Analysis

Category: URL
Package: ie
Started: 2019-10-09 21:02:28
Completed: 2019-10-09 21:06:17
Duration: 229 seconds
route = internet
procdump = 1
2019-10-09 22:02:29,000 [root] INFO: Date set to: 10-09-19, time set to: 21:02:29, timeout set to: 200
2019-10-09 22:02:29,015 [root] DEBUG: Starting analyzer from: C:\pmgtokfzz
2019-10-09 22:02:29,015 [root] DEBUG: Storing results at: C:\TqAjzFIpGL
2019-10-09 22:02:29,015 [root] DEBUG: Pipe server name: \\.\PIPE\ejDTTPwSI
2019-10-09 22:02:29,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-09 22:02:29,015 [root] INFO: Automatically selected analysis package "ie"
2019-10-09 22:02:29,358 [root] DEBUG: Started auxiliary module Browser
2019-10-09 22:02:29,358 [root] DEBUG: Started auxiliary module Curtain
2019-10-09 22:02:29,358 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2019-10-09 22:02:29,358 [root] DEBUG: Started auxiliary module DigiSig
2019-10-09 22:02:29,358 [root] DEBUG: Started auxiliary module Disguise
2019-10-09 22:02:29,358 [root] DEBUG: Started auxiliary module Human
2019-10-09 22:02:29,358 [root] DEBUG: Started auxiliary module Screenshots
2019-10-09 22:02:29,358 [root] DEBUG: Started auxiliary module Sysmon
2019-10-09 22:02:29,358 [root] DEBUG: Started auxiliary module Usage
2019-10-09 22:02:29,358 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2019-10-09 22:02:29,358 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2019-10-09 22:02:29,483 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""http://www.wisecleaner.com/templates/js/ajax.js"" with pid 3036
2019-10-09 22:02:29,483 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:02:29,483 [lib.api.process] INFO: 32-bit DLL to inject is C:\pmgtokfzz\dll\DYcFIgN.dll, loader C:\pmgtokfzz\bin\azpgbGM.exe
2019-10-09 22:02:29,546 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ejDTTPwSI.
2019-10-09 22:02:29,546 [root] DEBUG: Loader: Injecting process 3036 (thread 3040) with C:\pmgtokfzz\dll\DYcFIgN.dll.
2019-10-09 22:02:29,546 [root] DEBUG: Process image base: 0x00F50000
2019-10-09 22:02:29,546 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pmgtokfzz\dll\DYcFIgN.dll.
2019-10-09 22:02:29,546 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00FF6000 - 0x77110000
2019-10-09 22:02:29,546 [root] DEBUG: InjectDllViaIAT: Allocated 0x218 bytes for new import table at 0x01000000.
2019-10-09 22:02:29,546 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 22:02:29,546 [root] DEBUG: Successfully injected DLL C:\pmgtokfzz\dll\DYcFIgN.dll.
2019-10-09 22:02:29,546 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3036
2019-10-09 22:02:31,558 [lib.api.process] INFO: Successfully resumed process with pid 3036
2019-10-09 22:02:31,558 [root] INFO: Added new process to list with pid: 3036
2019-10-09 22:02:31,651 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:02:31,651 [root] DEBUG: Process dumps enabled.
2019-10-09 22:02:31,730 [root] INFO: Disabling sleep skipping.
2019-10-09 22:02:31,730 [root] INFO: Disabling sleep skipping.
2019-10-09 22:02:31,730 [root] INFO: Disabling sleep skipping.
2019-10-09 22:02:31,730 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 22:02:31,730 [root] INFO: Disabling sleep skipping.
2019-10-09 22:02:31,730 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3036 at 0x74940000, image base 0xf50000, stack from 0x402000-0x410000
2019-10-09 22:02:31,730 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" "http:\www.wisecleaner.com\templates\js\ajax.js".
2019-10-09 22:02:31,730 [root] INFO: Monitor successfully loaded in process with pid 3036.
2019-10-09 22:02:31,744 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-10-09 22:02:31,822 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-09 22:02:31,854 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-09 22:02:31,869 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-09 22:02:31,901 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-09 22:02:31,917 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-09 22:02:31,917 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-09 22:02:31,931 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-09 22:02:31,931 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-09 22:02:31,931 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-09 22:02:31,931 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-09 22:02:31,947 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-09 22:02:31,963 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2019-10-09 22:02:31,979 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-09 22:02:31,979 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-09 22:02:31,979 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-09 22:02:31,994 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-09 22:02:31,994 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-09 22:02:32,072 [root] DEBUG: DLL loaded at 0x74360000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-09 22:02:32,072 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-10-09 22:02:32,072 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 22:02:32,072 [root] DEBUG: DLL unloaded from 0x74360000.
2019-10-09 22:02:32,072 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-09 22:02:32,072 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-09 22:02:32,104 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 22:02:32,104 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-09 22:02:32,197 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-09 22:02:32,197 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-09 22:02:32,229 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 2292
