Analysis

Category FILE
Package Extraction
Started 2019-09-11 19:53:00
Completed 2019-09-11 19:56:49
Duration 229 seconds
Options
route = internet
procdump = 0
Log
2019-09-11 20:53:03,000 [root] INFO: Date set to: 09-11-19, time set to: 19:53:03, timeout set to: 200
2019-09-11 20:53:03,015 [root] DEBUG: Starting analyzer from: C:\ubyjah
2019-09-11 20:53:03,015 [root] DEBUG: Storing results at: C:\NPYrMnv
2019-09-11 20:53:03,015 [root] DEBUG: Pipe server name: \\.\PIPE\xaxLXsvumW
2019-09-11 20:53:03,015 [root] INFO: Analysis package "Extraction" has been specified.
2019-09-11 20:53:03,483 [root] DEBUG: Started auxiliary module Browser
2019-09-11 20:53:03,499 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 20:53:03,499 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 20:53:05,339 [modules.auxiliary.digisig] DEBUG: File has a valid signature.
2019-09-11 20:53:05,339 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 20:53:05,339 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 20:53:05,355 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 20:53:05,355 [root] DEBUG: Started auxiliary module Human
2019-09-11 20:53:05,355 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 20:53:05,355 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 20:53:05,355 [root] DEBUG: Started auxiliary module Usage
2019-09-11 20:53:05,355 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-09-11 20:53:05,355 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2019-09-11 20:53:05,463 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\EE1039B.exe" with arguments "" with pid 2084
2019-09-11 20:53:05,463 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-09-11 20:53:05,463 [lib.api.process] INFO: 32-bit DLL to inject is C:\ubyjah\dll\JfHtYKo.dll, loader C:\ubyjah\bin\LpoUzdY.exe
2019-09-11 20:53:05,542 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xaxLXsvumW.
2019-09-11 20:53:05,542 [root] DEBUG: Loader: Injecting process 2084 (thread 2276) with C:\ubyjah\dll\JfHtYKo.dll.
2019-09-11 20:53:05,542 [root] DEBUG: Process image base: 0x00400000
2019-09-11 20:53:05,542 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ubyjah\dll\JfHtYKo.dll.
2019-09-11 20:53:05,542 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00428000 - 0x77110000
2019-09-11 20:53:05,542 [root] DEBUG: InjectDllViaIAT: Allocated 0xf34 bytes for new import table at 0x00430000.
2019-09-11 20:53:05,542 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 20:53:05,542 [root] DEBUG: Successfully injected DLL C:\ubyjah\dll\JfHtYKo.dll.
2019-09-11 20:53:05,558 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2084
2019-09-11 20:53:07,569 [lib.api.process] INFO: Successfully resumed process with pid 2084
2019-09-11 20:53:07,569 [root] INFO: Added new process to list with pid: 2084
2019-09-11 20:53:07,601 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 20:53:07,601 [root] DEBUG: Process dumps disabled.
2019-09-11 20:53:07,648 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 20:53:07,648 [root] INFO: Disabling sleep skipping.
2019-09-11 20:53:07,648 [root] INFO: Disabling sleep skipping.
2019-09-11 20:53:07,648 [root] INFO: Disabling sleep skipping.
2019-09-11 20:53:07,648 [root] INFO: Disabling sleep skipping.
2019-09-11 20:53:07,648 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-09-11 20:53:07,648 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3d0000
2019-09-11 20:53:07,648 [root] DEBUG: Debugger initialised.
2019-09-11 20:53:07,648 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2084 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 20:53:07,648 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\EE1039B.exe".
2019-09-11 20:53:07,648 [root] DEBUG: AddTrackedRegion: EntryPoint 0x117dc, Entropy 4.564793e+00
2019-09-11 20:53:07,648 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x1000 added to tracked regions.
2019-09-11 20:53:07,648 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-09-11 20:53:07,648 [root] INFO: Monitor successfully loaded in process with pid 2084.
2019-09-11 20:53:07,680 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\uxtheme (0x80000 bytes).
2019-09-11 20:53:07,680 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\userenv (0x17000 bytes).
2019-09-11 20:53:07,680 [root] DEBUG: DLL loaded at 0x74390000: C:\Windows\system32\profapi (0xb000 bytes).
2019-09-11 20:53:07,680 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\system32\setupapi (0x19d000 bytes).
2019-09-11 20:53:07,680 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-09-11 20:53:07,680 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-09-11 20:53:07,680 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-09-11 20:53:07,680 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-09-11 20:53:07,710 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\dwmapi (0x13000 bytes).
2019-09-11 20:53:07,726 [root] DEBUG: DLL loaded at 0x74230000: C:\Windows\system32\oleacc (0x3c000 bytes).
2019-09-11 20:53:07,742 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\version (0x9000 bytes).
2019-09-11 20:53:07,757 [root] DEBUG: DLL loaded at 0x740F0000: C:\Windows\system32\comres (0x13e000 bytes).
2019-09-11 20:53:07,757 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\system32\clbcatq (0x83000 bytes).
2019-09-11 20:53:07,757 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\system32\shell32 (0xc4a000 bytes).
2019-09-11 20:53:07,773 [root] DEBUG: ProtectionHandler: Address 0x00400000 already in tracked region at 0x00400000.
2019-09-11 20:53:07,773 [root] DEBUG: ProtectionHandler: Address: 0x00400000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x1000, NewAccessProtection: 0x40
2019-09-11 20:53:07,773 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00400000 to 0x40.
2019-09-11 20:53:07,773 [root] DEBUG: AddTrackedRegion: EntryPoint 0x117dc, Entropy 4.910702e+00
2019-09-11 20:53:07,773 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x12000 added to tracked regions.
2019-09-11 20:53:07,773 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x11000, NewAccessProtection: 0x40
2019-09-11 20:53:07,773 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000.
2019-09-11 20:53:07,773 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x11000, NewAccessProtection: 0x20
2019-09-11 20:53:07,773 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x20.
2019-09-11 20:53:07,773 [root] DEBUG: AddTrackedRegion: EntryPoint 0x117dc, Entropy 4.910702e+00
2019-09-11 20:53:07,773 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x28000 added to tracked regions.
2019-09-11 20:53:07,773 [root] DEBUG: ProtectionHandler: Address: 0x0041B000 (alloc base 0x00400000), NumberOfBytesToProtect: 0xd000, NewAccessProtection: 0x40
2019-09-11 20:53:07,944 [root] INFO: Announced 32-bit process name: EE1039B.tmp pid: 2036
2019-09-11 20:53:07,944 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-09-11 20:53:07,944 [lib.api.process] INFO: 32-bit DLL to inject is C:\ubyjah\dll\JfHtYKo.dll, loader C:\ubyjah\bin\LpoUzdY.exe
2019-09-11 20:53:07,960 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\xaxLXsvumW.
2019-09-11 20:53:07,960 [root] DEBUG: Loader: Injecting process 2036 (thread 2680) with C:\ubyjah\dll\JfHtYKo.dll.
2019-09-11 20:53:07,960 [root] DEBUG: Process image base: 0x00400000
2019-09-11 20:53:07,960 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ubyjah\dll\JfHtYKo.dll.
2019-09-11 20:53:07,960 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0052D000 - 0x77110000
2019-09-11 20:53:07,960 [root] DEBUG: InjectDllViaIAT: Allocated 0x3978 bytes for new import table at 0x00530000.
2019-09-11 20:53:07,960 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 20:53:07,960 [root] DEBUG: Successfully injected DLL C:\ubyjah\dll\JfHtYKo.dll.
2019-09-11 20:53:07,960 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2036
2019-09-11 20:53:07,976 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 20:53:07,976 [root] DEBUG: Process dumps disabled.
2019-09-11 20:53:07,976 [root] INFO: Disabling sleep skipping.
2019-09-11 20:53:07,976 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 20:53:07,976 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-09-11 20:53:07,976 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x290000
2019-09-11 20:53:07,976 [root] DEBUG: Debugger initialised.
2019-09-11 20:53:07,976 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2036 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 20:53:07,976 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.tmp" \SL5="$901E0,10231439,121344,C:\Users\user\AppData\Local\Temp\EE1039B.exe".
2019-09-11 20:53:07,976 [root] DEBUG: AddTrackedRegion: EntryPoint 0x10156c, Entropy 6.222715e+00
2019-09-11 20:53:07,976 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x1000 added to tracked regions.
2019-09-11 20:53:07,976 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-09-11 20:53:07,976 [root] INFO: Added new process to list with pid: 2036
2019-09-11 20:53:07,976 [root] INFO: Monitor successfully loaded in process with pid 2036.
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\uxtheme (0x80000 bytes).
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\userenv (0x17000 bytes).
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x74390000: C:\Windows\system32\profapi (0xb000 bytes).
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\system32\setupapi (0x19d000 bytes).
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\dwmapi (0x13000 bytes).
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x74230000: C:\Windows\system32\oleacc (0x3c000 bytes).
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x740F0000: C:\Windows\system32\comres (0x13e000 bytes).
