Analysis

Category: FILE
Package: QakBot
Started: 2019-09-11 11:04:31
Completed: 2019-09-11 11:05:13
Duration: 42 seconds
Options: bp1 = 17887 (0x45df), bp0 = 42225 (0xa4f1)

Log
2019-09-11 12:04:32,000 [root] INFO: Date set to: 09-11-19, time set to: 11:04:32, timeout set to: 200
2019-09-11 12:04:32,015 [root] DEBUG: Starting analyzer from: C:\ksmaert
2019-09-11 12:04:32,015 [root] DEBUG: Storing results at: C:\POCebfAImL
2019-09-11 12:04:32,015 [root] DEBUG: Pipe server name: \\.\PIPE\oVaDxsbJn
2019-09-11 12:04:32,015 [root] INFO: Analysis package "QakBot" has been specified.
2019-09-11 12:04:32,312 [root] DEBUG: Started auxiliary module Browser
2019-09-11 12:04:32,312 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 12:04:32,312 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2019-09-11 12:04:32,529 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-09-11 12:04:32,529 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 12:04:32,529 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 12:04:32,529 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 12:04:32,529 [root] DEBUG: Started auxiliary module Human
2019-09-11 12:04:32,529 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 12:04:32,529 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 12:04:32,529 [root] DEBUG: Started auxiliary module Usage
2019-09-11 12:04:32,529 [root] INFO: Analyzer: DLL set to QakBot.dll from package modules.packages.QakBot
2019-09-11 12:04:32,529 [root] INFO: Analyzer: Package modules.packages.QakBot does not specify a DLL_64 option
2019-09-11 12:04:32,561 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe" with arguments "" with pid 1756
2019-09-11 12:04:32,561 [lib.api.process] INFO: Option 'bp1' with value '17887' sent to monitor
2019-09-11 12:04:32,561 [lib.api.process] INFO: Option 'bp0' with value '42225' sent to monitor
2019-09-11 12:04:32,561 [lib.api.process] INFO: Option 'base-on-api' with value 'NtWaitForSingleObject' sent to monitor
2019-09-11 12:04:32,561 [lib.api.process] INFO: 32-bit DLL to inject is C:\ksmaert\dll\ZGGEuz.dll, loader C:\ksmaert\bin\iJXgbCz.exe
2019-09-11 12:04:32,592 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVaDxsbJn.
2019-09-11 12:04:32,592 [root] DEBUG: Loader: Injecting process 1756 (thread 828) with C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:32,592 [root] DEBUG: Process image base: 0x00400000
2019-09-11 12:04:32,592 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:32,592 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x004AF000 - 0x77110000
2019-09-11 12:04:32,592 [root] DEBUG: InjectDllViaIAT: Allocated 0x1ec bytes for new import table at 0x004B0000.
2019-09-11 12:04:32,592 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 12:04:32,592 [root] DEBUG: Successfully injected DLL C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:32,592 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1756
2019-09-11 12:04:34,605 [lib.api.process] INFO: Successfully resumed process with pid 1756
2019-09-11 12:04:34,605 [root] INFO: Added new process to list with pid: 1756
2019-09-11 12:04:34,667 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-09-11 12:04:34,667 [root] DEBUG: bp1 set to 0x45df
2019-09-11 12:04:34,667 [root] DEBUG: bp0 set to 0xa4f1
2019-09-11 12:04:34,667 [root] DEBUG: Added 'NtWaitForSingleObject' to base-on-API list.
2019-09-11 12:04:34,730 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-09-11 12:04:34,730 [root] INFO: Disabling sleep skipping.
2019-09-11 12:04:34,730 [root] INFO: Disabling sleep skipping.
2019-09-11 12:04:34,730 [root] INFO: Disabling sleep skipping.
2019-09-11 12:04:34,730 [root] INFO: Disabling sleep skipping.
2019-09-11 12:04:34,730 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x350000
2019-09-11 12:04:34,730 [root] DEBUG: Debugger initialised.
2019-09-11 12:04:34,730 [root] DEBUG: CAPE initialised: 32-bit QakBot package loaded in process 1756 at 0x74940000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 12:04:34,730 [root] INFO: Monitor successfully loaded in process with pid 1756.
2019-09-11 12:04:34,744 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-09-11 12:04:34,760 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 2272.
2019-09-11 12:04:34,760 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1116.
2019-09-11 12:04:34,760 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 512.
2019-09-11 12:04:34,760 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 2168.
2019-09-11 12:04:34,760 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-09-11 12:04:34,760 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-09-11 12:04:34,760 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-09-11 12:04:34,760 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-09-11 12:04:34,776 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 12:04:34,776 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 12:04:34,776 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 12:04:34,776 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 12:04:34,776 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2019-09-11 12:04:34,792 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2019-09-11 12:04:34,792 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2019-09-11 12:04:34,792 [root] DEBUG: DLL loaded at 0x74530000: C:\Windows\system32\netutils (0x9000 bytes).
2019-09-11 12:04:34,792 [root] DEBUG: DLL loaded at 0x74510000: C:\Windows\system32\srvcli (0x19000 bytes).
2019-09-11 12:04:34,792 [root] DEBUG: GetHookCallerBase: thread 2272 (handle 0x0), return address 0x0355FB44, allocation base 0x03460000.
2019-09-11 12:04:34,792 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03460000.
2019-09-11 12:04:34,808 [root] DEBUG: DLL loaded at 0x744E0000: C:\Windows\system32\LOGONCLI (0x22000 bytes).
2019-09-11 12:04:34,822 [root] DEBUG: GetHookCallerBase: thread 512 (handle 0x0), return address 0x0335FB44, allocation base 0x03260000.
2019-09-11 12:04:34,822 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03260000.
2019-09-11 12:04:34,822 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03260000.
2019-09-11 12:04:34,822 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03360000.
2019-09-11 12:04:34,822 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03260000.
2019-09-11 12:04:34,822 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x03260000.
2019-09-11 12:04:34,822 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x03460000.
2019-09-11 12:04:34,822 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x03360000.
2019-09-11 12:04:34,822 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03560000.
2019-09-11 12:04:34,822 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x03560000.
2019-09-11 12:04:35,384 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-09-11 12:04:35,415 [root] INFO: Announced 32-bit process name: wgEdgfH.exe pid: 2692
2019-09-11 12:04:35,415 [lib.api.process] INFO: Option 'bp1' with value '17887' sent to monitor
2019-09-11 12:04:35,415 [lib.api.process] INFO: Option 'bp0' with value '42225' sent to monitor
2019-09-11 12:04:35,415 [lib.api.process] INFO: Option 'base-on-api' with value 'NtWaitForSingleObject' sent to monitor
2019-09-11 12:04:35,415 [lib.api.process] INFO: 32-bit DLL to inject is C:\ksmaert\dll\ZGGEuz.dll, loader C:\ksmaert\bin\iJXgbCz.exe
2019-09-11 12:04:35,415 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVaDxsbJn.
2019-09-11 12:04:35,415 [root] DEBUG: Loader: Injecting process 2692 (thread 2740) with C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:35,415 [root] DEBUG: Process image base: 0x00400000
2019-09-11 12:04:35,415 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:35,415 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x004AF000 - 0x77110000
2019-09-11 12:04:35,415 [root] DEBUG: InjectDllViaIAT: Allocated 0x1ec bytes for new import table at 0x004B0000.
2019-09-11 12:04:35,415 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 12:04:35,415 [root] DEBUG: Successfully injected DLL C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:35,415 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2692
2019-09-11 12:04:35,415 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 828.
2019-09-11 12:04:35,415 [root] DEBUG: GetHookCallerBase: thread 828 (handle 0xc4), return address 0x00404175, allocation base 0x00400000.
