03:29:17,288 [root] DEBUG: Terminate Event: Attempting to dump process 2316
2019-01-10 03:29:17,288 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-01-10 03:29:17,288 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-01-10 03:29:17,288 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000103C.
2019-01-10 03:29:17,302 [root] INFO: Added new CAPE file to list with path: C:\AKVXkirIZc\CAPE\2316_2032473601729310412019
2019-01-10 03:29:17,302 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8800.
2019-01-10 03:29:17,802 [root] INFO: Setting terminate event for process 2784.
2019-01-10 03:29:18,316 [root] INFO: Setting terminate event for process 1220.
2019-01-10 03:29:18,832 [root] INFO: Shutting down package.
2019-01-10 03:29:18,832 [root] INFO: Stopping auxiliary modules.
2019-01-10 03:29:18,832 [root] INFO: Finishing auxiliary modules.
2019-01-10 03:29:18,832 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-01-10 03:29:18,832 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-01-10 03:25:47 2019-01-10 03:29:32

File Details

File Name 2019-01-08-malware-downloader.exe
File Size 152576 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 44a81be517e01ab33abdba541a239b6e
SHA1 2890c3be34e4189fe0a11b4e60ff2b3203fcdd2a
SHA256 056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769
SHA512 3361688b857d7e5db7fb5c9606a8e17c1487fb7e6dda9ed69d3c6c89ed94c51abb7e935971d35884bd71a8a55cc1bf436ea28997d404b50f91921895438515a0
CRC32 3328869D
Ssdeep 3072:MupWc+2g2yM2BSwgtNSGv551zDb/Wvn006luxHE:MupxMcBDSGlzDbuvn00c
TrID
  • 34.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  • 26.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 23.1% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 3.7% (.EXE) Win32 Executable (generic) (4508/7/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: bPbihjIjedK.exe, PID 1620
A process attempted to delay the analysis task.
Process: winsvcs.exe tried to sleep 784 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: bPbihjIjedK.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: winsvcs.exe/atexit
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: 2748840743.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: winsvcs.exe/atexit
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/Module32FirstW
Drops a binary and executes it
binary: C:\Users\user\AppData\Local\Temp\3009414284.exe
binary: C:\Users\user\AppData\Local\Temp\2748840743.exe
binary: C:\Users\user\AppData\Local\Temp\2477229783.exe
binary: C:\Windows\806084767800850\winsvcs.exe
binary: C:\Windows\495060393034060\winsvcs.exe
binary: C:\Users\user\AppData\Local\Temp\3056729674.exe
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://92.63.197.48/1.exe
suspicious_request: http://92.63.197.48/2.exe
suspicious_request: http://92.63.197.48/3.exe
suspicious_request: http://92.63.197.48/5.exe
suspicious_request: http://92.63.197.48/4.exe
Performs some HTTP requests
url: http://slpsrgpsrhojifdij.ru/1.exe
url: http://slpsrgpsrhojifdij.ru/2.exe
url: http://slpsrgpsrhojifdij.ru/3.exe
url: http://slpsrgpsrhojifdij.ru/4.exe
url: http://slpsrgpsrhojifdij.ru/5.exe
url: http://92.63.197.48/1.exe
url: http://92.63.197.48/2.exe
url: http://92.63.197.48/3.exe
url: http://92.63.197.48/5.exe
url: http://92.63.197.48/4.exe
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\user\AppData\Local\Temp\bPbihjIjedK.exe:Zone.Identifier
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: winsvcs.exe (2616) called API NtClose 500152 times
Spam: 3056729674.exe (2092) called API NtClose 500152 times
Spam: bPbihjIjedK.exe (1620) called API NtClose 500152 times
Spam: 3009414284.exe (1220) called API NtClose 500152 times
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
data: C:\Windows\806084767800850\winsvcs.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
data: C:\Windows\806084767800850\winsvcs.exe
Creates a hidden or system file
file: C:\Windows\495060393034060
file: C:\Windows\495060393034060\winsvcs.exe
file: C:\Windows\806084767800850
file: C:\Windows\806084767800850\winsvcs.exe
Operates on local firewall's policies and settings
Creates a copy of itself
copy: C:\Windows\495060393034060\winsvcs.exe
Attempts to disable System Restore
Attempts to modify or disable Security Center warnings

Screenshots


Hosts

Direct IP Country Name
N 92.63.197.48 [VT] Russian Federation
Y 8.8.8.8 [VT] United States

