Analysis

Category: FILE
Package: exe
Started: 2020-06-05 14:04:56
Completed: 2020-06-05 14:12:22
Duration: 446 seconds
Options: route = tor
2020-05-13 09:30:42,094 [root] INFO: Date set to: 20200605T13:45:10, timeout set to: 200
2020-06-05 13:45:10,062 [root] DEBUG: Starting analyzer from: C:\tmplodztmkc
2020-06-05 13:45:10,078 [root] DEBUG: Storing results at: C:\gGOQexcgh
2020-06-05 13:45:10,078 [root] DEBUG: Pipe server name: \\.\PIPE\kZAbmA
2020-06-05 13:45:10,078 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-05 13:45:10,078 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-05 13:45:10,078 [root] INFO: Automatically selected analysis package "exe"
2020-06-05 13:45:10,078 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-05 13:45:10,109 [root] DEBUG: Imported analysis package "exe".
2020-06-05 13:45:10,109 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-05 13:45:10,109 [root] DEBUG: Initialized analysis package "exe".
2020-06-05 13:45:10,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 13:45:10,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 13:45:10,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 13:45:10,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 13:45:10,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 13:45:10,218 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 13:45:10,218 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 13:45:10,249 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 13:45:10,249 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 13:45:10,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 13:45:10,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 13:45:10,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 13:45:10,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 13:45:10,296 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 13:45:10,296 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 13:45:10,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 13:45:10,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 13:45:10,296 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 13:45:10,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 13:45:10,312 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 13:45:10,312 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 13:45:10,968 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 13:45:10,984 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 13:45:11,015 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 13:45:11,015 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 13:45:11,015 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 13:45:11,015 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 13:45:11,015 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 13:45:11,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 13:45:11,046 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 13:45:11,046 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 13:45:11,046 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 13:45:11,046 [root] DEBUG: Started auxiliary module Browser
2020-06-05 13:45:11,046 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 13:45:11,046 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 13:45:11,046 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 13:45:11,046 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 13:45:11,046 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 13:45:11,046 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 13:45:11,046 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 13:45:11,046 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 13:45:12,343 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 13:45:12,343 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 13:45:12,359 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 13:45:12,359 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 13:45:12,359 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 13:45:12,359 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 13:45:12,406 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 13:45:12,406 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 13:45:12,406 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 13:45:12,406 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 13:45:12,421 [root] DEBUG: Started auxiliary module Human
2020-06-05 13:45:12,421 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 13:45:12,421 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 13:45:12,421 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 13:45:12,421 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 13:45:12,421 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 13:45:12,421 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 13:45:12,421 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 13:45:12,421 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 13:45:12,437 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 13:45:12,437 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 13:45:12,437 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 13:45:12,437 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 13:45:12,437 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 13:45:12,437 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 13:45:12,437 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 13:45:12,437 [root] DEBUG: Started auxiliary module Usage
2020-06-05 13:45:12,437 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-05 13:45:12,437 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-05 13:45:12,437 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-05 13:45:12,437 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-05 13:45:12,546 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\Catalogue.exe" with arguments "" with pid 3428
2020-06-05 13:45:12,546 [lib.api.process] INFO: Monitor config for process 3428: C:\tmplodztmkc\dll\3428.ini
2020-06-05 13:45:12,546 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IBnfPif.dll, loader C:\tmplodztmkc\bin\VvjGFfr.exe
2020-06-05 13:45:12,625 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:12,625 [root] DEBUG: Loader: Injecting process 3428 (thread 3924) with C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:12,625 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:12,625 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:12,625 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:12,671 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:12,671 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3428
2020-06-05 13:45:16,031 [lib.api.process] INFO: Successfully resumed process with pid 3428
2020-06-05 13:45:16,562 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:16,578 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:16,578 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:16,593 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3428 at 0x6f3e0000, image base 0x400000, stack from 0x186000-0x190000
2020-06-05 13:45:16,593 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Catalogue.exe".
2020-06-05 13:45:16,656 [root] INFO: loaded: b'3428'
2020-06-05 13:45:16,656 [root] INFO: Loaded monitor into process with pid 3428
2020-06-05 13:45:16,656 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,656 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,671 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,671 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x03950000 to global list.
2020-06-05 13:45:16,921 [root] DEBUG: DLL loaded at 0x73220000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-05 13:45:17,234 [root] DEBUG: DLL loaded at 0x6FAC0000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-06-05 13:45:17,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x04090000 to global list.
2020-06-05 13:45:17,437 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 13:45:17,453 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 13:45:17,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x104 amd local view 0x03C20000 to global list.
2020-06-05 13:45:17,718 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 13:45:17,718 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-05 13:45:29,750 [root] DEBUG: set_caller_info: Adding region at 0x00430000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:29,750 [root] DEBUG: set_caller_info: Adding region at 0x01D40000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:29,765 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1d40000
2020-06-05 13:45:29,781 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\3428_6315848632925235562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?0x01D40000;?', ['3428'], 'CAPE')
2020-06-05 13:45:29,812 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gGOQexcgh\CAPE\3428_6315848632925235562020 (size 0xffe)
2020-06-05 13:45:29,812 [root] DEBUG: DumpRegion: Dumped stack region from 0x01D40000, size 0x1000.
2020-06-05 13:45:29,812 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\3428_9035095882925235562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?0x00430000;?', ['3428'], 'CAPE')
2020-06-05 13:45:29,843 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gGOQexcgh\CAPE\3428_9035095882925235562020 (size 0x328b)
2020-06-05 13:45:29,843 [root] DEBUG: DumpRegion: Dumped stack region from 0x00430000, size 0x8000.
2020-06-05 13:45:32,593 [root] INFO: Announced 32-bit process name: Catalogue.exe pid: 3216
2020-06-05 13:45:32,593 [lib.api.process] INFO: Monitor config for process 3216: C:\tmplodztmkc\dll\3216.ini
2020-06-05 13:45:32,609 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IBnfPif.dll, loader C:\tmplodztmkc\bin\VvjGFfr.exe
2020-06-05 13:45:32,640 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:32,640 [root] DEBUG: Loader: Injecting process 3216 (thread 3000) with C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,640 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:32,640 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,640 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:32,656 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,656 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3216
2020-06-05 13:45:32,687 [root] INFO: Announced 32-bit process name: Catalogue.exe pid: 3216
2020-06-05 13:45:32,687 [lib.api.process] INFO: Monitor config for process 3216: C:\tmplodztmkc\dll\3216.ini
2020-06-05 13:45:32,687 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IBnfPif.dll, loader C:\tmplodztmkc\bin\VvjGFfr.exe
2020-06-05 13:45:32,718 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:32,718 [root] DEBUG: Loader: Injecting process 3216 (thread 3000) with C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,718 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:32,718 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,718 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:32,718 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,734 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3216
2020-06-05 13:45:32,734 [root] INFO: Announced 32-bit process name: Catalogue.exe pid: 3216
2020-06-05 13:45:32,734 [lib.api.process] INFO: Monitor config for process 3216: C:\tmplodztmkc\dll\3216.ini
2020-06-05 13:45:32,734 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IBnfPif.dll, loader C:\tmplodztmkc\bin\VvjGFfr.exe
2020-06-05 13:45:32,765 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:32,765 [root] DEBUG: Loader: Injecting process 3216 (thread 0) with C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,765 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 13:45:32,765 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 3000, handle 0xc4
2020-06-05 13:45:32,765 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:32,765 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x00401564)
2020-06-05 13:45:32,765 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,781 [root] DEBUG: InjectDllViaIAT: Memory region at 0x07000000 not empty.
2020-06-05 13:45:32,781 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:32,781 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,781 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3216
2020-06-05 13:45:32,781 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\3428_1792795362226235562020', b'4;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?3216;?', ['3428'], 'CAPE')
2020-06-05 13:45:32,812 [root] INFO: Announced 32-bit process name: Catalogue.exe pid: 3216
2020-06-05 13:45:32,812 [lib.api.process] INFO: Monitor config for process 3216: C:\tmplodztmkc\dll\3216.ini
2020-06-05 13:45:32,812 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IBnfPif.dll, loader C:\tmplodztmkc\bin\VvjGFfr.exe
2020-06-05 13:45:32,828 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:32,828 [root] DEBUG: Loader: Injecting process 3216 (thread 0) with C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,828 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 13:45:32,843 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 3000, handle 0xc4
2020-06-05 13:45:32,843 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:32,843 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x00401564)
2020-06-05 13:45:32,843 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,843 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:32,843 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,843 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3216
2020-06-05 13:45:32,875 [root] INFO: Announced 32-bit process name: Catalogue.exe pid: 3216
2020-06-05 13:45:32,875 [lib.api.process] INFO: Monitor config for process 3216: C:\tmplodztmkc\dll\3216.ini
2020-06-05 13:45:32,875 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IBnfPif.dll, loader C:\tmplodztmkc\bin\VvjGFfr.exe
2020-06-05 13:45:32,906 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:32,906 [root] DEBUG: Loader: Injecting process 3216 (thread 3000) with C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,906 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:32,921 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x00401564)
2020-06-05 13:45:32,921 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,921 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:32,921 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:32,937 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3216
2020-06-05 13:45:32,937 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\3428_18969904962226235562020', b'3;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?3216;?', ['3428'], 'CAPE')
2020-06-05 13:45:33,031 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\3428_7385893172326235562020', b'3;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?3216;?', ['3428'], 'CAPE')
2020-06-05 13:45:33,281 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\3428_20537411102326235562020', b'3;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?3216;?', ['3428'], 'CAPE')
2020-06-05 13:45:33,312 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-05 13:45:33,328 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:33,328 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:33,328 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:33,328 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:33,343 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3216 at 0x6f3e0000, image base 0x400000, stack from 0x186000-0x190000
2020-06-05 13:45:33,343 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Catalogue.exe".
2020-06-05 13:45:33,343 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1436
2020-06-05 13:45:33,359 [lib.api.process] INFO: Monitor config for process 1436: C:\tmplodztmkc\dll\1436.ini
2020-06-05 13:45:33,359 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\KBIHAVZ.dll, loader C:\tmplodztmkc\bin\yBVICljt.exe
2020-06-05 13:45:33,390 [root] INFO: loaded: b'3216'
2020-06-05 13:45:33,390 [root] INFO: Loaded monitor into process with pid 3216
2020-06-05 13:45:33,406 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:33,406 [root] DEBUG: Loader: Injecting process 1436 (thread 0) with C:\tmplodztmkc\dll\KBIHAVZ.dll.
2020-06-05 13:45:33,406 [root] DEBUG: set_caller_info: Adding region at 0x001B0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:33,406 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFDF000 Local PEB 0x000007FFFFFDC000 Local TEB 0x000007FFFFFDE000: The operation completed successfully.
2020-06-05 13:45:33,406 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1440, handle 0xa8
2020-06-05 13:45:33,406 [root] DEBUG: set_caller_info: Adding region at 0x01ED0000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:33,406 [root] DEBUG: Process image base: 0x00000000FFE40000
2020-06-05 13:45:33,406 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-05 13:45:33,421 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-05 13:45:33,421 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1ed0000
2020-06-05 13:45:33,421 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01ED0000 size 0x400000.
2020-06-05 13:45:33,437 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:33,437 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:33,453 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:33,453 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 1436 at 0x0000000072A50000, image base 0x00000000FFE40000, stack from 0x0000000004AF2000-0x0000000004B00000
2020-06-05 13:45:33,453 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2020-06-05 13:45:33,484 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\3216_12903968413325235562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?0x01ED0000;?', ['3216'], 'CAPE')
2020-06-05 13:45:33,515 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gGOQexcgh\CAPE\3216_12903968413325235562020 (size 0xffe)
2020-06-05 13:45:33,515 [root] DEBUG: DumpRegion: Dumped stack region from 0x01ED0000, size 0x1000.
2020-06-05 13:45:33,531 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\3216_2577984303325235562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?0x001B0000;?', ['3216'], 'CAPE')
2020-06-05 13:45:33,546 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gGOQexcgh\CAPE\3216_2577984303325235562020 (size 0x328b)
2020-06-05 13:45:33,546 [root] DEBUG: DumpRegion: Dumped stack region from 0x001B0000, size 0x100000.
2020-06-05 13:45:33,625 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-05 13:45:33,625 [root] WARNING: b'Unable to hook LockResource'
2020-06-05 13:45:33,734 [root] INFO: loaded: b'1436'
2020-06-05 13:45:33,750 [root] INFO: Loaded monitor into process with pid 1436
2020-06-05 13:45:33,750 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-05 13:45:33,765 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-05 13:45:33,765 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\KBIHAVZ.dll.
2020-06-05 13:45:33,781 [root] WARNING: Unable to open termination event for pid 3428.
2020-06-05 13:45:33,906 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DFDD8428D7D6FCF1CD.TMP', '', False, 'files')
2020-06-05 13:45:34,015 [root] INFO: b'C:\\gGOQexcgh\\CAPE\\3428_9952195942326235562020|3428|0;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?'
2020-06-05 13:45:34,015 [root] INFO: cape
2020-06-05 13:45:34,031 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\3428_9952195942326235562020', b'0;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Catalogue.exe;?', ['3428'], 'procdump')
2020-06-05 13:45:34,093 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\3428_9952195942326235562020', '', False, 'files')
2020-06-05 13:45:35,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 amd local view 0x75180000 to global list.
2020-06-05 13:45:35,500 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-06-05 13:45:35,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec amd local view 0x03AF0000 to global list.
2020-06-05 13:45:35,562 [root] DEBUG: DLL loaded at 0x70E70000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-05 13:45:35,578 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-06-05 13:45:35,593 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-05 13:45:35,625 [root] DEBUG: DLL loaded at 0x73F70000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-06-05 13:45:35,640 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-06-05 13:45:35,671 [root] DEBUG: DLL loaded at 0x740A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-05 13:45:35,703 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-05 13:45:35,765 [root] DEBUG: DLL loaded at 0x70E40000: C:\Windows\System32\shdocvw (0x2f000 bytes).
2020-06-05 13:45:35,781 [root] DEBUG: DLL loaded at 0x76650000: C:\Windows\SysWOW64\urlmon (0x124000 bytes).
2020-06-05 13:45:35,796 [root] DEBUG: DLL loaded at 0x76330000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:35,796 [root] DEBUG: DLL loaded at 0x75F00000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:35,812 [root] DEBUG: DLL loaded at 0x75EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-06-05 13:45:35,812 [root] DEBUG: DLL loaded at 0x76320000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:35,828 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:35,828 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\version (0x9000 bytes).
2020-06-05 13:45:35,843 [root] DEBUG: DLL loaded at 0x74A00000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-06-05 13:45:35,859 [root] DEBUG: DLL loaded at 0x75170000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-06-05 13:45:35,859 [root] DEBUG: DLL loaded at 0x74F50000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-06-05 13:45:35,875 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-06-05 13:45:35,890 [root] DEBUG: DLL loaded at 0x732B0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-05 13:45:35,890 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-06-05 13:45:35,906 [root] DEBUG: DLL loaded at 0x75E60000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-06-05 13:45:35,906 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-06-05 13:45:35,921 [root] DEBUG: DLL loaded at 0x73210000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-06-05 13:45:35,921 [root] DEBUG: DLL unloaded from 0x75180000.
2020-06-05 13:45:35,953 [root] INFO: Announced 32-bit process name: filename1.exe pid: 2088
2020-06-05 13:45:35,968 [lib.api.process] INFO: Monitor config for process 2088: C:\tmplodztmkc\dll\2088.ini
2020-06-05 13:45:36,000 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IBnfPif.dll, loader C:\tmplodztmkc\bin\VvjGFfr.exe
2020-06-05 13:45:36,031 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:36,046 [root] DEBUG: Loader: Injecting process 2088 (thread 4228) with C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:36,046 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:36,046 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:36,078 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:36,078 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:36,109 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2088
2020-06-05 13:45:36,140 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2088, ImageBase: 0x00400000
2020-06-05 13:45:36,156 [root] INFO: Announced 32-bit process name: filename1.exe pid: 2088
2020-06-05 13:45:36,156 [lib.api.process] INFO: Monitor config for process 2088: C:\tmplodztmkc\dll\2088.ini
2020-06-05 13:45:36,187 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IBnfPif.dll, loader C:\tmplodztmkc\bin\VvjGFfr.exe
2020-06-05 13:45:36,187 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:36,187 [root] DEBUG: Loader: Injecting process 2088 (thread 4228) with C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:36,203 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:36,218 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:36,234 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:36,234 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:36,234 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2088
2020-06-05 13:45:36,234 [root] DEBUG: DLL unloaded from 0x76650000.
2020-06-05 13:45:36,281 [root] DEBUG: DLL unloaded from 0x75180000.
2020-06-05 13:45:36,281 [root] DEBUG: DLL unloaded from 0x70E40000.
2020-06-05 13:45:36,281 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:36,296 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:36,296 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2088 at 0x6f3e0000, image base 0x400000, stack from 0x186000-0x190000
2020-06-05 13:45:36,296 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\subfolder1\filename1.exe".
2020-06-05 13:45:36,296 [root] WARNING: Unable to open termination event for pid 3216.
2020-06-05 13:45:36,328 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 3216).
2020-06-05 13:45:36,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x040B0000 to global list.
2020-06-05 13:45:36,453 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 13:45:36,468 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 13:45:36,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x104 amd local view 0x03C30000 to global list.
2020-06-05 13:45:36,515 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 13:45:36,515 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-05 13:45:41,328 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4E90000 to caller regions list (ntdll::NtClose).
2020-06-05 13:45:41,375 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF4E90000 skipped.
2020-06-05 13:45:41,437 [root] DEBUG: DLL unloaded from 0x000007FEF59A0000.
2020-06-05 13:45:41,484 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF59A0000 to caller regions list (ntdll::NtFreeVirtualMemory).
2020-06-05 13:45:41,593 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF59A0000 skipped.
2020-06-05 13:45:41,656 [root] DEBUG: DLL unloaded from 0x000007FEF61E0000.
2020-06-05 13:45:41,718 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF61E0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-05 13:45:41,734 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF61E0000 skipped.
2020-06-05 13:45:41,781 [root] DEBUG: DLL unloaded from 0x000007FEF4E30000.
2020-06-05 13:45:41,828 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5920000 to caller regions list (ntdll::NtClose).
2020-06-05 13:45:41,828 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF5920000 skipped.
2020-06-05 13:45:41,843 [root] DEBUG: DLL unloaded from 0x000007FEF4E90000.
2020-06-05 13:45:41,875 [root] DEBUG: DLL unloaded from 0x000007FEF05C0000.
2020-06-05 13:45:42,000 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF05C0000 to caller regions list (ntdll::NtClose).
2020-06-05 13:45:42,031 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF05C0000 skipped.
2020-06-05 13:45:42,093 [root] DEBUG: DLL unloaded from 0x000007FEFD9A0000.
2020-06-05 13:45:42,093 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFED20000 to caller regions list (ntdll::NtClose).
2020-06-05 13:45:42,125 [root] DEBUG: set_caller_info: Calling region at 0x000007FEFED20000 skipped.
2020-06-05 13:45:50,812 [root] DEBUG: set_caller_info: Adding region at 0x00530000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:50,812 [root] DEBUG: set_caller_info: Adding region at 0x01F50000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:50,828 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1f50000
2020-06-05 13:45:50,828 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01F50000 size 0x400000.
2020-06-05 13:45:50,843 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\2088_13157236285025235562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\subfolder1\\filename1.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\subfolder1\\filename1.exe;?0x01F50000;?', ['2088'], 'CAPE')
2020-06-05 13:45:50,890 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gGOQexcgh\CAPE\2088_13157236285025235562020 (size 0x50634)
2020-06-05 13:45:50,890 [root] DEBUG: DumpRegion: Dumped stack region from 0x01F50000, size 0x7f000.
2020-06-05 13:45:50,890 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\2088_7721539905025235562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\subfolder1\\filename1.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\subfolder1\\filename1.exe;?0x00530000;?', ['2088'], 'CAPE')
2020-06-05 13:45:50,953 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gGOQexcgh\CAPE\2088_7721539905025235562020 (size 0x328b)
2020-06-05 13:45:50,953 [root] DEBUG: DumpRegion: Dumped stack region from 0x00530000, size 0x8000.
2020-06-05 13:45:53,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x114 amd local view 0x75180000 to global list.
2020-06-05 13:45:53,187 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-06-05 13:45:53,203 [root] INFO: Announced 32-bit process name: filename1.exe pid: 3192
2020-06-05 13:45:53,203 [lib.api.process] INFO: Monitor config for process 3192: C:\tmplodztmkc\dll\3192.ini
2020-06-05 13:45:53,218 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IBnfPif.dll, loader C:\tmplodztmkc\bin\VvjGFfr.exe
2020-06-05 13:45:53,249 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:53,265 [root] DEBUG: Loader: Injecting process 3192 (thread 3624) with C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:53,281 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:53,281 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:53,281 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:53,281 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:53,296 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3192
2020-06-05 13:45:53,296 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-05 13:45:53,328 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-05 13:45:53,328 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3192, ImageBase: 0x00400000
2020-06-05 13:45:53,328 [root] INFO: Announced 32-bit process name: filename1.exe pid: 3192
2020-06-05 13:45:53,328 [lib.api.process] INFO: Monitor config for process 3192: C:\tmplodztmkc\dll\3192.ini
2020-06-05 13:45:53,343 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IBnfPif.dll, loader C:\tmplodztmkc\bin\VvjGFfr.exe
2020-06-05 13:45:53,359 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:53,359 [root] DEBUG: Loader: Injecting process 3192 (thread 3624) with C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:53,375 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:53,390 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:53,390 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:53,390 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:53,421 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3192
2020-06-05 13:45:53,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x130 to target process 3192.
2020-06-05 13:45:53,421 [root] INFO: Announced 32-bit process name: filename1.exe pid: 3192
2020-06-05 13:45:53,437 [lib.api.process] INFO: Monitor config for process 3192: C:\tmplodztmkc\dll\3192.ini
2020-06-05 13:45:53,437 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\IBnfPif.dll, loader C:\tmplodztmkc\bin\VvjGFfr.exe
2020-06-05 13:45:53,468 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kZAbmA.
2020-06-05 13:45:53,468 [root] DEBUG: Loader: Injecting process 3192 (thread 0) with C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:53,484 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 13:45:53,484 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 3624, handle 0xc4
2020-06-05 13:45:53,484 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:53,484 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x00401564)
2020-06-05 13:45:53,500 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:53,500 [root] DEBUG: InjectDllViaIAT: Memory region at 0x07000000 not empty.
2020-06-05 13:45:53,500 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:53,500 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\IBnfPif.dll.
2020-06-05 13:45:53,515 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3192
2020-06-05 13:45:53,515 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x13c amd local view 0x00540000 to global list.
2020-06-05 13:45:59,093 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DFC4B2906AECFB6DD9.TMP', '', False, 'files')
2020-06-05 13:45:59,109 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2088).
2020-06-05 13:45:59,109 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-06-05 13:46:04,781 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF3A10000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-05 13:46:19,953 [root] DEBUG: DLL unloaded from 0x000007FEFD7A0000.
2020-06-05 13:48:36,343 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 13:48:36,343 [lib.api.process] ERROR: Failed to open terminate event for pid 3428
2020-06-05 13:48:36,343 [root] INFO: Terminate event set for process 3428.
2020-06-05 13:48:36,343 [lib.api.process] ERROR: Failed to open terminate event for pid 3216
2020-06-05 13:48:36,343 [root] INFO: Terminate event set for process 3216.
2020-06-05 13:48:36,359 [lib.api.process] INFO: Terminate event set for process 1436
2020-06-05 13:48:36,375 [root] DEBUG: Terminate Event: Attempting to dump process 1436
2020-06-05 13:48:37,125 [root] INFO: b'C:\\gGOQexcgh\\CAPE\\1436_4806760723748195562020|1436|0;?C:\\Windows\\explorer.exe;?C:\\Windows\\explorer.exe;?'
2020-06-05 13:48:37,125 [root] INFO: cape
2020-06-05 13:48:37,125 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\1436_4806760723748195562020', b'0;?C:\\Windows\\explorer.exe;?C:\\Windows\\explorer.exe;?', ['1436'], 'procdump')
2020-06-05 13:48:37,328 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\1436_4806760723748195562020', '', False, 'files')
2020-06-05 13:48:37,390 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x314800.
2020-06-05 13:48:37,406 [lib.api.process] INFO: Termination confirmed for process 1436
2020-06-05 13:48:37,406 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1436
2020-06-05 13:48:37,406 [root] INFO: Terminate event set for process 1436.
2020-06-05 13:48:37,437 [root] INFO: Created shutdown mutex.
2020-06-05 13:48:38,437 [root] INFO: Shutting down package.
2020-06-05 13:48:38,437 [root] INFO: Stopping auxiliary modules.
2020-06-05 13:48:38,578 [lib.common.results] WARNING: File C:\gGOQexcgh\bin\procmon.xml doesn't exist anymore
2020-06-05 13:48:38,578 [root] INFO: Finishing auxiliary modules.
2020-06-05 13:48:38,578 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 13:48:38,578 [root] INFO: Uploading files at path "C:\gGOQexcgh\debugger" 
2020-06-05 13:48:38,593 [root] WARNING: Monitor injection attempted but failed for process 2088.
2020-06-05 13:48:38,593 [root] WARNING: Monitor injection attempted but failed for process 3192.
2020-06-05 13:48:38,593 [root] INFO: Analysis completed.
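The analyzer log above is the raw record of which processes the monitor reached, which were dumped, and which it lost: note that the shutdown warnings "Monitor injection attempted but failed" for pids 2088 and 3192 follow earlier "Injected into suspended 32-bit process" lines for the same pids. As an added example (not CAPE's own code and not part of this report), here is a small Python triage pass over lines of that shape. The sample lines are constructed from the log above, and the pattern names and the wording of the notes are this example's own.

```python
import re

# Constructed sample in the shape of the analyzer log above: a few lines picked
# to cover the events a triage pass cares about. Not the full log.
SAMPLE_LOG = r"""
2020-06-05 13:45:36,234 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2088
2020-06-05 13:45:50,843 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\2088_13157236285025235562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\subfolder1\\filename1.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\subfolder1\\filename1.exe;?0x01F50000;?', ['2088'], 'CAPE')
2020-06-05 13:45:50,890 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\2088_7721539905025235562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\subfolder1\\filename1.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\subfolder1\\filename1.exe;?0x00530000;?', ['2088'], 'CAPE')
2020-06-05 13:45:53,203 [root] INFO: Announced 32-bit process name: filename1.exe pid: 3192
2020-06-05 13:45:53,296 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3192
2020-06-05 13:45:53,515 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3192
2020-06-05 13:45:59,109 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2088).
2020-06-05 13:48:36,343 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 13:48:37,125 [root] INFO: ('dump_file', 'C:\\gGOQexcgh\\CAPE\\1436_4806760723748195562020', b'0;?C:\\Windows\\explorer.exe;?C:\\Windows\\explorer.exe;?', ['1436'], 'procdump')
2020-06-05 13:48:37,406 [lib.api.process] INFO: Termination confirmed for process 1436
2020-06-05 13:48:38,593 [root] WARNING: Monitor injection attempted but failed for process 2088.
2020-06-05 13:48:38,593 [root] WARNING: Monitor injection attempted but failed for process 3192.
"""

# "<timestamp> [<logger>] <LEVEL>: <message>", the layout of every line above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Message shapes worth tracking; the keys are this example's own names.
PATTERNS = {
    "announced": re.compile(r"Announced (?P<bits>\d+)-bit process name: (?P<name>\S+) pid: (?P<pid>\d+)"),
    "injected": re.compile(r"Injected into suspended (?P<bits>\d+)-bit process with pid (?P<pid>\d+)"),
    "dump": re.compile(r"\('dump_file', '(?P<path>[^']+)', b'[^']*', \['(?P<pid>\d+)'\], '(?P<kind>\w+)'\)"),
    "terminated_hook": re.compile(r"NtTerminateProcess hook: .*\(process (?P<pid>\d+)\)"),
    "terminated_confirmed": re.compile(r"Termination confirmed for process (?P<pid>\d+)"),
    "inject_failed": re.compile(r"Monitor injection attempted but failed for process (?P<pid>\d+)"),
    "timeout": re.compile(r"Analysis timeout hit"),
}


def triage(log_text):
    """Return {"processes": {pid: info}, "timed_out": bool, "notes": [str]}."""
    procs = {}
    timed_out = False

    def info(pid, ts):
        p = procs.setdefault(pid, {"name": None, "bits": None, "injected": 0, "dumps": [],
                                   "terminated": False, "inject_failed": False,
                                   "first_seen": ts, "last_seen": ts})
        p["last_seen"] = ts
        return p

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        for kind, pat in PATTERNS.items():
            hit = pat.search(msg)
            if not hit:
                continue
            if kind == "timeout":
                timed_out = True
            elif kind == "announced":
                p = info(hit["pid"], ts)
                p["name"], p["bits"] = hit["name"], int(hit["bits"])
            elif kind == "injected":
                p = info(hit["pid"], ts)
                p["injected"] += 1
                p["bits"] = int(hit["bits"])
            elif kind == "dump":
                # Keep only the dump's file name; the pid is the one CAPE recorded with it.
                info(hit["pid"], ts)["dumps"].append((hit["kind"], hit["path"].rsplit("\\", 1)[-1]))
            elif kind.startswith("terminated"):
                info(hit["pid"], ts)["terminated"] = True
            elif kind == "inject_failed":
                info(hit["pid"], ts)["inject_failed"] = True
            break

    notes = []
    for pid, p in procs.items():
        if p["injected"] and p["inject_failed"]:
            notes.append(f"pid {pid}: injection reported OK {p['injected']}x, then flagged failed at "
                         f"shutdown; treat its API trace as incomplete")
        if p["injected"] > 1:
            notes.append(f"pid {pid}: injected {p['injected']} times; look for 'already been patched' "
                         f"and 'Modified EP' lines for that pid")
        if timed_out and not p["terminated"]:
            notes.append(f"pid {pid}: no termination seen before the analysis timeout")
    return {"processes": procs, "timed_out": timed_out, "notes": notes}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for pid, p in result["processes"].items():
        print(pid, p["name"], "injected=%d dumps=%d terminated=%s" % (p["injected"], len(p["dumps"]), p["terminated"]))
    print("\n".join(result["notes"]))
```

Point it at the full analysis.log of a run and the notes give the list of pids whose API trace should not be trusted as complete before reading the behaviour summary.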

Machine

Name        Label       Manager   Started On            Shutdown On
win7x64_4   win7x64_8   KVM       2020-06-05 14:04:56   2020-06-05 14:12:22

File Details

File Name Catalogue.exe
File Size 131072 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2009-08-14 17:30:54
MD5 0281699d16d6466c44df867bc0009d56
SHA1 b32687fb6dd5713583089016afb8e412fa73b29b
SHA256 d7e975690cea31ddff67f92f89ee45cf24f09d9e3f7e91b8f3ee6305d23e52d5
SHA512 fa0c7b0fe45877132f3116e5eaeda1e3005127d889200e8f64b542c4feb5a99634309bfa615a7316f97da49e575f3fab43bd975f7dafc23a9c13490505820282
CRC32 59540978
Ssdeep 3072:jWfEcuDynDs19hjEkjHotk3PV55hkXuq3pKXE9LKzp:SscuDYs1PvjIS3PV6UE9+

Signatures

Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2088 triggered the Yara rule 'shellcode_patterns'
Hit: PID 2088 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 2088 triggered the Yara rule 'HeavensGate'
Hit: PID 2088 triggered the Yara rule 'GuLoader'
Hit: PID 3428 triggered the Yara rule 'shellcode_get_eip'
Creates RWX memory
NtSetInformationThread: attempt to hide thread from debugger
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: asycfilt.dll/FilterCreateInstance
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: kernel32.dll/IsTNT
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: asycfilt.dll/FilterCreateInstance
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
Reads data out of its own binary image
self_read: process: Catalogue.exe, pid: 3216, offset: 0x00000000, length: 0x00020000
CAPE extracted potentially suspicious content
filename1.exe: Unpacked Shellcode
filename1.exe: GuLoader
Catalogue.exe: Injected PE Image: 32-bit executable
Catalogue.exe: Unpacked Shellcode
Catalogue.exe: Unpacked Shellcode
filename1.exe: Unpacked Shellcode
Catalogue.exe: Injected PE Image: 32-bit DLL
Catalogue.exe: Injected PE Image: 32-bit DLL
Unconventional language used in binary resources: Chinese (Traditional)
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.45, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0001c000, virtual_size: 0x0001bcf0
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\Catalogue.exe
Behavioural detection: Injection (Process Hollowing)
Injection: Catalogue.exe(3428) -> Catalogue.exe(3216)
Executed a process and injected code into it, probably while unpacking
Injection: Catalogue.exe(3428) -> Catalogue.exe(3216)
Behavioural detection: Injection (inter-process)
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key
data: C:\Users\Louise\AppData\Local\Temp\subfolder1\filename1.vbs
Network activity detected but not expressed in API logs
File has been identified by 23 Antiviruses on VirusTotal as malicious
Bkav: HW32.Packed.
McAfee: Fareit-FST!0281699D16D6
Cylance: Unsafe
Sangfor: Malware
Alibaba: Trojan:Win32/Fareit.dcb6edd2
CrowdStrike: win/malicious_confidence_80% (W)
TrendMicro: TROJ_FRS.VSNTF420
BitDefenderTheta: Gen:[email protected]@bkb
TrendMicro-HouseCall: TROJ_FRS.VSNTF420
Kaspersky: UDS:DangerousObject.Multi.Generic
Paloalto: generic.ml
Endgame: malicious (high confidence)
McAfee-GW-Edition: BehavesLike.Win32.VBObfus.ch
SentinelOne: DFI - Suspicious PE
Trapmine: malicious.moderate.ml.score
APEX: Malicious
Avira: TR/Injector.fxnps
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Microsoft: PWS:Win32/Fareit.AB!MTB
Malwarebytes: Trojan.GuLoader
ESET-NOD32: a variant of Win32/Injector.EMGU
Rising: Downloader.Guloader!1.C738 (CLOUD)
AVG: FileRepMetagen [Malware]
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - RigEK
signature: ET JA3 Hash - Possible Malware - Various Eitest

Hosts

Direct   IP             Country Name
Y        8.8.8.8        United States
Y        52.114.7.38    Hong Kong
Y        13.107.42.23   United States

DNS

No domains contacted.


Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\Catalogue.exe.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Users\Louise\AppData\Local\Temp\~DFDD8428D7D6FCF1CD.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Users\Louise\AppData\Local\Temp
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp\subfolder1
C:\Windows\SysWOW64\shell32.dll
C:\Users\Louise\AppData\Local\Temp\Catalogue.exe
C:\Users\Louise\AppData\Local\Temp\subfolder1\filename1.exe
\??\MountPointManager
C:\Users\Louise\AppData\Local\Temp\subfolder1\filename1.vbs
C:\Users\Louise\AppData\Local\Temp\subfolder1\filename1.exe.cfg
C:\Users\Louise\AppData\Local\Temp\~DFC4B2906AECFB6DD9.TMP
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\~DFDD8428D7D6FCF1CD.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Windows\SysWOW64\shell32.dll
C:\Users\Louise\AppData\Local\Temp\Catalogue.exe
C:\Users\Louise\AppData\Local\Temp\~DFC4B2906AECFB6DD9.TMP
C:\Users\Louise\AppData\Local\Temp\~DFDD8428D7D6FCF1CD.TMP
C:\Users\Louise\AppData\Local\Temp\subfolder1\filename1.exe
C:\Users\Louise\AppData\Local\Temp\subfolder1\filename1.vbs
C:\Users\Louise\AppData\Local\Temp\~DFC4B2906AECFB6DD9.TMP
C:\Users\Louise\AppData\Local\Temp\~DFC4B2906AECFB6DD9.TMP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\Catalogue.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Catalogue.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Catalogue.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
asycfilt.dll.FilterCreateInstance
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.NlsGetCacheUpdateCount
kernel32.dll.GetCalendarInfoW
version.dll.VerQueryValueA
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoInitializeEx
ole32.dll.CreateBindCtx
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#320
ole32.dll.StringFromGUID2
comctl32.dll.#324
comctl32.dll.#323
advapi32.dll.RegEnumKeyW
oleaut32.dll.#2
ole32.dll.CoUninitialize
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
ntdll.dll.EtwUnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
"C:\Users\Louise\AppData\Local\Temp\Catalogue.exe"
"C:\Users\Louise\AppData\Local\Temp\subfolder1\filename1.exe"
C:\Users\Louise\AppData\Local\Temp\subfolder1\filename1.exe

PE Information

Image Base 0x00400000
Entry Point 0x00401564
Reported Checksum 0x0002fa2c
Actual Checksum 0x0002fa2c
Minimum OS Version 4.0
Compile Time 2009-08-14 17:30:54
Import Hash 1fdb9226aae9b71cf5516a5bb8a96bc5
Icon Exact Hash 83f3aab6c908e4b7959ab31087e2ffc3
Icon Similarity Hash 90776f0f4fac42977346fa32761d845f

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x0001bcf0 0x0001c000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.45
.data 0x0001d000 0x0001d000 0x00000aa8 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x0001e000 0x0001e000 0x000015cc 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.13

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x0001e414 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.98 None
RT_ICON 0x0001e414 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.98 None
RT_ICON 0x0001e414 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.98 None
RT_GROUP_ICON 0x0001e3e4 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 3.07 None
RT_VERSION 0x0001e150 0x00000294 LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 3.27 None

Imports

0x401000 _CIcos
0x401004 _adj_fptan
0x401008 None
0x40100c __vbaFreeVar
0x401010 __vbaStrVarMove
0x401014 __vbaFreeVarList
0x401018 __vbaEnd
0x40101c None
0x401020 _adj_fdiv_m64
0x401024 __vbaFreeObjList
0x401028 None
0x40102c None
0x401030 _adj_fprem1
0x401034 None
0x401038 None
0x40103c __vbaStrCat
0x401040 None
0x401048 None
0x40104c _adj_fdiv_m32
0x401050 None
0x401054 None
0x401058 __vbaAryDestruct
0x40105c None
0x401060 __vbaObjSet
0x401064 _adj_fdiv_m16i
0x401068 None
0x40106c _adj_fdivr_m16i
0x401070 None
0x401074 None
0x401078 None
0x40107c __vbaFPFix
0x401080 None
0x401084 __vbaFpR8
0x401088 _CIsin
0x40108c None
0x401090 None
0x401094 None
0x401098 __vbaChkstk
0x40109c EVENT_SINK_AddRef
0x4010a4 __vbaStrCmp
0x4010a8 __vbaVarTstEq
0x4010ac __vbaR4Str
0x4010b0 None
0x4010b4 None
0x4010b8 _adj_fpatan
0x4010bc __vbaRedim
0x4010c0 None
0x4010c4 EVENT_SINK_Release
0x4010c8 None
0x4010cc __vbaUI1I2
0x4010d0 _CIsqrt
0x4010d8 __vbaExceptHandler
0x4010dc _adj_fprem
0x4010e0 _adj_fdivr_m64
0x4010e4 None
0x4010e8 __vbaFPException
0x4010ec None
0x4010f0 _CIlog
0x4010f4 None
0x4010f8 None
0x4010fc __vbaNew2
0x401100 __vbaR8Str
0x401104 _adj_fdiv_m32i
0x401108 _adj_fdivr_m32i
0x40110c __vbaStrCopy
0x401110 None
0x401114 __vbaVarSetObj
0x401118 None
0x40111c __vbaI4Str
0x401120 __vbaFreeStrList
0x401124 _adj_fdivr_m32
0x401128 _adj_fdiv_r
0x40112c None
0x401130 None
0x401134 __vbaVarDup
0x401138 None
0x40113c None
0x401140 None
0x401144 None
0x401148 _CIatan
0x40114c __vbaStrMove
0x401150 None
0x401154 None
0x401158 None
0x40115c _allmul
0x401160 None
0x401164 _CItan
0x401168 None
0x40116c _CIexp
0x401170 __vbaFreeStr
0x401174 __vbaFreeObj

Full Results

Engine: Signature | Engine: Signature | Engine: Signature
Bkav: HW32.Packed. | MicroWorld-eScan: Clean | CMC: Clean
CAT-QuickHeal: Clean | McAfee: Fareit-FST!0281699D16D6 | Cylance: Unsafe
Zillya: Clean | SUPERAntiSpyware: Clean | Sangfor: Malware
K7AntiVirus: Clean | Alibaba: Trojan:Win32/Fareit.dcb6edd2 | K7GW: Clean
CrowdStrike: win/malicious_confidence_80% (W) | TrendMicro: TROJ_FRS.VSNTF420 | BitDefenderTheta: Gen:[email protected]@bkb
Cyren: Clean | Symantec: Clean | TotalDefense: Clean
Baidu: Clean | TrendMicro-HouseCall: TROJ_FRS.VSNTF420 | Avast: Clean
ClamAV: Clean | Kaspersky: UDS:DangerousObject.Multi.Generic | BitDefender: Clean
NANO-Antivirus: Clean | Paloalto: generic.ml | AegisLab: Clean
Tencent: Clean | Endgame: malicious (high confidence) | Comodo: Clean
F-Secure: Clean | DrWeb: Clean | VIPRE: Clean
Invincea: Clean | McAfee-GW-Edition: BehavesLike.Win32.VBObfus.ch | SentinelOne: DFI - Suspicious PE
Trapmine: malicious.moderate.ml.score | FireEye: Clean | Sophos: Clean
APEX: Malicious | F-Prot: Clean | Jiangmin: Clean
Webroot: Clean | Avira: TR/Injector.fxnps | Fortinet: Clean
Antiy-AVL: Clean | Kingsoft: Clean | Arcabit: Clean
ViRobot: Clean | ZoneAlarm: UDS:DangerousObject.Multi.Generic | Avast-Mobile: Clean
Microsoft: PWS:Win32/Fareit.AB!MTB | TACHYON: Clean | AhnLab-V3: Clean
Acronis: Clean | VBA32: Clean | ALYac: Clean
MAX: Clean | Ad-Aware: Clean | Malwarebytes: Trojan.GuLoader
Zoner: Clean | ESET-NOD32: a variant of Win32/Injector.EMGU | Rising: Downloader.Guloader!1.C738 (CLOUD)
Yandex: Clean | Ikarus: Clean | eGambit: Clean
GData: Clean | AVG: FileRepMetagen [Malware] | Cybereason: Clean
Panda: Clean | Qihoo-360: Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 52.114.7.38 Hong Kong
Y 13.107.42.23 United States

TCP

Source Source Port Destination Destination Port
192.168.1.9 49173 13.107.42.23 443
192.168.1.9 49175 13.107.42.23 443
192.168.1.9 49197 13.107.42.23 443
192.168.1.9 20674 52.114.7.38 33136
192.168.1.9 30098 52.114.7.38 63525
192.168.1.9 8355 52.114.7.38 17996
192.168.1.9 22582 52.114.7.38 45037
192.168.1.9 49193 52.158.209.219 443
192.168.1.9 49195 93.184.221.240 80

UDP

Source Source Port Destination Destination Port
192.168.1.9 137 192.168.1.255 137
192.168.1.9 51751 8.8.8.8 53
192.168.1.9 53599 8.8.8.8 53
192.168.1.9 54609 8.8.8.8 53
192.168.1.9 55233 8.8.8.8 53
192.168.1.9 55319 8.8.8.8 53
192.168.1.9 59058 8.8.8.8 53
192.168.1.9 59225 8.8.8.8 53
192.168.1.9 64674 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-05 14:08:57.916 192.168.1.9 49172 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:08:58.653 192.168.1.9 49174 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:08:58.655 192.168.1.9 49173 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:08:58.776 192.168.1.9 49175 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:08:58.776 192.168.1.9 49176 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:09:39.512 192.168.1.9 49193 52.158.209.219 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3
2020-06-05 14:12:16.252 192.168.1.9 49197 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:12:16.499 192.168.1.9 49198 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-05 14:08:57.916 192.168.1.9 49172 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:08:58.655 192.168.1.9 49174 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:08:58.851 192.168.1.9 49176 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:08:58.895 192.168.1.9 49173 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:08:58.935 192.168.1.9 49175 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:09:39.671 192.168.1.9 49193 52.158.209.219 443 CN=watson.microsoft.com e1:6a:52:eb:a9:ec:f3:58:ca:9a:f9:fb:05:f8:bf:38:d8:76:1d:50 TLSv1
2020-06-05 14:10:31.737 192.168.1.9 49194 52.114.7.38 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2
2020-06-05 14:12:16.380 192.168.1.9 49197 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:12:16.624 192.168.1.9 49198 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-06-05 14:10:34.151 192.168.1.9 49195 93.184.221.240 80 200 ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?46c58957ce829b9f application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 6894
2020-06-05 14:10:35.073 192.168.1.9 49196 93.184.220.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.9 49172 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49173 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49174 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49175 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49197 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49198 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49194 52.114.7.38 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49193 52.158.209.219 443 bafc6b01eae6f4350f5db6805ace208e unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name explorer.exe
PID 1436
Dump Size 3229696 bytes
Module Path C:\Windows\explorer.exe
Type PE image: 64-bit executable
PE timestamp 2016-08-29 15:04:30
MD5 d32f5ebdd67490347b57da1bacea613f
SHA1 7499ffdaf83d7fd1fc59f080bf40ea85e0d69660
SHA256 b3923b80f28b9e01a9d10977a87e475af47a6b62b736d1bf7ca516851561e8f6
CRC32 68D97876
Ssdeep 98304:OAQexfNvYYYYYYYYYYYRYYYYYYYYYYE3ia0eojk221:OAQexfNl3r7ojk22
Dump Filename b3923b80f28b9e01a9d10977a87e475af47a6b62b736d1bf7ca516851561e8f6

Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_entropy

Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

Persistence
  • T1060 - Registry Run Keys / Startup Folder
    • Signature - persistence_autorun

    Processing ( 8.468 seconds )

    • 5.205 Suricata
    • 1.371 CAPE
    • 0.814 BehaviorAnalysis
    • 0.391 VirusTotal
    • 0.292 NetworkAnalysis
    • 0.191 ProcDump
    • 0.116 Static
    • 0.029 Deduplicate
    • 0.018 AnalysisInfo
    • 0.017 peid
    • 0.013 TargetInfo
    • 0.004 Debug
    • 0.004 Dropped
    • 0.003 Strings

    Signatures ( 1.2199999999999978 seconds )

    • 0.866 antidbg_windows
    • 0.047 antiav_detectreg
    • 0.036 antivm_vbox_window
    • 0.028 antisandbox_script_timer
    • 0.025 stealth_timeout
    • 0.022 decoy_document
    • 0.02 api_spamming
    • 0.018 NewtWire Behavior
    • 0.018 infostealer_ftp
    • 0.017 territorial_disputes_sigs
    • 0.012 ransomware_files
    • 0.01 antianalysis_detectreg
    • 0.01 infostealer_im
    • 0.007 antiav_detectfile
    • 0.007 ransomware_extensions
    • 0.005 antivm_vbox_keys
    • 0.005 infostealer_mail
    • 0.004 persistence_autorun
    • 0.004 antianalysis_detectfile
    • 0.004 infostealer_bitcoin
    • 0.004 masquerade_process_name
    • 0.003 antivm_vmware_keys
    • 0.002 Doppelganging
    • 0.002 InjectionCreateRemoteThread
    • 0.002 antivm_generic_disk
    • 0.002 exec_crash
    • 0.002 kibex_behavior
    • 0.002 mimics_filetime
    • 0.002 antivm_parallels_keys
    • 0.002 antivm_vbox_files
    • 0.002 antivm_xen_keys
    • 0.002 geodo_banking_trojan
    • 0.001 InjectionInterProcess
    • 0.001 antidebug_guardpages
    • 0.001 antiemu_wine_func
    • 0.001 antivm_generic_scsi
    • 0.001 antivm_vbox_libs
    • 0.001 betabot_behavior
    • 0.001 bootkit
    • 0.001 dynamic_function_loading
    • 0.001 hancitor_behavior
    • 0.001 hawkeye_behavior
    • 0.001 infostealer_browser_password
    • 0.001 injection_createremotethread
    • 0.001 kovter_behavior
    • 0.001 malicious_dynamic_function_loading
    • 0.001 reads_self
    • 0.001 shifu_behavior
    • 0.001 stealth_file
    • 0.001 tinba_behavior
    • 0.001 virus
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_vpc_keys
    • 0.001 ketrican_regkeys
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 qulab_files
    • 0.001 revil_mutexes
    • 0.001 recon_fingerprint

    Reporting ( 10.582 seconds )

    • 10.529 BinGraph
    • 0.035 MITRE_TTPS
    • 0.018 PCAP2CERT