Analysis

Category FILE
Package dll
Started 2020-10-18 06:29:01
Completed 2020-10-18 06:30:05
Duration 64 seconds
Options route = tor
2020-05-13 09:25:35,977 [root] INFO: Date set to: 20201018T06:29:01, timeout set to: 200
2020-10-18 06:29:01,062 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-10-18 06:29:01,062 [root] DEBUG: Storing results at: C:\TizZjlQnd
2020-10-18 06:29:01,062 [root] DEBUG: Pipe server name: \\.\PIPE\PeqXxfd
2020-10-18 06:29:01,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-10-18 06:29:01,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-10-18 06:29:01,062 [root] INFO: Automatically selected analysis package "dll"
2020-10-18 06:29:01,062 [root] DEBUG: Importing analysis package "dll"...
2020-10-18 06:29:01,125 [root] DEBUG: Initializing analysis package "dll"...
2020-10-18 06:29:01,171 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2020-10-18 06:29:01,171 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2020-10-18 06:29:01,203 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2020-10-18 06:29:01,218 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2020-10-18 06:29:01,265 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2020-10-18 06:29:01,265 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2020-10-18 06:29:01,281 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2020-10-18 06:29:01,281 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-10-18 06:29:01,281 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-10-18 06:29:01,281 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-10-18 06:29:01,281 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-10-18 06:29:01,281 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-10-18 06:29:01,281 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-10-18 06:29:01,296 [lib.api.screenshot] DEBUG: Importing 'math'
2020-10-18 06:29:01,296 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-10-18 06:29:01,468 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-10-18 06:29:01,484 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-10-18 06:29:01,484 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-10-18 06:29:01,484 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2020-10-18 06:29:01,484 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2020-10-18 06:29:01,500 [root] DEBUG: Initializing auxiliary module "Browser"...
2020-10-18 06:29:01,500 [root] DEBUG: Started auxiliary module Browser
2020-10-18 06:29:01,500 [root] DEBUG: Initializing auxiliary module "Curtain"...
2020-10-18 06:29:01,500 [root] DEBUG: Started auxiliary module Curtain
2020-10-18 06:29:01,500 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2020-10-18 06:29:01,500 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-10-18 06:29:02,312 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-10-18 06:29:02,312 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-10-18 06:29:02,328 [root] DEBUG: Started auxiliary module DigiSig
2020-10-18 06:29:02,328 [root] DEBUG: Initializing auxiliary module "Disguise"...
2020-10-18 06:29:02,359 [modules.auxiliary.disguise] INFO: Disguising GUID to 546ad6b2-9506-44df-9b9f-490c791d92d2
2020-10-18 06:29:02,359 [root] DEBUG: Started auxiliary module Disguise
2020-10-18 06:29:02,359 [root] DEBUG: Initializing auxiliary module "Human"...
2020-10-18 06:29:02,359 [root] DEBUG: Started auxiliary module Human
2020-10-18 06:29:02,359 [root] DEBUG: Initializing auxiliary module "Procmon"...
2020-10-18 06:29:02,359 [root] DEBUG: Started auxiliary module Procmon
2020-10-18 06:29:02,359 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2020-10-18 06:29:02,359 [root] DEBUG: Started auxiliary module Screenshots
2020-10-18 06:29:02,375 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2020-10-18 06:29:02,375 [root] DEBUG: Started auxiliary module Sysmon
2020-10-18 06:29:02,375 [root] DEBUG: Initializing auxiliary module "Usage"...
2020-10-18 06:29:02,375 [root] DEBUG: Started auxiliary module Usage
2020-10-18 06:29:02,375 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2020-10-18 06:29:02,375 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2020-10-18 06:29:02,375 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2020-10-18 06:29:02,375 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2020-10-18 06:29:02,500 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\Users\Louise\AppData\Local\Temp\33ddd8c3de4e04952fc8.dll",#1" with pid 424
2020-10-18 06:29:02,500 [lib.api.process] INFO: Monitor config for process 424: C:\tmp2ssujfce\dll\424.ini
2020-10-18 06:29:02,500 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\jtFoSG.dll, loader C:\tmp2ssujfce\bin\iIiHVxF.exe
2020-10-18 06:29:02,546 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PeqXxfd.
2020-10-18 06:29:02,546 [root] DEBUG: Loader: Injecting process 424 (thread 4120) with C:\tmp2ssujfce\dll\jtFoSG.dll.
2020-10-18 06:29:02,546 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\jtFoSG.dll.
2020-10-18 06:29:02,546 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:29:02,562 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\jtFoSG.dll.
2020-10-18 06:29:04,562 [lib.api.process] INFO: Successfully resumed process with pid 424
2020-10-18 06:29:04,765 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:29:04,843 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:29:04,843 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:29:04,859 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 424 at 0x6fa40000, image base 0x230000, stack from 0x304000-0x310000
2020-10-18 06:29:04,859 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\system32\rundll32.exe" "C:\Users\Louise\AppData\Local\Temp\33ddd8c3de4e04952fc8.dll",#1
2020-10-18 06:29:04,906 [root] INFO: Loaded monitor into process with pid 424
2020-10-18 06:29:04,906 [root] INFO: Disabling sleep skipping.
2020-10-18 06:29:04,921 [root] INFO: Disabling sleep skipping.
2020-10-18 06:29:04,921 [root] INFO: Disabling sleep skipping.
2020-10-18 06:29:04,921 [root] INFO: Disabling sleep skipping.
2020-10-18 06:29:04,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x114 and local view 0x00240000 to global list.
2020-10-18 06:29:04,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x118 and local view 0x00240000 to global list.
2020-10-18 06:29:04,953 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc and local view 0x00AE0000 to global list.
2020-10-18 06:29:04,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x120 and local view 0x03B20000 to global list.
2020-10-18 06:29:05,571 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-10-18 06:29:06,607 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x130 and local view 0x04470000 to global list.
2020-10-18 06:29:06,607 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 424
2020-10-18 06:29:06,607 [root] DEBUG: GetHookCallerBase: thread 4120 (handle 0x0), return address 0x00231368, allocation base 0x00230000.
2020-10-18 06:29:06,623 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00230000.
2020-10-18 06:29:06,623 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:29:06,623 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00230000.
2020-10-18 06:29:06,623 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001798.
2020-10-18 06:29:06,685 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2020-10-18 06:29:06,685 [root] DEBUG: DLL unloaded from 0x76680000.
2020-10-18 06:29:06,732 [root] INFO: Process with pid 424 has terminated
2020-10-18 06:29:12,638 [root] INFO: Process list is empty, terminating analysis.
2020-10-18 06:29:13,638 [root] INFO: Created shutdown mutex.
2020-10-18 06:29:14,638 [root] INFO: Shutting down package.
2020-10-18 06:29:14,638 [root] INFO: Stopping auxiliary modules.
2020-10-18 06:29:14,998 [lib.common.results] WARNING: File C:\TizZjlQnd\bin\procmon.xml doesn't exist anymore
2020-10-18 06:29:15,013 [root] INFO: Finishing auxiliary modules.
2020-10-18 06:29:15,013 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-10-18 06:29:15,013 [root] WARNING: Folder at path "C:\TizZjlQnd\debugger" does not exist, skip.
2020-10-18 06:29:15,013 [root] INFO: Analysis completed.

