Analysis

Category FILE
Package regsvr
Started 2020-05-23 03:43:28
Completed 2020-05-23 03:47:47
Duration 259 seconds
Options route = inetsim
Log
2020-05-13 09:29:14,292 [root] INFO: Date set to: 20200523T03:43:28, timeout set to: 200
2020-05-23 03:43:28,078 [root] DEBUG: Starting analyzer from: C:\tmp558c2t_g
2020-05-23 03:43:28,093 [root] DEBUG: Storing results at: C:\PFWrvlFRS
2020-05-23 03:43:28,093 [root] DEBUG: Pipe server name: \\.\PIPE\wZtfKHfdF
2020-05-23 03:43:28,093 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-05-23 03:43:28,093 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-05-23 03:43:28,093 [root] INFO: Automatically selected analysis package "regsvr"
2020-05-23 03:43:28,093 [root] DEBUG: Trying to import analysis package "regsvr"...
2020-05-23 03:43:28,109 [root] DEBUG: Imported analysis package "regsvr".
2020-05-23 03:43:28,109 [root] DEBUG: Trying to initialize analysis package "regsvr"...
2020-05-23 03:43:28,109 [root] DEBUG: Initialized analysis package "regsvr".
2020-05-23 03:43:28,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-05-23 03:43:28,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-05-23 03:43:28,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-05-23 03:43:28,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-05-23 03:43:28,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-05-23 03:43:28,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-05-23 03:43:28,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-05-23 03:43:28,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-05-23 03:43:28,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-05-23 03:43:28,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-05-23 03:43:28,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-05-23 03:43:28,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-05-23 03:43:28,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-05-23 03:43:28,203 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-05-23 03:43:28,203 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-05-23 03:43:28,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-05-23 03:43:28,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-05-23 03:43:28,203 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-05-23 03:43:28,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-05-23 03:43:28,203 [lib.api.screenshot] DEBUG: Importing 'math'
2020-05-23 03:43:28,203 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-05-23 03:43:28,328 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-05-23 03:43:28,359 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-05-23 03:43:28,359 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-05-23 03:43:28,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-05-23 03:43:28,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-05-23 03:43:28,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-05-23 03:43:28,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-05-23 03:43:28,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-05-23 03:43:28,375 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-05-23 03:43:28,375 [root] DEBUG: Initialized auxiliary module "Browser".
2020-05-23 03:43:28,375 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-05-23 03:43:28,390 [root] DEBUG: Started auxiliary module Browser
2020-05-23 03:43:28,390 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-05-23 03:43:28,406 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-05-23 03:43:28,406 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-05-23 03:43:28,406 [root] DEBUG: Started auxiliary module Curtain
2020-05-23 03:43:28,406 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-05-23 03:43:28,406 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-05-23 03:43:28,406 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-05-23 03:43:28,406 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-05-23 03:43:29,031 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-05-23 03:43:29,031 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-05-23 03:43:29,031 [root] DEBUG: Started auxiliary module DigiSig
2020-05-23 03:43:29,031 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-05-23 03:43:29,031 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-05-23 03:43:29,031 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-05-23 03:43:29,062 [root] DEBUG: Started auxiliary module Disguise
2020-05-23 03:43:29,062 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-05-23 03:43:29,062 [root] DEBUG: Initialized auxiliary module "Human".
