Detections

Yara:

REvil

Analysis

Category Package Started Completed Duration
FILE dll 2020-10-18 04:36:59 2020-10-18 04:38:14 75 seconds
route = tor
2020-05-13 09:25:36,180 [root] INFO: Date set to: 20201018T04:36:59, timeout set to: 200
2020-10-18 04:36:59,062 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-10-18 04:36:59,062 [root] DEBUG: Storing results at: C:\NPSjHy
2020-10-18 04:36:59,062 [root] DEBUG: Pipe server name: \\.\PIPE\cWEQeDr
2020-10-18 04:36:59,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-10-18 04:36:59,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-10-18 04:36:59,062 [root] INFO: Automatically selected analysis package "dll"
2020-10-18 04:36:59,062 [root] DEBUG: Importing analysis package "dll"...
2020-10-18 04:36:59,078 [root] DEBUG: Initializing analysis package "dll"...
2020-10-18 04:36:59,140 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2020-10-18 04:36:59,156 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2020-10-18 04:36:59,171 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2020-10-18 04:36:59,187 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2020-10-18 04:36:59,249 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2020-10-18 04:36:59,249 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2020-10-18 04:36:59,249 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2020-10-18 04:36:59,265 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-10-18 04:36:59,265 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-10-18 04:36:59,265 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-10-18 04:36:59,265 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-10-18 04:36:59,265 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-10-18 04:36:59,265 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-10-18 04:36:59,281 [lib.api.screenshot] DEBUG: Importing 'math'
2020-10-18 04:36:59,281 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-10-18 04:36:59,406 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-10-18 04:36:59,406 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-10-18 04:36:59,406 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-10-18 04:36:59,406 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2020-10-18 04:36:59,437 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2020-10-18 04:36:59,437 [root] DEBUG: Initializing auxiliary module "Browser"...
2020-10-18 04:36:59,437 [root] DEBUG: Started auxiliary module Browser
2020-10-18 04:36:59,437 [root] DEBUG: Initializing auxiliary module "Curtain"...
2020-10-18 04:36:59,453 [root] DEBUG: Started auxiliary module Curtain
2020-10-18 04:36:59,453 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2020-10-18 04:36:59,453 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-10-18 04:37:00,390 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-10-18 04:37:00,390 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-10-18 04:37:00,390 [root] DEBUG: Started auxiliary module DigiSig
2020-10-18 04:37:00,390 [root] DEBUG: Initializing auxiliary module "Disguise"...
2020-10-18 04:37:00,421 [modules.auxiliary.disguise] INFO: Disguising GUID to eb2410cd-7ac2-4eea-90f6-edbf82693808
2020-10-18 04:37:00,421 [root] DEBUG: Started auxiliary module Disguise
2020-10-18 04:37:00,421 [root] DEBUG: Initializing auxiliary module "Human"...
2020-10-18 04:37:00,421 [root] DEBUG: Started auxiliary module Human
2020-10-18 04:37:00,421 [root] DEBUG: Initializing auxiliary module "Procmon"...
2020-10-18 04:37:00,437 [root] DEBUG: Started auxiliary module Procmon
2020-10-18 04:37:00,437 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2020-10-18 04:37:00,437 [root] DEBUG: Started auxiliary module Screenshots
2020-10-18 04:37:00,437 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2020-10-18 04:37:00,437 [root] DEBUG: Started auxiliary module Sysmon
2020-10-18 04:37:00,437 [root] DEBUG: Initializing auxiliary module "Usage"...
2020-10-18 04:37:00,437 [root] DEBUG: Started auxiliary module Usage
2020-10-18 04:37:00,437 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2020-10-18 04:37:00,437 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2020-10-18 04:37:00,437 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2020-10-18 04:37:00,437 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2020-10-18 04:37:00,515 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe.dll",#1" with pid 4184
2020-10-18 04:37:00,515 [lib.api.process] INFO: Monitor config for process 4184: C:\tmp2ssujfce\dll\4184.ini
2020-10-18 04:37:00,531 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\byomLVsJ.dll, loader C:\tmp2ssujfce\bin\bUhKhQh.exe
2020-10-18 04:37:00,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cWEQeDr.
2020-10-18 04:37:00,578 [root] DEBUG: Loader: Injecting process 4184 (thread 424) with C:\tmp2ssujfce\dll\byomLVsJ.dll.
2020-10-18 04:37:00,578 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\byomLVsJ.dll.
2020-10-18 04:37:00,578 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 04:37:00,578 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\byomLVsJ.dll.
2020-10-18 04:37:02,593 [lib.api.process] INFO: Successfully resumed process with pid 4184
2020-10-18 04:37:02,843 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 04:37:02,875 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 04:37:02,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c and local view 0x6F9B0000 to global list.
