Analysis

Category: URL
Package: ie
Started: 2019-10-08 11:15:38
Completed: 2019-10-08 11:19:26
Duration: 228 seconds

Options:
route = internet
procdump = 1
2019-10-08 12:15:38,000 [root] INFO: Date set to: 10-08-19, time set to: 11:15:38, timeout set to: 200
2019-10-08 12:15:38,000 [root] DEBUG: Starting analyzer from: C:\epyfuwi
2019-10-08 12:15:38,000 [root] DEBUG: Storing results at: C:\gZakWW
2019-10-08 12:15:38,000 [root] DEBUG: Pipe server name: \\.\PIPE\VkGmEcQYHF
2019-10-08 12:15:38,000 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-08 12:15:38,000 [root] INFO: Automatically selected analysis package "ie"
2019-10-08 12:15:38,467 [root] DEBUG: Started auxiliary module Browser
2019-10-08 12:15:38,467 [root] DEBUG: Started auxiliary module Curtain
2019-10-08 12:15:38,467 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2019-10-08 12:15:38,467 [root] DEBUG: Started auxiliary module DigiSig
2019-10-08 12:15:38,483 [root] DEBUG: Started auxiliary module Disguise
2019-10-08 12:15:38,483 [root] DEBUG: Started auxiliary module Human
2019-10-08 12:15:38,483 [root] DEBUG: Started auxiliary module Screenshots
2019-10-08 12:15:38,483 [root] DEBUG: Started auxiliary module Sysmon
2019-10-08 12:15:38,483 [root] DEBUG: Started auxiliary module Usage
2019-10-08 12:15:38,483 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2019-10-08 12:15:38,483 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2019-10-08 12:15:38,638 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""https://promosurvey3.info/"" with pid 1728
2019-10-08 12:15:38,654 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-08 12:15:38,654 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\YbOMoi.dll, loader C:\epyfuwi\bin\cNGdmsJ.exe
2019-10-08 12:15:38,763 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\VkGmEcQYHF.
2019-10-08 12:15:38,763 [root] DEBUG: Loader: Injecting process 1728 (thread 2120) with C:\epyfuwi\dll\YbOMoi.dll.
2019-10-08 12:15:38,763 [root] DEBUG: Process image base: 0x00EB0000
2019-10-08 12:15:38,763 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\YbOMoi.dll.
2019-10-08 12:15:38,763 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00F56000 - 0x77110000
2019-10-08 12:15:38,763 [root] DEBUG: InjectDllViaIAT: Allocated 0x214 bytes for new import table at 0x00F60000.
2019-10-08 12:15:38,763 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-08 12:15:38,763 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\YbOMoi.dll.
2019-10-08 12:15:38,763 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1728
2019-10-08 12:15:40,776 [lib.api.process] INFO: Successfully resumed process with pid 1728
2019-10-08 12:15:40,776 [root] INFO: Added new process to list with pid: 1728
2019-10-08 12:15:40,854 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-08 12:15:40,854 [root] DEBUG: Process dumps enabled.
2019-10-08 12:15:40,931 [root] INFO: Disabling sleep skipping.
2019-10-08 12:15:40,931 [root] INFO: Disabling sleep skipping.
2019-10-08 12:15:40,931 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-08 12:15:40,931 [root] INFO: Disabling sleep skipping.
2019-10-08 12:15:40,931 [root] INFO: Disabling sleep skipping.
2019-10-08 12:15:40,931 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1728 at 0x74940000, image base 0xeb0000, stack from 0x142000-0x150000
2019-10-08 12:15:40,931 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" "https:\promosurvey3.info\".
2019-10-08 12:15:40,931 [root] INFO: Monitor successfully loaded in process with pid 1728.
2019-10-08 12:15:40,963 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-10-08 12:15:40,994 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-08 12:15:41,026 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-08 12:15:41,026 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-08 12:15:41,056 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-08 12:15:41,072 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-08 12:15:41,072 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-08 12:15:41,088 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-08 12:15:41,088 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-08 12:15:41,088 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-08 12:15:41,088 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-08 12:15:41,119 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-08 12:15:41,134 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2019-10-08 12:15:41,151 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-08 12:15:41,151 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-08 12:15:41,151 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-08 12:15:41,151 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-08 12:15:41,165 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-08 12:15:41,229 [root] DEBUG: DLL loaded at 0x74360000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-08 12:15:41,229 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-10-08 12:15:41,229 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-08 12:15:41,229 [root] DEBUG: DLL unloaded from 0x74360000.
2019-10-08 12:15:41,229 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-08 12:15:41,229 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-08 12:15:41,243 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-08 12:15:41,259 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-08 12:15:41,354 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-08 12:15:41,354 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-08 12:15:41,368 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 2296
