Analysis

Category FILE
Package dll
Started 2020-06-30 14:01:26
Completed 2020-06-30 14:03:26
Duration 120 seconds
route = inetsim
2020-05-13 09:07:59,758 [root] INFO: Date set to: 20200630T14:00:33, timeout set to: 300
2020-06-30 14:00:33,093 [root] DEBUG: Starting analyzer from: C:\tmpnwhtwc92
2020-06-30 14:00:33,093 [root] DEBUG: Storing results at: C:\loMuVtQ
2020-06-30 14:00:33,093 [root] DEBUG: Pipe server name: \\.\PIPE\bpyjpakfZ
2020-06-30 14:00:33,093 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-30 14:00:33,093 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 14:00:33,093 [root] INFO: Automatically selected analysis package "dll"
2020-06-30 14:00:33,093 [root] DEBUG: Trying to import analysis package "dll"...
2020-06-30 14:00:33,109 [root] DEBUG: Imported analysis package "dll".
2020-06-30 14:00:33,109 [root] DEBUG: Trying to initialize analysis package "dll"...
2020-06-30 14:00:33,109 [root] DEBUG: Initialized analysis package "dll".
2020-06-30 14:00:33,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 14:00:33,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 14:00:33,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 14:00:33,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 14:00:33,390 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 14:00:33,421 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 14:00:33,421 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 14:00:33,437 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 14:00:33,437 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 14:00:33,437 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 14:00:33,453 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 14:00:33,453 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 14:00:33,453 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 14:00:33,453 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 14:00:33,453 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 14:00:33,453 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 14:00:33,453 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 14:00:33,453 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 14:00:33,453 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 14:00:33,453 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 14:00:33,453 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 14:00:35,046 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 14:00:35,093 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 14:00:35,125 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 14:00:35,125 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 14:00:35,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 14:00:35,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 14:00:35,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 14:00:35,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 14:00:35,156 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 14:00:35,156 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 14:00:35,156 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 14:00:35,156 [root] DEBUG: Started auxiliary module Browser
2020-06-30 14:00:35,156 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 14:00:35,156 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 14:00:35,156 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 14:00:35,156 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 14:00:35,156 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 14:00:35,156 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 14:00:35,156 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 14:00:35,171 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 14:00:35,640 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 14:00:35,640 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 14:00:35,640 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 14:00:35,640 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 14:00:35,640 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 14:00:35,640 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 14:00:35,671 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 14:00:35,671 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 14:00:35,671 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 14:00:35,671 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 14:00:35,671 [root] DEBUG: Started auxiliary module Human