2020-10-18 04:37:02,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 and local view 0x6F980000 to global list.
2020-10-18 04:37:02,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x110 and local view 0x6F980000 to global list.
2020-10-18 04:37:02,984 [root] DEBUG: Target DLL loaded at 0x6F980000: C:\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe (0x21000 bytes).
2020-10-18 04:37:02,984 [root] DEBUG: set_caller_info: Adding region at 0x6F980000 to caller regions list (kernel32::CreateThread).
2020-10-18 04:37:02,984 [root] DEBUG: set_caller_info: Calling region at 0x6F980000 skipped.
2020-10-18 04:37:02,984 [root] DEBUG: DLL loaded at 0x76A70000: C:\Windows\syswow64\crypt32 (0x122000 bytes).
2020-10-18 04:37:02,984 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-10-18 04:37:03,000 [root] DEBUG: DLL loaded at 0x6EA70000: C:\Windows\SysWOW64\winhttp (0x58000 bytes).
2020-10-18 04:37:03,000 [root] DEBUG: DLL loaded at 0x6EA20000: C:\Windows\SysWOW64\webio (0x50000 bytes).
2020-10-18 04:37:03,000 [root] DEBUG: DLL loaded at 0x6F940000: C:\Windows\SysWOW64\winmm (0x32000 bytes).
2020-10-18 04:37:03,015 [root] DEBUG: DLL loaded at 0x6F9B0000: C:\Windows\SysWOW64\rstrtmgr (0x28000 bytes).
2020-10-18 04:37:03,015 [root] DEBUG: DLL loaded at 0x6F900000: C:\Windows\SysWOW64\ncrypt (0x39000 bytes).
2020-10-18 04:37:03,015 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\bcrypt (0x17000 bytes).
2020-10-18 04:37:03,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x148 and local view 0x03FF0000 to global list.
2020-10-18 04:37:03,685 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-10-18 04:37:06,429 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x158 and local view 0x04940000 to global list.
2020-10-18 04:37:07,851 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x18400.
2020-10-18 04:37:07,861 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x021A0020.
2020-10-18 04:37:07,871 [root] DEBUG: DLL unloaded from 0x76700000.
2020-10-18 04:37:07,873 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 04:37:07,875 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x021A0020.
2020-10-18 04:37:07,893 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4184
2020-10-18 04:37:07,895 [root] DEBUG: GetHookCallerBase: thread 424 (handle 0x0), return address 0x000A1368, allocation base 0x000A0000.
2020-10-18 04:37:07,898 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x6F980000.
2020-10-18 04:37:07,900 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 04:37:07,903 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x6F980000.
2020-10-18 04:37:07,905 [root] DEBUG: DumpPE: Error: Invalid PE file or invalid PE header.
2020-10-18 04:37:07,907 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x6F980000, dumping memory region.
2020-10-18 04:37:07,909 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x0267576B.
2020-10-18 04:37:07,914 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 04:37:07,916 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0267576B.
2020-10-18 04:37:07,920 [root] DEBUG: DumpPE: Error: Invalid PE file or invalid PE header.
2020-10-18 04:37:07,922 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x0267576B, dumping memory region.
2020-10-18 04:37:08,192 [root] DEBUG: DLL unloaded from 0x76680000.
2020-10-18 04:37:08,201 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4184
2020-10-18 04:37:08,270 [root] DEBUG: GetHookCallerBase: thread 424 (handle 0x0), return address 0x000A1368, allocation base 0x000A0000.
2020-10-18 04:37:08,275 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x6F980000.
2020-10-18 04:37:08,284 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 04:37:08,287 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x6F980000.
2020-10-18 04:37:08,289 [root] DEBUG: DumpPE: Error: Invalid PE file or invalid PE header.
2020-10-18 04:37:08,291 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x6F980000, dumping memory region.
2020-10-18 04:37:08,293 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x0267576B.
2020-10-18 04:37:08,295 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 04:37:08,301 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0267576B.
2020-10-18 04:37:08,308 [root] DEBUG: DumpPE: Error: Invalid PE file or invalid PE header.
2020-10-18 04:37:08,312 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x0267576B, dumping memory region.
2020-10-18 04:37:08,321 [root] INFO: Process with pid 4184 has terminated
2020-10-18 04:37:13,744 [root] INFO: Process list is empty, terminating analysis.
2020-10-18 04:37:14,744 [root] INFO: Created shutdown mutex.
2020-10-18 04:37:15,744 [root] INFO: Shutting down package.
2020-10-18 04:37:15,744 [root] INFO: Stopping auxiliary modules.
2020-10-18 04:37:16,166 [lib.common.results] WARNING: File C:\NPSjHy\bin\procmon.xml doesn't exist anymore
2020-10-18 04:37:16,166 [root] INFO: Finishing auxiliary modules.
2020-10-18 04:37:16,166 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-10-18 04:37:16,181 [root] WARNING: Folder at path "C:\NPSjHy\debugger" does not exist, skip.
2020-10-18 04:37:16,181 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_1 win7x64_5 KVM 2020-10-18 04:36:59 2020-10-18 04:38:14