DNS

Name Response Post-Analysis Lookup
slpsrgpsrhojifdij.ru [VT] A 92.63.197.48 [VT]

Summary

C:\Users\user\AppData\Local\Temp\msvcr100.dll
C:\Windows\System32\msvcr100.dll
C:\Windows\system\msvcr100.dll
C:\Windows\msvcr100.dll
C:\Windows\System32\wbem\msvcr100.dll
C:\Windows\System32\WindowsPowerShell\v1.0\msvcr100.dll
C:\Users\user\AppData\Local\Temp\bPbihjIjedK.exe:Zone.Identifier
C:\Windows\495060393034060\winsvcs.exe
C:\Windows\495060393034060
C:\Users\user\AppData\Local\Temp\bPbihjIjedK.exe
C:\Windows\495060393034060\msvcr100.dll
C:\Windows\495060393034060\winsvcs.exe:Zone.Identifier
\Device\KsecDD
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Users\user\AppData\Local\Temp\2748840743.exe
C:\Users\user\AppData\Local\Temp\3056729674.exe
C:\Users\user\AppData\Local\Temp\2748840743.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3056729674.exe:Zone.Identifier
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\806084767800850\winsvcs.exe
C:\Windows\806084767800850
C:\Windows\806084767800850\msvcr100.dll
C:\Windows\806084767800850\winsvcs.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2477229783.exe
C:\Users\user\AppData\Local\Temp\2477229783.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3009414284.exe
C:\Users\user\AppData\Local\Temp\3009414284.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\bPbihjIjedK.exe
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\2748840743.exe
C:\Windows\495060393034060\winsvcs.exe
C:\Users\user\AppData\Local\Temp\2748840743.exe
C:\Users\user\AppData\Local\Temp\3056729674.exe
C:\Windows\806084767800850\winsvcs.exe
C:\Users\user\AppData\Local\Temp\2477229783.exe
C:\Users\user\AppData\Local\Temp\3009414284.exe
C:\Users\user\AppData\Local\Temp\bPbihjIjedK.exe:Zone.Identifier
C:\Windows\495060393034060\winsvcs.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2748840743.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3056729674.exe:Zone.Identifier
C:\Windows\806084767800850\winsvcs.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2477229783.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3009414284.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.Module32FirstW
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
kernel32.dll.GetVersionExA
kernel32.dll.TerminateProcess
kernel32.dll.ExitProcess
kernel32.dll.SetErrorMode
msvcrt.dll._controlfp
msvcrt.dll._except_handler3
msvcrt.dll.__set_app_type
msvcrt.dll.isalpha
msvcrt.dll.__p__fmode
msvcrt.dll.__p__commode
msvcrt.dll._adjust_fdiv
msvcrt.dll.__setusermatherr
msvcrt.dll._initterm
msvcrt.dll.__getmainargs
msvcrt.dll._acmdln
msvcrt.dll.exit
msvcrt.dll._XcptFilter
msvcrt.dll._exit
msvcrt.dll._snprintf
msvcrt.dll.wcsstr
msvcrt.dll.srand
msvcrt.dll.rand
msvcrt.dll._snwprintf
msvcrt.dll.isdigit
msvcrt.dll.memset
msvcrt.dll.memcpy
wininet.dll.InternetOpenUrlA
wininet.dll.HttpQueryInfoA
wininet.dll.InternetCloseHandle
wininet.dll.InternetReadFile
wininet.dll.InternetOpenUrlW
wininet.dll.InternetOpenW
wininet.dll.InternetOpenA
urlmon.dll.URLDownloadToFileW
shlwapi.dll.PathFileExistsW
shlwapi.dll.PathFindFileNameA
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetFileAttributesW
kernel32.dll.CopyFileW
kernel32.dll.CreateDirectoryW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.GetDriveTypeW
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
kernel32.dll.DeleteFileW
kernel32.dll.CloseHandle
kernel32.dll.WriteFile
kernel32.dll.GetTickCount
kernel32.dll.GlobalUnlock
kernel32.dll.ExitThread
kernel32.dll.Sleep
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalLock
kernel32.dll.FindNextFileW
kernel32.dll.SetFileAttributesW
kernel32.dll.GetVolumeInformationW
kernel32.dll.CreateProcessW
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.CreateFileW
kernel32.dll.GetStartupInfoA
kernel32.dll.GetModuleHandleA
kernel32.dll.CreateThread
kernel32.dll.CreateMutexA
kernel32.dll.GetLastError
user32.dll.OpenClipboard
user32.dll.EmptyClipboard
user32.dll.GetClipboardData
user32.dll.CloseClipboard
user32.dll.SetClipboardData
advapi32.dll.RegQueryValueExW
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegCloseKey
advapi32.dll.RegSetValueExW
advapi32.dll.RegCreateKeyExA
shell32.dll.ShellExecuteW
ole32.dll.CoInitialize
ole32.dll.CoCreateInstance
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
cryptbase.dll.SystemFunction036
ole32.dll.CoInitializeEx
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
ole32.dll.CoUninitialize
oleaut32.dll.#500
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
C:\Windows\495060393034060\winsvcs.exe
C:\Users\user\AppData\Local\Temp\2748840743.exe
C:\Users\user\AppData\Local\Temp\3056729674.exe
C:\Windows\806084767800850\winsvcs.exe
C:\Users\user\AppData\Local\Temp\2477229783.exe
C:\Users\user\AppData\Local\Temp\3009414284.exe
596030303050
IESQMMUTEX_0_208
650870850508