2019-10-08 12:15:41,368 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-08 12:15:41,368 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\YbOMoi.dll, loader C:\epyfuwi\bin\cNGdmsJ.exe
2019-10-08 12:15:41,368 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\VkGmEcQYHF.
2019-10-08 12:15:41,368 [root] DEBUG: Loader: Injecting process 2296 (thread 2332) with C:\epyfuwi\dll\YbOMoi.dll.
2019-10-08 12:15:41,368 [root] DEBUG: Process image base: 0x00EB0000
2019-10-08 12:15:41,368 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\YbOMoi.dll.
2019-10-08 12:15:41,368 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00F56000 - 0x77110000
2019-10-08 12:15:41,368 [root] DEBUG: InjectDllViaIAT: Allocated 0x214 bytes for new import table at 0x00F60000.
2019-10-08 12:15:41,368 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-08 12:15:41,368 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\YbOMoi.dll.
2019-10-08 12:15:41,384 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2296
2019-10-08 12:15:41,384 [root] DEBUG: DLL unloaded from 0x00EB0000.
2019-10-08 12:15:41,384 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 2296
2019-10-08 12:15:41,384 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-08 12:15:41,384 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\YbOMoi.dll, loader C:\epyfuwi\bin\cNGdmsJ.exe
2019-10-08 12:15:41,384 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\VkGmEcQYHF.
2019-10-08 12:15:41,384 [root] DEBUG: Loader: Injecting process 2296 (thread 2332) with C:\epyfuwi\dll\YbOMoi.dll.
2019-10-08 12:15:41,384 [root] DEBUG: Process image base: 0x00EB0000
2019-10-08 12:15:41,384 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\YbOMoi.dll.
2019-10-08 12:15:41,384 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-08 12:15:41,384 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\YbOMoi.dll.
2019-10-08 12:15:41,384 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2296
2019-10-08 12:15:41,384 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-08 12:15:41,384 [root] DEBUG: DLL loaded at 0x74320000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-08 12:15:41,384 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-08 12:15:41,384 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-08 12:15:41,384 [root] DEBUG: Process dumps enabled.
2019-10-08 12:15:41,384 [root] INFO: Disabling sleep skipping.
2019-10-08 12:15:41,400 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-08 12:15:41,400 [root] DEBUG: DLL unloaded from 0x747D0000.
2019-10-08 12:15:41,400 [root] DEBUG: DLL unloaded from 0x74320000.
2019-10-08 12:15:41,400 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-08 12:15:41,400 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2296 at 0x74940000, image base 0xeb0000, stack from 0x2a2000-0x2b0000
2019-10-08 12:15:41,400 [root] DEBUG: Commandline: C:\Users\user\Desktop\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1728 CREDAT:79873.
2019-10-08 12:15:41,400 [root] INFO: Added new process to list with pid: 2296
2019-10-08 12:15:41,400 [root] INFO: Monitor successfully loaded in process with pid 2296.
2019-10-08 12:15:41,400 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-10-08 12:15:41,400 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-08 12:15:41,400 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-08 12:15:41,400 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-08 12:15:41,400 [root] DEBUG: DLL loaded at 0x74310000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-08 12:15:41,400 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-08 12:15:41,400 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-08 12:15:41,415 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-08 12:15:41,415 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-08 12:15:41,431 [root] DEBUG: DLL loaded at 0x742D0000: C:\Program Files (x86)\Internet Explorer\IEShims (0x35000 bytes).
2019-10-08 12:15:41,431 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-08 12:15:41,447 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-08 12:15:41,447 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-08 12:15:41,447 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-08 12:15:41,447 [root] DEBUG: DLL loaded at 0x74290000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-08 12:15:41,447 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-10-08 12:15:41,447 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-08 12:15:41,447 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-08 12:15:41,447 [root] DEBUG: DLL loaded at 0x74280000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-08 12:15:41,447 [root] DEBUG: DLL unloaded from 0x74290000.
2019-10-08 12:15:41,447 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-08 12:15:41,463 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2019-10-08 12:15:41,463 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-08 12:15:41,463 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-08 12:15:41,463 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\evQisa.dll, loader C:\epyfuwi\bin\PaUDWxlh.exe
2019-10-08 12:15:41,477 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-08 12:15:41,477 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-08 12:15:41,477 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-08 12:15:41,477 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\VkGmEcQYHF.
2019-10-08 12:15:41,477 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\epyfuwi\dll\evQisa.dll.