File Details

File Name iNYDKhvj.exe
File Size 119296 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
PE timestamp 2020-08-20 12:25:13
MD5 3398acd9c723cd396604dd1cad60e5ba
SHA1 6893a2168067bac514144c18e1c50f59363c8e29
SHA256 b8fcf275ea5024bc10bd51f4db8f59d01822b9ec61e7a5ada8bf6290954933b2
SHA512 f6590082fc0ba2505cd181178fbf6f04d7a3e2ec7cbb3671dc5c6faf55a1959e6edf3ea0c529187a680e990bade20f4506e21734687071d6bc450ebe8ec5408b
CRC32 10E2AF6C
Ssdeep 1536:CPp8kFF4+utlznGEvCrUmUYwGOmpX2yaICS4Aa7A7IeLubrWCxd4ZL/a9qt3VpSL:8vnuGqfGOqVB7IeLmbm5ywtj8
ClamAV
  • Win.Ransomware.Sodinokibi-7013612-0
CAPE Yara
  • REvil Payload - Author: R3MRUM

Signatures

Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4184 triggered the Yara rule 'REvil'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: rundll32.exe, PID 4184
Dynamic (imported) function loading detected
DynamicLoader: iNYDKhvj.exe.dll/
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
The binary contains an unknown PE section name indicative of packing
unknown section: name: .cfg, entropy: 5.69, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000c800, virtual_size: 0x0000c800
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe
Network activity detected but not expressed in API logs
CAPE detected the REvil malware family
File has been identified by 52 Antiviruses on VirusTotal as malicious
Bkav: W32.AIDetectVM.malware2
Elastic: malicious (high confidence)
MicroWorld-eScan: DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
FireEye: Generic.mg.3398acd9c723cd39
CAT-QuickHeal: Trojan.GenericRI.S15761436
McAfee: Sodinokibi!3398ACD9C723
Cylance: Unsafe
Sangfor: Malware
K7AntiVirus: Trojan ( 0056be0b1 )
K7GW: Trojan ( 0056e0ac1 )
CrowdStrike: win/malicious_confidence_100% (D)
Invincea: ML/PE-A + Troj/Sodino-BU
Cyren: W32/Kryptik.AKW.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Avast: Win32:Trojan-gen
ClamAV: Win.Ransomware.Sodinokibi-7013612-0
Kaspersky: HEUR:Trojan-Ransom.Win32.Crypmod.vho
BitDefender: DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
NANO-Antivirus: Virus.Win32.Gen.ccmw
Tencent: Malware.Win32.Gencirc.10cdfd66
Ad-Aware: DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
Emsisoft: DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D (B)
F-Secure: Trojan.TR/Crypt.XPACK.Gen
DrWeb: Trojan.Encoder.30497
Zillya: Trojan.Filecoder.Win32.15648
TrendMicro: Ransom.Win32.SODINOKIBI.SMTH
McAfee-GW-Edition: Sodinokibi!3398ACD9C723
Sophos: Troj/Sodino-BU
Ikarus: Trojan-Ransom.Sodinokibi
GData: DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
Avira: TR/Crypt.XPACK.Gen
Antiy-AVL: Trojan[Ransom]/Win32.Crypmod
Arcabit: DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
ZoneAlarm: HEUR:Trojan-Ransom.Win32.Crypmod.vho
Microsoft: Ransom:Win32/Revil.SI!MTB
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win32.RL_Ransom.R290570
BitDefenderTheta: Gen:[email protected]
ALYac: DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
MAX: malware (ai score=89)
VBA32: BScope.Trojan.DelShad
Malwarebytes: Ransom.Sodinokibi
ESET-NOD32: a variant of Win32/Filecoder.Sodinokibi.H
TrendMicro-HouseCall: Ransom.Win32.SODINOKIBI.SMTH
Rising: Ransom.Sodinokibi!1.CB12 (CLASSIC)
Yandex: Trojan.Filecoder!WJN/QawkQHA
SentinelOne: DFI - Malicious PE
Fortinet: W32/Sodinokibi.H!tr.ransom
AVG: Win32:Trojan-gen
Panda: Trj/GdSda.A
Qihoo-360: HEUR/QVM40.1.A943.Malware.Gen
Clamav Hits in Target/Dropped/SuriExtracted
b8fcf275ea5024bc10bd51f4db8f59d01822b9ec61e7a5ada8bf6290954933b2: Win.Ransomware.Sodinokibi-7013612-0, target, type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 52.142.114.176 [VT] Ireland
Y 13.107.42.23 [VT] United States