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x0040612b
Reported Checksum 0x00030a82
Actual Checksum 0x00030a82
Minimum OS Version 5.1
Compile Time 2017-10-14 21:00:54
Import Hash c07e3df57b355727f548e05ac8faa5e9
Exported DLL Name \x8e\x01LookupPrivilegeNameA

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00013dae 0x00013e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.56
.rdata 0x00015000 0x00004300 0x00004400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.28
.data 0x0001a000 0x0000bf68 0x00009600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.02
.rsrc 0x00026000 0x00001828 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.93
.reloc 0x00028000 0x00001cac 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.69

Imports

Library KERNEL32.dll:
0x415028 TerminateThread
0x41502c TerminateProcess
0x415030 SetComputerNameExW
0x415034 GetLastError
0x415038 GetProcAddress
0x415040 SetCommMask
0x415048 VirtualProtect
0x415050 DuplicateHandle
0x415054 LoadLibraryW
0x415058 CloseHandle
0x415060 GetThreadTimes
0x415064 lstrcpyA
0x41506c CreateFileA
0x415070 GetLocaleInfoW
0x415074 LoadLibraryA
0x415078 GlobalAlloc
0x41507c GetProcessTimes
0x415080 EnumTimeFormatsA
0x415084 GetDriveTypeA
0x415088 EscapeCommFunction
0x41508c GetModuleHandleW
0x415090 GetCommProperties
0x415094 GetCurrentProcess
0x4150a0 ExitProcess
0x4150a4 FlushFileBuffers
0x4150a8 WriteConsoleW
0x4150ac GetConsoleOutputCP
0x4150b0 WriteConsoleA
0x4150bc Sleep
0x4150d0 HeapFree
0x4150dc IsDebuggerPresent
0x4150e0 GetCommandLineA
0x4150e4 GetStartupInfoA
0x4150e8 RtlUnwind
0x4150ec RaiseException
0x4150f0 LCMapStringA
0x4150f4 WideCharToMultiByte
0x4150f8 MultiByteToWideChar
0x4150fc LCMapStringW
0x415100 GetCPInfo
0x415104 HeapAlloc
0x415108 HeapCreate
0x41510c VirtualFree
0x415110 VirtualAlloc
0x415114 HeapReAlloc
0x415118 TlsGetValue
0x41511c TlsAlloc
0x415120 TlsSetValue
0x415124 TlsFree
0x415128 SetLastError
0x41512c GetCurrentThreadId
0x415130 ReadFile
0x415134 WriteFile
0x415138 GetConsoleCP
0x41513c GetConsoleMode
0x415140 GetStdHandle
0x415144 GetModuleFileNameA
0x415158 SetHandleCount
0x41515c GetFileType
0x415164 GetTickCount
0x415168 GetCurrentProcessId
0x415170 HeapSize
0x415174 GetACP
0x415178 GetOEMCP
0x41517c IsValidCodePage
0x415180 GetUserDefaultLCID
0x415184 GetLocaleInfoA
0x415188 EnumSystemLocalesA
0x41518c IsValidLocale
0x415190 GetStringTypeA
0x415194 GetStringTypeW
0x41519c SetFilePointer
0x4151a0 SetStdHandle
Library USER32.dll:
0x4151b0 GetScrollRange
0x4151b4 GetPropW
0x4151b8 PostMessageW
0x4151bc GetFocus
0x4151c0 SetScrollRange
Library GDI32.dll:
0x41501c EndPath
0x415020 FillPath
Library ADVAPI32.dll:
0x415004 GetUserNameA
Library MSIMG32.dll:
0x4151a8 TransparentBlt
Library WINHTTP.dll:
0x4151c8 WinHttpOpen
0x4151cc WinHttpCloseHandle

