Analysis

Category Package Started Completed Duration Options
FILE exe 2020-06-05 13:59:31 2020-06-05 14:05:20 349 seconds route = tor
2020-05-13 09:25:40,915 [root] INFO: Date set to: 20200605T13:45:08, timeout set to: 200
2020-06-05 13:45:08,062 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-06-05 13:45:08,062 [root] DEBUG: Storing results at: C:\YvbiCMCWyP
2020-06-05 13:45:08,062 [root] DEBUG: Pipe server name: \\.\PIPE\TcAEOsQTF
2020-06-05 13:45:08,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-05 13:45:08,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-05 13:45:08,062 [root] INFO: Automatically selected analysis package "exe"
2020-06-05 13:45:08,062 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-05 13:45:08,156 [root] DEBUG: Imported analysis package "exe".
2020-06-05 13:45:08,156 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-05 13:45:08,156 [root] DEBUG: Initialized analysis package "exe".
2020-06-05 13:45:08,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 13:45:08,312 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 13:45:08,312 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 13:45:08,421 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 13:45:08,421 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 13:45:08,609 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 13:45:08,609 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 13:45:08,671 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 13:45:08,671 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 13:45:08,687 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 13:45:08,687 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 13:45:08,812 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 13:45:08,812 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 13:45:08,875 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 13:45:08,875 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 13:45:08,875 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 13:45:08,875 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 13:45:08,875 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 13:45:08,875 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 13:45:08,906 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 13:45:08,921 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 13:45:09,640 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 13:45:09,640 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 13:45:09,656 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 13:45:09,656 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 13:45:09,656 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 13:45:09,671 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 13:45:09,671 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 13:45:09,687 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 13:45:09,687 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 13:45:09,687 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 13:45:09,687 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 13:45:09,687 [root] DEBUG: Started auxiliary module Browser
2020-06-05 13:45:09,687 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 13:45:09,687 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 13:45:09,687 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 13:45:09,687 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 13:45:09,687 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 13:45:09,687 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 13:45:09,687 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 13:45:09,687 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 13:45:10,249 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 13:45:10,249 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 13:45:10,265 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 13:45:10,265 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 13:45:10,265 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 13:45:10,265 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 13:45:10,281 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 13:45:10,281 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 13:45:10,281 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 13:45:10,281 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 13:45:10,296 [root] DEBUG: Started auxiliary module Human
2020-06-05 13:45:10,296 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 13:45:10,296 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 13:45:10,296 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 13:45:10,296 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 13:45:10,296 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 13:45:10,296 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 13:45:10,296 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 13:45:10,296 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 13:45:10,296 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 13:45:10,312 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 13:45:10,312 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 13:45:10,312 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 13:45:10,312 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 13:45:10,312 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 13:45:10,312 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 13:45:10,312 [root] DEBUG: Started auxiliary module Usage
2020-06-05 13:45:10,312 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-05 13:45:10,312 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-05 13:45:10,312 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-05 13:45:10,312 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-05 13:45:10,421 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\Shipping Details_PDF.scr" with arguments "" with pid 4672
2020-06-05 13:45:10,437 [lib.api.process] INFO: Monitor config for process 4672: C:\tmp2ssujfce\dll\4672.ini
2020-06-05 13:45:10,437 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\VuNBHjq.dll, loader C:\tmp2ssujfce\bin\iKTTDfi.exe
2020-06-05 13:45:10,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TcAEOsQTF.
2020-06-05 13:45:10,578 [root] DEBUG: Loader: Injecting process 4672 (thread 2332) with C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:10,593 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:10,593 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:10,609 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:10,609 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:10,640 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4672
2020-06-05 13:45:12,640 [lib.api.process] INFO: Successfully resumed process with pid 4672
2020-06-05 13:45:12,984 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:12,984 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:13,000 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:13,000 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4672 at 0x70440000, image base 0x400000, stack from 0x186000-0x190000
2020-06-05 13:45:13,000 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Shipping Details_PDF.scr".
2020-06-05 13:45:13,046 [root] INFO: loaded: b'4672'
2020-06-05 13:45:13,046 [root] INFO: Loaded monitor into process with pid 4672
2020-06-05 13:45:13,046 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:13,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x03A10000 to global list.
2020-06-05 13:45:13,265 [root] DEBUG: DLL loaded at 0x735B0000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-05 13:45:13,328 [root] DEBUG: DLL loaded at 0x70B50000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-06-05 13:45:13,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x100 amd local view 0x03F00000 to global list.
2020-06-05 13:45:13,359 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 13:45:13,375 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 13:45:13,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c amd local view 0x03E30000 to global list.
2020-06-05 13:45:13,531 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 13:45:13,531 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-05 13:45:25,109 [root] DEBUG: set_caller_info: Adding region at 0x00420000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:25,296 [root] DEBUG: set_caller_info: Adding region at 0x01F00000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:25,328 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1f00000
2020-06-05 13:45:25,328 [root] INFO: ('dump_file', 'C:\\YvbiCMCWyP\\CAPE\\4672_157290896252546662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?0x01F00000;?', ['4672'], 'CAPE')
2020-06-05 13:45:25,437 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YvbiCMCWyP\CAPE\4672_157290896252546662020 (size 0x50634)
2020-06-05 13:45:25,437 [root] DEBUG: DumpRegion: Dumped stack region from 0x01F00000, size 0x7f000.
2020-06-05 13:45:25,468 [root] INFO: ('dump_file', 'C:\\YvbiCMCWyP\\CAPE\\4672_107927873252546662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?0x00420000;?', ['4672'], 'CAPE')
2020-06-05 13:45:25,484 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YvbiCMCWyP\CAPE\4672_107927873252546662020 (size 0x32a3)
2020-06-05 13:45:25,484 [root] DEBUG: DumpRegion: Dumped stack region from 0x00420000, size 0x8000.
2020-06-05 13:45:28,718 [root] INFO: Announced 32-bit process name: Shipping Details_PDF.scr pid: 3508
2020-06-05 13:45:28,718 [lib.api.process] INFO: Monitor config for process 3508: C:\tmp2ssujfce\dll\3508.ini
2020-06-05 13:45:28,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\VuNBHjq.dll, loader C:\tmp2ssujfce\bin\iKTTDfi.exe
2020-06-05 13:45:28,968 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TcAEOsQTF.
2020-06-05 13:45:28,968 [root] DEBUG: Loader: Injecting process 3508 (thread 1100) with C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:28,968 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:28,968 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:28,968 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:28,968 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:28,984 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3508
2020-06-05 13:45:29,031 [root] INFO: Announced 32-bit process name: Shipping Details_PDF.scr pid: 3508
2020-06-05 13:45:29,031 [lib.api.process] INFO: Monitor config for process 3508: C:\tmp2ssujfce\dll\3508.ini
2020-06-05 13:45:29,031 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\VuNBHjq.dll, loader C:\tmp2ssujfce\bin\iKTTDfi.exe
2020-06-05 13:45:29,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TcAEOsQTF.
2020-06-05 13:45:29,046 [root] DEBUG: Loader: Injecting process 3508 (thread 1100) with C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,046 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:29,062 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,062 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:29,062 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,062 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3508
2020-06-05 13:45:29,078 [root] INFO: Announced 32-bit process name: Shipping Details_PDF.scr pid: 3508
2020-06-05 13:45:29,078 [lib.api.process] INFO: Monitor config for process 3508: C:\tmp2ssujfce\dll\3508.ini
2020-06-05 13:45:29,078 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\VuNBHjq.dll, loader C:\tmp2ssujfce\bin\iKTTDfi.exe
2020-06-05 13:45:29,093 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TcAEOsQTF.
2020-06-05 13:45:29,093 [root] DEBUG: Loader: Injecting process 3508 (thread 0) with C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,093 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 13:45:29,093 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1100, handle 0xc4
2020-06-05 13:45:29,109 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:29,109 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014C0)
2020-06-05 13:45:29,109 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,109 [root] DEBUG: InjectDllViaIAT: Memory region at 0x07000000 not empty.
2020-06-05 13:45:29,109 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:29,109 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,109 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3508
2020-06-05 13:45:29,218 [root] INFO: ('dump_file', 'C:\\YvbiCMCWyP\\CAPE\\4672_141103446192646662020', b'4;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?3508;?', ['4672'], 'CAPE')
2020-06-05 13:45:29,249 [root] INFO: Announced 32-bit process name: Shipping Details_PDF.scr pid: 3508
2020-06-05 13:45:29,249 [lib.api.process] INFO: Monitor config for process 3508: C:\tmp2ssujfce\dll\3508.ini
2020-06-05 13:45:29,249 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\VuNBHjq.dll, loader C:\tmp2ssujfce\bin\iKTTDfi.exe
2020-06-05 13:45:29,281 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TcAEOsQTF.
2020-06-05 13:45:29,281 [root] DEBUG: Loader: Injecting process 3508 (thread 0) with C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,281 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 13:45:29,281 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1100, handle 0xc4
2020-06-05 13:45:29,281 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:29,281 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014C0)
2020-06-05 13:45:29,281 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,281 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:29,296 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,296 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3508
2020-06-05 13:45:29,296 [root] INFO: Announced 32-bit process name: Shipping Details_PDF.scr pid: 3508
2020-06-05 13:45:29,296 [lib.api.process] INFO: Monitor config for process 3508: C:\tmp2ssujfce\dll\3508.ini
2020-06-05 13:45:29,296 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\VuNBHjq.dll, loader C:\tmp2ssujfce\bin\iKTTDfi.exe
2020-06-05 13:45:29,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TcAEOsQTF.
2020-06-05 13:45:29,328 [root] DEBUG: Loader: Injecting process 3508 (thread 1100) with C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,328 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:29,328 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014C0)
2020-06-05 13:45:29,328 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,328 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:29,328 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\VuNBHjq.dll.
2020-06-05 13:45:29,328 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3508
2020-06-05 13:45:29,343 [root] INFO: ('dump_file', 'C:\\YvbiCMCWyP\\CAPE\\4672_744905379192646662020', b'3;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?3508;?', ['4672'], 'CAPE')
2020-06-05 13:45:29,500 [root] INFO: ('dump_file', 'C:\\YvbiCMCWyP\\CAPE\\4672_1094925932192646662020', b'3;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?3508;?', ['4672'], 'CAPE')
2020-06-05 13:45:29,562 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-05 13:45:29,578 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:29,578 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:29,593 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:29,593 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:29,593 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3508 at 0x70440000, image base 0x400000, stack from 0x186000-0x190000
2020-06-05 13:45:29,593 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Shipping Details_PDF.scr".
2020-06-05 13:45:29,640 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1428
2020-06-05 13:45:29,640 [root] INFO: loaded: b'3508'
2020-06-05 13:45:29,640 [lib.api.process] INFO: Monitor config for process 1428: C:\tmp2ssujfce\dll\1428.ini
2020-06-05 13:45:29,640 [root] INFO: Loaded monitor into process with pid 3508
2020-06-05 13:45:29,656 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp2ssujfce\dll\KzjJvUnp.dll, loader C:\tmp2ssujfce\bin\alGotbNx.exe
2020-06-05 13:45:29,656 [root] DEBUG: set_caller_info: Adding region at 0x001B0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:29,656 [root] DEBUG: set_caller_info: Adding region at 0x02010000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:29,671 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TcAEOsQTF.
2020-06-05 13:45:29,687 [root] DEBUG: Loader: Injecting process 1428 (thread 0) with C:\tmp2ssujfce\dll\KzjJvUnp.dll.
2020-06-05 13:45:29,687 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFD5000 Local PEB 0x000007FFFFFDE000 Local TEB 0x000007FFFFFD7000: The operation completed successfully.
2020-06-05 13:45:29,687 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1452, handle 0xa8
2020-06-05 13:45:29,687 [root] DEBUG: Process image base: 0x00000000FF230000
2020-06-05 13:45:29,687 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x2010000
2020-06-05 13:45:29,687 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-05 13:45:29,687 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02010000 size 0x400000.
2020-06-05 13:45:29,687 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-05 13:45:29,703 [root] INFO: ('dump_file', 'C:\\YvbiCMCWyP\\CAPE\\3508_1455397800292546662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?0x02010000;?', ['3508'], 'CAPE')
2020-06-05 13:45:29,703 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:29,703 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:29,718 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:29,718 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 1428 at 0x0000000072EA0000, image base 0x00000000FF230000, stack from 0x00000000084D2000-0x00000000084E0000
2020-06-05 13:45:29,718 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2020-06-05 13:45:29,765 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YvbiCMCWyP\CAPE\3508_1455397800292546662020 (size 0x109af)
2020-06-05 13:45:29,765 [root] DEBUG: DumpRegion: Dumped stack region from 0x02010000, size 0x7f000.
2020-06-05 13:45:29,781 [root] INFO: ('dump_file', 'C:\\YvbiCMCWyP\\CAPE\\3508_603270142292546662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Shipping Details_PDF.scr;?0x001B0000;?', ['3508'], 'CAPE')
2020-06-05 13:45:29,812 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\YvbiCMCWyP\CAPE\3508_603270142292546662020 (size 0x32a3)
2020-06-05 13:45:29,812 [root] DEBUG: DumpRegion: Dumped stack region from 0x001B0000, size 0x100000.
2020-06-05 13:45:29,875 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-05 13:45:29,875 [root] WARNING: b'Unable to hook LockResource'
2020-06-05 13:45:30,078 [root] INFO: loaded: b'1428'
2020-06-05 13:45:30,078 [root] INFO: Loaded monitor into process with pid 1428
2020-06-05 13:45:30,343 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-05 13:45:30,359 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-05 13:45:30,359 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\KzjJvUnp.dll.
2020-06-05 13:45:30,375 [root] WARNING: Unable to open termination event for pid 4672.
2020-06-05 13:45:30,531 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DF54FD4E0F545BCDD3.TMP', '', False, 'files')
2020-06-05 13:45:30,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xee0 amd local view 0x0000000003EA0000 to global list.
2020-06-05 13:45:32,062 [root] WARNING: Unable to open termination event for pid 3508.
2020-06-05 13:45:32,171 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3508
2020-06-05 13:48:33,448 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 13:48:33,448 [lib.api.process] ERROR: Failed to open terminate event for pid 4672
2020-06-05 13:48:33,448 [root] INFO: Terminate event set for process 4672.
2020-06-05 13:48:33,463 [lib.api.process] ERROR: Failed to open terminate event for pid 3508
2020-06-05 13:48:33,463 [root] INFO: Terminate event set for process 3508.
2020-06-05 13:48:33,463 [lib.api.process] ERROR: Failed to open terminate event for pid 1428
2020-06-05 13:48:33,463 [root] INFO: Terminate event set for process 1428.
2020-06-05 13:48:33,463 [root] INFO: Created shutdown mutex.
2020-06-05 13:48:34,463 [root] INFO: Shutting down package.
2020-06-05 13:48:34,463 [root] INFO: Stopping auxiliary modules.
2020-06-05 13:48:34,620 [lib.common.results] WARNING: File C:\YvbiCMCWyP\bin\procmon.xml doesn't exist anymore
2020-06-05 13:48:34,620 [root] INFO: Finishing auxiliary modules.
2020-06-05 13:48:34,620 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 13:48:34,620 [root] WARNING: Folder at path "C:\YvbiCMCWyP\debugger" does not exist, skip.
2020-06-05 13:48:34,620 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_1 win7x64_5 KVM 2020-06-05 13:59:31 2020-06-05 14:05:20

File Details

File Name Shipping Details_PDF.scr
File Size 81920 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2011-02-12 08:58:29
MD5 9a52f6ef61faa876d036e2d5e25dad8a
SHA1 06e5bb871f78265b35ed2c772bb56c7d65e2b4f1
SHA256 7f950bc31a7a30c03b8e703b1f59673a787674452e9c258e8343f9504486a559
SHA512 cbba9e4981506845d4f428ef83e6ca717c1a7002fa6a7d07a965227ab3ffb26d92fd9e525dd2830aa108036447572be4d9b2f20fade4a18ed9a92e92827f083d
CRC32 25B6FA36
Ssdeep 768:1fqZ5X7IYkCOQCRww+1PefMrfLmhwbTNaJA1mvdgnxCz01j2SQOPUVoZtsC7upD6:pqDrdLtw4NLswDwvTqIOPUVktsC78

Signatures

Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4672 trigged the Yara rule 'shellcode_patterns'
Hit: PID 4672 trigged the Yara rule 'shellcode_get_eip'
Hit: PID 4672 trigged the Yara rule 'HeavensGate'
Hit: PID 4672 trigged the Yara rule 'GuLoader'
Creates RWX memory
NtSetInformationThread: attempt to hide thread from debugger
Possible date expiration check, exits too soon after checking local time
process: Shipping Details_PDF.scr, PID 3508
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: asycfilt.dll/FilterCreateInstance
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoUninitialize
CAPE extracted potentially suspicious content
Shipping Details_PDF.scr: Unpacked Shellcode
Shipping Details_PDF.scr: GuLoader
Shipping Details_PDF.scr: Unpacked Shellcode
Shipping Details_PDF.scr: Injected PE Image: 32-bit DLL
Shipping Details_PDF.scr: Injected PE Image: 32-bit executable
Shipping Details_PDF.scr: Unpacked Shellcode
Multiple direct IP connections
direct_ip_connections: Made direct connections to 6 unique IP addresses
Unconventionial language used in binary resources: Catalan
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 6.84, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00010000, virtual_size: 0x0000f06c
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\Shipping Details_PDF.scr
Uses Windows utilities for basic functionality
command: "C:\Users\Louise\AppData\Local\Temp\Shipping Details_PDF.scr"
Behavioural detection: Injection (Process Hollowing)
Injection: Shipping Details_PDF.scr(4672) -> Shipping Details_PDF.scr(3508)
Executed a process and injected code into it, probably while unpacking
Injection: Shipping Details_PDF.scr(4672) -> Shipping Details_PDF.scr(3508)
Behavioural detection: Injection (inter-process)
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key
data: C:\Users\Louise\AppData\Local\Temp\subfolder1\filename1.vbs
Network activity detected but not expressed in API logs
File has been identified by 17 Antiviruses on VirusTotal as malicious
McAfee: Fareit-FST!9A52F6EF61FA
Cylance: Unsafe
Sangfor: Malware
BitDefenderTheta: Gen:[email protected]
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
Rising: Downloader.Guloader!1.C738 (CLOUD)
Trapmine: suspicious.low.ml.score
SentinelOne: DFI - Suspicious PE
Avira: TR/Injector.piagf
Endgame: malicious (high confidence)
Microsoft: PWS:Win32/Fareit.AB!MTB
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Malwarebytes: Trojan.MalPack.VB
ESET-NOD32: a variant of Win32/Injector.EMGX
eGambit: Unsafe.AI_Score_100%
CrowdStrike: win/malicious_confidence_90% (W)
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - RigEK
signature: ET JA3 Hash - Possible Malware - Various Eitest

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 52.142.114.176 [VT] Ireland
Y 52.114.159.32 [VT] United States
Y 23.211.5.239 [VT] Netherlands
Y 216.58.210.14 [VT] United States
Y 13.107.42.23 [VT] United States

DNS

No domains contacted.


Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\Shipping Details_PDF.scr.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Users\Louise\AppData\Local\Temp\~DF54FD4E0F545BCDD3.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Users\Louise\AppData\Local\Temp
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp\subfolder1
C:\Windows\SysWOW64\shell32.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\~DF54FD4E0F545BCDD3.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Windows\SysWOW64\shell32.dll
C:\Users\Louise\AppData\Local\Temp\~DF54FD4E0F545BCDD3.TMP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\startbogstavs\Caponized9
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Tuberculomas\Coatninger
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\Shipping Details_PDF.scr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Shipping Details_PDF.scr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Shipping Details_PDF.scr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
asycfilt.dll.FilterCreateInstance
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.NlsGetCacheUpdateCount
version.dll.VerQueryValueA
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
kernel32.dll.GetCalendarInfoW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoInitializeEx
ole32.dll.CreateBindCtx
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#320
ole32.dll.StringFromGUID2
comctl32.dll.#324
comctl32.dll.#323
advapi32.dll.RegEnumKeyW
oleaut32.dll.#2
ole32.dll.CoUninitialize
"C:\Users\Louise\AppData\Local\Temp\Shipping Details_PDF.scr"

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Icon Icon Exact Hash Icon Similarity Hash
0x00400000 0x004014c0 0x0001da4f 0x0001da4f 4.0 2011-02-12 08:58:29 32f6eaa4b2217208f12113acef308b2f 51af3111923325f7f380d5da8c404354 bd7000b040e5195e2c6c6ebd16d96641

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x0000f06c 0x00010000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.84
.data 0x00011000 0x00011000 0x00000e8c 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00012000 0x00012000 0x00001584 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.11

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x000123cc 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.05 None
RT_ICON 0x000123cc 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.05 None
RT_ICON 0x000123cc 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.05 None
RT_GROUP_ICON 0x0001239c 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 3.07 None
RT_VERSION 0x00012150 0x0000024c LANG_CATALAN SUBLANG_DEFAULT 3.25 None

Imports

0x401000 None
0x401004 None
0x401008 _CIcos
0x40100c _adj_fptan
0x401010 __vbaVarMove
0x401014 __vbaFreeVar
0x401018 __vbaStrVarMove
0x40101c __vbaFreeVarList
0x401020 _adj_fdiv_m64
0x401024 None
0x401028 __vbaFreeObjList
0x40102c None
0x401030 _adj_fprem1
0x401034 __vbaStrCat
0x401038 None
0x40103c None
0x401044 None
0x401048 _adj_fdiv_m32
0x40104c None
0x401050 None
0x401054 None
0x401058 __vbaObjSet
0x40105c _adj_fdiv_m16i
0x401060 None
0x401064 _adj_fdivr_m16i
0x401068 None
0x40106c __vbaFpR8
0x401070 _CIsin
0x401074 __vbaChkstk
0x401078 EVENT_SINK_AddRef
0x40107c None
0x401080 __vbaStrCmp
0x401084 __vbaVarTstEq
0x401088 None
0x40108c None
0x401090 None
0x401094 __vbaCastObjVar
0x401098 None
0x40109c _adj_fpatan
0x4010a0 None
0x4010a4 EVENT_SINK_Release
0x4010a8 __vbaUI1I2
0x4010ac _CIsqrt
0x4010b4 __vbaExceptHandler
0x4010b8 None
0x4010bc None
0x4010c0 _adj_fprem
0x4010c4 _adj_fdivr_m64
0x4010c8 None
0x4010cc None
0x4010d0 __vbaFPException
0x4010d4 None
0x4010d8 _CIlog
0x4010dc __vbaNew2
0x4010e0 _adj_fdiv_m32i
0x4010e4 _adj_fdivr_m32i
0x4010e8 __vbaStrCopy
0x4010ec __vbaFreeStrList
0x4010f0 None
0x4010f4 _adj_fdivr_m32
0x4010f8 _adj_fdiv_r
0x4010fc None
0x401100 None
0x401104 None
0x401108 None
0x40110c __vbaVarDup
0x401110 None
0x401118 _CIatan
0x40111c __vbaStrMove
0x401120 __vbaUI1Str
0x401124 _allmul
0x401128 None
0x40112c _CItan
0x401130 None
0x401134 _CIexp
0x401138 __vbaFreeStr
0x40113c __vbaFreeObj

!This program cannot be run in DOS mode.
.text
`.data
.rsrc
MSVBVM60.DLL
ENADECE
Phenobarbi
dasypaed
dasypaed
Check1
michaels
FOENICULUM
Option3
agnusesavoc
Option2
Tatariskepi6
Option1
Line2
Line1
VB5!6&*
SOLRIGE
ENADECE
ENADECE
zr$HS
ENADECE
Phenobarbi
Prosstoaba
Agoniz
aboma
Busuutisubg
Scolopaceo
STAMA
surrealest
VESTI
circump
fessestr
Indflydelse
agnusesavoc
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Check1
Tatariskepi6
FOENICULUM
LYNNEDSLAGENE
kneeing
Bottomlessly
Deathcup
CROSSABILITY
kawaka
VISERENDE
Uanvendeliges
BRUGERANGIVNE
OLDFRUER
facsim
Eftergrelse3
VBA6.DLL
__vbaFpR8
__vbaVarMove
__vbaUI1Str
__vbaVarDup
__vbaFreeObjList
__vbaFreeObj
__vbaStrVarMove
__vbaFreeVarList
__vbaVarTstEq
__vbaFreeStr
__vbaStrCopy
__vbaUI1I2
__vbaCastObjVar
__vbaObjSet
__vbaHresultCheckObj
__vbaNew2
__vbaVarLateMemCallLd
__vbaFreeVar
__vbaFreeStrList
__vbaStrCat
__vbaStrMove
__vbaStrCmp
Kystklima
Volstead5
PHTHIRIUS
Solod
Larvicidal
Foruroligelserne5
UNCONTEMPTIBLY
INSTRUKTIONSKURSUS
Vngerne
Tilhrendes4
Dveskolens8
Servicefunktioners5
EKSEKUTION
Diktere1
CHEFDOM
Lornness7
RANVEIG
Forpligtelseserklrings
metea
Irradiate5
Amuck7
BRANIFF
Bestvlede6
reaccelerated
Oinks
surstyle
sammenstds
refractional
TOTALERS
brdstudiers
Merling8
SATANIZE
DONNER
Driftsikkert6
Plastiskes9
VENSTRELINEAER
Skovhugsterne1
Heautomorphism1
Whoreishly
Bryggerkedels9
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaStrVarMove
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaStrCat
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaObjSet
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaFpR8
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaStrCmp
__vbaVarTstEq
__vbaCastObjVar
_adj_fpatan
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarDup
__vbaVarLateMemCallLd
_CIatan
__vbaStrMove
__vbaUI1Str
_allmul
_CItan
_CIexp
__vbaFreeStr
__vbaFreeObj
Spiralsnoet6
somatological
annelides
Jurata
Sejrvindings
Upshoot3
KOMMUNALBESTYRELSE
aflvningerne
CONTAINMENT
CANCANENS
KATJES
medicean
FLERRIED
OLIGIST
Coatninger
Fodterapeuters
startbogstavs
Caponized9
Blokfljternes
TALVRDIEN
harpist
Tuberculomas
Polydaemonist5
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040304B0
LegalCopyright
Internal
LegalTrademarks
Internal
ProductName
ENADECE
FileVersion
ProductVersion
InternalName
SOLRIGE
OriginalFilename
SOLRIGE.exe

Full Results

Engine Signature
Bkav Clean
MicroWorld-eScan Clean
FireEye Clean
CAT-QuickHeal Clean
McAfee Fareit-FST!9A52F6EF61FA
Cylance Unsafe
Zillya Clean
SUPERAntiSpyware Clean
Sangfor Malware
K7AntiVirus Clean
Alibaba Clean
K7GW Clean
Cybereason Clean
Arcabit Clean
Invincea Clean
BitDefenderTheta Gen:[email protected]
F-Prot Clean
Symantec Clean
TotalDefense Clean
Baidu Clean
APEX Malicious
Avast Clean
ClamAV Clean
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Clean
NANO-Antivirus Clean
Paloalto Clean
ViRobot Clean
Rising Downloader.Guloader!1.C738 (CLOUD)
Ad-Aware Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
TrendMicro Clean
Fortinet Clean
Trapmine suspicious.low.ml.score
CMC Clean
Emsisoft Clean
SentinelOne DFI - Suspicious PE
Cyren Clean
Jiangmin Clean
Webroot Clean
Avira TR/Injector.piagf
MAX Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame malicious (high confidence)
Microsoft PWS:Win32/Fareit.AB!MTB
AegisLab Clean
ZoneAlarm UDS:DangerousObject.Multi.Generic
Avast-Mobile Clean
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Clean
TACHYON Clean
Malwarebytes Trojan.MalPack.VB
Zoner Clean
ESET-NOD32 a variant of Win32/Injector.EMGX
TrendMicro-HouseCall Clean
Tencent Clean
Yandex Clean
Ikarus Clean
eGambit Unsafe.AI_Score_100%
GData Clean
MaxSecure Clean
AVG Clean
Panda Clean
CrowdStrike win/malicious_confidence_90% (W)
Qihoo-360 Clean
Sorry! No behavior.

TCP

Source Source Port Destination Destination Port
192.168.1.6 49188 13.107.42.23 443
192.168.1.6 49191 13.107.42.23 443
192.168.1.6 49220 13.107.42.23 443
192.168.1.6 49213 216.58.210.14 80
192.168.1.6 49212 216.58.212.131 443
192.168.1.6 49189 23.211.5.239 443
192.168.1.6 49194 23.211.5.239 443
192.168.1.6 31722 52.114.159.32 15082
192.168.1.6 29581 52.114.159.32 60959
192.168.1.6 10091 52.114.159.32 27273
192.168.1.6 6233 52.114.76.37 27119
192.168.1.6 49180 52.142.114.176 443
192.168.1.6 49207 52.158.209.219 443
192.168.1.6 49216 93.184.220.29 80
192.168.1.6 49184 93.184.221.240 80

UDP

Source Source Port Destination Destination Port
192.168.1.6 137 192.168.1.255 137
192.168.1.6 50764 8.8.8.8 53
192.168.1.6 50797 8.8.8.8 53
192.168.1.6 52348 8.8.8.8 53
192.168.1.6 52555 8.8.8.8 53
192.168.1.6 56219 8.8.8.8 53
192.168.1.6 56304 8.8.8.8 53
192.168.1.6 57593 8.8.8.8 53
192.168.1.6 58697 8.8.8.8 53
192.168.1.6 60016 8.8.8.8 53
192.168.1.6 63241 8.8.8.8 53
192.168.1.6 63713 8.8.8.8 53
192.168.1.6 64201 8.8.8.8 53
192.168.1.6 65048 8.8.8.8 53

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-05 14:01:55.352 192.168.1.6 [VT] 49185 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:01:59.414 192.168.1.6 [VT] 49188 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:02:00.570 192.168.1.6 [VT] 49190 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:02:01.041 192.168.1.6 [VT] 49192 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:02:01.075 192.168.1.6 [VT] 49191 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:02:07.292 192.168.1.6 [VT] 49193 23.211.5.239 [VT] 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3
2020-06-05 14:02:09.421 192.168.1.6 [VT] 49194 23.211.5.239 [VT] 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3
2020-06-05 14:02:18.697 192.168.1.6 [VT] 49207 52.158.209.219 [VT] 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3
2020-06-05 14:02:59.480 192.168.1.6 [VT] 49211 52.142.114.176 [VT] 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3
2020-06-05 14:03:01.063 192.168.1.6 [VT] 49212 216.58.212.131 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:03:49.079 144.208.213.45 [VT] 80 192.168.1.6 [VT] 49214 TCP 1 2018959 4 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation 1
2020-06-05 14:03:49.079 144.208.213.45 [VT] 80 192.168.1.6 [VT] 49214 TCP 1 2014520 7 ET INFO EXE - Served Attached HTTP Misc activity 3
2020-06-05 14:04:08.279 144.208.213.45 [VT] 80 192.168.1.6 [VT] 49214 TCP 1 2015744 4 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) Misc activity 3
2020-06-05 14:04:31.485 192.168.1.6 [VT] 49219 216.58.212.131 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:04:33.038 192.168.1.6 [VT] 49220 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-05 14:01:49.908 192.168.1.6 [VT] 49180 52.142.114.176 [VT] 443 CN=g.msn.com 84:07:33:ed:86:d5:52:e5:ff:20:cd:89:1e:0a:3c:00:7b:68:0d:17 TLS 1.2
2020-06-05 14:01:55.474 192.168.1.6 [VT] 49185 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:01:59.458 192.168.1.6 [VT] 49188 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:01:59.759 192.168.1.6 [VT] 49189 23.211.5.239 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=*.sfx.ms 43:5a:ab:ca:cc:ab:86:4d:56:81:18:e3:e5:17:05:9b:0e:32:8c:38 TLS 1.2
2020-06-05 14:02:00.692 192.168.1.6 [VT] 49190 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:02:01.257 192.168.1.6 [VT] 49192 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:02:01.276 192.168.1.6 [VT] 49191 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:02:07.414 192.168.1.6 [VT] 49193 23.211.5.239 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=*.sfx.ms 43:5a:ab:ca:cc:ab:86:4d:56:81:18:e3:e5:17:05:9b:0e:32:8c:38 TLSv1
2020-06-05 14:02:09.427 192.168.1.6 [VT] 49194 23.211.5.239 [VT] 443 TLSv1
2020-06-05 14:02:18.720 192.168.1.6 [VT] 49207 52.158.209.219 [VT] 443 CN=watson.microsoft.com e1:6a:52:eb:a9:ec:f3:58:ca:9a:f9:fb:05:f8:bf:38:d8:76:1d:50 TLSv1
2020-06-05 14:02:59.630 192.168.1.6 [VT] 49211 52.142.114.176 [VT] 443 CN=g.msn.com 84:07:33:ed:86:d5:52:e5:ff:20:cd:89:1e:0a:3c:00:7b:68:0d:17 TLSv1
2020-06-05 14:03:01.063 192.168.1.6 [VT] 49212 216.58.212.131 [VT] 443 C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com ea:2f:e9:4b:45:d4:c2:92:9d:3c:2f:d8:42:92:08:68:20:bd:86:ad TLS 1.2
2020-06-05 14:03:12.708 192.168.1.6 [VT] 49215 52.114.76.37 [VT] 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2
2020-06-05 14:03:55.994 192.168.1.6 [VT] 49217 52.114.159.32 [VT] 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2
2020-06-05 14:04:31.485 192.168.1.6 [VT] 49219 216.58.212.131 [VT] 443 C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com ea:2f:e9:4b:45:d4:c2:92:9d:3c:2f:d8:42:92:08:68:20:bd:86:ad TLS 1.2
2020-06-05 14:04:33.160 192.168.1.6 [VT] 49220 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-06-05 14:01:55.557 192.168.1.6 49184 93.184.221.240 80 200 ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c05362e6e894290d application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 6894
2020-06-05 14:01:58.468 192.168.1.6 49187 93.184.220.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:02:01.040 192.168.1.6 49187 93.184.220.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:03:03.463 192.168.1.6 49213 216.58.210.14 80 302 redirector.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe text/html Microsoft BITS/7.5 None 0
2020-06-05 14:03:04.180 192.168.1.6 49214 144.208.213.45 80 200 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 0
2020-06-05 14:03:14.220 192.168.1.6 49216 93.184.220.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:03:31.412 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 6265
2020-06-05 14:03:49.431 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 10116
2020-06-05 14:03:55.825 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 10308
2020-06-05 14:03:56.825 192.168.1.6 49218 93.184.220.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:04:00.912 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 14216
2020-06-05 14:04:03.521 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 14614
2020-06-05 14:04:05.990 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 29889
2020-06-05 14:04:08.282 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 63179
2020-06-05 14:04:10.821 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 106689
2020-06-05 14:04:13.474 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 144062
2020-06-05 14:04:15.959 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 179298
2020-06-05 14:04:18.521 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 202344
2020-06-05 14:04:20.476 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 189456
2020-06-05 14:04:23.178 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 218993
2020-06-05 14:04:25.459 192.168.1.6 49214 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 106147
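A reviewer reading the HTTP table above wants two things the flat rows hide: the per-response rows collapsed into flows with a byte total, and the one executable transfer separated from CryptoAPI certificate-infrastructure noise. The script below is an added example, not code from this report or from the CAPE project. RECORDS is a constructed subset of the table (the fourteen 206 responses keep their lengths and drop their timestamps); the field names, the flow key and the category labels are this example's own assumptions.

```python
"""Triage of the Suricata HTTP records above: collapse per-response rows into
flows and flag executable transfers over cleartext HTTP.

Added example; not code from this report or from the CAPE project. RECORDS is a
constructed subset of the report's HTTP table (the fourteen 206 rows keep their
lengths but drop timestamps); the field names, flow key and category labels are
this example's own assumptions.
"""
from urllib.parse import urlsplit

DL_PATH = "/edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe"
DL_QUERY = ("cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe"
            "&ms=nvh&mt=1591365677&mv=m&mvi=1&pl=24&shardbypass=yes")


def rec(src_port, dst_ip, dst_port, status, host, uri, ctype, ua, length):
    return {"src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port, "status": status,
            "host": host, "uri": uri, "content_type": ctype, "user_agent": ua, "length": length}


RECORDS = [
    rec(49184, "93.184.221.240", 80, 200, "ctldl.windowsupdate.com",
        "/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c05362e6e894290d",
        "application/vnd.ms-cab-compressed", "Microsoft-CryptoAPI/6.1", 6894),
    rec(49187, "93.184.220.29", 80, 200, "ocsp.digicert.com",
        "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys"
        "%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D",
        "application/ocsp-response", "Microsoft-CryptoAPI/6.1", 1507),
    rec(49213, "216.58.210.14", 80, 302, "redirector.gvt1.com", DL_PATH,
        "text/html", "Microsoft BITS/7.5", 0),
    rec(49214, "144.208.213.45", 80, 200, "r2---sn-5oxmp55u-8pxe.gvt1.com",
        DL_PATH + "?" + DL_QUERY, "application/octet-stream", "Microsoft BITS/7.5", 0),
]
# Lengths of the 206 Partial Content responses on socket 49214 (report rows 14:03:31 to 14:04:25).
CHUNK_LENGTHS = [6265, 10116, 10308, 14216, 14614, 29889, 63179,
                 106689, 144062, 179298, 202344, 189456, 218993, 106147]
RECORDS += [rec(49214, "144.208.213.45", 80, 206, "r2---sn-5oxmp55u-8pxe.gvt1.com",
                DL_PATH + "?" + DL_QUERY, "application/octet-stream", "Microsoft BITS/7.5", n)
            for n in CHUNK_LENGTHS]

CERT_INFRA_UA = "Microsoft-CryptoAPI/"   # CRL, CTL and OCSP fetches by the Windows crypto stack
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
EXEC_EXT = (".exe", ".dll", ".msi", ".scr")


def flow_key(r):
    """One flow = one client socket to one host/path; the query string is ignored."""
    return (r["src_port"], r["dst_ip"], r["dst_port"], r["host"], urlsplit(r["uri"]).path)


def aggregate(records):
    """Collapse per-response rows into one entry per flow with a byte total."""
    flows = {}
    for r in records:
        f = flows.setdefault(flow_key(r), {"bytes": 0, "responses": 0, "statuses": set(),
                                           "content_types": set(), "user_agent": r["user_agent"]})
        f["bytes"] += r["length"]
        f["responses"] += 1
        f["statuses"].add(r["status"])
        f["content_types"].add(r["content_type"])
    return flows


def classify(key, f):
    _, _, dst_port, _, path = key
    if f["user_agent"].startswith(CERT_INFRA_UA):
        return "cert-infra"
    if f["statuses"] == {302} and f["bytes"] == 0:
        return "redirect"
    if path.lower().endswith(EXEC_EXT) or f["content_types"] & EXEC_TYPES:
        return "executable" if dst_port == 443 else "cleartext-executable"
    return "other"


def triage(records):
    return [{"host": k[3], "path": k[4], "user_agent": f["user_agent"], "category": classify(k, f),
             "responses": f["responses"], "bytes": f["bytes"]}
            for k, f in aggregate(records).items()]


def cleartext_executables(records):
    return [t for t in triage(records) if t["category"] == "cleartext-executable"]


if __name__ == "__main__":
    for t in triage(RECORDS):
        print(f'{t["category"]:22} {t["responses"]:3} resp {t["bytes"]:9} B  {t["host"]}{t["path"]}')
```

Run as written, the only flow in the "cleartext-executable" bucket is the BITS fetch of GoogleUpdateSetup.exe from r2---sn-5oxmp55u-8pxe.gvt1.com: one 200 plus fourteen 206 range responses totalling 1,295,576 bytes. That is expected Google Update traffic on a host with Chrome installed, but the pattern that surfaces it (a PE fetched over port 80 by a Microsoft BITS user agent in range chunks) is the same one to pivot on when the host and path are not a known updater.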
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.6 49185 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49188 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49190 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49191 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49192 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49220 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49212 216.58.212.131 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49219 216.58.212.131 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49189 23.211.5.239 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49193 23.211.5.239 443 bafc6b01eae6f4350f5db6805ace208e unknown
192.168.1.6 49194 23.211.5.239 443 bafc6b01eae6f4350f5db6805ace208e unknown
192.168.1.6 49217 52.114.159.32 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49215 52.114.76.37 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49180 52.142.114.176 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49211 52.142.114.176 443 bafc6b01eae6f4350f5db6805ace208e unknown
192.168.1.6 49207 52.158.209.219 443 bafc6b01eae6f4350f5db6805ace208e unknown
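The JA3 column is the MD5 of a fixed string built from the TLS ClientHello, so the same hash on many flows means the same client TLS stack and configuration, not necessarily the same process. The script below is an added example, not code from this report, from CAPE or from the JA3 project: it derives the hash from constructed ClientHello values (with GREASE stripped, as the JA3 algorithm requires) and then pivots the table above by hash, joining in the three certificate subjects from the Suricata TLS rows at the top of this section. JA3_ROWS and TLS_SUBJECTS are copied from those tables; the function names are this example's own.

```python
"""JA3: how a TLS client fingerprint is derived, and a pivot over the report's
JA3 and TLS tables.

Added example; not code from this report, from CAPE or from the JA3 project.
JA3_ROWS and TLS_SUBJECTS are copied from the tables above; the ClientHello
values in main() are constructed, and the function names are this example's own.
"""
import hashlib
from collections import defaultdict

JA3_ROWS = """\
192.168.1.6 49185 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49188 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49190 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49191 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49192 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49220 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49212 216.58.212.131 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49219 216.58.212.131 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49189 23.211.5.239 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49193 23.211.5.239 443 bafc6b01eae6f4350f5db6805ace208e unknown
192.168.1.6 49194 23.211.5.239 443 bafc6b01eae6f4350f5db6805ace208e unknown
192.168.1.6 49217 52.114.159.32 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49215 52.114.76.37 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49180 52.142.114.176 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.6 49211 52.142.114.176 443 bafc6b01eae6f4350f5db6805ace208e unknown
192.168.1.6 49207 52.158.209.219 443 bafc6b01eae6f4350f5db6805ace208e unknown
"""

# Certificate subjects from the report's Suricata TLS rows, keyed by (src port, dst IP).
TLS_SUBJECTS = {
    (49217, "52.114.159.32"): "CN=*.events.data.microsoft.com",
    (49219, "216.58.212.131"): "CN=upload.video.google.com",
    (49220, "13.107.42.23"): "CN=edge.skype.com",
}


def is_grease(v):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa). JA3 drops them so a
    client that randomises GREASE still hashes to one value."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats; each
    list as decimal values joined by '-', in ClientHello order, GREASE removed."""
    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(s):
    return hashlib.md5(s.encode("ascii")).hexdigest()


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        src, sport, dst, dport, digest, desc = line.split(None, 5)
        rows.append({"src": src, "sport": int(sport), "dst": dst,
                     "dport": int(dport), "ja3": digest, "desc": desc})
    return rows


def pivot(rows, subjects):
    """Per JA3 hash: flow count, distinct destinations and any certificate subject seen."""
    groups = defaultdict(lambda: {"flows": 0, "dsts": set(), "subjects": set()})
    for r in rows:
        g = groups[r["ja3"]]
        g["flows"] += 1
        g["dsts"].add(r["dst"])
        subject = subjects.get((r["sport"], r["dst"]))
        if subject:
            g["subjects"].add(subject)
    return dict(groups)


if __name__ == "__main__":
    # Constructed ClientHello: TLS 1.2 version (771) with one GREASE value in each list.
    s = ja3_string(771, [0x0a0a, 4865, 4866, 49195, 49199, 156, 47],
                   [0x1a1a, 0, 23, 65281, 10, 11, 16, 5, 13], [0x2a2a, 29, 23, 24], [0])
    print(s, ja3_hash(s))
    for digest, g in pivot(parse_rows(JA3_ROWS), TLS_SUBJECTS).items():
        print(digest, g["flows"], "flows", sorted(g["dsts"]), sorted(g["subjects"]))
```

On this table the pivot yields three fingerprints: 1074895078955b2db60423ed2bf8ac23 on eight flows to two destinations (edge.skype.com and upload.video.google.com among them), d124ae14809abde3528a479fe01a12bd on four flows to four destinations (one of them *.events.data.microsoft.com), and bafc6b01eae6f4350f5db6805ace208e on four flows to three destinations. "unknown" in the description column only means the sandbox's JA3 list has no entry for the hash; whether a fingerprint is benign is decided by what it talks to and which process owns the socket, not by the hash alone.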
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_entropy
Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
Persistence
  • T1060 - Registry Run Keys / Startup Folder
    • Signature - persistence_autorun

    Processing ( 19.22 seconds )

    • 12.76 NetworkAnalysis
    • 5.257 Suricata
    • 0.611 CAPE
    • 0.199 VirusTotal
    • 0.175 Deduplicate
    • 0.09 BehaviorAnalysis
    • 0.081 Static
    • 0.019 AnalysisInfo
    • 0.012 TargetInfo
    • 0.005 Dropped
    • 0.005 peid
    • 0.004 Debug
    • 0.002 Strings

    Signatures ( 0.208 seconds )

    • 0.048 antiav_detectreg
    • 0.018 infostealer_ftp
    • 0.017 territorial_disputes_sigs
    • 0.013 ransomware_files
    • 0.011 infostealer_im
    • 0.01 antianalysis_detectreg
    • 0.008 ransomware_extensions
    • 0.007 antiav_detectfile
    • 0.006 antidbg_windows
    • 0.005 antianalysis_detectfile
    • 0.005 antivm_vbox_keys
    • 0.005 infostealer_bitcoin
    • 0.005 infostealer_mail
    • 0.004 persistence_autorun
    • 0.004 masquerade_process_name
    • 0.003 antivm_vbox_files
    • 0.003 antivm_vmware_keys
    • 0.002 api_spamming
    • 0.002 decoy_document
    • 0.002 kibex_behavior
    • 0.002 stealth_timeout
    • 0.002 antivm_parallels_keys
    • 0.002 antivm_xen_keys
    • 0.002 geodo_banking_trojan
    • 0.001 Doppelganging
    • 0.001 InjectionCreateRemoteThread
    • 0.001 antiemu_wine_func
    • 0.001 betabot_behavior
    • 0.001 dynamic_function_loading
    • 0.001 exec_crash
    • 0.001 network_tor
    • 0.001 rat_nanocore
    • 0.001 NewtWire Behavior
    • 0.001 tinba_behavior
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_vmware_files
    • 0.001 antivm_vpc_keys
    • 0.001 ketrican_regkeys
    • 0.001 browser_security
    • 0.001 bypass_firewall
    • 0.001 disables_browser_warn
    • 0.001 qulab_files
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 recon_fingerprint

    Reporting ( 272.474 seconds )

    • 264.409 PCAP2CERT
    • 8.022 BinGraph
    • 0.042 MITRE_TTPS
    • 0.001 SubmitCAPE