DNS

No domains contacted.


Summary

C:\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe.dll
C:\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe.dll.123.Manifest
C:\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe.dll.124.Manifest
C:\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
A:
B:
E:
F:
G:
H:
I:
J:
K:
L:
M:
N:
O:
P:
Q:
R:
S:
T:
U:
V:
W:
X:
Y:
Z:
C:\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe.dll
C:\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe.dll.123.Manifest
C:\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe.dll.124.Manifest
C:\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\iNYDKhvj.exe.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter
HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\Hv4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\KxGe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\I0sZQ
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\Z2iI9s
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\SaDZyFI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\productName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\MNxNEs3W
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\iNYDKhvj.exe.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\SaDZyFI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\productName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\MNxNEs3W
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\Hv4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\KxGe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\I0sZQ
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\Z2iI9s
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\SaDZyFI
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter\MNxNEs3W
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
ole32.dll.CreateStreamOnHGlobal
ole32.dll.CoInitializeEx
ole32.dll.CoInitializeSecurity
ole32.dll.CoCreateInstance
ole32.dll.CoUninitialize
ole32.dll.CoSetProxyBlanket
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.#500
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1
Global\B82BDE5C-41BF-B191-BAAC-0D2BF3B3F85A

BinGraph


PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x10000000 0x1000407c 0x00000000 0x0002bb14 5.1 2020-08-20 12:25:13 0a72a27bb4f50c4e03f53b443def2069

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0000b164 0x0000b200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.56
.rdata 0x0000b600 0x0000d000 0x00002d46 0x00002e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.82
.data 0x0000e400 0x00010000 0x00002018 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.48
.cfg 0x00010200 0x00013000 0x0000c800 0x0000c800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.69
.reloc 0x0001ca00 0x00020000 0x00000694 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.96

Imports

0x1000d000 lstrlenW
0x1000d004 CloseHandle
0x1000d008 SetErrorMode
0x1000d00c CreateThread
0x1000d010 VerSetConditionMask
0x1000d014 GetExitCodeProcess
0x1000d018 VerifyVersionInfoW
0x1000d02c MessageBoxW
0x1000d030 wsprintfW
0x1000d020 VariantClear
0x1000d024 VariantInit