2019-09-11 20:53:07,992 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\system32\clbcatq (0x83000 bytes).
2019-09-11 20:53:08,023 [root] DEBUG: Allocation: 0x00550000 - 0x00551000, size: 0x1000, protection: 0x40.
2019-09-11 20:53:08,038 [root] DEBUG: AddTrackedRegion: Region at 0x00550000 size 0x1000 added to tracked regions.
2019-09-11 20:53:08,148 [root] DEBUG: DLL loaded at 0x740B0000: C:\Windows\system32\shfolder (0x5000 bytes).
2019-09-11 20:53:08,148 [root] DEBUG: DLL loaded at 0x74080000: C:\Windows\system32\Rstrtmgr (0x28000 bytes).
2019-09-11 20:53:08,148 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\ncrypt (0x38000 bytes).
2019-09-11 20:53:08,148 [root] DEBUG: DLL loaded at 0x74020000: C:\Windows\system32\bcrypt (0x17000 bytes).
2019-09-11 20:53:08,148 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-09-11 20:53:08,148 [root] DEBUG: DLL loaded at 0x73FE0000: C:\Windows\SysWOW64\bcryptprimitives (0x3d000 bytes).
2019-09-11 20:53:08,194 [root] DEBUG: DLL unloaded from 0x743A0000.
2019-09-11 20:53:08,303 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-09-11 20:53:08,413 [root] DEBUG: DLL loaded at 0x73F80000: C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf (0x58000 bytes).
2019-09-11 20:53:08,474 [root] DEBUG: DLL loaded at 0x73EE0000: C:\Windows\system32\MSFTEDIT (0x94000 bytes).
2019-09-11 20:53:08,709 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:10,736 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:13,342 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:15,369 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:17,398 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:19,489 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:21,578 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:23,607 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:25,697 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:27,788 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:29,815 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:31,905 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:33,996 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:36,086 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:38,177 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:40,267 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:42,296 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:44,323 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:46,351 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:48,441 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:50,532 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:52,622 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:54,713 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:56,803 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:53:58,894 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:00,984 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:03,075 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:05,165 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:07,194 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:09,283 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:11,374 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:13,464 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:15,555 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:17,645 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:19,736 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:21,825 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:23,854 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:25,944 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:27,987 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:30,016 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:32,107 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:34,197 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:36,288 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:38,378 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:40,467 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:42,559 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:44,648 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:46,740 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:48,829 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:50,920 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:52,947 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:55,039 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:57,144 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:54:59,250 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:01,295 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:03,384 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:05,413 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:07,440 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:09,530 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:11,621 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:13,711 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:15,802 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:17,892 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:19,983 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:22,010 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:24,101 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:26,130 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:28,157 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:30,247 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:32,338 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:34,428 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:36,457 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:38,484 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:40,513 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:42,602 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:44,694 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:46,783 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:48,812 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:50,839 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:52,930 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:55,036 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:57,065 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:55:59,092 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:01,198 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:03,289 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:05,316 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:07,407 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:09,497 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:11,526 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:13,615 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:15,707 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:17,796 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:19,903 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:21,993 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:24,084 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:26,174 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:28,265 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:29,357 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-09-11 20:56:29,357 [root] INFO: Created shutdown mutex.
2019-09-11 20:56:30,355 [modules.auxiliary.human] INFO: Found button "I &accept the agreement", clicking it
2019-09-11 20:56:30,371 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2084
2019-09-11 20:56:30,371 [root] INFO: Terminate event set for process 2084.
2019-09-11 20:56:30,371 [root] INFO: Terminating process 2084 before shutdown.
2019-09-11 20:56:30,371 [root] INFO: Waiting for process 2084 to exit.
2019-09-11 20:56:30,371 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 2084).
2019-09-11 20:56:30,371 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2084
2019-09-11 20:56:31,384 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2036
2019-09-11 20:56:31,384 [root] INFO: Terminate event set for process 2036.
2019-09-11 20:56:31,384 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 2036).
2019-09-11 20:56:31,384 [root] INFO: Terminating process 2036 before shutdown.
2019-09-11 20:56:31,400 [root] INFO: Waiting for process 2036 to exit.
2019-09-11 20:56:31,400 [root] DEBUG: DumpPEsInRange: Scanning range 0x00550000 - 0x00551000.
2019-09-11 20:56:31,400 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x550000-0x551000.
2019-09-11 20:56:31,400 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00550000 - 0x00551000.
2019-09-11 20:56:31,415 [root] DEBUG: DumpMemory: CAPE output file C:\NPYrMnv\CAPE\2036_207141744031561911392019 successfully created, size 0x1000
2019-09-11 20:56:31,415 [root] INFO: Added new CAPE file to list with path: C:\NPYrMnv\CAPE\2036_207141744031561911392019
2019-09-11 20:56:31,415 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00550000, size 0x1000.
2019-09-11 20:56:31,415 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00550000.
2019-09-11 20:56:31,430 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x550000 - 0x551000.
2019-09-11 20:56:31,447 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2036
2019-09-11 20:56:32,414 [root] INFO: Shutting down package.
2019-09-11 20:56:32,414 [root] INFO: Stopping auxiliary modules.
2019-09-11 20:56:32,414 [root] INFO: Finishing auxiliary modules.
2019-09-11 20:56:32,414 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 20:56:32,414 [root] WARNING: File at path "C:\NPYrMnv\debugger" does not exist, skip.
2019-09-11 20:56:32,414 [root] INFO: Analysis completed.