Exports

Ordinal Address Name
.text
`.rdata
@.data
.rsrc
@.reloc
bad allocation
string too long
invalid string position
Unknown exception
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
(null)
CorExitProcess
runtime error
Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
bad allocation
VirtualAlloc
Module32FirstW
zedoxirivixavizozesafacanemafi
kernel
ios_base::badbit set
ios_base::failbit set
ios_base::eofbit set
vector<T> too long
bad cast
ExitProcess
SetConsoleTextAttribute
GetCurrentProcess
GetCommProperties
GetModuleHandleW
EscapeCommFunction
EnumTimeFormatsA
GetDriveTypeA
GetProcessTimes
GlobalAlloc
LoadLibraryW
TerminateThread
TerminateProcess
SetComputerNameExW
GetLastError
GetProcAddress
SetProcessWorkingSetSize
SetCommMask
GetProcessAffinityMask
VirtualProtect
CreateToolhelp32Snapshot
DuplicateHandle
SetProcessShutdownParameters
CloseHandle
GetFileInformationByHandle
GetThreadTimes
lstrcpyA
LocalFileTimeToFileTime
KERNEL32.dll
GetPropW
GetScrollRange
SetScrollRange
GetFocus
PostMessageW
USER32.dll
FillPath
EndPath
GDI32.dll
SetSecurityDescriptorControl
LookupPrivilegeNameA
GetSecurityDescriptorControl
GetUserNameA
InitiateSystemShutdownW
GetSecurityDescriptorDacl
ADVAPI32.dll
TransparentBlt
MSIMG32.dll
WinHttpCloseHandle
WinHttpOpen
WINHTTP.dll
InterlockedIncrement
InterlockedDecrement
Sleep
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCommandLineA
GetStartupInfoA
RtlUnwind
RaiseException
LCMapStringA
WideCharToMultiByte
MultiByteToWideChar
LCMapStringW
GetCPInfo
HeapAlloc
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
ReadFile
WriteFile
GetConsoleCP
GetConsoleMode
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapSize
GetACP
GetOEMCP
IsValidCodePage
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeA
GetStringTypeW
InitializeCriticalSectionAndSpinCount
SetFilePointer
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
LoadLibraryA
GetLocaleInfoW
CreateFileA
.?AV_Locimp@locale@std@@
.?AVout_of_range@std@@
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
.?AVtype_info@@
.?AVbad_exception@std@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AV?$ctype@D@std@@
.?AUctype_base@std@@
.?AVfacet@locale@std@@
.?AV?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$basic_iostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_istream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
.?AV?$_Iosb@H@std@@
.?AVios_base@std@@
zacesilotamomoxi
detavu gosugugozebejegikivejoxegafu
.?AVruntime_error@std@@
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVfailure@ios_base@std@@
.?AVlength_error@std@@
.?AVbad_cast@std@@
.?AVbad_alloc@std@@
KERNEL32.DLL
(null)
mscoree.dll
kernel32.dll
hulonexesodamerureladu padocatuzumuruyajehu zikafupodecigosasetidiyojeyu xamilodedonekutiguyiloyojimi
VS_VERSION_INFO
StringFileInfo
457aa56b
InternalName
xesifun.exe
ProductVersion
5.8.1.75
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


bPbihjIjedK.exe, PID: 1620, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\bPbihjIjedK.exe
Command Line: "C:\Users\user\AppData\Local\Temp\bPbihjIjedK.exe"
winsvcs.exe, PID: 2616, Parent PID: 1620
Full Path: C:\Windows\495060393034060\winsvcs.exe
Command Line: C:\Windows\495060393034060\winsvcs.exe
2748840743.exe, PID: 2724, Parent PID: 2616
Full Path: C:\Users\user\AppData\Local\Temp\2748840743.exe
Command Line: C:\Users\user\AppData\Local\Temp\2748840743.exe
3056729674.exe, PID: 2092, Parent PID: 2616
Full Path: C:\Users\user\AppData\Local\Temp\3056729674.exe
Command Line: C:\Users\user\AppData\Local\Temp\3056729674.exe
winsvcs.exe, PID: 2316, Parent PID: 2724
Full Path: C:\Windows\806084767800850\winsvcs.exe
Command Line: C:\Windows\806084767800850\winsvcs.exe
2477229783.exe, PID: 2784, Parent PID: 2316
Full Path: C:\Users\user\AppData\Local\Temp\2477229783.exe
Command Line: C:\Users\user\AppData\Local\Temp\2477229783.exe
3009414284.exe, PID: 1220, Parent PID: 2316
Full Path: C:\Users\user\AppData\Local\Temp\3009414284.exe
Command Line: C:\Users\user\AppData\Local\Temp\3009414284.exe