2020-05-23 03:43:29,062 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-05-23 03:43:29,062 [root] DEBUG: Started auxiliary module Human
2020-05-23 03:43:29,062 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-05-23 03:43:29,062 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-05-23 03:43:29,062 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-05-23 03:43:29,062 [root] DEBUG: Started auxiliary module Procmon
2020-05-23 03:43:29,078 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-05-23 03:43:29,078 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-05-23 03:43:29,078 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-05-23 03:43:29,078 [root] DEBUG: Started auxiliary module Screenshots
2020-05-23 03:43:29,078 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-05-23 03:43:29,078 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-05-23 03:43:29,078 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-05-23 03:43:29,078 [root] DEBUG: Started auxiliary module Sysmon
2020-05-23 03:43:29,078 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-05-23 03:43:29,078 [root] DEBUG: Initialized auxiliary module "Usage".
2020-05-23 03:43:29,078 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-05-23 03:43:29,093 [root] DEBUG: Started auxiliary module Usage
2020-05-23 03:43:29,093 [root] INFO: Analyzer: Package modules.packages.regsvr does not specify a DLL option
2020-05-23 03:43:29,093 [root] INFO: Analyzer: Package modules.packages.regsvr does not specify a DLL_64 option
2020-05-23 03:43:29,093 [root] INFO: Analyzer: Package modules.packages.regsvr does not specify a loader option
2020-05-23 03:43:29,093 [root] INFO: Analyzer: Package modules.packages.regsvr does not specify a loader_64 option
2020-05-23 03:43:29,203 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\regsvr32.exe" with arguments "C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll" with pid 596
2020-05-23 03:43:29,203 [lib.api.process] INFO: Monitor config for process 596: C:\tmp558c2t_g\dll\596.ini
2020-05-23 03:43:29,218 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\xkerYcgQ.dll, loader C:\tmp558c2t_g\bin\fSJnJfn.exe
2020-05-23 03:43:29,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wZtfKHfdF.
2020-05-23 03:43:29,312 [root] DEBUG: Loader: Injecting process 596 (thread 3004) with C:\tmp558c2t_g\dll\xkerYcgQ.dll.
2020-05-23 03:43:29,312 [root] DEBUG: Process image base: 0x00770000
2020-05-23 03:43:29,312 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\xkerYcgQ.dll.
2020-05-23 03:43:29,312 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 03:43:29,328 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\xkerYcgQ.dll.
2020-05-23 03:43:29,328 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 596
2020-05-23 03:43:31,328 [lib.api.process] INFO: Successfully resumed process with pid 596
2020-05-23 03:43:31,500 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 03:43:31,515 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 03:43:31,515 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 03:43:31,515 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 596 at 0x6fa60000, image base 0x770000, stack from 0x2c5000-0x2d0000
2020-05-23 03:43:31,515 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\system32\regsvr32.exe" C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll.
2020-05-23 03:43:31,578 [root] INFO: loaded: b'596'
2020-05-23 03:43:31,578 [root] INFO: Loaded monitor into process with pid 596
2020-05-23 03:43:31,593 [root] INFO: Disabling sleep skipping.
2020-05-23 03:43:31,593 [root] INFO: Disabling sleep skipping.
2020-05-23 03:43:31,593 [root] INFO: Disabling sleep skipping.
2020-05-23 03:43:31,640 [root] DEBUG: Target DLL loaded at 0x6F750000: C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll (0x17000 bytes).
2020-05-23 03:43:31,640 [root] DEBUG: set_caller_info: Adding region at 0x6F750000 to caller regions list (ntdll::memcpy).
2020-05-23 03:43:31,656 [root] INFO: Announced 32-bit process name: cmd.exe pid: 4116
2020-05-23 03:43:31,656 [lib.api.process] INFO: Monitor config for process 4116: C:\tmp558c2t_g\dll\4116.ini
2020-05-23 03:43:31,656 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\xkerYcgQ.dll, loader C:\tmp558c2t_g\bin\fSJnJfn.exe
2020-05-23 03:43:31,703 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wZtfKHfdF.
2020-05-23 03:43:31,703 [root] DEBUG: Loader: Injecting process 4116 (thread 2684) with C:\tmp558c2t_g\dll\xkerYcgQ.dll.