2019-10-09 22:02:32,229 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:02:32,229 [lib.api.process] INFO: 32-bit DLL to inject is C:\pmgtokfzz\dll\DYcFIgN.dll, loader C:\pmgtokfzz\bin\azpgbGM.exe
2019-10-09 22:02:32,229 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ejDTTPwSI.
2019-10-09 22:02:32,229 [root] DEBUG: Loader: Injecting process 2292 (thread 2296) with C:\pmgtokfzz\dll\DYcFIgN.dll.
2019-10-09 22:02:32,229 [root] DEBUG: Process image base: 0x00F50000
2019-10-09 22:02:32,229 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pmgtokfzz\dll\DYcFIgN.dll.
2019-10-09 22:02:32,229 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00FF6000 - 0x77110000
2019-10-09 22:02:32,229 [root] DEBUG: InjectDllViaIAT: Allocated 0x218 bytes for new import table at 0x01000000.
2019-10-09 22:02:32,229 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 22:02:32,229 [root] DEBUG: Successfully injected DLL C:\pmgtokfzz\dll\DYcFIgN.dll.
2019-10-09 22:02:32,229 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2292
2019-10-09 22:02:32,229 [root] DEBUG: DLL unloaded from 0x00F50000.
2019-10-09 22:02:32,229 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 2292
2019-10-09 22:02:32,229 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:02:32,229 [lib.api.process] INFO: 32-bit DLL to inject is C:\pmgtokfzz\dll\DYcFIgN.dll, loader C:\pmgtokfzz\bin\azpgbGM.exe
2019-10-09 22:02:32,229 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ejDTTPwSI.
2019-10-09 22:02:32,229 [root] DEBUG: Loader: Injecting process 2292 (thread 2296) with C:\pmgtokfzz\dll\DYcFIgN.dll.
2019-10-09 22:02:32,229 [root] DEBUG: Process image base: 0x00F50000
2019-10-09 22:02:32,229 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pmgtokfzz\dll\DYcFIgN.dll.
2019-10-09 22:02:32,229 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-09 22:02:32,229 [root] DEBUG: Successfully injected DLL C:\pmgtokfzz\dll\DYcFIgN.dll.
2019-10-09 22:02:32,229 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2292
2019-10-09 22:02:32,243 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-09 22:02:32,243 [root] DEBUG: DLL loaded at 0x74320000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-09 22:02:32,243 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-09 22:02:32,243 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:02:32,243 [root] DEBUG: Process dumps enabled.
2019-10-09 22:02:32,243 [root] INFO: Disabling sleep skipping.
2019-10-09 22:02:32,243 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-09 22:02:32,243 [root] DEBUG: DLL unloaded from 0x747D0000.
2019-10-09 22:02:32,243 [root] DEBUG: DLL unloaded from 0x74320000.
2019-10-09 22:02:32,243 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 22:02:32,243 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2292 at 0x74940000, image base 0xf50000, stack from 0x3e2000-0x3f0000
2019-10-09 22:02:32,243 [root] DEBUG: Commandline: C:\Users\user\Desktop\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3036 CREDAT:79873.
2019-10-09 22:02:32,243 [root] INFO: Added new process to list with pid: 2292
2019-10-09 22:02:32,243 [root] INFO: Monitor successfully loaded in process with pid 2292.
2019-10-09 22:02:32,243 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 22:02:32,259 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-10-09 22:02:32,259 [root] DEBUG: DLL loaded at 0x74310000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-09 22:02:32,259 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-09 22:02:32,259 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-09 22:02:32,259 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-09 22:02:32,259 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-09 22:02:32,259 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-09 22:02:32,276 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-09 22:02:32,290 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-09 22:02:32,290 [root] DEBUG: DLL loaded at 0x742D0000: C:\Program Files (x86)\Internet Explorer\IEShims (0x35000 bytes).
2019-10-09 22:02:32,306 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-09 22:02:32,306 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-09 22:02:32,306 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-09 22:02:32,306 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-09 22:02:32,306 [root] DEBUG: DLL loaded at 0x742C0000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-09 22:02:32,322 [root] DEBUG: DLL loaded at 0x742B0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-09 22:02:32,322 [root] DEBUG: DLL loaded at 0x74270000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-09 22:02:32,322 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-10-09 22:02:32,322 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 22:02:32,322 [root] DEBUG: DLL unloaded from 0x74270000.
2019-10-09 22:02:32,322 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-09 22:02:32,338 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2019-10-09 22:02:32,338 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:02:32,338 [lib.api.process] INFO: 64-bit DLL to inject is C:\pmgtokfzz\dll\DhMCxKp.dll, loader C:\pmgtokfzz\bin\SUafvDZl.exe
2019-10-09 22:02:32,338 [root] DEBUG: DLL loaded at 0x74210000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-09 22:02:32,354 [root] DEBUG: DLL loaded at 0x741F0000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-10-09 22:02:32,354 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-09 22:02:32,354 [root] DEBUG: DLL unloaded from 0x74810000.