2019-09-11 12:04:35,415 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00400000.
2019-09-11 12:04:35,415 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x0040B0F1.
2019-09-11 12:04:35,415 [root] DEBUG: 0x40b0f1 (02) 0000                     ADD [EAX], AL
2019-09-11 12:04:35,415 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x004051DF.
2019-09-11 12:04:35,415 [root] DEBUG: 0x4051df (01) f4                       HLT
2019-09-11 12:04:35,431 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00400000.
2019-09-11 12:04:35,431 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-09-11 12:04:35,431 [root] DEBUG: bp1 set to 0x45df
2019-09-11 12:04:35,431 [root] DEBUG: bp0 set to 0xa4f1
2019-09-11 12:04:35,431 [root] DEBUG: Added 'NtWaitForSingleObject' to base-on-API list.
2019-09-11 12:04:35,431 [root] INFO: Disabling sleep skipping.
2019-09-11 12:04:35,431 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-09-11 12:04:35,431 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1d0000
2019-09-11 12:04:35,431 [root] DEBUG: Debugger initialised.
2019-09-11 12:04:35,431 [root] DEBUG: CAPE initialised: 32-bit QakBot package loaded in process 2692 at 0x74940000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 12:04:35,431 [root] INFO: Added new process to list with pid: 2692
2019-09-11 12:04:35,431 [root] INFO: Monitor successfully loaded in process with pid 2692.
2019-09-11 12:04:35,447 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-09-11 12:04:35,447 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-09-11 12:04:35,447 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-09-11 12:04:35,447 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-09-11 12:04:35,447 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-09-11 12:04:35,447 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2019-09-11 12:04:35,447 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2019-09-11 12:04:35,447 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2019-09-11 12:04:35,447 [root] DEBUG: DLL loaded at 0x74530000: C:\Windows\system32\netutils (0x9000 bytes).
2019-09-11 12:04:35,447 [root] DEBUG: DLL loaded at 0x74510000: C:\Windows\system32\srvcli (0x19000 bytes).
2019-09-11 12:04:35,447 [root] DEBUG: DLL loaded at 0x744E0000: C:\Windows\system32\LOGONCLI (0x22000 bytes).
2019-09-11 12:04:36,023 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 2740.
2019-09-11 12:04:36,023 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 12:04:36,023 [root] DEBUG: GetHookCallerBase: thread 2740 (handle 0xc4), return address 0x0040363E, allocation base 0x00400000.
2019-09-11 12:04:36,023 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00400000.
2019-09-11 12:04:36,023 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x0040B0F1.
2019-09-11 12:04:36,023 [root] DEBUG: 0x40b0f1 (02) 0000                     ADD [EAX], AL
2019-09-11 12:04:36,023 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x004051DF.
2019-09-11 12:04:36,023 [root] DEBUG: 0x4051df (01) f4                       HLT
2019-09-11 12:04:36,023 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00400000.
2019-09-11 12:04:36,023 [root] INFO: Notified of termination of process with pid 2692.
2019-09-11 12:04:36,023 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\wtsapi32 (0xd000 bytes).
2019-09-11 12:04:36,055 [root] DEBUG: DLL loaded at 0x744A0000: C:\Windows\system32\WINSTA (0x29000 bytes).
2019-09-11 12:04:36,071 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 828.
2019-09-11 12:04:36,071 [root] DEBUG: GetHookCallerBase: thread 828 (handle 0xc4), return address 0x0040F725, allocation base 0x00400000.
2019-09-11 12:04:36,086 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00400000.
2019-09-11 12:04:36,101 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x0040B0F1.
2019-09-11 12:04:36,118 [root] DEBUG: 0x40b0f1 (02) 0000                     ADD [EAX], AL
2019-09-11 12:04:36,118 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x004051DF.
2019-09-11 12:04:36,118 [root] DEBUG: 0x4051df (01) f4                       HLT
2019-09-11 12:04:36,118 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00400000.
2019-09-11 12:04:36,134 [root] DEBUG: DLL loaded at 0x74480000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2019-09-11 12:04:36,243 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-09-11 12:04:36,257 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-09-11 12:04:36,289 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-09-11 12:04:36,335 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-09-11 12:04:36,351 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-09-11 12:04:36,368 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-09-11 12:04:36,414 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-09-11 12:04:36,460 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-09-11 12:04:36,507 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1324.
2019-09-11 12:04:36,507 [root] DEBUG: GetHookCallerBase: thread 1324 (handle 0x0), return address 0x044BF9B8, allocation base 0x043C0000.
2019-09-11 12:04:36,539 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x043C0000.
2019-09-11 12:04:36,569 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x043C0000.
2019-09-11 12:04:36,569 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1324.
2019-09-11 12:04:36,569 [root] DEBUG: GetHookCallerBase: thread 1324 (handle 0x0), return address 0x044BF9B8, allocation base 0x043C0000.
2019-09-11 12:04:36,569 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x043C0000.
2019-09-11 12:04:36,585 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x043C0000.
2019-09-11 12:04:36,585 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1324.
2019-09-11 12:04:36,585 [root] DEBUG: GetHookCallerBase: thread 1324 (handle 0x0), return address 0x044BF9B8, allocation base 0x043C0000.
2019-09-11 12:04:36,601 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x043C0000.
2019-09-11 12:04:36,601 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x043C0000.
2019-09-11 12:04:36,601 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-09-11 12:04:36,632 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-09-11 12:04:36,632 [root] INFO: Process with pid 2692 has terminated
2019-09-11 12:04:36,632 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-09-11 12:04:36,664 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2808
2019-09-11 12:04:36,664 [lib.api.process] INFO: Option 'bp1' with value '17887' sent to monitor
2019-09-11 12:04:36,664 [lib.api.process] INFO: Option 'bp0' with value '42225' sent to monitor
2019-09-11 12:04:36,664 [lib.api.process] INFO: Option 'base-on-api' with value 'NtWaitForSingleObject' sent to monitor
2019-09-11 12:04:36,664 [lib.api.process] INFO: 32-bit DLL to inject is C:\ksmaert\dll\ZGGEuz.dll, loader C:\ksmaert\bin\iJXgbCz.exe
2019-09-11 12:04:36,680 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVaDxsbJn.
2019-09-11 12:04:36,680 [root] DEBUG: Loader: Injecting process 2808 (thread 2860) with C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:36,680 [root] DEBUG: Process image base: 0x4A770000
2019-09-11 12:04:36,694 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:36,694 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x4A7BC000 - 0x77110000
2019-09-11 12:04:36,694 [root] DEBUG: InjectDllViaIAT: Allocated 0x19c bytes for new import table at 0x4A7C0000.
2019-09-11 12:04:36,694 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 12:04:36,710 [root] DEBUG: Successfully injected DLL C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:36,710 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2808
2019-09-11 12:04:36,710 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-09-11 12:04:36,710 [root] DEBUG: DLL unloaded from 0x74380000.
2019-09-11 12:04:36,710 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-09-11 12:04:36,710 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-09-11 12:04:36,710 [root] DEBUG: bp1 set to 0x45df
2019-09-11 12:04:36,710 [root] DEBUG: bp0 set to 0xa4f1
2019-09-11 12:04:36,726 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-09-11 12:04:36,726 [root] DEBUG: Added 'NtWaitForSingleObject' to base-on-API list.
2019-09-11 12:04:36,726 [root] DEBUG: DLL unloaded from 0x74380000.
2019-09-11 12:04:36,726 [root] INFO: Disabling sleep skipping.