2019-10-08 12:15:41,477 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1636, handle 0x84
2019-10-08 12:15:41,477 [root] DEBUG: Process image base: 0x00000000FF900000
2019-10-08 12:15:41,477 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-08 12:15:41,477 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-08 12:15:41,493 [root] DEBUG: DLL loaded at 0x74210000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-08 12:15:41,493 [root] DEBUG: DLL loaded at 0x741F0000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-10-08 12:15:41,493 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-08 12:15:41,493 [root] DEBUG: DLL unloaded from 0x74810000.
2019-10-08 12:15:41,493 [root] DEBUG: DLL unloaded from 0x741F0000.
2019-10-08 12:15:41,540 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-08 12:15:41,540 [root] DEBUG: DLL loaded at 0x74000000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-08 12:15:41,540 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-08 12:15:41,555 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-08 12:15:41,555 [root] DEBUG: Process dumps enabled.
2019-10-08 12:15:41,555 [root] INFO: Disabling sleep skipping.
2019-10-08 12:15:41,572 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-08 12:15:41,572 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-08 12:15:41,588 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-08 12:15:41,602 [root] WARNING: Unable to place hook on LockResource
2019-10-08 12:15:41,602 [root] WARNING: Unable to hook LockResource
2019-10-08 12:15:41,665 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1632 at 0x0000000074100000, image base 0x00000000FF900000, stack from 0x0000000003AB2000-0x0000000003AC0000
2019-10-08 12:15:41,680 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-10-08 12:15:41,680 [root] INFO: Added new process to list with pid: 1632
2019-10-08 12:15:41,680 [root] INFO: Monitor successfully loaded in process with pid 1632.
2019-10-08 12:15:41,697 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-08 12:15:41,697 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-08 12:15:41,697 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\evQisa.dll.
2019-10-08 12:15:41,711 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\system32\IEUI (0x2d000 bytes).
2019-10-08 12:15:41,727 [root] DEBUG: DLL loaded at 0x73FC0000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-10-08 12:15:41,759 [root] DEBUG: DLL loaded at 0x73F90000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-10-08 12:15:41,775 [root] DEBUG: DLL loaded at 0x74000000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-08 12:15:41,775 [root] DEBUG: DLL unloaded from 0x74000000.
2019-10-08 12:15:41,805 [root] DEBUG: DLL loaded at 0x73F80000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-10-08 12:15:41,836 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-08 12:15:41,961 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-08 12:15:41,961 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-08 12:15:41,961 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-08 12:15:41,961 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-08 12:15:41,993 [root] DEBUG: DLL loaded at 0x73ED0000: C:\Windows\system32\xmllite (0x2f000 bytes).
2019-10-08 12:17:59,039 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-08 12:17:59,071 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-08 12:19:02,562 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-08 12:19:02,562 [root] INFO: Created shutdown mutex.
2019-10-08 12:19:03,576 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1728
2019-10-08 12:19:03,576 [root] INFO: Terminate event set for process 1728.
2019-10-08 12:19:03,576 [root] INFO: Terminating process 1728 before shutdown.
2019-10-08 12:19:03,576 [root] INFO: Waiting for process 1728 to exit.
2019-10-08 12:19:04,591 [root] INFO: Waiting for process 1728 to exit.
2019-10-08 12:19:05,605 [root] INFO: Waiting for process 1728 to exit.
2019-10-08 12:19:06,618 [root] INFO: Waiting for process 1728 to exit.
2019-10-08 12:19:07,632 [lib.api.process] INFO: Successfully terminated process with pid 1728.
2019-10-08 12:19:07,632 [root] INFO: Waiting for process 1728 to exit.
2019-10-08 12:19:08,647 [root] INFO: Terminating process 2296 before shutdown.
2019-10-08 12:19:08,647 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1632
2019-10-08 12:19:08,647 [root] INFO: Terminate event set for process 1632.
2019-10-08 12:19:08,647 [root] DEBUG: Terminate Event: Attempting to dump process 1632
2019-10-08 12:19:08,647 [root] INFO: Terminating process 1632 before shutdown.
2019-10-08 12:19:08,647 [root] INFO: Waiting for process 1632 to exit.
2019-10-08 12:19:08,647 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF900000.
2019-10-08 12:19:08,647 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF900000.
2019-10-08 12:19:08,647 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2019-10-08 12:19:08,724 [root] INFO: Added new CAPE file to list with path: C:\gZakWW\CAPE\1632_2351244768191182102019
2019-10-08 12:19:08,740 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2baa00.
2019-10-08 12:19:08,740 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1632
2019-10-08 12:19:09,647 [root] INFO: Shutting down package.
2019-10-08 12:19:09,647 [root] INFO: Stopping auxiliary modules.
2019-10-08 12:19:09,647 [root] INFO: Finishing auxiliary modules.
2019-10-08 12:19:09,647 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-08 12:19:09,647 [root] WARNING: File at path "C:\gZakWW\debugger" does not exist, skip.
2019-10-08 12:19:09,647 [root] INFO: Analysis completed.