Hosts

Direct IP Country Name
N 92.63.197.48 Russian Federation
Y 8.8.8.8 United States

TCP

Source Source Port Destination Destination Port
192.168.35.21 49168 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49169 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49170 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49171 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49174 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49175 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49177 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49179 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49187 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49190 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49191 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49192 92.63.197.48 slpsrgpsrhojifdij.ru 80

UDP

Source Source Port Destination Destination Port

DNS

Name Response Post-Analysis Lookup
slpsrgpsrhojifdij.ru A 92.63.197.48

HTTP Requests

URI Data
http://slpsrgpsrhojifdij.ru/1.exe
GET /1.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/2.exe
GET /2.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/3.exe
GET /3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/4.exe
GET /4.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/5.exe
GET /5.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://92.63.197.48/1.exe
GET /1.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/2.exe
GET /2.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/3.exe
GET /3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/5.exe
GET /5.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/4.exe
GET /4.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name winsvcs.exe
Associated Filenames
C:\Windows\495060393034060\winsvcs.exe
File Size 152576 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 44a81be517e01ab33abdba541a239b6e
SHA1 2890c3be34e4189fe0a11b4e60ff2b3203fcdd2a
SHA256 056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769
CRC32 3328869D
Ssdeep 3072:MupWc+2g2yM2BSwgtNSGv551zDb/Wvn006luxHE:MupxMcBDSGlzDbuvn00c
ClamAV None
Yara None matched
CAPE Yara None matched
File name 2748840743.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\2748840743.exe
C:\Windows\806084767800850\winsvcs.exe
C:\Users\user\AppData\Local\Temp\2477229783.exe
File Size 539648 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cb9d7ff8deb972b96917e88e0d56adac
SHA1 8ca2b46c42c7b413e9a24bdf2790f9260af0facf
SHA256 c2cb48209e590289e62a2e461ef9b00078b104aa359bdc02b64c695c9eb8cd27
CRC32 2161DC8B
Ssdeep 3072:G7UpE9lqoZ/WLpwsUPg7YSU2RrygKjFvwwwwwwlwwwwww2wwww4ByXrMlseFaEkX:G7V93ZeLpw1eU2RrygKFErMeeF3k
ClamAV None
Yara None matched
CAPE Yara None matched
File name 3056729674.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\3056729674.exe
C:\Users\user\AppData\Local\Temp\3009414284.exe
File Size 1209856 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a14a3a3036a1706408443e28399a15c1
SHA1 6e5cf7cbfddca89f0f8e54b7ba8f169cf6769237
SHA256 b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d
CRC32 E4E5533F
Ssdeep 24576:35mjsJNJuudqiKKES942zSl3DU0pqsDnRctBfdoJJlp/5LFYgNYpp6A3:35SstuCeS942G9DU0tRkfeJ/FqWYt3
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Process Name bPbihjIjedK.exe
PID 1620
Dump Size 34816 bytes
Module Path C:\Users\user\AppData\Local\Temp\bPbihjIjedK.exe
Type PE image: 32-bit executable
MD5 d1cf02949a50e60449e9b9d18886ad36
SHA1 860af83f7b7d9122770e6b67edb9e2ed48d6aa03
SHA256 3fff6352c85a67a83602ea4d8d68b2550e79fad5393792252dc7ddf038393476
CRC32 24646F6A
Ssdeep 768:ncbmwwftKmCFSWK/r87wccjhAu0UXBnrJP:ncb/wftKbtMj3rJ
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 3fff6352c85a67a83602ea4d8d68b2550e79fad5393792252dc7ddf038393476
Process Name 2748840743.exe
PID 2724
Dump Size 34816 bytes
Module Path C:\Users\user\AppData\Local\Temp\2748840743.exe
Type PE image: 32-bit executable
MD5 612d759790facbbbdfbff5178aa95c66
SHA1 cb838f28fe3fbfbc3e630a94291be35aa9ec7fb2
SHA256 02c265f83fc5bb03684f5158ffe73eede073f9a9fdac56bb2530b66569083b84
CRC32 12CF52FF
Ssdeep 768:zcbmwwftKmCFStK/r87wcTjhAu0UXBnTJP:zcb/wftKAtDj3TJ
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 02c265f83fc5bb03684f5158ffe73eede073f9a9fdac56bb2530b66569083b84
Process Name winsvcs.exe
PID 2616
Dump Size 34816 bytes
Module Path C:\Windows\495060393034060\winsvcs.exe
Type PE image: 32-bit executable
MD5 d0fab9c1dd3333e18b51c58753ef0a4c
SHA1 4edb69ef223d533199c8d510abc2512ebd802184
SHA256 3656be57fd64348ac8a03a0998386d167adb7c4d46383af6a7da1a503e8ab1d8
CRC32 C3672BD9
Ssdeep 768:ncbmwwftKmCFSWK/r87wccjhAu0UXBnsJP:ncb/wftKbtMj3sJ
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 3656be57fd64348ac8a03a0998386d167adb7c4d46383af6a7da1a503e8ab1d8
Process Name winsvcs.exe
PID 2316
Dump Size 34816 bytes
Module Path C:\Windows\806084767800850\winsvcs.exe
Type PE image: 32-bit executable
MD5 f179a5f267e66340d37121395ecf4e8d
SHA1 498bdbb85548450aff796bee9bb40c5f5cc65f5f
SHA256 480416649715caffb1deea28b80b7d51ef822e95a3a596be601c16c35653f39e
CRC32 B29EDC6B
Ssdeep 768:zcbmwwftKmCFStK/r87wcTjhAu0UXBnbJP:zcb/wftKAtDj3bJ
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 480416649715caffb1deea28b80b7d51ef822e95a3a596be601c16c35653f39e