2020-05-23 03:43:31,703 [root] DEBUG: Process image base: 0x4A970000
2020-05-23 03:43:31,703 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\xkerYcgQ.dll.
2020-05-23 03:43:31,703 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-05-23 03:43:31,703 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-05-23 03:43:31,937 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 03:43:31,953 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 03:43:31,953 [root] INFO: Disabling sleep skipping.
2020-05-23 03:43:31,953 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4116 at 0x6fa60000, image base 0x4a970000, stack from 0x423000-0x520000
2020-05-23 03:43:31,953 [root] DEBUG: Commandline: C:\Windows\System32\cmd.exe \c c:\windows\system32\cmd.exe \c "calc.exe".
2020-05-23 03:43:32,015 [root] INFO: loaded: b'4116'
2020-05-23 03:43:32,015 [root] INFO: Loaded monitor into process with pid 4116
2020-05-23 03:43:32,015 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-05-23 03:43:32,015 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-05-23 03:43:32,015 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\xkerYcgQ.dll.
2020-05-23 03:43:32,125 [root] INFO: Announced 32-bit process name: cmd.exe pid: 4044
2020-05-23 03:43:32,125 [lib.api.process] INFO: Monitor config for process 4044: C:\tmp558c2t_g\dll\4044.ini
2020-05-23 03:43:32,125 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\xkerYcgQ.dll, loader C:\tmp558c2t_g\bin\fSJnJfn.exe
2020-05-23 03:43:32,171 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wZtfKHfdF.
2020-05-23 03:43:32,171 [root] DEBUG: Loader: Injecting process 4044 (thread 3008) with C:\tmp558c2t_g\dll\xkerYcgQ.dll.
2020-05-23 03:43:32,171 [root] DEBUG: Process image base: 0x4A970000
2020-05-23 03:43:32,171 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\xkerYcgQ.dll.
2020-05-23 03:43:32,171 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-05-23 03:43:32,187 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-05-23 03:43:32,500 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-05-23 03:43:33,516 [root] DEBUG: Error -1073741502 (0xc0000142) - InjectDllViaThread: RtlCreateUserThread injection failed: (null)
2020-05-23 03:43:33,516 [root] DEBUG: InjectDll: DLL injection via thread failed.
2020-05-23 03:43:33,516 [root] DEBUG: Failed to inject DLL C:\tmp558c2t_g\dll\xkerYcgQ.dll.
2020-05-23 03:43:33,547 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4044, error: 4294967288
2020-05-23 03:43:33,547 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-05-23 03:43:33,625 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4116
2020-05-23 03:43:33,641 [root] DEBUG: GetHookCallerBase: thread 2684 (handle 0x0), return address 0x4A977302, allocation base 0x4A970000.
2020-05-23 03:43:33,641 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x4A970000.
2020-05-23 03:43:33,641 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 03:43:33,641 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4A970000.
2020-05-23 03:43:33,641 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2020-05-23 03:43:33,657 [root] INFO: b'C:\\PFWrvlFRS\\CAPE\\4116_5982499733331123652020|4116|0;?C:\\Windows\\SysWOW64\\cmd.exe;?C:\\Windows\\SysWOW64\\cmd.exe;?'
2020-05-23 03:43:33,657 [root] INFO: cape
2020-05-23 03:43:33,657 [root] INFO: ('dump_file', 'C:\\PFWrvlFRS\\CAPE\\4116_5982499733331123652020', b'0;?C:\\Windows\\SysWOW64\\cmd.exe;?C:\\Windows\\SysWOW64\\cmd.exe;?', ['4116'], 'procdump')
2020-05-23 03:43:33,735 [root] INFO: ('dump_file', 'C:\\PFWrvlFRS\\CAPE\\4116_5982499733331123652020', '', False, 'files')
2020-05-23 03:43:33,750 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x49e00.
2020-05-23 03:43:33,766 [root] DEBUG: DLL unloaded from 0x768A0000.
2020-05-23 03:43:33,766 [root] WARNING: Unable to open termination event for pid 4116.
2020-05-23 03:43:33,844 [root] DEBUG: DLL loaded at 0x6F720000: C:\Windows\SysWOW64\DUser (0x2f000 bytes).
2020-05-23 03:43:33,891 [root] DEBUG: DLL loaded at 0x6FED0000: C:\Windows\system32\xmllite (0x2f000 bytes).
2020-05-23 03:43:33,969 [root] DEBUG: DLL unloaded from 0x6FED0000.
2020-05-23 03:43:34,652 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-05-23 03:43:35,727 [root] DEBUG: DLL unloaded from 0x76070000.
2020-05-23 03:43:35,790 [root] DEBUG: DLL unloaded from 0x6F720000.
2020-05-23 03:43:35,790 [root] DEBUG: DLL unloaded from 0x73950000.
2020-05-23 03:43:35,790 [root] DEBUG: DLL unloaded from 0x77290000.
2020-05-23 03:43:35,790 [root] DEBUG: GetHookCallerBase: thread 3004 (handle 0x0), return address 0x0077241B, allocation base 0x00770000.