Machine

Name win7x64_1
Label win7x64_5
Manager KVM
Started On 2020-10-18 06:29:01
Shutdown On 2020-10-18 06:30:05

File Details

File Name 33ddd8c3de4e04952fc8.dll
File Size 376609 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
PE timestamp 2020-10-17 19:31:52
MD5 33ddd8c3de4e04952fc85088503b59bd
SHA1 11d15a7a774ae573beb19bf8c679e727c091d919
SHA256 4c140b009e1f5360dfa41c20dee364c1cd3a8576081582a7514d63405506e92d
SHA512 626c12d822a49f611c8d41aafeafa99dbf31d13bd6d96b5676d8c64ac4b77636d6736017a3b631b8ff5c9130569e16a29b13962809c8287dd3938cbf4cf83369
CRC32 349A1566
Ssdeep 3072:Ow9Y2zTzsk7nw0WPV4CZZSj91H50Adp8j7Z2ZxSF/P5lGrdyPPz844r9dzdY5Zyc:Oj2z3niEj9ZqZ+S9MIP499bYutYShsmc

Signatures

Dynamic (imported) function loading detected
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
Network activity detected but not expressed in API logs
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 51.105.208.173 United Kingdom

DNS

No domains contacted.


Summary

C:\Users\Louise\AppData\Local\Temp\33ddd8c3de4e04952fc8.dll
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\Louise\AppData\Local\Temp\33ddd8c3de4e04952fc8.dll
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.#500
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1