MalScore

2.0

Benign

Machine

Name: target-01
Label: target-01
Manager: ESX
Started On: 2019-10-08 11:15:38
Shutdown On: 2019-10-08 11:19:24

URL Details

URL
https://promosurvey3.info/

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Dynamic (imported) function loading detected
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: comctl32.dll/LoadIconWithScaleDown
DynamicLoader: IEUI.dll/InitGadgets
DynamicLoader: ieproxy.dll/DllGetClassObject
DynamicLoader: ieproxy.dll/DllCanUnloadNow
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: propsys.dll/PSGetPropertyKeyFromName
DynamicLoader: USER32.dll/MsgWaitForMultipleObjectsEx
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: comctl32.dll/ImageList_LoadImageW
DynamicLoader: comctl32.dll/ImageList_GetIconSize
DynamicLoader: UxTheme.dll/IsCompositionActive
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/ImageList_Create
DynamicLoader: comctl32.dll/ImageList_ReplaceIcon
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/ImageList_AddMasked
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: MSCTF.dll/SetInputScopes2
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: urlmon.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: IEUI.dll/CreateGadget
DynamicLoader: IEUI.dll/SetGadgetMessageFilter
DynamicLoader: IEUI.dll/SetGadgetStyle
DynamicLoader: IEUI.dll/SetGadgetRootInfo
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: SHELL32.dll/SetCurrentProcessExplicitAppUserModelID
DynamicLoader: USER32.dll/GetShellWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: IEFRAME.dll/
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: comctl32.dll/PropertySheetW
DynamicLoader: comctl32.dll/PropertySheetA
DynamicLoader: comdlg32.dll/PageSetupDlgW
DynamicLoader: comdlg32.dll/PrintDlgW
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: IEShims.dll/IEShims_Initialize
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: USER32.dll/FindWindowExA
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: ADVAPI32.dll/RegQueryValueA
DynamicLoader: ntdll.dll/LdrRegisterDllNotification
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: kernel32.dll/WerRegisterMemoryBlock
DynamicLoader: kernel32.dll/WerUnregisterMemoryBlock
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: RPCRT4.dll/RpcServerUseProtseqW
DynamicLoader: RPCRT4.dll/RpcServerRegisterIfEx
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: RPCRT4.dll/RpcServerInqBindings
DynamicLoader: RPCRT4.dll/RpcEpRegisterW
DynamicLoader: RPCRT4.dll/RpcServerListen
DynamicLoader: SHELL32.dll/SHGetInstanceExplorer
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: USER32.dll/MsgWaitForMultipleObjectsEx
DynamicLoader: urlmon.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/TraceMessage
DynamicLoader: ADVAPI32.dll/TraceMessageVa
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: sqmapi.dll/SqmGetSession
DynamicLoader: sqmapi.dll/SqmEndSession
DynamicLoader: sqmapi.dll/SqmStartSession
DynamicLoader: sqmapi.dll/SqmStartUpload
DynamicLoader: sqmapi.dll/SqmWaitForUploadComplete
DynamicLoader: sqmapi.dll/SqmSet
DynamicLoader: sqmapi.dll/SqmSetBool
DynamicLoader: sqmapi.dll/SqmSetBits
DynamicLoader: sqmapi.dll/SqmSetString
DynamicLoader: sqmapi.dll/SqmIncrement
DynamicLoader: sqmapi.dll/SqmSetIfMax
DynamicLoader: sqmapi.dll/SqmSetIfMin
DynamicLoader: sqmapi.dll/SqmAddToAverage
DynamicLoader: sqmapi.dll/SqmAddToStreamDWord
DynamicLoader: sqmapi.dll/SqmAddToStreamString
DynamicLoader: sqmapi.dll/SqmSetAppId
DynamicLoader: sqmapi.dll/SqmSetAppVersion
DynamicLoader: sqmapi.dll/SqmSetMachineId
DynamicLoader: sqmapi.dll/SqmSetUserId
DynamicLoader: sqmapi.dll/SqmCreateNewId
DynamicLoader: sqmapi.dll/SqmReadSharedMachineId
DynamicLoader: sqmapi.dll/SqmReadSharedUserId
DynamicLoader: sqmapi.dll/SqmWriteSharedMachineId
DynamicLoader: sqmapi.dll/SqmWriteSharedUserId
DynamicLoader: sqmapi.dll/SqmIsWindowsOptedIn
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

