Analysis

Category:  FILE
Package:   generic
Started:   2019-10-09 21:37:28
Completed: 2019-10-09 21:41:31
Duration:  243 seconds
Options:   procdump = 1
Log:
2019-10-09 22:37:29,000 [root] INFO: Date set to: 10-09-19, time set to: 21:37:29, timeout set to: 200
2019-10-09 22:37:29,015 [root] DEBUG: Starting analyzer from: C:\docfruwfti
2019-10-09 22:37:29,015 [root] DEBUG: Storing results at: C:\WkyERynB
2019-10-09 22:37:29,015 [root] DEBUG: Pipe server name: \\.\PIPE\AlXrLtXJmQ
2019-10-09 22:37:29,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-09 22:37:29,015 [root] INFO: Automatically selected analysis package "generic"
2019-10-09 22:37:29,358 [root] DEBUG: Started auxiliary module Browser
2019-10-09 22:37:29,358 [root] DEBUG: Started auxiliary module Curtain
2019-10-09 22:37:29,358 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2019-10-09 22:37:29,888 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-10-09 22:37:29,888 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-09 22:37:29,888 [root] DEBUG: Started auxiliary module DigiSig
2019-10-09 22:37:29,904 [root] DEBUG: Started auxiliary module Disguise
2019-10-09 22:37:29,904 [root] DEBUG: Started auxiliary module Human
2019-10-09 22:37:29,904 [root] DEBUG: Started auxiliary module Screenshots
2019-10-09 22:37:29,904 [root] DEBUG: Started auxiliary module Sysmon
2019-10-09 22:37:29,904 [root] DEBUG: Started auxiliary module Usage
2019-10-09 22:37:29,904 [root] INFO: Analyzer: Package modules.packages.generic does not specify a DLL option
2019-10-09 22:37:29,904 [root] INFO: Analyzer: Package modules.packages.generic does not specify a DLL_64 option
2019-10-09 22:37:29,904 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\user\AppData\Local\Temp\yvBi3AjlQg"" with pid 1988
2019-10-09 22:37:29,904 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:37:29,904 [lib.api.process] INFO: 32-bit DLL to inject is C:\docfruwfti\dll\VXoUkscH.dll, loader C:\docfruwfti\bin\iFzQfxW.exe
2019-10-09 22:37:29,967 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AlXrLtXJmQ.
2019-10-09 22:37:29,967 [root] DEBUG: Loader: Injecting process 1988 (thread 1332) with C:\docfruwfti\dll\VXoUkscH.dll.
2019-10-09 22:37:29,967 [root] DEBUG: Process image base: 0x4A770000
2019-10-09 22:37:29,967 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\docfruwfti\dll\VXoUkscH.dll.
2019-10-09 22:37:29,967 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x4A7BC000 - 0x77110000
2019-10-09 22:37:29,967 [root] DEBUG: InjectDllViaIAT: Allocated 0x1a0 bytes for new import table at 0x4A7C0000.
2019-10-09 22:37:29,982 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 22:37:29,982 [root] DEBUG: Successfully injected DLL C:\docfruwfti\dll\VXoUkscH.dll.
2019-10-09 22:37:29,982 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1988
2019-10-09 22:37:31,994 [lib.api.process] INFO: Successfully resumed process with pid 1988
2019-10-09 22:37:31,994 [root] INFO: Added new process to list with pid: 1988
2019-10-09 22:37:32,042 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:37:32,042 [root] DEBUG: Process dumps enabled.
2019-10-09 22:37:32,088 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 22:37:32,088 [root] INFO: Disabling sleep skipping.
2019-10-09 22:37:32,088 [root] INFO: Disabling sleep skipping.
2019-10-09 22:37:32,088 [root] INFO: Disabling sleep skipping.
2019-10-09 22:37:32,088 [root] INFO: Disabling sleep skipping.
2019-10-09 22:37:32,088 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1988 at 0x747e0000, image base 0x4a770000, stack from 0x1d3000-0x2d0000
2019-10-09 22:37:32,088 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\cmd.exe" \c start \wait "" "C:\Users\user\AppData\Local\Temp\yvBi3AjlQg".
2019-10-09 22:37:32,088 [root] INFO: Monitor successfully loaded in process with pid 1988.
2019-10-09 22:37:32,104 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-10-09 22:37:32,119 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-09 22:37:32,151 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\SysWOW64\PROPSYS (0xf5000 bytes).
2019-10-09 22:37:32,151 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-09 22:37:32,151 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-09 22:37:32,181 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\SysWOW64\ntmarta (0x21000 bytes).
2019-10-09 22:37:32,181 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-09 22:37:32,197 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\SysWOW64\profapi (0xb000 bytes).
2019-10-09 22:37:32,290 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-09 22:37:32,290 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-09 22:37:32,290 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-09 22:37:32,306 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 22:37:32,322 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\SysWOW64\apphelp (0x4c000 bytes).
2019-10-09 22:37:32,555 [root] DEBUG: DLL loaded at 0x74980000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2019-10-09 22:37:32,602 [root] DEBUG: DLL unloaded from 0x75C10000.
2019-10-09 22:37:32,680 [root] INFO: Announced starting service "AppMgmt"
2019-10-09 22:37:32,680 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-10-09 22:37:32,727 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:37:32,727 [lib.api.process] INFO: 64-bit DLL to inject is C:\docfruwfti\dll\aHXotu.dll, loader C:\docfruwfti\bin\oGFjmUIq.exe
2019-10-09 22:37:32,743 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AlXrLtXJmQ.
2019-10-09 22:37:32,743 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\docfruwfti\dll\aHXotu.dll.
2019-10-09 22:37:32,743 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2256, handle 0x84
2019-10-09 22:37:32,743 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-09 22:37:32,743 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-09 22:37:32,743 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-09 22:37:32,805 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:37:32,805 [root] DEBUG: Process dumps enabled.
2019-10-09 22:37:32,805 [root] INFO: Disabling sleep skipping.
2019-10-09 22:37:32,852 [root] WARNING: Unable to place hook on LockResource
2019-10-09 22:37:32,852 [root] WARNING: Unable to hook LockResource
2019-10-09 22:37:32,900 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x00000000741C0000, image base 0x00000000FFA10000, stack from 0x0000000002DA6000-0x0000000002DB0000
2019-10-09 22:37:32,900 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-10-09 22:37:32,900 [root] INFO: Added new process to list with pid: 460