2020-06-30 14:00:35,671 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 14:00:35,671 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 14:00:35,671 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 14:00:35,687 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 14:00:35,687 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 14:00:35,687 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 14:00:35,687 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 14:00:35,687 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 14:00:35,687 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 14:00:35,687 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 14:00:35,687 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 14:00:35,687 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 14:00:35,687 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 14:00:35,687 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 14:00:35,687 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 14:00:35,687 [root] DEBUG: Started auxiliary module Usage
2020-06-30 14:00:35,687 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2020-06-30 14:00:35,703 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2020-06-30 14:00:35,703 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2020-06-30 14:00:35,703 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2020-06-30 14:00:35,781 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll",#1" with pid 5372
2020-06-30 14:00:35,781 [lib.api.process] INFO: Monitor config for process 5372: C:\tmpnwhtwc92\dll\5372.ini
2020-06-30 14:00:35,781 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\jFkJQE.dll, loader C:\tmpnwhtwc92\bin\MarrYeM.exe
2020-06-30 14:00:35,906 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\bpyjpakfZ.
2020-06-30 14:00:35,906 [root] DEBUG: Loader: Injecting process 5372 (thread 832) with C:\tmpnwhtwc92\dll\jFkJQE.dll.
2020-06-30 14:00:35,906 [root] DEBUG: Process image base: 0x006B0000
2020-06-30 14:00:35,906 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\jFkJQE.dll.
2020-06-30 14:00:35,921 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 14:00:35,921 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\jFkJQE.dll.
2020-06-30 14:00:35,921 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5372
2020-06-30 14:00:37,921 [lib.api.process] INFO: Successfully resumed process with pid 5372
2020-06-30 14:00:38,296 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 14:00:38,296 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 14:00:38,312 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 14:00:38,312 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5372 at 0x69d30000, image base 0x6b0000, stack from 0x84000-0x90000
2020-06-30 14:00:38,359 [root] INFO: Loaded monitor into process with pid 5372
2020-06-30 14:00:38,359 [root] INFO: Disabling sleep skipping.
2020-06-30 14:00:38,375 [root] INFO: Disabling sleep skipping.
2020-06-30 14:00:38,375 [root] INFO: Disabling sleep skipping.
2020-06-30 14:00:38,375 [root] INFO: Disabling sleep skipping.
2020-06-30 14:00:39,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xac amd local view 0x6AFA0000 to global list.
2020-06-30 14:00:39,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xb8 amd local view 0x6A690000 to global list.
2020-06-30 14:00:39,312 [root] DEBUG: DLL loaded at 0x72BE0000: C:\Windows\SYSTEM32\MSCOREE (0x4a000 bytes).
2020-06-30 14:00:39,312 [root] DEBUG: Target DLL loaded at 0x6A690000: C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll (0x1b000 bytes).
2020-06-30 14:00:39,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x76480000 for section view with handle 0xac.
2020-06-30 14:00:39,312 [root] DEBUG: DLL loaded at 0x76480000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-06-30 14:00:39,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x76120000 for section view with handle 0xac.
2020-06-30 14:00:39,312 [root] DEBUG: DLL loaded at 0x76120000: C:\Windows\system32\NSI (0x6000 bytes).
2020-06-30 14:00:39,312 [root] DEBUG: set_caller_info: Adding region at 0x00050000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 14:00:39,328 [root] DEBUG: set_caller_info: Adding region at 0x01530000 to caller regions list (ntdll::RtlDispatchException).
2020-06-30 14:00:39,328 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 14:00:39,328 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1530000
2020-06-30 14:00:39,343 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01530000 size 0x400000.
2020-06-30 14:00:39,343 [root] DEBUG: DumpPEsInRange: Scanning range 0x1530000 - 0x1531000.
2020-06-30 14:00:39,343 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1530000-0x1531000.
2020-06-30 14:00:39,406 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\loMuVtQ\CAPE\5372_101224623839201630262020 (size 0xffe)
2020-06-30 14:00:39,421 [root] DEBUG: DumpRegion: Dumped stack region from 0x01530000, size 0x1000.
2020-06-30 14:00:39,421 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00050000.
2020-06-30 14:00:39,421 [root] DEBUG: set_caller_info: Adding region at 0x00540000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-30 14:00:39,437 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00540000.