2019-09-11 12:04:36,726 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 828.
2019-09-11 12:04:36,726 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-09-11 12:04:36,726 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 12:04:36,726 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x270000
2019-09-11 12:04:36,726 [root] DEBUG: GetHookCallerBase: thread 828 (handle 0xc4), return address 0x0040363E, allocation base 0x00400000.
2019-09-11 12:04:36,726 [root] DEBUG: Debugger initialised.
2019-09-11 12:04:36,726 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00400000.
2019-09-11 12:04:36,726 [root] DEBUG: CAPE initialised: 32-bit QakBot package loaded in process 2808 at 0x74940000, image base 0x4a770000, stack from 0x173000-0x270000
2019-09-11 12:04:36,726 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x0040B0F1.
2019-09-11 12:04:36,726 [root] INFO: Added new process to list with pid: 2808
2019-09-11 12:04:36,742 [root] DEBUG: 0x40b0f1 (02) 0000                     ADD [EAX], AL
2019-09-11 12:04:36,742 [root] INFO: Monitor successfully loaded in process with pid 2808.
2019-09-11 12:04:36,742 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x004051DF.
2019-09-11 12:04:36,742 [root] DEBUG: 0x4051df (01) f4                       HLT
2019-09-11 12:04:36,742 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00400000.
2019-09-11 12:04:36,742 [root] DEBUG: DLL unloaded from 0x74870000.
2019-09-11 12:04:36,757 [root] INFO: Notified of termination of process with pid 1756.
2019-09-11 12:04:36,757 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1552.
2019-09-11 12:04:36,757 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-09-11 12:04:36,757 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 12:04:36,757 [root] DEBUG: GetHookCallerBase: thread 1552 (handle 0x0), return address 0x035AF9D0, allocation base 0x034B0000.
2019-09-11 12:04:36,773 [root] INFO: Announced 32-bit process name: PING.EXE pid: 2672
2019-09-11 12:04:36,773 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x034B0000.
2019-09-11 12:04:36,773 [lib.api.process] INFO: Option 'bp1' with value '17887' sent to monitor
2019-09-11 12:04:36,773 [lib.api.process] INFO: Option 'bp0' with value '42225' sent to monitor
2019-09-11 12:04:36,773 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x034B0000.
2019-09-11 12:04:36,773 [lib.api.process] INFO: Option 'base-on-api' with value 'NtWaitForSingleObject' sent to monitor
2019-09-11 12:04:36,773 [lib.api.process] INFO: 32-bit DLL to inject is C:\ksmaert\dll\ZGGEuz.dll, loader C:\ksmaert\bin\iJXgbCz.exe
2019-09-11 12:04:36,773 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVaDxsbJn.
2019-09-11 12:04:36,773 [root] DEBUG: Loader: Injecting process 2672 (thread 1468) with C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:36,773 [root] DEBUG: Process image base: 0x00190000
2019-09-11 12:04:36,773 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:36,773 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00198000 - 0x00260000
2019-09-11 12:04:36,773 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x001A0000.
2019-09-11 12:04:36,773 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 12:04:36,789 [root] DEBUG: Successfully injected DLL C:\ksmaert\dll\ZGGEuz.dll.
2019-09-11 12:04:36,789 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2672
2019-09-11 12:04:36,789 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 2860.
2019-09-11 12:04:36,789 [root] DEBUG: GetHookCallerBase: thread 2860 (handle 0xd0), return address 0x4A773BFC, allocation base 0x4A770000.
2019-09-11 12:04:36,789 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x4A770000.
2019-09-11 12:04:36,789 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-09-11 12:04:36,789 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x4A77B0F1.
2019-09-11 12:04:36,789 [root] DEBUG: bp1 set to 0x45df
2019-09-11 12:04:36,789 [root] DEBUG: 0x4a77b0f1 (02) ebff                     JMP 0x1
2019-09-11 12:04:36,789 [root] DEBUG: bp0 set to 0xa4f1
2019-09-11 12:04:36,789 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x4A7751DF.
2019-09-11 12:04:36,789 [root] DEBUG: Added 'NtWaitForSingleObject' to base-on-API list.
2019-09-11 12:04:36,789 [root] DEBUG: 0x4a7751df (01) fc                       CLD
2019-09-11 12:04:36,803 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x4A770000.
2019-09-11 12:04:36,803 [root] INFO: Disabling sleep skipping.
2019-09-11 12:04:36,803 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-09-11 12:04:36,803 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0xd0000
2019-09-11 12:04:36,803 [root] DEBUG: Debugger initialised.
2019-09-11 12:04:36,803 [root] DEBUG: CAPE initialised: 32-bit QakBot package loaded in process 2672 at 0x74940000, image base 0x190000, stack from 0x116000-0x120000
2019-09-11 12:04:36,819 [root] INFO: Added new process to list with pid: 2672
2019-09-11 12:04:36,819 [root] INFO: Monitor successfully loaded in process with pid 2672.
2019-09-11 12:04:36,819 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:36,819 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 12:04:36,819 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x00192976, allocation base 0x00190000.
2019-09-11 12:04:36,819 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:36,835 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:36,835 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 2348.
2019-09-11 12:04:36,835 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:36,835 [root] DEBUG: GetHookCallerBase: thread 2348 (handle 0x0), return address 0x01D0F708, allocation base 0x01CD0000.
2019-09-11 12:04:36,835 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:36,835 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x01CD0000.
2019-09-11 12:04:36,835 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:36,835 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x01CD0000.
2019-09-11 12:04:36,835 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:36,835 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:36,835 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x001922F0, allocation base 0x00190000.
2019-09-11 12:04:36,835 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:36,835 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:36,835 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:36,851 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:36,851 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:36,851 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:36,851 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-09-11 12:04:36,851 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-09-11 12:04:36,867 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:36,867 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 596.
2019-09-11 12:04:36,867 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x00192431, allocation base 0x00190000.
2019-09-11 12:04:36,867 [root] DEBUG: GetHookCallerBase: thread 596 (handle 0x0), return address 0x0336F9CC, allocation base 0x03330000.
2019-09-11 12:04:36,867 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:36,867 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03330000.
2019-09-11 12:04:36,867 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x03330000.
2019-09-11 12:04:36,867 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:36,867 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:36,867 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:36,881 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:36,881 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:37,647 [root] INFO: Process with pid 1756 has terminated
2019-09-11 12:04:37,895 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:37,895 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 596.
2019-09-11 12:04:37,895 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x00192431, allocation base 0x00190000.
2019-09-11 12:04:37,895 [root] DEBUG: GetHookCallerBase: thread 596 (handle 0x0), return address 0x0336F9CC, allocation base 0x03330000.
2019-09-11 12:04:37,895 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:37,895 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03330000.
2019-09-11 12:04:37,895 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:37,895 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x03330000.