2019-10-09 22:37:32,900 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-10-09 22:37:32,900 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-09 22:37:32,900 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-09 22:37:32,900 [root] DEBUG: Successfully injected DLL C:\docfruwfti\dll\aHXotu.dll.
2019-10-09 22:37:33,944 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2980
2019-10-09 22:37:33,944 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:37:33,944 [lib.api.process] INFO: 64-bit DLL to inject is C:\docfruwfti\dll\aHXotu.dll, loader C:\docfruwfti\bin\oGFjmUIq.exe
2019-10-09 22:37:33,944 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AlXrLtXJmQ.
2019-10-09 22:37:33,944 [root] DEBUG: Loader: Injecting process 2980 (thread 2988) with C:\docfruwfti\dll\aHXotu.dll.
2019-10-09 22:37:33,944 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-09 22:37:33,944 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\docfruwfti\dll\aHXotu.dll.
2019-10-09 22:37:33,944 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFA1B000 - 0x000007FEFF430000
2019-10-09 22:37:33,944 [root] DEBUG: InjectDllViaIAT: Allocated 0x210 bytes for new import table at 0x00000000FFA20000.
2019-10-09 22:37:33,944 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 22:37:33,944 [root] DEBUG: Successfully injected DLL C:\docfruwfti\dll\aHXotu.dll.
2019-10-09 22:37:33,944 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2980
2019-10-09 22:37:33,944 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2980
2019-10-09 22:37:33,944 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:37:33,944 [lib.api.process] INFO: 64-bit DLL to inject is C:\docfruwfti\dll\aHXotu.dll, loader C:\docfruwfti\bin\oGFjmUIq.exe
2019-10-09 22:37:33,944 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AlXrLtXJmQ.
2019-10-09 22:37:33,944 [root] DEBUG: Loader: Injecting process 2980 (thread 2988) with C:\docfruwfti\dll\aHXotu.dll.
2019-10-09 22:37:33,944 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-09 22:37:33,944 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\docfruwfti\dll\aHXotu.dll.
2019-10-09 22:37:33,944 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-09 22:37:33,944 [root] DEBUG: Successfully injected DLL C:\docfruwfti\dll\aHXotu.dll.
2019-10-09 22:37:33,944 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2980
2019-10-09 22:37:33,960 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:37:33,960 [root] DEBUG: Process dumps enabled.
2019-10-09 22:37:33,960 [root] INFO: Disabling sleep skipping.
2019-10-09 22:37:33,960 [root] WARNING: Unable to place hook on LockResource
2019-10-09 22:37:33,960 [root] WARNING: Unable to hook LockResource
2019-10-09 22:37:33,976 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 22:37:33,976 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2980 at 0x00000000741C0000, image base 0x00000000FFA10000, stack from 0x0000000000215000-0x0000000000220000
2019-10-09 22:37:33,976 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-10-09 22:37:33,976 [root] INFO: Added new process to list with pid: 2980
2019-10-09 22:37:33,976 [root] INFO: Monitor successfully loaded in process with pid 2980.
2019-10-09 22:37:33,992 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-09 22:37:34,023 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-10-09 22:37:34,023 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-10-09 22:37:34,069 [root] DEBUG: DLL loaded at 0x000007FEF9860000: c:\windows\system32\appmgmts (0x34000 bytes).
2019-10-09 22:37:34,101 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: c:\windows\system32\USERENV (0x1e000 bytes).
2019-10-09 22:37:34,101 [root] DEBUG: DLL loaded at 0x000007FEFD020000: c:\windows\system32\profapi (0xf000 bytes).
2019-10-09 22:37:34,101 [root] DEBUG: DLL loaded at 0x000007FEF4CE0000: c:\windows\system32\adsldpc (0x3d000 bytes).
2019-10-09 22:37:34,101 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-10-09 22:37:34,131 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-10-09 22:37:34,163 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 22:37:34,210 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-10-09 22:37:34,226 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-10-09 22:37:34,240 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-09 22:37:34,240 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-10-09 22:37:34,240 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-10-09 22:37:34,335 [root] INFO: Announced 32-bit process name: rundll32.exe pid: 368
2019-10-09 22:37:34,335 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:37:34,335 [lib.api.process] INFO: 32-bit DLL to inject is C:\docfruwfti\dll\VXoUkscH.dll, loader C:\docfruwfti\bin\iFzQfxW.exe
2019-10-09 22:37:34,335 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AlXrLtXJmQ.
2019-10-09 22:37:34,335 [root] DEBUG: Loader: Injecting process 368 (thread 2116) with C:\docfruwfti\dll\VXoUkscH.dll.
2019-10-09 22:37:34,335 [root] DEBUG: Process image base: 0x00890000
2019-10-09 22:37:34,349 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\docfruwfti\dll\VXoUkscH.dll.
2019-10-09 22:37:34,349 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0089E000 - 0x77110000
2019-10-09 22:37:34,349 [root] DEBUG: InjectDllViaIAT: Allocated 0x1b4 bytes for new import table at 0x008A0000.
2019-10-09 22:37:34,349 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 22:37:34,349 [root] DEBUG: Successfully injected DLL C:\docfruwfti\dll\VXoUkscH.dll.
2019-10-09 22:37:34,349 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 368
2019-10-09 22:37:34,365 [root] INFO: Announced 32-bit process name: rundll32.exe pid: 368
2019-10-09 22:37:34,365 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:37:34,365 [lib.api.process] INFO: 32-bit DLL to inject is C:\docfruwfti\dll\VXoUkscH.dll, loader C:\docfruwfti\bin\iFzQfxW.exe
2019-10-09 22:37:34,365 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AlXrLtXJmQ.
2019-10-09 22:37:34,365 [root] DEBUG: Loader: Injecting process 368 (thread 2116) with C:\docfruwfti\dll\VXoUkscH.dll.
2019-10-09 22:37:34,365 [root] DEBUG: Process image base: 0x00890000
2019-10-09 22:37:34,381 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\docfruwfti\dll\VXoUkscH.dll.
2019-10-09 22:37:34,381 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-09 22:37:34,381 [root] DEBUG: Successfully injected DLL C:\docfruwfti\dll\VXoUkscH.dll.
2019-10-09 22:37:34,381 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 368
2019-10-09 22:37:34,381 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\system32\sfc (0x3000 bytes).
2019-10-09 22:37:34,397 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\system32\sfc_os (0xd000 bytes).