2020-06-30 14:00:39,437 [root] DEBUG: set_caller_info: Adding region at 0x00120000 to caller regions list (advapi32::RegOpenKeyExW).
2020-06-30 14:00:39,531 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x21ffff
2020-06-30 14:00:39,531 [root] DEBUG: DumpMemory: Nothing to dump at 0x00120000!
2020-06-30 14:00:39,531 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x120000-0x184000.
2020-06-30 14:00:39,593 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\loMuVtQ\CAPE\5372_157746769639201630262020 (size 0x63ffe)
2020-06-30 14:00:39,593 [root] DEBUG: DumpRegion: Dumped stack region from 0x00120000, size 0x64000.
2020-06-30 14:00:39,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 amd local view 0x703E0000 to global list.
2020-06-30 14:00:39,593 [root] DEBUG: DLL loaded at 0x703E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 14:00:39,593 [root] DEBUG: DLL unloaded from 0x76020000.
2020-06-30 14:00:39,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x110 amd local view 0x00260000 to global list.
2020-06-30 14:00:39,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c amd local view 0x00260000 to global list.
2020-06-30 14:00:39,625 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x118 amd local view 0x00260000 to global list.
2020-06-30 14:00:39,625 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x114 amd local view 0x00260000 to global list.
2020-06-30 14:00:39,625 [root] DEBUG: DLL loaded at 0x74330000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 14:00:39,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3c amd local view 0x00260000 to global list.
2020-06-30 14:00:39,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x11c amd local view 0x00260000 to global list.
2020-06-30 14:00:39,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x130 amd local view 0x00220000 to global list.
2020-06-30 14:00:39,656 [root] DEBUG: DLL loaded at 0x74840000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-30 14:00:39,656 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-30 14:00:39,656 [root] DEBUG: DLL loaded at 0x735C0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2020-06-30 14:00:39,671 [root] DEBUG: DLL loaded at 0x6E080000: C:\Windows\system32\napinsp (0x10000 bytes).
2020-06-30 14:00:39,671 [root] DEBUG: DLL loaded at 0x6DCE0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2020-06-30 14:00:39,687 [root] DEBUG: DLL loaded at 0x71530000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-06-30 14:00:39,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 amd local view 0x03540000 to global list.
2020-06-30 14:00:40,109 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-06-30 14:00:41,196 [root] DEBUG: GetHookCallerBase: thread 832 (handle 0x0), return address 0x006B24C5, allocation base 0x006B0000.
2020-06-30 14:00:41,211 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x6A690000.
2020-06-30 14:00:41,211 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 14:00:41,211 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x6A690000.
2020-06-30 14:00:41,211 [root] DEBUG: DumpProcess: Error - entry point too big: 0x857254e, ignoring.
2020-06-30 14:00:41,290 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x19400.
2020-06-30 14:00:41,290 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x006B0000.
2020-06-30 14:00:41,290 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 14:00:41,290 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x006B0000.
2020-06-30 14:00:41,305 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001798.
2020-06-30 14:00:41,321 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2020-06-30 14:00:41,321 [root] DEBUG: DLL unloaded from 0x6A690000.
2020-06-30 14:00:41,321 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-30 14:00:41,336 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-30 14:00:41,336 [root] DEBUG: DLL unloaded from 0x703E0000.
2020-06-30 14:00:41,336 [root] DEBUG: DLL unloaded from 0x76130000.
2020-06-30 14:00:41,352 [root] INFO: Process with pid 5372 has terminated
2020-06-30 14:00:46,977 [root] INFO: Process list is empty, terminating analysis.
2020-06-30 14:00:47,977 [root] INFO: Created shutdown mutex.
2020-06-30 14:00:48,977 [root] INFO: Shutting down package.
2020-06-30 14:00:48,977 [root] INFO: Stopping auxiliary modules.
2020-06-30 14:00:49,071 [lib.common.results] WARNING: File C:\loMuVtQ\bin\procmon.xml doesn't exist anymore
2020-06-30 14:00:49,071 [root] INFO: Finishing auxiliary modules.
2020-06-30 14:00:49,071 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 14:00:49,086 [root] WARNING: Folder at path "C:\loMuVtQ\debugger" does not exist, skip.
2020-06-30 14:00:49,086 [root] INFO: Analysis completed.

