Analysis

Category Package Started Completed Duration Options
FILE Extraction 2020-05-23 00:46:20 2020-05-23 00:50:32 252 seconds route = inetsim

Log

2020-05-13 09:30:34,000 [root] INFO: Date set to: 20200523T00:47:02, timeout set to: 200
2020-05-23 00:47:02,062 [root] DEBUG: Starting analyzer from: C:\tmplodztmkc
2020-05-23 00:47:02,062 [root] DEBUG: Storing results at: C:\MrsejE
2020-05-23 00:47:02,062 [root] DEBUG: Pipe server name: \\.\PIPE\DDblsBCl
2020-05-23 00:47:02,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-05-23 00:47:02,062 [root] INFO: Analysis package "Extraction" has been specified.
2020-05-23 00:47:02,062 [root] DEBUG: Trying to import analysis package "Extraction"...
2020-05-23 00:47:02,078 [root] DEBUG: Imported analysis package "Extraction".
2020-05-23 00:47:02,078 [root] DEBUG: Trying to initialize analysis package "Extraction"...
2020-05-23 00:47:02,078 [root] DEBUG: Initialized analysis package "Extraction".
2020-05-23 00:47:02,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-05-23 00:47:02,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-05-23 00:47:02,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-05-23 00:47:02,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-05-23 00:47:02,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-05-23 00:47:02,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-05-23 00:47:02,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-05-23 00:47:02,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-05-23 00:47:02,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-05-23 00:47:02,218 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-05-23 00:47:02,218 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-05-23 00:47:02,218 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-05-23 00:47:02,218 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-05-23 00:47:02,234 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-05-23 00:47:02,234 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-05-23 00:47:02,234 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-05-23 00:47:02,234 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-05-23 00:47:02,234 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-05-23 00:47:02,234 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-05-23 00:47:02,234 [lib.api.screenshot] DEBUG: Importing 'math'
2020-05-23 00:47:02,234 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-05-23 00:47:02,359 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-05-23 00:47:02,359 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-05-23 00:47:02,359 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-05-23 00:47:02,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-05-23 00:47:02,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-05-23 00:47:02,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-05-23 00:47:02,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-05-23 00:47:02,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-05-23 00:47:02,375 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-05-23 00:47:02,375 [root] DEBUG: Initialized auxiliary module "Browser".
2020-05-23 00:47:02,375 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-05-23 00:47:02,375 [root] DEBUG: Started auxiliary module Browser
2020-05-23 00:47:02,375 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-05-23 00:47:02,375 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-05-23 00:47:02,390 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-05-23 00:47:02,390 [root] DEBUG: Started auxiliary module Curtain
2020-05-23 00:47:02,390 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-05-23 00:47:02,390 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-05-23 00:47:02,390 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-05-23 00:47:02,390 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-05-23 00:47:02,812 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-05-23 00:47:02,812 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-05-23 00:47:02,812 [root] DEBUG: Started auxiliary module DigiSig
2020-05-23 00:47:02,812 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-05-23 00:47:02,812 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-05-23 00:47:02,812 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-05-23 00:47:02,843 [root] DEBUG: Started auxiliary module Disguise
2020-05-23 00:47:02,843 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-05-23 00:47:02,843 [root] DEBUG: Initialized auxiliary module "Human".
2020-05-23 00:47:02,843 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-05-23 00:47:02,859 [root] DEBUG: Started auxiliary module Human
2020-05-23 00:47:02,859 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-05-23 00:47:02,859 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-05-23 00:47:02,859 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-05-23 00:47:02,859 [root] DEBUG: Started auxiliary module Procmon
2020-05-23 00:47:02,859 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-05-23 00:47:02,859 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-05-23 00:47:02,859 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-05-23 00:47:02,859 [root] DEBUG: Started auxiliary module Screenshots
2020-05-23 00:47:02,859 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-05-23 00:47:02,859 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-05-23 00:47:02,859 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-05-23 00:47:02,875 [root] DEBUG: Started auxiliary module Sysmon
2020-05-23 00:47:02,875 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-05-23 00:47:02,875 [root] DEBUG: Initialized auxiliary module "Usage".
2020-05-23 00:47:02,875 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-05-23 00:47:02,875 [root] DEBUG: Started auxiliary module Usage
2020-05-23 00:47:02,875 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL option
2020-05-23 00:47:02,875 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL_64 option
2020-05-23 00:47:02,875 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a loader option
2020-05-23 00:47:02,875 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a loader_64 option
2020-05-23 00:47:02,937 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\_6981343.exe" with arguments "" with pid 4476
2020-05-23 00:47:02,937 [lib.api.process] INFO: Monitor config for process 4476: C:\tmplodztmkc\dll\4476.ini
2020-05-23 00:47:02,937 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-05-23 00:47:02,937 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 00:47:02,937 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\hbmDDjx.dll, loader C:\tmplodztmkc\bin\VhvrZJv.exe
2020-05-23 00:47:03,000 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DDblsBCl.
2020-05-23 00:47:03,000 [root] DEBUG: Loader: Injecting process 4476 (thread 4328) with C:\tmplodztmkc\dll\hbmDDjx.dll.
2020-05-23 00:47:03,000 [root] DEBUG: Process image base: 0x00400000
2020-05-23 00:47:03,015 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\hbmDDjx.dll.
2020-05-23 00:47:03,015 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 00:47:03,015 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\hbmDDjx.dll.
2020-05-23 00:47:03,015 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4476
2020-05-23 00:47:05,015 [lib.api.process] INFO: Successfully resumed process with pid 4476
2020-05-23 00:47:05,171 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 00:47:05,234 [root] DEBUG: DLL loaded at 0x03750000: C:\Windows\system32\WerFault.exe (0x5b000 bytes).
2020-05-23 00:47:05,234 [root] DEBUG: Allocation: 0x003C0000 - 0x003C3000, size: 0x3000, protection: 0x40.
2020-05-23 00:47:05,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 00:47:05,249 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 00:47:05,249 [root] DEBUG: ProcessImageBase: EP 0x0000D825 image base 0x00400000 size 0x0 entropy 5.726676e+00.
2020-05-23 00:47:05,249 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003C0000, size: 0x3000.
2020-05-23 00:47:05,249 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x003C0000.
2020-05-23 00:47:05,249 [root] DEBUG: AddTrackedRegion: New region at 0x003C0000 size 0x3000 added to tracked regions.
2020-05-23 00:47:05,249 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x003C0000, TrackedRegion->RegionSize: 0x3000, thread 4328
2020-05-23 00:47:05,265 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 4328 type 1 at address 0x003C0000, size 2 with Callback 0x6f4e7ee0.
2020-05-23 00:47:05,265 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x003C0000
2020-05-23 00:47:05,265 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 4328 type 1 at address 0x003C003C, size 4 with Callback 0x6f4e7b30.
2020-05-23 00:47:05,265 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x003C003C
2020-05-23 00:47:05,265 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x003C0000 (size 0x3000).
2020-05-23 00:47:05,281 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-05-23 00:47:05,281 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0040C4FF (thread 4328)
2020-05-23 00:47:05,281 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003C0000.
2020-05-23 00:47:05,281 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3c0000: 0x44.
2020-05-23 00:47:05,296 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-05-23 00:47:05,296 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0040C4FF (thread 4328)
2020-05-23 00:47:05,296 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003C003C.
2020-05-23 00:47:05,296 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x45bff129 (at 0x003C003C).
2020-05-23 00:47:05,296 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003C0000 already exists for thread 4328 (process 4476), skipping.
2020-05-23 00:47:05,296 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003C0000.
2020-05-23 00:47:05,296 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0040C20F (thread 4328)
2020-05-23 00:47:05,312 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003C0000.
2020-05-23 00:47:05,312 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003C0000 already exists for thread 4328 (process 4476), skipping.