2019-10-09 22:37:34,397 [root] DEBUG: DLL unloaded from 0x74970000.
2019-10-09 22:37:34,397 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-09 22:37:34,413 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 22:37:34,413 [root] DEBUG: DLL unloaded from 0x74980000.
2019-10-09 22:37:34,413 [root] DEBUG: DLL unloaded from 0x742A0000.
2019-10-09 22:37:34,413 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 22:37:34,569 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:37:34,569 [root] DEBUG: Process dumps enabled.
2019-10-09 22:37:34,569 [root] INFO: Disabling sleep skipping.
2019-10-09 22:37:34,569 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 22:37:34,569 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 368 at 0x747e0000, image base 0x890000, stack from 0x2d4000-0x2e0000
2019-10-09 22:37:34,569 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\user\AppData\Local\Temp\yvBi3AjlQg.
2019-10-09 22:37:34,584 [root] INFO: Added new process to list with pid: 368
2019-10-09 22:37:34,584 [root] INFO: Monitor successfully loaded in process with pid 368.
2019-10-09 22:37:34,615 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-09 22:37:34,677 [root] DEBUG: DLL loaded at 0x74080000: C:\Windows\SysWOW64\UxTheme (0x80000 bytes).
2019-10-09 22:37:34,786 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\SysWOW64\PROPSYS (0xf5000 bytes).
2019-10-09 22:37:34,802 [root] DEBUG: DLL loaded at 0x73F80000: C:\Windows\SysWOW64\WindowsCodecs (0xfb000 bytes).
2019-10-09 22:37:35,130 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-09 22:37:35,130 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\system32\EhStorShell (0x31000 bytes).
2019-10-09 22:37:35,130 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-09 22:37:35,130 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-09 22:37:35,130 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-09 22:37:35,441 [root] DEBUG: DLL loaded at 0x73E20000: C:\Windows\system32\ntshrui (0x70000 bytes).
2019-10-09 22:37:35,457 [root] DEBUG: DLL loaded at 0x73F60000: C:\Windows\SysWOW64\srvcli (0x19000 bytes).
2019-10-09 22:37:35,489 [root] DEBUG: DLL loaded at 0x73F50000: C:\Windows\SysWOW64\cscapi (0xb000 bytes).
2019-10-09 22:37:35,519 [root] DEBUG: DLL loaded at 0x73F40000: C:\Windows\SysWOW64\slc (0xa000 bytes).
2019-10-09 22:37:35,614 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\SysWOW64\ntmarta (0x21000 bytes).
2019-10-09 22:37:35,614 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-09 22:37:35,614 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-09 22:37:36,424 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:37:38,516 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:37:40,605 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:37:42,696 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:37:44,786 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:37:46,815 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:37:48,842 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:37:50,933 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:37:53,023 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:37:55,114 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:37:57,203 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:37:59,295 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:01,384 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:03,476 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:05,565 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:07,655 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:09,746 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:11,775 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:13,865 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:15,956 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:18,046 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:20,073 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:22,164 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:24,255 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:26,345 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:28,436 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:30,526 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:32,615 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:34,707 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:36,796 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:38,888 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:40,977 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:43,068 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:45,158 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:47,249 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:49,276 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:51,305 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:53,332 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:55,424 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:57,513 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:38:59,604 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:01,631 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:03,723 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:05,812 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:07,904 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:09,993 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:12,084 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:14,111 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:16,203 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:18,292 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:20,384 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:22,411 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:24,502 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:26,592 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:28,683 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:30,773 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:32,864 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:34,953 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:36,982 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:39,072 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:41,163 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:43,253 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:45,344 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:47,371 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:49,461 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:51,552 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:53,642 