!This program cannot be run in DOS mode.
.text
`.rdata4
@.rdata3
@.rdata2
@.rdata
@.data
.rsrc
@.reloc
#:@=I
v3 _?
_i84s
tO|k'
.++v#
2rNQ/
HS-da
a3]n:
q ,o_
U\E<2
.~T4`
jifub
O>:]`
W -;",
9g=HrDLhk
7!3<X
h~jJ0
,Mx?H
N5z/3
Z3\0{6
s*`_oE
USD#$
Jr%<S&
g[)o~
R(Vp$,
:eAA{S
Q'(LX
1N/RBW
l1GCI6
oU%].
"usFW
@!P<>
]NRrzU]
K)1c_c]
%8;hp
XAjmYj
|6XqV
OjDf_
#Y5VD8
`*+9R
mt=ys)
^`?"e
>iCOO
+lv%%
(h0ks
]Uum.
1e"M[q
d,J{wI8
co.w~yH
)`Fg;
8BUsE
&FO%A
kPD*&
elpLq
p{st&
tLPL*K,q
^DOf-
XtI>67(i
DJ7f#
CJA'D
uj{inf
{v1*8
a9mM&^
9Z&e5
}na'$
i_li3
V*i,Q
o%g$V
:\yEf
!Rr*(n
>0(I|
gACA*
r^!.4
=[Rhj
S#IFt-&
`#wMD%
_c`zl
"&#|3
eQ9*E\
"B{tPW
EKiqc
D'jNN6
#MA<3K
FX[XC
\_#`>O
:JuSH
s79w]{
{/]&<X
.ujc`^qE
3We<g
U[J/Zw
mut^`
'R<qe}G
jm>na
1(*a;
>_[~D
J_sp>/
x}&.}
)rl/?
-=1\uSky
FC/4{
5YqP)m
Qju|_
2_o(0
fK{?*3f
QrcFg
CLo?V
.:pqq
rI#apY
|V4CP
a]t="`
vaYzo7
--cU0:
--*kn
)\nh[
FZW_:
;D~}l
%i5ycp
<Wb`{
$%AC.
ofM$,
gz=k1
HLG."
2d^0+
Vf`$2
%<P?_
3'FbS
Cf8~&
TGD|:
QM!wpGn
,z/(#
se| j
@htPubcAcireT~
tufaAl3bc
Vi5yua3Kre"
`eHfcdlbL
NrefyeFnaeA
4htF.aeP(dnt*
dteAdle
xrcfyA
Ge[BodRaeF^aeNfbeA
HetJ`du#jFi
jNa2jW
bn bBS
@HMat
SV6vT
EJ?h\
Us`Wh
tkh~U;
WPF;_
OQFAn
.ndP\
9&W'V
fh$Pl
gzh_|
f.8P,
y$duF
-9;=P
VP+#}
!xp5
WcSP6
S[]]y
1p =4
ylPSyT
xc"uyE
#aPQF
8x;5B
C]~9F
h+`:l
tnY^oP,|
u~;VV
"zOWF
YUWi>4Pl
PI$`P,
V%&`P
]#!xA
OSFJ<
1.K^]-
=(8~=$9
@\^UWVL
EByVP
UF{OQ
=7P,@
XsZ]-
l0P\=
Xr"9N_
VW!>V
^>OPy
xBb==
i6_Pl
XTZ]-
ufh|P\
"^YO]
VVQf.
"}~`D
^]+i~
*9u.]2
@4!V9
x9F5+
PVFHo
r"Gqs
nc~uI
Tj\6
uvbs y
<VWVM
YtUj.
a|dyl
1T9]^
1VA_[
avP\}
K7MV&'
Ply\_
V9frP
uVT0u$
9q%#9p%
En9SVY^vQ,|