2020-05-23 03:43:35,790 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x6F750000.
2020-05-23 03:43:35,805 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 03:43:35,805 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x6F750000.
2020-05-23 03:43:35,836 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000133E.
2020-05-23 03:43:35,836 [root] DEBUG: set_caller_info: Adding region at 0x01DF0000 to caller regions list (kernel32::GetSystemTime).
2020-05-23 03:43:35,852 [root] INFO: b'C:\\PFWrvlFRS\\CAPE\\596_8126424201551123652020|596|0;?C:\\Windows\\SysWOW64\\regsvr32.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\sgvHFK.dll;?'
2020-05-23 03:43:35,852 [root] INFO: cape
2020-05-23 03:43:35,852 [root] INFO: ('dump_file', 'C:\\PFWrvlFRS\\CAPE\\596_8126424201551123652020', b'0;?C:\\Windows\\SysWOW64\\regsvr32.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\sgvHFK.dll;?', ['596'], 'procdump')
2020-05-23 03:43:35,930 [root] INFO: ('dump_file', 'C:\\PFWrvlFRS\\CAPE\\596_8126424201551123652020', '', False, 'files')
2020-05-23 03:43:35,961 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x14200.
2020-05-23 03:43:35,961 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x00770000.
2020-05-23 03:43:35,977 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 03:43:35,977 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00770000.
2020-05-23 03:43:35,977 [root] DEBUG: DumpProcess: Module entry point VA is 0x000027C1.
2020-05-23 03:43:36,008 [root] INFO: b'C:\\PFWrvlFRS\\CAPE\\596_19941736791551123652020|596|0;?C:\\Windows\\SysWOW64\\regsvr32.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\sgvHFK.dll;?'
2020-05-23 03:43:36,008 [root] INFO: cape
2020-05-23 03:43:36,024 [root] INFO: ('dump_file', 'C:\\PFWrvlFRS\\CAPE\\596_19941736791551123652020', b'0;?C:\\Windows\\SysWOW64\\regsvr32.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\sgvHFK.dll;?', ['596'], 'procdump')
2020-05-23 03:43:36,055 [root] INFO: ('dump_file', 'C:\\PFWrvlFRS\\CAPE\\596_19941736791551123652020', '', False, 'files')
2020-05-23 03:43:36,086 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3e00.
2020-05-23 03:43:36,102 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x01DF0000.
2020-05-23 03:43:36,118 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1df0000
2020-05-23 03:43:36,118 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01DF0000 size 0x400000.
2020-05-23 03:43:36,165 [root] INFO: ('dump_file', 'C:\\PFWrvlFRS\\CAPE\\596_19438136541651123652020', b'9;?C:\\Windows\\SysWOW64\\regsvr32.exe;?C:\\Windows\\SysWOW64\\regsvr32.exe;?0x01DF0000;?', ['596'], 'CAPE')
2020-05-23 03:43:36,211 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\PFWrvlFRS\CAPE\596_19438136541651123652020 (size 0xfff)
2020-05-23 03:43:36,211 [root] DEBUG: DumpRegion: Dumped stack region from 0x01DF0000, size 0x1000.
2020-05-23 03:43:36,227 [root] DEBUG: DLL unloaded from 0x6F750000.
2020-05-23 03:43:36,227 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-05-23 03:43:36,243 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-05-23 03:43:36,243 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-05-23 03:43:36,243 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-05-23 03:43:36,258 [root] DEBUG: DLL unloaded from 0x768A0000.
2020-05-23 03:43:36,258 [root] WARNING: Unable to open termination event for pid 596.
2020-05-23 03:46:51,555 [root] INFO: Analysis timeout hit, terminating analysis.
2020-05-23 03:46:51,555 [lib.api.process] ERROR: Failed to open terminate event for pid 596
2020-05-23 03:46:51,555 [root] INFO: Terminate event set for process 596.
2020-05-23 03:46:51,602 [lib.api.process] ERROR: Failed to open terminate event for pid 4116
2020-05-23 03:46:51,602 [root] INFO: Terminate event set for process 4116.
2020-05-23 03:46:51,618 [root] INFO: Created shutdown mutex.
2020-05-23 03:46:52,618 [root] INFO: Shutting down package.
2020-05-23 03:46:52,649 [root] INFO: Stopping auxiliary modules.
2020-05-23 03:46:52,790 [lib.common.results] WARNING: File C:\PFWrvlFRS\bin\procmon.xml doesn't exist anymore
2020-05-23 03:46:52,790 [root] INFO: Finishing auxiliary modules.
2020-05-23 03:46:52,790 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-05-23 03:46:52,790 [root] WARNING: Folder at path "C:\PFWrvlFRS\debugger" does not exist, skip.
2020-05-23 03:46:52,805 [root] WARNING: Monitor injection attempted but failed for process 4044.
2020-05-23 03:46:52,805 [root] INFO: Analysis completed.