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:55,671 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:57,698 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:39:59,789 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:01,880 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:03,970 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:06,061 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:08,151 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:10,178 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:12,269 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:14,296 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:16,325 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:18,415 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:20,506 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:22,596 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:24,687 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:26,776 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:28,868 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:30,957 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:33,049 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:35,138 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:37,229 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:39,319 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:41,410 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:43,500 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:45,591 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:47,680 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:49,772 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:51,799 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:53,890 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:55,917 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:58,009 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:40:58,678 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-09 22:40:58,678 [root] INFO: Created shutdown mutex.
2019-10-09 22:40:59,693 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1988
2019-10-09 22:40:59,693 [root] INFO: Terminate event set for process 1988.
2019-10-09 22:40:59,693 [root] INFO: Terminating process 1988 before shutdown.
2019-10-09 22:40:59,693 [root] INFO: Waiting for process 1988 to exit.
2019-10-09 22:40:59,693 [root] DEBUG: Terminate Event: Attempting to dump process 1988
2019-10-09 22:40:59,693 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x4A770000.
2019-10-09 22:40:59,693 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-09 22:40:59,693 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4A770000.
2019-10-09 22:40:59,693 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2019-10-09 22:40:59,709 [root] INFO: Added new CAPE file to list with path: C:\WkyERynB\CAPE\1988_17484574959402193102019
2019-10-09 22:40:59,709 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x48200.
2019-10-09 22:40:59,709 [root] DEBUG: Terminate Event: Skipping dump of process 1988
2019-10-09 22:40:59,709 [root] DEBUG: Terminate Event: Shutdown complete for process 1988 but failed to inform analyzer.
2019-10-09 22:41:03,062 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2980
2019-10-09 22:41:03,062 [root] DEBUG: Terminate Event: Attempting to dump process 2980
2019-10-09 22:41:03,062 [root] INFO: Terminate event set for process 2980.
2019-10-09 22:41:03,062 [root] INFO: Terminating process 2980 before shutdown.
2019-10-09 22:41:03,062 [root] INFO: Waiting for process 2980 to exit.
2019-10-09 22:41:03,078 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FFA10000.
2019-10-09 22:41:03,078 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-09 22:41:03,078 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFA10000.
2019-10-09 22:41:03,078 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2019-10-09 22:41:03,125 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:41:05,246 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:41:07,430 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:41:09,536 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:41:09,645 [root] INFO: Waiting for process 2980 to exit.
2019-10-09 22:41:09,661 [root] INFO: Added new CAPE file to list with path: C:\WkyERynB\CAPE\2980_11298398323412193102019
2019-10-09 22:41:09,693 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6600.
2019-10-09 22:41:10,676 [root] INFO: Waiting for process 2980 to exit.
2019-10-09 22:41:10,676 [root] DEBUG: Terminate Event: Skipping dump of process 2980
2019-10-09 22:41:10,690 [root] DEBUG: Terminate Event: Shutdown complete for process 2980 but failed to inform analyzer.
2019-10-09 22:41:11,690 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 368
2019-10-09 22:41:11,690 [root] INFO: Terminate event set for process 368.
2019-10-09 22:41:11,690 [root] INFO: Terminating process 368 before shutdown.
2019-10-09 22:41:11,690 [root] INFO: Waiting for process 368 to exit.
2019-10-09 22:41:11,690 [root] DEBUG: Terminate Event: Attempting to dump process 368
2019-10-09 22:41:11,690 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:41:11,704 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00890000.
2019-10-09 22:41:12,703 [root] INFO: Waiting for process 368 to exit.
2019-10-09 22:41:12,703 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-09 22:41:12,766 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00890000.
2019-10-09 22:41:12,782 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000178C.
2019-10-09 22:41:12,782 [root] INFO: Added new CAPE file to list with path: C:\WkyERynB\CAPE\368_40039546412412193102019
2019-10-09 22:41:13,717 [root] INFO: Waiting for process 368 to exit.
2019-10-09 22:41:13,717 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xaa00.
2019-10-09 22:41:13,717 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-09 22:41:13,749 [root] DEBUG: Terminate Event: Skipping dump of process 368
2019-10-09 22:41:13,779 [root] DEBUG: Terminate Event: Shutdown complete for process 368 but failed to inform analyzer.
2019-10-09 22:41:13,811 [root] DEBUG: DLL loaded at 0x74A90000: C:\Windows\SysWOW64\netutils (0x9000 bytes).
2019-10-09 22:41:14,732 [root] INFO: Shutting down package.
2019-10-09 22:41:14,732 [root] INFO: Stopping auxiliary modules.
2019-10-09 22:41:14,732 [root] INFO: Finishing auxiliary modules.
2019-10-09 22:41:14,732 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-09 22:41:14,732 [root] WARNING: File at path "C:\WkyERynB\debugger" does not exist, skip.
2019-10-09 22:41:14,732 [root] INFO: Analysis completed.