4_[{G
*S][+
^:UVV
NF2Pl
/Pj9~
?!PWv
bMNWvXr
*SZuM
OVVP1
EZau`O
XxsY]
USFtp
`~8,>
2|TWvd+
4\_%>
.>TWyd
'h(v^)
PY]]}
un`Nj
A$&%a$
)GA5N
#Lq!KG
jnc$jn
sbCLKZ|
j^<Pj.
E#@h4
PS6 6
h0_Z2
8+,"3
C+,bj
Mqo7u
WrVPF
'M$0+M$
j^@SP
OQvR~
PV9^qk\yTh
#rcD*!
byMj.
MJZNW%
*T\]my
")u44
9 j3h
_Zc1i
PVF7}
{O%Tf
.]Uhc
74R9\
;MVF9x
w7qHm
#!54L5
9u,9 v(hT
ok[1y
FP\[[
MZXSW
E>Ye=
E4Ye,&
PVFx`
7TMSF
t$WIh
W*MV99
MZaOj
^}^j9Y
FbfXN
o<0jn
q|dR!OX
0nS[]m
ypNj^
tT)7Z
].KKu
W[xFp8e
cdq 0
'YZ_UR
R[]-|
MWVrV
iwgj&^
jggV&^
50v#aj`xt
&kbsR
ySSFX
X3W]-
(XRW]
?MP6
u:@Sj.
dSVF
]2j"9
f!\D
29H9P
SGF4n
Q\;pM
2A7EjY&
OQVPG
"E}*Y
OWV#`
eO19y
XSW]-z
QePPVtF
q9KS6
s#Kh4
zKPVp]
vN,ic
o0s}j.
ICC4V
Ein!XIb
=}gXOX
x%NXw
o-2)S.
$I,[=
Aubk+fu
a+tSg!;o
?erAys
,jt+.fu
-tDj+It
.te!6fd
uaj;_n
c%tCl*at
*tO|3ec
)To#)
*2H)ll
1RYK1
2*^.2
4"eB4<e
Yr6"[
7TW/8
;;VB;
R&<)]d<
=$\x=n]
P:>xPc>
A48ea4>e
Zw5iZ
Wn8yU
PM9VV
]A<aQ
<5Rk=
=BO2>/O>>+O
\D1,X
:xON;
Ua=sV
[Y0&Y
0`XF1
Y`2tY
OT5u]
6ZZ;7
Pl:jP
:[OW;
<&U;<
0/Y`13Z
Wq2^W
Xe3iX
5YN%5
Q,8=QR8
8bQ!9
9yG":
Je;~I
<+T==
>MSU?
]n2X]
3_Km4zK
Fs8XF
Rd<zRv<
=VP&>
>xS|?
]60&aO0Za
^x1y^
[e2~[
J25xJ_5
6|G$7
F#:&CQ:
18AL1
A82O?
?94_?\4l?x4
3;7'4X7
8>3w8
8R3&<
5j4s5
6t4C7
9?29:
;685;$8M;
4r<c4
3~=)3
*@!0>@=0
0?9G1":
3U;Y4X;{4
5C4;5#6m5
7d:B:
7{:S4
2p<Q2
>S0$>
1&<52
<l3h<
3<<!4
<c2 =
=9/p>
9t0L<
0d;~1
3N=C3
3f8.4&=Q4
2Q982
:l1O:
;<7)<
2G> 3^>R4
:f0S:
9;1r9
1k8C2
;Y6/;)8
<\33>^
!\4f;
;V5};
:b'h;
>v#*?X$
=Z$A=
;S7k;B8
:5:8'
;!$g;
2u7K5O7
7,$r;^
<0.!D06!L0
1N $16 ,1. 416 <1. D16 L
!|1.!
2N $26 ,2. 426 <2.
No antivirus signatures available.
Sorry! No behavior.