2019-09-11 12:04:37,895 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:37,895 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:37,911 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:37,911 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:38,926 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:38,926 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 596.
2019-09-11 12:04:39,299 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x00192431, allocation base 0x00190000.
2019-09-11 12:04:39,299 [root] DEBUG: GetHookCallerBase: thread 596 (handle 0x0), return address 0x0336F9CC, allocation base 0x03330000.
2019-09-11 12:04:39,299 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:39,299 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03330000.
2019-09-11 12:04:39,299 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:39,299 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:39,299 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x03330000.
2019-09-11 12:04:39,299 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:39,299 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:39,299 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:40,313 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:40,313 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 596.
2019-09-11 12:04:40,313 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x00192431, allocation base 0x00190000.
2019-09-11 12:04:40,313 [root] DEBUG: GetHookCallerBase: thread 596 (handle 0x0), return address 0x0336F9CC, allocation base 0x03330000.
2019-09-11 12:04:40,313 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:40,313 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03330000.
2019-09-11 12:04:40,313 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:40,313 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x03330000.
2019-09-11 12:04:40,313 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:40,313 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:40,313 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:40,313 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:41,328 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 596.
2019-09-11 12:04:41,328 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:41,328 [root] DEBUG: GetHookCallerBase: thread 596 (handle 0x0), return address 0x0336F9CC, allocation base 0x03330000.
2019-09-11 12:04:41,328 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x00192431, allocation base 0x00190000.
2019-09-11 12:04:41,328 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03330000.
2019-09-11 12:04:41,328 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:41,328 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x03330000.
2019-09-11 12:04:41,328 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:41,328 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:41,328 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:41,328 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:41,328 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:42,342 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:42,342 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 596.
2019-09-11 12:04:42,342 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x00192431, allocation base 0x00190000.
2019-09-11 12:04:42,342 [root] DEBUG: GetHookCallerBase: thread 596 (handle 0x0), return address 0x0336F9CC, allocation base 0x03330000.
2019-09-11 12:04:42,342 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:42,342 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x03330000.
2019-09-11 12:04:42,342 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:42,342 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x03330000.
2019-09-11 12:04:42,342 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:42,342 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:42,342 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:42,342 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:42,342 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:42,342 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x00191758, allocation base 0x00190000.
2019-09-11 12:04:42,358 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:42,358 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:42,358 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:42,358 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:42,358 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:42,358 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:42,358 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:42,358 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x001927D7, allocation base 0x00190000.
2019-09-11 12:04:42,358 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:42,358 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:42,358 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:42,358 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:42,374 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:42,374 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:42,374 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:42,374 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x001927D7, allocation base 0x00190000.
2019-09-11 12:04:42,374 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:42,374 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:42,374 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:42,374 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:42,374 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:42,374 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:42,374 [root] DEBUG: DLL unloaded from 0x74BE0000.
2019-09-11 12:04:42,388 [root] DEBUG: DLL unloaded from 0x74BF0000.
2019-09-11 12:04:42,388 [root] DEBUG: DLL unloaded from 0x75140000.
2019-09-11 12:04:42,388 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 1468.
2019-09-11 12:04:42,388 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 12:04:42,388 [root] DEBUG: GetHookCallerBase: thread 1468 (handle 0xd4), return address 0x00191B2A, allocation base 0x00190000.
2019-09-11 12:04:42,388 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x00190000.
2019-09-11 12:04:42,388 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:42,388 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:42,388 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x00190000.
2019-09-11 12:04:42,388 [root] DEBUG: 0x190000 (01) 4d                       DEC EBP
2019-09-11 12:04:42,404 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x00190000.
2019-09-11 12:04:42,404 [root] INFO: Notified of termination of process with pid 2672.
2019-09-11 12:04:42,732 [root] INFO: Process with pid 2672 has terminated
2019-09-11 12:04:42,763 [root] DEBUG: DLL unloaded from 0x75140000.
2019-09-11 12:04:42,763 [root] DEBUG: Base-on-API: NtWaitForSingleObject call detected in thread 2860.
2019-09-11 12:04:42,763 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 12:04:42,763 [root] DEBUG: GetHookCallerBase: thread 2860 (handle 0xd0), return address 0x4A777302, allocation base 0x4A770000.
2019-09-11 12:04:42,779 [root] DEBUG: SetInitialBreakpoints: ImageBase set to 0x4A770000.
2019-09-11 12:04:42,779 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x4A77B0F1.
2019-09-11 12:04:42,779 [root] DEBUG: 0x4a77b0f1 (02) ebff                     JMP 0x1
2019-09-11 12:04:42,779 [root] DEBUG: FileOffsetToVA: Debug - VA = 0x4A7751DF.
2019-09-11 12:04:42,779 [root] DEBUG: 0x4a7751df (01) fc                       CLD
2019-09-11 12:04:42,779 [root] DEBUG: Base-on-API: Failed to set breakpoints on 0x4A770000.
2019-09-11 12:04:42,779 [root] INFO: Notified of termination of process with pid 2808.
2019-09-11 12:04:43,746 [root] INFO: Process with pid 2808 has terminated
2019-09-11 12:04:56,927 [root] INFO: Process list is empty, terminating analysis.
2019-09-11 12:04:57,941 [root] INFO: Created shutdown mutex.
2019-09-11 12:04:58,956 [root] INFO: Shutting down package.
2019-09-11 12:04:58,956 [root] INFO: Stopping auxiliary modules.
2019-09-11 12:04:58,956 [root] INFO: Finishing auxiliary modules.
2019-09-11 12:04:58,956 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 12:04:58,956 [root] WARNING: File at path "C:\POCebfAImL\debugger" does not exist, skip.
2019-09-11 12:04:58,956 [root] INFO: Analysis completed.