MalScore 4.5 (Suspicious)

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-10-09 21:37:28 2019-10-09 21:41:28

File Details

File Name 14a5e094dc1876973bfa10aa09868139
File Size 125688 bytes
File Type Mach-O fat file with 2 architectures
MD5 14a5e094dc1876973bfa10aa09868139
SHA1 3c5502b5e5d8e6acdb1d9d757dd768b3c516ca16
SHA256 9105361d4206d8ed675c40e41624d63142c953e76e94d55309a382d1dde4633c
SHA512 2c06fc6f6d2eea88bb85c6c7df01e4caec9253d935e25184f91c5e4e714df059f4c43a96e875f69966bf79c73e3749536c2f748b25e23b723ac6f2c835f65dce
CRC32 40F076CE
Ssdeep 3072:gcB93pMBQaa4u4xB3OS53Lqyz7RQpYKFMCMqtc7ma3Oqh:hKzx/leFFMy4
TrID
  • 100.0% (.) Mac OS X Universal Binary executable (4000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: SHELL32.dll/ShellExecuteExW
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: PROPSYS.dll/PSCreateMemoryPropertyStore
DynamicLoader: PROPSYS.dll/PSPropertyBag_WriteDWORD
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadDWORD
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadBSTR
DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadStrAlloc
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: PROPSYS.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: PROPSYS.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: ole32.dll/CoAllowSetForegroundWindow
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/InstallApplication
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/SaferGetPolicyInformation
DynamicLoader: sfc.dll/SfcIsFileProtected
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/OleUninitialize
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: KERNELBASE.dll/SetThreadStackGuarantee
DynamicLoader: KERNELBASE.dll/SetThreadStackGuarantee
DynamicLoader: KERNELBASE.dll/SetThreadStackGuarantee
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: appmgmts.dll/ServiceMain
DynamicLoader: appmgmts.dll/SvchostPushServiceGlobals
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: SHELL32.dll/OpenAs_RunDLLW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/InitCommonControlsEx
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: SHELL32.dll/
DynamicLoader: PROPSYS.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: comctl32.dll/ImageList_CoCreateInstance
DynamicLoader: WindowsCodecs.dll/WICCreateImagingFactory_Proxy
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: comctl32.dll/
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: comctl32.dll/
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: PROPSYS.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: PROPSYS.dll/PSCreateDelayedMultiplexPropertyStore
DynamicLoader: PROPSYS.dll/PSCreatePropertyStoreFromObject
DynamicLoader: SHELL32.dll/
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeExW
DynamicLoader: VERSION.dll/GetFileVersionInfoExW
DynamicLoader: PROPSYS.dll/
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: PROPSYS.dll/PSCoerceToCanonicalValue
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/PropVariantToVariant
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: PROPSYS.dll/VariantToString
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
Harvests information related to installed mail clients
key: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\Hidden
key: HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook\Capabilities
key: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\FileAssociations