Machine

Name win7x64_3
Label win7x64_7
Manager KVM
Started On 2020-05-23 03:43:28
Shutdown On 2020-05-23 03:47:47

File Details

File Name sgvHFK.dll
File Size 79872 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
PE timestamp 2017-12-18 16:14:44
MD5 62cb6a2a517351472698f669a845f91c
SHA1 31c2e2b490c94430ba10675da73b00e39f6fa626
SHA256 c25812f5c1b6f74ec686a928461601c305da29e6c36bbdce0637cc44d30f2c19
SHA512 be57c34e421e1c4b77296393b2b73dfb160d83ddf24168d20627bb59d8a2d064c87ea8e8a0f5855dbbdb87faa8c7b2217dedcf923ce718e3964ec510601e80f2
CRC32 A3A8B0ED
Ssdeep 1536:yXXE+OMwnpuRSFIOcDqRFUQ4oRARuasWFYcdAZmie1:5+e8RSFIOLR6iAwe5AsiS

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: regsvr32.exe, PID 596
Dynamic (imported) function loading detected
File has been identified by 8 Antiviruses on VirusTotal as malicious
Qihoo-360: Generic/Trojan.c8b
ClamAV: Win.Malware.Agent-7761733-0
Rising: Malware.Undefined!8.C (CLOUD)
F-Secure: Trojan.TR/Agent.bdld
Webroot: W32.Trojan.Gen
Avira: TR/Agent.bdld
AegisLab: Trojan.Win32.Generic.4!c
Ikarus: not-a-virus:POC.CalcSec
CAPE extracted potentially suspicious content
regsvr32.exe: Extracted Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\sgvHFK.dll
Uses Windows utilities for basic functionality
command: C:\Windows\system32\cmd.exe /c c:\windows\system32\cmd.exe /c "calc.exe"
command: c:\windows\system32\cmd.exe /c "calc.exe"
Network activity detected but not expressed in API logs

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

DNS

No domains contacted.


Summary

uxtheme.dll.BufferedPaintUnInit
duser.dll.DUserFlushMessages
duser.dll.DUserFlushDeferredMessages
duser.dll.DeleteHandle
user32.dll.UnregisterMessagePumpHook
duser.dll.DetachWndProc
kernel32.dll.FlsFree
oleaut32.dll.#500
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
C:\Windows\system32\cmd.exe /c c:\windows\system32\cmd.exe /c "calc.exe"
c:\windows\system32\cmd.exe /c "calc.exe"
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1

PE Information

Image Base 0x10000000
Entry Point 0x1000133e
Reported Checksum 0x00000000
Actual Checksum 0x0001c95a
Minimum OS Version 6.0
Compile Time 2017-12-18 16:14:44
Import Hash ee6098cc31d97137c683adf69ebbdeea
Exported DLL Name calc.dll

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0000bea4 0x0000c000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.60
.rdata 0x0000c400 0x0000d000 0x00005928 0x00005a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.90
.data 0x00011e00 0x00013000 0x00001178 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.03
.rsrc 0x00012600 0x00015000 0x000001e0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.71
.reloc 0x00012800 0x00016000 0x00000e48 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.22

Resources

Name Offset Size Language Sub-language Entropy File type
RT_MANIFEST 0x00015060 0x0000017d LANG_ENGLISH SUBLANG_ENGLISH_US 4.91 None

Imports

0x1000d008 GetCurrentProcess
0x1000d00c TerminateProcess
0x1000d018 GetCurrentProcessId
0x1000d01c GetCurrentThreadId
0x1000d024 InitializeSListHead
0x1000d028 IsDebuggerPresent
0x1000d02c GetStartupInfoW
0x1000d030 GetModuleHandleW
0x1000d034 InterlockedFlushSList
0x1000d038 RtlUnwind
0x1000d03c GetLastError
0x1000d040 SetLastError
0x1000d044 EnterCriticalSection
0x1000d048 LeaveCriticalSection
0x1000d04c DeleteCriticalSection
0x1000d054 TlsAlloc
0x1000d058 TlsGetValue
0x1000d05c TlsSetValue
0x1000d060 TlsFree
0x1000d064 FreeLibrary
0x1000d068 GetProcAddress
0x1000d06c LoadLibraryExW
0x1000d070 ExitProcess
0x1000d074 GetModuleHandleExW
0x1000d078 GetModuleFileNameA
0x1000d07c MultiByteToWideChar
0x1000d080 WideCharToMultiByte
0x1000d084 HeapFree
0x1000d088 HeapAlloc
0x1000d08c CloseHandle
0x1000d090 WaitForSingleObject
0x1000d094 GetExitCodeProcess
0x1000d098 CreateProcessA
0x1000d09c GetFileAttributesExW
0x1000d0a0 FindClose
0x1000d0a4 FindFirstFileExA
0x1000d0a8 FindNextFileA
0x1000d0ac IsValidCodePage
0x1000d0b0 GetACP
0x1000d0b4 GetOEMCP
0x1000d0b8 GetCPInfo
0x1000d0bc GetCommandLineA
0x1000d0c0 GetCommandLineW
0x1000d0c4 GetEnvironmentStringsW
0x1000d0d0 CompareStringW
0x1000d0d4 LCMapStringW
0x1000d0d8 GetProcessHeap
0x1000d0dc GetStdHandle
0x1000d0e0 GetFileType
0x1000d0e4 GetStringTypeW
0x1000d0e8 HeapSize
0x1000d0ec HeapReAlloc
0x1000d0f0 SetStdHandle
0x1000d0f4 FlushFileBuffers
0x1000d0f8 WriteFile
0x1000d0fc GetConsoleCP
0x1000d100 GetConsoleMode
0x1000d104 SetFilePointerEx
0x1000d108 CreateFileW
0x1000d10c WriteConsoleW
0x1000d110 DecodePointer
0x1000d114 RaiseException