Full Results

Engine  Signature
Bkav  W32.AIDetectVM.malware2
Elastic  malicious (high confidence)
MicroWorld-eScan  DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
FireEye  Generic.mg.3398acd9c723cd39
CAT-QuickHeal  Trojan.GenericRI.S15761436
McAfee  Sodinokibi!3398ACD9C723
Cylance  Unsafe
VIPRE  Clean
SUPERAntiSpyware  Clean
Sangfor  Malware
K7AntiVirus  Trojan ( 0056be0b1 )
Alibaba  Clean
K7GW  Trojan ( 0056e0ac1 )
CrowdStrike  win/malicious_confidence_100% (D)
Invincea  ML/PE-A + Troj/Sodino-BU
Baidu  Clean
Cyren  W32/Kryptik.AKW.gen!Eldorado
Symantec  ML.Attribute.HighConfidence
TotalDefense  Clean
APEX  Malicious
Avast  Win32:Trojan-gen
ClamAV  Win.Ransomware.Sodinokibi-7013612-0
Kaspersky  HEUR:Trojan-Ransom.Win32.Crypmod.vho
BitDefender  DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
NANO-Antivirus  Virus.Win32.Gen.ccmw
Paloalto  Clean
AegisLab  Clean
Tencent  Malware.Win32.Gencirc.10cdfd66
Ad-Aware  DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
TACHYON  Clean
Emsisoft  DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D (B)
Comodo  Clean
F-Secure  Trojan.TR/Crypt.XPACK.Gen
DrWeb  Trojan.Encoder.30497
Zillya  Trojan.Filecoder.Win32.15648
TrendMicro  Ransom.Win32.SODINOKIBI.SMTH
McAfee-GW-Edition  Sodinokibi!3398ACD9C723
CMC  Clean
Sophos  Troj/Sodino-BU
Ikarus  Trojan-Ransom.Sodinokibi
GData  DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
Jiangmin  Clean
Webroot  Clean
Avira  TR/Crypt.XPACK.Gen
Antiy-AVL  Trojan[Ransom]/Win32.Crypmod
Kingsoft  Clean
Arcabit  DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
ViRobot  Clean
ZoneAlarm  HEUR:Trojan-Ransom.Win32.Crypmod.vho
Microsoft  Ransom:Win32/Revil.SI!MTB
Cynet  Malicious (score: 100)
AhnLab-V3  Trojan/Win32.RL_Ransom.R290570
Acronis  Clean
BitDefenderTheta  Gen:[email protected]
ALYac  DeepScan:Generic.Ransom.Sodinokibi.8D2E7A7D
MAX  malware (ai score=89)
VBA32  BScope.Trojan.DelShad
Malwarebytes  Ransom.Sodinokibi
Zoner  Clean
ESET-NOD32  a variant of Win32/Filecoder.Sodinokibi.H
TrendMicro-HouseCall  Ransom.Win32.SODINOKIBI.SMTH
Rising  Ransom.Sodinokibi!1.CB12 (CLASSIC)
Yandex  Trojan.Filecoder!WJN/QawkQHA
SentinelOne  DFI - Malicious PE
eGambit  Clean
Fortinet  W32/Sodinokibi.H!tr.ransom
MaxSecure  Clean
AVG  Win32:Trojan-gen
Panda  Trj/GdSda.A
Qihoo-360  HEUR/QVM40.1.A943.Malware.Gen
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 52.142.114.176 [VT] Ireland
Y 13.107.42.23 [VT] United States

TCP

Source Source Port Destination Destination Port
192.168.1.6 49187 13.107.42.23 443
192.168.1.6 49189 13.107.42.23 443
192.168.1.6 49191 52.142.114.176 443

UDP

Source Source Port Destination Destination Port
192.168.1.6 137 192.168.1.255 137
192.168.1.6 56304 8.8.8.8 53
192.168.1.6 57593 8.8.8.8 53
192.168.1.6 58697 8.8.8.8 53
192.168.1.6 63713 8.8.8.8 53
192.168.1.6 64201 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.1.6 8.8.8.8 3
192.168.1.6 8.8.8.8 3