TCP

Source Source Port Destination Destination Port
13.107.42.23 443 192.168.1.6 49192
192.168.1.6 49187 13.107.42.23 443
192.168.1.6 49189 13.107.42.23 443
192.168.1.6 49185 52.142.114.176 443
52.142.114.176 443 192.168.1.6 49189

UDP

Source Source Port Destination Destination Port
192.168.1.6 137 192.168.1.255 137
192.168.1.6 56304 8.8.8.8 53
192.168.1.6 57593 8.8.8.8 53
192.168.1.6 58697 8.8.8.8 53
192.168.1.6 63713 8.8.8.8 53
192.168.1.6 64201 8.8.8.8 53

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.1.6 8.8.8.8 3
192.168.1.6 8.8.8.8 3

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-10-18 06:29:54.891 192.168.1.6 49186 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:29:57.105 192.168.1.6 49188 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:29:57.757 192.168.1.6 49189 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:29:57.861 192.168.1.6 49190 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-10-18 06:29:57.927 192.168.1.6 49187 13.107.42.23 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-10-18 06:29:54.572 192.168.1.6 49185 52.142.114.176 443 CN=g.msn.com ff:27:b1:2a:2d:fd:c6:ad:80:fe:57:c9:11:a1:d4:31:13:86:1d:5f TLS 1.2
2020-10-18 06:29:54.996 192.168.1.6 49186 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 06:29:57.573 192.168.1.6 49188 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 06:29:57.859 192.168.1.6 49189 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 06:29:57.927 192.168.1.6 49190 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-10-18 06:29:58.072 192.168.1.6 49187 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-10-18 06:29:46.497 192.168.1.6 49194 93.184.221.240 80 None ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c05362e6e894290d None Microsoft-CryptoAPI/6.1 None 0
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.6 49186 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49187 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49188 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49189 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49190 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.6 49185 52.142.114.176 443 d124ae14809abde3528a479fe01a12bd unknown
Sorry! No dropped files.
Process Name rundll32.exe
PID 424
Dump Size 45056 bytes
Module Path C:\Windows\SysWOW64\rundll32.exe
Type PE image: 32-bit executable
PE timestamp 2017-03-30 14:58:17
MD5 394b951aa036f15004d2b28320c83252
SHA1 3b80a46a9fdd657780ccec349109b16a8544b531
SHA256 d70b8088755d1ffebc45ab3796d84a616174489aa0ea9f4477855bc74ee8ed0d
CRC32 7441B7C1
Ssdeep 768:dDYNsOPw3gx2Xz+R4bSEln5IyYpamDjobj8S:9Yej3gx2D+R4ln5IUmDjoX
Dump Filename d70b8088755d1ffebc45ab3796d84a616174489aa0ea9f4477855bc74ee8ed0d

Processing ( 7.513 seconds )

  • 5.231 Suricata
  • 1.305 CAPE
  • 0.43 VirusTotal
  • 0.225 NetworkAnalysis
  • 0.116 Deduplicate
  • 0.088 AnalysisInfo
  • 0.058 BehaviorAnalysis
  • 0.035 TargetInfo
  • 0.01 ProcDump
  • 0.005 Debug
  • 0.005 peid
  • 0.005 Strings

Signatures ( 0.15 seconds )

  • 0.032 antiav_detectreg
  • 0.013 infostealer_ftp
  • 0.012 territorial_disputes_sigs
  • 0.011 ransomware_files
  • 0.008 ransomware_extensions
  • 0.007 infostealer_im
  • 0.006 antianalysis_detectreg
  • 0.006 antiav_detectfile
  • 0.005 antidbg_windows
  • 0.004 antianalysis_detectfile
  • 0.004 infostealer_bitcoin
  • 0.004 infostealer_mail
  • 0.003 persistence_autorun
  • 0.003 antivm_vbox_keys
  • 0.003 geodo_banking_trojan
  • 0.002 guloader_apis
  • 0.002 antivm_vbox_files
  • 0.002 antivm_vmware_keys
  • 0.002 masquerade_process_name
  • 0.001 api_spamming
  • 0.001 betabot_behavior
  • 0.001 decoy_document
  • 0.001 infostealer_browser
  • 0.001 kibex_behavior
  • 0.001 NewtWire Behavior
  • 0.001 stealth_timeout
  • 0.001 tinba_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 azorult_mutexes
  • 0.001 revil_mutexes
  • 0.001 recon_fingerprint
  • 0.001 lokibot_mutexes
  • 0.001 ursnif_behavior

Reporting ( 2.585 seconds )

  • 2.572 BinGraph
  • 0.013 PCAP2CERT