Machine

Name win7_1
Label win7_1
Manager KVM
Started On 2020-06-30 14:01:26
Shutdown On 2020-06-30 14:03:26

File Details

File Name k8EH9uRpZ
File Size 100352 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-06-21 16:51:23
MD5 834fbacdff8eaaf8163b00175e1dfff0
SHA1 a636c33b41dfb92312a6c8379169a80a6b57d02f
SHA256 47ce0f84aceaca95dfa327d9bf9c1eeacbde6cf5a4673bb2a4c96d1938958835
SHA512 824cce42249d66b36826c17ba974cf932d3b2c0f48ebd85c195be6743187a15e53610546480f9dededa059847d48c9deb27eb99ed95c2ed4b242a8599331387d
CRC32 35C9FB59
Ssdeep 3072:iYKwcf9/azKSFThJEg/AOJ0fuTzhH7VwWQnw:xcly5thJl/Ag0fuTz/Qw

Signatures

Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 5372 triggered the Yara rule 'embedded_pe'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: rundll32.exe, PID 5372
Dynamic (imported) function loading detected
DynamicLoader: MSCOREE.DLL/_CorExeMain
DynamicLoader: MSCOREE.DLL/_CorImageUnloading
DynamicLoader: MSCOREE.DLL/_CorValidateImage
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/CreateEventExW
DynamicLoader: kernel32.dll/CreateSemaphoreExW
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/CreateThreadpoolTimer
DynamicLoader: kernel32.dll/SetThreadpoolTimer
DynamicLoader: kernel32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: kernel32.dll/CloseThreadpoolTimer
DynamicLoader: kernel32.dll/CreateThreadpoolWait
DynamicLoader: kernel32.dll/SetThreadpoolWait
DynamicLoader: kernel32.dll/CloseThreadpoolWait
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: kernel32.dll/GetCurrentProcessorNumber
DynamicLoader: kernel32.dll/GetLogicalProcessorInformation
DynamicLoader: kernel32.dll/CreateSymbolicLinkW
DynamicLoader: kernel32.dll/SetDefaultDllDirectories
DynamicLoader: kernel32.dll/EnumSystemLocalesEx
DynamicLoader: kernel32.dll/CompareStringEx
DynamicLoader: kernel32.dll/GetDateFormatEx
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/GetTimeFormatEx
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/IsValidLocaleName
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: kernel32.dll/GetFileInformationByHandleExW
DynamicLoader: kernel32.dll/SetFileInformationByHandleW
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/AreFileApisANSI
DynamicLoader: k8EH9uRpZ.dll/
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: ADVAPI32.dll/EventUnregister
CAPE extracted potentially suspicious content
rundll32.exe: Unpacked Shellcode
rundll32.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ
Anomalous .NET characteristics
anomalous_version: Assembly version is set to 0

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 171.239.179.93 Vietnam
Y 1.1.1.1 Australia

DNS

No domains contacted.


Summary

C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll
C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll.123.Manifest
C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll.124.Manifest
C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll.2.Manifest
C:\Windows\System32\rundll32.exe
C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll.config
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\System32\en-US\rundll32.exe.mui
C:\Windows\Fonts\staticcache.dat
C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll
C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll.123.Manifest
C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll.124.Manifest
C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll.2.Manifest
C:\Windows\System32\rundll32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll.config
C:\Windows\System32\en-US\rundll32.exe.mui
C:\Windows\Fonts\staticcache.dat
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
mscoree.dll._CorExeMain
mscoree.dll._CorImageUnloading
mscoree.dll._CorValidateImage
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorDllMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
kernel32.dll.AreFileApisANSI
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
oleaut32.dll.#500
advapi32.dll.EventUnregister
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1

PE Information

Image Base 0x10000000
Entry Point 0x10010f18
Reported Checksum 0x00000000
Actual Checksum 0x00026a6f
Minimum OS Version 6.0
Compile Time 2020-06-21 16:51:23
Import Hash 8b4fd1375aeccba4a8270a55fe0855c0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0000ff1e 0x00010000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.66
.rdata 0x00010400 0x00011000 0x000069e4 0x00006a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.18
.data 0x00016e00 0x00018000 0x00001500 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.96
.reloc 0x00017800 0x0001a000 0x00000ee8 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.29

