Analysis

Category Package Started Completed Duration
FILE Extraction 2019-09-11 14:24:44 2019-09-11 14:28:32 228 seconds

Options:
route = internet
procdump = 0

Log:
2019-09-11 15:24:45,000 [root] INFO: Date set to: 09-11-19, time set to: 14:24:45, timeout set to: 200
2019-09-11 15:24:45,030 [root] DEBUG: Starting analyzer from: C:\syxyrpelnm
2019-09-11 15:24:45,030 [root] DEBUG: Storing results at: C:\MusksWW
2019-09-11 15:24:45,030 [root] DEBUG: Pipe server name: \\.\PIPE\RyWTPVlI
2019-09-11 15:24:45,030 [root] INFO: Analysis package "Extraction" has been specified.
2019-09-11 15:24:45,374 [root] DEBUG: Started auxiliary module Browser
2019-09-11 15:24:45,374 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 15:24:45,374 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 15:24:46,575 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2019-09-11 15:24:46,575 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 15:24:46,575 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 15:24:46,575 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 15:24:46,575 [root] DEBUG: Started auxiliary module Human
2019-09-11 15:24:46,575 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 15:24:46,575 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 15:24:46,575 [root] DEBUG: Started auxiliary module Usage
2019-09-11 15:24:46,575 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-09-11 15:24:46,575 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2019-09-11 15:24:46,621 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\mal.exe" with arguments "" with pid 532
2019-09-11 15:24:46,638 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-09-11 15:24:46,638 [lib.api.process] INFO: 32-bit DLL to inject is C:\syxyrpelnm\dll\hgrqPkA.dll, loader C:\syxyrpelnm\bin\HDGygqf.exe
2019-09-11 15:24:46,700 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RyWTPVlI.
2019-09-11 15:24:46,700 [root] DEBUG: Loader: Injecting process 532 (thread 1220) with C:\syxyrpelnm\dll\hgrqPkA.dll.
2019-09-11 15:24:46,700 [root] DEBUG: Process image base: 0x00400000
2019-09-11 15:24:46,700 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\syxyrpelnm\dll\hgrqPkA.dll.
2019-09-11 15:24:46,700 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00480000 - 0x77110000
2019-09-11 15:24:46,700 [root] DEBUG: InjectDllViaIAT: Allocated 0x164 bytes for new import table at 0x00480000.
2019-09-11 15:24:46,700 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 15:24:46,700 [root] DEBUG: Successfully injected DLL C:\syxyrpelnm\dll\hgrqPkA.dll.
2019-09-11 15:24:46,700 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 532
2019-09-11 15:24:48,711 [lib.api.process] INFO: Successfully resumed process with pid 532
2019-09-11 15:24:48,711 [root] INFO: Added new process to list with pid: 532
2019-09-11 15:24:48,759 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 15:24:48,759 [root] DEBUG: Process dumps disabled.
2019-09-11 15:24:48,805 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 15:24:48,805 [root] INFO: Disabling sleep skipping.
2019-09-11 15:24:48,822 [root] INFO: Disabling sleep skipping.
2019-09-11 15:24:48,822 [root] INFO: Disabling sleep skipping.
2019-09-11 15:24:48,822 [root] INFO: Disabling sleep skipping.
2019-09-11 15:24:48,822 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-09-11 15:24:48,822 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3b0000
2019-09-11 15:24:48,822 [root] DEBUG: Debugger initialised.
2019-09-11 15:24:48,822 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 532 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 15:24:48,822 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\mal.exe".
2019-09-11 15:24:48,822 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1498, Entropy 7.149893e+00
2019-09-11 15:24:48,822 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x1000 added to tracked regions.
2019-09-11 15:24:48,822 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-09-11 15:24:48,822 [root] INFO: Monitor successfully loaded in process with pid 532.
2019-09-11 15:24:48,884 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0x6000 added to tracked regions.
2019-09-11 15:24:48,884 [root] DEBUG: ProtectionHandler: Address: 0x00480000 (alloc base 0x00480000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2019-09-11 15:24:48,884 [root] DEBUG: ProtectionHandler: New code detected at (0x00480000), scanning for PE images.
2019-09-11 15:24:48,884 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x00486000.
2019-09-11 15:24:48,884 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x486000.
2019-09-11 15:24:48,884 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x00486000.
2019-09-11 15:24:48,884 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x486000.
2019-09-11 15:24:48,884 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00480000, TrackedRegion->RegionSize: 0x6000, thread 1220
2019-09-11 15:24:48,884 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xe0, Size=0x2, Address=0x00480000 and Type=0x1.
2019-09-11 15:24:48,884 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1220 type 1 at address 0x00480000, size 2 with Callback 0x747e7630.
2019-09-11 15:24:48,884 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00480000
2019-09-11 15:24:48,884 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xe0, Size=0x4, Address=0x0048003C and Type=0x1.
2019-09-11 15:24:48,884 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1220 type 1 at address 0x0048003C, size 4 with Callback 0x747e7250.
2019-09-11 15:24:48,884 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0048003C
2019-09-11 15:24:48,884 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x00480000.
2019-09-11 15:24:48,884 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-09-11 15:24:48,930 [root] DEBUG: ProtectionHandler: Address 0x00480000 already in tracked region at 0x00480000.
2019-09-11 15:24:48,930 [root] DEBUG: ProtectionHandler: Address: 0x00480000 (alloc base 0x00480000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2019-09-11 15:24:48,930 [root] DEBUG: ProtectionHandler: Increased region size at 0x00480000 to 0xa000.
2019-09-11 15:24:48,930 [root] DEBUG: ProtectionHandler: New code detected at (0x00480000), scanning for PE images.
2019-09-11 15:24:48,930 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x0048A000.
2019-09-11 15:24:48,946 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x48a000.
2019-09-11 15:24:48,946 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x0048A000.
2019-09-11 15:24:48,946 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x48a000.
2019-09-11 15:24:48,946 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00480000, TrackedRegion->RegionSize: 0xa000, thread 1220
2019-09-11 15:24:48,946 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xe0, Size=0x2, Address=0x00480000 and Type=0x1.
2019-09-11 15:24:48,946 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1220 type 1 at address 0x00480000, size 2 with Callback 0x747e7630.
2019-09-11 15:24:48,946 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00480000
2019-09-11 15:24:48,946 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xe0, Size=0x4, Address=0x0048003C and Type=0x1.
2019-09-11 15:24:48,946 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1220 type 1 at address 0x0048003C, size 4 with Callback 0x747e7250.
2019-09-11 15:24:48,946 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0048003C
2019-09-11 15:24:48,946 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x00480000.
2019-09-11 15:24:49,023 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-09-11 15:24:49,757 [root] DEBUG: Allocation: 0x03600000 - 0x03603000, size: 0x3000, protection: 0x40.
2019-09-11 15:24:49,757 [root] DEBUG: AddTrackedRegion: Region at 0x03600000 size 0x3000 added to tracked regions.
2019-09-11 15:24:49,757 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x03600000, TrackedRegion->RegionSize: 0x3000, thread 1220
2019-09-11 15:24:49,757 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00480000 to 0x03600000.
2019-09-11 15:24:49,757 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x0048A000.
2019-09-11 15:24:49,757 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x48a000.
2019-09-11 15:24:49,757 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x0048A000.
2019-09-11 15:24:49,773 [root] DEBUG: DumpMemory: CAPE output file C:\MusksWW\CAPE\532_119269528149241411392019 successfully created, size 0x10000
2019-09-11 15:24:49,773 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:49,773 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:49,773 [root] DEBUG: DumpMemory: CAPE output file C:\MusksWW\CAPE\532_165679016549241411392019 successfully created, size 0xa000
2019-09-11 15:24:49,789 [root] INFO: Added new CAPE file to list with path: C:\MusksWW\CAPE\532_165679016549241411392019
2019-09-11 15:24:49,789 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0xa000.
2019-09-11 15:24:49,789 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:49,789 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x48a000.
2019-09-11 15:24:49,789 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xe0, Size=0x2, Address=0x03600000 and Type=0x1.
2019-09-11 15:24:49,789 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1220 type 1 at address 0x03600000, size 2 with Callback 0x747e7630.
2019-09-11 15:24:49,789 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x03600000
2019-09-11 15:24:49,789 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xe0, Size=0x4, Address=0x0360003C and Type=0x1.
2019-09-11 15:24:49,789 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1220 type 1 at address 0x0360003C, size 4 with Callback 0x747e7250.
2019-09-11 15:24:49,789 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0360003C
2019-09-11 15:24:49,789 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x03600000 (size 0x3000).
2019-09-11 15:24:49,789 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 15:24:49,789 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0046277F (thread 1220)
2019-09-11 15:24:49,789 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x03600000.
2019-09-11 15:24:49,789 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x03600000 and Type=0x0.
2019-09-11 15:24:49,789 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3600000: 0xbe.
2019-09-11 15:24:49,789 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-09-11 15:24:49,789 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0046277F (thread 1220)
2019-09-11 15:24:49,789 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0360003C.
2019-09-11 15:24:49,789 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xb9bf8bfc (at 0x0360003C).
2019-09-11 15:24:49,789 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x03600000 already exists for thread 1220 (process 532), skipping.
2019-09-11 15:24:49,789 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x03600000.
2019-09-11 15:24:49,789 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00462EAE (thread 1220)
2019-09-11 15:24:49,789 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0360003C.
2019-09-11 15:24:49,789 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x11eb90d2 (at 0x0360003C).
2019-09-11 15:24:49,789 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x03600000 already exists for thread 1220 (process 532), skipping.
2019-09-11 15:24:49,789 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x03600000.
2019-09-11 15:24:49,789 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00462EAE (thread 1220)
2019-09-11 15:24:49,789 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x03600000.
2019-09-11 15:24:49,803 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x03600000 already exists for thread 1220 (process 532), skipping.
2019-09-11 15:24:49,803 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3600000: 0x90.
2019-09-11 15:24:49,803 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-09-11 15:24:49,803 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x03600000 (thread 1220)
2019-09-11 15:24:49,803 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x03600000 (allocation base 0x03600000).
2019-09-11 15:24:49,803 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x03600000, size 0x3000).
2019-09-11 15:24:49,803 [root] DEBUG: DumpPEsInRange: Scanning range 0x03600000 - 0x03603000.
2019-09-11 15:24:49,803 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3600000-0x3603000.
2019-09-11 15:24:49,803 [root] DEBUG: DumpMemory: CAPE output file C:\MusksWW\CAPE\532_148314982049241811392019 successfully created, size 0x3000
2019-09-11 15:24:49,803 [root] INFO: Added new CAPE file to list with path: C:\MusksWW\CAPE\532_148314982049241811392019
2019-09-11 15:24:49,803 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x03600000 (size 0x3000).
2019-09-11 15:24:49,803 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3600000 - 0x3603000.
2019-09-11 15:24:49,803 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x03600000.
2019-09-11 15:24:49,803 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0360003C.
2019-09-11 15:24:49,803 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x03600000.
2019-09-11 15:24:49,803 [root] DEBUG: set_caller_info: Adding region at 0x03600000 to caller regions list.
2019-09-11 15:24:49,851 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\IPHlpApi (0x1c000 bytes).
2019-09-11 15:24:49,851 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-09-11 15:24:49,851 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-09-11 15:24:49,851 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2019-09-11 15:24:49,851 [root] DEBUG: DLL loaded at 0x74520000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2019-09-11 15:24:49,851 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-09-11 15:24:49,867 [root] DEBUG: Allocation: 0x04390000 - 0x2058F000, size: 0x1c1ff000, protection: 0x40.
2019-09-11 15:24:49,867 [root] DEBUG: AddTrackedRegion: Region at 0x04390000 size 0x1c1ff000 added to tracked regions.
2019-09-11 15:24:49,867 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x04390000, TrackedRegion->RegionSize: 0x1c1ff000, thread 1220
2019-09-11 15:24:49,867 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x03600000 to 0x04390000.
2019-09-11 15:24:49,867 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xe0, Size=0x2, Address=0x04390000 and Type=0x1.
2019-09-11 15:24:49,867 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1220 type 1 at address 0x04390000, size 2 with Callback 0x747e7630.
2019-09-11 15:24:49,867 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x04390000
2019-09-11 15:24:49,867 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xe0, Size=0x4, Address=0x0439003C and Type=0x1.
2019-09-11 15:24:49,867 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1220 type 1 at address 0x0439003C, size 4 with Callback 0x747e7250.
2019-09-11 15:24:49,867 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0439003C
2019-09-11 15:24:49,867 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x04390000 (size 0x1c1ff000).
2019-09-11 15:24:49,881 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x036004B8 (thread 1220)
2019-09-11 15:24:49,881 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x04390000.
2019-09-11 15:24:49,881 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x04390000 and Type=0x0.
2019-09-11 15:24:49,881 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4390000: 0xc.
2019-09-11 15:24:49,881 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-09-11 15:24:49,881 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-09-11 15:24:49,898 [root] DEBUG: DLL unloaded from 0x00400000.
2019-09-11 15:24:49,914 [root] INFO: Announced 32-bit process name: mal.exe pid: 1988
2019-09-11 15:24:49,914 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-09-11 15:24:49,914 [lib.api.process] INFO: 32-bit DLL to inject is C:\syxyrpelnm\dll\hgrqPkA.dll, loader C:\syxyrpelnm\bin\HDGygqf.exe
2019-09-11 15:24:49,914 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RyWTPVlI.
2019-09-11 15:24:49,914 [root] DEBUG: Loader: Injecting process 1988 (thread 420) with C:\syxyrpelnm\dll\hgrqPkA.dll.
2019-09-11 15:24:49,914 [root] DEBUG: Process image base: 0x00400000
2019-09-11 15:24:49,914 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\syxyrpelnm\dll\hgrqPkA.dll.
2019-09-11 15:24:49,914 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00480000 - 0x77110000
2019-09-11 15:24:49,914 [root] DEBUG: InjectDllViaIAT: Allocated 0x164 bytes for new import table at 0x00480000.
2019-09-11 15:24:49,914 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 15:24:49,914 [root] DEBUG: Successfully injected DLL C:\syxyrpelnm\dll\hgrqPkA.dll.
2019-09-11 15:24:49,914 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1988
2019-09-11 15:24:50,210 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 15:24:50,226 [root] DEBUG: Process dumps disabled.
2019-09-11 15:24:50,226 [root] INFO: Disabling sleep skipping.
2019-09-11 15:24:50,240 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 15:24:50,240 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-09-11 15:24:50,256 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3b0000
2019-09-11 15:24:50,256 [root] DEBUG: Debugger initialised.
2019-09-11 15:24:50,256 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1988 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 15:24:50,256 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\mal.exe".
2019-09-11 15:24:50,256 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1498, Entropy 7.149893e+00
2019-09-11 15:24:50,256 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x1000 added to tracked regions.
2019-09-11 15:24:50,256 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-09-11 15:24:50,272 [root] INFO: Added new process to list with pid: 1988
2019-09-11 15:24:50,272 [root] INFO: Monitor successfully loaded in process with pid 1988.
2019-09-11 15:24:50,272 [root] DEBUG: AddTrackedRegion: Region at 0x003C0000 size 0x6000 added to tracked regions.
2019-09-11 15:24:50,272 [root] DEBUG: ProtectionHandler: Address: 0x003C0000 (alloc base 0x003C0000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2019-09-11 15:24:50,272 [root] DEBUG: ProtectionHandler: New code detected at (0x003C0000), scanning for PE images.
2019-09-11 15:24:50,272 [root] DEBUG: DumpPEsInRange: Scanning range 0x003C0000 - 0x003C6000.
2019-09-11 15:24:50,272 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3c0000-0x3c6000.
2019-09-11 15:24:50,272 [root] DEBUG: DumpPEsInRange: Scanning range 0x003C0000 - 0x003C6000.
2019-09-11 15:24:50,272 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3c0000-0x3c6000.
2019-09-11 15:24:50,272 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x003C0000, TrackedRegion->RegionSize: 0x6000, thread 420
2019-09-11 15:24:50,288 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x003C0000 and Type=0x1.
2019-09-11 15:24:50,288 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 420 type 1 at address 0x003C0000, size 2 with Callback 0x747e7630.
2019-09-11 15:24:50,288 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x003C0000
2019-09-11 15:24:50,303 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x003C003C and Type=0x1.
2019-09-11 15:24:50,319 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 420 type 1 at address 0x003C003C, size 4 with Callback 0x747e7250.
2019-09-11 15:24:50,319 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x003C003C
2019-09-11 15:24:50,319 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x003C0000.
2019-09-11 15:24:50,319 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-09-11 15:24:50,335 [root] DEBUG: ProtectionHandler: Address 0x003C0000 already in tracked region at 0x003C0000.
2019-09-11 15:24:50,335 [root] DEBUG: ProtectionHandler: Address: 0x003C0000 (alloc base 0x003C0000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2019-09-11 15:24:50,335 [root] DEBUG: ProtectionHandler: Increased region size at 0x003C0000 to 0xa000.
2019-09-11 15:24:50,335 [root] DEBUG: ProtectionHandler: New code detected at (0x003C0000), scanning for PE images.
2019-09-11 15:24:50,335 [root] DEBUG: DumpPEsInRange: Scanning range 0x003C0000 - 0x003CA000.
2019-09-11 15:24:50,335 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3c0000-0x3ca000.
2019-09-11 15:24:50,335 [root] DEBUG: DumpPEsInRange: Scanning range 0x003C0000 - 0x003CA000.
2019-09-11 15:24:50,335 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3c0000-0x3ca000.
2019-09-11 15:24:50,335 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x003C0000, TrackedRegion->RegionSize: 0xa000, thread 420
2019-09-11 15:24:50,349 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x003C0000 and Type=0x1.
2019-09-11 15:24:50,365 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 420 type 1 at address 0x003C0000, size 2 with Callback 0x747e7630.
2019-09-11 15:24:50,365 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x003C0000
2019-09-11 15:24:50,365 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x003C003C and Type=0x1.
2019-09-11 15:24:50,365 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 420 type 1 at address 0x003C003C, size 4 with Callback 0x747e7250.
2019-09-11 15:24:50,381 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x003C003C
2019-09-11 15:24:50,381 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x003C0000.
2019-09-11 15:24:50,490 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-09-11 15:24:51,223 [root] DEBUG: Allocation: 0x004E0000 - 0x004E3000, size: 0x3000, protection: 0x40.
2019-09-11 15:24:51,223 [root] DEBUG: AddTrackedRegion: Region at 0x004E0000 size 0x3000 added to tracked regions.
2019-09-11 15:24:51,223 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x004E0000, TrackedRegion->RegionSize: 0x3000, thread 420
2019-09-11 15:24:51,223 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x003C0000 to 0x004E0000.
2019-09-11 15:24:51,223 [root] DEBUG: DumpPEsInRange: Scanning range 0x003C0000 - 0x003CA000.
2019-09-11 15:24:51,223 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3c0000-0x3ca000.
2019-09-11 15:24:51,223 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003C0000 - 0x003CA000.
2019-09-11 15:24:51,223 [root] DEBUG: DumpMemory: CAPE output file C:\MusksWW\CAPE\1988_40214604851241411392019 successfully created, size 0x10000
2019-09-11 15:24:51,240 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x3c0000
2019-09-11 15:24:51,240 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x003C0000 size 0x10000.
2019-09-11 15:24:51,240 [root] DEBUG: DumpMemory: CAPE output file C:\MusksWW\CAPE\1988_107276398451241411392019 successfully created, size 0xa000
2019-09-11 15:24:51,240 [root] INFO: Added new CAPE file to list with path: C:\MusksWW\CAPE\1988_107276398451241411392019
2019-09-11 15:24:51,240 [root] DEBUG: DumpRegion: Dumped base address 0x003C0000, size 0xa000.
2019-09-11 15:24:51,240 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003C0000.
2019-09-11 15:24:51,240 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3c0000 - 0x3ca000.
2019-09-11 15:24:51,255 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x004E0000 and Type=0x1.
2019-09-11 15:24:51,255 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 420 type 1 at address 0x004E0000, size 2 with Callback 0x747e7630.
2019-09-11 15:24:51,270 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x004E0000
2019-09-11 15:24:51,270 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x004E003C and Type=0x1.
2019-09-11 15:24:51,286 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 420 type 1 at address 0x004E003C, size 4 with Callback 0x747e7250.
2019-09-11 15:24:51,286 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x004E003C
2019-09-11 15:24:51,286 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x004E0000 (size 0x3000).
2019-09-11 15:24:51,302 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 15:24:51,302 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0046277F (thread 420)
2019-09-11 15:24:51,302 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x004E0000.
2019-09-11 15:24:51,302 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x004E0000 and Type=0x0.
2019-09-11 15:24:51,302 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4e0000: 0xbe.
2019-09-11 15:24:51,302 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-09-11 15:24:51,318 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0046277F (thread 420)
2019-09-11 15:24:51,318 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x004E003C.
2019-09-11 15:24:51,318 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xb9bf8bfc (at 0x004E003C).
2019-09-11 15:24:51,318 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x004E0000 already exists for thread 420 (process 1988), skipping.
2019-09-11 15:24:51,318 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x004E0000.
2019-09-11 15:24:51,332 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00462EAE (thread 420)
2019-09-11 15:24:51,332 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x004E003C.
2019-09-11 15:24:51,332 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x11eb90d2 (at 0x004E003C).
2019-09-11 15:24:51,332 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x004E0000 already exists for thread 420 (process 1988), skipping.
2019-09-11 15:24:51,332 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x004E0000.
2019-09-11 15:24:51,332 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00462EAE (thread 420)
2019-09-11 15:24:51,332 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x004E0000.
2019-09-11 15:24:51,332 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x004E0000 already exists for thread 420 (process 1988), skipping.
2019-09-11 15:24:51,332 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4e0000: 0x90.
2019-09-11 15:24:51,332 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-09-11 15:24:51,348 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004E0000 (thread 420)
2019-09-11 15:24:51,348 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x004E0000 (allocation base 0x004E0000).
2019-09-11 15:24:51,348 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x004E0000, size 0x3000).
2019-09-11 15:24:51,348 [root] DEBUG: DumpPEsInRange: Scanning range 0x004E0000 - 0x004E3000.
2019-09-11 15:24:51,348 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4e0000-0x4e3000.
2019-09-11 15:24:51,348 [root] DEBUG: DumpMemory: CAPE output file C:\MusksWW\CAPE\1988_118806741451241811392019 successfully created, size 0x3000
2019-09-11 15:24:51,364 [root] INFO: Added new CAPE file to list with path: C:\MusksWW\CAPE\1988_118806741451241811392019
2019-09-11 15:24:51,364 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x004E0000 (size 0x3000).
2019-09-11 15:24:51,364 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4e0000 - 0x4e3000.
2019-09-11 15:24:51,364 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x004E0000.
2019-09-11 15:24:51,364 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x004E003C.
2019-09-11 15:24:51,364 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x004E0000.
2019-09-11 15:24:51,364 [root] DEBUG: set_caller_info: Adding region at 0x004E0000 to caller regions list.
2019-09-11 15:28:10,499 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-09-11 15:28:10,499 [root] INFO: Created shutdown mutex.
2019-09-11 15:28:11,513 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 532
2019-09-11 15:28:11,513 [root] INFO: Terminate event set for process 532.
2019-09-11 15:28:11,513 [root] INFO: Terminating process 532 before shutdown.
2019-09-11 15:28:11,513 [root] INFO: Waiting for process 532 to exit.
2019-09-11 15:28:11,996 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 532).
2019-09-11 15:28:11,996 [root] DEBUG: DumpPEsInRange: Scanning range 0x04390000 - 0x2058F000.
2019-09-11 15:28:12,526 [root] INFO: Waiting for process 532 to exit.
2019-09-11 15:28:13,555 [root] INFO: Waiting for process 532 to exit.
2019-09-11 15:28:14,210 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4390000-0x2058f000.
2019-09-11 15:28:14,210 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x04390000 - 0x2058F000.
2019-09-11 15:28:14,569 [root] INFO: Waiting for process 532 to exit.
2019-09-11 15:28:15,584 [lib.api.process] INFO: Successfully terminated process with pid 532.
2019-09-11 15:28:15,584 [root] INFO: Waiting for process 532 to exit.
2019-09-11 15:28:16,598 [root] INFO: Terminating process 1988 before shutdown.
2019-09-11 15:28:16,598 [root] INFO: Shutting down package.
2019-09-11 15:28:16,598 [root] INFO: Stopping auxiliary modules.
2019-09-11 15:28:16,598 [root] INFO: Finishing auxiliary modules.
2019-09-11 15:28:16,598 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 15:28:16,598 [root] WARNING: File at path "C:\MusksWW\debugger" does not exist, skip.
2019-09-11 15:28:16,598 [root] INFO: Analysis completed.

MalScore

7.9

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-09-11 14:24:44 2019-09-11 14:28:30

File Details

File Name mal.exe
File Size 516992 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ea0461537f2ea57681e8804ebbf1bdb8
SHA1 91a7473b9f2d0c6083d980219cf8a350a8153c2b
SHA256 2f6b670a4dc200859fd98ec9bb9fb8ca35695a61c009ad920349f7f2e3c38a34
SHA512 6d098c2f068ed1cfe1ae86e401ce2bfe0d7136a64e76e85cd9caa6f6d4020dc6ebb623319548382c17330110963067536cb915f7fe41a3aadcf033863ea10be4
CRC32 ADB935E4
Ssdeep 12288:57vLIGsdwpvAoAnuwG9xcroWwRiGlEGajh:57fSolJ9xUjkVEGEh
TrID
  • 42.7% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 19.2% (.EXE) OS/2 Executable (generic) (2029/13)
  • 18.9% (.EXE) Generic Win/DOS Executable (2002/3)
  • 18.9% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 532 triggered the Yara rule 'embedded_win_api'
Hit: PID 532 triggered the Yara rule 'shellcode'
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: USER32.dll/EnumThreadWindows
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WriteProfileStringA
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/GetLongPathNameA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: IPHlpApi.DLL/GetAdaptersInfo
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: shell32.DLL/ShellExecuteA
DynamicLoader: shell32.DLL/SHCreateDirectoryExA
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: kernel32.dll/WaitForDebugEvent
DynamicLoader: kernel32.dll/ContinueDebugEvent
DynamicLoader: kernel32.dll/DebugActiveProcessStop
DynamicLoader: kernel32.dll/OutputDebugStringW
DynamicLoader: kernel32.dll/IsTNT
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: USER32.dll/EnumThreadWindows
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WriteProfileStringA
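CAPE records a DynamicLoader hit each time the sample resolves an export at run time instead of importing it, which is why the list above is long and mostly OLEAUT32 noise from the VB6 runtime. The following is an added triage example, not a CAPE signature and not code from the report: it parses "DynamicLoader: dll/function" lines, de-duplicates them, folds them into capability groups and flags groups that co-occur. The group table and the cluster rules are assumptions chosen for this example; the sample lines are copied from the hit list above.

```python
import re
from collections import defaultdict

# Added example, not a CAPE signature: fold a "DynamicLoader: dll/function" hit
# list into capability groups and flag co-occurring groups. CAPABILITIES and
# CLUSTERS are triage heuristics assumed for this example.

DYNLOADER_RE = re.compile(r"DynamicLoader:\s*(?P<dll>[^/\s]+)/(?P<func>\S+)")

CAPABILITIES = {
    "rwx-memory": {"NtProtectVirtualMemory", "VirtualProtectEx", "VirtualProtect",
                   "VirtualAllocEx", "VirtualAlloc"},
    "process-creation": {"CreateProcessW", "CreateProcessA", "ShellExecuteA",
                         "ShellExecuteW", "WinExec"},
    "self-debugging": {"WaitForDebugEvent", "ContinueDebugEvent",
                       "DebugActiveProcessStop", "DebugActiveProcess"},
    "registry-write": {"RegCreateKeyExA", "RegSetValueExA"},
    "ini-autorun": {"WriteProfileStringA", "WriteProfileStringW"},
    "host-recon": {"GetAdaptersInfo"},
    "file-io": {"CreateFileA", "WriteFile", "ReadFile"},
}

# Every listed group must be present for the cluster to fire.
CLUSTERS = {
    "code-injection-or-hollowing": ("rwx-memory", "process-creation"),
    "debugger-driven-loader": ("self-debugging", "process-creation"),
    "persistence-candidate": ("registry-write", "ini-autorun"),
}


def parse_dynamic_loader(lines):
    """Yield unique (dll, function) pairs from report lines. DLL names are
    lower-cased because CAPE prints them as the sample spelt them
    (kernel32.dll, shell32.DLL, IPHlpApi.DLL ...)."""
    seen = set()
    for line in lines:
        m = DYNLOADER_RE.search(line)
        if m:
            pair = (m.group("dll").lower(), m.group("func"))
            if pair not in seen:
                seen.add(pair)
                yield pair


def classify(lines):
    """Group resolved functions by capability and evaluate the cluster rules."""
    by_func = {f: g for g, funcs in CAPABILITIES.items() for f in funcs}
    groups = defaultdict(set)
    unclassified = []
    for dll, func in parse_dynamic_loader(lines):
        group = by_func.get(func)
        if group:
            groups[group].add(f"{dll}!{func}")
        else:
            unclassified.append(f"{dll}!{func}")
    clusters = [name for name, needed in CLUSTERS.items()
                if all(g in groups for g in needed)]
    return {"groups": {g: sorted(v) for g, v in groups.items()},
            "clusters": clusters,
            "unclassified": unclassified}


# Lines copied from the report's hit list (Sleep is listed twice there as well).
REPORT_LINES = [
    "DynamicLoader: kernel32.dll/Sleep",
    "DynamicLoader: kernel32.dll/WriteProfileStringA",
    "DynamicLoader: ntdll.dll/NtProtectVirtualMemory",
    "DynamicLoader: kernel32.dll/VirtualProtectEx",
    "DynamicLoader: IPHlpApi.DLL/GetAdaptersInfo",
    "DynamicLoader: kernel32.dll/VirtualAllocEx",
    "DynamicLoader: kernel32.dll/CreateProcessW",
    "DynamicLoader: shell32.DLL/ShellExecuteA",
    "DynamicLoader: ADVAPI32.dll/RegCreateKeyExA",
    "DynamicLoader: ADVAPI32.dll/RegSetValueExA",
    "DynamicLoader: kernel32.dll/WaitForDebugEvent",
    "DynamicLoader: kernel32.dll/ContinueDebugEvent",
    "DynamicLoader: kernel32.dll/DebugActiveProcessStop",
    "DynamicLoader: OLEAUT32.dll/VarAdd",
    "DynamicLoader: kernel32.dll/Sleep",
]

if __name__ == "__main__":
    result = classify(REPORT_LINES)
    for group, funcs in result["groups"].items():
        print(f"{group}: {', '.join(funcs)}")
    print("clusters:", result["clusters"])
    print("unclassified:", result["unclassified"])
```

Run against the full hit list, the OLEAUT32 Var* and SafeArray* entries end up in the unclassified bucket while the memory-protection, process-creation and debug-event functions collapse into three cluster hits, which is what an analyst would want to see first rather than the 180 raw lines.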
CAPE extracted potentially suspicious content
mal.exe: Extracted Shellcode
mal.exe: Extracted Shellcode
mal.exe: Extracted Shellcode
Performs some HTTP requests
url: http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
url: http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEA68GTXVKUpZS08ycHsKCrk%3D
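The two URLs above are OCSP GET requests: in the RFC 6960 GET form the last path segment is the URL-encoded base64 of a DER OCSPRequest, and the DNS table below shows s2.symcb.com resolving through ocsp-ds.ws.symantec.com. This is certificate revocation-check traffic generated when Windows validates a certificate chain (the same mechanism produces the crl.microsoft.com lookup), not the sample's own command-and-control. The added example below, which is not part of the CAPE report, decodes the request so an analyst can see which certificate (issuer hashes and serial) was being checked; the sample URLs are copied from the report.

```python
import base64
from urllib.parse import unquote, urlsplit

# Added example (not part of the CAPE report): decode an OCSP GET URL.
# The last path segment is url-encoded base64 of a DER OCSPRequest (RFC 6960 A.1).

HASH_ALGORITHMS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def der_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Iterate the TLVs directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = der_tlv(value, pos)
        yield tag, child


def der_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url: str):
    """Return one dict per CertID in the OCSPRequest carried by `url`.
    Raises ValueError when the last path segment is not such a request."""
    segment = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    try:
        der = base64.b64decode(segment, validate=True)
    except ValueError as exc:
        raise ValueError("last path segment is not base64") from exc
    tag, ocsp_request, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    # OCSPRequest ::= SEQUENCE { tbsRequest, optionalSignature [0] }
    tbs = next(c for t, c in der_children(ocsp_request) if t == 0x30)
    # TBSRequest: optional [0] version and [1] requestorName precede requestList
    request_list = next(c for t, c in der_children(tbs) if t == 0x30)
    cert_ids = []
    for _, request in der_children(request_list):
        _, cert_id = next(der_children(request))          # reqCert CertID
        fields = [c for _, c in der_children(cert_id)]
        if len(fields) != 4:
            raise ValueError("CertID should have 4 fields")
        alg_oid = der_oid(next(der_children(fields[0]))[1])   # AlgorithmIdentifier.algorithm
        cert_ids.append({
            "hash_alg": HASH_ALGORITHMS.get(alg_oid, alg_oid),
            "issuer_name_hash": fields[1].hex(),
            "issuer_key_hash": fields[2].hex(),
            "serial": fields[3].hex(),
        })
    return cert_ids


def is_ocsp_get(url: str) -> bool:
    """True when the URL carries a well-formed OCSP GET request."""
    try:
        return bool(parse_ocsp_get(url))
    except (ValueError, IndexError, StopIteration):
        return False


# The two request URLs from the report.
REPORT_URLS = [
    "http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D",
    "http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEA68GTXVKUpZS08ycHsKCrk%3D",
]

if __name__ == "__main__":
    for url in REPORT_URLS:
        host = urlsplit(url).hostname
        for cid in parse_ocsp_get(url):
            print(f"{host}: {cid['hash_alg']} issuerKeyHash={cid['issuer_key_hash']} serial={cid['serial']}")
```

Both requests carry a single SHA-1 CertID. The issuerKeyHash identifies the CA whose responder is being asked, so the same decoder can separate benign revocation checks from a C2 channel that merely borrows an OCSP-looking URL: a path that does not decode to a CertID-bearing request is not OCSP.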
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.48, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00077000, virtual_size: 0x00076a10
Installs itself for autorun at Windows startup
file: C:\Windows\win.ini
file: C:\Windows\win.ini
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Screenshots


Hosts

Direct  IP             Country        Name
Y       8.8.8.8        United States
N       23.51.123.27   Netherlands
N       104.86.110.88  Netherlands

DNS

Name               Response                                    Post-Analysis Lookup
s2.symcb.com       CNAME ocsp-ds.ws.symantec.com.edgekey.net
                   CNAME e8218.dscb1.akamaiedge.net
                   A 23.51.123.27
sv.symcd.com
crl.microsoft.com  A 104.86.110.73
                   A 104.86.110.88
                   CNAME crl.www.ms.akadns.net
                   CNAME a1363.dscg.akamai.net

Summary

Accessed files

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\mal.exe.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Users\user\AppData\Local\Temp
C:\Users\user\AppData\Local\Temp\*.*
C:\
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\win.ini
C:\Users\user\AppData\Local\Temp\IPHlpApi.DLL
C:\Windows\System32\IPHLPAPI.DLL
C:\Users\user\AppData\Local\Temp\WINNSI.DLL
C:\Windows\System32\winnsi.dll

Read files

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\win.ini
C:\Windows\System32\IPHLPAPI.DLL
C:\Windows\System32\winnsi.dll

Modified files

C:\Windows\win.ini

Registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\mal.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVBVM60.DLL

Read registry keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext

Resolved APIs

kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
ole32.dll.CoCreateInstance
kernel32.dll.NlsGetCacheUpdateCount
kernel32.dll.GetCalendarInfoW
user32.dll.EnumThreadWindows
kernel32.dll.Sleep
kernel32.dll.WriteProfileStringA
ntdll.dll.NtProtectVirtualMemory
kernel32.dll.CreateFileA
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.ReadFile
kernel32.dll.GetFileSize
kernel32.dll.UnmapViewOfFile
kernel32.dll.VirtualProtectEx
kernel32.dll.GetLongPathNameA
kernel32.dll.TerminateProcess
iphlpapi.dll.GetAdaptersInfo
kernel32.dll.VirtualAllocEx
kernel32.dll.CreateProcessW
shell32.dll.ShellExecuteA
shell32.dll.SHCreateDirectoryExA
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegSetValueExA
kernel32.dll.WaitForDebugEvent
kernel32.dll.ContinueDebugEvent
kernel32.dll.DebugActiveProcessStop
kernel32.dll.OutputDebugStringW

Executed commands

"C:\Users\user\AppData\Local\Temp\mal.exe"

Mutexes

Local\MSCTF.Asm.MutexDefault1

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x00401498
Reported Checksum 0x000816b8
Actual Checksum 0x00089533
Minimum OS Version 4.0
Compile Time 2014-09-20 05:54:50
Import Hash 18ea235853311400cd8b68472283dd63

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00076a10 0x00077000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.48
.data 0x00078000 0x00006714 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x0007f000 0x00000918 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.99

Overlay

Offset 0x0007a000
Size 0x00004380
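The three static findings in this section (the 7.48-bit entropy of .text, the reported checksum 0x000816b8 against the computed 0x00089533, and the 0x4380-byte overlay at 0x7a000) can be recomputed from the file alone. The following is an added example, not CAPE's code: it parses the PE section table, computes Shannon entropy per section, recomputes the header checksum with the same arithmetic the Windows CheckSumMappedFile routine uses, and measures any data past the last section. The 7.0-bit threshold and the two-section test image built inside the block are constructed for the example; run it with a path argument to reproduce the numbers for mal.exe.

```python
import math
import struct

# Added example, not CAPE's code: recompute per-section entropy, the PE header
# checksum and the overlay size for a PE32/PE32+ file held in memory.

IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0   # assumed triage cutoff; plain compiled code is usually well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes):
    """Return (checksum_field_offset, reported_checksum, sections); each section is
    (name, raw_offset, raw_size, characteristics) from the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                   # optional header follows the 20-byte file header
    if struct.unpack_from("<H", pe, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum_off = opt + 0x40             # CheckSum sits at +0x40 in both PE32 and PE32+
    reported = struct.unpack_from("<I", pe, checksum_off)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        characteristics = struct.unpack_from("<I", pe, hdr + 36)[0]
        sections.append((name, raw_ptr, raw_size, characteristics))
    return checksum_off, reported, sections


def pe_checksum(pe: bytes, checksum_off: int) -> int:
    """CheckSumMappedFile arithmetic: fold every dword except the CheckSum field
    itself into a 16-bit one's-complement-style sum, then add the file length."""
    padded = pe + b"\0" * (-len(pe) % 4)
    skip = checksum_off & ~3
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(pe)


def assess(pe: bytes) -> dict:
    """Per-section entropy, checksum comparison, overlay, and a findings list."""
    checksum_off, reported, sections = parse_pe(pe)
    actual = pe_checksum(pe, checksum_off)
    entropy, findings, data_end = {}, [], 0
    for name, raw_ptr, raw_size, characteristics in sections:
        entropy[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        data_end = max(data_end, raw_ptr + raw_size)
        if characteristics & IMAGE_SCN_MEM_EXECUTE and entropy[name] >= ENTROPY_THRESHOLD:
            findings.append(f"high-entropy executable section {name}: {entropy[name]:.2f}")
    # A zero CheckSum only means the linker never filled it in; a wrong non-zero value is the anomaly.
    if reported and reported != actual:
        findings.append(f"checksum mismatch: header 0x{reported:08x}, computed 0x{actual:08x}")
    overlay = (data_end, max(0, len(pe) - data_end))
    if overlay[1]:
        findings.append(f"overlay of 0x{overlay[1]:x} bytes at 0x{overlay[0]:x}")
    return {"reported_checksum": reported, "actual_checksum": actual,
            "entropy": entropy, "overlay": overlay, "findings": findings}


def build_test_pe(checksum: int = 0) -> bytes:
    """Constructed two-section PE32 image (not a real sample): '.lo' holds one byte
    value (entropy 0.0) and '.hi' holds every byte value equally often (entropy 8.0)."""
    e_lfanew, opt_size, raw_base = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 0x40, checksum)

    def section(name, vaddr, raw_ptr):   # IMAGE_SECTION_HEADER, CODE|EXECUTE|READ
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x200, vaddr, 0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt)
               + section(b".lo", 0x1000, raw_base) + section(b".hi", 0x2000, raw_base + 0x200))
    headers += b"\0" * (raw_base - len(headers))
    return headers + b"\0" * 0x200 + bytes(range(256)) * 2


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe()
    for key, value in assess(data).items():
        print(f"{key}: {value}")
```

A non-zero CheckSum that disagrees with the computed value, as in this report, means the file was altered after the linker wrote the header: packing or patching the sections, or appending an overlay, both change it. The overlay itself is worth carving separately, since a 0x4380-byte tail behind the last section is where a loader of this kind commonly keeps its encrypted payload or configuration.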

Imports

Library MSVBVM60.DLL:
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 None
0x40100c __vbaVarMove
0x401010 __vbaFreeVar
0x401014 __vbaFreeVarList
0x401018 __vbaEnd
0x40101c _adj_fdiv_m64
0x401020 None
0x401024 __vbaFreeObjList
0x401028 None
0x40102c _adj_fprem1
0x401030 __vbaStrCat
0x401034 None
0x401038 __vbaSetSystemError
0x401040 None
0x401044 _adj_fdiv_m32
0x401048 __vbaAryVar
0x40104c __vbaAryDestruct
0x401050 None
0x401054 None
0x401058 __vbaObjSet
0x40105c __vbaOnError
0x401060 _adj_fdiv_m16i
0x401064 __vbaObjSetAddref
0x401068 None
0x40106c _adj_fdivr_m16i
0x401070 None
0x401074 __vbaCyStr
0x401078 None
0x40107c __vbaFPFix
0x401080 __vbaFpR8
0x401084 _CIsin
0x401088 __vbaErase
0x40108c __vbaChkstk
0x401090 EVENT_SINK_AddRef
0x401094 __vbaStrCmp
0x401098 __vbaAryConstruct2
0x40109c __vbaVarTstEq
0x4010a0 __vbaObjVar
0x4010a4 DllFunctionCall
0x4010a8 _adj_fpatan
0x4010ac __vbaRedim
0x4010b0 EVENT_SINK_Release
0x4010b4 _CIsqrt
0x4010bc None
0x4010c0 __vbaFpCmpCy
0x4010c4 __vbaExceptHandler
0x4010c8 None
0x4010cc None
0x4010d0 _adj_fprem
0x4010d4 _adj_fdivr_m64
0x4010d8 None
0x4010dc __vbaFPException
0x4010e0 None
0x4010e4 _CIlog
0x4010e8 None
0x4010ec __vbaNew2
0x4010f0 None
0x4010f4 __vbaR8Str
0x4010f8 None
0x4010fc _adj_fdiv_m32i
0x401100 _adj_fdivr_m32i
0x401104 __vbaStrCopy
0x401108 __vbaVarSetObj
0x40110c __vbaI4Str
0x401110 None
0x401114 __vbaFreeStrList
0x401118 _adj_fdivr_m32
0x40111c _adj_fdiv_r
0x401120 None
0x401124 None
0x401128 __vbaVarTstNe
0x40112c None
0x401130 None
0x401134 __vbaVarDup
0x401138 __vbaFpI4
0x401140 __vbaVarCopy
0x401144 _CIatan
0x401148 __vbaStrMove
0x40114c __vbaAryCopy
0x401150 _allmul
0x401154 _CItan
0x401158 _CIexp
0x40115c __vbaFreeObj
0x401160 __vbaFreeStr

.text
`.data
.rsrc
MSVBVM60.DLL
HForm1arten
Form1Teno
Form1Pepi2
Form1Unde
Form1Land8
Form1spurt
Form1Dino
Form1besgs
Form1tale
Form1Sight8
Form1GOLD
Form1Noodl
Form1Rokke
Form1hreti
Form1Abst5
Form1Gadea
Form1Loft
Form1Inla
Form1ceva
Form1Jorop7
Form1Urin8
Form1Wilde8
Form1Stmaa1
Form1STRBE
Form1Forre4
Form1Pheno6
Form1Kluns
Form1Hyste
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1Grns5
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1Huma
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1Land
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1Barik
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1Unglu8
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1Stoc7
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1vedke
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1Unpa
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1COPA
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1unco
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1Tris8
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1Foto7
<Vx]q
4%w>S
BcFH+i
U:c^H
ZNgtF
8hQWd
#5$9o
MkKo|=
Form1Bill
Form1Arbej9
Form1Aero7
Form1asbk
VB5!6&*
Form1STARC
Form1arten
Form1arten
Form1Teno
Form1Cosm5
Form1Nonm9
Form1Soma
Form1ENDOS
Form1Rimos
Form1uspok
Form1RERI
Form1Opge2
Form1Consi
Form1HALVV
Form1mohn
Form1Saft9
Form1Tris8
Form1Arbej9
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Form1hreti
Form1Bill
Form1Unde
Form1Stmaa1
Form1Land
Form1ceva
Form1Loft
Form1Wilde8
Form1Hyste
Form1Noodl
Form1asbk
Form1Sight8
Form1Barik
Form1Foto7
Form1Grns5
Form1Forre4
Form1Abst5
Form1COPA
Form1vedke
Form1unco
Form1GOLD
Form1Huma
Form1Pheno6
Form1Land8
Form1Stoc7
Form1Unpa
Form1Dino
Form1Jorop7
Form1tale
Form1Unglu8
shell32.dll
SHFileOperationA
kernel32
GetConsoleTitleA
GlobalMemoryStatus
LocalShrink
ADVAPI32.DLL
FreeSid
gdi32
Polygon
Process32Next
OpenThreadToken
RemoveFontResourceA
USER32
GetThreadDesktop
ExtEscape
GetCursorPos
GetStringTypeA
IsValidLocale
ContinueDebugEvent
GetStdHandle
IsDBCSLeadByte
SetLocalTime
GetSystemMetrics
FindWindowExA
GetSystemPaletteEntries
Form1mild
CallMsgFilterA
GetPropA
OffsetWindowOrgEx
OpenFileMappingA
CreatePipe
IsRectEmpty
ImmGetConversionListA
DdeFreeStringHandle
IsBadHugeReadPtr
OpenIcon
AddAtomA
SetMessageQueue
GetMenuItemCount
WinExec
GlobalAlloc
CreateDialogParamA
WNetGetUniversalNameA
imm32.dll
ImmReleaseContext
PurgeComm
CombineTransform
GetWindowDC
CloseClipboard
CharLowerA
winmm.dll
midiOutGetID
midiStreamClose
Form1SPEC
mmioSetBuffer
ExpandEnvironmentStringsA
ChildWindowFromPoint
GetDefaultCommConfigA
CreatePalette
Form1SPNDE
ExtractAssociatedIconA
SetBkMode
EscapeCommFunction
SetBoundsRect
SetFileSecurityA
VirtualFree
GetTimeFormatA
LoadLibraryExA
winspool.drv
FindClosePrinterChangeNotification
CountClipboardFormats
GetWinMetaFileBits
GetFormA
WriteConsoleOutputCharacterA
ImmDestroyContext
GetCurrentProcessId
RemoveMenu
GlobalFix
ImmCreateContext
joyGetNumDev
FindNextPrinterChangeNotification
EnumMonitorsA
WriteConsoleOutputA
GetMenuItemInfoA
EnumFontFamiliesA
SetCaretPos
GetTapeParameters
GetTextAlign
OpenEventLog
GetOEMCP
EnumThreadWindows
kernel32
GetXystemDirectoryW
GetXurrencyFormatW
mimmo
Form_Paint
VBA6.DLL
__vbaSetSystemError
__vbaOnError
__vbaErase
Form1Inte7
__vbaAryVar
__vbaAryCopy
__vbaEnd
__vbaVarCopy
__vbaR8Str
__vbaFPFix
__vbaVarMove
__vbaRedim
__vbaObjSet
__vbaAryDestruct
__vbaFreeObjList
Form1LANDH
__vbaFpR8
__vbaVarLateMemCallLd
__vbaCyStr
__vbaFpCmpCy
t__vbaVarSetObj
__vbaVarDup
__vbaStrCopy
__vbaFreeStrList
__vbaStrCmp
__vbaObjVar
__vbaObjSetAddref
__vbaFreeVar
__vbaFreeStr
__vbaStrCat
__vbaStrMove
__vbaI4Str
__vbaVarTstNe
__vbaFreeObj
__vbaNew2
__vbaHresultCheckObj
__vbaFpI4
__vbaFreeVarList
__vbaVarTstEq
__vbaAryConstruct2
Form1deac
Form1Cloc7
Form1apht
Form1Dispu
Form1kkke
Form1Roman
Form1Brudf
Form1OVER
Form1HEXAD
L*Form1BETR
Form1MLKER
Form1aaben
Form1Thyro
Form1TOVR
Form1Kalve
Form1Depo7
Form1AUTOC
Form1Vrag2
Form1PAPI
Form1Have4
Form1cont
Form1Unio3
Form1Afla2
Form1STEM
Form1paral
Form1Kibse5
Form1Skumm8
Form1TEST
Form1pleur
Form1kden
Form1Besee8
Form1SMIT
Form1STACC
Form1Cloc
Form1BROBY
Form1hydr
Form1BORG
Form1Ades9
Form1Gnat1
Form1Coac8
Form1Thesm6
Form1Deme7
Form1conj
Form1ejer
Form1SMLE
Form1SVARS
Form1Verno8
Form1annul
Form1MAHO
Form1tolbo
Form1Unas6
Form1ARBE
Form1SKATT
Form1Sand8
Form1AFSHA
Form1ALKOH
Form1zooph
Form1Afko2
Form1Berry8
Form1SLIP
Form1MICR
Form1OPACI
Form1KINES
Form1Topi8
Form1Ddsga1
Form1Kvaks
Form1lovel
Form1Hanny
Form1Fixat
Form1Lnst
Form1UAARE
Form1Finsk7
Form1trill
Form1Deli2
Form1preex
Form1Omlbc
Form1SERVO
Form1dhou
Form1Bedoy
Form1maksi
Form1KUFFE
Form1NONIN
Form1cili
Form1CIGAR
Form1Tsnin5
Form1karto
Form1BALAL
Form1Prot5
Form1BESVR
Form1dram
Form1CLER
Form1Hymen4
Form1Hitc
Form1Raako
Form1Guli
Form1Emuls
Form1Chon8
Form1Mode
Form1resp
Form1tamg
Form1mill
Form1hast
Form1apote
Form1evan
Form1forma
Form1DESS
Form1hila
Form1Birdl
Form1Neoek
Form1euda
Form1tafd
Form1ISENK
Form1Passe
Form1Kath
Form1Polyt5
Form1Kulti7
Form1FAKL
Form1COMA
Form1Farve7
Form1Unpne
Form1rhodo
Form1SAMME
Form1Reno3
Form1rette
Form1akkla
Form1OMLAS
Form1Bruge6
Form1Birr7
Form1Chris6
Form1vela
Form1quabs
Form1fore
Form1Gauss7
Form1mask
Form1splat
Form1rmerg
Form1Coun
Form1foss
Form1Repu3
Form1PLAC
Form1Rant6
Form1Skri
Form1SAMS
Form1DIRE
Form1sali
Form1Resat
Form1guss
Form1Simo3
Form1suga
Form1Komma
Form1Triu
Form1Agua
Form1unbul
Form1hopk
Form1Squa1
Form1EGNSB
Form1Play
Form1KVOTE
Form1cacod
Form1Napoo5
Form1Over2
Form1Ident3
Form1bedri
Form1Gover
Form1Temae
Form1Tilb
Form1PRIS
Form1lovl
Form1Pessi
Form1Amido
Form1Toile3
Form1CYKE
Form1Seve7
Form1jaevn
Form1Desp
Form1OLOM
Form1Manip
Form1Trak4
Form1Xylo6
Form1Forsk8
Form1krak
Form1flyve
Form1Simul8
Form1Latt8
Form1JIGGE
Form1Overv7
Form1eksp
Form1MILJB
Form1skil
Form1Swim
Form1haand
Form1Disp
Form1dehu
Form1Bist
Form1Nunci
Form1GRAN
Form1tank
Form1Homa2
Form1ENDOS
Form1DISHW
Form1DISHW
Form1Deme7
Form1ALKOH
Form1Gemol
Form1Verno8
Form1annul
Form1tolbo
Form1Ergo5
Form1SKATT
Form1Sand8
Form1AFSHA
Form1SALGS
Form1Unas6
Form1Afpr
Form1SMLE
Form1ejer
Form1Thesm6
Form1SVARS
Form1Vand
Form1conj
Form1ARBE
Form1Blys6
Form1molrr
Form1MAHO
Form1Jack
Form1Saft9
Form1bioge
Form1bioge
Form1Overv7
Form1dehu
Form1JIGGE
Form1Nedst
Form1flyve
Form1MILJB
Form1Homa2
Form1Swim
Form1Afvb8
Form1Unde
Form1Latt8
Form1staph
Form1Disp
Form1bevis
Form1tank
Form1Simul8
Form1GRAN
Form1Nunci
Form1Rudim
Form1haand
Form1eksp
Form1Bane
Form1skil
Form1Micro5
Form1FORB
Form1Bist
Form1Soma
Form1BLIND
Form1BLIND
Form1paral
Form1unpro
Form1Skumm8
Form1Cloc
Form1pleur
Form1Kirke9
Form1Kibse5
Form1STACC
Form1OVER
Form1BORG
Form1STNN
Form1Ades9
Form1Coac8
Form1kden
Form1SPECT
Form1BROBY
Form1hydr
Form1Peric6
Form1SMIT
Form1Besee8
Form1SOREL
Form1TEST
Form1Uove
Form1Gnat1
Form1Valgm6
Form1Opge2
Form1Bedi
Form1Bedi
Form1Kath
Form1perri
Form1FAKL
Form1OMLAS
Form1Drif
Form1Bruge6
Form1indus
Form1Kulti7
Form1Reno3
Form1akkla
Form1ISENK
Form1Passe
Form1rhodo
Form1OVER
Form1PSAL
Form1rette
Form1Tonal6
Form1Polyt5
Form1SAMME
Form1Term3
Form1Farve7
Form1nimin
Form1COMA
Form1tafd
Form1Unpne
Form1sugge
Form1Okseh
Form1uspok
Form1Leas
Form1Leas
Form1NONIN
Form1Tsnin5
Form1styr
Form1dram
Form1helhe
Form1CLER
Form1UNBE
Form1Bedoy
Form1preex
Form1CIGAR
Form1maksi
Form1KUFFE
Form1SERVO
Form1Prot5
Form1Hurr
Form1karto
Form1Paat5
Form1Hymen4
Form1Deli2
Form1cili
Form1Samme1
Form1dhou
Form1BALAL
Form1decri
Form1Omlbc
Form1Semo
Form1BESVR
Form1Nonm9
Form1Heter
Form1Heter
Form1Depo7
Form1MLKER
Form1OPRET
Form1Unio3
Form1Konf3
Form1TOVR
Form1Hvert
Form1STEM
Form1azoti
Form1cont
Form1Afla2
Form1sled
Form1PAPI
Form1TRIH
Form1aaben
Form1Upsl5
Form1BETR
Form1Nove3
Form1AUTOC
Form1Vrag2
Form1KLATT
Form1Kalve
Form1Rater2
Form1Thyro
Form1ANTI
Form1Sulp
Form1Have4
Form1Miln
Form1Outs8
Form1Cosm5
Form1Acca
Form1Acca
Form1mild
Form1kkke
Form1Brudf
Form1HEXAD
Form1perni
Form1deac
Form1Kiwac5
Form1Cloc7
Form1Inte7
Form1Supp
Form1apht
Form1Roman
Form1UDGA
Form1over
Form1LANDH
Form1SCHIZ
Form1optil
Form1SPNDE
Form1MITTE
Form1Mercu9
Form1Dispu
Form1ENHED
Form1SPEC
Form1Thre6
Form1Vacuo
Form1Farse3
Form1HALVV
Form1TYMPA
Form1TYMPA
Form1Napoo5
Form1estat
Form1Komma
Form1Slag
Form1Play
Form1STEN
Form1Triu
Form1Ident3
Form1futte
Form1bedri
Form1prob
Form1hopk
Form1TRUE
Form1unbul
Form1Resat
Form1ROMAN
Form1Agua
Form1Tils
Form1Squa1
Form1Salta9
Form1suga
Form1Over2
Form1Simo3
Form1guss
Form1Shar
Form1cacod
Form1udva
Form1KVOTE
Form1POTLE
Form1EGNSB
Form1Kron3
Form1samse
Form1Consi
Form1Mand5
Form1Mand5
Form1Birr7
Form1mask
Form1CARBO
Form1Skri
Form1Chris6
Form1Rant6
Form1TRIMM
Form1quabs
Form1rmerg
Form1Part3
Form1Gauss7
Form1Repu3
Form1foss
Form1splat
Form1SAMS
Form1alkal
Form1PLAC
Form1Mank7
Form1DIRE
Form1sjofl
Form1FLUID
Form1vela
Form1fore
Form1sali
Form1Jawb9
Form1Coun
Form1ANST
Form1RERI
Form1Blaar
Form1Blaar
Form1Birdl
Form1Gant1
Form1resp
Form1Emuls
Form1Centr4
Form1euda
Form1FEODO
Form1DESS
Form1hila
Form1skntc
Form1Raako
Form1Guli
Form1hast
Form1navn
Form1evan
Form1tamg
Form1AAREM
Form1mill
Form1elek
Form1Hitc
Form1MECHA
Form1Mode
Form1Immun7
Form1apote
Form1DSETT
Form1forma
Form1TITUL
Form1Neoek
Form1pikad
Form1Botr
Form1Chon8
Form1Metat
Form1Mark
Form1mohn
Form1Ligeb
Form1Ligeb
Form1Xylo6
Form1Genne
Form1jaevn
Form1ACERB
Form1CYKE
Form1Manip
Form1Uptil
Form1Seve7
Form1BOVV
Form1lovl
Form1Ball4
Form1Forsk8
Form1BARSL
Form1Gover
Form1krak
Form1Temae
Form1cemen
Form1Desp
Form1SIBYL
Form1Trak4
Form1Efter
Form1PRIS
Form1Dopa
Form1Toile3
Form1Igang4
Form1Tilb
Form1Amido
Form1KUNST
Form1OLOM
Form1Birk4
Form1Pessi
Form1pleu
Form1Rimos
Form1fave
Form1fave
Form1UAARE
Form1Finsk7
Form1Beanf5
Form1Hanny
Form1Margi7
Form1KINES
Form1MICR
Form1Prou1
Form1lovel
Form1Lnst
Form1Bagmn
Form1Ddsga1
Form1Dash
Form1trill
Form1Wouf
Form1zooph
Form1Topi8
Form1ultr
Form1Berry8
Form1Afko2
Form1srti
Form1Fixat
Form1Kvaks
Form1APPA
Form1OPACI
Form1SLIP
Form1Succ
Form1capri
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryVar
__vbaAryDestruct
__vbaObjSet
__vbaOnError
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaCyStr
__vbaFPFix
__vbaFpR8
_CIsin
__vbaErase
__vbaChkstk
EVENT_SINK_AddRef
__vbaStrCmp
__vbaAryConstruct2
__vbaVarTstEq
__vbaObjVar
DllFunctionCall
_adj_fpatan
__vbaRedim
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaFpCmpCy
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaNew2
__vbaR8Str
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaVarSetObj
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarTstNe
__vbaVarDup
__vbaFpI4
__vbaVarLateMemCallLd
__vbaVarCopy
_CIatan
__vbaStrMove
__vbaAryCopy
_allmul
_CItan
_CIexp
__vbaFreeObj
__vbaFreeStr
q4w958
tQrJ7ROzULwnQ7coYkWhcjlneqwnUN107
FX6u3FyBAHVrr49
thVsqWCEj9xqCzACb142
HuV122
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004B0
ProductName
Form1emht
FileVersion
5.00.0004
ProductVersion
5.00.0004
InternalName
OriginalFilename
xid.exe
jhkfdkjhkjhdfs
This file is not on VirusTotal.

Process Tree


mal.exe, PID: 532, Parent PID: 2480
  Full Path: C:\Users\user\AppData\Local\Temp\mal.exe
  Command Line: "C:\Users\user\AppData\Local\Temp\mal.exe"
    mal.exe, PID: 1988, Parent PID: 532
      Full Path: C:\Users\user\AppData\Local\Temp\mal.exe
      Command Line: "C:\Users\user\AppData\Local\Temp\mal.exe"

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 23.51.123.27 [VT] Netherlands
N 104.86.110.88 [VT] Netherlands

TCP

Source Source Port Destination Destination Port
192.168.35.21 49173 104.86.110.88 crl.microsoft.com 80
192.168.35.21 49160 23.51.123.27 s2.symcb.com 80
192.168.35.21 49161 23.51.123.27 s2.symcb.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
s2.symcb.com [VT]
  • CNAME ocsp-ds.ws.symantec.com.edgekey.net [VT]
  • CNAME e8218.dscb1.akamaiedge.net [VT]
  • A 23.51.123.27 [VT]
sv.symcd.com [VT]
crl.microsoft.com [VT]
  • A 104.86.110.73 [VT]
  • A 104.86.110.88 [VT]
  • CNAME crl.www.ms.akadns.net [VT]
  • CNAME a1363.dscg.akamai.net [VT]

HTTP Requests

URI Data
http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com

http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEA68GTXVKUpZS08ycHsKCrk%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEA68GTXVKUpZS08ycHsKCrk%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sv.symcd.com

http://crl.microsoft.com/pki/crl/products/WinPCA.crl
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 02 Dec 2015 18:30:06 GMT
If-None-Match: "0cb60772f2dd11:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

No dropped Suricata extracted files.

JA3

No JA3 hashes found.

File name win.ini
Associated Filenames
C:\Windows\win.ini
File Size 509 bytes
File Type ASCII text, with CRLF line terminators
MD5 d2a2412bddba16d60ec63bd9550d933f
SHA1 deb3d3bdc9055f0b4909b31d3048446848fae0e1
SHA256 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
CRC32 BF84F0B8
Ssdeep 12:F4Yv65RdlpcgbtrMv4Fblu0N5ZSESow46T:F30jpPtpxP5ZY4E
ClamAV None
Yara None matched
CAPE Yara None matched
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
[kernel32]
kernel32=kernel32
Type Extracted Shellcode
Size 40960 bytes
Virtual Address 0x00480000
Process mal.exe
PID 532
Path C:\Users\user\AppData\Local\Temp\mal.exe
MD5 1ace7367be781e5e3891b37d42559607
SHA1 533f766894cfca339754468f32f7e7d0f7e25a0c
SHA256 a84b5b745c2595cb71bad0f6dd6d1e99bb0f0aac9090d77379cf18ee676d7bea
CRC32 95D0F8FC
Ssdeep 384:ezmj7F1JAum443Ei0nQxngPUUmAnAXRRYs:ezSpm44DgPQIMF
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 12288 bytes
Virtual Address 0x03600000
Process mal.exe
PID 532
Path C:\Users\user\AppData\Local\Temp\mal.exe
MD5 ad67e261a78b0027124a7fcaafe4ce3b
SHA1 7630e470fcc693702fe5a8ddb5d35256d80a270e
SHA256 ae2ef682dabb4cb2274cecc2f8fd56d59a53494829917ae1a4f8e2616a7ca8b2
CRC32 521B87EF
Ssdeep 192:gwpWwC6bpO1YTtkIanDuuSdAOr1nfDS0ed41PSL:g0WwC6E1PIan3aLSZd4lS
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode
Size 40960 bytes
Virtual Address 0x003C0000
Process mal.exe
PID 1988
Path C:\Users\user\AppData\Local\Temp\mal.exe
MD5 4fb7f1d50c6be387c3f5bf34e4de8dca
SHA1 fc561d69f3c88ecdc6c145bc80531c76ecd1e549
SHA256 0f13ba2f985081bf2244ef49e8737b0b32eb4197642a3ea5616933ca5318e33d
CRC32 4922850E
Ssdeep 384:ezEDJDVcrApjs9jkRQQ0+d4JSHMVWChMKj:ezEhVcvkyLXgghNj
Yara None matched
CAPE Yara None matched
No process dumps.

Processing ( 8.397 seconds )

  • 6.672 BehaviorAnalysis
  • 0.923 Static
  • 0.35 CAPE
  • 0.246 TargetInfo
  • 0.107 TrID
  • 0.032 Deduplicate
  • 0.032 Strings
  • 0.018 NetworkAnalysis
  • 0.011 Dropped
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 2.911 seconds )

  • 0.355 injection_createremotethread
  • 0.327 InjectionCreateRemoteThread
  • 0.324 Doppelganging
  • 0.306 antidebug_guardpages
  • 0.264 InjectionProcessHollowing
  • 0.261 injection_runpe
  • 0.255 stealth_timeout
  • 0.232 InjectionInterProcess
  • 0.189 decoy_document
  • 0.171 api_spamming
  • 0.137 stack_pivot
  • 0.035 antidbg_windows
  • 0.01 antiav_detectreg
  • 0.006 ransomware_files
  • 0.004 infostealer_ftp
  • 0.003 antiav_detectfile
  • 0.003 ransomware_extensions
  • 0.002 persistence_autorun
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 antiemu_wine_func
  • 0.001 antivm_vbox_window
  • 0.001 betabot_behavior
  • 0.001 ransomware_message
  • 0.001 antivm_generic_disk
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 antisandbox_script_timer
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 90421
Mongo ID 5d7904af2851828535632325
Cuckoo release 1.3-CAPE