MalScore

6.1

Malicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-09-11 19:53:02
Shutdown On 2019-09-11 19:56:47

File Details

File Name EE1039B.exe
File Size 10669032 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 01e213c761f99144c75813a8af11b3d5
SHA1 d0137a387e8bacd98db4a6767260478f0f332808
SHA256 2c9eb14ecbb82a78d1d32d3db634ddfda05bfdb9bb5b85ef1764cae8d4dbbeee
SHA512 9357dca2ba976a51759f90ecfdb7aa7b04692517c64adb2423980b12e7184b6b972397ecb0698c7fc616d5aabf10db0f65949f179f67276ba9b4265807bd0a83
CRC32 62FDD08A
Ssdeep 196608:ixhZGxxllg40Z9nInnXRFbMZIi1aKkwmp3DWyiMROxzMNZnoAf6d1juWuAXtcyG:OCs424gZI9K7KKD2noACkW7ts
TrID
  • 42.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  • 19.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 13.5% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 6.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  • 6.0% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SetSearchPathMode
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: kernel32.dll/GetDiskFreeSpaceExW
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/Wow64RevertWow64FsRedirection
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: uxtheme.dll/EnableThemeDialogTexture
DynamicLoader: LPK.dll/LpkEditControl
DynamicLoader: kernel32.dll/SetDefaultDllDirectories
DynamicLoader: kernel32.dll/SetDllDirectoryW
DynamicLoader: kernel32.dll/SetSearchPathMode
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: kernel32.dll/GetDiskFreeSpaceExW
DynamicLoader: oleaut32.dll/VariantChangeTypeEx
DynamicLoader: oleaut32.dll/VarNeg
DynamicLoader: oleaut32.dll/VarNot
DynamicLoader: oleaut32.dll/VarAdd
DynamicLoader: oleaut32.dll/VarSub
DynamicLoader: oleaut32.dll/VarMul
DynamicLoader: oleaut32.dll/VarDiv
DynamicLoader: oleaut32.dll/VarIdiv
DynamicLoader: oleaut32.dll/VarMod
DynamicLoader: oleaut32.dll/VarAnd
DynamicLoader: oleaut32.dll/VarOr
DynamicLoader: oleaut32.dll/VarXor
DynamicLoader: oleaut32.dll/VarCmp
DynamicLoader: oleaut32.dll/VarI4FromStr
DynamicLoader: oleaut32.dll/VarR4FromStr
DynamicLoader: oleaut32.dll/VarR8FromStr
DynamicLoader: oleaut32.dll/VarDateFromStr
DynamicLoader: oleaut32.dll/VarCyFromStr
DynamicLoader: oleaut32.dll/VarBoolFromStr
DynamicLoader: oleaut32.dll/VarBstrFromCy
DynamicLoader: oleaut32.dll/VarBstrFromDate
DynamicLoader: oleaut32.dll/VarBstrFromBool
DynamicLoader: kernel32.dll/InitializeConditionVariable
DynamicLoader: kernel32.dll/WakeConditionVariable
DynamicLoader: kernel32.dll/WakeAllConditionVariable
DynamicLoader: kernel32.dll/SleepConditionVariableCS
DynamicLoader: USER32.dll/WINNLSEnableIME
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetConversionStatus
DynamicLoader: IMM32.DLL/ImmSetConversionStatus
DynamicLoader: IMM32.DLL/ImmSetOpenStatus
DynamicLoader: IMM32.DLL/ImmSetCompositionWindow
DynamicLoader: IMM32.DLL/ImmSetCompositionFontW
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: USER32.dll/AnimateWindow
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: comctl32.dll/InitializeFlatSB
DynamicLoader: comctl32.dll/UninitializeFlatSB
DynamicLoader: comctl32.dll/FlatSB_GetScrollProp
DynamicLoader: comctl32.dll/FlatSB_SetScrollProp
DynamicLoader: comctl32.dll/FlatSB_EnableScrollBar
DynamicLoader: comctl32.dll/FlatSB_ShowScrollBar
DynamicLoader: comctl32.dll/FlatSB_GetScrollRange
DynamicLoader: comctl32.dll/FlatSB_GetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_GetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_SetScrollRange
DynamicLoader: USER32.dll/SetLayeredWindowAttributes
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoAddRefServerProcess
DynamicLoader: ole32.dll/CoReleaseServerProcess
DynamicLoader: ole32.dll/CoResumeClassObjects
DynamicLoader: ole32.dll/CoSuspendClassObjects
DynamicLoader: uxtheme.dll/OpenThemeData
DynamicLoader: uxtheme.dll/CloseThemeData
DynamicLoader: uxtheme.dll/DrawThemeBackground
DynamicLoader: uxtheme.dll/DrawThemeText
DynamicLoader: uxtheme.dll/GetThemeBackgroundContentRect
DynamicLoader: uxtheme.dll/GetThemePartSize
DynamicLoader: uxtheme.dll/GetThemeTextExtent
DynamicLoader: uxtheme.dll/GetThemeTextMetrics
DynamicLoader: uxtheme.dll/GetThemeBackgroundRegion
DynamicLoader: uxtheme.dll/HitTestThemeBackground
DynamicLoader: uxtheme.dll/DrawThemeEdge
DynamicLoader: uxtheme.dll/DrawThemeIcon
DynamicLoader: uxtheme.dll/IsThemePartDefined
DynamicLoader: uxtheme.dll/IsThemeBackgroundPartiallyTransparent
DynamicLoader: uxtheme.dll/GetThemeColor
DynamicLoader: uxtheme.dll/GetThemeMetric
DynamicLoader: uxtheme.dll/GetThemeString
DynamicLoader: uxtheme.dll/GetThemeBool
DynamicLoader: uxtheme.dll/GetThemeInt
DynamicLoader: uxtheme.dll/GetThemeEnumValue
DynamicLoader: uxtheme.dll/GetThemePosition
DynamicLoader: uxtheme.dll/GetThemeFont
DynamicLoader: uxtheme.dll/GetThemeRect
DynamicLoader: uxtheme.dll/GetThemeMargins
DynamicLoader: uxtheme.dll/GetThemeIntList
DynamicLoader: uxtheme.dll/GetThemePropertyOrigin
DynamicLoader: uxtheme.dll/SetWindowTheme
DynamicLoader: uxtheme.dll/GetThemeFilename
DynamicLoader: uxtheme.dll/GetThemeSysColor
DynamicLoader: uxtheme.dll/GetThemeSysColorBrush
DynamicLoader: uxtheme.dll/GetThemeSysBool
DynamicLoader: uxtheme.dll/GetThemeSysSize
DynamicLoader: uxtheme.dll/GetThemeSysFont
DynamicLoader: uxtheme.dll/GetThemeSysString
DynamicLoader: uxtheme.dll/GetThemeSysInt
DynamicLoader: uxtheme.dll/IsThemeActive
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/GetWindowTheme
DynamicLoader: uxtheme.dll/EnableThemeDialogTexture
DynamicLoader: uxtheme.dll/IsThemeDialogTextureEnabled
DynamicLoader: uxtheme.dll/GetThemeAppProperties
DynamicLoader: uxtheme.dll/SetThemeAppProperties
DynamicLoader: uxtheme.dll/GetCurrentThemeName
DynamicLoader: uxtheme.dll/GetThemeDocumentationProperty
DynamicLoader: uxtheme.dll/DrawThemeParentBackground
DynamicLoader: uxtheme.dll/EnableTheming
DynamicLoader: USER32.dll/NotifyWinEvent
DynamicLoader: shell32.dll/SHPathPrepareForWriteW
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/Wow64RevertWow64FsRedirection
DynamicLoader: shell32.dll/SHPathPrepareForWriteW
DynamicLoader: shell32.dll/SHCreateItemFromParsingName
DynamicLoader: kernel32.dll/VerSetConditionMask
DynamicLoader: kernel32.dll/VerifyVersionInfoW
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWow64DirectoryA
DynamicLoader: ADVAPI32.dll/RegDeleteKeyExA
DynamicLoader: shell32.dll/SHGetKnownFolderPath
DynamicLoader: USER32.dll/DisableProcessWindowsGhosting
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: USER32.dll/ShutdownBlockReasonDestroy
DynamicLoader: USER32.dll/ShutdownBlockReasonCreate
DynamicLoader: kernel32.dll/GetSystemWow64DirectoryW
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: Rstrtmgr.dll/RmStartSession
DynamicLoader: Rstrtmgr.dll/RmRegisterResources
DynamicLoader: Rstrtmgr.dll/RmGetList
DynamicLoader: Rstrtmgr.dll/RmShutdown
DynamicLoader: Rstrtmgr.dll/RmRestart
DynamicLoader: Rstrtmgr.dll/RmEndSession
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: USER32.dll/ShutdownBlockReasonDestroy
DynamicLoader: USER32.dll/ShutdownBlockReasonCreate
DynamicLoader: USER32.dll/ChangeWindowMessageFilterEx
DynamicLoader: uxtheme.dll/OpenThemeData
DynamicLoader: uxtheme.dll/CloseThemeData
DynamicLoader: uxtheme.dll/DrawThemeBackground
DynamicLoader: uxtheme.dll/DrawThemeText
DynamicLoader: uxtheme.dll/GetThemeBackgroundContentRect
DynamicLoader: uxtheme.dll/GetThemeBackgroundExtent
DynamicLoader: uxtheme.dll/GetThemePartSize
DynamicLoader: uxtheme.dll/GetThemeTextExtent
DynamicLoader: uxtheme.dll/GetThemeTextMetrics
DynamicLoader: uxtheme.dll/GetThemeBackgroundRegion
DynamicLoader: uxtheme.dll/HitTestThemeBackground
DynamicLoader: uxtheme.dll/DrawThemeEdge
DynamicLoader: uxtheme.dll/DrawThemeIcon
DynamicLoader: uxtheme.dll/IsThemePartDefined
DynamicLoader: uxtheme.dll/IsThemeBackgroundPartiallyTransparent
DynamicLoader: uxtheme.dll/GetThemeColor
DynamicLoader: uxtheme.dll/GetThemeMetric
DynamicLoader: uxtheme.dll/GetThemeString
DynamicLoader: uxtheme.dll/GetThemeBool
DynamicLoader: uxtheme.dll/GetThemeInt
DynamicLoader: uxtheme.dll/GetThemeEnumValue
DynamicLoader: uxtheme.dll/GetThemePosition
DynamicLoader: uxtheme.dll/GetThemeFont
DynamicLoader: uxtheme.dll/GetThemeRect
DynamicLoader: uxtheme.dll/GetThemeMargins
DynamicLoader: uxtheme.dll/GetThemeIntList
DynamicLoader: uxtheme.dll/GetThemePropertyOrigin
DynamicLoader: uxtheme.dll/SetWindowTheme
DynamicLoader: uxtheme.dll/GetThemeFilename
DynamicLoader: uxtheme.dll/GetThemeSysColor
DynamicLoader: uxtheme.dll/GetThemeSysColorBrush
DynamicLoader: uxtheme.dll/GetThemeSysBool
DynamicLoader: uxtheme.dll/GetThemeSysSize
DynamicLoader: uxtheme.dll/GetThemeSysFont
DynamicLoader: uxtheme.dll/GetThemeSysString
DynamicLoader: uxtheme.dll/GetThemeSysInt
DynamicLoader: uxtheme.dll/IsThemeActive
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/GetWindowTheme
DynamicLoader: uxtheme.dll/EnableThemeDialogTexture
DynamicLoader: uxtheme.dll/IsThemeDialogTextureEnabled
DynamicLoader: uxtheme.dll/GetThemeAppProperties
DynamicLoader: uxtheme.dll/SetThemeAppProperties
DynamicLoader: uxtheme.dll/GetCurrentThemeName
DynamicLoader: uxtheme.dll/GetThemeDocumentationProperty
DynamicLoader: uxtheme.dll/DrawThemeParentBackground
DynamicLoader: uxtheme.dll/EnableTheming
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: uxtheme.dll/OpenThemeData
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: SHLWAPI.dll/SHAutoComplete
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: uxtheme.dll/SetWindowTheme
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: uxtheme.dll/EnableThemeDialogTexture
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
Reads data out of its own binary image
self_read: process: EE1039B.exe, pid: 2084, offset: 0x009c1e8f, length: 0x0000baef
self_read: process: EE1039B.exe, pid: 2084, offset: 0x009cefa3, length: 0x0005d048
CAPE extracted potentially suspicious content
EE1039B.tmp: Extracted Shellcode
Performs some HTTP requests
url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
url: http://t2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D
url: http://tl.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCEBJhLj3htDcVpyfcDQGSxrw%3D
Network activity detected but not expressed in API logs
Drops a binary and executes it
binary: C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.tmp