Imports

0x1001110c WSASocketA
0x10011110 WSAConnect
0x10011114 WSAGetLastError
0x10011118 WSAStartup
0x1001111c gethostbyname
0x10011120 inet_ntoa
0x10011124 inet_addr
0x10011128 htons
0x10011000 HeapAlloc
0x10011004 CloseHandle
0x10011008 DecodePointer
0x1001100c GetConsoleMode
0x10011010 GetConsoleOutputCP
0x10011014 WriteConsoleW
0x10011018 CreateThread
0x1001101c CreateProcessA
0x10011028 GetCurrentProcess
0x1001102c TerminateProcess
0x10011038 GetCurrentProcessId
0x1001103c GetCurrentThreadId
0x10011044 InitializeSListHead
0x10011048 IsDebuggerPresent
0x1001104c GetStartupInfoW
0x10011050 GetModuleHandleW
0x10011054 WriteFile
0x10011058 InterlockedFlushSList
0x1001105c RtlUnwind
0x10011060 GetLastError
0x10011064 SetLastError
0x10011068 EnterCriticalSection
0x1001106c LeaveCriticalSection
0x10011070 DeleteCriticalSection
0x10011078 TlsAlloc
0x1001107c TlsGetValue
0x10011080 TlsSetValue
0x10011084 TlsFree
0x10011088 FreeLibrary
0x1001108c GetProcAddress
0x10011090 LoadLibraryExW
0x10011094 RaiseException
0x10011098 ExitProcess
0x1001109c GetModuleHandleExW
0x100110a0 GetModuleFileNameW
0x100110a4 HeapFree
0x100110a8 FlushFileBuffers
0x100110ac GetStdHandle
0x100110b0 GetFileType
0x100110b4 FindClose
0x100110b8 FindFirstFileExW
0x100110bc FindNextFileW
0x100110c0 IsValidCodePage
0x100110c4 GetACP
0x100110c8 GetOEMCP
0x100110cc GetCPInfo
0x100110d0 GetCommandLineA
0x100110d4 GetCommandLineW
0x100110d8 MultiByteToWideChar
0x100110dc WideCharToMultiByte
0x100110e0 GetEnvironmentStringsW
0x100110e8 LCMapStringW
0x100110ec GetProcessHeap
0x100110f0 SetFilePointerEx
0x100110f4 GetStringTypeW
0x100110f8 SetStdHandle
0x100110fc HeapSize
0x10011100 HeapReAlloc
0x10011104 CreateFileW
0x10011130 _CorDllMain