Process Tree


iexplore.exe, PID: 1728, Parent PID: 2480
Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "https://promosurvey3.info/"
iexplore.exe, PID: 2296, Parent PID: 1728
Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1728 CREDAT:79873
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name explorer.exe
PID 1632
Dump Size 2861568 bytes
Module Path C:\Windows\explorer.exe
Type PE image: 64-bit executable
MD5 e385900f2b07ae55621677226f33830a
SHA1 2100951bf34ce3964cba5701b19d3a8e01ee2373
SHA256 2773a69c7db804fa35a8fbe1e06e0c9a52d460a9286ae339e1dabc5a1406014f
CRC32 A51387F2
Ssdeep 49152:kxrceI/lIRYraisQhFCUu3vYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:GrcPlIWOvYYYYYYYYYYYRYYYYYYYYYY4
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 2773a69c7db804fa35a8fbe1e06e0c9a52d460a9286ae339e1dabc5a1406014f

Processing ( 12.602 seconds )

  • 10.253 Static
  • 1.543 ProcDump
  • 0.733 BehaviorAnalysis
  • 0.061 Deduplicate
  • 0.006 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.888 seconds )

  • 0.604 antidbg_windows
  • 0.042 stealth_timeout
  • 0.038 antiav_detectreg
  • 0.031 antivm_vbox_window
  • 0.025 api_spamming
  • 0.024 antisandbox_script_timer
  • 0.014 infostealer_ftp
  • 0.008 antianalysis_detectreg
  • 0.008 infostealer_im
  • 0.008 ransomware_files
  • 0.007 antivm_vbox_keys
  • 0.005 antivm_generic_scsi
  • 0.005 antivm_vmware_keys
  • 0.005 infostealer_mail
  • 0.004 antiav_detectfile
  • 0.003 persistence_autorun
  • 0.003 ransomware_extensions
  • 0.002 bootkit
  • 0.002 Doppelganging
  • 0.002 recon_programs
  • 0.002 antivm_generic_services
  • 0.002 mimics_filetime
  • 0.002 kibex_behavior
  • 0.002 antivm_generic_disk
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_vbox_files
  • 0.002 antivm_xen_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 recon_fingerprint
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 uac_bypass_eventvwr
  • 0.001 antivm_vbox_libs
  • 0.001 rat_nanocore
  • 0.001 stack_pivot
  • 0.001 injection_createremotethread
  • 0.001 antiemu_wine_func
  • 0.001 betabot_behavior
  • 0.001 InjectionCreateRemoteThread
  • 0.001 InjectionProcessHollowing
  • 0.001 infostealer_browser_password
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 injection_runpe
  • 0.001 virus
  • 0.001 kovter_behavior
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vpc_keys
  • 0.001 bot_drive
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 ie_martian_children

Reporting ( 0.004 seconds )

  • 0.004 CompressResults
Task ID 94114
Mongo ID 5d9c70d22896bfeded6faf9c
Cuckoo release 1.3-CAPE