2020-05-23 00:47:05,312 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3c0000: 0xe8.
2020-05-23 00:47:05,312 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-05-23 00:47:05,312 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0040C20F (thread 4328)
2020-05-23 00:47:05,312 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003C0000.
2020-05-23 00:47:05,312 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003C0000 already exists for thread 4328 (process 4476), skipping.
2020-05-23 00:47:05,312 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3c0000: 0xe8.
2020-05-23 00:47:05,312 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-05-23 00:47:05,359 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0040C20F (thread 4328)
2020-05-23 00:47:05,359 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003C003C.
2020-05-23 00:47:05,359 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x45bff156 (at 0x003C003C).
2020-05-23 00:47:05,359 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003C0000 already exists for thread 4328 (process 4476), skipping.
2020-05-23 00:47:05,359 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003C0000.
2020-05-23 00:47:05,375 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0040C20F (thread 4328)
2020-05-23 00:47:05,375 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003C003C.
2020-05-23 00:47:05,375 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x45bf5756 (at 0x003C003C).
2020-05-23 00:47:05,375 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003C0000 already exists for thread 4328 (process 4476), skipping.
2020-05-23 00:47:05,375 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003C0000.
2020-05-23 00:47:05,375 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0040C20F (thread 4328)
2020-05-23 00:47:05,375 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003C003C.
2020-05-23 00:47:05,375 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x45335756 (at 0x003C003C).
2020-05-23 00:47:05,375 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003C0000 already exists for thread 4328 (process 4476), skipping.
2020-05-23 00:47:05,390 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003C0000.
2020-05-23 00:47:05,421 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0040C20F (thread 4328)
2020-05-23 00:47:05,500 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003C003C.
2020-05-23 00:47:05,500 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x003C003C).
2020-05-23 00:47:05,500 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003C0000 already exists for thread 4328 (process 4476), skipping.
2020-05-23 00:47:05,500 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003C0000.
2020-05-23 00:47:07,156 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003C0000 (thread 4328)
2020-05-23 00:47:07,156 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x003C0000 (allocation base 0x003C0000).
2020-05-23 00:47:07,171 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3c0000 - 0x3c3000.
2020-05-23 00:47:07,171 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x003C0000.
2020-05-23 00:47:07,187 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x003C003C.
2020-05-23 00:47:07,187 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x003C0000.
2020-05-23 00:47:07,187 [root] DEBUG: ShellcodeExecCallback: About to scan region for a PE image (base 0x003C0000, size 0x3000).
2020-05-23 00:47:07,203 [root] DEBUG: DumpPEsInRange: Scanning range 0x3c0000 - 0x3c3000.
2020-05-23 00:47:07,234 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3c053f
2020-05-23 00:47:07,234 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-05-23 00:47:07,234 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x003C053F.
2020-05-23 00:47:07,234 [root] INFO: ('dump_file', 'C:\\MrsejE\\CAPE\\4476_588155600478823652020', b'8;?C:\\Users\\Louise\\AppData\\Local\\Temp\\_6981343.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\_6981343.exe;?0x003C0000;?', ['4476'], 'CAPE')
2020-05-23 00:47:07,312 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x2000.
2020-05-23 00:47:07,312 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3c153f-0x3c3000.
2020-05-23 00:47:07,312 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2020-05-23 00:47:07,328 [root] DEBUG: set_caller_info: Adding region at 0x003C0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-05-23 00:47:07,328 [root] DEBUG: DLL loaded at 0x6F860000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2020-05-23 00:47:07,328 [root] DEBUG: DLL loaded at 0x6F810000: C:\Windows\system32\webio (0x50000 bytes).
2020-05-23 00:47:07,453 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 00:47:07,468 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 00:47:07,468 [root] DEBUG: ProcessImageBase: EP 0x0000D825 image base 0x00400000 size 0x0 entropy 5.726676e+00.
2020-05-23 00:47:07,468 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-05-23 00:47:07,468 [root] DEBUG: ProtectionHandler: Adding region at 0x003D1000 to tracked regions.
2020-05-23 00:47:07,468 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x003D1000.
2020-05-23 00:47:07,468 [root] DEBUG: AddTrackedRegion: New region at 0x003D0000 size 0x1000 added to tracked regions: EntryPoint 0x1a9c, Entropy 2.361830e+00
2020-05-23 00:47:07,468 [root] DEBUG: ProtectionHandler: Address: 0x003D1000 (alloc base 0x003D0000), NumberOfBytesToProtect: 0x1000, NewAccessProtection: 0x20
2020-05-23 00:47:07,468 [root] DEBUG: ProtectionHandler: Increased region size at 0x003D1000 to 0x2000.
2020-05-23 00:47:07,484 [root] DEBUG: ProtectionHandler: New code detected at (0x003D0000), scanning for PE images.
2020-05-23 00:47:07,484 [root] DEBUG: DumpPEsInRange: Scanning range 0x3d0000 - 0x3d2000.
2020-05-23 00:47:07,484 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3d0000
2020-05-23 00:47:07,484 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x003D0000
2020-05-23 00:47:07,484 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 00:47:07,484 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x003D0000.
2020-05-23 00:47:07,484 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001A9C.
2020-05-23 00:47:07,484 [root] INFO: ('dump_file', 'C:\\MrsejE\\CAPE\\4476_658078152747623652020', b'8;?C:\\Users\\Louise\\AppData\\Local\\Temp\\_6981343.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\_6981343.exe;?0x003D0000;?', ['4476'], 'CAPE')
2020-05-23 00:47:07,531 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2000.
2020-05-23 00:47:07,531 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3d1000-0x3d2000.
2020-05-23 00:47:07,531 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x003D0000 - 0x003D2000.
2020-05-23 00:47:07,531 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x003D0000.
2020-05-23 00:47:07,531 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3d0000 - 0x3d2000.
2020-05-23 00:47:07,531 [root] DEBUG: set_caller_info: Adding region at 0x003D0000 to caller regions list (shell32::SHGetFolderPathW).
2020-05-23 00:47:07,546 [root] DEBUG: DLL loaded at 0x74A10000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-05-23 00:47:07,546 [root] DEBUG: DLL loaded at 0x76780000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-05-23 00:47:07,562 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-05-23 00:47:07,562 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\cryptsp (0x17000 bytes).
2020-05-23 00:47:07,562 [root] DEBUG: DLL loaded at 0x6F7D0000: C:\Windows\system32\credssp (0x8000 bytes).
2020-05-23 00:47:07,562 [root] DEBUG: DLL unloaded from 0x74130000.
2020-05-23 00:47:07,578 [root] DEBUG: DLL loaded at 0x740F0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-05-23 00:47:07,578 [root] DEBUG: DLL loaded at 0x74310000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-05-23 00:47:07,578 [root] DEBUG: DLL loaded at 0x6F800000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-05-23 00:47:07,593 [root] DEBUG: DLL loaded at 0x6F8C0000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-05-23 00:47:07,593 [root] DEBUG: DLL loaded at 0x744E0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-05-23 00:47:07,593 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-05-23 00:47:07,593 [root] DEBUG: DLL loaded at 0x6F7C0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-05-23 00:47:21,843 [root] INFO: Disabling sleep skipping.
2020-05-23 00:48:21,843 [root] DEBUG: DLL unloaded from 0x6F860000.
2020-05-23 00:50:25,093 [root] INFO: Analysis timeout hit, terminating analysis.
2020-05-23 00:50:25,093 [lib.api.process] INFO: Terminate event set for process 4476
2020-05-23 00:50:25,109 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 4476).
2020-05-23 00:50:25,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-05-23 00:50:25,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-05-23 00:50:25,109 [root] DEBUG: ProcessImageBase: EP 0x0000D825 image base 0x00400000 size 0x0 entropy 5.726676e+00.
2020-05-23 00:50:25,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-05-23 00:50:25,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003D0000.
2020-05-23 00:50:25,125 [root] DEBUG: Terminate Event: Skipping dump of process 4476
2020-05-23 00:50:25,125 [lib.api.process] INFO: Termination confirmed for process 4476
2020-05-23 00:50:25,125 [root] INFO: Terminate event set for process 4476.
2020-05-23 00:50:25,125 [root] INFO: Created shutdown mutex.
2020-05-23 00:50:25,125 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 4476
2020-05-23 00:50:26,125 [root] INFO: Shutting down package.
2020-05-23 00:50:26,125 [root] INFO: Stopping auxiliary modules.
2020-05-23 00:50:26,296 [lib.common.results] WARNING: File C:\MrsejE\bin\procmon.xml doesn't exist anymore
2020-05-23 00:50:26,296 [root] INFO: Finishing auxiliary modules.
2020-05-23 00:50:26,296 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-05-23 00:50:26,296 [root] WARNING: Folder at path "C:\MrsejE\debugger" does not exist, skip.
2020-05-23 00:50:26,296 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_4 win7x64_8 KVM 2020-05-23 00:46:20 2020-05-23 00:50:32

