Analysis

Category: FILE
Package: dll
Started: 2020-06-05 14:52:15
Completed: 2020-06-05 14:58:32
Duration: 377 seconds
Options: procdump = yes
Log:
2020-05-13 09:30:50,438 [root] INFO: Date set to: 20200605T14:52:14, timeout set to: 200
2020-06-05 14:52:14,062 [root] DEBUG: Starting analyzer from: C:\tmplodztmkc
2020-06-05 14:52:14,062 [root] DEBUG: Storing results at: C:\SMThxbDVrT
2020-06-05 14:52:14,062 [root] DEBUG: Pipe server name: \\.\PIPE\zumbIYaBza
2020-06-05 14:52:14,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-05 14:52:14,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-05 14:52:14,062 [root] INFO: Automatically selected analysis package "dll"
2020-06-05 14:52:14,062 [root] DEBUG: Trying to import analysis package "dll"...
2020-06-05 14:52:14,125 [root] DEBUG: Imported analysis package "dll".
2020-06-05 14:52:14,125 [root] DEBUG: Trying to initialize analysis package "dll"...
2020-06-05 14:52:14,125 [root] DEBUG: Initialized analysis package "dll".
2020-06-05 14:52:14,437 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 14:52:14,437 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 14:52:14,437 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 14:52:14,531 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 14:52:14,531 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 14:52:14,578 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 14:52:14,578 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 14:52:14,671 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 14:52:14,671 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 14:52:14,765 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 14:52:14,765 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 14:52:14,843 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 14:52:14,843 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 14:52:14,921 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 14:52:14,921 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 14:52:14,921 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 14:52:14,921 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 14:52:14,921 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 14:52:14,921 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 14:52:14,921 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 14:52:14,921 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 14:52:16,296 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 14:52:16,328 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 14:52:16,359 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 14:52:16,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 14:52:16,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 14:52:16,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 14:52:16,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 14:52:16,390 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 14:52:16,390 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 14:52:16,390 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 14:52:16,390 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 14:52:16,390 [root] DEBUG: Started auxiliary module Browser
2020-06-05 14:52:16,390 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 14:52:16,390 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 14:52:16,390 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 14:52:16,390 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 14:52:16,390 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 14:52:16,390 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 14:52:16,390 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 14:52:16,390 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 14:52:17,125 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 14:52:17,140 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 14:52:17,140 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 14:52:17,140 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 14:52:17,140 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 14:52:17,140 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 14:52:17,156 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 14:52:17,156 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 14:52:17,156 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 14:52:17,156 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 14:52:17,156 [root] DEBUG: Started auxiliary module Human
2020-06-05 14:52:17,156 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 14:52:17,156 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 14:52:17,156 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 14:52:17,171 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 14:52:17,171 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 14:52:17,171 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 14:52:17,171 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 14:52:17,171 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 14:52:17,171 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 14:52:17,171 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 14:52:17,171 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 14:52:17,171 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 14:52:17,171 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 14:52:17,171 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 14:52:17,171 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 14:52:17,171 [root] DEBUG: Started auxiliary module Usage
2020-06-05 14:52:17,171 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2020-06-05 14:52:17,171 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2020-06-05 14:52:17,171 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2020-06-05 14:52:17,171 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2020-06-05 14:52:17,203 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\sysnative\rundll32.exe" with arguments ""C:\Users\Louise\AppData\Local\Temp\farpay.dll",#1" with pid 3512
2020-06-05 14:52:17,203 [lib.api.process] INFO: Monitor config for process 3512: C:\tmplodztmkc\dll\3512.ini
2020-06-05 14:52:17,203 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:52:17,203 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\UWdKJdSB.dll, loader C:\tmplodztmkc\bin\EMEjWWxN.exe
2020-06-05 14:52:17,281 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zumbIYaBza.
2020-06-05 14:52:17,281 [root] DEBUG: Loader: Injecting process 3512 (thread 3548) with C:\tmplodztmkc\dll\UWdKJdSB.dll.
2020-06-05 14:52:17,296 [root] DEBUG: Process image base: 0x00000000FFFC0000
2020-06-05 14:52:17,296 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\UWdKJdSB.dll.
2020-06-05 14:52:17,296 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-05 14:52:17,296 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-05 14:52:17,546 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:52:17,546 [root] DEBUG: Process dumps disabled.
2020-06-05 14:52:17,546 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:52:17,562 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 3512 at 0x000000006F500000, image base 0x00000000FFFC0000, stack from 0x0000000000254000-0x0000000000260000
2020-06-05 14:52:17,562 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\sysnative\rundll32.exe" "C:\Users\Louise\AppData\Local\Temp\farpay.dll",#1.
2020-06-05 14:52:17,609 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-05 14:52:17,609 [root] WARNING: b'Unable to hook LockResource'
2020-06-05 14:52:17,640 [root] INFO: loaded: b'3512'
2020-06-05 14:52:17,640 [root] INFO: Loaded monitor into process with pid 3512
2020-06-05 14:52:17,656 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-05 14:52:17,656 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-05 14:52:17,671 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\UWdKJdSB.dll.
2020-06-05 14:52:19,703 [lib.api.process] INFO: Successfully resumed process with pid 3512
2020-06-05 14:52:21,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x8c amd local view 0x000000006F460000 to global list.
2020-06-05 14:52:21,109 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x20 amd local view 0x000000006F400000 to global list.
2020-06-05 14:52:21,125 [root] DEBUG: Target DLL loaded at 0x000000006F400000: C:\Users\Louise\AppData\Local\Temp\farpay.dll (0x51000 bytes).
2020-06-05 14:52:21,125 [root] DEBUG: set_caller_info: Adding region at 0x000000006F400000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-05 14:52:21,125 [root] DEBUG: set_caller_info: Calling region at 0x000000006F400000 skipped.
2020-06-05 14:52:21,140 [root] DEBUG: set_caller_info: Adding region at 0x00000000001B0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-05 14:52:21,203 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-06-05 14:52:21,203 [root] INFO: ('dump_file', 'C:\\SMThxbDVrT\\CAPE\\3512_3029873442152205562020', b'9;?C:\\Windows\\sysnative\\rundll32.exe;?C:\\Windows\\sysnative\\rundll32.exe;?0x00000000001B0000;?', ['3512'], 'CAPE')
2020-06-05 14:52:21,234 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\SMThxbDVrT\CAPE\3512_3029873442152205562020 (size 0x163f)
2020-06-05 14:52:21,234 [root] DEBUG: set_caller_info: Adding region at 0x00000000003F0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-05 14:52:21,249 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x4effff
2020-06-05 14:52:21,343 [root] INFO: ('dump_file', 'C:\\SMThxbDVrT\\CAPE\\3512_12737651462152205562020', b'9;?C:\\Windows\\sysnative\\rundll32.exe;?C:\\Windows\\sysnative\\rundll32.exe;?0x00000000003F0000;?', ['3512'], 'CAPE')
2020-06-05 14:52:21,406 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\SMThxbDVrT\CAPE\3512_12737651462152205562020 (size 0x63ffa)
2020-06-05 14:52:21,515 [root] DEBUG: DLL loaded at 0x000007FEFBEB0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2020-06-05 14:52:21,515 [root] DEBUG: DLL loaded at 0x000007FEFCB80000: C:\Windows\system32\profapi (0xf000 bytes).
2020-06-05 14:52:21,562 [root] DEBUG: DLL loaded at 0x000007FEFA9C0000: C:\Windows\system32\WTSAPI32 (0x11000 bytes).
2020-06-05 14:52:21,625 [root] DEBUG: DLL loaded at 0x000007FEF6C10000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2020-06-05 14:52:21,625 [root] DEBUG: DLL loaded at 0x000007FEF6BA0000: C:\Windows\system32\webio (0x65000 bytes).
2020-06-05 14:52:22,671 [root] DEBUG: set_caller_info: Adding region at 0x0000000000110000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-05 14:52:22,671 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x0000000000110000.
2020-06-05 14:52:23,750 [root] DEBUG: set_caller_info: Adding region at 0x0000000000050000 to caller regions list (advapi32::GetUserNameW).
2020-06-05 14:52:23,796 [root] INFO: ('dump_file', 'C:\\SMThxbDVrT\\CAPE\\3512_10954627282352205562020', b'9;?C:\\Windows\\sysnative\\rundll32.exe;?C:\\Windows\\sysnative\\rundll32.exe;?0x0000000000050000;?', ['3512'], 'CAPE')
2020-06-05 14:52:23,843 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\SMThxbDVrT\CAPE\3512_10954627282352205562020 (size 0x3f)
2020-06-05 14:52:23,843 [root] DEBUG: DumpRegion: Dumped stack region from 0x0000000000050000, size 0x1000.
2020-06-05 14:52:24,046 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 248, handle 0xcc.
2020-06-05 14:52:24,046 [root] DEBUG: OpenProcessHandler: Image base for process 248 (handle 0xcc): 0x0000000048200000.
2020-06-05 14:52:24,046 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 328, handle 0xcc.
2020-06-05 14:52:24,046 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 376, handle 0xcc.
2020-06-05 14:52:24,046 [root] DEBUG: OpenProcessHandler: Image base for process 376 (handle 0xcc): 0x00000000FF140000.
2020-06-05 14:52:24,062 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 384, handle 0xcc.
2020-06-05 14:52:24,062 [root] DEBUG: OpenProcessHandler: Image base for process 384 (handle 0xcc): 0x0000000049830000.
2020-06-05 14:52:24,062 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 412, handle 0xcc.
2020-06-05 14:52:24,062 [root] DEBUG: OpenProcessHandler: Image base for process 412 (handle 0xcc): 0x00000000FFE60000.
2020-06-05 14:52:24,062 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 472, handle 0xcc.
2020-06-05 14:52:24,062 [root] DEBUG: OpenProcessHandler: Image base for process 472 (handle 0xcc): 0x00000000FF540000.
2020-06-05 14:52:24,062 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 480, handle 0xcc.
2020-06-05 14:52:24,078 [root] DEBUG: OpenProcessHandler: Image base for process 480 (handle 0xcc): 0x00000000FFA50000.
2020-06-05 14:52:24,078 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 488, handle 0xcc.
2020-06-05 14:52:24,078 [root] DEBUG: OpenProcessHandler: Image base for process 488 (handle 0xcc): 0x00000000FFD60000.
2020-06-05 14:52:24,078 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 592, handle 0xcc.
2020-06-05 14:52:24,078 [root] DEBUG: OpenProcessHandler: Image base for process 592 (handle 0xcc): 0x00000000FFAF0000.
2020-06-05 14:52:24,078 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 672, handle 0xcc.
2020-06-05 14:52:24,093 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 768, handle 0xcc.
2020-06-05 14:52:24,093 [root] DEBUG: OpenProcessHandler: Image base for process 768 (handle 0xcc): 0x00000000FFAF0000.
2020-06-05 14:52:24,093 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 800, handle 0xcc.
2020-06-05 14:52:24,093 [root] DEBUG: OpenProcessHandler: Image base for process 800 (handle 0xcc): 0x00000000FFAF0000.
2020-06-05 14:52:24,093 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 824, handle 0xcc.
2020-06-05 14:52:24,093 [root] DEBUG: OpenProcessHandler: Image base for process 824 (handle 0xcc): 0x00000000FFAF0000.
2020-06-05 14:52:24,109 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 848, handle 0xcc.
2020-06-05 14:52:24,109 [root] DEBUG: OpenProcessHandler: Image base for process 848 (handle 0xcc): 0x00000000FFAF0000.
2020-06-05 14:52:24,109 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 320, handle 0xcc.
2020-06-05 14:52:24,109 [root] DEBUG: OpenProcessHandler: Image base for process 320 (handle 0xcc): 0x00000000FFAF0000.
2020-06-05 14:52:24,109 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 308, handle 0xcc.
2020-06-05 14:52:24,109 [root] DEBUG: OpenProcessHandler: Image base for process 308 (handle 0xcc): 0x00000000FF910000.
2020-06-05 14:52:24,125 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1028, handle 0xcc.
2020-06-05 14:52:24,125 [root] DEBUG: OpenProcessHandler: Image base for process 1028 (handle 0xcc): 0x00000000FFDE0000.
2020-06-05 14:52:24,125 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1100, handle 0xcc.
2020-06-05 14:52:24,125 [root] DEBUG: OpenProcessHandler: Image base for process 1100 (handle 0xcc): 0x00000000FFAF0000.
2020-06-05 14:52:24,125 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1264, handle 0xcc.
2020-06-05 14:52:24,125 [root] DEBUG: OpenProcessHandler: Image base for process 1264 (handle 0xcc): 0x000000013FD10000.
2020-06-05 14:52:24,125 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1344, handle 0xcc.
2020-06-05 14:52:24,125 [root] DEBUG: OpenProcessHandler: Image base for process 1344 (handle 0xcc): 0x00000000FF480000.
2020-06-05 14:52:24,140 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1352, handle 0xcc.
2020-06-05 14:52:24,140 [root] DEBUG: OpenProcessHandler: Image base for process 1352 (handle 0xcc): 0x0000000000B10000.
2020-06-05 14:52:24,140 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1428, handle 0xcc.
2020-06-05 14:52:24,140 [root] DEBUG: OpenProcessHandler: Image base for process 1428 (handle 0xcc): 0x00000000FF360000.
2020-06-05 14:52:24,140 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1436, handle 0xcc.
2020-06-05 14:52:24,140 [root] DEBUG: OpenProcessHandler: Image base for process 1436 (handle 0xcc): 0x00000000FFE40000.
2020-06-05 14:52:24,140 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1608, handle 0xcc.
2020-06-05 14:52:24,140 [root] DEBUG: OpenProcessHandler: Image base for process 1608 (handle 0xcc): 0x00000000FFAF0000.
2020-06-05 14:52:24,156 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1972, handle 0xcc.
2020-06-05 14:52:24,156 [root] DEBUG: OpenProcessHandler: Image base for process 1972 (handle 0xcc): 0x00000000FFAF0000.
2020-06-05 14:52:24,156 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1636, handle 0xcc.
2020-06-05 14:52:24,156 [root] DEBUG: OpenProcessHandler: Image base for process 1636 (handle 0xcc): 0x00000000012E0000.
2020-06-05 14:52:24,156 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2108, handle 0xcc.
2020-06-05 14:52:24,171 [root] DEBUG: OpenProcessHandler: Image base for process 2108 (handle 0xcc): 0x00000000FF560000.
2020-06-05 14:52:24,171 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2776, handle 0xcc.
2020-06-05 14:52:24,171 [root] DEBUG: OpenProcessHandler: Image base for process 2776 (handle 0xcc): 0x00000000010D0000.
2020-06-05 14:52:24,171 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2836, handle 0xcc.
2020-06-05 14:52:24,171 [root] DEBUG: OpenProcessHandler: Image base for process 2836 (handle 0xcc): 0x000000013F440000.
2020-06-05 14:52:24,171 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3196, handle 0xcc.
2020-06-05 14:52:24,171 [root] DEBUG: OpenProcessHandler: Image base for process 3196 (handle 0xcc): 0x00000000FF330000.
2020-06-05 14:52:24,171 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1076, handle 0xcc.
2020-06-05 14:52:24,187 [root] DEBUG: OpenProcessHandler: Image base for process 1076 (handle 0xcc): 0x0000000001220000.
2020-06-05 14:52:24,187 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 5104, handle 0xcc.
2020-06-05 14:52:24,187 [root] DEBUG: OpenProcessHandler: Image base for process 5104 (handle 0xcc): 0x00000000FF480000.
2020-06-05 14:52:24,187 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4468, handle 0xcc.
2020-06-05 14:52:24,203 [root] DEBUG: OpenProcessHandler: Image base for process 4468 (handle 0xcc): 0x00000000FFF10000.
2020-06-05 14:52:24,203 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2548, handle 0xcc.
2020-06-05 14:52:24,203 [root] DEBUG: OpenProcessHandler: Image base for process 2548 (handle 0xcc): 0x0000000001220000.
2020-06-05 14:52:24,218 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3512, handle 0xcc.
2020-06-05 14:52:24,218 [root] DEBUG: OpenProcessHandler: Image base for process 3512 (handle 0xcc): 0x00000000FFFC0000.
2020-06-05 14:52:24,484 [root] DEBUG: DLL loaded at 0x000007FEFED20000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2020-06-05 14:52:24,484 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\NSI (0x8000 bytes).
2020-06-05 14:52:24,812 [root] DEBUG: DLL unloaded from 0x0000000076BC0000.
2020-06-05 14:52:24,859 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\cryptsp (0x18000 bytes).
2020-06-05 14:52:24,937 [root] DEBUG: DLL loaded at 0x000007FEFC000000: C:\Windows\system32\credssp (0xa000 bytes).
2020-06-05 14:52:24,968 [root] DEBUG: DLL unloaded from 0x000007FEFC3B0000.
2020-06-05 14:52:25,109 [root] DEBUG: DLL loaded at 0x000007FEFC350000: C:\Windows\system32\mswsock (0x55000 bytes).
2020-06-05 14:52:25,218 [root] DEBUG: DLL loaded at 0x000007FEFBDA0000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2020-06-05 14:52:25,234 [root] DEBUG: DLL loaded at 0x000007FEFC340000: C:\Windows\System32\wship6 (0x7000 bytes).
2020-06-05 14:52:25,234 [root] DEBUG: DLL loaded at 0x000007FEFC1D0000: C:\Windows\system32\DNSAPI (0x5b000 bytes).
2020-06-05 14:52:25,281 [root] DEBUG: DLL loaded at 0x000007FEFA850000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2020-06-05 14:52:25,296 [root] DEBUG: DLL loaded at 0x000007FEFA840000: C:\Windows\system32\WINNSI (0xb000 bytes).
2020-06-05 14:52:25,328 [root] DEBUG: DLL loaded at 0x000007FEF9B40000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2020-06-05 14:52:39,640 [root] DEBUG: DLL loaded at 0x000007FEFA560000: C:\Windows\system32\dhcpcsvc6 (0x11000 bytes).
2020-06-05 14:52:39,656 [root] DEBUG: DLL loaded at 0x000007FEFA4E0000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2020-06-05 14:52:39,765 [root] DEBUG: DLL unloaded from 0x0000000076DE0000.
2020-06-05 14:52:39,984 [root] DEBUG: DLL loaded at 0x000007FEFCC50000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2020-06-05 14:52:40,281 [root] DEBUG: GetHookCallerBase: thread 3548 (handle 0x0), return address 0x00000000FFFC2F6B, allocation base 0x00000000FFFC0000.
2020-06-05 14:52:40,296 [root] DEBUG: DLL unloaded from 0x000000006F400000.
2020-06-05 14:52:40,296 [root] DEBUG: DLL unloaded from 0x000007FEF8950000.
2020-06-05 14:52:40,296 [root] DEBUG: DLL unloaded from 0x0000000076BC0000.
2020-06-05 14:52:40,296 [root] DEBUG: DLL unloaded from 0x000007FEF8950000.
2020-06-05 14:52:40,296 [root] DEBUG: DLL unloaded from 0x0000000076BC0000.
2020-06-05 14:52:40,296 [root] DEBUG: DLL unloaded from 0x000007FEFC000000.
2020-06-05 14:52:40,718 [root] DEBUG: DLL unloaded from 0x000007FEFED70000.
2020-06-05 14:52:40,718 [root] WARNING: Unable to open termination event for pid 3512.
2020-06-05 14:55:39,875 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 14:55:39,875 [lib.api.process] ERROR: Failed to open terminate event for pid 3512
2020-06-05 14:55:39,875 [root] INFO: Terminate event set for process 3512.
2020-06-05 14:55:39,875 [root] INFO: Created shutdown mutex.
2020-06-05 14:55:40,875 [root] INFO: Shutting down package.
2020-06-05 14:55:40,875 [root] INFO: Stopping auxiliary modules.
2020-06-05 14:55:41,000 [lib.common.results] WARNING: File C:\SMThxbDVrT\bin\procmon.xml doesn't exist anymore
2020-06-05 14:55:41,000 [root] INFO: Finishing auxiliary modules.
2020-06-05 14:55:41,000 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 14:55:41,000 [root] WARNING: Folder at path "C:\SMThxbDVrT\debugger" does not exist, skip.
2020-06-05 14:55:41,000 [root] INFO: Analysis completed.
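The analyzer log above is verbose but regular: one timestamped line per event, and the facts an analyst triages first (which process was spawned and with what arguments, whether the monitor had to fall back from IAT patching to thread injection, which modules the sample pulled in, which memory regions CAPE dumped, and which other PIDs the sample opened handles to) each have a fixed message shape. The parser below is an added example, not part of CAPE or of this report; it recognises those shapes with regular expressions and reduces a pasted log to a summary. The embedded sample is a constructed excerpt of the lines shown above, and the module name list used to flag networking DLLs is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the analyzer log in the report (same line format,
# a handful of representative lines, not the complete capture).
SAMPLE_LOG = """\
2020-06-05 14:52:17,203 [lib.api.process] INFO: Successfully executed process from path "C:\\Windows\\sysnative\\rundll32.exe" with arguments ""C:\\Users\\Louise\\AppData\\Local\\Temp\\farpay.dll",#1" with pid 3512
2020-06-05 14:52:17,296 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-05 14:52:17,296 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-05 14:52:21,125 [root] DEBUG: Target DLL loaded at 0x000000006F400000: C:\\Users\\Louise\\AppData\\Local\\Temp\\farpay.dll (0x51000 bytes).
2020-06-05 14:52:21,203 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\\Windows\\system32\\cryptbase (0xf000 bytes).
2020-06-05 14:52:21,234 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\\SMThxbDVrT\\CAPE\\3512_3029873442152205562020 (size 0x163f)
2020-06-05 14:52:21,625 [root] DEBUG: DLL loaded at 0x000007FEF6C10000: C:\\Windows\\system32\\WINHTTP (0x71000 bytes).
2020-06-05 14:52:24,046 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 248, handle 0xcc.
2020-06-05 14:52:24,218 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3512, handle 0xcc.
2020-06-05 14:52:24,484 [root] DEBUG: DLL loaded at 0x000007FEFED20000: C:\\Windows\\system32\\WS2_32 (0x4d000 bytes).
2020-06-05 14:55:39,875 [root] INFO: Analysis timeout hit, terminating analysis.
"""

# One regex per message shape we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r"\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
EXEC_RE = re.compile(
    r'Successfully executed process from path "(?P<path>[^"]+)" '
    r'with arguments "(?P<args>.*)" with pid (?P<pid>\d+)$'
)
DLL_RE = re.compile(
    r"^(?P<target>Target )?DLL loaded at (?P<base>0x[0-9A-Fa-f]+): "
    r"(?P<path>.+?) \((?P<size>0x[0-9A-Fa-f]+) bytes\)\.$"
)
DUMP_RE = re.compile(
    r"CAPE output file successfully created: (?P<path>\S+) \(size (?P<size>0x[0-9A-Fa-f]+)\)"
)
OPENPROC_RE = re.compile(r"OpenProcessHandler: Injection info created for Pid (?P<pid>\d+)")

# Assumed list of modules whose load suggests network capability (example's own choice).
NETWORK_MODULES = {"WINHTTP", "WEBIO", "WS2_32", "WININET", "DNSAPI", "MSWSOCK"}


@dataclass
class LoadedModule:
    ts: str
    base: int
    path: str
    size: int
    is_target: bool

    @property
    def name(self) -> str:
        # CAPE logs system DLLs without extension (e.g. "cryptbase"), the target with it.
        return self.path.rsplit("\\", 1)[-1]


@dataclass
class AnalysisSummary:
    target: dict = field(default_factory=dict)      # path / args / pid of the spawned process
    modules: list = field(default_factory=list)     # LoadedModule, in load order
    dumps: list = field(default_factory=list)       # (dump path, size) pairs
    opened_pids: list = field(default_factory=list) # PIDs the sample opened handles to
    injection_fallback: bool = False                # monitor fell back from IAT patching
    timed_out: bool = False                         # analysis ended by timeout, not exit


def parse_log(text: str) -> AnalysisSummary:
    s = AnalysisSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # tolerate report headers / option lines pasted alongside the log
        ts, msg = m["ts"], m["msg"]
        if (e := EXEC_RE.search(msg)):
            s.target = {"path": e["path"], "args": e["args"], "pid": int(e["pid"])}
        elif (d := DLL_RE.match(msg)):
            s.modules.append(LoadedModule(ts, int(d["base"], 16), d["path"],
                                          int(d["size"], 16), d["target"] is not None))
        elif (d := DUMP_RE.search(msg)):
            s.dumps.append((d["path"], int(d["size"], 16)))
        elif (o := OPENPROC_RE.search(msg)):
            s.opened_pids.append(int(o["pid"]))
        elif "IAT patching failed, falling back to thread injection" in msg:
            s.injection_fallback = True
        elif "Analysis timeout hit" in msg:
            s.timed_out = True
    return s


def foreign_process_handles(s: AnalysisSummary) -> list:
    """PIDs the sample opened other than its own: enumeration / injection candidates."""
    own = s.target.get("pid")
    return sorted({p for p in s.opened_pids if p != own})


def network_modules(s: AnalysisSummary) -> list:
    """Names of loaded modules that indicate network capability, in load order."""
    return [m.name for m in s.modules if m.name.upper() in NETWORK_MODULES]


if __name__ == "__main__":
    summary = parse_log(SAMPLE_LOG)
    print(summary.target)
    print([m.name for m in summary.modules], network_modules(summary))
    print("foreign handles:", foreign_process_handles(summary), "dumps:", summary.dumps)
```

Run against the complete log above rather than the excerpt, `foreign_process_handles` returns roughly forty PIDs, all opened within about 200 ms of each other right after USERENV and WTSAPI32 were loaded, which is the shape of a process walk rather than a single targeted injection; that is the kind of observation the raw line-by-line log makes easy to miss.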

Machine

Name: win7x64_4
Label: win7x64_8
Manager: KVM
Started On: 2020-06-05 14:52:15
Shutdown On: 2020-06-05 14:58:32

File Details

File Name: farpay.dll
File Size: 313856 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
PE timestamp: 2017-04-03 07:45:42
MD5: 1923727ed0f8bd4705fd2061f4017a84
SHA1: abdfd928dddfaa34da27025f835308d3da5a473c
SHA256: fc92de051c9e383a9735b4396eb052530fefba8c10691c26eaeb9eb67b8a40ee
SHA512: e1c3cd53898b867f0cb5797067e3c6167709572531699d79ffc8c49239593255936ff77d3339479faa5e0aa77009e8c3240a5536c7e741523abe89c2c6221180
CRC32: C7A09945
Ssdeep: 6144:HVpBblprE8XddFD6fnxcx7tdiVuHDoJQPXiBmi3v2reFD:H1b/r3FD6fKx7D8uHoNBmc2reFD

Signatures

Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3512 triggered the Yara rule 'shellcode_stack_strings'
Creates RWX memory
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: USERENV.dll/CreateEnvironmentBlock
DynamicLoader: USERENV.dll/DestroyEnvironmentBlock
DynamicLoader: WTSAPI32.dll/WTSFreeMemory
DynamicLoader: WTSAPI32.dll/WTSQueryUserToken
DynamicLoader: WTSAPI32.dll/WTSEnumerateSessionsW
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/K32GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetComputerNameExW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/HeapSize
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalFree
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteConsoleW
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/K32EnumProcesses
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/SetStdHandle
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/ReadConsoleW
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/SetEnvironmentVariableA
DynamicLoader: kernel32.dll/FreeEnvironmentStringsW
DynamicLoader: kernel32.dll/GetEnvironmentStringsW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/IsValidCodePage
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindFirstFileExA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleCP
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/TlsFree
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/CompareStringW
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/GetLocaleInfoW
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/OutputDebugStringW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/WaitForSingleObjectEx
DynamicLoader: kernel32.dll/RtlCaptureContext
DynamicLoader: kernel32.dll/RtlLookupFunctionEntry
DynamicLoader: kernel32.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/GetStartupInfoW
DynamicLoader: kernel32.dll/QueryPerformanceCounter
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/InitializeSListHead
DynamicLoader: kernel32.dll/RtlPcToFileHeader
DynamicLoader: kernel32.dll/RtlUnwindEx
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/InterlockedFlushSList
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetModuleHandleExW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/IsValidLocale
DynamicLoader: kernel32.dll/GetUserDefaultLCID
DynamicLoader: kernel32.dll/EnumSystemLocalesW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: WINHTTP.dll/WinHttpGetProxyForUrl
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: WINHTTP.dll/WinHttpAddRequestHeaders
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpWriteData
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/InitOnceExecuteOnce
DynamicLoader: kernel32.dll/CreateEventExW
DynamicLoader: kernel32.dll/CreateSemaphoreW
DynamicLoader: kernel32.dll/CreateSemaphoreExW
DynamicLoader: kernel32.dll/CreateThreadpoolTimer
DynamicLoader: kernel32.dll/SetThreadpoolTimer
DynamicLoader: kernel32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: kernel32.dll/CloseThreadpoolTimer
DynamicLoader: kernel32.dll/CreateThreadpoolWait
DynamicLoader: kernel32.dll/SetThreadpoolWait
DynamicLoader: kernel32.dll/CloseThreadpoolWait
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: kernel32.dll/GetCurrentProcessorNumber
DynamicLoader: kernel32.dll/CreateSymbolicLinkW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: kernel32.dll/GetFileInformationByHandleEx
DynamicLoader: kernel32.dll/SetFileInformationByHandle
DynamicLoader: kernel32.dll/GetSystemTimePreciseAsFileTime
DynamicLoader: kernel32.dll/InitializeConditionVariable
DynamicLoader: kernel32.dll/WakeConditionVariable
DynamicLoader: kernel32.dll/WakeAllConditionVariable
DynamicLoader: kernel32.dll/SleepConditionVariableCS
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/TryAcquireSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/SleepConditionVariableSRW
DynamicLoader: kernel32.dll/CreateThreadpoolWork
DynamicLoader: kernel32.dll/SubmitThreadpoolWork
DynamicLoader: kernel32.dll/CloseThreadpoolWork
DynamicLoader: kernel32.dll/CompareStringEx
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/InitializeConditionVariable
DynamicLoader: kernel32.dll/SleepConditionVariableCS
DynamicLoader: kernel32.dll/WakeAllConditionVariable
DynamicLoader: farpay.dll/
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: SHLWAPI.dll/
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: kernel32.dll/FlsFree
CAPE extracted potentially suspicious content
rundll32.exe: Unpacked Shellcode
rundll32.exe: Unpacked Shellcode
rundll32.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error: File not valid: C:\Users\Louise\AppData\Local\Temp\farpay.dll
File has been identified by 17 Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Gen:Variant.Razy.677686
Cylance: Unsafe
CrowdStrike: win/malicious_confidence_70% (D)
ESET-NOD32: a variant of Win64/Kryptik.BVG
Kaspersky: UDS:DangerousObject.Multi.Generic
BitDefender: Gen:Variant.Razy.677686
Rising: Trojan.Detplock!8.4A0D (TFE:4:C2a7idCOBrG)
Endgame: malicious (high confidence)
FireEye: Generic.mg.1923727ed0f8bd47
Emsisoft: Gen:Variant.Razy.677686 (B)
Arcabit: Trojan.Razy.DA5736
ZoneAlarm: UDS:DangerousObject.Multi.Generic
ALYac: Gen:Variant.Razy.677686
MAX: malware (ai score=86)
Ad-Aware: Gen:Variant.Razy.677686
Ikarus: Trojan.Win64.Crypt
GData: Gen:Variant.Razy.677686

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

Name Response Post-Analysis Lookup
shr-links.com [VT] 92.38.163.14 [VT]

Summary

Files

C:\Users\Louise\AppData\Local\Temp\farpay.dll
C:\Users\Louise\AppData\Local\Temp\farpay.dll.123.Manifest
C:\Users\Louise\AppData\Local\Temp\farpay.dll.124.Manifest
C:\Users\Louise\AppData\Local\Temp\farpay.dll.2.Manifest
C:\Windows\sysnative\rundll32.exe
C:\Windows\sysnative\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\sysnative\api-ms-win-core-localization-l1-2-1.DLL
C:\Users\Louise\AppData\Local\Temp\farpay.dll
C:\Users\Louise\AppData\Local\Temp\farpay.dll.123.Manifest
C:\Users\Louise\AppData\Local\Temp\farpay.dll.124.Manifest
C:\Users\Louise\AppData\Local\Temp\farpay.dll.2.Manifest
C:\Windows\sysnative\rundll32.exe

Registry Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Resolved APIs

kernel32.dll.VirtualAlloc
kernel32.dll.VirtualProtect
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualFree
userenv.dll.CreateEnvironmentBlock
userenv.dll.DestroyEnvironmentBlock
wtsapi32.dll.WTSFreeMemory
wtsapi32.dll.WTSQueryUserToken
wtsapi32.dll.WTSEnumerateSessionsW
kernel32.dll.SetFilePointerEx
kernel32.dll.HeapFree
kernel32.dll.GetCurrentProcess
kernel32.dll.K32GetModuleFileNameExW
kernel32.dll.GetTempPathW
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.WaitForSingleObject
kernel32.dll.GetVersionExW
kernel32.dll.GetComputerNameExW
kernel32.dll.OpenProcess
kernel32.dll.HeapSize
kernel32.dll.MultiByteToWideChar
kernel32.dll.GetLastError
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalFree
kernel32.dll.HeapReAlloc
kernel32.dll.CloseHandle
kernel32.dll.WriteConsoleW
kernel32.dll.HeapAlloc
kernel32.dll.K32EnumProcesses
kernel32.dll.DeleteCriticalSection
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetProcessHeap
kernel32.dll.CreateProcessW
kernel32.dll.WideCharToMultiByte
kernel32.dll.WriteProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.ReadProcessMemory
kernel32.dll.CreateRemoteThread
kernel32.dll.CreateFileW
kernel32.dll.FlushFileBuffers
kernel32.dll.SetStdHandle
kernel32.dll.SetEndOfFile
kernel32.dll.ReadFile
kernel32.dll.ReadConsoleW
kernel32.dll.RaiseException
kernel32.dll.TlsSetValue
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.GetCommandLineW
kernel32.dll.GetCommandLineA
kernel32.dll.GetOEMCP
kernel32.dll.IsValidCodePage
kernel32.dll.FindNextFileA
kernel32.dll.FindFirstFileExA
kernel32.dll.FindClose
kernel32.dll.GetConsoleMode
kernel32.dll.GetConsoleCP
kernel32.dll.GetStringTypeW
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.SetLastError
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.CreateEventW
kernel32.dll.TlsAlloc
kernel32.dll.TlsGetValue
kernel32.dll.TlsFree
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
kernel32.dll.CompareStringW
kernel32.dll.LCMapStringW
kernel32.dll.GetLocaleInfoW
kernel32.dll.GetCPInfo
kernel32.dll.IsDebuggerPresent
kernel32.dll.OutputDebugStringW
kernel32.dll.SetEvent
kernel32.dll.ResetEvent
kernel32.dll.WaitForSingleObjectEx
kernel32.dll.RtlCaptureContext
kernel32.dll.RtlLookupFunctionEntry
kernel32.dll.RtlVirtualUnwind
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.TerminateProcess
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.GetStartupInfoW
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetCurrentThreadId
kernel32.dll.InitializeSListHead
kernel32.dll.RtlPcToFileHeader
kernel32.dll.RtlUnwindEx
kernel32.dll.FreeLibrary
kernel32.dll.LoadLibraryExW
kernel32.dll.InterlockedFlushSList
kernel32.dll.ExitProcess
kernel32.dll.GetModuleHandleExW
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetACP
kernel32.dll.GetStdHandle
kernel32.dll.GetFileType
kernel32.dll.IsValidLocale
kernel32.dll.GetUserDefaultLCID
kernel32.dll.EnumSystemLocalesW
kernel32.dll.GetExitCodeProcess
kernel32.dll.CreateProcessA
kernel32.dll.GetFileAttributesExW
kernel32.dll.WriteFile
user32.dll.wsprintfW
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.OpenProcessToken
advapi32.dll.CreateProcessAsUserW
advapi32.dll.GetUserNameW
advapi32.dll.LookupPrivilegeValueW
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpCloseHandle
winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser
winhttp.dll.WinHttpGetProxyForUrl
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpSendRequest
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpCrackUrl
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpQueryHeaders
winhttp.dll.WinHttpAddRequestHeaders
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpWriteData
kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.LCMapStringEx
kernel32.dll.FlsFree
kernel32.dll.InitOnceExecuteOnce
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.GetTickCount64
kernel32.dll.GetFileInformationByHandleEx
kernel32.dll.SetFileInformationByHandle
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
kernel32.dll.InitializeSRWLock
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.TryAcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
kernel32.dll.SleepConditionVariableSRW
kernel32.dll.CreateThreadpoolWork
kernel32.dll.SubmitThreadpoolWork
kernel32.dll.CloseThreadpoolWork
kernel32.dll.CompareStringEx
kernel32.dll.GetLocaleInfoEx
farpay.dll.#1
shlwapi.dll.StrCmpNW
shlwapi.dll.#153
ws2_32.dll.GetAddrInfoW
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
ole32.dll.CoTaskMemAlloc
ole32.dll.StringFromIID
nsi.dll.NsiAllocateAndGetTable
cfgmgr32.dll.CM_Open_Class_Key_ExW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIfEntry2
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
ole32.dll.CoTaskMemFree
nsi.dll.NsiFreeTable
ole32.dll.CoUninitialize
rpcrt4.dll.RpcBindingFree
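The Resolved APIs list above is the raw material for a capability verdict, but reading 190 lines by eye is error-prone. The script below is an added example, not part of the CAPE report or of the sample: it parses a constructed subset of the lines exactly as the report prints them ("module.dll.Function", or "module.dll.#N" for an ordinal resolve) and reports which capability clusters are fully present. The cluster definitions and their names are the author's own. Entries such as "farpay.dll.#1" are ordinal resolves; the Exports table further down lists ordinal 1 of this DLL as iniB, so the sample is resolving its own export.

```python
"""Capability triage over the report's Resolved APIs list.

Added example, not part of the CAPE report. RESOLVED_APIS is a constructed
subset copied from the report; CLUSTERS and their names are the author's
assumptions about which API groups indicate which capability.
"""
import re

RESOLVED_APIS = """\
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualProtect
kernel32.dll.LoadLibraryA
userenv.dll.CreateEnvironmentBlock
wtsapi32.dll.WTSQueryUserToken
wtsapi32.dll.WTSEnumerateSessionsW
kernel32.dll.K32EnumProcesses
kernel32.dll.OpenProcess
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.CreateRemoteThread
kernel32.dll.GetProcAddress
kernel32.dll.IsDebuggerPresent
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.OpenProcessToken
advapi32.dll.CreateProcessAsUserW
advapi32.dll.LookupPrivilegeValueW
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpSendRequest
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpGetProxyForUrl
farpay.dll.#1
shlwapi.dll.#153
advapi32.dll.RegDeleteTreeW
ws2_32.dll.GetAddrInfoW
iphlpapi.dll.GetIpForwardTable2
"""

# A cluster fires only when every API in `required` was resolved; `optional`
# members are listed in the hit when present but do not gate the verdict.
CLUSTERS = {
    "remote_thread_injection": {
        "required": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
        "optional": {"K32EnumProcesses", "ReadProcessMemory"},
    },
    # The WTS* + CreateProcessAsUserW combination is how a SYSTEM-context
    # service spawns a process inside the interactive user's session.
    "spawn_in_user_session": {
        "required": {"WTSEnumerateSessionsW", "WTSQueryUserToken", "CreateProcessAsUserW"},
        "optional": {"CreateEnvironmentBlock", "OpenProcessToken",
                     "AdjustTokenPrivileges", "LookupPrivilegeValueW"},
    },
    "winhttp_client": {
        "required": {"WinHttpOpen", "WinHttpConnect", "WinHttpOpenRequest",
                     "WinHttpSendRequest", "WinHttpReceiveResponse"},
        "optional": {"WinHttpReadData", "WinHttpWriteData", "WinHttpGetProxyForUrl",
                     "WinHttpGetIEProxyConfigForCurrentUser"},
    },
    "self_mapping_loader": {
        "required": {"VirtualAlloc", "VirtualProtect", "LoadLibraryA", "GetProcAddress"},
        "optional": set(),
    },
    "host_recon": {
        "required": {"GetAddrInfoW", "GetIpForwardTable2"},
        "optional": {"GetIfEntry2", "GetIpNetEntry2", "GetComputerNameExW", "GetUserNameW"},
    },
}

LINE_RE = re.compile(r"^(?P<module>.+?\.(?:dll|exe|sys|ocx))\.(?P<func>#\d+|\w+)$", re.IGNORECASE)


def parse_resolved(text):
    """Split report lines into {function: module} and a list of (module, ordinal)."""
    named, ordinals = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        module, func = m["module"].lower(), m["func"]
        if func.startswith("#"):
            ordinals.append((module, int(func[1:])))
        else:
            named[func] = module
    return named, ordinals


def match_clusters(named):
    """Return {cluster: sorted matched APIs} for every cluster whose required set is complete."""
    present = set(named)
    hits = {}
    for name, spec in CLUSTERS.items():
        if spec["required"] <= present:
            hits[name] = sorted((spec["required"] | spec["optional"]) & present)
    return hits


if __name__ == "__main__":
    named, ordinals = parse_resolved(RESOLVED_APIS)
    for cluster, apis in match_clusters(named).items():
        print(f"{cluster}: {', '.join(apis)}")
    print("ordinal resolves:", ordinals)
```

Run against the full list in the report, all five clusters fire; a hit on the injection cluster alone is weak (many legitimate tools use it), but injection plus session-token spawning plus a WinHTTP client with proxy discovery is the profile of a loader that survives being started as a service.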

PE Information

Image Base: 0x10000000
Entry Point: 0x10001fc7
Reported Checksum: 0x00000000
Actual Checksum: 0x0005037a
Minimum OS Version: 5.2
Compile Time: 2017-04-03 07:45:42
Import Hash: fc29e4eeb40d38bb93ff059a6133a992
Exported DLL Name: Paiera.dll

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00008b2c 0x00008c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.30
.data 0x00009000 0x0000a000 0x00042fe1 0x00043000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.35
.pdata 0x0004c000 0x0004d000 0x0000027c 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.01
.tls 0x0004c400 0x0004e000 0x00000025 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.02
.CRT 0x0004c600 0x0004f000 0x00000010 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
.reloc 0x0004c800 0x00050000 0x00000048 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.25
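The section table is worth a mechanical pass before opening the file: writable-and-executable sections, entropy near 8, virtual sizes that outgrow raw sizes, and an entry point outside code are the usual packer tells. The script below is an added example, not part of the CAPE report; it parses the six rows above as they are printed, takes the image base and entry point from the PE Information block, and applies thresholds that are the author's assumptions. For this sample the only finding is the 274432-byte writable .data section, almost eight times the size of .text at moderate entropy, which is consistent with CAPE later extracting "Unpacked Shellcode" from rundll32.exe.

```python
"""Section-table triage for the DLL described above.

Added example, not part of the CAPE report. SECTIONS_TEXT is copied from
the report's Sections table as constructed input; IMAGE_BASE and
ENTRY_POINT come from the PE Information block. Thresholds are assumptions.
"""
from dataclasses import dataclass, field

IMAGE_BASE = 0x10000000
ENTRY_POINT = 0x10001fc7

SECTIONS_TEXT = """\
.text 0x00000400 0x00001000 0x00008b2c 0x00008c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.30
.data 0x00009000 0x0000a000 0x00042fe1 0x00043000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.35
.pdata 0x0004c000 0x0004d000 0x0000027c 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.01
.tls 0x0004c400 0x0004e000 0x00000025 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.02
.CRT 0x0004c600 0x0004f000 0x00000010 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
.reloc 0x0004c800 0x00050000 0x00000048 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.25
"""


@dataclass
class Section:
    name: str
    raw_addr: int
    virt_addr: int
    virt_size: int
    raw_size: int
    flags: set = field(default_factory=set)
    entropy: float = 0.0


def parse_sections(text):
    """Parse the report's space-separated section rows (hex fields, |-joined flags)."""
    sections = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, raw, va, vs, rs, chars, ent = line.split()
        sections.append(Section(name, int(raw, 16), int(va, 16), int(vs, 16),
                                int(rs, 16), set(chars.split("|")), float(ent)))
    return sections


def file_size(sections):
    """Expected on-disk size: end of the last section's raw data."""
    return max(s.raw_addr + s.raw_size for s in sections)


def section_for_rva(sections, rva):
    """Section whose virtual range contains the RVA, or None."""
    for s in sections:
        if s.virt_addr <= rva < s.virt_addr + max(s.virt_size, s.raw_size):
            return s
    return None


def triage(sections, high_entropy=7.0, data_to_code_ratio=4.0):
    """Return analyst findings as strings; an empty list means nothing stood out."""
    findings = []
    code_bytes = sum(s.raw_size for s in sections if "IMAGE_SCN_MEM_EXECUTE" in s.flags)
    for s in sections:
        if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= s.flags:
            findings.append(f"{s.name}: writable and executable")
        if s.entropy >= high_entropy:
            findings.append(f"{s.name}: entropy {s.entropy:.2f}, likely compressed or encrypted")
        if s.raw_size and s.virt_size > 2 * s.raw_size:
            findings.append(f"{s.name}: virtual size far exceeds raw size, room for unpacking")
    largest = max(sections, key=lambda s: s.raw_size)
    if ("IMAGE_SCN_MEM_EXECUTE" not in largest.flags
            and largest.raw_size > data_to_code_ratio * code_bytes):
        findings.append(f"{largest.name}: {largest.raw_size} bytes of data against "
                        f"{code_bytes} bytes of code, look for an embedded payload blob")
    ep = section_for_rva(sections, ENTRY_POINT - IMAGE_BASE)
    if ep is None or "IMAGE_SCN_MEM_EXECUTE" not in ep.flags:
        findings.append("entry point is not inside an executable section")
    return findings


if __name__ == "__main__":
    secs = parse_sections(SECTIONS_TEXT)
    print(f"expected file size: {file_size(secs):#x}")
    for finding in triage(secs):
        print("-", finding)
```

The entropy check deliberately does not fire here: 5.35 is ordinary for mixed binary data, so whatever sits in .data is not compressed or strongly encrypted, and a simple XOR or add-style decoder in .text is the place to look first.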

Imports

0x1000a0c8 SetClipboardData
0x1000a000 GetACP
0x1000a008 RtlLookupFunctionEntry
0x1000a010 GetEnvironmentStringsW
0x1000a018 GetVersionExA
0x1000a020 GetEnvironmentStrings
0x1000a028 GetProcessHeap
0x1000a030 GetTickCount
0x1000a038 GetCommandLineW
0x1000a040 GetModuleHandleA
0x1000a048 VirtualAlloc
0x1000a050 GetCommandLineA
0x1000a058 GetOEMCP
0x1000a060 GetCurrentProcessId
0x1000a068 RtlCaptureContext
0x1000a070 GetLastError
0x1000a078 LocalFree
0x1000a080 GlobalAlloc
0x1000a088 GetCurrentThread
0x1000a090 TerminateProcess
0x1000a098 GetCurrentProcess
0x1000a0b0 IsDebuggerPresent
0x1000a0b8 RtlVirtualUnwind

Exports

Ordinal Address Name
1 0x10007780 iniB
2 0x10007780 iniC

Strings

!This program cannot be run in DOS mode.
.text
`.data
.pdata
@.tls
@.reloc
D$$%1u
D$,'/
D$hL?3
D$(%V
D$,9D$8
D$d&,
D$`9D$`uf
D$<%I
D$$L7
D$ 9D$$|?H
D$49D$4|
XQRSV
WUARASAT
AUAVAWI
D$ ?C
9D$$u
D$(`]
D$<9D$L
D$D%W
D$H9D$8
9D$pu*
D$\y_
D$ n6I
D$DH5
D$0$,
9D$tt*
D$x`n
D$09D$x
D$|U~
D$DmR
D$p9D$|tG
D$h9D$ t
D$L%m
D$\]n
|$\P|A
D$`D(
|$hmu|H
|$dv1
D$lzn
D$tw0
D$|Xn
D$0)A
D$|%t
D$X$=?
D$PSDs
|$l-t4
|$l!o
D$\9D$PuX
D$8DMa
D$L![
D$89D$(t/
D$\Xhr
D$8%\
|$,G2
D$L[k
|$`\u-H
D$dN5
D$dnvO
D$(fS
D$X?-
D$P#?p
D$P9D$0u
D$,[L
D$8P{#
D$X%j
D$p|J
D$,aw
D$L9D$,
D$`htX
|$xEy0
D$(Ta
D$L9D$X
D$h>H
D$dI3
D$X%F
D$XE3
KISn[Q
Found Tone for %d msec
kernel32
cdaudio.pdb
cdaudio.pdb
Call Tx Uinfo=%d
EV_HMAC_ACTION_DLS_FILL
Unmatched \(
SetClipboardData
USER32.dll
GetEnvironmentStringsW
GetVersionExA
GetEnvironmentStrings
GetProcessHeap
GetTickCount
GetCommandLineW
GetModuleHandleA
VirtualAlloc
GetCommandLineA
GetOEMCP
GetCurrentProcessId
GetACP
GetLastError
LocalFree
GlobalAlloc
GetCurrentThread
KERNEL32.dll
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
Paiera.dll

Full Results

Engine: Signature
Bkav: Clean
DrWeb: Clean
MicroWorld-eScan: Gen:Variant.Razy.677686
CMC: Clean
CAT-QuickHeal: Clean
McAfee: Clean
Cylance: Unsafe
Zillya: Clean
SUPERAntiSpyware: Clean
Sangfor: Clean
K7AntiVirus: Clean
Alibaba: Clean
K7GW: Clean
CrowdStrike: win/malicious_confidence_70% (D)
Invincea: Clean
BitDefenderTheta: Clean
F-Prot: Clean
Symantec: Clean
ESET-NOD32: a variant of Win64/Kryptik.BVG
APEX: Clean
TotalDefense: Clean
Avast: Clean
ClamAV: Clean
Kaspersky: UDS:DangerousObject.Multi.Generic
BitDefender: Gen:Variant.Razy.677686
NANO-Antivirus: Clean
Paloalto: Clean
AegisLab: Clean
Rising: Trojan.Detplock!8.4A0D (TFE:4:C2a7idCOBrG)
Endgame: malicious (high confidence)
Sophos: Clean
Comodo: Clean
F-Secure: Clean
Baidu: Clean
VIPRE: Clean
TrendMicro: Clean
McAfee-GW-Edition: Clean
Trapmine: Clean
FireEye: Generic.mg.1923727ed0f8bd47
Emsisoft: Gen:Variant.Razy.677686 (B)
SentinelOne: Clean
Cyren: Clean
Jiangmin: Clean
Webroot: Clean
Avira: Clean
Fortinet: Clean
Antiy-AVL: Clean
Kingsoft: Clean
Arcabit: Trojan.Razy.DA5736
ViRobot: Clean
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Avast-Mobile: Clean
Microsoft: Clean
TACHYON: Clean
AhnLab-V3: Clean
Acronis: Clean
VBA32: Clean
ALYac: Gen:Variant.Razy.677686
MAX: malware (ai score=86)
Ad-Aware: Gen:Variant.Razy.677686
Malwarebytes: Clean
Zoner: Clean
TrendMicro-HouseCall: Clean
Tencent: Clean
Yandex: Clean
Ikarus: Trojan.Win64.Crypt
eGambit: Clean
GData: Gen:Variant.Razy.677686
MaxSecure: Clean
AVG: Clean
Panda: Clean
Qihoo-360: Clean

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.9 51751 1.1.1.1 53
192.168.1.9 53599 1.1.1.1 53
192.168.1.9 54609 1.1.1.1 53
192.168.1.9 55233 1.1.1.1 53
192.168.1.9 55319 1.1.1.1 53
192.168.1.9 59058 1.1.1.1 53
192.168.1.9 59225 1.1.1.1 53
192.168.1.9 63630 1.1.1.1 53
192.168.1.9 64674 1.1.1.1 53
192.168.1.9 137 192.168.1.255 137
192.168.1.9 51751 8.8.8.8 53
192.168.1.9 53599 8.8.8.8 53
192.168.1.9 54609 8.8.8.8 53
192.168.1.9 55233 8.8.8.8 53
192.168.1.9 55319 8.8.8.8 53
192.168.1.9 59058 8.8.8.8 53
192.168.1.9 59225 8.8.8.8 53
192.168.1.9 63630 8.8.8.8 53
192.168.1.9 64674 8.8.8.8 53
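Every flow in the UDP table is either port 53 to the two resolvers or a single NetBIOS name broadcast, and each source port appears once against 1.1.1.1 and once against 8.8.8.8, which is the Windows stub resolver fanning one query out to both configured servers. The "DNS-Over-HTTPS/DNS-Over-TLS" signature earlier in the report therefore keyed on the resolver address alone; cleartext UDP/53 to 1.1.1.1 is ordinary DNS. The script below is an added example, not part of the CAPE report: it classifies the rows above as constructed input, counts distinct queries rather than packets, and cross-checks the DNS answer against the TCP and UDP flows (the report records no TCP connections, so the resolved 92.38.163.14 was never contacted during the run). The resolver list and port rules are the author's assumptions.

```python
"""Flow triage for the report's UDP, TCP and DNS tables.

Added example, not part of the CAPE report. UDP_ROWS, TCP_ROWS and
DNS_ANSWERS are copied from the report as constructed input; the resolver
list, the port-based classification and the result keys are assumptions.
"""
from collections import Counter, defaultdict

UDP_ROWS = """\
192.168.1.9 51751 1.1.1.1 53
192.168.1.9 53599 1.1.1.1 53
192.168.1.9 54609 1.1.1.1 53
192.168.1.9 55233 1.1.1.1 53
192.168.1.9 55319 1.1.1.1 53
192.168.1.9 59058 1.1.1.1 53
192.168.1.9 59225 1.1.1.1 53
192.168.1.9 63630 1.1.1.1 53
192.168.1.9 64674 1.1.1.1 53
192.168.1.9 137 192.168.1.255 137
192.168.1.9 51751 8.8.8.8 53
192.168.1.9 53599 8.8.8.8 53
192.168.1.9 54609 8.8.8.8 53
192.168.1.9 55233 8.8.8.8 53
192.168.1.9 55319 8.8.8.8 53
192.168.1.9 59058 8.8.8.8 53
192.168.1.9 59225 8.8.8.8 53
192.168.1.9 63630 8.8.8.8 53
192.168.1.9 64674 8.8.8.8 53
"""
TCP_ROWS = ""                                    # report: "No TCP connections recorded."
DNS_ANSWERS = {"shr-links.com": "92.38.163.14"}  # report's DNS table

# Assumption: well-known public resolvers; DoT/DoH is only plausible on 853/443 to one of these.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}


def parse_flows(text):
    """Rows are 'src sport dst dport' as printed in the report."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport = line.split()
        flows.append((src, int(sport), dst, int(dport)))
    return flows


def classify(flow):
    _src, _sport, dst, dport = flow
    if dport == 53:
        return "dns_plain"                 # cleartext DNS, whatever the resolver
    if dport == 853 and dst in PUBLIC_RESOLVERS:
        return "dns_over_tls"
    if dport == 443 and dst in PUBLIC_RESOLVERS:
        return "dns_over_https_candidate"  # confirm with TLS SNI / JA3 before calling it DoH
    if dport == 137 and dst.endswith(".255"):
        return "netbios_name_broadcast"
    return "other"


def triage(udp_flows, tcp_flows, dns_answers):
    kinds = Counter(classify(f) for f in udp_flows)
    dns = [f for f in udp_flows if classify(f) == "dns_plain"]
    resolvers = sorted({f[2] for f in dns})
    # One source port hitting every resolver is one query fanned out by the
    # stub resolver, not several lookups; count ports, not packets.
    by_port = defaultdict(set)
    for _src, sport, dst, _dport in dns:
        by_port[sport].add(dst)
    fanned_out = sum(1 for dsts in by_port.values() if dsts == set(resolvers))
    contacted = {f[2] for f in udp_flows} | {f[2] for f in tcp_flows}
    not_contacted = {name: ip for name, ip in dns_answers.items() if ip not in contacted}
    return {
        "kinds": dict(kinds),
        "resolvers": resolvers,
        "distinct_queries": len(by_port),
        "queries_sent_to_all_resolvers": fanned_out,
        "encrypted_dns_seen": bool(kinds["dns_over_tls"] or kinds["dns_over_https_candidate"]),
        "resolved_not_contacted": not_contacted,
    }


if __name__ == "__main__":
    result = triage(parse_flows(UDP_ROWS), parse_flows(TCP_ROWS), DNS_ANSWERS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Nine distinct queries for one recorded hostname means most lookups either went unanswered or were not captured in the DNS table; a resolved address with no follow-up connection usually means the HTTP stage failed, timed out or was waiting for a condition the sandbox did not meet, which fits the empty HTTP Requests section below.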

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature

    Processing ( 7.047 seconds )

    • 5.214 Suricata
    • 0.947 NetworkAnalysis
    • 0.232 CAPE
    • 0.218 Static
    • 0.178 VirusTotal
    • 0.158 BehaviorAnalysis
    • 0.034 Deduplicate
    • 0.031 TargetInfo
    • 0.02 AnalysisInfo
    • 0.006 peid
    • 0.005 Strings
    • 0.004 Debug

    Signatures ( 0.131 seconds )

    • 0.016 antiav_detectreg
    • 0.01 infostealer_ftp
    • 0.01 ransomware_files
    • 0.007 territorial_disputes_sigs
    • 0.006 antiav_detectfile
    • 0.006 ransomware_extensions
    • 0.005 infostealer_bitcoin
    • 0.004 antianalysis_detectfile
    • 0.004 infostealer_im
    • 0.003 api_spamming
    • 0.003 decoy_document
    • 0.003 persistence_autorun
    • 0.003 stealth_timeout
    • 0.003 antianalysis_detectreg
    • 0.003 infostealer_mail
    • 0.003 masquerade_process_name
    • 0.002 Doppelganging
    • 0.002 antiemu_wine_func
    • 0.002 antivm_generic_disk
    • 0.002 lsass_credential_dumping
    • 0.002 dynamic_function_loading
    • 0.002 NewtWire Behavior
    • 0.002 antivm_vbox_files
    • 0.002 antivm_vbox_keys
    • 0.002 network_torgateway
    • 0.001 InjectionInterProcess
    • 0.001 InjectionCreateRemoteThread
    • 0.001 InjectionProcessHollowing
    • 0.001 betabot_behavior
    • 0.001 bootkit
    • 0.001 infostealer_browser_password
    • 0.001 injection_createremotethread
    • 0.001 injection_runpe
    • 0.001 kibex_behavior
    • 0.001 kovter_behavior
    • 0.001 malicious_dynamic_function_loading
    • 0.001 mimics_filetime
    • 0.001 reads_self
    • 0.001 tinba_behavior
    • 0.001 virus
    • 0.001 antidbg_devices
    • 0.001 antivm_parallels_keys
    • 0.001 antivm_vmware_keys
    • 0.001 geodo_banking_trojan
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 qulab_files
    • 0.001 network_dns_opennic
    • 0.001 revil_mutexes

    Reporting ( 3.059 seconds )

    • 3.012 BinGraph
    • 0.043 MITRE_TTPS
    • 0.004 PCAP2CERT