Analysis

Category  Package  Started              Completed            Duration
FILE      exe      2019-10-10 00:07:27  2019-10-10 00:11:49  262 seconds
2019-10-10 01:07:43,015 [root] INFO: Date set to: 10-10-19, time set to: 00:07:43, timeout set to: 200
2019-10-10 01:07:43,279 [root] DEBUG: Starting analyzer from: C:\dzsxmmejnl
2019-10-10 01:07:43,279 [root] DEBUG: Storing results at: C:\YmekFDVOz
2019-10-10 01:07:43,279 [root] DEBUG: Pipe server name: \\.\PIPE\qAMgLyAr
2019-10-10 01:07:43,279 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-10 01:07:43,279 [root] INFO: Automatically selected analysis package "exe"
2019-10-10 01:07:45,308 [root] DEBUG: Started auxiliary module Browser
2019-10-10 01:07:45,308 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 01:07:45,308 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 01:07:46,509 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-10-10 01:07:46,509 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 01:07:46,509 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 01:07:46,525 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 01:07:46,525 [root] DEBUG: Started auxiliary module Human
2019-10-10 01:07:46,525 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 01:07:46,540 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 01:07:46,540 [root] DEBUG: Started auxiliary module Usage
2019-10-10 01:07:46,540 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-10-10 01:07:46,540 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-10-10 01:07:46,555 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\tmp1d80nbei.exe" with arguments "" with pid 1044
2019-10-10 01:07:46,555 [lib.api.process] INFO: 32-bit DLL to inject is C:\dzsxmmejnl\dll\GKoQqlHf.dll, loader C:\dzsxmmejnl\bin\BdqSvlz.exe
2019-10-10 01:07:46,572 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\qAMgLyAr.
2019-10-10 01:07:46,588 [root] DEBUG: Loader: Injecting process 1044 (thread 1472) with C:\dzsxmmejnl\dll\GKoQqlHf.dll.
2019-10-10 01:07:46,588 [root] DEBUG: Process image base: 0x00BF0000
2019-10-10 01:07:46,588 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2019-10-10 01:07:46,588 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2019-10-10 01:07:46,588 [root] DEBUG: Successfully injected DLL C:\dzsxmmejnl\dll\GKoQqlHf.dll.
2019-10-10 01:07:46,588 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1044
2019-10-10 01:07:48,599 [lib.api.process] INFO: Successfully resumed process with pid 1044
2019-10-10 01:07:48,599 [root] INFO: Added new process to list with pid: 1044
2019-10-10 01:07:48,849 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:07:49,427 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1044 at 0x74e80000, image base 0xbf0000, stack from 0x185000-0x190000
2019-10-10 01:07:49,427 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\tmp1d80nbei.exe".
2019-10-10 01:07:49,427 [root] INFO: Monitor successfully loaded in process with pid 1044.
2019-10-10 01:07:49,427 [root] DEBUG: set_caller_info: Adding region at 0x021D0000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 01:07:49,441 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2019-10-10 01:07:49,457 [root] DEBUG: DLL loaded at 0x74760000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x69b000 bytes).
2019-10-10 01:07:49,457 [root] DEBUG: DLL loaded at 0x74680000: C:\Windows\system32\MSVCR110_CLR0400 (0xd3000 bytes).
2019-10-10 01:07:49,473 [root] INFO: Disabling sleep skipping.
2019-10-10 01:07:49,505 [root] DEBUG: DLL loaded at 0x72280000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni (0x102e000 bytes).
2019-10-10 01:07:50,237 [root] DEBUG: DLL loaded at 0x745F0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x7d000 bytes).
2019-10-10 01:07:50,237 [root] DEBUG: DLL loaded at 0x76BF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 01:07:50,269 [root] DEBUG: DLL loaded at 0x73940000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni (0x99a000 bytes).
2019-10-10 01:07:50,332 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni (0x194000 bytes).
2019-10-10 01:07:50,346 [root] DEBUG: DLL loaded at 0x71630000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni (0xc4f000 bytes).
2019-10-10 01:07:51,953 [root] DEBUG: set_caller_info: Adding region at 0x002F0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-10-10 01:07:52,562 [root] DEBUG: DLL loaded at 0x743D0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2019-10-10 01:07:53,217 [root] DEBUG: DLL loaded at 0x74FC0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32 (0x84000 bytes).
2019-10-10 01:07:53,763 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-10 01:07:53,795 [root] DEBUG: set_caller_info: Adding region at 0x00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-10-10 01:07:53,857 [root] DEBUG: DLL loaded at 0x743B0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x12000 bytes).
2019-10-10 01:07:55,729 [root] DEBUG: DLL loaded at 0x774A0000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-10 01:07:55,729 [root] DEBUG: DLL loaded at 0x77020000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-10 01:07:55,744 [root] DEBUG: DLL loaded at 0x75570000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-10-10 01:07:55,744 [root] DEBUG: DLL loaded at 0x75560000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-10 01:07:55,744 [root] DEBUG: DLL loaded at 0x73790000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-10 01:07:55,744 [root] DEBUG: DLL loaded at 0x736A0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\1f56d5786274992934de0c900431c447\System.Configuration.ni (0xf0000 bytes).
2019-10-10 01:07:55,931 [root] DEBUG: DLL loaded at 0x70ED0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\d91f3556f8011a5d48e1448e3fa8df9e\System.Xml.ni (0x751000 bytes).
2019-10-10 01:07:56,898 [root] DEBUG: DLL loaded at 0x73510000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus (0x190000 bytes).
2019-10-10 01:07:57,305 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2019-10-10 01:07:57,305 [root] DEBUG: DLL loaded at 0x734F0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2019-10-10 01:07:57,305 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-10 01:07:57,319 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-10 01:11:10,385 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-10 01:11:10,385 [root] INFO: Created shutdown mutex.
2019-10-10 01:11:11,400 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1044
2019-10-10 01:11:11,400 [root] DEBUG: Terminate Event: Skipping dump of process 1044
2019-10-10 01:11:11,400 [root] INFO: Terminate event set for process 1044.
2019-10-10 01:11:11,400 [root] INFO: Terminating process 1044 before shutdown.
2019-10-10 01:11:11,400 [root] INFO: Waiting for process 1044 to exit.
2019-10-10 01:11:11,400 [root] DEBUG: Terminate Event: Shutdown complete for process 1044 but failed to inform analyzer.
2019-10-10 01:11:12,414 [root] INFO: Shutting down package.
2019-10-10 01:11:12,414 [root] INFO: Stopping auxiliary modules.
2019-10-10 01:11:12,414 [root] INFO: Finishing auxiliary modules.
2019-10-10 01:11:12,414 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-10 01:11:12,414 [root] WARNING: File at path "C:\YmekFDVOz\debugger" does not exist, skip.
2019-10-10 01:11:12,414 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name       Label      Manager  Started On           Shutdown On
target-04  target-04  ESX      2019-10-10 00:07:27  2019-10-10 00:11:47

File Details

File Name tmp1d80nbei
File Size 28672 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 4d96f10b994636e5416889ed560a03ce
SHA1 781ad7135d5887b2346ff30b2c569f0978c4659b
SHA256 ff0bd8f8dee90ba71a491f17b9fda52c918ef9d3580d562029268a99b7410e19
SHA512 29114a2d97ea3cd36a3525fd601cde57dde5b1062292767b707e93c365b0949d8d74d2877b1ab80eccb06b2a7d43f055b3be83be25fc53b6c056adc249e9431c
CRC32 4744042A
Ssdeep 384:0QN4p/KPU0c+XCMDgSC3wkVVgsOWVw84AE1L9p3ibKPZdMNAwF46/UW4:0QN4p/lWyMDg9gkos9MBl9p3lmA/t
TrID
  • 55.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73294/58/13)
  • 21.0% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 9.9% (.SCR) Windows screen saver (13101/52/3)
  • 5.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 3.4% (.EXE) Win32 Executable (generic) (4508/7/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
The PE file contains a PDB path
pdbpath: Z:\Tools\Sakabota_Tools\Utility\Micosoft_Visual_Studio_2010_Experss\PRJT\Sakabota\Diezen\Diezen\obj\x86\Release\taskhost.pdb
Creates RWX memory
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: MSCOREE.DLL/CLRCreateInstance
DynamicLoader: mscoreei.dll/CLRCreateInstance
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: KERNEL32.dll/AddVectoredExceptionHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredExceptionHandler
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/QueryThreadCycleTime
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/LoadLibrary
DynamicLoader: KERNEL32.dll/LoadLibraryW
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformation
DynamicLoader: USER32.dll/GetUserObjectInformationA
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandler
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandlerW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: USER32.dll/GetClassInfo
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProc
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/GetSysColor
DynamicLoader: USER32.dll/GetSysColorW
DynamicLoader: KERNEL32.dll/ReleaseMutex
DynamicLoader: KERNEL32.dll/CreateMutex
DynamicLoader: KERNEL32.dll/CreateMutexW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: USER32.dll/SetWindowText
DynamicLoader: USER32.dll/SetWindowTextW
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: USER32.dll/SetLayeredWindowAttributes
DynamicLoader: USER32.dll/GetLastInputInfo
DynamicLoader: KERNEL32.dll/GetStartupInfo
DynamicLoader: KERNEL32.dll/GetStartupInfoW
DynamicLoader: ws2_32.dll/WSAStartup
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetDC
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: ws2_32.dll/WSASocket
DynamicLoader: ws2_32.dll/WSASocketW
DynamicLoader: ws2_32.dll/setsockopt
DynamicLoader: ws2_32.dll/WSAEventSelect
DynamicLoader: ws2_32.dll/ioctlsocket
DynamicLoader: ws2_32.dll/closesocket
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: USER32.dll/CreateIconFromResourceEx
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetSystemMenu
DynamicLoader: USER32.dll/GetWindowPlacement
DynamicLoader: USER32.dll/EnableMenuItem
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/SetWindowPos
DynamicLoader: USER32.dll/GetWindowTextLength
DynamicLoader: USER32.dll/GetWindowTextLengthW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetWindowText
DynamicLoader: USER32.dll/GetWindowTextW
DynamicLoader: USER32.dll/RedrawWindow
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: USER32.dll/SetFocus
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: USER32.dll/GetMonitorInfo
DynamicLoader: USER32.dll/GetMonitorInfoW
DynamicLoader: GDI32.dll/CreateDC
DynamicLoader: GDI32.dll/CreateDCW
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: GDI32.dll/GetCurrentObject
DynamicLoader: GDI32.dll/SaveDC
DynamicLoader: GDI32.dll/GetNearestColor
DynamicLoader: GDI32.dll/CreateSolidBrush
DynamicLoader: USER32.dll/FillRect
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: GDI32.dll/RestoreDC
DynamicLoader: USER32.dll/PeekMessage
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/IsWindowUnicode
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/BeginPaint
DynamicLoader: ws2_32.dll/GetAddrInfoW
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: ws2_32.dll/freeaddrinfo
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipCreateHalftonePalette
DynamicLoader: GDI32.dll/SelectPalette
DynamicLoader: USER32.dll/EndPaint
DynamicLoader: USER32.dll/WaitMessage
DynamicLoader: KERNEL32.dll/FormatMessage
DynamicLoader: KERNEL32.dll/FormatMessageW
DynamicLoader: KERNEL32.dll/GetStdHandle

Summary

PE Information

Image Base 0x00400000
Entry Point 0x004086de
Reported Checksum 0x00000000
Actual Checksum 0x0000ba1f
Minimum OS Version 4.0
PDB Path Z:\Tools\Sakabota_Tools\Utility\Micosoft_Visual_Studio_2010_Experss\PRJT\Sakabota\Diezen\Diezen\obj\x86\Release\taskhost.pdb
Compile Time 2018-10-10 11:03:39
Import Hash f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00002000 0x000066e4 0x00006800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.37
.rsrc 0x0000a000 0x000003a8 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.99
.reloc 0x0000c000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.08

Imports

Library mscoree.dll:
0x402000 _CorExeMain

.text
`.rsrc
@.reloc
v4.0.30319
#Strings
#GUID
#Blob
<Module>
taskhost.exe
LASTINPUTINFO
diezen
IdleTimeFinder
StringCipher
Program
Diezen
mscorlib
System
ValueType
Object
cbSize
dwTime
GetLastInputInfo
GetLastError
IdleTime
GetLastInputTime
Encrypt
Decrypt
ALPHA_PIXEL
RED_PIXEL
GREEN_PIXEL
BLUE_PIXEL
Task_Name
Finish
First
TCP_DNS
System.Net.Sockets
TcpClient
System.Net
IPEndPoint
Chenged_Host
Feed_Only_User_Active
User_is_Active
Diezen_Sleep
Diezen_Sleep_NUM
Host_Port
New_User
uniq_ID
is_Back_Door
System.Windows.Forms
My_Form
NetworkStream
stream
trying_to_send_Picture
screenShot_number
screenShot
Reciver_File_tcp
Main_Core
readBuffer
Whoami
output
System.Diagnostics
Process
ExecuteCommand
DataReceivedEventArgs
OutputDataReceived
ERutputDataReceived
Get_File
IsFileLocked
Self_Distruct
IsDirectoryWritable
Send_File_TCP
Path_To_Upgrade
SetSCH
GetPublicIP
System.Drawing
System.Drawing.Imaging
BitmapData
bmData
Screen_shot_Availabel
taskexistance
.ctor
clearText
cipherText
Server_
Text_To_send
Sending_File
Recive_File
command
Report
sender
filename
exit_then
dirPath
throwIfFails
File_Path
delete
taskname
System.Runtime.Versioning
TargetFrameworkAttribute
System.Reflection
AssemblyTitleAttribute
AssemblyDescriptionAttribute
AssemblyConfigurationAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
AssemblyCultureAttribute
System.Runtime.InteropServices
ComVisibleAttribute
GuidAttribute
AssemblyVersionAttribute
AssemblyFileVersionAttribute
System.Resources
NeutralResourcesLanguageAttribute
System.Security.Permissions
SecurityPermissionAttribute
SecurityAction
DebuggableAttribute
DebuggingModes
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
taskhost
StructLayoutAttribute
LayoutKind
DllImportAttribute
User32.dll
Kernel32.dll
Marshal
SizeOf
Environment
get_TickCount
UInt32
ToString
Exception
System.Net.NetworkInformation
IPGlobalProperties
GetIPGlobalProperties
get_DomainName
String
Concat
get_MachineName
get_UserName
op_Inequality
Console
WriteLine
STAThreadAttribute
<Main>b__6
System.Threading
ThreadStart
CS$<>9__CachedAnonymousMethodDelegate7
CompilerGeneratedAttribute
Application
EnableVisualStyles
SetCompatibleTextRenderingDefault
Control
set_Text
FormBorderStyle
set_FormBorderStyle
Color
get_Orange
set_TransparencyKey
set_BackColor
set_ShowInTaskbar
Thread
ApartmentState
set_ApartmentState
Start
Mutex
Split
op_Equality
Assembly
GetExecutingAssembly
get_Location
IPAddress
TryParse
IPHostEntry
GetHostEntry
get_AddressList
Convert
ToInt32
Socket
get_Client
set_ReceiveTimeout
set_SendTimeout
set_ExclusiveAddressUse
Connect
get_Connected
SocketShutdown
Shutdown
Disconnect
Close
Contains
IndexOf
Remove
get_Chars
Write
ProcessStartInfo
set_Arguments
ProcessWindowStyle
set_WindowStyle
set_CreateNoWindow
set_FileName
Sleep
ToSingle
System.IO
GetFileName
Boolean
SpecialFolder
GetFolderPath
Directory
GetCurrentDirectory
GetFileNameWithoutExtension
Substring
GetEntryAssembly
AssemblyName
GetName
Version
get_Version
Format
get_Message
set_Blocking
GetStream
System.Text
Encoding
get_ASCII
GetBytes
Stream
MemoryStream
Screen
get_PrimaryScreen
Rectangle
get_Bounds
get_Width
get_Height
Bitmap
Graphics
Image
FromImage
get_Size
CopyFromScreen
ImageFormat
get_Png
ToArray
Int32
GetBuffer
Flush
IDisposable
Dispose
get_ReceiveBufferSize
GetString
FileStream
FileMode
FileAccess
FileInfo
get_Length
set_RedirectStandardOutput
set_RedirectStandardError
set_UseShellExecute
set_StartInfo
set_EnableRaisingEvents
DataReceivedEventHandler
add_ErrorDataReceived
add_OutputDataReceived
BeginErrorReadLine
BeginOutputReadLine
WaitForExit
get_Data
get_NewLine
ToBase64String
ReadAllBytes
StringBuilder
Append
FileShare
IOException
GetRandomFileName
Combine
FileOptions
Create
WebRequest
WebResponse
GetResponse
GetResponseStream
StreamReader
TextReader
ReadToEnd
PixelFormat
get_PixelFormat
ImageLockMode
LockBits
get_Stride
get_Scan0
IntPtr
op_Explicit
UnlockBits
get_StandardOutput
.cctor
System.Security
UnverifiableCodeAttribute
SystemInfo
Host Porcess For Windows Task
Microsoft
System Information
2020
$74f58a95-3b09-4a71-97e0-fb0a4adf68b8
0.6.0.0
Z:\Tools\Sakabota_Tools\Utility\Micosoft_Visual_Studio_2010_Experss\PRJT\Sakabota\Diezen\Diezen\obj\x86\Release\taskhost.pdb
_CorExeMain
mscoree.dll
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
Host Porcess For Windows Task
CompanyName
Microsoft
FileDescription
SystemInfo
FileVersion
0.6.0.0
InternalName
taskhost.exe
LegalCopyright
2020
OriginalFilename
taskhost.exe
ProductName
System Information
ProductVersion
0.6.0.0
Assembly Version
0.6.0.0
This file is not on VirusTotal.
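
The .NET metadata strings and version resource above already describe most of what the sample does. The following Python script is an added example, not part of the CAPE report or of the sample: it maps those identifiers to capability labels and checks the version-info claims against the file's own provenance (unsigned, compile timestamp 2018-10-10). The STRINGS, VERSION_INFO, COMPILE_TIME and IS_SIGNED values are copied from this report; the capability map, the hit thresholds and the list of Windows binary names are the script's own assumptions.

```python
"""
Capability triage over the .NET metadata strings and version info shown
in this report.  Added example: the STRINGS/VERSION_INFO values are copied
from the report; the capability map and thresholds are assumptions of this
script, not CAPE signatures.
"""
import re

# Identifier strings copied from the report's strings section (subset).
STRINGS = """
LASTINPUTINFO GetLastInputInfo IdleTime GetLastInputTime
StringCipher Encrypt Decrypt
TCP_DNS TcpClient NetworkStream Host_Port Chenged_Host is_Back_Door
Feed_Only_User_Active User_is_Active
trying_to_send_Picture screenShot CopyFromScreen get_Png
Whoami ExecuteCommand set_RedirectStandardOutput set_CreateNoWindow
Self_Distruct SetSCH Send_File_TCP Recive_File Path_To_Upgrade
GetPublicIP WebRequest get_MachineName get_UserName get_DomainName
ToBase64String
""".split()

# Version resource fields and static facts copied from the report.
VERSION_INFO = {
    "CompanyName": "Microsoft",
    "OriginalFilename": "taskhost.exe",
    "LegalCopyright": "2020",
    "FileDescription": "SystemInfo",
}
COMPILE_TIME = "2018-10-10 11:03:39"
IS_SIGNED = False  # DigiSig module: "File is not signed."

# Capability -> (minimum hits, identifiers that imply it).  Requiring more
# than one hit keeps a lone common API (e.g. WebRequest) from triggering
# a label by itself.  Assumed mapping, not a CAPE signature.
CAPABILITIES = {
    "user idle-time check": (2, {"LASTINPUTINFO", "GetLastInputInfo", "IdleTime",
                                 "GetLastInputTime", "User_is_Active", "Feed_Only_User_Active"}),
    "screen capture": (2, {"CopyFromScreen", "get_Png", "screenShot", "trying_to_send_Picture"}),
    "remote command execution": (2, {"ExecuteCommand", "set_RedirectStandardOutput",
                                     "set_CreateNoWindow", "Whoami"}),
    "tcp c2 channel": (2, {"TcpClient", "NetworkStream", "Host_Port", "TCP_DNS", "Chenged_Host"}),
    "file upload/download": (2, {"Send_File_TCP", "Recive_File", "Path_To_Upgrade"}),
    "host fingerprinting": (2, {"get_MachineName", "get_UserName", "get_DomainName", "GetPublicIP"}),
    "string encryption": (2, {"StringCipher", "Encrypt", "Decrypt"}),
    "self-removal": (1, {"Self_Distruct"}),
    "scheduled-task persistence (SetSCH, name only)": (1, {"SetSCH"}),
}

# Names of genuine Windows system binaries that malware commonly borrows (assumed list).
WINDOWS_BINARY_NAMES = {"taskhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                        "explorer.exe", "dllhost.exe", "conhost.exe"}


def triage(strings):
    """Return {capability: sorted matching identifiers} for labels that reach their threshold."""
    present = set(strings)
    found = {}
    for label, (need, idents) in CAPABILITIES.items():
        hits = sorted(present & idents)
        if len(hits) >= need:
            found[label] = hits
    return found


def masquerade_indicators(version_info, signed, compile_time):
    """Flag version-info claims that conflict with the file's own provenance."""
    flags = []
    company = version_info.get("CompanyName", "")
    if "microsoft" in company.lower() and not signed:
        flags.append("CompanyName claims Microsoft but the file carries no Authenticode signature")
    original = version_info.get("OriginalFilename", "").lower()
    if original in WINDOWS_BINARY_NAMES:
        flags.append(f"OriginalFilename {original} is a Windows system binary name")
    year = re.search(r"\b(\d{4})\b", version_info.get("LegalCopyright", ""))
    compile_year = int(compile_time[:4])
    if year and int(year.group(1)) > compile_year:
        flags.append(f"LegalCopyright year {year.group(1)} postdates the compile timestamp "
                     f"{compile_time[:10]} (metadata is internally inconsistent)")
    return flags


if __name__ == "__main__":
    for label, hits in triage(STRINGS).items():
        print(f"{label:45s} <- {', '.join(hits)}")
    for flag in masquerade_indicators(VERSION_INFO, IS_SIGNED, COMPILE_TIME):
        print("masquerade:", flag)
```

On this sample the script labels all nine capabilities and raises three masquerade flags. The thresholds matter: a single API such as WebRequest or Encrypt appears in plenty of legitimate .NET code, so a label is only emitted when several identifiers that belong to the same routine are present together.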

Process Tree


tmp1d80nbei.exe, PID: 1044, Parent PID: 1252
Full Path: C:\Users\user\AppData\Local\Temp\tmp1d80nbei.exe
Command Line: "C:\Users\user\AppData\Local\Temp\tmp1d80nbei.exe"

Hosts

Direct  IP       Country Name
Y       8.8.8.8  United States

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.35.24 50728 8.8.8.8 53
192.168.35.24 51506 8.8.8.8 53
192.168.35.24 51591 8.8.8.8 53
192.168.35.24 52929 8.8.8.8 53
192.168.35.24 54600 8.8.8.8 53
192.168.35.24 57959 8.8.8.8 53
192.168.35.24 58799 8.8.8.8 53
192.168.35.24 58844 8.8.8.8 53
192.168.35.24 61677 8.8.8.8 53
192.168.35.24 64144 8.8.8.8 53
192.168.35.24 64540 8.8.8.8 53
192.168.35.24 64894 8.8.8.8 53
192.168.35.24 64985 8.8.8.8 53

DNS

Name         Response  Post-Analysis Lookup
pasta58.com  (none)    (none)
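
The UDP table shows thirteen queries to the resolver 8.8.8.8, the DNS table shows a single name with no response, and no TCP connection was recorded. The following Python script is an added example, not part of the CAPE report: it correlates those three tables to decide how far the sample got toward its command-and-control host. The UDP, DNS and TCP rows are copied from this report; the query threshold and the wording of the assessment are the script's own.

```python
"""
Correlating the UDP, DNS and TCP tables of this report's network section.
Added example: the rows below are copied from the report; the threshold
and the assessment text are this script's own.
"""
from collections import Counter

# UDP rows copied from the report: source, source port, destination, destination port.
UDP_ROWS = """\
192.168.35.24 50728 8.8.8.8 53
192.168.35.24 51506 8.8.8.8 53
192.168.35.24 51591 8.8.8.8 53
192.168.35.24 52929 8.8.8.8 53
192.168.35.24 54600 8.8.8.8 53
192.168.35.24 57959 8.8.8.8 53
192.168.35.24 58799 8.8.8.8 53
192.168.35.24 58844 8.8.8.8 53
192.168.35.24 61677 8.8.8.8 53
192.168.35.24 64144 8.8.8.8 53
192.168.35.24 64540 8.8.8.8 53
192.168.35.24 64894 8.8.8.8 53
192.168.35.24 64985 8.8.8.8 53
"""

# DNS table as (name, response); the report's Response cell for pasta58.com is empty.
DNS_ROWS = [("pasta58.com", "")]

# Report states "No TCP connections recorded."
TCP_ROWS = []


def parse_udp(text):
    """Parse 'src sport dst dport' rows into tuples with integer ports."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport = line.split()
        flows.append((src, int(sport), dst, int(dport)))
    return flows


def c2_resolution_summary(udp_flows, dns_rows, tcp_flows, min_queries=5):
    """Decide whether the sample got as far as contacting its C2 host."""
    dns_flows = [f for f in udp_flows if f[3] == 53]
    summary = {
        "dns_queries": len(dns_flows),
        "resolvers": dict(Counter(f[2] for f in dns_flows)),
        # one ephemeral source port per query: separate lookups, not one socket retransmitting
        "distinct_source_ports": len({f[1] for f in dns_flows}),
        "unresolved_names": [name for name, resp in dns_rows if not resp],
        "resolved_names": [name for name, resp in dns_rows if resp],
        "tcp_connections": len(tcp_flows),
    }
    if summary["unresolved_names"] and summary["dns_queries"] >= min_queries and not tcp_flows:
        summary["assessment"] = (
            "c2 hostname never resolved; the sample kept re-querying the only name it knows "
            "and no transport connection followed (re-run behind a fake DNS/TCP responder "
            "to exercise the C2 protocol)")
    elif tcp_flows:
        summary["assessment"] = (
            "transport connection observed; inspect the TCP payloads for the C2 protocol")
    else:
        summary["assessment"] = "insufficient network activity to judge"
    return summary


if __name__ == "__main__":
    result = c2_resolution_summary(parse_udp(UDP_ROWS), DNS_ROWS, TCP_ROWS)
    for key, value in result.items():
        print(f"{key:22s} {value}")
```

For this report the script counts 13 queries from 13 distinct source ports, all to 8.8.8.8, with pasta58.com unresolved and zero TCP connections. That explains why the behavioural signatures are thin (no screenshots sent, no commands received): the backdoor never got past name resolution inside the sandbox, so the Winsock and screenshot code paths visible in the strings were never exercised.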

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

No dropped Suricata extracted files.

JA3

No JA3 hashes found.

No dropped files.
No CAPE files.
No process dumps.

Processing ( 0.551 seconds )

  • 0.144 BehaviorAnalysis
  • 0.103 TrID
  • 0.086 Static
  • 0.062 static_dotnet
  • 0.042 Deduplicate
  • 0.035 CAPE
  • 0.035 TargetInfo
  • 0.032 NetworkAnalysis
  • 0.007 AnalysisInfo
  • 0.004 Strings
  • 0.001 Debug

Signatures ( 0.136 seconds )

  • 0.014 antiav_detectreg
  • 0.011 ransomware_files
  • 0.007 stealth_timeout
  • 0.007 antiav_detectfile
  • 0.007 infostealer_ftp
  • 0.005 NewtWire Behavior
  • 0.005 api_spamming
  • 0.005 decoy_document
  • 0.005 infostealer_bitcoin
  • 0.004 antidbg_windows
  • 0.004 infostealer_im
  • 0.003 antianalysis_detectreg
  • 0.003 antivm_vbox_files
  • 0.003 infostealer_mail
  • 0.003 ransomware_extensions
  • 0.002 malicious_dynamic_function_loading
  • 0.002 Doppelganging
  • 0.002 antiemu_wine_func
  • 0.002 dynamic_function_loading
  • 0.002 persistence_autorun
  • 0.002 antianalysis_detectfile
  • 0.002 browser_security
  • 0.001 tinba_behavior
  • 0.001 hawkeye_behavior
  • 0.001 InjectionInterProcess
  • 0.001 bootkit
  • 0.001 antidebug_guardpages
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 exploit_heapspray
  • 0.001 injection_runpe
  • 0.001 exploit_getbasekerneladdress
  • 0.001 stealth_file
  • 0.001 injection_createremotethread
  • 0.001 antivm_generic_services
  • 0.001 betabot_behavior
  • 0.001 mimics_filetime
  • 0.001 exploit_gethaldispatchtable
  • 0.001 InjectionCreateRemoteThread
  • 0.001 InjectionProcessHollowing
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 Extraction
  • 0.001 reads_self
  • 0.001 antivm_generic_disk
  • 0.001 infostealer_browser_password
  • 0.001 cerber_behavior
  • 0.001 virus
  • 0.001 kovter_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 rat_pcclient
  • 0.001 recon_fingerprint

Reporting ( 0.002 seconds )

  • 0.002 CompressResults
Task ID 94391
Mongo ID 5d9e7747c3c009112d67b3ee
Cuckoo release 1.3-CAPE