Screenshots


Hosts

Direct  IP               Country Name
Y       8.8.8.8          United States
N       23.42.27.27      Netherlands
N       217.212.252.104  Finland
N       205.185.216.42   United States

DNS

Name                            Response
www.download.windowsupdate.com  A 205.185.216.42
                                CNAME cds.d2s7q6s2.hwcdn.net
                                A 205.185.216.10
                                CNAME 2-01-3cf7-0009.cdx.cedexis.net
t2.symcb.com                    A 23.42.27.27
                                CNAME ocsp-ds.ws.symantec.com.edgekey.net
                                CNAME e8218.dscb1.akamaiedge.net
tl.symcd.com
crl.microsoft.com               A 217.212.252.104
                                A 217.212.252.88
                                CNAME crl.www.ms.akadns.net
                                CNAME a1363.dscg.akamai.net

Summary

Files

C:\Windows\WindowsShell.Manifest
C:\Users\user\AppData\Local\Temp\EE1039B.ENG
C:\Users\user\AppData\Local\Temp\EE1039B.ENG.DLL
C:\Users\user\AppData\Local\Temp\EE1039B.EN
C:\Users\user\AppData\Local\Temp\EE1039B.EN.DLL
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Users\user\AppData\Local\Temp\netmsg.dll
C:\Windows\System32\netmsg.dll
C:\Users\user\AppData\Local\Temp\EE1039B.exe
C:\Users\user\AppData\Local\Temp
C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp
C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.tmp
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.ENG
C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.ENG.DLL
C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.EN
C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.EN.DLL
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\netmsg.dll
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Users\user\AppData\Local\Temp\Setup Log 2019-09-12 #001.txt
C:\Users\user\AppData\Local\Temp\is-GU3PT.tmp
C:\Users\user\AppData\Local\Temp\is-GU3PT.tmp\_isetup
C:\Users\user\AppData\Local\Temp\is-GU3PT.tmp\_isetup\_setup64.tmp
C:\Windows\Fonts\staticcache.dat
c:\directory
C:\Windows\System32\imageres.dll
C:\Windows\System32\shell32.dll
C:\Windows\win.ini
C:\Windows\WindowsShell.Manifest
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\System32\netmsg.dll
C:\Users\user\AppData\Local\Temp\EE1039B.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Users\user\AppData\Local\Temp\Setup Log 2019-09-12 #001.txt
C:\Users\user\AppData\Local\Temp\is-GU3PT.tmp\_isetup\_setup64.tmp
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\imageres.dll
C:\Windows\System32\shell32.dll
C:\Windows\win.ini
C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.tmp
C:\Users\user\AppData\Local\Temp\Setup Log 2019-09-12 #001.txt
C:\Users\user\AppData\Local\Temp\is-GU3PT.tmp\_isetup\_setup64.tmp

Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\CodeGear\Locales
HKEY_LOCAL_MACHINE\Software\CodeGear\Locales
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08090809
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\EE1039B.tmp
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B6FF0794
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Owner
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\SessionHash
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Verdana
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5A338121-B67D-48FC-A2EC-4B260D7E49BD}_is1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5A338121-B67D-48FC-A2EC-4B260D7E49BD}_is1
HKEY_LOCAL_MACHINE\software\redtitan
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B6FF0794
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Owner
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\SessionHash
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence

Resolved APIs

lpk.dll.LpkEditControl
kernel32.dll.SetDllDirectoryW
kernel32.dll.SetSearchPathMode
kernel32.dll.SetProcessDEPPolicy
kernel32.dll.GetDiskFreeSpaceExW
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.Wow64RevertWow64FsRedirection
kernel32.dll.GetUserDefaultUILanguage
comctl32.dll.RegisterClassNameW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
uxtheme.dll.EnableThemeDialogTexture
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
oleaut32.dll.VarSub
oleaut32.dll.VarMul
oleaut32.dll.VarDiv
oleaut32.dll.VarIdiv
oleaut32.dll.VarMod
oleaut32.dll.VarAnd
oleaut32.dll.VarOr
oleaut32.dll.VarXor
oleaut32.dll.VarCmp
oleaut32.dll.VarI4FromStr
oleaut32.dll.VarR4FromStr
oleaut32.dll.VarR8FromStr
oleaut32.dll.VarDateFromStr
oleaut32.dll.VarCyFromStr
oleaut32.dll.VarBoolFromStr
oleaut32.dll.VarBstrFromCy
oleaut32.dll.VarBstrFromDate
oleaut32.dll.VarBstrFromBool
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
user32.dll.WINNLSEnableIME
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetConversionStatus
imm32.dll.ImmSetConversionStatus
imm32.dll.ImmSetOpenStatus
imm32.dll.ImmSetCompositionWindow
imm32.dll.ImmSetCompositionFontW
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmIsIME
imm32.dll.ImmNotifyIME
user32.dll.GetMonitorInfoA
user32.dll.GetSystemMetrics
user32.dll.EnumDisplayMonitors
cryptbase.dll.SystemFunction036
user32.dll.AnimateWindow
comctl32.dll.InitializeFlatSB
comctl32.dll.UninitializeFlatSB
comctl32.dll.FlatSB_GetScrollProp
comctl32.dll.FlatSB_SetScrollProp
comctl32.dll.FlatSB_EnableScrollBar
comctl32.dll.FlatSB_ShowScrollBar
comctl32.dll.FlatSB_GetScrollRange
comctl32.dll.FlatSB_GetScrollInfo
comctl32.dll.FlatSB_GetScrollPos
comctl32.dll.FlatSB_SetScrollPos
comctl32.dll.FlatSB_SetScrollInfo
comctl32.dll.FlatSB_SetScrollRange
user32.dll.SetLayeredWindowAttributes
ole32.dll.CoCreateInstanceEx
ole32.dll.CoInitializeEx
ole32.dll.CoAddRefServerProcess
ole32.dll.CoReleaseServerProcess
ole32.dll.CoResumeClassObjects
ole32.dll.CoSuspendClassObjects
uxtheme.dll.OpenThemeData
uxtheme.dll.CloseThemeData
uxtheme.dll.DrawThemeBackground
uxtheme.dll.DrawThemeText
uxtheme.dll.GetThemeBackgroundContentRect
uxtheme.dll.GetThemePartSize
uxtheme.dll.GetThemeTextExtent
uxtheme.dll.GetThemeTextMetrics
uxtheme.dll.GetThemeBackgroundRegion
uxtheme.dll.HitTestThemeBackground
uxtheme.dll.DrawThemeEdge
uxtheme.dll.DrawThemeIcon
uxtheme.dll.IsThemePartDefined
uxtheme.dll.IsThemeBackgroundPartiallyTransparent
uxtheme.dll.GetThemeColor
uxtheme.dll.GetThemeMetric
uxtheme.dll.GetThemeString
uxtheme.dll.GetThemeBool
uxtheme.dll.GetThemeInt
uxtheme.dll.GetThemeEnumValue
uxtheme.dll.GetThemePosition
uxtheme.dll.GetThemeFont
uxtheme.dll.GetThemeRect
uxtheme.dll.GetThemeMargins
uxtheme.dll.GetThemeIntList
uxtheme.dll.GetThemePropertyOrigin
uxtheme.dll.SetWindowTheme
uxtheme.dll.GetThemeFilename
uxtheme.dll.GetThemeSysColor
uxtheme.dll.GetThemeSysColorBrush
uxtheme.dll.GetThemeSysBool
uxtheme.dll.GetThemeSysSize
uxtheme.dll.GetThemeSysFont
uxtheme.dll.GetThemeSysString
uxtheme.dll.GetThemeSysInt
uxtheme.dll.IsThemeActive
uxtheme.dll.IsAppThemed
uxtheme.dll.GetWindowTheme
uxtheme.dll.IsThemeDialogTextureEnabled
uxtheme.dll.GetThemeAppProperties
uxtheme.dll.SetThemeAppProperties
uxtheme.dll.GetCurrentThemeName
uxtheme.dll.GetThemeDocumentationProperty
uxtheme.dll.DrawThemeParentBackground
uxtheme.dll.EnableTheming
user32.dll.NotifyWinEvent
shell32.dll.SHPathPrepareForWriteW
shell32.dll.SHCreateItemFromParsingName
kernel32.dll.VerSetConditionMask
kernel32.dll.VerifyVersionInfoW
kernel32.dll.GetNativeSystemInfo
kernel32.dll.IsWow64Process
kernel32.dll.GetSystemWow64DirectoryA
advapi32.dll.RegDeleteKeyExA
shell32.dll.SHGetKnownFolderPath
user32.dll.DisableProcessWindowsGhosting
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
ole32.dll.CoCreateInstance
advapi32.dll.CheckTokenMembership
user32.dll.ShutdownBlockReasonDestroy
user32.dll.ShutdownBlockReasonCreate
kernel32.dll.GetSystemWow64DirectoryW
shfolder.dll.SHGetFolderPathW
rstrtmgr.dll.RmStartSession
rstrtmgr.dll.RmRegisterResources
rstrtmgr.dll.RmGetList
rstrtmgr.dll.RmShutdown
rstrtmgr.dll.RmRestart
rstrtmgr.dll.RmEndSession
bcryptprimitives.dll.GetHashInterface
user32.dll.ChangeWindowMessageFilterEx
uxtheme.dll.GetThemeBackgroundExtent
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
user32.dll.MonitorFromRect
shlwapi.dll.SHAutoComplete
comctl32.dll.#411
comctl32.dll.#410
ole32.dll.CLSIDFromString
comctl32.dll.#413
user32.dll.MonitorFromWindow
gdi32.dll.GdiIsMetaPrintDC