2019-10-09 22:02:32,354 [root] DEBUG: DLL unloaded from 0x741F0000.
2019-10-09 22:02:32,354 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ejDTTPwSI.
2019-10-09 22:02:32,354 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\pmgtokfzz\dll\DhMCxKp.dll.
2019-10-09 22:02:32,354 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-09 22:02:32,354 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-09 22:02:32,354 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-09 22:02:32,354 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-09 22:02:32,384 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:02:32,384 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 22:02:32,384 [root] DEBUG: Process dumps enabled.
2019-10-09 22:02:32,384 [root] INFO: Disabling sleep skipping.
2019-10-09 22:02:32,384 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-09 22:02:32,400 [root] DEBUG: DLL loaded at 0x74000000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-09 22:02:32,415 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-09 22:02:32,415 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-09 22:02:32,447 [root] WARNING: Unable to place hook on LockResource
2019-10-09 22:02:32,447 [root] WARNING: Unable to hook LockResource
2019-10-09 22:02:32,447 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-09 22:02:32,525 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1632 at 0x0000000074100000, image base 0x00000000FF900000, stack from 0x0000000003AC2000-0x0000000003AD0000
2019-10-09 22:02:32,525 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-10-09 22:02:32,525 [root] INFO: Added new process to list with pid: 1632
2019-10-09 22:02:32,525 [root] INFO: Monitor successfully loaded in process with pid 1632.
2019-10-09 22:02:32,540 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-09 22:02:32,540 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-09 22:02:32,540 [root] DEBUG: Successfully injected DLL C:\pmgtokfzz\dll\DhMCxKp.dll.
2019-10-09 22:02:32,555 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\system32\IEUI (0x2d000 bytes).
2019-10-09 22:02:32,572 [root] DEBUG: DLL loaded at 0x73FC0000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-10-09 22:02:32,602 [root] DEBUG: DLL loaded at 0x73F90000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-10-09 22:02:32,634 [root] DEBUG: DLL loaded at 0x74000000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-09 22:02:32,634 [root] DEBUG: DLL unloaded from 0x74000000.
2019-10-09 22:02:32,650 [root] DEBUG: DLL loaded at 0x73F80000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-10-09 22:02:32,665 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-09 22:02:32,852 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-09 22:02:32,852 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-09 22:02:32,852 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-09 22:02:32,852 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 22:02:32,868 [root] DEBUG: DLL loaded at 0x73ED0000: C:\Windows\system32\xmllite (0x2f000 bytes).
2019-10-09 22:04:49,430 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-09 22:04:49,461 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-09 22:05:53,344 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-09 22:05:53,344 [root] INFO: Created shutdown mutex.
2019-10-09 22:05:54,358 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 3036
2019-10-09 22:05:54,358 [root] INFO: Terminate event set for process 3036.
2019-10-09 22:05:54,358 [root] INFO: Terminating process 3036 before shutdown.
2019-10-09 22:05:54,358 [root] INFO: Waiting for process 3036 to exit.
2019-10-09 22:05:55,371 [root] INFO: Waiting for process 3036 to exit.
2019-10-09 22:05:56,385 [root] INFO: Waiting for process 3036 to exit.
2019-10-09 22:05:57,400 [root] INFO: Waiting for process 3036 to exit.
2019-10-09 22:05:58,414 [lib.api.process] INFO: Successfully terminated process with pid 3036.
2019-10-09 22:05:58,414 [root] INFO: Waiting for process 3036 to exit.
2019-10-09 22:05:59,427 [root] INFO: Terminating process 2292 before shutdown.
2019-10-09 22:05:59,427 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1632
2019-10-09 22:05:59,427 [root] INFO: Terminate event set for process 1632.
2019-10-09 22:05:59,427 [root] DEBUG: Terminate Event: Attempting to dump process 1632
2019-10-09 22:05:59,427 [root] INFO: Terminating process 1632 before shutdown.
2019-10-09 22:05:59,427 [root] INFO: Waiting for process 1632 to exit.
2019-10-09 22:05:59,427 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF900000.
2019-10-09 22:05:59,427 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-09 22:05:59,427 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF900000.
2019-10-09 22:05:59,427 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2019-10-09 22:05:59,552 [root] INFO: Added new CAPE file to list with path: C:\TqAjzFIpGL\CAPE\1632_15839218525952193102019
2019-10-09 22:05:59,552 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2baa00.
2019-10-09 22:05:59,552 [root] DEBUG: Terminate Event: Skipping dump of process 1632
2019-10-09 22:05:59,552 [root] DEBUG: Terminate Event: Shutdown complete for process 1632 but failed to inform analyzer.
2019-10-09 22:06:00,430 [root] INFO: Shutting down package.
2019-10-09 22:06:00,430 [root] INFO: Stopping auxiliary modules.
2019-10-09 22:06:00,430 [root] INFO: Finishing auxiliary modules.
2019-10-09 22:06:00,430 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-09 22:06:00,430 [root] WARNING: File at path "C:\TqAjzFIpGL\debugger" does not exist, skip.
2019-10-09 22:06:00,430 [root] INFO: Analysis completed.