MalScore

6.3

Malicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-09-11 11:04:32
Shutdown On 2019-09-11 11:05:13

File Details

File Name e1ba86ca89b38e861b8bacb23ec9ccf5b9bbb47a6e012a5502e1f1e33bd01dde
File Size 704512 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 65b56c397706faeffeb98f5b59e9d6c7
SHA1 92e2cc1372d7b7d480a68c94baa22a33bab221f8
SHA256 e1ba86ca89b38e861b8bacb23ec9ccf5b9bbb47a6e012a5502e1f1e33bd01dde
SHA512 f4be8243b1d1140b60987bde3a4f64c8f9ed706cba1f297e787ba90fb260c6167f16500d0fb10dc18d5bd177797bfcf89ad51394c097290ba57dfdffe6f517cb
CRC32 939DE834
Ssdeep 12288:OLx4QlvnmOXIjsinKr0AVW+8VUAk098R2/SOFB8yjArpFCI1vgJA4xrxYS:OLxDvnmdjs+Kr0AVW+EUz098Y/jm5Vgj
TrID
  • 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 26.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 11.8% (.EXE) OS/2 Executable (generic) (2029/13)
  • 11.6% (.EXE) Generic Win/DOS Executable (2002/3)
  • 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: wgEdgfH.exe, PID 1756
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: msvcrt.dll/strncpy
DynamicLoader: msvcrt.dll/_ftol2_sse
DynamicLoader: msvcrt.dll/_ltoa
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/strchr
DynamicLoader: msvcrt.dll/_wtol
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: msvcrt.dll/memset
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: SHLWAPI.dll/wvnsprintfA
DynamicLoader: SHLWAPI.dll/wvnsprintfW
DynamicLoader: SHLWAPI.dll/StrStrW
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: SHLWAPI.dll/PathUnquoteSpacesW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceRegistryPropertyA
DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsA
DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInfo
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/lstrcpynW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/GetEnvironmentVariableA
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LoadResource
DynamicLoader: kernel32.dll/SizeofResource
DynamicLoader: kernel32.dll/FindResourceA
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableA
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetWindowsDirectoryW
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetThreadContext
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetFileAttributesA
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: USER32.dll/CharUpperBuffA
DynamicLoader: USER32.dll/CharUpperBuffW
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: ADVAPI32.dll/RegisterServiceCtrlHandlerA
DynamicLoader: ADVAPI32.dll/StartServiceCtrlDispatcherA
DynamicLoader: ADVAPI32.dll/SetServiceStatus
DynamicLoader: ADVAPI32.dll/EqualSid
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: ADVAPI32.dll/RegLoadKeyW
DynamicLoader: ADVAPI32.dll/RegUnLoadKeyW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/SetFileSecurityW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: NETAPI32.dll/NetApiBufferFree
DynamicLoader: NETAPI32.dll/NetUserEnum
DynamicLoader: NETAPI32.dll/NetGetDCName
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: kernel32.dll/Module32First
DynamicLoader: kernel32.dll/Module32Next
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentDirectoryA
DynamicLoader: kernel32.dll/SetCurrentDirectoryA
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/MoveFileA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetVolumeInformationA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/InterlockedCompareExchange
DynamicLoader: ntdll.dll/ZwQueryInformationThread
DynamicLoader: ntdll.dll/RtlGetVersion
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyA
DynamicLoader: ADVAPI32.dll/RegEnumValueA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegDeleteValueA
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/SetEntriesInAclA
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoA
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/LookupAccountSidA
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: SHELL32.dll/ShellExecuteA
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtDuplicateObject
DynamicLoader: ntdll.dll/NtQueryObject
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/SendMessageA
DynamicLoader: USER32.dll/PostMessageA
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/RegisterClassExA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/UnregisterClassA
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/PostQuitMessage
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: wtsapi32.dll/WTSQueryUserToken
DynamicLoader: wtsapi32.dll/WTSEnumerateSessionsW
DynamicLoader: wtsapi32.dll/WTSFreeMemory
DynamicLoader: WINSTA.dll/WinStationEnumerateW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: ADVAPI32.dll/CreateWellKnownSid
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: WINSTA.dll/WinStationFreeMemory
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamGetCompatibilityMode
DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer
DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamEnumerateUsersInDomain
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LsaOpenPolicy
DynamicLoader: ADVAPI32.dll/LsaQueryInformationPolicy
DynamicLoader: netutils.dll/NetApiBufferAllocate
DynamicLoader: ADVAPI32.dll/LsaFreeMemory
DynamicLoader: ADVAPI32.dll/LsaClose
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: msvcrt.dll/strncpy
DynamicLoader: msvcrt.dll/_ftol2_sse
DynamicLoader: msvcrt.dll/_ltoa
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/strchr
DynamicLoader: msvcrt.dll/_wtol
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: msvcrt.dll/memset
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: SHLWAPI.dll/wvnsprintfA
DynamicLoader: SHLWAPI.dll/wvnsprintfW
DynamicLoader: SHLWAPI.dll/StrStrW
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: SHLWAPI.dll/PathUnquoteSpacesW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceRegistryPropertyA
DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsA
DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInfo
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/lstrcpynW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/GetEnvironmentVariableA
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LoadResource
DynamicLoader: kernel32.dll/SizeofResource
DynamicLoader: kernel32.dll/FindResourceA
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableA
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetWindowsDirectoryW
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetThreadContext
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetFileAttributesA
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: USER32.dll/CharUpperBuffA
DynamicLoader: USER32.dll/CharUpperBuffW
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: ADVAPI32.dll/RegisterServiceCtrlHandlerA
DynamicLoader: ADVAPI32.dll/StartServiceCtrlDispatcherA
DynamicLoader: ADVAPI32.dll/SetServiceStatus
DynamicLoader: ADVAPI32.dll/EqualSid
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: ADVAPI32.dll/RegLoadKeyW
DynamicLoader: ADVAPI32.dll/RegUnLoadKeyW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/SetFileSecurityW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: NETAPI32.dll/NetApiBufferFree
DynamicLoader: NETAPI32.dll/NetUserEnum
DynamicLoader: NETAPI32.dll/NetGetDCName
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: kernel32.dll/Module32First
DynamicLoader: kernel32.dll/Module32Next
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentDirectoryA
DynamicLoader: kernel32.dll/SetCurrentDirectoryA
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/MoveFileA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetVolumeInformationA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/InterlockedCompareExchange
DynamicLoader: ntdll.dll/ZwQueryInformationThread
DynamicLoader: ntdll.dll/RtlGetVersion
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyA
DynamicLoader: ADVAPI32.dll/RegEnumValueA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegDeleteValueA
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/SetEntriesInAclA
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoA
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/LookupAccountSidA
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: SHELL32.dll/ShellExecuteA
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtDuplicateObject
DynamicLoader: ntdll.dll/NtQueryObject
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/SendMessageA
DynamicLoader: USER32.dll/PostMessageA
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/RegisterClassExA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/UnregisterClassA
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/PostQuitMessage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: mswsock.dll/WSPStartup
DynamicLoader: wshtcpip.dll/WSHOpenSocket
DynamicLoader: wshtcpip.dll/WSHOpenSocket2
DynamicLoader: wshtcpip.dll/WSHJoinLeaf
DynamicLoader: wshtcpip.dll/WSHNotify
DynamicLoader: wshtcpip.dll/WSHGetSocketInformation
DynamicLoader: wshtcpip.dll/WSHSetSocketInformation
DynamicLoader: wshtcpip.dll/WSHGetSockaddrType
DynamicLoader: wshtcpip.dll/WSHGetWildcardSockaddr
DynamicLoader: wshtcpip.dll/WSHGetBroadcastSockaddr
DynamicLoader: wshtcpip.dll/WSHAddressToString
DynamicLoader: wshtcpip.dll/WSHStringToAddress
DynamicLoader: wshtcpip.dll/WSHIoctl
A process created a hidden window
Process: wgEdgfH.exe -> C:\Users\user\AppData\Local\Temp\wgEdgfH.exe /C
Process: wgEdgfH.exe -> cmd.exe
The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 7.96, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x000a0000, virtual_size: 0x000a28fc
A ping command was executed with the -n argument possibly to delay analysis
command: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
command: cmd.exe /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
command: C:\Windows\system32\PING.EXE ping.exe -n 6 127.0.0.1
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
command: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
command: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
command: cmd.exe /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
command: cmd.exe /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
command: cmd.exe /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
command: C:\Windows\system32\PING.EXE ping.exe -n 6 127.0.0.1