File Details

File Name _6981343.exe
File Size 208896 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2020-05-22 11:24:09
MD5 3b82f69f02e87b41cb2f59b5ffa83143
SHA1 3c112035583e43c268e09db9993e2f4625167989
SHA256 df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec
SHA512 9e5744a3955d74db19a0907dabe0129d0ca3e7165e160eb58e6d1c1afa4d00c863fe758ac1b0bddc0b17428e09a82568d20d14eff1865eadbb27ee7ebb4ec0f0
CRC32 0E0581EC
Ssdeep 3072:ZJBeETvF3THd0gojWGr9UeofzrgYIfDLMdaj1fE5ol1QNH14uHWJt:jBtNBNoqet3uMj1sBH9

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4476 triggered the Yara rule 'Bokbot'
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: SHELL32.dll/SHGetFolderPathA
DynamicLoader: WINHTTP.dll/WinHttpSetStatusCallback
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: WS2_32.dll/
File has been identified by 6 Antiviruses on VirusTotal as malicious
McAfee: Emotet-FQQ!3B82F69F02E8
BitDefenderTheta: Gen:[email protected]!Bsdi
APEX: Malicious
Endgame: malicious (high confidence)
Webroot: W32.Trojan.Gen
Rising: Trojan.Kryptik!1.C627 (CLASSIC)
CAPE extracted potentially suspicious content
_6981343.exe: Extracted PE Image: 32-bit executable
_6981343.exe: [{'name': 'Bokbot', 'meta': {'author': '@r0ny_123', 'description': 'Bokbot loader (unpacked)', 'cape_type': 'Bokbot'}, 'strings': [b'QQSUV\x8b\xea\x89L$\x103\xd2W\x8b|$\x1c\x8b\xc2\x88\[email protected]=\x00\x01\x00\x00r\xf5\x8a\xca\x8b\xda\x8bD$\x14\x0f\xb6\xf2\x8a\x14;\x8a\x04\x06\x02\xc2\x02\xc8\x88L$\x13\x0f\xb6\xc9\x8a\x049\x88\x04;\x8dF\x01\x88\x1493\xd2\x8aL$\x13\xf7\xf5C\x81\xfb\x00\x01\x00\x00r\xcb_^][YY\xc3', b'\x8bV\x04\x8dD$\x0c\x8b\x0eUP\xe8C\xff\xff\xff\x8bn\x0cY\x85\xedtMW\x8b~\x10\x8b\xc3\x8bv\x08+\xf7\xfe\xc3\x0f\xb6\xdb\x8aL\x1c\x14\x0f\xb6\xd1\x02\xc2\x0f\xb6\xc0\x89D$\x10\x8aD\x04\x14\x88D\x1c\x14\x8bD$\x10\x88L\x04\x14\x8aD\x1c\x14\x02\xc2\x0f\xb6\xc0\x8aD\x04\x142\x04>\x88\x07G\x8bD$\x10\x83\xed\x01u\xbf_3\[email protected]]\xeb\x02'], 'addresses': {'s1': 4823, 's2': 4650}}]
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\_6981343.exe
Created network traffic indicative of malicious activity
signature: ET DNS Query to a *.pw domain - Likely Hostile
signature: ET DNS Query to a *.top domain - Likely Hostile

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

DNS

Name Response Post-Analysis Lookup
cryptocrio.pw [VT] 46.17.98.48 [VT]
cryptocrio.top [VT] 46.17.98.48 [VT]