MalScore

2.0

Benign

Machine

Name: target-01
Label: target-01
Manager: ESX
Started On: 2019-10-09 21:02:28
Shutdown On: 2019-10-09 21:06:15

URL Details

URL
http://www.wisecleaner.com/templates/js/ajax.js

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Dynamic (imported) function loading detected
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: comctl32.dll/LoadIconWithScaleDown
DynamicLoader: IEUI.dll/InitGadgets
DynamicLoader: ieproxy.dll/DllGetClassObject
DynamicLoader: ieproxy.dll/DllCanUnloadNow
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: propsys.dll/PSGetPropertyKeyFromName
DynamicLoader: USER32.dll/MsgWaitForMultipleObjectsEx
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: comctl32.dll/ImageList_LoadImageW
DynamicLoader: comctl32.dll/ImageList_GetIconSize
DynamicLoader: UxTheme.dll/IsCompositionActive
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/ImageList_Create
DynamicLoader: comctl32.dll/ImageList_ReplaceIcon
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/ImageList_AddMasked
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: MSCTF.dll/SetInputScopes2
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: urlmon.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: IEUI.dll/CreateGadget
DynamicLoader: IEUI.dll/SetGadgetMessageFilter
DynamicLoader: IEUI.dll/SetGadgetStyle
DynamicLoader: IEUI.dll/SetGadgetRootInfo
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: SHELL32.dll/SetCurrentProcessExplicitAppUserModelID
DynamicLoader: USER32.dll/GetShellWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: IEFRAME.dll/
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: comctl32.dll/PropertySheetW
DynamicLoader: comctl32.dll/PropertySheetA
DynamicLoader: comdlg32.dll/PageSetupDlgW
DynamicLoader: comdlg32.dll/PrintDlgW
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: IEShims.dll/IEShims_Initialize
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: USER32.dll/FindWindowExA
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: ADVAPI32.dll/RegQueryValueA
DynamicLoader: ntdll.dll/LdrRegisterDllNotification
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: kernel32.dll/WerRegisterMemoryBlock
DynamicLoader: kernel32.dll/WerUnregisterMemoryBlock
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: RPCRT4.dll/RpcServerUseProtseqW
DynamicLoader: RPCRT4.dll/RpcServerRegisterIfEx
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: RPCRT4.dll/RpcServerInqBindings
DynamicLoader: RPCRT4.dll/RpcEpRegisterW
DynamicLoader: RPCRT4.dll/RpcServerListen
DynamicLoader: SHELL32.dll/SHGetInstanceExplorer
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: USER32.dll/MsgWaitForMultipleObjectsEx
DynamicLoader: urlmon.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/TraceMessage
DynamicLoader: ADVAPI32.dll/TraceMessageVa
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: sqmapi.dll/SqmGetSession
DynamicLoader: sqmapi.dll/SqmEndSession
DynamicLoader: sqmapi.dll/SqmStartSession
DynamicLoader: sqmapi.dll/SqmStartUpload
DynamicLoader: sqmapi.dll/SqmWaitForUploadComplete
DynamicLoader: sqmapi.dll/SqmSet
DynamicLoader: sqmapi.dll/SqmSetBool
DynamicLoader: sqmapi.dll/SqmSetBits
DynamicLoader: sqmapi.dll/SqmSetString
DynamicLoader: sqmapi.dll/SqmIncrement
DynamicLoader: sqmapi.dll/SqmSetIfMax
DynamicLoader: sqmapi.dll/SqmSetIfMin
DynamicLoader: sqmapi.dll/SqmAddToAverage
DynamicLoader: sqmapi.dll/SqmAddToStreamDWord
DynamicLoader: sqmapi.dll/SqmAddToStreamString
DynamicLoader: sqmapi.dll/SqmSetAppId
DynamicLoader: sqmapi.dll/SqmSetAppVersion
DynamicLoader: sqmapi.dll/SqmSetMachineId
DynamicLoader: sqmapi.dll/SqmSetUserId
DynamicLoader: sqmapi.dll/SqmCreateNewId
DynamicLoader: sqmapi.dll/SqmReadSharedMachineId
DynamicLoader: sqmapi.dll/SqmReadSharedUserId
DynamicLoader: sqmapi.dll/SqmWriteSharedMachineId
DynamicLoader: sqmapi.dll/SqmWriteSharedUserId
DynamicLoader: sqmapi.dll/SqmIsWindowsOptedIn
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW

Screenshots
Hosts

No hosts contacted.

DNS

No domains contacted.
Summary

Process Tree
iexplore.exe, PID: 3036, Parent PID: 2484
Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "http://www.wisecleaner.com/templates/js/ajax.js"
iexplore.exe, PID: 2292, Parent PID: 3036
Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3036 CREDAT:79873
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name: explorer.exe
PID: 1632
Dump Size: 2861568 bytes
Module Path: C:\Windows\explorer.exe
Type: PE image: 64-bit executable
MD5: 7ee9d91db5040b1c953a67ecb26b6290
SHA1: 74cd590869ccb4c9930be00ef0499dfdc0c6751a
SHA256: c98812bde260ab6016d17a948c47c5982c46a27fde071a6e135a48222a685bbd
CRC32: 2C0F5CA5
Ssdeep: 49152:kxrceI/lIRYraisQhFCUuOvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:GrcPlIW/vYYYYYYYYYYYRYYYYYYYYYY4
ClamAV: None
Yara: None matched
CAPE Yara: None matched
Dump Filename: c98812bde260ab6016d17a948c47c5982c46a27fde071a6e135a48222a685bbd

Comments

No comments posted

Processing ( 12.631 seconds )

  • 10.015 Static
  • 1.584 ProcDump
  • 0.927 BehaviorAnalysis
  • 0.091 Deduplicate
  • 0.007 NetworkAnalysis
  • 0.006 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.931 seconds )

  • 0.616 antidbg_windows
  • 0.04 stealth_timeout
  • 0.038 antiav_detectreg
  • 0.035 antivm_vbox_window
  • 0.029 NewtWire Behavior
  • 0.027 antisandbox_script_timer
  • 0.026 api_spamming
  • 0.014 infostealer_ftp
  • 0.008 antianalysis_detectreg
  • 0.008 infostealer_im
  • 0.008 ransomware_files
  • 0.005 antivm_generic_scsi
  • 0.005 infostealer_mail
  • 0.004 antiav_detectfile
  • 0.004 antivm_vbox_keys
  • 0.003 mimics_filetime
  • 0.003 persistence_autorun
  • 0.003 ransomware_extensions
  • 0.002 bootkit
  • 0.002 Doppelganging
  • 0.002 recon_programs
  • 0.002 antivm_generic_services
  • 0.002 kibex_behavior
  • 0.002 antivm_generic_disk
  • 0.002 virus
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_vmware_keys
  • 0.002 antivm_xen_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 recon_fingerprint
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 uac_bypass_eventvwr
  • 0.001 antivm_vbox_libs
  • 0.001 InjectionInterProcess
  • 0.001 antidebug_guardpages
  • 0.001 rat_nanocore
  • 0.001 stack_pivot
  • 0.001 exploit_getbasekerneladdress
  • 0.001 injection_createremotethread
  • 0.001 antiemu_wine_func
  • 0.001 betabot_behavior
  • 0.001 InjectionCreateRemoteThread
  • 0.001 InjectionProcessHollowing
  • 0.001 infostealer_browser_password
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 injection_runpe
  • 0.001 kovter_behavior
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vpc_keys
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 ie_martian_children

Reporting ( 0.004 seconds )

  • 0.004 CompressResults
Task ID: 94377
Mongo ID: 5d9e4bdfc3c009112d67b3c3
Cuckoo release: 1.3-CAPE