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\INTERNAL\__empty
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
\??\PIPE\samr
C:\Users\user\AppData\Local\Temp\wgEdgfH.exe.cfg
\??\MountPointManager
C:\hiberfil.sysss
C:\Users\user\AppData\Local\Temp
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp\ping.exe
C:\Users\user\AppData\Local\Temp\ping.exe.*
C:\Windows\System32\PING.EXE
C:\Users\user\AppData\Local\Temp\wgEdgfH.exe
C:\Windows\System32\calc.exe
\??\Nsi
C:\Windows\Globalization\Sorting\sortdefault.nls
\??\PIPE\samr
C:\Windows\System32\calc.exe
\??\PIPE\samr
C:\Users\user\AppData\Local\Temp\wgEdgfH.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-500
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-501
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1002
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\Parameters\ExpectedDialupDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\wgEdgfH.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Parameters\Transports
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\Winsock
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\Mapping
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\Mapping
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip\WinSock 2.0 Provider ID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MinSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MaxSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\UseDelayedAcceptance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\HelperDllName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\Parameters\ExpectedDialupDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Parameters\Transports
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\Mapping
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\Mapping
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip\WinSock 2.0 Provider ID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MinSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MaxSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\UseDelayedAcceptance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\HelperDllName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
kernel32.dll.VirtualAlloc
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualProtect
kernel32.dll.FreeConsole
kernel32.dll.FlsFree
kernel32.dll.SetUnhandledExceptionFilter
msvcrt.dll.strncpy
msvcrt.dll._ftol2_sse
msvcrt.dll._ltoa
msvcrt.dll._except_handler3
msvcrt.dll.strchr
msvcrt.dll._wtol
msvcrt.dll.memcpy
msvcrt.dll.memset
userenv.dll.GetUserProfileDirectoryW
shlwapi.dll.wvnsprintfA
shlwapi.dll.wvnsprintfW
shlwapi.dll.StrStrW
shlwapi.dll.StrStrIW
shlwapi.dll.StrStrIA
shlwapi.dll.PathUnquoteSpacesW
ole32.dll.CoInitialize
ole32.dll.CoCreateInstance
ole32.dll.CoUninitialize
ole32.dll.CoSetProxyBlanket
ole32.dll.CoInitializeSecurity
ole32.dll.CoInitializeEx
shell32.dll.CommandLineToArgvW
shell32.dll.ShellExecuteW
shell32.dll.SHGetFolderPathW
setupapi.dll.SetupDiGetDeviceRegistryPropertyA
setupapi.dll.SetupDiGetClassDevsA
setupapi.dll.SetupDiEnumDeviceInfo
setupapi.dll.SetupDiDestroyDeviceInfoList
kernel32.dll.SystemTimeToFileTime
kernel32.dll.GetSystemTime
kernel32.dll.Sleep
kernel32.dll.lstrcpynW
kernel32.dll.CloseHandle
kernel32.dll.SetEvent
kernel32.dll.SleepEx
kernel32.dll.OpenEventA
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetLastError
kernel32.dll.FreeLibrary
kernel32.dll.GetModuleHandleA
kernel32.dll.ExitProcess
kernel32.dll.GetDriveTypeW
kernel32.dll.lstrcmpiW
kernel32.dll.lstrcmpA
kernel32.dll.CopyFileW
kernel32.dll.GetCommandLineW
kernel32.dll.lstrlenW
kernel32.dll.lstrlenA
kernel32.dll.lstrcmpiA
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.HeapCreate
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.GetExitCodeProcess
kernel32.dll.WaitForSingleObject
kernel32.dll.TerminateProcess
kernel32.dll.ResumeThread
kernel32.dll.WideCharToMultiByte
kernel32.dll.MultiByteToWideChar
kernel32.dll.lstrcatA
kernel32.dll.lstrcatW
kernel32.dll.lstrcpyA
kernel32.dll.GetLocalTime
kernel32.dll.GetEnvironmentVariableA
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.GetFileSize
kernel32.dll.CreateMutexA
kernel32.dll.OpenMutexA
kernel32.dll.ReleaseMutex
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentThread
kernel32.dll.LocalAlloc
kernel32.dll.LoadResource
kernel32.dll.SizeofResource
kernel32.dll.FindResourceA
kernel32.dll.GetSystemInfo
kernel32.dll.GetVersionExA
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetComputerNameW
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.SetEnvironmentVariableW
kernel32.dll.GetWindowsDirectoryW
kernel32.dll.GetTickCount
kernel32.dll.GetVolumeInformationW
kernel32.dll.GetModuleFileNameA