Summary

C:\Users\Louise\AppData\Local\Louise\
C:\Users\Louise\AppData\Local\Louise\etjoac.png
C:\Users\Louise\AppData\Local\Louise\etjoac.png
HKEY_CURRENT_USER
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
advapi32.dll.GetUserNameA
shell32.dll.SHGetFolderPathA
winhttp.dll.WinHttpSetStatusCallback
winhttp.dll.WinHttpSendRequest
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpCloseHandle
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpQueryHeaders
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpConnect
kernel32.dll.HeapReAlloc
kernel32.dll.MultiByteToWideChar
kernel32.dll.ExitProcess
kernel32.dll.lstrcpyA
kernel32.dll.Sleep
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualProtect
kernel32.dll.GetModuleFileNameA
kernel32.dll.CreateDirectoryA
kernel32.dll.lstrcatA
kernel32.dll.lstrlenA
kernel32.dll.GetFileSize
kernel32.dll.HeapAlloc
kernel32.dll.CloseHandle
kernel32.dll.CreateFileA
kernel32.dll.HeapFree
kernel32.dll.GetProcessHeap
kernel32.dll.ReadFile
kernel32.dll.WriteFile
user32.dll.wsprintfA
ws2_32.dll.GetAddrInfoW
rpcrt4.dll.RpcBindingFree
ws2_32.dll.#116

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Icon Icon Exact Hash Icon Similarity Hash
0x00400000 0x0040d825 0x0003e512 0x0003e512 4.0 2020-05-22 11:24:09 5d80857374b49e1f7fbd71ef02d96b77 eb44ce8ae1cb0e8ceb423890dee5cc3e 3b5d3c7d207e37dceeedd301e35e2e58

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x0001fe42 0x00020000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.29
.rdata 0x00021000 0x00021000 0x00007ea6 0x00008000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.72
.data 0x00029000 0x00029000 0x00004d29 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.61
.rsrc 0x0002b000 0x0002e000 0x00007cf4 0x00008000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.35

Resources

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_CURSOR 0x0003045c 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.36 None
RT_BITMAP 0x00030d18 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 None
RT_BITMAP 0x00030d18 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 None
RT_BITMAP 0x00030d18 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 None
RT_BITMAP 0x00030d18 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 None
RT_ICON 0x00031144 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.87 None
RT_ICON 0x00031144 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.87 None
RT_MENU 0x00031650 0x00000166 LANG_ENGLISH SUBLANG_ENGLISH_US 3.18 None
RT_MENU 0x00031650 0x00000166 LANG_ENGLISH SUBLANG_ENGLISH_US 3.18 None
RT_MENU 0x00031650 0x00000166 LANG_ENGLISH SUBLANG_ENGLISH_US 3.18 None
RT_DIALOG 0x0003195c 0x000000e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_DIALOG 0x0003195c 0x000000e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_STRING 0x00033220 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 None
RT_ACCELERATOR 0x0003324c 0x00000008 LANG_ENGLISH SUBLANG_ENGLISH_US 2.00 None
RT_RCDATA 0x00033254 0x00002544 LANG_ENGLISH SUBLANG_ENGLISH_US 7.97 None
RT_GROUP_CURSOR 0x00035900 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 None
RT_GROUP_CURSOR 0x00035900 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 None
RT_GROUP_CURSOR 0x00035900 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 None
RT_GROUP_CURSOR 0x00035900 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 None
RT_GROUP_CURSOR 0x00035900 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 None
RT_GROUP_CURSOR 0x00035900 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 None
RT_GROUP_CURSOR 0x00035900 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 None
RT_GROUP_CURSOR 0x00035900 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 None
RT_GROUP_CURSOR 0x00035900 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 None
RT_GROUP_CURSOR 0x00035900 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 None
RT_GROUP_CURSOR 0x00035900 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 None
RT_GROUP_ICON 0x00035938 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.22 None
RT_GROUP_ICON 0x00035938 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.22 None
RT_VERSION 0x0003594c 0x000003a8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.54 None