Executed Commands

"C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.tmp" /SL5="$901E0,10231439,121344,C:\Users\user\AppData\Local\Temp\EE1039B.exe"
Local\MSCTF.Asm.MutexDefault1
Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
DefaultTabtip-MainUI

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x004117dc
Reported Checksum 0x00a36de3
Actual Checksum 0x00a36de3
Minimum OS Version 5.0
Compile Time 2016-04-06 14:39:04
Import Hash 20dd26497880c05caed9305b3c8b9109

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x0000f244 0x0000f400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.38
.itext 0x00011000 0x00000f64 0x00001000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.73
.data 0x00012000 0x00000c88 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.30
.bss 0x00013000 0x000056bc 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x00019000 0x00000e04 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.60
.tls 0x0001a000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x0001b000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.20
.rsrc 0x0001c000 0x0000b200 0x0000b200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.15

Overlay

Offset 0x0001da00
Size 0x00a0f1e8

Imports

Library oleaut32.dll:
0x419304 SysFreeString
0x419308 SysReAllocStringLen
0x41930c SysAllocStringLen
Library advapi32.dll:
0x419314 RegQueryValueExW
0x419318 RegOpenKeyExW
0x41931c RegCloseKey
Library user32.dll:
0x419324 GetKeyboardType
0x419328 LoadStringW
0x41932c MessageBoxA
0x419330 CharNextW
Library kernel32.dll:
0x419338 GetACP
0x41933c Sleep
0x419340 VirtualFree
0x419344 VirtualAlloc
0x419348 GetSystemInfo
0x41934c GetTickCount
0x419354 GetVersion
0x419358 GetCurrentThreadId
0x41935c VirtualQuery
0x419360 WideCharToMultiByte
0x419364 MultiByteToWideChar
0x419368 lstrlenW
0x41936c lstrcpynW
0x419370 LoadLibraryExW
0x419374 GetThreadLocale
0x419378 GetStartupInfoA
0x41937c GetProcAddress
0x419380 GetModuleHandleW
0x419384 GetModuleFileNameW
0x419388 GetLocaleInfoW
0x41938c GetCommandLineW
0x419390 FreeLibrary
0x419394 FindFirstFileW
0x419398 FindClose
0x41939c ExitProcess
0x4193a0 WriteFile
0x4193a8 RtlUnwind
0x4193ac RaiseException
0x4193b0 GetStdHandle
0x4193b4 CloseHandle
Library kernel32.dll:
0x4193bc TlsSetValue
0x4193c0 TlsGetValue
0x4193c4 LocalAlloc
0x4193c8 GetModuleHandleW
Library user32.dll:
0x4193d0 CreateWindowExW
0x4193d4 TranslateMessage
0x4193d8 SetWindowLongW
0x4193dc PeekMessageW
0x4193e4 MessageBoxW
0x4193e8 LoadStringW
0x4193ec GetSystemMetrics
0x4193f0 ExitWindowsEx
0x4193f4 DispatchMessageW
0x4193f8 DestroyWindow
0x4193fc CharUpperBuffW
0x419400 CallWindowProcW
Library kernel32.dll:
0x419408 WriteFile
0x41940c WideCharToMultiByte
0x419410 WaitForSingleObject
0x419414 VirtualQuery
0x419418 VirtualProtect
0x41941c VirtualFree
0x419420 VirtualAlloc
0x419424 SizeofResource
0x419428 SignalObjectAndWait
0x41942c SetLastError
0x419430 SetFilePointer
0x419434 SetEvent
0x419438 SetErrorMode
0x41943c SetEndOfFile
0x419440 ResetEvent
0x419444 RemoveDirectoryW
0x419448 ReadFile
0x41944c MultiByteToWideChar
0x419450 LockResource
0x419454 LoadResource
0x419458 LoadLibraryW
0x419460 GetVersionExW
0x419464 GetVersion
0x41946c GetThreadLocale
0x419470 GetSystemInfo
0x419474 GetSystemDirectoryW
0x419478 GetStdHandle
0x41947c GetProcAddress
0x419480 GetModuleHandleW
0x419484 GetModuleFileNameW
0x419488 GetLocaleInfoW
0x41948c GetLastError
0x419490 GetFullPathNameW
0x419494 GetFileSize
0x419498 GetFileAttributesW
0x41949c GetExitCodeProcess
0x4194a4 GetDiskFreeSpaceW
0x4194a8 GetCurrentProcess
0x4194ac GetCommandLineW
0x4194b0 GetCPInfo
0x4194b4 InterlockedExchange
0x4194bc FreeLibrary
0x4194c0 FormatMessageW
0x4194c4 FindResourceW
0x4194c8 EnumCalendarInfoW
0x4194cc DeleteFileW
0x4194d0 CreateProcessW
0x4194d4 CreateFileW
0x4194d8 CreateEventW
0x4194dc CreateDirectoryW
0x4194e0 CloseHandle
Library advapi32.dll:
0x4194e8 RegQueryValueExW
0x4194ec RegOpenKeyExW
0x4194f0 RegCloseKey
0x4194f4 OpenProcessToken
Library comctl32.dll:
0x419500 InitCommonControls
Library kernel32.dll:
0x419508 Sleep
Library advapi32.dll:

.text
.itext
.data
.idata
.rdata
.rsrc
AnsiString
FastMM Borland Edition (c) 2004 - 2008 Pierre le Riche / Professional Software Development
An unexpected memory leak has occurred.
The sizes of unexpected leaked medium and large blocks are:
bytes:
Unknown
AnsiString
UnicodeString
Unexpected Memory Leak
0123456789ABCDEF
GetLongPathNameW
TSetupLanguageEntry=
SetDefaultDllDirectories
SetDllDirectoryW
SetSearchPathMode
SetProcessDEPPolicy
Error
Runtime error at 00000000
Inno Setup Setup Data (5.5.7) (u)
Inno Setup Messages (5.5.3) (u)
oleaut32.dll
SysFreeString
SysReAllocStringLen
SysAllocStringLen
advapi32.dll
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
user32.dll
GetKeyboardType
LoadStringW
MessageBoxA
CharNextW
kernel32.dll
GetACP
Sleep
VirtualFree
VirtualAlloc
GetSystemInfo
GetTickCount
QueryPerformanceCounter
GetVersion
GetCurrentThreadId
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenW
lstrcpynW
LoadLibraryExW
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetCommandLineW
FreeLibrary
FindFirstFileW
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
CloseHandle
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleW
user32.dll
CreateWindowExW
TranslateMessage
SetWindowLongW
PeekMessageW
MsgWaitForMultipleObjects
MessageBoxW
LoadStringW
GetSystemMetrics
ExitWindowsEx
DispatchMessageW
DestroyWindow
CharUpperBuffW
CallWindowProcW
kernel32.dll
WriteFile
WideCharToMultiByte
WaitForSingleObject
VirtualQuery
VirtualProtect
VirtualFree
VirtualAlloc
SizeofResource
SignalObjectAndWait
SetLastError
SetFilePointer
SetEvent
SetErrorMode
SetEndOfFile
ResetEvent
RemoveDirectoryW
ReadFile
MultiByteToWideChar
LockResource
LoadResource
LoadLibraryW
GetWindowsDirectoryW
GetVersionExW
GetVersion
GetUserDefaultLangID
GetThreadLocale
GetSystemInfo
GetSystemDirectoryW
GetStdHandle
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetLastError
GetFullPathNameW
GetFileSize
GetFileAttributesW
GetExitCodeProcess
GetEnvironmentVariableW
GetDiskFreeSpaceW
GetCurrentProcess
GetCommandLineW
GetCPInfo
InterlockedExchange
InterlockedCompareExchange
FreeLibrary
FormatMessageW
FindResourceW
EnumCalendarInfoW
DeleteFileW
CreateProcessW
CreateFileW
CreateEventW
CreateDirectoryW
CloseHandle
advapi32.dll
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
OpenProcessToken
LookupPrivilegeValueW
comctl32.dll
InitCommonControls
kernel32.dll
Sleep
advapi32.dll
AdjustTokenPrivileges
SetupLdr
RedirFunc
PathFunc
SysUtils
Character
Windows
Types
SysInit
System
RTLConsts
SysConst
StrUtils
ImageHlp
CmnFunc2
VerInfo
FileClass
Int64Em
InstFunc
MsgIDs
Compress
Struct
ShellAPI
Messages
SetupEnt
LZMADecompSmall
XPTheme
SafeDLLPath
Inno Setup Setup Data (5.5.7) (u)
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
kernel32.dll
Software\CodeGear\Locales
Software\Borland\Locales
Software\Borland\Delphi\Locales
m/d/yy
mmmm d, yyyy
AMPM
AMPM
:mm:ss
kernel32.dll
GetDiskFreeSpaceExW
USERPROFILE
GetUserDefaultUILanguage
kernel32.dll
.DEFAULT\Control Panel\International
Locale
Control Panel\Desktop\ResourceLocale
[ExceptObject=nil]
File I/O error %d
Compressed block is corrupted
Compressed block is corrupted
Compressed block is corrupted
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
Unknown
Itanium
The setup files are corrupted. Please obtain a new copy of the program.
SeShutdownPrivilege
/SPAWNWND=
/Lang=
/HELP
The setup files are corrupted. Please obtain a new copy of the program.
For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Setup
kernel32.dll
uxtheme.dll
userenv.dll
setupapi.dll
apphelp.dll
propsys.dll
dwmapi.dll
cryptbase.dll
oleacc.dll
version.dll
profapi.dll
comres.dll
clbcatq.dll
Wow64DisableWow64FsRedirection
kernel32.dll
Wow64RevertWow64FsRedirection
shell32.dll
InnoSetupLdrWindow
STATIC
/SL5="$%x,%d,%d,
MAINICON(
Invalid file name - %s
Thursday
Write
Error creating variant or safe array
Variant or safe array index out of bounds
Invalid pointer operation
VS_VERSION_INFO
StringFileInfo
000004b0
Comments
This installation was built with Inno Setup.
CompanyName
RedTitan Technology Ltd
FileDescription
RedTitan EscapeE Setup
FileVersion
LegalCopyright
1997-2018 RedTitan Ltd.
ProductName
RedTitan EscapeE
ProductVersion
10.39.3.0
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree

  • EE1039B.exe 2084
    • EE1039B.tmp 2036 /SL5="$901E0,10231439,121344,C:\Users\user\AppData\Local\Temp\EE1039B.exe"

EE1039B.exe, PID: 2084, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\EE1039B.exe
Command Line: "C:\Users\user\AppData\Local\Temp\EE1039B.exe"
EE1039B.tmp, PID: 2036, Parent PID: 2084
Full Path: C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.tmp
Command Line: "C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.tmp" /SL5="$901E0,10231439,121344,C:\Users\user\AppData\Local\Temp\EE1039B.exe"

Hosts

Direct  IP               Country
Y       8.8.8.8          United States
N       23.42.27.27      Netherlands
N       217.212.252.104  Finland
N       205.185.216.42   United States

TCP

Source Source Port Destination Destination Port
192.168.35.21 49161 205.185.216.42 www.download.windowsupdate.com 80
192.168.35.21 49177 217.212.252.104 crl.microsoft.com 80
192.168.35.21 49162 23.42.27.27 t2.symcb.com 80
192.168.35.21 49163 23.42.27.27 t2.symcb.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53
192.168.35.21 65365 8.8.8.8 53

DNS

Name / Response
www.download.windowsupdate.com
    A 205.185.216.42
    CNAME cds.d2s7q6s2.hwcdn.net
    A 205.185.216.10
    CNAME 2-01-3cf7-0009.cdx.cedexis.net
t2.symcb.com
    A 23.42.27.27
    CNAME ocsp-ds.ws.symantec.com.edgekey.net
    CNAME e8218.dscb1.akamaiedge.net
tl.symcd.com
crl.microsoft.com
    A 217.212.252.104
    A 217.212.252.88
    CNAME crl.www.ms.akadns.net
    CNAME a1363.dscg.akamai.net

HTTP Requests

URI Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 19 Apr 2017 22:43:31 GMT
If-None-Match: "80ab755e5eb9d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://t2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEHGgtzaV3bGvwjsrmhjuVMs%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: t2.symcb.com

http://tl.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCEBJhLj3htDcVpyfcDQGSxrw%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFBjxN%2BWY73bfUnSOp7HDKJ%2Fbx0wQUV4abVLi%2BpimK5PbC4hMYiYXN3LcCEBJhLj3htDcVpyfcDQGSxrw%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: tl.symcd.com