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

No static analysis available.
h__TEXT
__text
__TEXT
__picsymbol_stub__TEXT
$__picsymbolstub1__TEXT
__cstring
__TEXT
__literal8
__TEXT
__const
__TEXT
__constructor
__TEXT
__destructor
__TEXT
__literal4
__TEXT
__textcoal_nt
__TEXT
__StaticInit
__TEXT
__eh_frame
__TEXT
__DATA
__data
__DATA
__dyld
__DATA
__la_symbol_ptr
__DATA
__nl_symbol_ptr
__DATA
__datacoal_nt
__DATA
__const
__DATA
__mod_init_func
__DATA
__mod_term_func
__DATA
__gcc_except_tab__DATA
__bss
__DATA
8__LINKEDIT
/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon
/System/Library/Frameworks/QuickTime.framework/Versions/A/QuickTime
/usr/lib/libSystem.B.dylib
8B=x8
allocateMenuID
REALinRuntime
releaseMenuID
PluginRegisterControl
PluginInterpretConstantValue
PluginDefaultControlFont
PluginDefaultControlCaption
PluginDefaultControlFontSize
REALLockObject
REALUnlockObject
REALLockString
REALUnlockString
GetInterfaceRoutine
lockPictureDescription
unlockPictureDescription
drawPicturePrimitive
GetEventInstancePPC
GetControlBounds
GetControlVisible
REALGetControlEnabled
SelectGraphics
DrawOffscreenMacControl
REALInvalidateControl
REALSetSpecialBackground
getControlWindow
REALGetWindowHandle
PluginNewInstance
REALGetRBVersion
RuntimeRaiseException
GetTabPanelVisible
REALGetStringEncoding
REALIsHIViewWindow
REALGetPictureMask
REALGetStringCFString
REALGetStringSystemStr
ResolverPPC
RegisterPluginVersion
=#484
=#485
=#486
=#487
=#488
=#489
=#490
=#491
=#492
=#493
=#474
=#475
=#476
=#477
=#478
=#479
=#480
=#481
=#482
=#483
=#468
=#469
=#470
=#241
=#240
=#242
=#243
=#244
=#471
=#472
=#473
=#494
=#495
=#496
Appearance
Caption
String
CaptionAlign
Integer
CaptionPlacement
CaptionDelta
Picture
IconAlign
IconDX
IconDY
Bevel
HasMenu
Initial State
Value
Boolean
MenuValue
Behavior
ButtonType
integer
AcceptFocus
TextFont
string
TextSize
boolean
Italic
Underline
DeleteAllRows
AddRow(text As String)
AddSeparator
RemoveRow(row As Integer)
InsertRow(row As Integer, text As String)
List(row As Integer) As String
addActionNotificationReceiver(receiver As actionNotificationReceiver)
removeActionNotificationReceiver(receiver As actionNotificationReceiver)
MouseUp(X As Integer, Y As Integer) As Boolean
MouseDown(X As Integer, Y As Integer) As Boolean
Action
GotFocus
LostFocus
ActionSource
%1 pressed
BevelButton
ChasingArrows
ProgressWheel
=#497
=#498
Facing
DisclosureTriangle
Image
MouseDrag(X As Integer, Y As Integer)
MouseUp(X As Integer, Y As Integer)
ImageWell
GainedFocus
LittleArrows
UpDownArrows
Separator
Placard
=#499
=#500
=#501
=#502
=#503
=#504
=#505
=#506
PopupArrow
OutOfBoundsException
actionNotificationReceiver
PerformAction
System
SmallSystem
System.SystemFont
System.ApplicationFont
/Volumes/RBUS/Universal/utility.cpp
_REALPluginMain
_ActivateControl
_AppendMenu
_BlockMoveData
_CFRelease
_ChangeMenuItemAttributes
_CheckMenuItem
_ClipRect
_ClosePicture
_ClosePoly
_CountMenuItems
_CreateNewPort
_DeactivateControl
_DeleteMenu
_DeleteMenuItem
_DisableControl
_DisposeCTable
_DisposeControl
_DisposeGWorld
_DisposeMenu
_DisposePort
_DisposePtr
_DisposeRgn
_Draw1Control
_DrawText
_DrawThemeButton
_DrawThemeChasingArrows
_DrawThemePlacard
_EnableControl
_EraseRect
_FillPoly
_FillRect
_FramePoly
_FrameRect
_Gestalt
_GetBackColor
_GetBevelButtonContentInfo
_GetBevelButtonMenuValue
_GetCTable
_GetClip
_GetControlOwner
_GetControlReference
_GetControlValue
_GetFNum
_GetFontInfo
_GetForeColor
_GetGWorld
_GetPortPixMap
_GetPortTextFace
_GetPortTextFont
_GetPortTextSize
_GetQDGlobalsBlack
_GetQDGlobalsThePort
_GetThemeDrawingState
_GetThemeFont
_GetWindowFromPort
_GetWindowPort
_HandleControlClick
_HideControl
_HidePen
_HiliteControl
_InsertMenu
_InsertMenuItem
_InsetRect
_IsControlEnabled
_KillPicture
_KillPoly
_LineTo
_LocalToGlobal
_LockPixels
_MoveTo
_NewControl
_NewControlActionUPP
_NewGWorld
_NewMenu
_NewPtr
_NewRgn
_OffsetRect
_OpenPicture
_OpenPoly
_PopUpMenuSelect
_PtInRect
_RGBBackColor
_RGBForeColor
_RectRgn
_SendControlMessage
_SetBevelButtonContentInfo
_SetBevelButtonGraphicAlignment
_SetBevelButtonMenuValue
_SetBevelButtonTextAlignment
_SetBevelButtonTextPlacement
_SetClip
_SetControlAction
_SetControlBounds
_SetControlData
_SetControlFontStyle
_SetControlMinimum
_SetControlTitle
_SetControlTitleWithCFString
_SetControlValue
_SetControlVisibility
_SetGWorld
_SetIdentityMatrix
_SetImageWellContentInfo
_SetMenuItemText
_SetMenuItemTextWithCFString
_SetPort
_SetRect
_SetThemeDrawingState
_ShowControl
_ShowPen
_StdPix
_TestControl
_TextFace
_TextFont
_TextSize
_TextWidth
_TickCount
_UnlockPixels
___sF
___sinit
_abort
_fflush
_fprintf
_free
_malloc