Imports

0x421098 RtlUnwind
0x42109c GetStartupInfoA
0x4210a0 GetCommandLineA
0x4210a4 ExitProcess
0x4210a8 RaiseException
0x4210ac HeapAlloc
0x4210b0 HeapFree
0x4210b4 CreateThread
0x4210b8 ExitThread
0x4210bc TerminateProcess
0x4210c0 HeapSize
0x4210c4 HeapReAlloc
0x4210c8 GetACP
0x4210e0 GetStdHandle
0x4210e4 GetFileType
0x4210e8 HeapDestroy
0x4210ec HeapCreate
0x4210f0 VirtualFree
0x4210f8 VirtualAlloc
0x4210fc IsBadWritePtr
0x421100 LCMapStringA
0x421104 LCMapStringW
0x421108 GetStringTypeA
0x42110c GetStringTypeW
0x421110 IsBadReadPtr
0x421114 IsBadCodePtr
0x421118 SetStdHandle
0x42111c FlushFileBuffers
0x421120 SetFilePointer
0x421124 WriteFile
0x421128 SetErrorMode
0x421130 GetOEMCP
0x421134 GetCPInfo
0x421138 GetProcessVersion
0x42113c GlobalFlags
0x421140 TlsGetValue
0x421144 LocalReAlloc
0x421148 TlsSetValue
0x421150 GlobalReAlloc
0x421158 TlsFree
0x42115c GlobalHandle
0x421164 TlsAlloc
0x42116c LocalFree
0x421170 LocalAlloc
0x421174 GetLastError
0x421178 MultiByteToWideChar
0x42117c WideCharToMultiByte
0x421184 GetModuleFileNameA
0x421188 GlobalAlloc
0x42118c lstrcmpA
0x421190 GetCurrentThread
0x421194 GlobalFree
0x421198 WaitForSingleObject
0x42119c MulDiv
0x4211a0 SetLastError
0x4211a8 SuspendThread
0x4211ac ResumeThread
0x4211b0 GlobalLock
0x4211b4 lstrcpynA
0x4211b8 GlobalUnlock
0x4211bc lstrlenA
0x4211c0 LoadLibraryA
0x4211c4 FreeLibrary
0x4211c8 LockResource
0x4211cc lstrcatA
0x4211d0 GetCurrentThreadId
0x4211d4 GlobalGetAtomNameA
0x4211d8 lstrcmpiA
0x4211dc GlobalAddAtomA
0x4211e0 GlobalFindAtomA
0x4211e4 GlobalDeleteAtom
0x4211e8 lstrcpyA
0x4211ec GetModuleHandleA
0x4211f0 GetProcAddress
0x4211f4 SetEvent
0x4211f8 CloseHandle
0x4211fc GetVersion
0x421200 CreateEventA
0x421204 LoadLibraryExW
0x421208 LoadLibraryExA
0x42120c FindResourceA
0x421210 LoadResource
0x421214 SizeofResource
0x421218 GetCurrentProcess
0x42121c SetHandleCount
0x421230 BringWindowToTop
0x421234 DefFrameProcA
0x421240 DrawMenuBar
0x421244 DefMDIChildProcA
0x421248 RedrawWindow
0x42124c GetActiveWindow
0x421250 DestroyMenu
0x421254 SetRectEmpty
0x421258 LoadAcceleratorsA
0x42125c ReleaseCapture
0x421260 SetCursor
0x421264 IsWindowEnabled
0x421268 GetDesktopWindow
0x42126c ShowWindow
0x421270 SetMenu
0x421274 ReuseDDElParam
0x421278 UnpackDDElParam
0x42127c IsDialogMessageA
0x421280 SetWindowTextA
0x421284 GetNextDlgTabItem
0x421288 EnableMenuItem
0x42128c CheckMenuItem
0x421290 SetMenuItemBitmaps
0x421294 ModifyMenuA
0x421298 GetMenuState
0x42129c LoadBitmapA
0x4212a4 GetCursorPos
0x4212a8 ValidateRect
0x4212ac TranslateMessage
0x4212b0 GetMessageA
0x4212b4 ClientToScreen
0x4212b8 BeginPaint
0x4212bc EndPaint
0x4212c0 TabbedTextOutA
0x4212c4 GrayStringA
0x4212cc EndDialog
0x4212d0 PostQuitMessage
0x4212d4 ShowOwnedPopups
0x4212d8 LoadStringA
0x4212dc GetClassNameA
0x4212e0 PtInRect
0x4212e4 GetSysColorBrush
0x4212e8 GetFocus
0x4212ec SetActiveWindow
0x4212f0 IsWindow
0x4212f4 SetFocus
0x4212f8 AdjustWindowRectEx
0x4212fc PostMessageA
0x421300 EqualRect
0x421304 DeferWindowPos
0x421308 BeginDeferWindowPos
0x42130c CopyRect
0x421310 EndDeferWindowPos
0x421314 IsWindowVisible
0x421318 GetTopWindow
0x42131c MessageBoxA
0x421320 GetParent
0x421324 GetCapture
0x421328 WinHelpA
0x42132c wsprintfA
0x421330 GetClassInfoA
0x421334 RegisterClassA
0x421338 GetMenu
0x42133c GetMenuItemCount
0x421340 GetSubMenu
0x421344 GetMenuItemID
0x421348 GetDlgItem
0x42134c GetWindowTextA
0x421350 GetDlgCtrlID
0x421354 GetKeyState
0x421358 DefWindowProcA
0x42135c DestroyWindow
0x421360 CreateWindowExA
0x421364 SetWindowsHookExA
0x421368 CallNextHookEx
0x42136c GetClassLongA
0x421370 SetPropA
0x421374 UnhookWindowsHookEx
0x421378 GetPropA
0x42137c CallWindowProcA
0x421380 RemovePropA
0x421384 GetMessageTime
0x421388 GetMessagePos
0x42138c GetLastActivePopup
0x421390 GetForegroundWindow
0x421394 SetForegroundWindow
0x421398 GetWindowLongA
0x42139c SetWindowLongA
0x4213a0 SetWindowPos
0x4213ac IsIconic
0x4213b0 GetWindowPlacement
0x4213b4 GetWindowRect
0x4213b8 GetSystemMetrics
0x4213bc UpdateWindow
0x4213c0 GetSystemMenu
0x4213c4 GetWindow
0x4213c8 EnumChildWindows
0x4213cc DrawTextA
0x4213d0 LoadIconA
0x4213d4 GetClientRect
0x4213d8 KillTimer
0x4213dc InvalidateRect
0x4213e0 GetSysColor
0x4213e4 SendDlgItemMessageA
0x4213e8 MapWindowPoints
0x4213ec PeekMessageA
0x4213f0 ScreenToClient
0x4213f4 DispatchMessageA
0x4213f8 FillRect
0x4213fc SetTimer
0x421400 GetDC
0x421404 ReleaseDC
0x421408 EnableWindow
0x42140c LoadCursorA
0x421410 SendMessageA
0x421414 LoadMenuA
0x421418 UnregisterClassA
0x42101c DeleteDC
0x421020 SaveDC
0x421024 RestoreDC
0x421028 SelectObject
0x42102c GetStockObject
0x421030 SetMapMode
0x421034 SetViewportOrgEx
0x421038 OffsetViewportOrgEx
0x42103c SetViewportExtEx
0x421040 ScaleViewportExtEx
0x421044 SetWindowExtEx
0x421048 ScaleWindowExtEx
0x42104c CreateBitmap
0x421050 DeleteObject
0x421054 CreateSolidBrush
0x421058 CreateHatchBrush
0x42105c PtVisible
0x421060 RectVisible
0x421064 TextOutA
0x421068 ExtTextOutA
0x42106c Escape
0x421070 SetBkColor
0x421074 GetObjectA
0x421078 SetTextColor
0x42107c GetClipBox
0x421080 BitBlt
0x421084 CreateCompatibleDC
0x42108c Ellipse
0x421090 GetDeviceCaps
0x421430 ChooseColorA
0x421420 OpenPrinterA
0x421424 DocumentPropertiesA
0x421428 ClosePrinter
0x421000 RegSetValueExA
0x421004 RegOpenKeyExA
0x421008 RegCreateKeyExA
0x42100c RegCloseKey
0x421224 DragQueryFileA
0x421228 DragFinish
0x421014 None