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.CreateEventA
kernel32.dll.GetThreadContext
kernel32.dll.TerminateThread
kernel32.dll.CreateThread
kernel32.dll.OpenProcess
kernel32.dll.VirtualFree
kernel32.dll.DeleteFileW
kernel32.dll.GetFileAttributesA
kernel32.dll.GetFileAttributesW
kernel32.dll.LocalFree
kernel32.dll.lstrcpyW
kernel32.dll.CreateDirectoryW
user32.dll.CharUpperBuffA
user32.dll.CharUpperBuffW
user32.dll.MessageBoxA
advapi32.dll.RegisterServiceCtrlHandlerA
advapi32.dll.StartServiceCtrlDispatcherA
advapi32.dll.SetServiceStatus
advapi32.dll.EqualSid
advapi32.dll.LookupAccountNameW
advapi32.dll.OpenProcessToken
advapi32.dll.OpenThreadToken
advapi32.dll.GetTokenInformation
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.ConvertSidToStringSidW
advapi32.dll.RegLoadKeyW
advapi32.dll.RegUnLoadKeyW
advapi32.dll.RegSetValueExW
advapi32.dll.RegQueryValueExW
advapi32.dll.SetFileSecurityW
advapi32.dll.RegDeleteValueW
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegCloseKey
advapi32.dll.RegEnumValueW
advapi32.dll.LookupAccountSidW
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.GetSidSubAuthorityCount
advapi32.dll.GetSidSubAuthority
advapi32.dll.CreateProcessAsUserW
netapi32.dll.NetApiBufferFree
netapi32.dll.NetUserEnum
netapi32.dll.NetGetDCName
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.Module32First
kernel32.dll.Module32Next
kernel32.dll.CreateRemoteThread
kernel32.dll.WriteProcessMemory
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.VirtualFreeEx
kernel32.dll.SetLastError
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.SetCurrentDirectoryA
kernel32.dll.CreateProcessA
kernel32.dll.SetFilePointer
kernel32.dll.SetEndOfFile
kernel32.dll.FindFirstFileA
kernel32.dll.FindNextFileA
kernel32.dll.FindClose
kernel32.dll.CreateFileA
kernel32.dll.CreateFileW
kernel32.dll.ReadFile
kernel32.dll.WriteFile
kernel32.dll.DeleteFileA
kernel32.dll.GetCurrentThreadId
kernel32.dll.MoveFileA
kernel32.dll.CreateDirectoryA
kernel32.dll.GetVolumeInformationA
kernel32.dll.OpenThread
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.VirtualProtectEx
kernel32.dll.InterlockedCompareExchange
ntdll.dll.ZwQueryInformationThread
ntdll.dll.RtlGetVersion
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegQueryInfoKeyA
advapi32.dll.RegEnumValueA
advapi32.dll.RegEnumKeyExA
advapi32.dll.RegSetValueExA
advapi32.dll.RegQueryValueExA
advapi32.dll.RegDeleteValueA
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.SetEntriesInAclA
advapi32.dll.SetNamedSecurityInfoA
advapi32.dll.FreeSid
advapi32.dll.LookupAccountSidA
shell32.dll.ShellExecuteA
kernel32.dll.CreateProcessW
sechost.dll.LookupAccountSidLocalW
kernel32.dll.IsWow64Process
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ntdll.dll.NtQuerySystemInformation
ntdll.dll.NtDuplicateObject
ntdll.dll.NtQueryObject
user32.dll.FindWindowA
user32.dll.SendMessageA
user32.dll.PostMessageA
user32.dll.GetForegroundWindow
user32.dll.RegisterClassExA
user32.dll.CreateWindowExA
user32.dll.ShowWindow
user32.dll.UpdateWindow
user32.dll.GetMessageA
user32.dll.TranslateMessage
user32.dll.DispatchMessageA
user32.dll.DestroyWindow
user32.dll.UnregisterClassA
user32.dll.DefWindowProcA
user32.dll.PostQuitMessage
wtsapi32.dll.WTSQueryUserToken
wtsapi32.dll.WTSEnumerateSessionsW
wtsapi32.dll.WTSFreeMemory
winsta.dll.WinStationEnumerateW
advapi32.dll.CreateWellKnownSid
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingSetAuthInfoExW
sechost.dll.LookupAccountNameLocalW
rpcrt4.dll.NdrClientCall2
rpcrt4.dll.RpcBindingFree
winsta.dll.WinStationFreeMemory
samlib.dll.SamConnect
samlib.dll.SamGetCompatibilityMode
samlib.dll.SamEnumerateDomainsInSamServer
samlib.dll.SamLookupDomainInSamServer
samlib.dll.SamFreeMemory
samlib.dll.SamOpenDomain
samlib.dll.SamEnumerateUsersInDomain
samlib.dll.SamCloseHandle
advapi32.dll.LsaOpenPolicy
advapi32.dll.LsaQueryInformationPolicy
netutils.dll.NetApiBufferAllocate
advapi32.dll.LsaFreeMemory
advapi32.dll.LsaClose
netutils.dll.NetApiBufferFree
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
oleaut32.dll.#9
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
mswsock.dll.WSPStartup
wshtcpip.dll.WSHOpenSocket
wshtcpip.dll.WSHOpenSocket2
wshtcpip.dll.WSHJoinLeaf
wshtcpip.dll.WSHNotify
wshtcpip.dll.WSHGetSocketInformation
wshtcpip.dll.WSHSetSocketInformation
wshtcpip.dll.WSHGetSockaddrType
wshtcpip.dll.WSHGetWildcardSockaddr
wshtcpip.dll.WSHGetBroadcastSockaddr
wshtcpip.dll.WSHAddressToString
wshtcpip.dll.WSHStringToAddress
wshtcpip.dll.WSHIoctl
C:\Users\user\AppData\Local\Temp\wgEdgfH.exe /C
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
cmd.exe /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
C:\Windows\system32\PING.EXE ping.exe -n 6 127.0.0.1
nipefkb