Processing ( 218.519 seconds )

  • 213.165 BehaviorAnalysis
  • 1.922 CAPE
  • 1.244 Dropped
  • 0.728 NetworkAnalysis
  • 0.663 Static
  • 0.376 ProcDump
  • 0.274 TargetInfo
  • 0.095 TrID
  • 0.036 Deduplicate
  • 0.009 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug
  • 0.001 config_decoder

Signatures ( 70.272 seconds )

  • 13.739 antivm_generic_disk
  • 9.548 api_spamming
  • 9.399 bootkit
  • 8.988 decoy_document
  • 6.779 mimics_filetime
  • 5.311 virus
  • 5.186 reads_self
  • 5.1 stealth_file
  • 4.63 hancitor_behavior
  • 1.285 stealth_timeout
  • 0.067 webmail_phish
  • 0.04 secure_login_phish
  • 0.036 generic_phish
  • 0.023 network_document_http
  • 0.022 stealth_network
  • 0.018 wscript_downloader_http
  • 0.015 antisandbox_sleep
  • 0.01 antiav_detectreg
  • 0.004 persistence_autorun
  • 0.004 antiav_detectfile
  • 0.004 infostealer_ftp
  • 0.004 ransomware_files
  • 0.003 antiemu_wine_func
  • 0.003 dynamic_function_loading
  • 0.003 securityxploded_modules
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.003 network_torgateway
  • 0.003 ransomware_extensions
  • 0.002 malicious_dynamic_function_loading
  • 0.002 Doppelganging
  • 0.002 sets_autoconfig_url
  • 0.002 infostealer_browser_password
  • 0.002 ransomware_message
  • 0.002 kovter_behavior
  • 0.002 multiple_useragents
  • 0.002 antianalysis_detectreg
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.002 infostealer_mail
  • 0.001 mimics_agent
  • 0.001 tinba_behavior
  • 0.001 disables_spdy
  • 0.001 rat_nanocore
  • 0.001 exploit_getbasekerneladdress
  • 0.001 exploit_gethaldispatchtable
  • 0.001 antivm_vbox_libs
  • 0.001 InjectionCreateRemoteThread
  • 0.001 ipc_namedpipe
  • 0.001 disables_wfp
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 recon_checkip

Reporting ( 0.014 seconds )

  • 0.012 SubmitCAPE
  • 0.002 CompressResults
Task ID 29484
Mongo ID 5c36bf31f28488708e45b614
Cuckoo release 1.3-CAPE