!This program cannot be run in DOS mode.
%RichLv
.text
`.rdata
@.data
.rsrc
D$LQP
L$(WQ
D$,RP
D$(UP
L$X_^][d
#D$ P
D$DWUQRP
L$8^d
L$h^d
L$lPj
QSUVW
_^][Y
D$4SUVWj
L$LQR
L$0_^]
t=hx!B
t,hd!B
VPVj0
QQSVWd
X_^[]
SVWUj
t.;t$$t(
uRFGHt
VWjtj
Yt)W3
YY_^[
sO;>|C;~
QQSVW
t:jtj
u?jtj
QQSVW
QQSVW
wBVSP
?=t"U
t#SSUP
t$$VSS
_^][YY
HSVWh
VC20XC00U
PPPPPPPP
uFWWj
tMWWS
PPPPPPPP
PPPPPPPP
VWuBhXAB
tPh<AB
^}%95d
HSVHWtgHHtF
YYF;5
FGQPS
~\j$j
X_^[]
PQQQQQ
u*9] t
VwltB
PPPPhd
SUVWj
tvWWWWU
ug9|$
te9|$
WWWWU
F,_^][
E SVj
(wqt\HHtS
tFHt>
t>Ht Ht
F(t]P
QSUVWj
n0SSSSU
_SSSSU
Ph_^][Y
VVUVS
_^][Y
tuHHt
tD9_Pt?
9X tn
~0PPW
Phx4B
tAhx5B
Yt&h\6B
ShMuA
~<j j
WWWWW
X_^[]
QQSVW
WWWWh
u 9D$
QQSVW
9FDu/W
WWWWSWh
X_^[]Y
SSSSS
_^][Y
SUVWtT
u09t$
9nPtWSW
9HPtL9L$
_^][Y
_[^]Y
F$ ]t
F(,!B
X_^[]
PX_^[
QQSVW
P|C;]
PSSSSS
SSSSS
t1Ht'Ht
9\$ t
FXWPj
VHtNHteHub3
u 9QX
_j X;
@(2eA
PhH8B
_^]YY
QQSVW
u5SVW
PWVWWW
WVWWW
9^xu2
^,_^][
CTempWnd
AfxOldWndProc423
AfxWnd42s
AfxControlBar42s
AfxMDIFrame42s
AfxFrameOrView42s
AfxOleControl42s
GetMonitorInfoA
EnumDisplayMonitors
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
GetSystemMetrics
USER32
DISPLAY
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
InitCommonControlsEx
COMCTL32.DLL
CMDIChildWnd
CMDIFrameWnd
mdiclient
CTempMenu
CMenu
CFrameWnd
MSWHEEL_ROLLMSG
CCmdTarget
CWinThread
CTempGdiObject
CTempDC
CBitmap
CBrush
CGdiObject
CPaintDC
CClientDC
CUserException
CResourceException
CDialog
MS Sans Serif
MS Shell Dlg
CColorDialog
CWinApp
PreviewPages
Settings
CNotSupportedException
CMemoryException
CException
combobox
CMapPtrToPtr
CObject
CPtrList
System
commdlg_SetRGBColor
commdlg_help
commdlg_ColorOK
commdlg_FileNameOK
commdlg_ShareViolation
commdlg_LBSelChangedNotify
software
CFileDialog
H:mm:ss
dddd, MMMM dd, yyyy
M/d/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
(8PX
700WP
`h````
ppxxxx
(null)
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
string too long
invalid string position
Unknown exception
WaitForSingleObject
GetCurrentProcess
SizeofResource
LoadResource
FindResourceA
LoadLibraryExA
LoadLibraryExW
CreateEventA
GetVersion
CloseHandle
SetEvent
GetProcAddress
GetModuleHandleA
lstrcpyA
GlobalDeleteAtom
GlobalFindAtomA
GlobalAddAtomA
lstrcmpiA
GlobalGetAtomNameA
GetCurrentThreadId
lstrcatA
LockResource
FreeLibrary
LoadLibraryA
lstrlenA
GlobalUnlock
lstrcpynA
GlobalLock
ResumeThread
SuspendThread
InterlockedDecrement
SetLastError
MulDiv
GlobalFree
GetCurrentThread
lstrcmpA
GlobalAlloc
GetModuleFileNameA
InterlockedIncrement
WideCharToMultiByte
MultiByteToWideChar
GetLastError
LocalAlloc
LocalFree
InitializeCriticalSection
TlsAlloc
DeleteCriticalSection
GlobalHandle
TlsFree
LeaveCriticalSection
GlobalReAlloc
EnterCriticalSection
TlsSetValue
LocalReAlloc
TlsGetValue
GlobalFlags
GetProcessVersion
GetCPInfo
GetOEMCP
WritePrivateProfileStringA
SetErrorMode
WriteFile
SetFilePointer
FlushFileBuffers
RtlUnwind
GetStartupInfoA
GetCommandLineA
ExitProcess
RaiseException
HeapAlloc
HeapFree
CreateThread
ExitThread
TerminateProcess
HeapSize
HeapReAlloc
GetACP
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
HeapDestroy
HeapCreate
VirtualFree
SetUnhandledExceptionFilter
VirtualAlloc
IsBadWritePtr
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
IsBadReadPtr
IsBadCodePtr
SetStdHandle
KERNEL32.dll
LoadMenuA
SendMessageA
LoadCursorA
EnableWindow
ReleaseDC
GetDC
SetTimer
FillRect
GetSysColor
InvalidateRect
KillTimer
GetClientRect
LoadIconA
DrawTextA
EnumChildWindows
GetWindow
GetSystemMenu
UpdateWindow
GetSystemMetrics
GetWindowRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
RegisterWindowMessageA
SetWindowPos
SetWindowLongA
GetWindowLongA
SetForegroundWindow
GetForegroundWindow
GetLastActivePopup
GetMessagePos
GetMessageTime
RemovePropA
CallWindowProcA
GetPropA
UnhookWindowsHookEx
SetPropA
GetClassLongA
CallNextHookEx
SetWindowsHookExA
CreateWindowExA
DestroyWindow
DefWindowProcA
GetKeyState
GetDlgCtrlID
GetWindowTextA
GetDlgItem
GetMenuItemID
GetSubMenu
GetMenuItemCount
GetMenu
RegisterClassA
GetClassInfoA
wsprintfA
WinHelpA
GetCapture
GetParent
MessageBoxA
GetTopWindow
IsWindowVisible
EndDeferWindowPos
CopyRect
BeginDeferWindowPos
DeferWindowPos
EqualRect
ScreenToClient
AdjustWindowRectEx
SetFocus
IsWindow
SetActiveWindow
GetFocus
DispatchMessageA
PeekMessageA
MapWindowPoints
SendDlgItemMessageA
PostMessageA
BringWindowToTop
DefFrameProcA
TranslateMDISysAccel
TranslateAcceleratorA
DrawMenuBar
DefMDIChildProcA
RedrawWindow
GetActiveWindow
DestroyMenu
SetRectEmpty
LoadAcceleratorsA
ReleaseCapture
SetCursor
IsWindowEnabled
GetDesktopWindow
ShowWindow
SetMenu
ReuseDDElParam
UnpackDDElParam
IsDialogMessageA
SetWindowTextA
GetNextDlgTabItem
EnableMenuItem
CheckMenuItem
SetMenuItemBitmaps
ModifyMenuA
GetMenuState
LoadBitmapA
GetMenuCheckMarkDimensions
GetCursorPos
ValidateRect
TranslateMessage
GetMessageA
ClientToScreen
BeginPaint
EndPaint
TabbedTextOutA
GrayStringA
CreateDialogIndirectParamA
EndDialog
PostQuitMessage
ShowOwnedPopups
LoadStringA
GetClassNameA
PtInRect
GetSysColorBrush
USER32.dll
GetDeviceCaps
Ellipse
CreateCompatibleBitmap
CreateCompatibleDC
BitBlt
GetClipBox
SetTextColor
SetBkColor
GetObjectA
CreateBitmap
DeleteDC
SaveDC
RestoreDC
SelectObject
GetStockObject
SetMapMode
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
DeleteObject
CreateSolidBrush
CreateHatchBrush
PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape
GDI32.dll
ChooseColorA
comdlg32.dll
ClosePrinter
DocumentPropertiesA
OpenPrinterA
WINSPOOL.DRV
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegSetValueExA
ADVAPI32.dll
DragFinish
DragQueryFileA
SHELL32.dll
COMCTL32.dll
UnregisterClassA
CBounceWnd
Not enough timers available for this window.
MDI:Bounce
Hello, World!
CMainFrame
Bounce
Hello
383669855
KERNEL32.dll
SFBZDMGpTH0uo8HY9FWoeHUNkY4fKFfSeQnB8dneYCM2HYnup4LP7BDcbuhPIKKp
j5T910HSZZJoJ4lvoHmIbx8Z7wY0Cs2spd
CBounceThread
BounceMTChildWnd
wwwwww
wwwwww
wwwwww
wwwwww
wwwwww
wwwwww
wwwwww
wwwwww
IVb"G
31}`0
oL>>J
<%Rzl
|R|S ~x}
p3lB
Xf&;|
c[x>XU
v~a3s
)\QK%
U6E,h>
0%7Z^
bjz ^
LEX7vO
@gzb^
yH#LLHnd
8Z1QO
;mWt!
Z_"wb
}~Wxa
kg:8P
@3CH<
@s|=|
"XA O
!V{li1\+i'j
yO[(w
(qy6/
jWc?j
zmV'D
ySFSY
mO-yJJ
O~3q>#
%nYFn;
!lE2)6s
hV$ic
q3~so
s04G[
Wq09`x
<3%4/
jm9n:
~:Q'Hy
5,4%YV
Q .ve
'H/%^%
rFoP?
hs4Q8
]yk=.4
V9B2pox
Bjjjj
(null)
WerFault.exe
((((( H
&File
New &Bounce
New &Hello
E&xit
&Help
&About MDI...
&File
New &Bounce
New &Hello
E&xit
&Color
&Black
&Green
B&lue
&White
&Custom...
&Speed
&Slow
&Fast
&Window
&Cascade
&Tile
&Arrange &Icons
&Help
&About MDI...
&File
New &Bounce
New &Hello
E&xit
&Color
&Black
&Green
B&lue
&White
&Custom...
&Window
&Cascade
&Tile
&Arrange &Icons
&Help
&About MDI...
About MDI
MS Sans Serif
Microsoft Windows
Microsoft Foundation Classes
MDI Sample
Version 9.0
MS Shell Dlg
&New
Cancel
&Help
MDI Windows ApplicationsThis sample application can be run only on versions of Windows that support the WIN32 API for multi-thread support.
MDI Windows Application
Ready
Save As
All Files (*.*)
Untitled
an unnamed file
&Hide
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Out of memory.
An unknown error has occurred.
Linked %s
Unknown Type
Invalid filename.
Failed to open document.
Failed to save document.
Save changes to %1? Failed to create empty document.
The file is too large to open.
Could not start print job.
Failed to launch help.
Internal application error.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Please enter an integer.
Please enter a number.*Please enter an integer between %1 and %2.(Please enter a number between %1 and %2.(Please enter no more than %1 characters.
Please select a button.*Please enter an integer between 0 and 255. Please enter a positive integer. Please enter a date and/or time.
Please enter a currency.
Unexpected file format.V%1
Cannot find this file.
Please verify that the correct path and file name are given.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
6The file is not supported by a Document Object server.A%1
Unable to register document.
The document may already be open.
#Unable to read write-only property.#Unable to write read-only property.
#Unable to load mail system support.
Mail system DLL is invalid.!Send Mail failed to send message.
No error occurred.-An unknown error occurred while accessing %1.
%1 was not found.
%1 contains an invalid path.=%1 could not be opened because there are too many open files.
Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on %15A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
%1 has a bad format."%1 contained an unexpected object. %1 contains an incorrect schema.
pixels
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Microsoft Corporation
FileDescription
Network Configuration Objects
FileVersion
6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName
netcfgx.dll
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
netcfgx.dll
ProductName
Microsoft
Windows
Operating System
ProductVersion
6.1.7601.17514
VarFileInfo
Translation