Assembly Information

Name x86
Version 0.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0

Type References

Assembly Type Name
mscorlib System.Object

!This program cannot be run in DOS mode.
Rich.n
.text
`.rdata
@.data
.reloc
Y__^[
5ineI
5Genu
URPQQh
BVj(j
SVWUj
;t$,v-
UQPXY]Y[
F4_^[]
F4_^[
A1<Fu
<ItC<Lt3<Tt#<h
A<lt'<tt
SWj P
F1<at
F1<gt
C;^8u
0^_[]
< t3<
PPPPP
PPPPP
u,PQRS
Wj0XPV
SPSVQ
SPjdVQ
-jd_;
PPPPP
PPPPP
SSSSj
SSSSS
WWWWW
zSSSSj
SVWh
*t`=+
*tD=+
f9:t!V
WSVPP
~1WPQ
f9<H}
wIPS3
PPPPP
9E WW
t1RWV
Y_[^]
PPPPPPPP
PPPPPWS
PP9E u:PPVWP
\0.F;
>@s5f
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__swift_1
__swift_2
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`RTTI
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
operator co_await
operator<=>
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
`anonymous namespace'
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
(null)
CorExitProcess
NAN(SNAN)
nan(snan)
NAN(IND)
nan(ind)
e+000
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
AreFileApisANSI
LCMapStringEx
LocaleNameToLCID
AppPolicyGetProcessTerminationMethod
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
[aOni*{
eLK(w
~ $s%r
@b;zO]
iu+-,
obwQ4
v2!L.2
^<V7w
1#INF
1#QNAN
1#SNAN
1#IND
log10
log10
?5Wg4p
BC .=
%S#[k
"B <1=
#.X'=
atan2
floor
ldexp
_cabs
_hypot
frexp
_logb
_nextafter
v4.0.30319
#Strings
#GUID
#Blob
<Module>
Empty
mscorlib
Object
System
.ctor
x86.dll
.text$mn
.idata$5
.00cfg
.CRT$XCA
.CRT$XCZ
.CRT$XIA
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
WSAConnect
WSASocketA
WS2_32.dll
CreateThread
CreateProcessA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
KERNEL32.dll
InterlockedFlushSList
RtlUnwind
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
RaiseException
ExitProcess
GetModuleHandleExW
GetModuleFileNameW
HeapFree
HeapAlloc
GetStdHandle
GetFileType
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringW
GetProcessHeap
SetFilePointerEx
GetStringTypeW
SetStdHandle
HeapSize
HeapReAlloc
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetConsoleMode
DecodePointer
CloseHandle
CreateFileW
WriteConsoleW
_CorDllMain
mscoree.dll
171.239.179.93
%s%s%s%s
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0.03080>0[0a0t0
1"1(1o1
313>3_3d3}3
4$4?4W4
6#6.656U6[6a6g6m6s6z6
7 7)7H7W7`7m7
9 9Q9
:%:+:=:G:
<"<6<;<N<a<~<
>/>8>A>O>X>z>
171?1Q1^1
2E3Q3n4u4
5.5V5d5j5
6+676S6s6
8'8E8S8
:8:?:D:H:L:P:
:e=y=
=!><>A>F>a>n>w>|>
?+?0?5?V?f?
0%030
2$2(2,202
2D6j:r:y:
2$3U7n7
;$;q;~;
=S=[=e=n=
>$>->
1<2]2x2
3>4P4T4\4h4
5$575S5l5q5
6i:W;a;n;
<@<G<Z<
=A=G=
4d5?6F6n6
7%7>7W7u7
8H8]8o8|8
9%9/9
595T5a5o5}5
5>6{6
7:7q7
7>8N8h8
8q9w9
0%2k2
4Y4`4g4n4
5V5~5m7
999{9
9':N:
=1>6>;>K>P>U>e>j>o>
?&?R?[?
0.03080S0]0m0r0w0
1"1-12171X1h1
272I2U2b2i2s2
3;3S3n3y3
374>4E4L4Y4
696_6
;&;0;
=+===O=a=s=
>$>Y?
1&1l1{1
2.2i2p2
<r<x<
=4=I=Z=
=)>E>g>
0+1`1
1$2U2t2
3)4O4v4
708m8
< <2<z<
=,=5=>=
3^3h3
;q;};
<:<B<_<o<{<
>G>d>x>
0F1f1v1
4-4X4s4
5$5H5
9)999r9
;B=|>
/273H3&6+6=6[6o6u6"9
97:R:
;&<b=
81H1L1P1\1`1d1
2 2([email protected]`2h2p2x2
3 3([email protected]`3h3p3x3
4 4([email protected]`4h4p4x4
50;4;8;
(10181<[email protected]\1`1d1h1l1p1t1x1
3 3$3(3,3034383<[email protected]