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x00401450
Reported Checksum 0x00000000
Actual Checksum 0x000b271f
Minimum OS Version 5.0
Compile Time 2019-09-10 21:57:15
Import Hash cae14a1256284f3b54a6bd8e0c38f315

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00002392 0x00003000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.22
.rdata 0x00004000 0x00000878 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.09
.data 0x00005000 0x000a28fc 0x000a0000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.96
.rsrc 0x000a8000 0x00006f76 0x00007000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.09

Imports

Library MPRAPI.dll:
Library RPCRT4.dll:
0x404028 UuidFromStringA
Library KERNEL32.dll:
0x404010 ResumeThread
0x404018 GetModuleHandleA
Library USERENV.dll:
Library CRYPT32.dll:
Library Secur32.dll:
0x404030 MakeSignature
Library IMM32.dll:
Library ole32.dll:
0x404040 CoTreatAsClass

.text
`.rdata
@.data
.rsrc
myapp.exe
MprAdminInterfaceTransportAdd
MPRAPI.dll
UuidFromStringA
RPCRT4.dll
GetModuleHandleA
ResumeThread
ApplicationRecoveryInProgress
KERNEL32.dll
RsopResetPolicySettingStatus
USERENV.dll
CertCreateSelfSignCertificate
CRYPT32.dll
MakeSignature
Secur32.dll
ImmDisableTextFrameService
IMM32.dll
CoTreatAsClass
ole32.dll
/SDMain
uAppEvnts
&Controls
5Themes
UTypes
SysInit
System
SysUtils
ImageHlp
KWindows
SysConst
CommCtrl
sActiveX
3Messages
CUxTheme
SyncObjs
^Classes
"RTLConsts
QTypInfo
CVariants
$VarUtils
+Graphics
Consts
8Registry
IniFiles
Forms
StdActns
(ShlObj
UrlMon
?WinInet
RegStr
*ShellAPI
YStrUtils
Clipbrd
ImgList
Dialogs
IDlgs
ExtCtrls
GraphUtil
dStdCtrls
EActnList
vMenus
Contnrs
Printers
WWinSpool
3CommDlg
FlatSB
RHelpIntfs
MultiMon
pkWER
MAINICON
$No topic-based help system installed
No help found for context
&Ignore
Not enough timers available
Canvas does not allow drawing
List index out of bounds (%d)+Out of memory while expanding memory stream
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Exception in safecall method
Floating point overflow
VS_VERSION_INFO
StringFileInfo
180904b0
Comments
Helps Spybot-S&D with WSC
CompanyName
Sun Microsystems, Inc.
FileDescription
Spybot-S&D Security Center launcher
FileVersion
1, 0, 0, 6
InternalName
SDMain
LegalCopyright
2006-2008 Sun Microsystems, Inc. All rights reserved.
LegalTrademarks
Spybot and Spybot - Search & Destroy are registered trademarks.
OriginalFilename
SDMain.exe
ProductName
Spybot - Search & Destroy
ProductVersion
1, 6, 0, 0
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree

  • wgEdgfH.exe 1756
    • wgEdgfH.exe 2692 /C
    • cmd.exe 2808 "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"

wgEdgfH.exe, PID: 1756, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\wgEdgfH.exe
Command Line: "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
wgEdgfH.exe, PID: 2692, Parent PID: 1756
Full Path: C:\Users\user\AppData\Local\Temp\wgEdgfH.exe
Command Line: C:\Users\user\AppData\Local\Temp\wgEdgfH.exe /C
cmd.exe, PID: 2808, Parent PID: 1756
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\AppData\Local\Temp\wgEdgfH.exe"
PING.EXE, PID: 2672, Parent PID: 2808
Full Path: C:\Windows\SysWOW64\PING.EXE
Command Line: ping.exe -n 6 127.0.0.1

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name wgEdgfH.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\wgEdgfH.exe
File Size 776192 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 60b7c0fead45f2066e5b805a91f4f0fc
SHA1 9018a7d6cdbe859a430e8794e73381f77c840be0
SHA256 80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22
CRC32 8D8F5F8E
Ssdeep 6144:Jv7Wc4dyC7dXNBzn68YoC+6VoQSkgrpZHqk61peBN1L+I8pfezYeWHMzyy14pL1k:JvSbJxPRC+XQSxb6Dc7RwIWHeGL7GOK
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Sorry! No process dumps.


Processing ( 4.109 seconds )

  • 1.136 Static
  • 1.063 CAPE
  • 0.996 Dropped
  • 0.384 BehaviorAnalysis
  • 0.321 TargetInfo
  • 0.117 TrID
  • 0.046 Strings
  • 0.033 Deduplicate
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.135 seconds )

  • 0.015 mimics_filetime
  • 0.011 decoy_document
  • 0.011 antiav_detectreg
  • 0.01 Doppelganging
  • 0.01 api_spamming
  • 0.006 ransomware_files
  • 0.005 infostealer_ftp
  • 0.004 antivm_generic_disk
  • 0.003 malicious_dynamic_function_loading
  • 0.003 bootkit
  • 0.003 stealth_file
  • 0.003 antiemu_wine_func
  • 0.003 dynamic_function_loading
  • 0.003 virus
  • 0.003 stealth_timeout
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 reads_self
  • 0.002 infostealer_browser_password
  • 0.002 persistence_autorun
  • 0.002 kovter_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 exploit_getbasekerneladdress
  • 0.001 injection_createremotethread
  • 0.001 betabot_behavior
  • 0.001 exploit_gethaldispatchtable
  • 0.001 InjectionCreateRemoteThread
  • 0.001 InjectionProcessHollowing
  • 0.001 cerber_behavior
  • 0.001 injection_runpe
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 90404
Mongo ID 5d78d4f2eac9b18670630be6
Cuckoo release 1.3-CAPE