Full Results

Engine Signature Engine Signature Engine Signature
Bkav Clean MicroWorld-eScan Clean CMC Clean
CAT-QuickHeal Clean Qihoo-360 Clean McAfee Emotet-FQQ!3B82F69F02E8
ALYac Clean Cylance Clean Zillya Clean
Sangfor Clean K7AntiVirus Clean Alibaba Clean
K7GW Clean CrowdStrike Clean Arcabit Clean
Invincea Clean BitDefenderTheta Gen:[email protected]!Bsdi Cyren Clean
Symantec Clean ESET-NOD32 Clean Baidu Clean
APEX Malicious Paloalto Clean ClamAV Clean
Kaspersky Clean BitDefender Clean NANO-Antivirus Clean
ViRobot Clean SUPERAntiSpyware Clean Avast Clean
Tencent Clean Endgame malicious (high confidence) Sophos Clean
Comodo Clean F-Secure Clean DrWeb Clean
VIPRE Clean TrendMicro Clean McAfee-GW-Edition Clean
Trapmine Clean FireEye Clean Emsisoft Clean
Ikarus Clean F-Prot Clean Jiangmin Clean
Webroot W32.Trojan.Gen Avira Clean Antiy-AVL Clean
Kingsoft Clean Microsoft Clean AegisLab Clean
ZoneAlarm Clean Avast-Mobile Clean GData Clean
TACHYON Clean AhnLab-V3 Clean Acronis Clean
VBA32 Clean MAX Clean Ad-Aware Clean
Malwarebytes Clean Zoner Clean TrendMicro-HouseCall Clean
Rising Trojan.Kryptik!1.C627 (CLASSIC) Yandex Clean SentinelOne Clean
eGambit Clean Fortinet Clean AVG Clean
Cybereason Clean Panda Clean MaxSecure Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.9 49327 1.1.1.1 53
192.168.1.9 49929 1.1.1.1 53
192.168.1.9 51751 1.1.1.1 53
192.168.1.9 52107 1.1.1.1 53
192.168.1.9 52387 1.1.1.1 53
192.168.1.9 53599 1.1.1.1 53
192.168.1.9 54190 1.1.1.1 53
192.168.1.9 54609 1.1.1.1 53
192.168.1.9 55233 1.1.1.1 53
192.168.1.9 55319 1.1.1.1 53
192.168.1.9 57024 1.1.1.1 53
192.168.1.9 57309 1.1.1.1 53
192.168.1.9 57353 1.1.1.1 53
192.168.1.9 57511 1.1.1.1 53
192.168.1.9 59058 1.1.1.1 53
192.168.1.9 59225 1.1.1.1 53
192.168.1.9 62673 1.1.1.1 53
192.168.1.9 62770 1.1.1.1 53
192.168.1.9 63034 1.1.1.1 53
192.168.1.9 63630 1.1.1.1 53
192.168.1.9 64185 1.1.1.1 53
192.168.1.9 64603 1.1.1.1 53
192.168.1.9 64674 1.1.1.1 53
192.168.1.9 137 192.168.1.255 137
192.168.1.9 49327 8.8.8.8 53
192.168.1.9 49929 8.8.8.8 53
192.168.1.9 51751 8.8.8.8 53
192.168.1.9 52107 8.8.8.8 53
192.168.1.9 52387 8.8.8.8 53
192.168.1.9 53599 8.8.8.8 53
192.168.1.9 54190 8.8.8.8 53
192.168.1.9 54609 8.8.8.8 53
192.168.1.9 55233 8.8.8.8 53
192.168.1.9 55319 8.8.8.8 53
192.168.1.9 57024 8.8.8.8 53
192.168.1.9 57309 8.8.8.8 53
192.168.1.9 57353 8.8.8.8 53
192.168.1.9 57511 8.8.8.8 53
192.168.1.9 59058 8.8.8.8 53
192.168.1.9 59225 8.8.8.8 53
192.168.1.9 62673 8.8.8.8 53
192.168.1.9 62770 8.8.8.8 53
192.168.1.9 63034 8.8.8.8 53
192.168.1.9 63630 8.8.8.8 53
192.168.1.9 64185 8.8.8.8 53
192.168.1.9 64603 8.8.8.8 53
192.168.1.9 64674 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
cryptocrio.pw [VT] 46.17.98.48 [VT]
cryptocrio.top [VT] 46.17.98.48 [VT]