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-10-18 04:38:00.945 192.168.1.6 [VT] 49186 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 04:38:00.953 192.168.1.6 [VT] 49187 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 04:38:03.457 192.168.1.6 [VT] 49189 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 04:38:03.458 192.168.1.6 [VT] 49188 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 04:38:03.458 192.168.1.6 [VT] 49190 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-10-18 04:38:00.953 192.168.1.6 [VT] 49186 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 04:38:03.455 192.168.1.6 [VT] 49187 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 04:38:03.457 192.168.1.6 [VT] 49189 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 04:38:03.458 192.168.1.6 [VT] 49188 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 04:38:03.458 192.168.1.6 [VT] 49190 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 04:38:03.458 192.168.1.6 [VT] 49191 52.142.114.176 [VT] 443 CN=g.msn.com ff:27:b1:2a:2d:fd:c6:ad:80:fe:57:c9:11:a1:d4:31:13:86:1d:5f TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-10-18 04:37:57.847 192.168.1.6 [VT] 49194 8.241.93.254 [VT] 80 None ctldl.windowsupdate.com [VT] /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c05362e6e894290d None Microsoft-CryptoAPI/6.1 None 0
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.6 49186 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49187 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49188 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49189 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49190 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49191 52.142.114.176 443 d124ae14809abde3528a479fe01a12bd unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name rundll32.exe
PID 4184
Dump Size 99328 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\iNYDKhvj.exe.dll
Type PE image: 32-bit DLL
PE timestamp 2020-08-20 12:25:13
MD5 f6cccca7ac1f4f104f6291e259e148f7
SHA1 74d1c08890a686e5ddcced8e67502cbc4232b442
SHA256 ca5501c0bc3f7501e9ef3b744a0ce09de7951bdab953bf2775111d78bc2b47ee
CRC32 1979DEEC
Ssdeep 1536:n4Hz8rATSaI2jTEsUirU4zXOjp92jlICS4A67APaIeLubrWCxd4ZL/a9qt3VpShl:2TTrhJhXO1NZSIeLmbm5ywtj8
ClamAV
  • Win.Ransomware.Sodinokibi-7013612-0
CAPE Yara
  • REvil Payload - Author: R3MRUM
Dump Filename ca5501c0bc3f7501e9ef3b744a0ce09de7951bdab953bf2775111d78bc2b47ee

BinGraph (graph image not reproduced)
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1045 - Software Packing
    • Signature - packer_unknown_pe_section_name

    Processing ( 9.896 seconds )

    • 5.258 Suricata
    • 1.61 CAPE
    • 0.867 TargetInfo
    • 0.742 ProcDump
    • 0.528 Static
    • 0.277 NetworkAnalysis
    • 0.267 VirusTotal
    • 0.118 Deduplicate
    • 0.111 BehaviorAnalysis
    • 0.105 AnalysisInfo
    • 0.005 Debug
    • 0.005 peid
    • 0.003 Strings

    Signatures ( 0.21000000000000008 seconds )

    • 0.04 antiav_detectreg
    • 0.016 infostealer_ftp
    • 0.015 territorial_disputes_sigs
    • 0.011 ransomware_files
    • 0.009 antiav_detectfile
    • 0.009 infostealer_im
    • 0.008 antianalysis_detectreg
    • 0.008 ransomware_extensions
    • 0.005 antidbg_windows
    • 0.005 antianalysis_detectfile
    • 0.005 infostealer_bitcoin
    • 0.005 infostealer_mail
    • 0.004 persistence_autorun
    • 0.004 antivm_vbox_keys
    • 0.004 masquerade_process_name
    • 0.003 decoy_document
    • 0.003 modifies_attachment_manager
    • 0.003 antivm_vbox_files
    • 0.003 antivm_vmware_keys
    • 0.003 geodo_banking_trojan
    • 0.002 antivm_vbox_libs
    • 0.002 api_spamming
    • 0.002 guloader_apis
    • 0.002 exec_crash
    • 0.002 kibex_behavior
    • 0.002 NewtWire Behavior
    • 0.002 stealth_timeout
    • 0.002 antivm_parallels_keys
    • 0.002 antivm_xen_keys
    • 0.002 browser_security
    • 0.002 disables_backups
    • 0.001 antiav_360_libs
    • 0.001 antivm_generic_disk
    • 0.001 betabot_behavior
    • 0.001 infostealer_browser
    • 0.001 mimics_filetime
    • 0.001 network_tor
    • 0.001 reads_self
    • 0.001 accesses_recyclebin
    • 0.001 shifu_behavior
    • 0.001 tinba_behavior
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_vmware_files
    • 0.001 antivm_vpc_keys
    • 0.001 ketrican_regkeys
    • 0.001 bot_drive
    • 0.001 modify_proxy
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 qulab_files
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 recon_fingerprint
    • 0.001 lokibot_mutexes
    • 0.001 ursnif_behavior

    Reporting ( 2.768 seconds )

    • 2.485 BinGraph
    • 0.27 MITRE_TTPS
    • 0.013 PCAP2CERT