Exports

Ordinal Address Name
1 0x10001000 DllCanUnloadNow
2 0x10001010 DllGetClassObject
3 0x10001020 DllRegisterServer
4 0x10001000 DllUnregisterServer
!This program cannot be run in DOS mode.
Rich\Zr
.text
`.rdata
@.data
.rsrc
@.reloc
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`RTTI
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
operator co_await
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
COMSPEC
cmd.exe
CorExitProcess
AreFileApisANSI
CompareStringEx
LCMapStringEx
LocaleNameToLCID
AppPolicyGetProcessTerminationMethod
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
!"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
log10
log10
atan2
floor
ldexp
_cabs
_hypot
frexp
_logb
_nextafter
c:\windows\system32\cmd.exe /c "calc.exe"
C:\Cigital\Tools\calc_security_poc\dll\dll\Release\calc.pdb
.text$mn
.idata$5
.00cfg
.CRT$XCA
.CRT$XCZ
.CRT$XIA
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.rsrc$01
.rsrc$02
calc.dll
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
InterlockedFlushSList
RtlUnwind
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetModuleFileNameA
MultiByteToWideChar
WideCharToMultiByte
HeapFree
HeapAlloc
CloseHandle
WaitForSingleObject
GetExitCodeProcess
CreateProcessA
GetFileAttributesExW
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
CompareStringW
LCMapStringW
GetProcessHeap
GetStdHandle
GetFileType
GetStringTypeW
HeapSize
HeapReAlloc
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleCP
GetConsoleMode
SetFilePointerEx
CreateFileW
WriteConsoleW
DecodePointer
RaiseException
KERNEL32.dll
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
api-ms-
ext-ms-
mscoree.dll
ja-JP
zh-CN
ko-KR
zh-TW
api-ms-win-core-datetime-l1-1-1
api-ms-win-core-file-l1-2-2
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
advapi32
ntdll
api-ms-win-appmodel-runtime-l1-1-2
user32
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
en-US
zh-CHS
ar-SA
bg-BG
ca-ES
cs-CZ
da-DK
de-DE
el-GR
fi-FI
fr-FR
he-IL
hu-HU
is-IS
it-IT
nl-NL
nb-NO
pl-PL
pt-BR
ro-RO
ru-RU
hr-HR
sk-SK
sq-AL
sv-SE
th-TH
tr-TR
ur-PK
id-ID
uk-UA
be-BY
sl-SI
et-EE
lv-LV
lt-LT
fa-IR
vi-VN
hy-AM
az-AZ-Latn
eu-ES
mk-MK
tn-ZA
xh-ZA
zu-ZA
af-ZA
ka-GE
fo-FO
hi-IN
mt-MT
se-NO
ms-MY
kk-KZ
ky-KG
sw-KE
uz-UZ-Latn
tt-RU
bn-IN
pa-IN
gu-IN
ta-IN
te-IN
kn-IN
ml-IN
mr-IN
sa-IN
mn-MN
cy-GB
gl-ES
kok-IN
syr-SY
div-MV
quz-BO
ns-ZA
mi-NZ
ar-IQ
de-CH
en-GB
es-MX
fr-BE
it-CH
nl-BE
nn-NO
pt-PT
sr-SP-Latn
sv-FI
az-AZ-Cyrl
se-SE
ms-BN
uz-UZ-Cyrl
quz-EC
ar-EG
zh-HK
de-AT
en-AU
es-ES
fr-CA
sr-SP-Cyrl
se-FI
quz-PE
ar-LY
zh-SG
de-LU
en-CA
es-GT
fr-CH
hr-BA
smj-NO
ar-DZ
zh-MO
de-LI
en-NZ
es-CR
fr-LU
bs-BA-Latn
smj-SE
ar-MA
en-IE
es-PA
fr-MC
sr-BA-Latn
sma-NO
ar-TN
en-ZA
es-DO
sr-BA-Cyrl
sma-SE
ar-OM
en-JM
es-VE
sms-FI
ar-YE
en-CB
es-CO
smn-FI
ar-SY
en-BZ
es-PE
ar-JO
en-TT
es-AR
ar-LB
en-ZW
es-EC
ar-KW
en-PH
es-CL
ar-AE
es-UY
ar-BH
es-PY
ar-QA
es-BO
es-SV
es-HN
es-NI
es-PR
zh-CHT
af-za
ar-ae
ar-bh
ar-dz
ar-eg
ar-iq
ar-jo
ar-kw
ar-lb
ar-ly
ar-ma
ar-om
ar-qa
ar-sa
ar-sy
ar-tn
ar-ye
az-az-cyrl
az-az-latn
be-by
bg-bg
bn-in
bs-ba-latn
ca-es
cs-cz
cy-gb
da-dk
de-at
de-ch
de-de
de-li
de-lu
div-mv
el-gr
en-au
en-bz
en-ca
en-cb
en-gb
en-ie
en-jm
en-nz
en-ph
en-tt
en-us
en-za
en-zw
es-ar
es-bo
es-cl
es-co
es-cr
es-do
es-ec
es-es
es-gt
es-hn
es-mx
es-ni
es-pa
es-pe
es-pr
es-py
es-sv
es-uy
es-ve
et-ee
eu-es
fa-ir
fi-fi
fo-fo
fr-be
fr-ca
fr-ch
fr-fr
fr-lu
fr-mc
gl-es
gu-in
he-il
hi-in
hr-ba
hr-hr
hu-hu
hy-am
id-id
is-is
it-ch
it-it
ja-jp
ka-ge
kk-kz
kn-in
kok-in
ko-kr
ky-kg
lt-lt
lv-lv
mi-nz
mk-mk
ml-in
mn-mn
mr-in
ms-bn
ms-my
mt-mt
nb-no
nl-be
nl-nl
nn-no
ns-za
pa-in
pl-pl
pt-br
pt-pt
quz-bo
quz-ec
quz-pe
ro-ro
ru-ru
sa-in
se-fi
se-no
se-se
sk-sk
sl-si
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sq-al
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
sv-fi
sv-se
sw-ke
syr-sy
ta-in
te-in
th-th
tn-za
tr-tr
tt-ru
uk-ua
ur-pk
uz-uz-cyrl
uz-uz-latn
vi-vn
xh-za
zh-chs
zh-cht
zh-cn
zh-hk
zh-mo
zh-sg
zh-tw
zu-za
CONOUT$