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
1.1.1.1 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3
8.8.8.8 192.168.1.9 3

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-05-23 00:47:12.190 192.168.1.9 59225 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:13.176 192.168.1.9 59225 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:14.176 192.168.1.9 59225 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:16.176 192.168.1.9 59225 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:16.176 192.168.1.9 59225 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:20.175 192.168.1.9 59225 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:20.176 192.168.1.9 59225 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:31.431 192.168.1.9 54609 8.8.8.8 53 UDP 1 2023883 3 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:42.681 192.168.1.9 55319 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:42.681 192.168.1.9 55319 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:42.682 192.168.1.9 55319 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:42.683 192.168.1.9 55319 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:42.684 192.168.1.9 55319 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:42.684 192.168.1.9 55319 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:47:42.685 192.168.1.9 55319 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:05.186 192.168.1.9 63630 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:05.187 192.168.1.9 63630 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:05.187 192.168.1.9 63630 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:05.188 192.168.1.9 63630 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:05.189 192.168.1.9 63630 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:05.189 192.168.1.9 63630 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:05.190 192.168.1.9 63630 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:16.442 192.168.1.9 54190 8.8.8.8 53 UDP 1 2023883 3 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:27.699 192.168.1.9 57309 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:27.700 192.168.1.9 57309 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:27.701 192.168.1.9 57309 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:27.702 192.168.1.9 57309 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:27.702 192.168.1.9 57309 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:27.703 192.168.1.9 57309 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:27.703 192.168.1.9 57309 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:50.212 192.168.1.9 64185 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:50.213 192.168.1.9 64185 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:50.214 192.168.1.9 64185 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:50.215 192.168.1.9 64185 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:50.215 192.168.1.9 64185 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:50.216 192.168.1.9 64185 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:48:50.217 192.168.1.9 64185 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:12.709 192.168.1.9 57511 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:13.707 192.168.1.9 57511 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:13.708 192.168.1.9 57511 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:15.707 192.168.1.9 57511 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:15.708 192.168.1.9 57511 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:15.709 192.168.1.9 57511 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:15.709 192.168.1.9 57511 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:26.965 192.168.1.9 49327 1.1.1.1 53 UDP 1 2023883 3 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:38.213 192.168.1.9 57024 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:38.216 192.168.1.9 57024 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:38.216 192.168.1.9 57024 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:38.217 192.168.1.9 57024 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:38.217 192.168.1.9 57024 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:38.218 192.168.1.9 57024 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:49:38.218 192.168.1.9 57024 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:00.710 192.168.1.9 63034 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:00.711 192.168.1.9 63034 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:00.712 192.168.1.9 63034 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:00.712 192.168.1.9 63034 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:00.713 192.168.1.9 63034 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:00.714 192.168.1.9 63034 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:00.714 192.168.1.9 63034 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:11.960 192.168.1.9 52107 8.8.8.8 53 UDP 1 2023883 3 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:23.214 192.168.1.9 52387 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:23.214 192.168.1.9 52387 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:23.215 192.168.1.9 52387 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:23.216 192.168.1.9 52387 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:23.216 192.168.1.9 52387 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:23.217 192.168.1.9 52387 1.1.1.1 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2
2020-05-23 00:50:23.218 192.168.1.9 52387 8.8.8.8 53 UDP 1 2016778 6 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic 2

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Type Extracted PE Image: 32-bit executable
Size 8192 bytes
Virtual Address 0x003C0000
Process _6981343.exe
PID 4476
Path C:\Users\Louise\AppData\Local\Temp\_6981343.exe
PE timestamp 2020-04-15 13:09:01
MD5 10e9edc27fc082dde37413caf778f979
SHA1 b9e277ff53d1ef099369c900c8360967f9f4e720
SHA256 8b8895538a2b673fa3e187547a01fa60bc98ca94d9e3d0e37e16c4a5aa4c882f
CRC32 5CD5905A
Ssdeep 192:/56iXvwj608jijUhR4CbvpSC0Ss9C1DD:/5VfRhRZpxA9C1
Yara None matched
CAPE Yara
  • Bokbot Bokbot - Author: @r0ny_123

Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature

    Processing ( 10.753 seconds )

    • 5.251 Suricata
    • 3.444 NetworkAnalysis
    • 0.912 Static
    • 0.641 peid
    • 0.202 VirusTotal
    • 0.099 Deduplicate
    • 0.079 CAPE
    • 0.07 BehaviorAnalysis
    • 0.024 TargetInfo
    • 0.022 AnalysisInfo
    • 0.005 Strings
    • 0.004 Debug

    Signatures ( 0.076 seconds )

    • 0.01 ransomware_files
    • 0.008 antiav_detectreg
    • 0.006 ransomware_extensions
    • 0.005 antiav_detectfile
    • 0.004 infostealer_ftp
    • 0.004 territorial_disputes_sigs
    • 0.003 persistence_autorun
    • 0.003 antianalysis_detectfile
    • 0.003 infostealer_bitcoin
    • 0.003 infostealer_im
    • 0.002 api_spamming
    • 0.002 antivm_vbox_files
    • 0.002 infostealer_mail
    • 0.002 masquerade_process_name
    • 0.002 network_torgateway
    • 0.001 antiemu_wine_func
    • 0.001 betabot_behavior
    • 0.001 decoy_document
    • 0.001 dynamic_function_loading
    • 0.001 infostealer_browser_password
    • 0.001 kibex_behavior
    • 0.001 malicious_dynamic_function_loading
    • 0.001 NewtWire Behavior
    • 0.001 stealth_timeout
    • 0.001 tinba_behavior
    • 0.001 antianalysis_detectreg
    • 0.001 antivm_vbox_keys
    • 0.001 geodo_banking_trojan
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 network_dns_opennic
    • 0.001 revil_mutexes

    Reporting ( 1.758 seconds )

    • 1.693 BinGraph
    • 0.044 MITRE_TTPS
    • 0.021 PCAP2CERT