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
4X8\8`8d8
>$>,>4><>D>L>T>\>d>l>t>|>
?$?,?4?<?D?L?T?\?d?l?t?|?
0$0,040<0D0L0T0\0d0l0t0|0
1$1,141<1D1L1T1\1d1l1t1|1
2$2,242<2D2L2T2\2d2l2t2|2
3$3,343<3D3L3T3\3d3l3t3|3
4$4,444<4D4L4T4\4d4l4t4|4
? ?([email protected]?H?P?X?`?h?p?x?
0 0([email protected]`0h0p0x0
1 1([email protected]`1h1p1x1
2 2([email protected]`2h2p2x2
3 3([email protected]`3h3p3x3
4 4([email protected]`4h4p4x4
5 5([email protected]`5h5p5x5
9$9,949<9D9L9T9\9d9l9t9|9
9,;0;8;x?
81h1x1
1(7,7074787<[email protected]\7`7d7h7l7p7t7
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
api-ms-
(null)
mscoree.dll
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
en-US
ja-JP
zh-CN
ko-KR
zh-TW
api-ms-win-core-datetime-l1-1-1
api-ms-win-core-file-l1-2-2
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
advapi32
ntdll
api-ms-win-appmodel-runtime-l1-1-2
user32
ext-ms-
((((( H
zh-CHS
ar-SA
bg-BG
ca-ES
cs-CZ
da-DK
de-DE
el-GR
fi-FI
fr-FR
he-IL
hu-HU
is-IS
it-IT
nl-NL
nb-NO
pl-PL
pt-BR
ro-RO
ru-RU
hr-HR
sk-SK
sq-AL
sv-SE
th-TH
tr-TR
ur-PK
id-ID
uk-UA
be-BY
sl-SI
et-EE
lv-LV
lt-LT
fa-IR
vi-VN
hy-AM
az-AZ-Latn
eu-ES
mk-MK
tn-ZA
xh-ZA
zu-ZA
af-ZA
ka-GE
fo-FO
hi-IN
mt-MT
se-NO
ms-MY
kk-KZ
ky-KG
sw-KE
uz-UZ-Latn
tt-RU
bn-IN
pa-IN
gu-IN
ta-IN
te-IN
kn-IN
ml-IN
mr-IN
sa-IN
mn-MN
cy-GB
gl-ES
kok-IN
syr-SY
div-MV
quz-BO
ns-ZA
mi-NZ
ar-IQ
de-CH
en-GB
es-MX
fr-BE
it-CH
nl-BE
nn-NO
pt-PT
sr-SP-Latn
sv-FI
az-AZ-Cyrl
se-SE
ms-BN
uz-UZ-Cyrl
quz-EC
ar-EG
zh-HK
de-AT
en-AU
es-ES
fr-CA
sr-SP-Cyrl
se-FI
quz-PE
ar-LY
zh-SG
de-LU
en-CA
es-GT
fr-CH
hr-BA
smj-NO
ar-DZ
zh-MO
de-LI
en-NZ
es-CR
fr-LU
bs-BA-Latn
smj-SE
ar-MA
en-IE
es-PA
fr-MC
sr-BA-Latn
sma-NO
ar-TN
en-ZA
es-DO
sr-BA-Cyrl
sma-SE
ar-OM
en-JM
es-VE
sms-FI
ar-YE
en-CB
es-CO
smn-FI
ar-SY
en-BZ
es-PE
ar-JO
en-TT
es-AR
ar-LB
en-ZW
es-EC
ar-KW
en-PH
es-CL
ar-AE
es-UY
ar-BH
es-PY
ar-QA
es-BO
es-SV
es-HN
es-NI
es-PR
zh-CHT
af-za
ar-ae
ar-bh
ar-dz
ar-eg
ar-iq
ar-jo
ar-kw
ar-lb
ar-ly
ar-ma
ar-om
ar-qa
ar-sa
ar-sy
ar-tn
ar-ye
az-az-cyrl
az-az-latn
be-by
bg-bg
bn-in
bs-ba-latn
ca-es
cs-cz
cy-gb
da-dk
de-at
de-ch
de-de
de-li
de-lu
div-mv
el-gr
en-au
en-bz
en-ca
en-cb
en-gb
en-ie
en-jm
en-nz
en-ph
en-tt
en-us
en-za
en-zw
es-ar
es-bo
es-cl
es-co
es-cr
es-do
es-ec
es-es
es-gt
es-hn
es-mx
es-ni
es-pa
es-pe
es-pr
es-py
es-sv
es-uy
es-ve
et-ee
eu-es
fa-ir
fi-fi
fo-fo
fr-be
fr-ca
fr-ch
fr-fr
fr-lu
fr-mc
gl-es
gu-in
he-il
hi-in
hr-ba
hr-hr
hu-hu
hy-am
id-id
is-is
it-ch
it-it
ja-jp
ka-ge
kk-kz
kn-in
kok-in
ko-kr
ky-kg
lt-lt
lv-lv
mi-nz
mk-mk
ml-in
mn-mn
mr-in
ms-bn
ms-my
mt-mt
nb-no
nl-be
nl-nl
nn-no
ns-za
pa-in
pl-pl
pt-br
pt-pt
quz-bo
quz-ec
quz-pe
ro-ro
ru-ru
sa-in
se-fi
se-no
se-se
sk-sk
sl-si
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sq-al
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
sv-fi
sv-se
sw-ke
syr-sy
ta-in
te-in
th-th
tn-za
tr-tr
tt-ru
uk-ua
ur-pk
uz-uz-cyrl
uz-uz-latn
vi-vn
xh-za
zh-chs
zh-cht
zh-cn
zh-hk
zh-mo
zh-sg
zh-tw
zu-za
CONOUT$
No antivirus signatures available.
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 171.239.179.93 [VT] Vietnam
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination Destination Port
192.168.1.2 49189 171.239.179.93 3979