Full Results

Engine Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
Qihoo-360 Generic/Trojan.c8b
McAfee Clean
Cylance Clean
VIPRE Clean
SUPERAntiSpyware Clean
Sangfor Clean
CrowdStrike Clean
Alibaba Clean
K7GW Clean
K7AntiVirus Clean
TrendMicro Clean
Baidu Clean
Cyren Clean
Symantec Clean
ESET-NOD32 Clean
APEX Clean
Avast Clean
ClamAV Win.Malware.Agent-7761733-0
Kaspersky Clean
BitDefender Clean
NANO-Antivirus Clean
Paloalto Clean
ViRobot Clean
Rising Malware.Undefined!8.C (CLOUD)
Endgame Clean
Sophos Clean
Comodo Clean
F-Secure Trojan.TR/Agent.bdld
DrWeb Clean
Zillya Clean
Invincea Clean
McAfee-GW-Edition Clean
Trapmine Clean
FireEye Clean
Emsisoft Clean
SentinelOne Clean
F-Prot Clean
Jiangmin Clean
Webroot W32.Trojan.Gen
Avira TR/Agent.bdld
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Arcabit Clean
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm Clean
Avast-Mobile Clean
GData Clean
TACHYON Clean
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Clean
MAX Clean
Ad-Aware Clean
Malwarebytes Clean
Zoner Clean
TrendMicro-HouseCall Clean
Tencent Clean
Yandex Clean
Ikarus not-a-virus:POC.CalcSec
eGambit Clean
Fortinet Clean
BitDefenderTheta Clean
AVG Clean
Panda Clean
MaxSecure Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.8 49744 1.1.1.1 53
192.168.1.8 51064 1.1.1.1 53
192.168.1.8 55051 1.1.1.1 53
192.168.1.8 63225 1.1.1.1 53
192.168.1.8 63471 1.1.1.1 53
192.168.1.8 65129 1.1.1.1 53
192.168.1.8 137 192.168.1.255 137
192.168.1.8 49744 8.8.8.8 53
192.168.1.8 51064 8.8.8.8 53
192.168.1.8 55051 8.8.8.8 53
192.168.1.8 63225 8.8.8.8 53
192.168.1.8 63471 8.8.8.8 53
192.168.1.8 65129 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Type Extracted Shellcode
Size 4095 bytes
Virtual Address 0x01DF0000
Process regsvr32.exe
PID 596
Path C:\Windows\SysWOW64\regsvr32.exe
MD5 aff3114a9f271c3f42cadaadf18cf78a
SHA1 5e064c7bd6023ed36ed1de70a55d29f7ec89c760
SHA256 bd2f1ebc45753997fae67358031cf7e83f4185223d1ada7381d27a478aa44e13
CRC32 5288C376
Ssdeep 24:A66oxrr0H4A//oJnFTDknzBScC0j9aLhDa4rJMetVEBPTpVBVDVSJA:zrr0H4SA5kT9aLhDa4rOy0Xfxz
Yara None matched
CAPE Yara None matched

