Analysis

Category: FILE
Package: dll
Started: 2020-10-18 06:26:59
Completed: 2020-10-18 06:27:58
Duration: 59 seconds
Options: route = tor
2020-05-13 09:25:35,383 [root] INFO: Date set to: 20201018T06:26:58, timeout set to: 200
2020-10-18 06:26:58,046 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-10-18 06:26:58,046 [root] DEBUG: Storing results at: C:\HsFkoVCyJw
2020-10-18 06:26:58,046 [root] DEBUG: Pipe server name: \\.\PIPE\PxjVCcbc
2020-10-18 06:26:58,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-10-18 06:26:58,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-10-18 06:26:58,062 [root] INFO: Automatically selected analysis package "dll"
2020-10-18 06:26:58,062 [root] DEBUG: Importing analysis package "dll"...
2020-10-18 06:26:58,218 [root] DEBUG: Initializing analysis package "dll"...
2020-10-18 06:26:58,375 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2020-10-18 06:26:58,375 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2020-10-18 06:26:58,453 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2020-10-18 06:26:58,484 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2020-10-18 06:26:58,531 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2020-10-18 06:26:58,531 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2020-10-18 06:26:58,546 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2020-10-18 06:26:58,546 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-10-18 06:26:58,546 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-10-18 06:26:58,546 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-10-18 06:26:58,546 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-10-18 06:26:58,546 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-10-18 06:26:58,546 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-10-18 06:26:58,562 [lib.api.screenshot] DEBUG: Importing 'math'
2020-10-18 06:26:58,562 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-10-18 06:26:58,843 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-10-18 06:26:58,843 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-10-18 06:26:58,859 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-10-18 06:26:58,859 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2020-10-18 06:26:58,859 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2020-10-18 06:26:58,875 [root] DEBUG: Initializing auxiliary module "Browser"...
2020-10-18 06:26:58,875 [root] DEBUG: Started auxiliary module Browser
2020-10-18 06:26:58,875 [root] DEBUG: Initializing auxiliary module "Curtain"...
2020-10-18 06:26:58,875 [root] DEBUG: Started auxiliary module Curtain
2020-10-18 06:26:58,875 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2020-10-18 06:26:58,875 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-10-18 06:26:59,296 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-10-18 06:26:59,312 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-10-18 06:26:59,312 [root] DEBUG: Started auxiliary module DigiSig
2020-10-18 06:26:59,312 [root] DEBUG: Initializing auxiliary module "Disguise"...
2020-10-18 06:26:59,328 [modules.auxiliary.disguise] INFO: Disguising GUID to a47aca12-1e56-41bc-8866-5aa5cbe34e15
2020-10-18 06:26:59,328 [root] DEBUG: Started auxiliary module Disguise
2020-10-18 06:26:59,328 [root] DEBUG: Initializing auxiliary module "Human"...
2020-10-18 06:26:59,328 [root] DEBUG: Started auxiliary module Human
2020-10-18 06:26:59,328 [root] DEBUG: Initializing auxiliary module "Procmon"...
2020-10-18 06:26:59,343 [root] DEBUG: Started auxiliary module Procmon
2020-10-18 06:26:59,343 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2020-10-18 06:26:59,343 [root] DEBUG: Started auxiliary module Screenshots
2020-10-18 06:26:59,343 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2020-10-18 06:26:59,343 [root] DEBUG: Started auxiliary module Sysmon
2020-10-18 06:26:59,343 [root] DEBUG: Initializing auxiliary module "Usage"...
2020-10-18 06:26:59,343 [root] DEBUG: Started auxiliary module Usage
2020-10-18 06:26:59,343 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2020-10-18 06:26:59,343 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2020-10-18 06:26:59,343 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2020-10-18 06:26:59,343 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2020-10-18 06:26:59,390 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\Users\Louise\AppData\Local\Temp\f24699bcf599e3351032.dll",#1" with pid 424
2020-10-18 06:26:59,390 [lib.api.process] INFO: Monitor config for process 424: C:\tmp2ssujfce\dll\424.ini
2020-10-18 06:26:59,390 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\VMaqPzWE.dll, loader C:\tmp2ssujfce\bin\rgfUrgk.exe
2020-10-18 06:26:59,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PxjVCcbc.
2020-10-18 06:26:59,437 [root] DEBUG: Loader: Injecting process 424 (thread 4120) with C:\tmp2ssujfce\dll\VMaqPzWE.dll.
2020-10-18 06:26:59,437 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\VMaqPzWE.dll.
2020-10-18 06:26:59,437 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:26:59,453 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\VMaqPzWE.dll.
2020-10-18 06:27:01,453 [lib.api.process] INFO: Successfully resumed process with pid 424
2020-10-18 06:27:01,687 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:27:01,687 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:27:01,703 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:27:01,703 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 424 at 0x6fa40000, image base 0x990000, stack from 0x254000-0x260000
2020-10-18 06:27:01,796 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\system32\rundll32.exe" "C:\Users\Louise\AppData\Local\Temp\f24699bcf599e3351032.dll",#1
2020-10-18 06:27:01,859 [root] INFO: Loaded monitor into process with pid 424
2020-10-18 06:27:02,125 [root] INFO: Disabling sleep skipping.
2020-10-18 06:27:02,125 [root] INFO: Disabling sleep skipping.
2020-10-18 06:27:02,125 [root] INFO: Disabling sleep skipping.
2020-10-18 06:27:02,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 and local view 0x038D0000 to global list.
2020-10-18 06:27:02,654 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-10-18 06:27:03,670 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x12c and local view 0x04220000 to global list.
2020-10-18 06:27:03,670 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 424
2020-10-18 06:27:03,670 [root] DEBUG: GetHookCallerBase: thread 4120 (handle 0x0), return address 0x00991368, allocation base 0x00990000.
2020-10-18 06:27:03,670 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00990000.
2020-10-18 06:27:03,702 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:27:03,702 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00990000.
2020-10-18 06:27:03,702 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001798.
2020-10-18 06:27:03,780 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2020-10-18 06:27:03,780 [root] DEBUG: DLL unloaded from 0x76680000.
2020-10-18 06:27:03,811 [root] INFO: Process with pid 424 has terminated
2020-10-18 06:27:09,545 [root] INFO: Process list is empty, terminating analysis.
2020-10-18 06:27:10,545 [root] INFO: Created shutdown mutex.
2020-10-18 06:27:11,545 [root] INFO: Shutting down package.
2020-10-18 06:27:11,545 [root] INFO: Stopping auxiliary modules.
2020-10-18 06:27:11,874 [lib.common.results] WARNING: File C:\HsFkoVCyJw\bin\procmon.xml doesn't exist anymore
2020-10-18 06:27:11,874 [root] INFO: Finishing auxiliary modules.
2020-10-18 06:27:11,874 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-10-18 06:27:11,874 [root] WARNING: Folder at path "C:\HsFkoVCyJw\debugger" does not exist, skip.
2020-10-18 06:27:11,889 [root] INFO: Analysis completed.

Machine

Name: win7x64_1
Label: win7x64_5
Manager: KVM
Started On: 2020-10-18 06:26:59
Shutdown On: 2020-10-18 06:27:58

File Details

File Name f24699bcf599e3351032.dll
File Size 41709 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
PE timestamp 2020-10-06 03:52:45
MD5 f24699bcf599e3351032eeceef7f9b62
SHA1 9dd630d087a7cc367d46914888ae444feaa6d819
SHA256 f3a8a9aa53b8694b31e7584950d80eb276a1ed6cfab24cb392eed78d546ea9f9
SHA512 31b4a38636f4f724480648092b9b7cef0af88cffce9a9e6efc1e5dfaf779a31f1e1a21a95e078b388f00949e3e18f37d222accfb103cea7315ae7b551f519b35
CRC32 A01CAC34
Ssdeep 768:L7nS4oGVxWGjj5UHwL5bQW7/CsWnAnYZ8Ttnl7l6yce7:LrS3ixBjj5UQaW75WAY6TtnfLX

Signatures

Dynamic (imported) function loading detected
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Network activity detected but not expressed in API logs
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

DNS

No domains contacted.


Summary

Files

C:\Users\Louise\AppData\Local\Temp\f24699bcf599e3351032.dll
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls

Read Files

C:\Users\Louise\AppData\Local\Temp\f24699bcf599e3351032.dll
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Resolved APIs

gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.#500

Mutexes

CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1

BinGraph (graph image not reproduced)

Nothing to display.
!This program cannot be run in DOS mode.
.text
`.rdata
@.data2
.data
.rsrc
@.reloc
wOfCile}
SirthalPOote^t
L$bra/yEx<
qeH\n
}Eet1cmp-_th<
)qtr!cnA}
keA}Eet
"Th}s pvggr
5i c5jno8 be
runtmn
GS Agde2
_2sda
rel3c
H$8cx$0
J?jQQ
dnL$(
m\$xN
jUiD$|T
i\$8mt$
jM$H|
c.D$D50jT
1D$4Z
L$pM|$hMt$Lf
i QS$
i0!H$
g+OJ5h
Z)SU%
$kZk&
$kjk&
dkjgf
$kJg&
j*1}$4
O11$T
}L$Li
kVWg{
t$pk&,
L$,i"
P#hlS`
Xw\^Vw
s+2OS
#d|zg
{dX#h
H# !P#
lx0jD>
lH:i?~S
H(8QQ
t#Ow$h
=#|$L
s$HoL$t
]8#Lm;#PN
F;p[{
sL$4~z
OPQ0#
|2lOP
dTQSk
2fMQP
+y$(e
i(|7#
E#D$Y
op#<Q
wsL$8
dvt$ t
No antivirus signatures available.
Sorry! No behavior.

TCP

Source Source Port Destination Destination Port
192.168.1.6 49190 13.107.42.23 443
192.168.1.6 49192 13.107.42.23 443
192.168.1.6 49189 52.142.114.176 443

UDP

Source Source Port Destination Destination Port
192.168.1.6 56304 1.1.1.1 53
192.168.1.6 58697 1.1.1.1 53
192.168.1.6 63713 1.1.1.1 53
192.168.1.6 137 192.168.1.255 137
192.168.1.6 56304 8.8.8.8 53
192.168.1.6 58697 8.8.8.8 53
192.168.1.6 63713 8.8.8.8 53
192.168.1.6 64201 8.8.8.8 53

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.1.6 1.1.1.1 3
192.168.1.6 1.1.1.1 3
192.168.1.6 8.8.8.8 3
192.168.1.6 8.8.8.8 3
192.168.1.6 8.8.8.8 3
192.168.1.6 8.8.8.8 3
192.168.1.6 8.8.8.8 3
192.168.1.6 8.8.8.8 3

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-10-18 06:27:45.279 192.168.1.6 49193 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:27:45.279 192.168.1.6 49192 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:27:45.279 192.168.1.6 49190 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:27:45.279 192.168.1.6 49191 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:27:54.848 192.168.1.6 49186 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-10-18 06:27:54.954 192.168.1.6 49186 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.6 49186 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49190 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49191 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49192 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49193 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49189 52.142.114.176 443 d124ae14809abde3528a479fe01a12bd unknown
Sorry! No dropped files.
Process Name rundll32.exe
PID 424
Dump Size 45056 bytes
Module Path C:\Windows\SysWOW64\rundll32.exe
Type PE image: 32-bit executable
PE timestamp 2017-03-30 14:58:17
MD5 36a379064e5f26b3cca8c8796febba17
SHA1 1972f63982b44424cd87c5feb5bc427bda716302
SHA256 6f800716f0eeeb2cd7ecfbad4715949885ea10da7cc2c36057a5b1ea9a44189b
CRC32 91CE7D56
Ssdeep 768:BDDl80mGaaJ4MhXWy+R4bSEln5IyYpamDjobj8S:B/ikZJ4wp+R4ln5IUmDjoX
Dump Filename 6f800716f0eeeb2cd7ecfbad4715949885ea10da7cc2c36057a5b1ea9a44189b

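Two details in this report are worth checking mechanically before treating it as evidence of malicious behaviour. First, the analysis log shows CAPE dumping the image at 0x00990000 when rundll32 called NtTerminateProcess, and 0x990000 is the image base the monitor reported for the host process at initialisation; the 45056-byte (0xb000) dump recorded above is therefore rundll32.exe's own image, not unpacked code from the sample. Second, every Suricata alert is timestamped after pid 424 terminated at 06:27:03, which matches the "Network activity detected but not expressed in API logs" signature. The script below is an added example, not part of CAPE or of this report; it parses log lines and alert rows copied from the page, and its regexes, function names and the host-image heuristic are its own assumptions.

```python
"""Triage helpers for a CAPE report, added here as an example; this is not
CAPE's own code.  The analyzer log lines and Suricata alert rows below are
copied from the report above; the regexes, function names and the
'host image' heuristic are this example's own assumptions."""
import re
from datetime import datetime

# Lines copied from the report's analysis log (process start, monitor init,
# process dump and process exit events).
ANALYZER_LOG = r"""
2020-10-18 06:26:59,390 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\Users\Louise\AppData\Local\Temp\f24699bcf599e3351032.dll",#1" with pid 424
2020-10-18 06:27:01,703 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 424 at 0x6fa40000, image base 0x990000, stack from 0x254000-0x260000
2020-10-18 06:27:03,670 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00990000.
2020-10-18 06:27:03,780 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2020-10-18 06:27:03,811 [root] INFO: Process with pid 424 has terminated
"""

# Rows copied from the report's Suricata alert table:
# (timestamp, src, sport, dst, dport, sid, signature)
ALERTS = [
    ("2020-10-18 06:27:45.279", "192.168.1.6", 49193, "13.107.42.23", 443, 2028395, "ET JA3 Hash - Possible Malware - Various Eitest"),
    ("2020-10-18 06:27:45.279", "192.168.1.6", 49192, "13.107.42.23", 443, 2028395, "ET JA3 Hash - Possible Malware - Various Eitest"),
    ("2020-10-18 06:27:45.279", "192.168.1.6", 49190, "13.107.42.23", 443, 2028395, "ET JA3 Hash - Possible Malware - Various Eitest"),
    ("2020-10-18 06:27:45.279", "192.168.1.6", 49191, "13.107.42.23", 443, 2028395, "ET JA3 Hash - Possible Malware - Various Eitest"),
    ("2020-10-18 06:27:54.848", "192.168.1.6", 49186, "13.107.42.23", 443, 2028395, "ET JA3 Hash - Possible Malware - Various Eitest"),
]

LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[[^\]]+\] \w+: (.*)$")
HEX = r"0x([0-9a-fA-F]+)"


def parse_log(text):
    """Return [(datetime, message)] for every well-formed analyzer log line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m.group(2)))
    return events


def process_lifetime(events, pid):
    """(start, end) of the monitored pid: creation by the analyzer to exit."""
    start = end = None
    for ts, msg in events:
        if re.match(rf'Successfully executed process from path ".*" with pid {pid}$', msg):
            start = ts
        elif msg == f"Process with pid {pid} has terminated":
            end = ts
    return start, end


def dump_is_host_image(events, pid):
    """Compare the base CAPE dumped at NtTerminateProcess with the image base
    it reported when the monitor loaded.  Equal bases mean the 'payload' is
    the host executable's own image (here rundll32.exe), not unpacked code
    belonging to the sample.  Returns (is_host_image, dump_size_bytes)."""
    image_base = dumped_base = dump_size = None
    for _, msg in events:
        m = re.search(rf"monitor loaded in process {pid} at {HEX}, image base {HEX}", msg)
        if m:
            image_base = int(m.group(2), 16)
        m = re.search(rf"DoProcessDump: Dumping Imagebase at {HEX}", msg)
        if m:
            dumped_base = int(m.group(1), 16)
        m = re.search(rf"Module image dump success - dump size {HEX}", msg)
        if m:
            dump_size = int(m.group(1), 16)
    return (image_base is not None and image_base == dumped_base), dump_size


def alerts_outside_lifetime(alerts, start, end):
    """Alerts timestamped outside [start, end] cannot have been produced by
    the monitored process.  A missing start or end means nothing can be
    attributed, so every alert is returned."""
    outside = []
    for row in alerts:
        ts = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S.%f")
        if start is None or end is None or not (start <= ts <= end):
            outside.append(row)
    return outside


def summarize(alerts):
    """Group alerts by (dst, dport, sid, signature) so repeated flows collapse."""
    counts = {}
    for _, _, _, dst, dport, sid, sig in alerts:
        key = (dst, dport, sid, sig)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_log(ANALYZER_LOG)
    start, end = process_lifetime(events, 424)
    print(f"pid 424 lived {start.time()} -> {end.time()} ({(end - start).total_seconds():.3f}s)")
    host, size = dump_is_host_image(events, 424)
    print(f"dump is host image: {host}, size {size} bytes")
    late = alerts_outside_lifetime(ALERTS, start, end)
    print(f"{len(late)} of {len(ALERTS)} alerts fired outside the process lifetime")
    for (dst, dport, sid, sig), n in summarize(late).items():
        print(f"  {n}x SID {sid} -> {dst}:{dport}  {sig}")
```

Run against the copied data, the script reports a 4.4 s process lifetime, a dump whose base equals the host image base (size 45056 bytes, matching the dump record above), and all five alerts falling after process exit. The same functions apply to a full analysis.log and a Suricata eve.json once the rows are loaded into the same tuple shape.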
BinGraph (graph image not reproduced)

Processing ( 9.568 seconds )

  • 5.224 Suricata
  • 2.672 VirusTotal
  • 1.082 CAPE
  • 0.305 NetworkAnalysis
  • 0.113 Deduplicate
  • 0.085 AnalysisInfo
  • 0.058 BehaviorAnalysis
  • 0.01 ProcDump
  • 0.008 TargetInfo
  • 0.005 Debug
  • 0.005 peid
  • 0.001 Strings

Signatures ( 0.152 seconds )

  • 0.032 antiav_detectreg
  • 0.013 infostealer_ftp
  • 0.012 territorial_disputes_sigs
  • 0.011 ransomware_files
  • 0.008 ransomware_extensions
  • 0.007 infostealer_im
  • 0.006 antianalysis_detectreg
  • 0.006 antiav_detectfile
  • 0.005 antidbg_windows
  • 0.004 antianalysis_detectfile
  • 0.004 antivm_vmware_keys
  • 0.004 infostealer_bitcoin
  • 0.004 infostealer_mail
  • 0.003 persistence_autorun
  • 0.003 antivm_vbox_keys
  • 0.003 geodo_banking_trojan
  • 0.002 guloader_apis
  • 0.002 antivm_vbox_files
  • 0.002 masquerade_process_name
  • 0.001 api_spamming
  • 0.001 betabot_behavior
  • 0.001 decoy_document
  • 0.001 infostealer_browser
  • 0.001 kibex_behavior
  • 0.001 NewtWire Behavior
  • 0.001 stealth_timeout
  • 0.001 tinba_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 azorult_mutexes
  • 0.001 revil_mutexes
  • 0.001 recon_fingerprint
  • 0.001 lokibot_mutexes
  • 0.001 ursnif_behavior

Reporting ( 2.399 seconds )

  • 2.393 BinGraph
  • 0.006 PCAP2CERT