Analysis

Category FILE
Package generic
Started 2019-10-10 00:11:50
Completed 2019-10-10 00:16:07
Duration 257 seconds
2019-10-10 01:11:51,015 [root] INFO: Date set to: 10-10-19, time set to: 00:11:51, timeout set to: 200
2019-10-10 01:11:51,108 [root] DEBUG: Starting analyzer from: C:\tuiqhfewe
2019-10-10 01:11:51,108 [root] DEBUG: Storing results at: C:\QxvvpRb
2019-10-10 01:11:51,108 [root] DEBUG: Pipe server name: \\.\PIPE\wSnEUpAywm
2019-10-10 01:11:51,108 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-10 01:11:51,108 [root] INFO: Automatically selected analysis package "generic"
2019-10-10 01:11:54,384 [root] DEBUG: Started auxiliary module Browser
2019-10-10 01:11:54,384 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 01:11:54,384 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 01:11:57,552 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-10-10 01:11:57,552 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 01:11:57,552 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 01:11:57,552 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 01:11:57,552 [root] DEBUG: Started auxiliary module Human
2019-10-10 01:11:57,566 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 01:11:57,566 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 01:11:57,566 [root] DEBUG: Started auxiliary module Usage
2019-10-10 01:11:57,566 [root] INFO: Analyzer: Package modules.packages.generic does not specify a DLL option
2019-10-10 01:11:57,566 [root] INFO: Analyzer: Package modules.packages.generic does not specify a DLL_64 option
2019-10-10 01:11:57,566 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\user\AppData\Local\Temp\tmp8nvc_gmr"" with pid 1912
2019-10-10 01:11:57,566 [lib.api.process] INFO: 32-bit DLL to inject is C:\tuiqhfewe\dll\dPnoEI.dll, loader C:\tuiqhfewe\bin\dvxAWFb.exe
2019-10-10 01:11:57,582 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wSnEUpAywm.
2019-10-10 01:11:57,582 [root] DEBUG: Loader: Injecting process 1912 (thread 1580) with C:\tuiqhfewe\dll\dPnoEI.dll.
2019-10-10 01:11:57,582 [root] DEBUG: Process image base: 0x4A6D0000
2019-10-10 01:11:57,582 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tuiqhfewe\dll\dPnoEI.dll.
2019-10-10 01:11:57,582 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x4A71C000 - 0x77A00000
2019-10-10 01:11:57,582 [root] DEBUG: InjectDllViaIAT: Allocated 0x1a0 bytes for new import table at 0x4A720000.
2019-10-10 01:11:57,582 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:11:57,582 [root] DEBUG: Successfully injected DLL C:\tuiqhfewe\dll\dPnoEI.dll.
2019-10-10 01:11:57,582 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1912
2019-10-10 01:11:59,595 [lib.api.process] INFO: Successfully resumed process with pid 1912
2019-10-10 01:11:59,595 [root] INFO: Added new process to list with pid: 1912
2019-10-10 01:11:59,703 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:11:59,859 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:11:59,859 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:59,859 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:59,859 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:59,859 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:59,875 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1912 at 0x74ec0000, image base 0x4a6d0000, stack from 0xf3000-0x1f0000
2019-10-10 01:11:59,875 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\cmd.exe" \c start \wait "" "C:\Users\user\AppData\Local\Temp\tmp8nvc_gmr".
2019-10-10 01:11:59,875 [root] INFO: Monitor successfully loaded in process with pid 1912.
2019-10-10 01:11:59,907 [root] DEBUG: DLL loaded at 0x759C0000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-10-10 01:11:59,923 [root] DEBUG: DLL loaded at 0x74D10000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-10 01:11:59,984 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\SysWOW64\PROPSYS (0xf5000 bytes).
2019-10-10 01:11:59,984 [root] DEBUG: DLL loaded at 0x76BF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 01:11:59,984 [root] DEBUG: DLL loaded at 0x77090000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 01:12:00,141 [root] DEBUG: DLL loaded at 0x74F90000: C:\Windows\SysWOW64\ntmarta (0x21000 bytes).
2019-10-10 01:12:00,141 [root] DEBUG: DLL loaded at 0x75970000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 01:12:00,187 [root] DEBUG: DLL loaded at 0x74C00000: C:\Windows\SysWOW64\profapi (0xb000 bytes).
2019-10-10 01:12:00,312 [root] DEBUG: DLL loaded at 0x768D0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 01:12:00,312 [root] DEBUG: DLL loaded at 0x75940000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 01:12:00,312 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 01:12:00,328 [root] DEBUG: DLL unloaded from 0x759C0000.
2019-10-10 01:12:00,437 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\SysWOW64\apphelp (0x4c000 bytes).
2019-10-10 01:12:00,890 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2019-10-10 01:12:01,249 [root] DEBUG: DLL unloaded from 0x766D0000.
2019-10-10 01:12:01,483 [root] INFO: Announced starting service "AppMgmt"
2019-10-10 01:12:01,483 [root] INFO: Attaching to Service Control Manager (services.exe - pid 464)
2019-10-10 01:12:01,561 [lib.api.process] INFO: 64-bit DLL to inject is C:\tuiqhfewe\dll\uQwLozy.dll, loader C:\tuiqhfewe\bin\anNcqGIT.exe
2019-10-10 01:12:01,592 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wSnEUpAywm.
2019-10-10 01:12:01,608 [root] DEBUG: Loader: Injecting process 464 (thread 0) with C:\tuiqhfewe\dll\uQwLozy.dll.
2019-10-10 01:12:01,608 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 528, handle 0x84
2019-10-10 01:12:01,608 [root] DEBUG: Process image base: 0x00000000FF330000
2019-10-10 01:12:01,608 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-10 01:12:01,608 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-10 01:12:01,654 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:12:01,654 [root] INFO: Disabling sleep skipping.
2019-10-10 01:12:01,779 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:12:01,795 [root] WARNING: Unable to hook LockResource
2019-10-10 01:12:01,872 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 464 at 0x0000000074AF0000, image base 0x00000000FF330000, stack from 0x0000000002D06000-0x0000000002D10000
2019-10-10 01:12:01,872 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-10-10 01:12:01,872 [root] INFO: Added new process to list with pid: 464
2019-10-10 01:12:01,872 [root] INFO: Monitor successfully loaded in process with pid 464.
2019-10-10 01:12:01,872 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 01:12:01,888 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 01:12:01,888 [root] DEBUG: Successfully injected DLL C:\tuiqhfewe\dll\uQwLozy.dll.
2019-10-10 01:12:02,917 [root] INFO: Announced 64-bit process name: svchost.exe pid: 1320
2019-10-10 01:12:02,917 [lib.api.process] INFO: 64-bit DLL to inject is C:\tuiqhfewe\dll\uQwLozy.dll, loader C:\tuiqhfewe\bin\anNcqGIT.exe
2019-10-10 01:12:02,917 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wSnEUpAywm.
2019-10-10 01:12:02,917 [root] DEBUG: Loader: Injecting process 1320 (thread 932) with C:\tuiqhfewe\dll\uQwLozy.dll.
2019-10-10 01:12:02,917 [root] DEBUG: Process image base: 0x00000000FF680000
2019-10-10 01:12:02,917 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tuiqhfewe\dll\uQwLozy.dll.
2019-10-10 01:12:02,917 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF68B000 - 0x000007FEFFD20000
2019-10-10 01:12:02,917 [root] DEBUG: InjectDllViaIAT: Allocated 0x210 bytes for new import table at 0x00000000FF690000.
2019-10-10 01:12:02,917 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:12:02,917 [root] DEBUG: Successfully injected DLL C:\tuiqhfewe\dll\uQwLozy.dll.
2019-10-10 01:12:02,917 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1320
2019-10-10 01:12:02,917 [root] INFO: Announced 64-bit process name: svchost.exe pid: 1320
2019-10-10 01:12:02,917 [lib.api.process] INFO: 64-bit DLL to inject is C:\tuiqhfewe\dll\uQwLozy.dll, loader C:\tuiqhfewe\bin\anNcqGIT.exe
2019-10-10 01:12:02,934 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wSnEUpAywm.
2019-10-10 01:12:02,934 [root] DEBUG: Loader: Injecting process 1320 (thread 932) with C:\tuiqhfewe\dll\uQwLozy.dll.
2019-10-10 01:12:02,934 [root] DEBUG: Process image base: 0x00000000FF680000
2019-10-10 01:12:02,934 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tuiqhfewe\dll\uQwLozy.dll.
2019-10-10 01:12:02,934 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:12:02,934 [root] DEBUG: Successfully injected DLL C:\tuiqhfewe\dll\uQwLozy.dll.
2019-10-10 01:12:02,934 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1320
2019-10-10 01:12:02,934 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:12:02,934 [root] INFO: Disabling sleep skipping.
2019-10-10 01:12:02,948 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:12:02,948 [root] WARNING: Unable to hook LockResource
2019-10-10 01:12:02,964 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:12:02,964 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1320 at 0x0000000074AF0000, image base 0x00000000FF680000, stack from 0x0000000000225000-0x0000000000230000
2019-10-10 01:12:02,964 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-10-10 01:12:02,964 [root] INFO: Added new process to list with pid: 1320
2019-10-10 01:12:02,964 [root] INFO: Monitor successfully loaded in process with pid 1320.
2019-10-10 01:12:03,026 [root] DEBUG: DLL loaded at 0x000007FEFD840000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-10 01:12:03,105 [root] DEBUG: DLL loaded at 0x000007FEFE380000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-10-10 01:12:03,105 [root] DEBUG: DLL loaded at 0x000007FEFFC30000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-10-10 01:12:03,213 [root] DEBUG: DLL loaded at 0x000007FEFB1C0000: c:\windows\system32\appmgmts (0x34000 bytes).
2019-10-10 01:12:03,292 [root] DEBUG: DLL loaded at 0x000007FEFCCA0000: c:\windows\system32\USERENV (0x1e000 bytes).
2019-10-10 01:12:03,292 [root] DEBUG: DLL loaded at 0x000007FEFD910000: c:\windows\system32\profapi (0xf000 bytes).
2019-10-10 01:12:03,308 [root] DEBUG: DLL loaded at 0x000007FEF9D20000: c:\windows\system32\adsldpc (0x3d000 bytes).
2019-10-10 01:12:03,308 [root] DEBUG: DLL loaded at 0x000007FEFE880000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-10-10 01:12:03,447 [root] DEBUG: DLL loaded at 0x000007FEFD8F0000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-10-10 01:12:03,526 [root] DEBUG: DLL unloaded from 0x759C0000.
2019-10-10 01:12:03,635 [root] DEBUG: DLL loaded at 0x77610000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-10-10 01:12:03,931 [root] DEBUG: DLL loaded at 0x77120000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-10-10 01:12:04,026 [root] DEBUG: DLL loaded at 0x772A0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 01:12:04,072 [root] DEBUG: DLL loaded at 0x75820000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-10-10 01:12:04,072 [root] DEBUG: DLL loaded at 0x76C80000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-10-10 01:12:04,664 [root] INFO: Announced 32-bit process name: rundll32.exe pid: 996
2019-10-10 01:12:04,664 [lib.api.process] INFO: 32-bit DLL to inject is C:\tuiqhfewe\dll\dPnoEI.dll, loader C:\tuiqhfewe\bin\dvxAWFb.exe
2019-10-10 01:12:04,680 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wSnEUpAywm.
2019-10-10 01:12:04,680 [root] DEBUG: Loader: Injecting process 996 (thread 812) with C:\tuiqhfewe\dll\dPnoEI.dll.
2019-10-10 01:12:04,680 [root] DEBUG: Process image base: 0x00990000
2019-10-10 01:12:04,680 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tuiqhfewe\dll\dPnoEI.dll.
2019-10-10 01:12:04,680 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0099E000 - 0x77A00000
2019-10-10 01:12:04,680 [root] DEBUG: InjectDllViaIAT: Allocated 0x1b4 bytes for new import table at 0x009A0000.
2019-10-10 01:12:04,680 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:12:04,680 [root] DEBUG: Successfully injected DLL C:\tuiqhfewe\dll\dPnoEI.dll.
2019-10-10 01:12:04,696 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 996
2019-10-10 01:12:04,743 [root] INFO: Announced 32-bit process name: rundll32.exe pid: 996
2019-10-10 01:12:04,743 [lib.api.process] INFO: 32-bit DLL to inject is C:\tuiqhfewe\dll\dPnoEI.dll, loader C:\tuiqhfewe\bin\dvxAWFb.exe
2019-10-10 01:12:04,743 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wSnEUpAywm.
2019-10-10 01:12:04,743 [root] DEBUG: Loader: Injecting process 996 (thread 812) with C:\tuiqhfewe\dll\dPnoEI.dll.
2019-10-10 01:12:04,743 [root] DEBUG: Process image base: 0x00990000
2019-10-10 01:12:04,743 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tuiqhfewe\dll\dPnoEI.dll.
2019-10-10 01:12:04,743 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:12:04,743 [root] DEBUG: Successfully injected DLL C:\tuiqhfewe\dll\dPnoEI.dll.
2019-10-10 01:12:04,759 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 996
2019-10-10 01:12:04,805 [root] DEBUG: DLL loaded at 0x74AE0000: C:\Windows\system32\sfc (0x3000 bytes).
2019-10-10 01:12:04,884 [root] DEBUG: DLL loaded at 0x74AD0000: C:\Windows\system32\sfc_os (0xd000 bytes).
2019-10-10 01:12:04,961 [root] DEBUG: DLL unloaded from 0x74AE0000.
2019-10-10 01:12:04,976 [root] DEBUG: DLL unloaded from 0x77610000.
2019-10-10 01:12:04,993 [root] DEBUG: DLL unloaded from 0x759C0000.
2019-10-10 01:12:04,993 [root] DEBUG: DLL unloaded from 0x74BD0000.
2019-10-10 01:12:04,993 [root] DEBUG: DLL unloaded from 0x74C10000.
2019-10-10 01:12:04,993 [root] DEBUG: DLL unloaded from 0x759C0000.
2019-10-10 01:12:05,398 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:12:05,414 [root] INFO: Disabling sleep skipping.
2019-10-10 01:12:05,414 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:12:05,414 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 996 at 0x74ec0000, image base 0x990000, stack from 0x254000-0x260000
2019-10-10 01:12:05,414 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\user\AppData\Local\Temp\tmp8nvc_gmr.
2019-10-10 01:12:05,414 [root] INFO: Added new process to list with pid: 996
2019-10-10 01:12:05,414 [root] INFO: Monitor successfully loaded in process with pid 996.
2019-10-10 01:12:05,507 [root] DEBUG: DLL loaded at 0x74D10000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-10 01:12:05,569 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\SysWOW64\UxTheme (0x80000 bytes).
2019-10-10 01:12:05,742 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\SysWOW64\PROPSYS (0xf5000 bytes).
2019-10-10 01:12:05,773 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\SysWOW64\WindowsCodecs (0xfb000 bytes).
2019-10-10 01:12:07,769 [root] DEBUG: DLL loaded at 0x77090000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 01:12:07,769 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\system32\EhStorShell (0x31000 bytes).
2019-10-10 01:12:07,769 [root] DEBUG: DLL loaded at 0x768D0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 01:12:07,769 [root] DEBUG: DLL loaded at 0x75940000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 01:12:07,785 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 01:12:10,250 [root] DEBUG: DLL loaded at 0x747A0000: C:\Windows\system32\ntshrui (0x70000 bytes).
2019-10-10 01:12:10,250 [root] DEBUG: DLL loaded at 0x74780000: C:\Windows\SysWOW64\srvcli (0x19000 bytes).
2019-10-10 01:12:10,328 [root] DEBUG: DLL loaded at 0x74770000: C:\Windows\SysWOW64\cscapi (0xb000 bytes).
2019-10-10 01:12:10,390 [root] DEBUG: DLL loaded at 0x74760000: C:\Windows\SysWOW64\slc (0xa000 bytes).
2019-10-10 01:12:10,671 [root] DEBUG: DLL loaded at 0x74F90000: C:\Windows\SysWOW64\ntmarta (0x21000 bytes).
2019-10-10 01:12:10,671 [root] DEBUG: DLL loaded at 0x75970000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 01:12:10,671 [root] DEBUG: DLL unloaded from 0x759C0000.
2019-10-10 01:12:11,841 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:13,868 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:15,960 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:18,049 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:20,140 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:28,611 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:30,701 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:39,530 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:46,441 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:51,028 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:53,118 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:55,147 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:57,236 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:12:59,265 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:01,355 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:03,446 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:05,473 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:07,563 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:09,654 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:11,683 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:13,726 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:15,769 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:17,891 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:19,982 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:22,072 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:24,163 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:26,394 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:28,421 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:30,450 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:32,539 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:34,630 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:36,720 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:38,749 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:40,776 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:42,867 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:44,957 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:47,048 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:49,138 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:51,229 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:53,319 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:55,440 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:57,530 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:13:59,684 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:01,775 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:03,865 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:05,954 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:08,046 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:10,088 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:12,257 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:14,348 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:16,438 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:18,545 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:20,634 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:22,663 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:24,769 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:26,858 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:28,887 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:30,977 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:33,006 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:35,033 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:37,124 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:39,214 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:41,305 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:43,394 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:45,500 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:47,607 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:49,697 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:51,788 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:53,878 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:55,907 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:14:57,996 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:00,086 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:02,177 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:04,267 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:06,296 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:08,387 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:10,476 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:12,566 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:14,595 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:16,622 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:18,713 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:20,803 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:22,894 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:24,984 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:26,046 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-10 01:15:26,046 [root] INFO: Created shutdown mutex.
2019-10-10 01:15:27,059 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1912
2019-10-10 01:15:27,059 [root] INFO: Terminate event set for process 1912.
2019-10-10 01:15:27,059 [root] INFO: Terminating process 1912 before shutdown.
2019-10-10 01:15:27,059 [root] INFO: Waiting for process 1912 to exit.
2019-10-10 01:15:27,059 [root] DEBUG: Terminate Event: Skipping dump of process 1912
2019-10-10 01:15:27,059 [root] DEBUG: Terminate Event: Shutdown complete for process 1912 but failed to inform analyzer.
2019-10-10 01:15:27,746 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it
2019-10-10 01:15:28,105 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1320
2019-10-10 01:15:28,105 [root] DEBUG: Terminate Event: Skipping dump of process 1320
2019-10-10 01:15:28,105 [root] INFO: Terminate event set for process 1320.
2019-10-10 01:15:28,105 [root] INFO: Terminating process 1320 before shutdown.
2019-10-10 01:15:28,105 [root] DEBUG: Terminate Event: Shutdown complete for process 1320 but failed to inform analyzer.
2019-10-10 01:15:28,105 [root] INFO: Waiting for process 1320 to exit.
2019-10-10 01:15:29,118 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 996
2019-10-10 01:15:29,118 [root] INFO: Terminate event set for process 996.
2019-10-10 01:15:29,118 [root] INFO: Terminating process 996 before shutdown.
2019-10-10 01:15:29,118 [root] INFO: Waiting for process 996 to exit.
2019-10-10 01:15:29,773 [root] DEBUG: Terminate Event: Skipping dump of process 996
2019-10-10 01:15:29,773 [root] DEBUG: Terminate Event: Shutdown complete for process 996 but failed to inform analyzer.
2019-10-10 01:15:29,773 [root] DEBUG: DLL loaded at 0x750E0000: C:\Windows\SysWOW64\netutils (0x9000 bytes).
2019-10-10 01:15:30,132 [root] INFO: Shutting down package.
2019-10-10 01:15:30,132 [root] INFO: Stopping auxiliary modules.
2019-10-10 01:15:30,132 [root] INFO: Finishing auxiliary modules.
2019-10-10 01:15:30,132 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-10 01:15:30,132 [root] WARNING: File at path "C:\QxvvpRb\debugger" does not exist, skip.
2019-10-10 01:15:30,132 [root] INFO: Analysis completed.

MalScore

4.5

Suspicious

Machine

Name target-04
Label target-04
Manager ESX
Started On 2019-10-10 00:11:50
Shutdown On 2019-10-10 00:16:04

File Details

File Name tmp8nvc_gmr
File Size 12800 bytes
File Type Composite Document File V2 Document, No summary info
MD5 0fbe65f904cf05822f9b2f95c301bfc0
SHA1 c207bbdda6967b1b7b237a5c8c8ead9a917428f4
SHA256 e41a766a05ec9ec095030dbf0da7f1439acc50124dbc6f69dd227e51aaf6791f
SHA512 04484c2f3bd016045f5fd67dc7544945f877a1d45966209f979b52fa1a3d52ed5acd251060337a9b09a031423fd4f44e90675cecee845eb6f926177823b081df
CRC32 109259BF
Ssdeep 192:mtSvWUnJVuejzGgudpZ0jOGtakutqJk1UaKt+n:mtk/nJYejr6Z0juLKWwt+n
TrID
  • 100.0% (.) Generic OLE2 / Multistream Compound File (8000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: SHELL32.dll/ShellExecuteExW
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: PROPSYS.dll/PSCreateMemoryPropertyStore
DynamicLoader: PROPSYS.dll/PSPropertyBag_WriteDWORD
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadDWORD
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadBSTR
DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadStrAlloc
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: PROPSYS.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: PROPSYS.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: ole32.dll/CoAllowSetForegroundWindow
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/InstallApplication
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/SaferGetPolicyInformation
DynamicLoader: sfc.dll/SfcIsFileProtected
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/OleUninitialize
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: KERNELBASE.dll/SetThreadStackGuarantee
DynamicLoader: KERNELBASE.dll/SetThreadStackGuarantee
DynamicLoader: KERNELBASE.dll/SetThreadStackGuarantee
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: appmgmts.dll/ServiceMain
DynamicLoader: appmgmts.dll/SvchostPushServiceGlobals
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: SHELL32.dll/OpenAs_RunDLLW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/InitCommonControlsEx
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: SHELL32.dll/
DynamicLoader: PROPSYS.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: comctl32.dll/ImageList_CoCreateInstance
DynamicLoader: WindowsCodecs.dll/WICCreateImagingFactory_Proxy
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: comctl32.dll/
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: PROPSYS.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: PROPSYS.dll/PSCreateDelayedMultiplexPropertyStore
DynamicLoader: PROPSYS.dll/PSCreatePropertyStoreFromObject
DynamicLoader: SHELL32.dll/
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeExW
DynamicLoader: VERSION.dll/GetFileVersionInfoExW
DynamicLoader: PROPSYS.dll/
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: PROPSYS.dll/PSCoerceToCanonicalValue
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/PropVariantToVariant
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: PROPSYS.dll/VariantToString
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoCreateInstance
Harvests information related to installed mail clients
key: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\Hidden
key: HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook\Capabilities
key: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\FileAssociations

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

No static analysis available.

Strings

Define our malicious execution8
GruntStager.exe
http://192.168.10.7:8000'
TEMP$
Microsoft.XMLHTTP
on dow
ADODB.Stream$
Schedule.Service$
Get the root folder
Create a new task definition
Perform basic T1036 masquerading
Microsoft Update Service
Microsoft Corporation
Have the task run as the compromised user
Define a trigger for our service
LogonTriggerId
USERDOMAIN$
USERNAME$
PT1M
Delay service execution
Get settings
T1158: Hidden Files and Directories (and now services)
Prevent our service from timing-out
PT0S
Avoid duplicate services
Restart our service after 1 minute if we crash
PT1M
Restart our service many, many... many times
Ensure our service runs, regardless of the battery status
Define our service's action
Register our task
Microsoft Update Service
Manually execute our task
Sub Auto
MsgBox
"Hello
Sub Auto
MsgBox
"Hello
download9server-
Actions
ThisDocument
Module1
*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications
*\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library
*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\System32\stdole2.tlb#OLE Automation
*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library
tThisDocument
1Module1
Root Entry
Module1
ThisDocument
_VBA_PROJECT
PROJECT
PROJECTwm
This file is not on VirusTotal.
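
The strings above read as the comments and literals of a VBA macro: fetch GruntStager.exe (a name used by Covenant's Grunt stagers) from http://192.168.10.7:8000 with Microsoft.XMLHTTP, write it under TEMP with ADODB.Stream, and register a hidden, logon-triggered task named "Microsoft Update Service" through Schedule.Service so it restarts if it crashes. The Python below is an added triage helper, not part of CAPE or of this report. It runs over a constructed copy of those strings (kept with the trailing $ and ' bytes the strings tool left on VBA literals) and pulls out what a practitioner wants before the document is ever opened: the URL, the payload name, the COM ProgIDs that together mean download, write, persist, the ATT&CK IDs quoted in the comments, and whether an auto-executing Sub is present. The capability table, the regexes and the verdict thresholds are this example's own choices, not anything the sandbox implements.

```python
"""String triage for a macro document whose strings a sandbox already dumped.

Added example, not CAPE's own code.  SAMPLE_STRINGS is a constructed copy of the
strings this report shows; the capability table and verdict rules are this
example's own choices.
"""
import re
from dataclasses import dataclass, field

# Constructed from the report's Strings output.  Trailing "$" and "'" are bytes the
# strings tool left attached to VBA literals; they are stripped before matching.
SAMPLE_STRINGS = [
    "Define our malicious execution8",
    "GruntStager.exe",
    "http://192.168.10.7:8000'",
    "TEMP$",
    "Microsoft.XMLHTTP",
    "ADODB.Stream$",
    "Schedule.Service$",
    "Create a new task definition",
    "Perform basic T1036 masquerading",
    "Microsoft Update Service",
    "Microsoft Corporation",
    "Have the task run as the compromised user",
    "LogonTriggerId",
    "T1158: Hidden Files and Directories (and now services)",
    "Register our task",
    "Manually execute our task",
    "Sub Auto",
    "MsgBox",
]

# COM ProgIDs (lower-case) and the capability each one gives a macro.
CAPABILITIES = {
    "microsoft.xmlhttp": "http download",
    "msxml2.xmlhttp": "http download",
    "msxml2.serverxmlhttp": "http download",
    "winhttp.winhttprequest.5.1": "http download",
    "adodb.stream": "write to disk",
    "schedule.service": "persistence",
    "wscript.shell": "command execution",
    "shell.application": "command execution",
}

URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[^\s'\"$]*)?", re.I)
PAYLOAD_RE = re.compile(r"\b[\w\-]+\.(?:exe|dll|scr|ps1|vbs|js|bat|hta)\b", re.I)
ATTCK_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
AUTOEXEC_RE = re.compile(r"^sub\s+(auto|document_open|workbook_open)", re.I)


@dataclass
class Triage:
    urls: list = field(default_factory=list)
    payloads: list = field(default_factory=list)
    capabilities: dict = field(default_factory=dict)  # capability -> ProgID seen
    attack_ids: list = field(default_factory=list)
    autoexec: bool = False

    @property
    def verdict(self):
        caps = set(self.capabilities)
        if {"http download", "write to disk", "persistence"} <= caps:
            return "downloader-with-persistence"
        if "http download" in caps and self.urls:
            return "downloader"
        if caps or self.urls:
            return "suspicious"
        return "benign-or-unknown"


def _add(lst, item):
    if item not in lst:
        lst.append(item)


def triage_strings(strings):
    """Collect IOCs and capabilities from raw strings; order of first sighting is kept."""
    t = Triage()
    for raw in strings:
        s = raw.strip().rstrip("$'")
        for url in URL_RE.findall(s):
            _add(t.urls, url)
        for name in PAYLOAD_RE.findall(s):
            _add(t.payloads, name)
        for tid in ATTCK_RE.findall(s):
            _add(t.attack_ids, tid)
        cap = CAPABILITIES.get(s.lower())
        if cap and cap not in t.capabilities:
            t.capabilities[cap] = s
        if AUTOEXEC_RE.match(s):
            t.autoexec = True
    return t


if __name__ == "__main__":
    result = triage_strings(SAMPLE_STRINGS)
    print(result.verdict, result.urls, result.payloads, result.attack_ids, result.autoexec)
```

The ProgID combination is the useful signal: any one of Microsoft.XMLHTTP, ADODB.Stream or Schedule.Service has legitimate uses in macros, but all three plus a hard-coded URL and an .exe name is a downloader with persistence regardless of what the sandbox's dynamic run managed to observe.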

Process Tree

  • cmd.exe 1912 "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\user\AppData\Local\Temp\tmp8nvc_gmr"
    • rundll32.exe 996 "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\user\AppData\Local\Temp\tmp8nvc_gmr
  • services.exe 464 C:\Windows\system32\services.exe
    • svchost.exe 1320 C:\Windows\system32\svchost.exe -k netsvcs

cmd.exe, PID: 1912, Parent PID: 1512
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\user\AppData\Local\Temp\tmp8nvc_gmr"
services.exe, PID: 464, Parent PID: 376
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
svchost.exe, PID: 1320, Parent PID: 464
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs
rundll32.exe, PID: 996, Parent PID: 1912
Full Path: C:\Windows\SysWOW64\rundll32.exe
Command Line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\user\AppData\Local\Temp\tmp8nvc_gmr
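
The process tree is the caveat that matters for this report. The sample was submitted with the generic package and has no extension, so Windows handed it to shell32's OpenAs_RunDLL (the Open With dialog) rather than to Word, and the macro never ran. That is why no host, DNS or HTTP traffic to the 192.168.10.7:8000 URL in the strings was recorded, and it is a plausible reading of the behavioural signatures too: the dynamic loads are shell, common-control and print-spooler APIs, and the reads of HKLM\SOFTWARE\Clients\Mail\...\Capabilities fit the Open With dialog enumerating registered applications rather than mail-client harvesting by the macro (an interpretation of the logged keys, not something the report states). The Python below is an added example, not CAPE code. It runs over a constructed copy of the process tree and a subset of the DynamicLoader lines, reports whether an Office host ever started under the sandbox launcher, and names the CAPE analysis package to resubmit with (doc, assumed to be present in the reader's CAPE install) when the file type is an OLE compound document.

```python
"""Detonation sanity check for a sandbox report.

Added example, not CAPE's own code.  Input is the process tree and a subset of
the DynamicLoader signature lines, both copied from this report by hand.
"""
import re
from collections import Counter

# Constructed from the report's Process Tree: (image name, pid, parent pid, command line).
SAMPLE_PROCESSES = [
    ("cmd.exe", 1912, 1512,
     r'"C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\user\AppData\Local\Temp\tmp8nvc_gmr"'),
    ("rundll32.exe", 996, 1912,
     r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\user\AppData\Local\Temp\tmp8nvc_gmr'),
    ("services.exe", 464, 376, r"C:\Windows\system32\services.exe"),
    ("svchost.exe", 1320, 464, r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

# Constructed subset of the report's DynamicLoader lines.
SAMPLE_DYNLOADS = [
    "DynamicLoader: SHELL32.dll/ShellExecuteExW",
    "DynamicLoader: SHELL32.dll/OpenAs_RunDLLW",
    "DynamicLoader: WINSPOOL.DRV/OpenPrinterW",
    "DynamicLoader: WINSPOOL.DRV/EnumPrintersW",
    "DynamicLoader: comctl32.dll/",
    "DynamicLoader: ADVAPI32.dll/RegOpenKeyExW",
]

# Office host process -> CAPE analysis package that launches it.
OFFICE_HOSTS = {"winword.exe": "doc", "excel.exe": "xls", "powerpnt.exe": "ppt"}
OPEN_WITH_RE = re.compile(r"shell32\.dll,OpenAs_RunDLL", re.I)
LAUNCHER_RE = re.compile(r"/c\s+start\s+/wait", re.I)


def find_launcher(procs):
    """The generic package starts the sample via cmd.exe /c start /wait; return that process."""
    for p in procs:
        if p[0].lower() == "cmd.exe" and LAUNCHER_RE.search(p[3]):
            return p
    return None


def descendants(procs, pid):
    """Every process below pid in the tree (depth-first)."""
    out, stack = [], [pid]
    while stack:
        cur = stack.pop()
        for p in procs:
            if p[2] == cur:
                out.append(p)
                stack.append(p[1])
    return out


def check_detonation(procs, file_type=""):
    """Return (detonated, reason, package_to_resubmit_with)."""
    launcher = find_launcher(procs)
    if launcher is None:
        return False, "no sandbox launcher (cmd.exe /c start /wait) in the tree", None
    tree = descendants(procs, launcher[1])
    names = {p[0].lower() for p in tree}
    hosts = sorted(names & set(OFFICE_HOSTS))
    if hosts:
        return True, "Office host started under the launcher: " + ", ".join(hosts), None
    if any(OPEN_WITH_RE.search(p[3]) for p in tree):
        # No file association for the sample's name: Windows asked the user what to open it with.
        pkg = "doc" if "Composite Document File" in file_type else None
        return False, "Open With dialog (shell32!OpenAs_RunDLL) instead of an application", pkg
    if not tree:
        return False, "launcher spawned no child process", None
    return False, "no Office host under the launcher; children: " + ", ".join(sorted(names)), None


def dynload_by_module(lines):
    """Count DynamicLoader entries per module: shows whose code produced the signature noise."""
    counts = Counter()
    for line in lines:
        m = re.match(r"DynamicLoader:\s*([^/]+)/", line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts


if __name__ == "__main__":
    ok, why, pkg = check_detonation(SAMPLE_PROCESSES, "Composite Document File V2 Document")
    print("detonated:", ok, "|", why, "| resubmit with package:", pkg)
    print(dynload_by_module(SAMPLE_DYNLOADS).most_common())
```

Resubmitting with the doc package (or with a .doc extension on the file) on a guest that has Word installed and macro execution allowed is what it takes to get the download and the task registration into the behaviour log; until then the 4.5 "Suspicious" score reflects the Open With dialog, not the macro.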

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name c016366b-7126-46ca-b36b-592a3d95a60b
Associated Filenames
C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b
File Size 12 bytes
File Type data
MD5 5e3e1be9545b676fc470ee220cf1789f
SHA1 c73f0708bb213063c9f5e2dc93b2ad8969860b9c
SHA256 9a84732577e095814f7bd91b93e3d3c980392674c1320655781479c66ba8b912
CRC32 E52F0677
Ssdeep 3:Wln:i
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Sorry! No process dumps.


Processing ( 1.518 seconds )

  • 1.132 BehaviorAnalysis
  • 0.218 Deduplicate
  • 0.09 TrID
  • 0.033 CAPE
  • 0.018 TargetInfo
  • 0.012 Dropped
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.002 Debug
  • 0.001 Strings

Signatures ( 1.165 seconds )

  • 0.271 antiav_detectreg
  • 0.111 antidbg_windows
  • 0.093 infostealer_ftp
  • 0.056 antianalysis_detectreg
  • 0.052 infostealer_im
  • 0.044 stealth_timeout
  • 0.038 infostealer_mail
  • 0.032 decoy_document
  • 0.031 NewtWire Behavior
  • 0.031 api_spamming
  • 0.029 antivm_generic_scsi
  • 0.028 antivm_vbox_keys
  • 0.021 recon_programs
  • 0.019 antivm_vmware_keys
  • 0.019 recon_fingerprint
  • 0.015 kibex_behavior
  • 0.013 antivm_parallels_keys
  • 0.013 antivm_xen_keys
  • 0.013 darkcomet_regkeys
  • 0.011 betabot_behavior
  • 0.01 uac_bypass_eventvwr
  • 0.01 antivm_generic_services
  • 0.01 geodo_banking_trojan
  • 0.009 antivm_generic_disk
  • 0.009 antivm_generic_diskreg
  • 0.009 antivm_vpc_keys
  • 0.008 Doppelganging
  • 0.008 mimics_filetime
  • 0.008 ransomware_files
  • 0.007 antiav_detectfile
  • 0.006 bootkit
  • 0.006 stealth_file
  • 0.006 antivm_vbox_window
  • 0.006 reads_self
  • 0.006 virus
  • 0.005 injection_createremotethread
  • 0.005 InjectionCreateRemoteThread
  • 0.004 injection_runpe
  • 0.004 InjectionProcessHollowing
  • 0.004 antisandbox_script_timer
  • 0.004 hancitor_behavior
  • 0.004 antivm_xen_keys
  • 0.004 antivm_hyperv_keys
  • 0.004 bypass_firewall
  • 0.004 infostealer_bitcoin
  • 0.004 packer_armadillo_regkey
  • 0.004 remcos_regkeys
  • 0.003 InjectionInterProcess
  • 0.003 persistence_autorun
  • 0.003 antivm_generic_bios
  • 0.003 antivm_generic_cpu
  • 0.003 antivm_generic_system
  • 0.003 ransomware_extensions
  • 0.002 malicious_dynamic_function_loading
  • 0.002 antiemu_wine_func
  • 0.002 Extraction
  • 0.002 infostealer_browser_password
  • 0.002 dynamic_function_loading
  • 0.002 kovter_behavior
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vbox_files
  • 0.002 browser_security
  • 0.001 tinba_behavior
  • 0.001 hawkeye_behavior
  • 0.001 antivm_vbox_libs
  • 0.001 antidebug_guardpages
  • 0.001 rat_nanocore
  • 0.001 exploit_heapspray
  • 0.001 rat_luminosity
  • 0.001 stack_pivot
  • 0.001 infostealer_browser
  • 0.001 exploit_getbasekerneladdress
  • 0.001 injection_explorer
  • 0.001 Vidar Behavior
  • 0.001 exploit_gethaldispatchtable
  • 0.001 InjectionSetWindowLong
  • 0.001 neshta_files
  • 0.001 cerber_behavior
  • 0.001 antidbg_devices
  • 0.001 antiemu_wine_reg
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn

Reporting ( 0.029 seconds )

  • 0.029 CompressResults
Task ID 94395
Mongo ID 5d9e78c3c3c009112d67ce5c
Cuckoo release 1.3-CAPE