Process Name cmd.exe
PID 4116
Dump Size 302592 bytes
Module Path C:\Windows\SysWOW64\cmd.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:00:27
MD5 6dc17360e56811ceeb630bc98f183b5a
SHA1 d3d8f190566c386f9965a42f6e2e557d52e8af89
SHA256 38c604475857d79f0d59472c3bb10b4e93431ca3e86c6a00e936828f1ee6e943
CRC32 FEBA9DFD
Ssdeep 3072:A3UJfIty/L8VK57CzExx/VjpmlQLiBDpcvAkMjyGez1c:A3ofp/cKdCzExx58QupcvAkMmt+
Dump Filename 38c604475857d79f0d59472c3bb10b4e93431ca3e86c6a00e936828f1ee6e943

Process Name regsvr32.exe
PID 596
Dump Size 82432 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll
Type PE image: 32-bit DLL
PE timestamp 2017-12-18 16:14:44
MD5 5ff65e65fb27a86ecf3579dfa434dbf5
SHA1 853aead24a105fdce0b645e9b07bc9f098740817
SHA256 389be13d562fef873fc6d94d7a318a2662abad97355d8d159c19fc5ff10eb702
CRC32 6183D57A
Ssdeep 1536:w57o9wuJFLZZBUTQXa+Ijy3BuonRufCsWo+X0cdgbaLe1:VwE+8Xa+P3zwWgbaLS
Dump Filename 389be13d562fef873fc6d94d7a318a2662abad97355d8d159c19fc5ff10eb702

Process Name regsvr32.exe
PID 596
Dump Size 15872 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll
Type PE image: 32-bit executable
PE timestamp 2009-07-13 23:58:32
MD5 0b44f1c9dafd6754af6bd35f2e80e83b
SHA1 f836d6df7a15b59ac35287d58df0d7b7190009e8
SHA256 f3b064b9bb2eb6ffc35f70f39f258ed8ecfde113effeb35f0238587bf75900c0
CRC32 F5848D92
Ssdeep 384:ThIKm8SOSPaagnXGPdemsRVg2iV5ZQWr+TLHWM:D/STiZasHRaXnULL
Dump Filename f3b064b9bb2eb6ffc35f70f39f258ed8ecfde113effeb35f0238587bf75900c0

Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature

    Processing ( 8.227 seconds )

    • 5.266 Suricata
    • 0.945 Static
    • 0.71 peid
    • 0.529 NetworkAnalysis
    • 0.285 VirusTotal
    • 0.161 CAPE
    • 0.132 Deduplicate
    • 0.109 BehaviorAnalysis
    • 0.046 ProcDump
    • 0.021 AnalysisInfo
    • 0.015 TargetInfo
    • 0.004 Debug
    • 0.004 Strings

    Signatures ( 0.172 seconds )

    • 0.03 antiav_detectreg
    • 0.027 antidbg_windows
    • 0.012 infostealer_ftp
    • 0.011 territorial_disputes_sigs
    • 0.01 ransomware_files
    • 0.007 antiav_detectfile
    • 0.007 infostealer_im
    • 0.006 antianalysis_detectreg
    • 0.006 ransomware_extensions
    • 0.005 infostealer_bitcoin
    • 0.004 antianalysis_detectfile
    • 0.004 infostealer_mail
    • 0.004 masquerade_process_name
    • 0.003 persistence_autorun
    • 0.003 antivm_vbox_files
    • 0.003 antivm_vbox_keys
    • 0.002 api_spamming
    • 0.002 decoy_document
    • 0.002 NewtWire Behavior
    • 0.002 antivm_vmware_keys
    • 0.002 geodo_banking_trojan
    • 0.001 antiemu_wine_func
    • 0.001 antivm_generic_disk
    • 0.001 antivm_vbox_window
    • 0.001 betabot_behavior
    • 0.001 kibex_behavior
    • 0.001 mimics_filetime
    • 0.001 stealth_timeout
    • 0.001 tinba_behavior
    • 0.001 virus
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_parallels_keys
    • 0.001 antivm_vmware_files
    • 0.001 antivm_vpc_keys
    • 0.001 antivm_xen_keys
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 qulab_files
    • 0.001 revil_mutexes
    • 0.001 recon_fingerprint

    Reporting ( 4.378 seconds )

    • 4.311 BinGraph
    • 0.059 MITRE_TTPS
    • 0.008 PCAP2CERT