__TEXT
__text
__TEXT
__cstring
__TEXT
__textcoal_nt
__TEXT
__const
__TEXT
__literal8
__TEXT
__constructor
__TEXT
__destructor
__TEXT
__literal4
__TEXT
__const_coal
__TEXT
__StaticInit
__TEXT
__DATA
__data
__DATA
__dyld
__DATA
__const
__DATA
__const_coal
__DATA
__mod_init_func
__DATA
__common
__DATA
__bss
__DATA
__IMPORT
__jump_table
__IMPORT
__pointers
__IMPORT
__LINKEDIT
/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon
/System/Library/Frameworks/QuickTime.framework/Versions/A/QuickTime
/usr/lib/libstdc++.6.dylib
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/usr/lib/libSystem.B.dylib
__cxa_atexit
__cxa_finalize
atexit
RegisterPluginVersion
allocateMenuID
REALinRuntime
releaseMenuID
PluginDefaultControlFont
PluginDefaultControlCaption
PluginDefaultControlFontSize
REALLockObject
REALUnlockObject
REALLockString
PluginInterpretConstantValue
REALUnlockString
GetInterfaceRoutine
lockPictureDescription
unlockPictureDescription
drawPicturePrimitive
GetEventInstance
GetControlBounds
GetControlVisible
REALGetControlEnabled
SelectGraphics
DrawOffscreenMacControl
REALInvalidateControl
REALSetSpecialBackground
getControlWindow
REALGetWindowHandle
PluginNewInstance
REALGetRBVersion
PluginRegisterControl
RuntimeRaiseException
GetTabPanelVisible
REALGetStringEncoding
REALIsHIViewWindow
REALGetPictureMask
REALGetStringCFString
REALGetStringSystemStr
PopupArrow
MouseDown(X As Integer, Y As Integer) As Boolean
MouseDrag(X As Integer, Y As Integer)
MouseUp(X As Integer, Y As Integer)
Appearance
Facing
Integer
=#499
=#500
=#501
=#502
=#503
=#504
=#505
=#506
Placard
Initial State
Value
Boolean
Separator
UpDownArrows
Behavior
AcceptFocus
LittleArrows
GainedFocus
LostFocus
ImageWell
Image
Picture
DisclosureTriangle
Action
GotFocus
=#497
=#498
ProgressWheel
ChasingArrows
BevelButton
ActionSource
%1 pressed
MouseUp(X As Integer, Y As Integer) As Boolean
DeleteAllRows
AddRow(text As String)
AddSeparator
RemoveRow(row As Integer)
InsertRow(row As Integer, text As String)
List(row As Integer) As String
addActionNotificationReceiver(receiver As actionNotificationReceiver)
removeActionNotificationReceiver(receiver As actionNotificationReceiver)
Caption
String
CaptionAlign
CaptionPlacement
CaptionDelta
IconAlign
IconDX
IconDY
Bevel
HasMenu
MenuValue
ButtonType
integer
TextFont
string
TextSize
boolean
Italic
Underline
=#494
=#495
=#496
=#471
=#472
=#473
=#468
=#469
=#470
=#241
=#240
=#242
=#243
=#244
=#474
=#475
=#476
=#477
=#478
=#479
=#480
=#481
=#482
=#483
=#488
=#489
=#490
=#491
=#492
=#493
=#484
=#485
=#486
=#487
OutOfBoundsException
PerformAction
actionNotificationReceiver
System
SmallSystem
System.SystemFont
System.ApplicationFont
/Volumes/RBUS/REALbasic/REALbasic Xcode/../../Universal/utility.cpp
_REALPluginMain
_ActivateControl
_AppendMenu
_CFRelease
_ChangeMenuItemAttributes
_CheckMenuItem
_ClipRect
_ClosePicture
_ClosePoly
_CountMenuItems
_CreateNewPort
_DeactivateControl
_DeleteMenu
_DeleteMenuItem
_DisableControl
_DisposeCTable
_DisposeControl
_DisposeGWorld
_DisposeMenu
_DisposePort
_DisposePtr
_DisposeRgn
_Draw1Control
_DrawText
_DrawThemeButton
_DrawThemeChasingArrows
_DrawThemePlacard
_EnableControl
_EraseRect
_FillPoly
_FillRect
_FramePoly
_FrameRect
_Gestalt
_GetBackColor
_GetBevelButtonContentInfo
_GetBevelButtonMenuValue
_GetCTable
_GetClip
_GetControlOwner
_GetControlReference
_GetControlValue
_GetFNum
_GetFontInfo
_GetForeColor
_GetGWorld
_GetPortPixMap
_GetPortTextFace
_GetPortTextFont
_GetPortTextSize
_GetQDGlobalsBlack
_GetQDGlobalsThePort
_GetThemeDrawingState
_GetThemeFont
_GetWindowFromPort
_GetWindowPort
_HandleControlClick
_HideControl
_HidePen
_HiliteControl
_InsertMenu
_InsertMenuItem
_InsetRect
_IsControlEnabled
_KillPicture
_KillPoly
_LineTo
_LocalToGlobal
_LockPixels
_MoveTo
_NewControl
_NewControlActionUPP
_NewGWorld
_NewMenu
_NewPtr
_NewRgn
_OffsetRect
_OpenPicture
_OpenPoly
_PopUpMenuSelect
_PtInRect
_RGBBackColor
_RGBForeColor
_RectRgn
_SendControlMessage
_SetBevelButtonContentInfo
_SetBevelButtonGraphicAlignment
_SetBevelButtonMenuValue
_SetBevelButtonTextAlignment
_SetBevelButtonTextPlacement
_SetClip
_SetControlAction
_SetControlBounds
_SetControlData
_SetControlFontStyle
_SetControlMinimum
_SetControlTitle
_SetControlTitleWithCFString
_SetControlValue
_SetControlVisibility
_SetGWorld
_SetIdentityMatrix
_SetImageWellContentInfo
_SetMenuItemText
_SetMenuItemTextWithCFString
_SetPort
_SetRect
_SetThemeDrawingState
_ShowControl
_ShowPen
_StdPix
_TestControl
_TextFace
_TextFont
_TextSize
_TextWidth
_TickCount
_UnlockPixels
__ZdlPv
___cxa_guard_acquire
___cxa_guard_release
___sF
__keymgr_get_and_lock_processwide_ptr
__keymgr_get_and_lock_processwide_ptr_2
__keymgr_set_and_unlock_processwide_ptr
_abort
_calloc
_dlopen
_dlsym
_fflush
_fprintf
_free
_malloc
_memmove
This file is not on VirusTotal.