UDP

Source Source Port Destination Destination Port
192.168.1.2 64006 1.1.1.1 53
192.168.1.2 137 192.168.1.255 137
192.168.1.2 64006 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name rundll32.exe
PID 5372
Dump Size 103424 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll
Type PE image: 32-bit DLL
PE timestamp 2020-06-21 16:51:23
MD5 32f1cdd6e48cf8498682eb59f7443c84
SHA1 5a112b4ffe98ffaa7dc3cf2034d3113b5dd02e81
SHA256 c942b30311fa8ba268cfa430e8e011c3ba3278f822b81f0a6304afe2fc7433c4
CRC32 6B788AE2
Ssdeep 3072:R16vwPJCbZxQTCSXxh+DDku7sdgu223HTJZGHnw:RwYQt2xhh+Pku4dgu22Ww
Dump Filename c942b30311fa8ba268cfa430e8e011c3ba3278f822b81f0a6304afe2fc7433c4

Process Name rundll32.exe
PID 5372
Dump Size 45056 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\k8EH9uRpZ.dll
Type PE image: 32-bit executable
PE timestamp 2017-03-30 14:58:17
MD5 265243cce34e52dcfe83e2b6babdbbfd
SHA1 5497e236629efafba77e006c2944ccf2a73f8b6f
SHA256 819b93816d0f2c706870c216db461b41e207df60ad53b2808ba73d74fa430236
CRC32 3B9A9D61
Ssdeep 768:GTD2Z0GYPAPYXN+R4bSEln5IyYpamDjobj8S:w2KLPAPY9+R4ln5IUmDjoX
Dump Filename 819b93816d0f2c706870c216db461b41e207df60ad53b2808ba73d74fa430236

Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature

    Processing ( 8.92 seconds )

    • 5.441 Suricata
    • 1.998 BehaviorAnalysis
    • 0.681 Static
    • 0.215 static_dotnet
    • 0.15 Deduplicate
    • 0.148 VirusTotal
    • 0.125 CAPE
    • 0.049 AnalysisInfo
    • 0.037 ProcDump
    • 0.031 NetworkAnalysis
    • 0.023 TargetInfo
    • 0.008 Strings
    • 0.007 Debug
    • 0.007 peid

    Signatures ( 0.2050000000000001 seconds )

    • 0.036 antiav_detectreg
    • 0.014 infostealer_ftp
    • 0.014 territorial_disputes_sigs
    • 0.01 ransomware_files
    • 0.009 infostealer_im
    • 0.008 antiav_detectfile
    • 0.008 ransomware_extensions
    • 0.007 antianalysis_detectreg
    • 0.005 antidbg_windows
    • 0.005 antianalysis_detectfile
    • 0.005 infostealer_bitcoin
    • 0.005 masquerade_process_name
    • 0.004 antivm_vbox_keys
    • 0.004 infostealer_mail
    • 0.003 api_spamming
    • 0.003 decoy_document
    • 0.003 guloader_apis
    • 0.003 persistence_autorun
    • 0.003 stealth_timeout
    • 0.003 antivm_vbox_files
    • 0.002 antivm_generic_disk
    • 0.002 dynamic_function_loading
    • 0.002 exec_crash
    • 0.002 kibex_behavior
    • 0.002 mimics_filetime
    • 0.002 NewtWire Behavior
    • 0.002 antivm_parallels_keys
    • 0.002 antivm_vmware_keys
    • 0.002 antivm_xen_keys
    • 0.002 geodo_banking_trojan
    • 0.001 Doppelganging
    • 0.001 InjectionCreateRemoteThread
    • 0.001 Unpacker
    • 0.001 antiemu_wine_func
    • 0.001 antivm_generic_scsi
    • 0.001 betabot_behavior
    • 0.001 bootkit
    • 0.001 hancitor_behavior
    • 0.001 infostealer_browser_password
    • 0.001 injection_createremotethread
    • 0.001 kovter_behavior
    • 0.001 malicious_dynamic_function_loading
    • 0.001 network_tor
    • 0.001 reads_self
    • 0.001 shifu_behavior
    • 0.001 stealth_file
    • 0.001 tinba_behavior
    • 0.001 virus
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_vmware_files
    • 0.001 antivm_vpc_keys
    • 0.001 ketrican_regkeys
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 masslogger_files
    • 0.001 predatorthethief_files
    • 0.001 qulab_files
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 recon_fingerprint
    • 0.001 lokibot_mutexes

    Reporting ( 7.0809999999999995 seconds )

    • 6.528 BinGraph
    • 0.494 JsonDump
    • 0.057 MITRE_TTPS
    • 0.002 PCAP2CERT