Analysis

Category: FILE
Package: html
Started: 2019-10-09 21:17:48
Completed: 2019-10-09 21:21:32
Duration: 224 seconds
Options:
route = internet
procdump = 1
Log:
2019-10-09 22:17:48,015 [root] INFO: Date set to: 10-09-19, time set to: 21:17:48, timeout set to: 200
2019-10-09 22:17:48,015 [root] DEBUG: Starting analyzer from: C:\eyfylyll
2019-10-09 22:17:48,015 [root] DEBUG: Storing results at: C:\zmishicN
2019-10-09 22:17:48,015 [root] DEBUG: Pipe server name: \\.\PIPE\BCtecFan
2019-10-09 22:17:48,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-09 22:17:48,015 [root] INFO: Automatically selected analysis package "html"
2019-10-09 22:17:48,390 [root] DEBUG: Started auxiliary module Browser
2019-10-09 22:17:48,404 [root] DEBUG: Started auxiliary module Curtain
2019-10-09 22:17:48,404 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-09 22:17:48,967 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-10-09 22:17:48,967 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-09 22:17:48,967 [root] DEBUG: Started auxiliary module DigiSig
2019-10-09 22:17:48,997 [root] DEBUG: Started auxiliary module Disguise
2019-10-09 22:17:48,997 [root] DEBUG: Started auxiliary module Human
2019-10-09 22:17:48,997 [root] DEBUG: Started auxiliary module Screenshots
2019-10-09 22:17:49,013 [root] DEBUG: Started auxiliary module Sysmon
2019-10-09 22:17:49,013 [root] DEBUG: Started auxiliary module Usage
2019-10-09 22:17:49,013 [root] INFO: Analyzer: Package modules.packages.html does not specify a DLL option
2019-10-09 22:17:49,013 [root] INFO: Analyzer: Package modules.packages.html does not specify a DLL_64 option
2019-10-09 22:17:49,279 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""C:\Users\user\AppData\Local\Temp\ATT00001.htm"" with pid 1964
2019-10-09 22:17:49,279 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:17:49,279 [lib.api.process] INFO: 32-bit DLL to inject is C:\eyfylyll\dll\CUxNzdA.dll, loader C:\eyfylyll\bin\ZpVxJLi.exe
2019-10-09 22:17:49,293 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\BCtecFan.
2019-10-09 22:17:49,293 [root] DEBUG: Loader: Injecting process 1964 (thread 420) with C:\eyfylyll\dll\CUxNzdA.dll.
2019-10-09 22:17:49,293 [root] DEBUG: Process image base: 0x00290000
2019-10-09 22:17:49,293 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\eyfylyll\dll\CUxNzdA.dll.
2019-10-09 22:17:49,293 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00336000 - 0x77110000
2019-10-09 22:17:49,293 [root] DEBUG: InjectDllViaIAT: Allocated 0x218 bytes for new import table at 0x00340000.
2019-10-09 22:17:49,293 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 22:17:49,293 [root] DEBUG: Successfully injected DLL C:\eyfylyll\dll\CUxNzdA.dll.
2019-10-09 22:17:49,293 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1964
2019-10-09 22:17:51,306 [lib.api.process] INFO: Successfully resumed process with pid 1964
2019-10-09 22:17:51,306 [root] INFO: Added new process to list with pid: 1964
2019-10-09 22:17:51,400 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:17:51,400 [root] DEBUG: Process dumps enabled.
2019-10-09 22:17:51,463 [root] INFO: Disabling sleep skipping.
2019-10-09 22:17:51,463 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 22:17:51,463 [root] INFO: Disabling sleep skipping.
2019-10-09 22:17:51,463 [root] INFO: Disabling sleep skipping.
2019-10-09 22:17:51,463 [root] INFO: Disabling sleep skipping.
2019-10-09 22:17:51,463 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1964 at 0x747e0000, image base 0x290000, stack from 0x1c2000-0x1d0000
2019-10-09 22:17:51,463 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" "C:\Users\user\AppData\Local\Temp\ATT00001.htm".
2019-10-09 22:17:51,463 [root] INFO: Monitor successfully loaded in process with pid 1964.
2019-10-09 22:17:51,493 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-10-09 22:17:51,540 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-09 22:17:51,588 [root] DEBUG: DLL loaded at 0x74990000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-09 22:17:51,588 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-09 22:17:51,618 [root] DEBUG: DLL loaded at 0x74980000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-09 22:17:51,634 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-09 22:17:51,634 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-09 22:17:51,650 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-09 22:17:51,650 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-09 22:17:51,650 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-09 22:17:51,650 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-09 22:17:51,680 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-09 22:17:51,697 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2019-10-09 22:17:51,711 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-09 22:17:51,711 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-09 22:17:51,711 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-09 22:17:51,711 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-09 22:17:51,727 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-09 22:17:51,789 [root] DEBUG: DLL loaded at 0x74360000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-09 22:17:51,805 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-10-09 22:17:51,805 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 22:17:51,805 [root] DEBUG: DLL unloaded from 0x74360000.
2019-10-09 22:17:51,805 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-09 22:17:51,805 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-09 22:17:51,822 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 22:17:51,836 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-09 22:17:51,961 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-09 22:17:51,961 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-09 22:17:51,961 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-09 22:17:51,977 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 22:17:51,977 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-09 22:17:52,039 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 2292
2019-10-09 22:17:52,039 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:17:52,039 [lib.api.process] INFO: 32-bit DLL to inject is C:\eyfylyll\dll\CUxNzdA.dll, loader C:\eyfylyll\bin\ZpVxJLi.exe
2019-10-09 22:17:52,039 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\BCtecFan.
2019-10-09 22:17:52,039 [root] DEBUG: Loader: Injecting process 2292 (thread 2296) with C:\eyfylyll\dll\CUxNzdA.dll.
2019-10-09 22:17:52,039 [root] DEBUG: Process image base: 0x00290000
2019-10-09 22:17:52,039 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\eyfylyll\dll\CUxNzdA.dll.
2019-10-09 22:17:52,039 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00336000 - 0x003B0000
2019-10-09 22:17:52,039 [root] DEBUG: InjectDllViaIAT: Allocated 0x218 bytes for new import table at 0x00340000.
2019-10-09 22:17:52,039 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 22:17:52,039 [root] DEBUG: Successfully injected DLL C:\eyfylyll\dll\CUxNzdA.dll.
2019-10-09 22:17:52,039 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2292
2019-10-09 22:17:52,039 [root] DEBUG: DLL unloaded from 0x00290000.
2019-10-09 22:17:52,039 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-09 22:17:52,039 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 2292
2019-10-09 22:17:52,039 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:17:52,039 [lib.api.process] INFO: 32-bit DLL to inject is C:\eyfylyll\dll\CUxNzdA.dll, loader C:\eyfylyll\bin\ZpVxJLi.exe
2019-10-09 22:17:52,055 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\BCtecFan.
2019-10-09 22:17:52,055 [root] DEBUG: Loader: Injecting process 2292 (thread 2296) with C:\eyfylyll\dll\CUxNzdA.dll.
2019-10-09 22:17:52,055 [root] DEBUG: Process image base: 0x00290000
2019-10-09 22:17:52,055 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\eyfylyll\dll\CUxNzdA.dll.
2019-10-09 22:17:52,055 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-09 22:17:52,055 [root] DEBUG: Successfully injected DLL C:\eyfylyll\dll\CUxNzdA.dll.
2019-10-09 22:17:52,055 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2292
2019-10-09 22:17:52,055 [root] DEBUG: DLL loaded at 0x74240000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-09 22:17:52,055 [root] DEBUG: DLL loaded at 0x74220000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-09 22:17:52,055 [root] DEBUG: DLL unloaded from 0x74240000.
2019-10-09 22:17:52,055 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:17:52,055 [root] DEBUG: Process dumps enabled.
2019-10-09 22:17:52,055 [root] INFO: Disabling sleep skipping.
2019-10-09 22:17:52,055 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-09 22:17:52,055 [root] DEBUG: DLL unloaded from 0x74220000.
2019-10-09 22:17:52,055 [root] DEBUG: DLL unloaded from 0x747D0000.
2019-10-09 22:17:52,055 [root] DEBUG: DLL unloaded from 0x74220000.
2019-10-09 22:17:52,055 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 22:17:52,071 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2292 at 0x747e0000, image base 0x290000, stack from 0x4a2000-0x4b0000
2019-10-09 22:17:52,071 [root] DEBUG: Commandline: C:\Users\user\Desktop\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1964 CREDAT:79873.
2019-10-09 22:17:52,071 [root] INFO: Added new process to list with pid: 2292
2019-10-09 22:17:52,071 [root] INFO: Monitor successfully loaded in process with pid 2292.
2019-10-09 22:17:52,071 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 22:17:52,071 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-10-09 22:17:52,071 [root] DEBUG: DLL loaded at 0x74210000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-09 22:17:52,071 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-09 22:17:52,071 [root] DEBUG: DLL loaded at 0x74990000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-09 22:17:52,071 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-09 22:17:52,071 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-09 22:17:52,071 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-09 22:17:52,086 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-09 22:17:52,101 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-09 22:17:52,101 [root] DEBUG: DLL loaded at 0x741D0000: C:\Program Files (x86)\Internet Explorer\IEShims (0x35000 bytes).
2019-10-09 22:17:52,118 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-09 22:17:52,118 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-09 22:17:52,134 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-09 22:17:52,134 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-09 22:17:52,134 [root] DEBUG: DLL loaded at 0x741C0000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-09 22:17:52,134 [root] DEBUG: DLL loaded at 0x741B0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-09 22:17:52,148 [root] DEBUG: DLL loaded at 0x74170000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-09 22:17:52,148 [root] DEBUG: DLL loaded at 0x74130000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-09 22:17:52,148 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-10-09 22:17:52,148 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 22:17:52,148 [root] DEBUG: DLL unloaded from 0x74130000.
2019-10-09 22:17:52,148 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-09 22:17:52,148 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-09 22:17:52,164 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-09 22:17:52,164 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-09 22:17:52,164 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-09 22:17:52,164 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-09 22:17:52,164 [root] DEBUG: DLL loaded at 0x74110000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-09 22:17:52,164 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-09 22:17:52,164 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 22:17:52,164 [root] DEBUG: DLL loaded at 0x740F0000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-10-09 22:17:52,164 [root] DEBUG: DLL loaded at 0x740E0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-09 22:17:52,164 [root] DEBUG: DLL unloaded from 0x74960000.
2019-10-09 22:17:52,164 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2019-10-09 22:17:52,180 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:17:52,180 [lib.api.process] INFO: 64-bit DLL to inject is C:\eyfylyll\dll\psDpxMp.dll, loader C:\eyfylyll\bin\jOpUdtoW.exe
2019-10-09 22:17:52,180 [root] DEBUG: DLL unloaded from 0x740F0000.
2019-10-09 22:17:52,180 [root] DEBUG: DLL loaded at 0x74980000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-09 22:17:52,180 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\BCtecFan.
2019-10-09 22:17:52,180 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\eyfylyll\dll\psDpxMp.dll.
2019-10-09 22:17:52,180 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-09 22:17:52,257 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:17:52,257 [root] DEBUG: Process dumps enabled.
2019-10-09 22:17:52,257 [root] INFO: Disabling sleep skipping.
2019-10-09 22:17:52,305 [root] WARNING: Unable to place hook on LockResource
2019-10-09 22:17:52,305 [root] WARNING: Unable to hook LockResource
2019-10-09 22:17:52,382 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1632 at 0x0000000074000000, image base 0x00000000FF900000, stack from 0x0000000004382000-0x0000000004390000
2019-10-09 22:17:52,414 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-10-09 22:17:52,414 [root] INFO: Added new process to list with pid: 1632
2019-10-09 22:17:52,414 [root] INFO: Monitor successfully loaded in process with pid 1632.
2019-10-09 22:17:52,414 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-09 22:17:52,414 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-09 22:17:52,414 [root] DEBUG: Successfully injected DLL C:\eyfylyll\dll\psDpxMp.dll.
2019-10-09 22:17:52,446 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\system32\IEUI (0x2d000 bytes).
2019-10-09 22:17:52,446 [root] DEBUG: DLL loaded at 0x73FC0000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-10-09 22:17:52,492 [root] DEBUG: DLL loaded at 0x73F90000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-10-09 22:17:52,507 [root] DEBUG: DLL unloaded from 0x742A0000.
2019-10-09 22:17:52,523 [root] DEBUG: DLL loaded at 0x73F80000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-10-09 22:17:52,555 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-09 22:17:52,726 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-09 22:17:52,773 [root] DEBUG: DLL loaded at 0x73ED0000: C:\Windows\system32\xmllite (0x2f000 bytes).
2019-10-09 22:17:52,851 [root] DEBUG: DLL loaded at 0x73D60000: C:\Windows\system32\explorerframe (0x16f000 bytes).
2019-10-09 22:17:52,881 [root] DEBUG: DLL loaded at 0x73D30000: C:\Windows\system32\DUser (0x2f000 bytes).
2019-10-09 22:17:52,914 [root] DEBUG: DLL loaded at 0x73C70000: C:\Windows\system32\DUI70 (0xb2000 bytes).
2019-10-09 22:17:53,038 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-09 22:17:53,038 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-09 22:17:53,053 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-09 22:17:53,053 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-09 22:17:53,053 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-09 22:17:53,053 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-09 22:17:53,053 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-09 22:17:53,053 [root] DEBUG: DLL loaded at 0x73F90000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-10-09 22:17:53,069 [root] DEBUG: DLL loaded at 0x73BD0000: C:\Windows\system32\msfeeds (0x96000 bytes).
2019-10-09 22:17:53,163 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Windows\system32\MLANG (0x2e000 bytes).
2019-10-09 22:17:53,163 [root] DEBUG: DLL loaded at 0x751A0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-10-09 22:17:53,210 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Windows\system32\MLANG (0x2e000 bytes).
2019-10-09 22:17:53,226 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-09 22:17:53,226 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-09 22:17:53,240 [root] DEBUG: DLL loaded at 0x73B80000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim (0x11000 bytes).
2019-10-09 22:17:53,240 [root] DEBUG: DLL loaded at 0x73AE0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2019-10-09 22:17:53,256 [root] DEBUG: DLL loaded at 0x72EE0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCP80 (0x87000 bytes).
2019-10-09 22:17:53,272 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper (0x10000 bytes).
2019-10-09 22:17:53,552 [root] DEBUG: DLL loaded at 0x72DA0000: C:\PROGRA~2\MICROS~1\Office14\URLREDIR (0x91000 bytes).
2019-10-09 22:17:53,552 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-09 22:17:53,569 [root] DEBUG: DLL loaded at 0x72ED0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2019-10-09 22:17:53,569 [root] DEBUG: DLL loaded at 0x74D80000: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90 (0xa3000 bytes).
2019-10-09 22:17:53,569 [root] DEBUG: DLL loaded at 0x72EB0000: C:\PROGRA~2\MICROS~1\Office14\MSOHEV (0x14000 bytes).
2019-10-09 22:17:53,615 [root] DEBUG: DLL loaded at 0x72EA0000: C:\Program Files (x86)\Java\jre7\bin\jp2ssv (0xf000 bytes).
2019-10-09 22:17:53,631 [root] DEBUG: DLL loaded at 0x72CE0000: C:\Program Files (x86)\Java\jre7\bin\MSVCR100 (0xbe000 bytes).
2019-10-09 22:17:53,647 [root] DEBUG: set_caller_info: Adding region at 0x044E0000 to caller regions list (ntdll::LdrLoadDll).
2019-10-09 22:17:53,661 [root] DEBUG: set_caller_info: Adding region at 0x01F40000 to caller regions list (advapi32::RegOpenKeyExA).
2019-10-09 22:17:53,694 [root] DEBUG: DLL loaded at 0x72E40000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-10-09 22:17:53,865 [root] DEBUG: DLL loaded at 0x72720000: C:\Windows\SysWOW64\mshtml (0x5b7000 bytes).
2019-10-09 22:17:53,881 [root] DEBUG: DLL loaded at 0x726F0000: C:\Windows\SysWOW64\msls31 (0x2a000 bytes).
2019-10-09 22:17:53,943 [root] DEBUG: DLL loaded at 0x726D0000: C:\Windows\system32\DWMAPI (0x13000 bytes).
2019-10-09 22:17:53,973 [root] DEBUG: DLL loaded at 0x72E40000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-10-09 22:17:54,006 [root] DEBUG: DLL loaded at 0x726C0000: C:\Windows\system32\msimtf (0xb000 bytes).
2019-10-09 22:17:54,255 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-10-09 22:17:54,302 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6120000 to caller regions list (shell32::SHGetFolderPathW).
2019-10-09 22:17:54,332 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 22:17:54,457 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 22:17:54,614 [root] WARNING: File at path "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\favicon[1].ico" does not exist, skip.
2019-10-09 22:17:59,355 [root] INFO: Announced 32-bit process name:  pid: 1
2019-10-09 22:17:59,355 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-10-09 22:17:59,355 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-10-09 22:17:59,466 [root] DEBUG: DLL unloaded from 0x000007FEFB9C0000.
2019-10-09 22:18:02,507 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-09 22:18:02,788 [root] DEBUG: DLL loaded at 0x72580000: C:\Windows\System32\msxml3 (0x133000 bytes).
2019-10-09 22:18:04,005 [root] DEBUG: DLL unloaded from 0x72720000.
2019-10-09 22:18:04,473 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 22:18:21,757 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-09 22:18:24,036 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-09 22:18:43,130 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-09 22:18:44,674 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 22:20:08,664 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-09 22:20:08,696 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-09 22:21:13,140 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-09 22:21:13,140 [root] INFO: Created shutdown mutex.
2019-10-09 22:21:14,154 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1964
2019-10-09 22:21:14,154 [root] DEBUG: Terminate Event: Attempting to dump process 1964
2019-10-09 22:21:14,154 [root] INFO: Terminate event set for process 1964.
2019-10-09 22:21:14,154 [root] INFO: Terminating process 1964 before shutdown.
2019-10-09 22:21:14,154 [root] INFO: Waiting for process 1964 to exit.
2019-10-09 22:21:14,154 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00290000.
2019-10-09 22:21:14,154 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-09 22:21:14,154 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00290000.
2019-10-09 22:21:14,154 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001C9A.
2019-10-09 22:21:14,200 [root] INFO: Added new CAPE file to list with path: C:\zmishicN\CAPE\1964_154140387314212193102019
2019-10-09 22:21:14,200 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa1e00.
2019-10-09 22:21:14,200 [root] DEBUG: Terminate Event: Skipping dump of process 1964
2019-10-09 22:21:14,200 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Local\Temp\~DF72142DC6CAF13034.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Local\\Temp\\~DF72142DC6CAF13034.TMP'
2019-10-09 22:21:14,200 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Local\Temp\~DF5F3354F8D261A08E.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Local\\Temp\\~DF5F3354F8D261A08E.TMP'
2019-10-09 22:21:14,216 [root] DEBUG: Terminate Event: Shutdown complete for process 1964 but failed to inform analyzer.
2019-10-09 22:21:15,167 [root] INFO: Terminating process 2292 before shutdown.
2019-10-09 22:21:15,167 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1632
2019-10-09 22:21:15,167 [root] INFO: Terminate event set for process 1632.
2019-10-09 22:21:15,167 [root] DEBUG: Terminate Event: Attempting to dump process 1632
2019-10-09 22:21:15,167 [root] INFO: Terminating process 1632 before shutdown.
2019-10-09 22:21:15,167 [root] INFO: Waiting for process 1632 to exit.
2019-10-09 22:21:15,167 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF900000.
2019-10-09 22:21:15,167 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-09 22:21:15,167 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF900000.
2019-10-09 22:21:15,167 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2019-10-09 22:21:15,260 [root] INFO: Added new CAPE file to list with path: C:\zmishicN\CAPE\1632_99886050315212193102019
2019-10-09 22:21:15,308 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2bac00.
2019-10-09 22:21:15,338 [root] DEBUG: Terminate Event: Skipping dump of process 1632
2019-10-09 22:21:15,355 [root] DEBUG: Terminate Event: Shutdown complete for process 1632 but failed to inform analyzer.
2019-10-09 22:21:16,168 [root] INFO: Shutting down package.
2019-10-09 22:21:16,168 [root] INFO: Stopping auxiliary modules.
2019-10-09 22:21:16,168 [root] INFO: Finishing auxiliary modules.
2019-10-09 22:21:16,168 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-09 22:21:16,168 [root] WARNING: File at path "C:\zmishicN\debugger" does not exist, skip.
2019-10-09 22:21:16,168 [root] WARNING: Monitor injection attempted but failed for process 1.
2019-10-09 22:21:16,168 [root] INFO: Analysis completed.
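The analyzer log above is the record of how CAPE got its monitor into each process, and that is worth reading before the signatures: iexplore.exe 1964 is started suspended and entered by patching its import table (InjectDllViaIAT, then RestoreHeaders once the monitor is up); the child frame 2292 is entered the same way and its command line carries SCODEF:1964, which is how IE hands a frame process its parent pid; explorer.exe 1632 gets the 64-bit monitor via a remote thread (RtlCreateUserThread) because GetProcessInitialThreadId failed; and one announced "pid 1" is not a live process, so that injection is aborted. The log also shows third-party modules loaded into the browser (the Adobe AcroIEHelper pair, Office URLREDIR and MSOHEV, Java jp2ssv), which is where a browser-bound sample usually sits. The following script, an added example and not CAPE's own code, rebuilds that view from the log text. Sample lines are copied from the log above; the parent relation via SCODEF and the non-OS-module heuristic (anything outside C:\Windows\ and the Internet Explorer directory) are my assumptions, and because DLL-load lines carry no pid in this log, modules are summarised per analysis rather than per process.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: analyzer.log lines copied verbatim from the report above, in original order.
SAMPLE_LOG = r"""
2019-10-09 22:17:49,279 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""C:\Users\user\AppData\Local\Temp\ATT00001.htm"" with pid 1964
2019-10-09 22:17:49,293 [root] DEBUG: Loader: Injecting process 1964 (thread 420) with C:\eyfylyll\dll\CUxNzdA.dll.
2019-10-09 22:17:49,293 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 22:17:51,463 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1964 at 0x747e0000, image base 0x290000, stack from 0x1c2000-0x1d0000
2019-10-09 22:17:52,039 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 2292
2019-10-09 22:17:52,039 [root] DEBUG: Loader: Injecting process 2292 (thread 2296) with C:\eyfylyll\dll\CUxNzdA.dll.
2019-10-09 22:17:52,039 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 22:17:52,071 [root] DEBUG: Commandline: C:\Users\user\Desktop\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1964 CREDAT:79873.
2019-10-09 22:17:52,164 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2019-10-09 22:17:52,180 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\eyfylyll\dll\psDpxMp.dll.
2019-10-09 22:17:52,414 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-09 22:17:53,240 [root] DEBUG: DLL loaded at 0x73B80000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim (0x11000 bytes).
2019-10-09 22:17:53,615 [root] DEBUG: DLL loaded at 0x72EA0000: C:\Program Files (x86)\Java\jre7\bin\jp2ssv (0xf000 bytes).
2019-10-09 22:17:53,865 [root] DEBUG: DLL loaded at 0x72720000: C:\Windows\SysWOW64\mshtml (0x5b7000 bytes).
2019-10-09 22:17:59,355 [root] INFO: Announced 32-bit process name:  pid: 1
2019-10-09 22:17:59,355 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
"""

LINE_RE = re.compile(r"^\d{4}-\d\d-\d\d \S+ \[[^\]]+\] [A-Z]+: (?P<msg>.*)$")
EXEC_RE = re.compile(r'executed process from path "(?P<path>[^"]+)" with arguments ".*" with pid (?P<pid>\d+)$')
# "Announced ... pid: N" and "CAPE initialised ... in process N" both carry a pid and its bitness.
PROC_RE = re.compile(r"(?:Announced|CAPE initialised:) (?P<bits>\d+)-bit "
                     r"(?:process name: ?(?P<name>\S*) pid:|base package loaded in process) (?P<pid>\d+)")
INJECT_RE = re.compile(r"Loader: Injecting process (?P<pid>\d+) \(thread \d+\)")
ABORT_RE = re.compile(r"process with pid (?P<pid>\d+) is not alive, injection aborted")
DLL_RE = re.compile(r"DLL loaded at 0x[0-9A-Fa-f]+: (?P<path>.+?) \(0x[0-9A-Fa-f]+ bytes\)\.$")
SCODEF_RE = re.compile(r"SCODEF:(?P<parent>\d+)")  # assumption: IE child frames name their parent pid here

@dataclass
class Proc:
    pid: int
    name: str = ""
    bits: Optional[int] = None
    parent: Optional[int] = None
    injection: str = "none"  # "iat", "thread", "aborted" or "none"

def parse_processes(text: str) -> Dict[int, Proc]:
    """Rebuild pids, bitness, injection outcome and parent relation from analyzer.log text."""
    procs: Dict[int, Proc] = {}
    current: Optional[int] = None  # loader/monitor lines omit the pid, so track the one they refer to
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if x := EXEC_RE.search(msg):
            current = int(x["pid"])
            procs.setdefault(current, Proc(current)).name = x["path"].rsplit("\\", 1)[-1]
        elif x := PROC_RE.search(msg):
            current = int(x["pid"])
            p = procs.setdefault(current, Proc(current))
            p.bits = int(x["bits"])
            p.name = x["name"] or p.name  # name is absent on "CAPE initialised" and empty for pid 1
        elif x := INJECT_RE.search(msg):
            current = int(x["pid"])
            procs.setdefault(current, Proc(current))
        elif x := ABORT_RE.search(msg):
            procs.setdefault(int(x["pid"]), Proc(int(x["pid"]))).injection = "aborted"
        elif current is None:
            continue
        elif "InjectDllViaIAT: Successfully patched IAT" in msg:
            procs[current].injection = "iat"
        elif "InjectDllViaThread: Successfully injected" in msg:
            procs[current].injection = "thread"
        elif msg.startswith("Commandline: ") and (y := SCODEF_RE.search(msg)):
            procs[current].parent = int(y["parent"])
    return procs

def third_party_modules(text: str) -> List[str]:
    # Heuristic (assumption, not a CAPE rule): a DLL loaded from outside C:\Windows\ and the
    # Internet Explorer directory is an add-on (BHO, ActiveX, plugin) that deserves a look.
    # DLL-load lines carry no pid in this log, so the result is per analysis, not per process.
    paths = [x["path"] for x in map(DLL_RE.search, text.splitlines()) if x]
    return list(dict.fromkeys(p for p in paths if not p.lower().startswith("c:\\windows\\")
                              and "\\internet explorer\\" not in p.lower()))

def render_tree(procs: Dict[int, Proc]) -> List[str]:
    """Indented process tree, roots first, one line per process."""
    out: List[str] = []
    def walk(pid: int, depth: int) -> None:
        p = procs[pid]
        bits = f"{p.bits}-bit" if p.bits else "?-bit"
        out.append(f"{'  ' * depth}{pid} {p.name or '<unnamed>'} [{bits}, injection={p.injection}]")
        for child in sorted(c for c in procs if procs[c].parent == pid):
            walk(child, depth + 1)
    for root in sorted(p for p in procs if procs[p].parent not in procs):
        walk(root, 0)
    return out

if __name__ == "__main__":
    print(*render_tree(parse_processes(SAMPLE_LOG)), *third_party_modules(SAMPLE_LOG), sep="\n")
```

Run stand-alone it prints the tree (2292 nested under 1964, 1632 and the aborted pid 1 as separate roots) followed by the two non-OS modules; feeding parse_processes the full analyzer.log text gives the same view of a real report, which is quicker than reading the interleaved loader messages by hand.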

MalScore

5.9 (Suspicious)

Machine

Name: target-01
Label: target-01
Manager: ESX
Started On: 2019-10-09 21:17:48
Shutdown On: 2019-10-09 21:21:31

File Details

File Name ATT00001.htm
File Size 19452 bytes
File Type HTML document, ISO-8859 text, with very long lines, with CRLF line terminators
MD5 d9ec367aaf97dc33e4ae558f93efe8e3
SHA1 83bcbd286704077f346b30f6c1c0056cc645b876
SHA256 651afec008fb540a376edd43fee88056d3d6da24ed0256a08175d13ecdcfcd3e
SHA512 9885b5b2673bd0fb6bf627e25fd7cdbf088938020c74cbdb55997a9ab9d5b75c20df47e3cd31eac0c0401c4412a62cc8f1bf696ab7dddd1772949eb0601f9781
CRC32 65D72831
Ssdeep 384:9ige76wyp0VnVxZ2HCVtlFttVDh5jv2ttrCfKgAfyPc9cpFjcccjfsTRene4/u9b:kgcWinfZ2eKgoeJK2f9
TrID
  • Unknown!
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Dynamic (imported) function loading detected
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: SHELL32.dll/SetCurrentProcessExplicitAppUserModelID
DynamicLoader: USER32.dll/GetShellWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: IEFRAME.dll/
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: comctl32.dll/PropertySheetW
DynamicLoader: comctl32.dll/PropertySheetA
DynamicLoader: comdlg32.dll/PageSetupDlgW
DynamicLoader: comdlg32.dll/PrintDlgW
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
Performs some HTTP requests
url: http://www.bing.com/favicon.ico
Sniffs keystrokes
SetWindowsHookExW: Process: explorer.exe(1632)
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
regkeyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache

Hosts

Direct  IP              Country Name
Y       8.8.8.8         United States
N       204.79.197.200  United States

DNS

Name          Response
www.bing.com  CNAME dual-a-0001.a-msedge.net
              CNAME a-0001.a-afdentry.net.trafficmanager.net
              A 204.79.197.200
              A 13.107.21.200

Summary

Process Tree


iexplore.exe, PID: 1964, Parent PID: 2480
  Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "C:\Users\user\AppData\Local\Temp\ATT00001.htm"
  iexplore.exe, PID: 2292, Parent PID: 1964
    Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1964 CREDAT:79873
explorer.exe, PID: 1632, Parent PID: 1496
  Full Path: C:\Windows\explorer.exe
  Command Line: C:\Windows\Explorer.EXE

TCP

Source         Source Port  Destination                    Destination Port
192.168.35.21  49171        204.79.197.200 (www.bing.com)  80

UDP

Source         Source Port  Destination  Destination Port
192.168.35.21  58094        8.8.8.8      53


HTTP Requests

URI: http://www.bing.com/favicon.ico
Data:
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.bing.com
Connection: Keep-Alive

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No Suricata extracted files.

JA3

No JA3 hashes found.

Dropped Files

File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Feeds Cache\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 077eb5d924c84ec41447ad7795b38734
SHA1 e3b4793862bb370db5ddd3cb5e607034172336e1
SHA256 06813b4ee292b191c05cb15febfba874e7f4caac47a8c3081041a20880708209
CRC32 E2F624C0
Ssdeep 48:q3xbTpYVfruSYufruXYsfAjYmeKZ6MYCI:qZTuVfrutufruIsfAc26Lv
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019101020191011\index.dat
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019101020191011\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 15f1793d145ef06def1cba376628eef7
SHA1 b267c307bdb05bc416fa9a058b804f13e27afa57
SHA256 fe25e0555372ef6dce5e8510446a4441ab2c289bfcca834e9afbd45601da2622
CRC32 7BD6EC3E
Ssdeep 3:qRFiJ2totWIltvlVl:qjyx
ClamAV None
Yara None matched
CAPE Yara None matched
File name search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
File Size 237 bytes
File Type PNG image data, 16 x 16, 4-bit colormap, non-interlaced
MD5 9fb559a691078558e77d6848202f6541
SHA1 ea13848d33c2c7f4f4baa39348aeb1dbfad3df31
SHA256 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
CRC32 FC87942A
Ssdeep 6:6v/lhPIF6R/C+u1fXNg1XQ3yslRtNO+cKvAElRApGCp:6v/7b/C1fm1ZslRTvAElR47
ClamAV None
Yara None matched
CAPE Yara None matched
File name Web Slice Gallery~.feed-ms
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
File Size 28672 bytes
File Type Composite Document File V2 Document, No summary info
MD5 d4cc7ce677b6ab7b521a1659aed301c8
SHA1 e1f036a56474983c11b5369dc6d46f158b0d4e0e
SHA256 3e23031a2b91f47683115473ce73964a196b68405153b815af14f7bde5032586
CRC32 E843F4D5
Ssdeep 12:Jw77mFQCb777777777777777777777777777777/FJl8vbf+8Gc7777777777777:Jsbf+8/2As4WYiit
ClamAV None
Yara None matched
CAPE Yara None matched
File name {3FE57866-EADA-11E9-8662-000C2940B9FB}.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3FE57866-EADA-11E9-8662-000C2940B9FB}.dat
File Size 6656 bytes
File Type Composite Document File V2 Document, No summary info
MD5 2a960f0ebdddf77243ac1d9554db0122
SHA1 555fc083292de6da64b0815a54764dc2b6525ea8
SHA256 b196c7d78653aea894b10a28ffa5599422e1b15f1ab67b026ed7b8c658dc3e03
CRC32 ACFB5DF3
Ssdeep 96:AQcAc0JcYdKU9AcPcAc0JcWM4hM4mM4/KAAcn:AQj9J/KUKcPj9JzM4hM4mM4/Ktcn
ClamAV None
Yara None matched
CAPE Yara None matched
File name RecoveryStore.{3FE57865-EADA-11E9-8662-000C2940B9FB}.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3FE57865-EADA-11E9-8662-000C2940B9FB}.dat
File Size 3584 bytes
File Type Composite Document File V2 Document, No summary info
MD5 1962d267f7135c6d30676554803c4e2c
SHA1 91f25d516a162b98be67fe1954cb206f78d3c8f6
SHA256 1e7920f03d960134fb1bdcd86393304b2f5b2d6dae5d678b84d41ff38232ae17
CRC32 B43E94B1
Ssdeep 12:rl0YmGF2wrEg5+IaCrI017+FZncDrEgmf+IaCy8qgQNlTq1tPm0lt8lt:rIw5/KoGv/TQNlW1tR8
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 77efa4dac284f3f974b8d40d93c7ec4e
SHA1 75a44ccaeaf00d6fe42ae79a01de1ede76dc714e
SHA256 62d9d86b810aa8a48ba6d26eebccf909707aaa21676cf389231c04fc4de37068
CRC32 94CC488A
Ssdeep 6:qjyx67mBw3YWkBCMQ2xqjFL3xJy2EV6HlrFSQXUEZ+lX1+/:qjnyBw3YWkBCB2UBu2EyrgQQ1u
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 e02b5c7b25280da487209bd48b4163f9
SHA1 7d440a9292567af8570c34e52d03aed14405ae00
SHA256 42bc5d24dab11bbeb8fd93b797b3c5b7e70fee667293a32691767580f1a01a73
CRC32 9703369D
Ssdeep 48:qsLf/ZJLH3ZxqT/mf7RCpwV+4igHDt/UwbmXhBgkBVGWYCIh:qsb/Zp/q0lV9Nbojbm
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
File Size 65536 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 ca96fce04d3b34dff1652215d47bd356
SHA1 5c3508533c79e04c4e9844a192c4673752cb72d6
SHA256 d2602e2e5981f493b64aee782920d4b00e9f4044a9fde2931a2158d88ab0fc13
CRC32 08E3CD9B
Ssdeep 384:OWQjxBNPrNa73dg3skdVQnQeW+4fTJ16ziXrAsjCCtn/NJ03:4BNaCdBr/CSl
ClamAV None
Yara None matched
CAPE Yara None matched

CAPE

No CAPE files.

Process Dumps

Process Name iexplore.exe
PID 1964
Dump Size 663040 bytes
Module Path C:\Program Files (x86)\Internet Explorer\iexplore.exe
Type PE image: 32-bit executable
MD5 6caa306afd8b65abbbeed1fdaa9c5968
SHA1 76bd1330b4cf2b756b64700b4b00455d874954a5
SHA256 0f52e2ff5e76471ea5152167e347160af4be78f536fe78f2e08dbd46b95d873e
CRC32 C1E4A705
Ssdeep 12288:+PX+pd167QhE0s7+jM+M6ugRfMMkIM7ovX+pd167QhE0u7+:yE6Ehg7mM+M6RkMkIM7gE6Eh67
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 0f52e2ff5e76471ea5152167e347160af4be78f536fe78f2e08dbd46b95d873e
Process Name explorer.exe
PID 1632
Dump Size 2862080 bytes
Module Path C:\Windows\explorer.exe
Type PE image: 64-bit executable
MD5 ad3b43ac201e6149d4df813042fec182
SHA1 e2a79e035e2f05bd4075b16dc7c8bb8ad63eda9e
SHA256 7ec34a5733204af0ca509d47fb51886c7c4ff322850c25f9e3098b96107ff4d8
CRC32 56C0AAD1
Ssdeep 49152:gxrceI/lIRYraisQhFCUuxvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:6rcPlIWcvYYYYYYYYYYYRYYYYYYYYYY4
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 7ec34a5733204af0ca509d47fb51886c7c4ff322850c25f9e3098b96107ff4d8


Processing ( 6.402 seconds )

  • 2.311 CAPE
  • 2.07 ProcDump
  • 1.506 BehaviorAnalysis
  • 0.198 Dropped
  • 0.18 Deduplicate
  • 0.084 TrID
  • 0.021 TargetInfo
  • 0.013 Strings
  • 0.011 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.002 Static
  • 0.001 Debug

Signatures ( 1.369 seconds )

  • 0.447 antidbg_windows
  • 0.166 antiav_detectreg
  • 0.071 stealth_timeout
  • 0.06 infostealer_ftp
  • 0.053 decoy_document
  • 0.052 NewtWire Behavior
  • 0.052 api_spamming
  • 0.035 antivm_generic_scsi
  • 0.035 antianalysis_detectreg
  • 0.033 infostealer_im
  • 0.025 antivm_vbox_window
  • 0.025 infostealer_mail
  • 0.02 antisandbox_script_timer
  • 0.019 stealth_file
  • 0.018 antivm_generic_services
  • 0.017 antivm_vbox_keys
  • 0.015 recon_programs
  • 0.012 antivm_vmware_keys
  • 0.009 mimics_filetime
  • 0.009 antivm_generic_disk
  • 0.009 antivm_xen_keys
  • 0.009 darkcomet_regkeys
  • 0.008 Doppelganging
  • 0.008 kibex_behavior
  • 0.008 antivm_parallels_keys
  • 0.008 ransomware_files
  • 0.008 recon_fingerprint
  • 0.007 uac_bypass_eventvwr
  • 0.007 betabot_behavior
  • 0.007 antiav_detectfile
  • 0.007 geodo_banking_trojan
  • 0.006 bootkit
  • 0.006 reads_self
  • 0.006 virus
  • 0.005 antivm_generic_diskreg
  • 0.005 antivm_vpc_keys
  • 0.005 infostealer_bitcoin
  • 0.004 hancitor_behavior
  • 0.003 injection_runpe
  • 0.003 injection_createremotethread
  • 0.003 InjectionCreateRemoteThread
  • 0.003 InjectionProcessHollowing
  • 0.003 persistence_autorun
  • 0.003 antivm_vbox_files
  • 0.003 ransomware_extensions
  • 0.002 malicious_dynamic_function_loading
  • 0.002 InjectionInterProcess
  • 0.002 stack_pivot
  • 0.002 antiemu_wine_func
  • 0.002 infostealer_browser_password
  • 0.002 dynamic_function_loading
  • 0.002 vawtrak_behavior
  • 0.002 kovter_behavior
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_xen_keys
  • 0.002 antivm_hyperv_keys
  • 0.002 browser_security
  • 0.002 bypass_firewall
  • 0.002 disables_browser_warn
  • 0.002 packer_armadillo_regkey
  • 0.002 remcos_regkeys
  • 0.001 tinba_behavior
  • 0.001 antivm_vbox_libs
  • 0.001 antidebug_guardpages
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 exploit_heapspray
  • 0.001 exploit_getbasekerneladdress
  • 0.001 dridex_behavior
  • 0.001 Vidar Behavior
  • 0.001 exploit_gethaldispatchtable
  • 0.001 InjectionSetWindowLong
  • 0.001 neshta_files
  • 0.001 cerber_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 network_torgateway

Reporting ( 0.022 seconds )

  • 0.022 CompressResults
Task ID 94382
Mongo ID 5d9e4f69f69fab997c67b3bd
Cuckoo release 1.3-CAPE