Process Tree

  • cmd.exe 1988 "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\user\AppData\Local\Temp\yvBi3AjlQg"
    • rundll32.exe 368 "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\user\AppData\Local\Temp\yvBi3AjlQg
  • services.exe 460 C:\Windows\system32\services.exe
    • svchost.exe 2980 C:\Windows\system32\svchost.exe -k netsvcs

cmd.exe, PID: 1988, Parent PID: 2480
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\user\AppData\Local\Temp\yvBi3AjlQg"
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
svchost.exe, PID: 2980, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs
rundll32.exe, PID: 368, Parent PID: 1988
Full Path: C:\Windows\SysWOW64\rundll32.exe
Command Line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\user\AppData\Local\Temp\yvBi3AjlQg

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name cmd.exe
PID 1988
Dump Size 295424 bytes
Module Path C:\Windows\SysWOW64\cmd.exe
Type PE image: 32-bit executable
MD5 00c9b48d6fbf27568c1cf700262b714e
SHA1 46372c4dfee5052e8ee24fafbd40afe02bdc35a9
SHA256 235c0b1f0010a92e11a4ded94404b8954c4a7c1eaa6e59c9095364540cd07de3
CRC32 843F917D
Ssdeep 3072:jGN0WQ/otSfr845bJ3s+DklqGIeC9sUqJpcYkrjyGe:6NvQ/pfP9XcwzqpcYkrm
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 235c0b1f0010a92e11a4ded94404b8954c4a7c1eaa6e59c9095364540cd07de3
Process Name svchost.exe
PID 2980
Dump Size 26112 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
MD5 9d924357e7f54009cd8e4051e4de63b9
SHA1 67ad647823973a3415a50a7e04d790996173af00
SHA256 57d4036a2586f246bd00caa2af2428ec1a130b03948ed69e6f2e4a2ea9ece0dd
CRC32 4BD27FDC
Ssdeep 384:OZvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCE/lWPWSsEsj45RCOvoj2PKW9C56:uWkX7q+f5TYvVeZMmn+0C4x/EbvK2PK
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 57d4036a2586f246bd00caa2af2428ec1a130b03948ed69e6f2e4a2ea9ece0dd
Process Name rundll32.exe
PID 368
Dump Size 43520 bytes
Module Path C:\Windows\SysWOW64\rundll32.exe
Type PE image: 32-bit executable
MD5 d07c147bf2b1bad6aced96867d82ad97
SHA1 88d9b782b49c0784574f8e673e3051c30154b74f
SHA256 288eb2eb27f0624a6ba00242420da1ba2999e80861aa42f9cfc2b2dc9feaf29a
CRC32 01AE482E
Ssdeep 768:rqDXt1uRlYalSRqbSEln5IyYpamDjobj8S:ro9URlBSRqln5IUmDjoX
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 288eb2eb27f0624a6ba00242420da1ba2999e80861aa42f9cfc2b2dc9feaf29a

Processing (2.249 seconds)

  • 1.092 BehaviorAnalysis
  • 0.422 CAPE
  • 0.357 ProcDump
  • 0.21 Deduplicate
  • 0.085 TrID
  • 0.063 TargetInfo
  • 0.007 NetworkAnalysis
  • 0.007 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures (1.159 seconds)

  • 0.265 antiav_detectreg
  • 0.132 antidbg_windows
  • 0.09 infostealer_ftp
  • 0.055 antianalysis_detectreg
  • 0.05 infostealer_im
  • 0.044 stealth_timeout
  • 0.038 infostealer_mail
  • 0.032 NewtWire Behavior
  • 0.032 decoy_document
  • 0.031 api_spamming
  • 0.029 antivm_vbox_keys
  • 0.028 antivm_generic_scsi
  • 0.02 recon_programs
  • 0.019 antivm_vmware_keys
  • 0.019 recon_fingerprint
  • 0.015 kibex_behavior
  • 0.013 antivm_parallels_keys
  • 0.013 antivm_xen_keys
  • 0.013 darkcomet_regkeys
  • 0.011 betabot_behavior
  • 0.01 uac_bypass_eventvwr
  • 0.01 geodo_banking_trojan
  • 0.009 antivm_generic_services
  • 0.009 antivm_generic_diskreg
  • 0.008 Doppelganging
  • 0.008 antivm_generic_disk
  • 0.008 antivm_vpc_keys
  • 0.008 ransomware_files
  • 0.007 antivm_vbox_window
  • 0.007 mimics_filetime
  • 0.006 stealth_file
  • 0.006 virus
  • 0.006 antiav_detectfile
  • 0.005 bootkit
  • 0.005 reads_self
  • 0.005 antisandbox_script_timer
  • 0.004 injection_runpe
  • 0.004 injection_createremotethread
  • 0.004 InjectionCreateRemoteThread
  • 0.004 antivm_xen_keys
  • 0.004 antivm_hyperv_keys
  • 0.004 bypass_firewall
  • 0.004 infostealer_bitcoin
  • 0.004 packer_armadillo_regkey
  • 0.004 ransomware_extensions
  • 0.004 remcos_regkeys
  • 0.003 InjectionInterProcess
  • 0.003 InjectionProcessHollowing
  • 0.003 persistence_autorun
  • 0.003 hancitor_behavior
  • 0.003 antivm_generic_bios
  • 0.003 antivm_generic_cpu
  • 0.003 antivm_generic_system
  • 0.002 antiemu_wine_func
  • 0.002 Extraction
  • 0.002 dynamic_function_loading
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vbox_files
  • 0.002 browser_security
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 antivm_vbox_libs
  • 0.001 antidebug_guardpages
  • 0.001 rat_nanocore
  • 0.001 exploit_heapspray
  • 0.001 stack_pivot
  • 0.001 infostealer_browser
  • 0.001 exploit_getbasekerneladdress
  • 0.001 Vidar Behavior
  • 0.001 exploit_gethaldispatchtable
  • 0.001 infostealer_browser_password
  • 0.001 InjectionSetWindowLong
  • 0.001 neshta_files
  • 0.001 cerber_behavior
  • 0.001 kovter_behavior
  • 0.001 antidbg_devices
  • 0.001 antiemu_wine_reg
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn

Reporting ( 0.027 seconds )

  • 0.027 CompressResults
Task ID 94385
Mongo ID 5d9e5415f69fab997c67b424
Cuckoo release 1.3-CAPE