http://crl.microsoft.com/pki/crl/products/WinPCA.crl
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 02 Dec 2015 18:30:06 GMT
If-None-Match: "0cb60772f2dd11:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name EE1039B.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.tmp
File Size 1182712 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e329db4314d9ed933804bc44e137df30
SHA1 8617abb78b8524335d1fee05d30328eab55b195a
SHA256 eb31ed285a479965f5de8ebae27b3ef6a24682f8ff79745ddead223110d734e1
CRC32 BD2521F5
Ssdeep 24576:xtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt2:vqTytRFk6ek1Lf
ClamAV None
Yara None matched
CAPE Yara None matched
File name _setup64.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\is-GU3PT.tmp\_isetup\_setup64.tmp
File Size 6144 bytes
File Type PE32+ executable (console) x86-64, for MS Windows
MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
CRC32 2CDCC338
Ssdeep 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
ClamAV None
Yara None matched
CAPE Yara None matched
File name Setup Log 2019-09-12 #001.txt
Associated Filenames
C:\Users\user\AppData\Local\Temp\Setup Log 2019-09-12 #001.txt
File Size 4006 bytes
File Type UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5 5b50a8615e4a96ca5bcc62c3cfaa78a4
SHA1 eddff58eae66aed0763e1a2538e98e07b044891c
SHA256 fb35b847bb114d9fd8afed3bf1c7c567961caed5da3284f6625fa895ffec7563
CRC32 EA6353FD
Ssdeep 48:SSXMdpGbOBOo8WIcRsCVsfE2binfp4bvPfxPvEkREK3Spcv0o706gGtDEh:SisDwceCP2binh4bvPfxPvEkREK3Btgh
ClamAV None
Yara None matched
CAPE Yara None matched
2019-09-12 06:53:08.101   Log opened. (Time zone: UTC+01:00)
2019-09-12 06:53:08.101   Setup version: Inno Setup version 5.5.9 (u)
2019-09-12 06:53:08.101   Original Setup EXE: C:\Users\user\AppData\Local\Temp\EE1039B.exe
2019-09-12 06:53:08.101   Setup command line: /SL5="$901E0,10231439,121344,C:\Users\user\AppData\Local\Temp\EE1039B.exe" 
2019-09-12 06:53:08.101   Windows version: 6.1.7601 SP1  (NT platform: Yes)
2019-09-12 06:53:08.101   64-bit Windows: Yes
2019-09-12 06:53:08.101   Processor architecture: x64
2019-09-12 06:53:08.101   User privileges: Administrative
2019-09-12 06:53:08.101   64-bit install mode: No
2019-09-12 06:53:08.132   Created temporary directory: C:\Users\user\AppData\Local\Temp\is-GU3PT.tmp
2019-09-12 06:53:08.569   
2019-09-12 06:53:08.569   **** [LogPreInstallFindings] Contents of C:\\WINDOWS\\WIN.INI
2019-09-12 06:53:08.569                1 ; for 16-bit app support
2019-09-12 06:53:08.569                2 [fonts]
2019-09-12 06:53:08.569                3 [extensions]
2019-09-12 06:53:08.569                4 [mci extensions]
2019-09-12 06:53:08.569                5 [files]
2019-09-12 06:53:08.569                6 [Mail]
2019-09-12 06:53:08.569                7 MAPI=1
2019-09-12 06:53:08.569                8 CMCDLLNAME32=mapi32.dll
2019-09-12 06:53:08.569                9 CMC=1
2019-09-12 06:53:08.569               10 MAPIX=1
2019-09-12 06:53:08.569               11 MAPIXVER=1.0.0.1
2019-09-12 06:53:08.569               12 OLEMessaging=1
2019-09-12 06:53:08.569               13 [MCI Extensions.BAK]
2019-09-12 06:53:08.569               14 3g2=MPEGVideo
2019-09-12 06:53:08.569               15 3gp=MPEGVideo
2019-09-12 06:53:08.569               16 3gp2=MPEGVideo
2019-09-12 06:53:08.569               17 3gpp=MPEGVideo
2019-09-12 06:53:08.569               18 aac=MPEGVideo
2019-09-12 06:53:08.569               19 adt=MPEGVideo
2019-09-12 06:53:08.569               20 adts=MPEGVideo
2019-09-12 06:53:08.569               21 m2t=MPEGVideo
2019-09-12 06:53:08.569               22 m2ts=MPEGVideo
2019-09-12 06:53:08.569               23 m2v=MPEGVideo
2019-09-12 06:53:08.569               24 m4a=MPEGVideo
2019-09-12 06:53:08.569               25 m4v=MPEGVideo
2019-09-12 06:53:08.569               26 mod=MPEGVideo
2019-09-12 06:53:08.569               27 mov=MPEGVideo
2019-09-12 06:53:08.569               28 mp4=MPEGVideo
2019-09-12 06:53:08.569               29 mp4v=MPEGVideo
2019-09-12 06:53:08.569               30 mts=MPEGVideo
2019-09-12 06:53:08.569               31 ts=MPEGVideo
2019-09-12 06:53:08.569               32 tts=MPEGVideo
2019-09-12 06:53:08.569   
2019-09-12 06:53:08.569   **** [LogPreInstallFindings] Contents of registry at software\redtitan
2019-09-12 06:53:08.569   
2019-09-12 06:53:08.569   
2019-09-12 06:53:08.569   **** 2 [ScanForOldInstallation] No Old RT.INI found in WIN.INI
2019-09-12 06:53:08.569   **** [ScanForOldInstallationDigHard] Operation Mode 0
2019-09-12 06:53:08.569   
2019-09-12 06:53:08.569   **** [LogOldInstallationContext] Installation Context
2019-09-12 06:53:08.569   **** [LogOldInstallationContext] Operation Mode ... Clean Installation
2019-09-12 06:53:08.569   Context:
2019-09-12 06:53:08.569       Ctx_DDFFileStore 
2019-09-12 06:53:08.569       Ctx_DefaultPaperSize 
2019-09-12 06:53:08.569       Ctx_DemoFont 
2019-09-12 06:53:08.569       Ctx_FontFiles 
2019-09-12 06:53:08.569       Ctx_InstallRootDir 
2019-09-12 06:53:08.569       Ctx_RTINILocation 
2019-09-12 06:53:08.569       Ctx_UserFiles 
2019-09-12 06:53:08.569       Ctx_DDFInstalled 0
2019-09-12 06:53:08.569       Ctx_DocDesignInstalled 0
2019-09-12 06:53:08.569       Ctx_DSCInstalled 0
2019-09-12 06:53:08.569       Ctx_EscapeEInstalled 0
2019-09-12 06:53:08.569       Ctx_FontImageInstalled 0
2019-09-12 06:53:08.569       Ctx_ImageInstalled 0
2019-09-12 06:53:08.569       Ctx_NDPInstalled 0
2019-09-12 06:53:08.569       Ctx_UberedInstalled 0
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x00550000
Process EE1039B.tmp
PID 2036
Path C:\Users\user\AppData\Local\Temp\is-FDP1N.tmp\EE1039B.tmp
MD5 0d62da431be989d3f482b115562bd200
SHA1 ee46311a2104e967060b6d0f540aa3980838e5c3
SHA256 a3f613edba5316d65da8fe316a856c8c5407789927f92f7f3002cc5caab42acb
CRC32 B28121FF
Ssdeep 96:1XJTJv5jiQHJzpvZjCQ3sYJ/l4dySPMYn/vIswzZF07PeyvFpBEvkx8OhfrCy:1XJTJv5j5HJzpvZjCQ3sYJYy01n/vRi4
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.

Processing ( 25.663 seconds )

  • 10.084 Static
  • 5.212 CAPE
  • 4.323 TargetInfo
  • 3.933 Deduplicate
  • 0.772 Dropped
  • 0.653 Strings
  • 0.368 BehaviorAnalysis
  • 0.275 TrID
  • 0.037 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.302 seconds )

  • 0.167 antidbg_windows
  • 0.019 stealth_timeout
  • 0.014 antiav_detectreg
  • 0.013 api_spamming
  • 0.013 decoy_document
  • 0.008 antivm_vbox_window
  • 0.007 ransomware_files
  • 0.006 antisandbox_script_timer
  • 0.006 infostealer_ftp
  • 0.004 antiav_detectfile
  • 0.003 persistence_autorun
  • 0.003 antianalysis_detectreg
  • 0.003 infostealer_im
  • 0.003 infostealer_mail
  • 0.003 ransomware_extensions
  • 0.002 antivm_generic_services
  • 0.002 antivm_generic_scsi
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 antivm_vbox_libs
  • 0.001 rat_nanocore
  • 0.001 Doppelganging
  • 0.001 exploit_getbasekerneladdress
  • 0.001 antiemu_wine_func
  • 0.001 betabot_behavior
  • 0.001 mimics_filetime
  • 0.001 infostealer_browser_password
  • 0.001 dynamic_function_loading
  • 0.001 InjectionSetWindowLong
  • 0.001 cerber_behavior
  • 0.001 virus
  • 0.001 kovter_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 90433
Mongo ID 5d79519feac9b186706349c7
Cuckoo release 1.3-CAPE