Detection(s):
Phantomremote
Analysis Details
Category  Package  Started              Completed            Duration
FILE      dll      2026-03-05 12:06:25  2026-03-05 12:11:00  275s
Analysis Log
2026-03-05 02:28:18,418 [root] INFO: Date set to: 20260305T12:06:39, timeout set to: 200
2026-03-05 12:06:39,119 [root] DEBUG: Starting analyzer from: C:\nk6xk99a
2026-03-05 12:06:39,134 [root] DEBUG: Storing results at: C:\CNBZxSuxbk
2026-03-05 12:06:39,134 [root] DEBUG: Pipe server name: \\.\PIPE\YaQoJwDnKP
2026-03-05 12:06:39,150 [root] DEBUG: Python path: C:\Python310
2026-03-05 12:06:39,150 [root] INFO: analysis running as an admin
2026-03-05 12:06:39,150 [root] INFO: analysis package specified: "dll"
2026-03-05 12:06:39,150 [root] DEBUG: importing analysis package module: "modules.packages.dll"...
2026-03-05 12:06:39,150 [root] DEBUG: imported analysis package "dll"
2026-03-05 12:06:39,150 [root] DEBUG: initializing analysis package "dll"...
2026-03-05 12:06:39,150 [lib.common.common] INFO: wrapping
2026-03-05 12:06:39,197 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-03-05 12:06:39,197 [root] DEBUG: New location of moved file: C:\Users\cape\AppData\Local\Temp\sample_from_94fc2177.dll
2026-03-05 12:06:39,197 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2026-03-05 12:06:39,197 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2026-03-05 12:06:39,197 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2026-03-05 12:06:39,197 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2026-03-05 12:06:39,260 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-03-05 12:06:39,353 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-03-05 12:06:39,510 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-03-05 12:06:39,682 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-03-05 12:06:40,134 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-03-05 12:06:40,244 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2026-03-05 12:06:40,291 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2026-03-05 12:06:40,557 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2026-03-05 12:06:40,619 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-03-05 12:06:40,635 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-03-05 12:06:40,650 [root] DEBUG: Initialized auxiliary module "Browser"
2026-03-05 12:06:40,713 [root] DEBUG: attempting to configure 'Browser' from data
2026-03-05 12:06:40,853 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-03-05 12:06:40,853 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-03-05 12:06:40,853 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-03-05 12:06:40,853 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-03-05 12:06:40,853 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-03-05 12:06:40,853 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-03-05 12:06:40,869 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-03-05 12:06:40,869 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-03-05 12:06:41,556 [modules.auxiliary.digisig] DEBUG: File is not signed
2026-03-05 12:06:41,572 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-03-05 12:06:41,619 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-03-05 12:06:41,619 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-03-05 12:06:41,619 [root] DEBUG: attempting to configure 'Disguise' from data
2026-03-05 12:06:41,619 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-03-05 12:06:41,619 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-03-05 12:06:41,619 [modules.auxiliary.disguise] INFO: Disguising GUID to 44557234-068c-4192-843c-c7efad0ffaff
2026-03-05 12:06:41,635 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-03-05 12:06:41,635 [root] DEBUG: Initialized auxiliary module "Human"
2026-03-05 12:06:41,635 [root] DEBUG: attempting to configure 'Human' from data
2026-03-05 12:06:41,635 [root] DEBUG: module Human does not support data configuration, ignoring
2026-03-05 12:06:41,635 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-03-05 12:06:41,650 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-03-05 12:06:41,650 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-03-05 12:06:41,650 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-03-05 12:06:41,650 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-03-05 12:06:41,650 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-03-05 12:06:41,681 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-03-05 12:06:41,681 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-03-05 12:06:41,697 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-03-05 12:06:41,697 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-03-05 12:06:41,697 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-03-05 12:06:41,713 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 656
2026-03-05 12:06:41,744 [lib.api.process] INFO: Monitor config for <Process 656 lsass.exe>: C:\nk6xk99a\dll\656.ini
2026-03-05 12:06:41,791 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-03-05 12:06:42,010 [lib.api.process] INFO: 64-bit DLL to inject is C:\nk6xk99a\dll\kIbmqzp.dll, loader C:\nk6xk99a\bin\mRtDbfjg.exe
2026-03-05 12:06:42,119 [root] DEBUG: Loader: Injecting process 656 with C:\nk6xk99a\dll\kIbmqzp.dll.
2026-03-05 12:06:42,213 [root] DEBUG: 656: Python path set to 'C:\Python310'.
2026-03-05 12:06:42,228 [root] DEBUG: 656: Disabling sleep skipping.
2026-03-05 12:06:42,228 [root] DEBUG: 656: TLS secret dump mode enabled.
2026-03-05 12:06:42,416 [root] DEBUG: 656: RtlInsertInvertedFunctionTable 0x00007FF97FCC090E, LdrpInvertedFunctionTableSRWLock 0x00007FF97FE1D500
2026-03-05 12:06:42,416 [root] DEBUG: 656: Monitor initialised: 64-bit capemon loaded in process 656 at 0x00007FF95C960000, thread 6864, image base 0x00007FF794EB0000, stack from 0x000000A277A72000-0x000000A277A80000
2026-03-05 12:06:42,416 [root] DEBUG: 656: Commandline: C:\Windows\system32\lsass.exe
2026-03-05 12:06:42,463 [root] DEBUG: 656: Hooked 5 out of 5 functions
2026-03-05 12:06:42,478 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-03-05 12:06:42,478 [root] DEBUG: Successfully injected DLL C:\nk6xk99a\dll\kIbmqzp.dll.
2026-03-05 12:06:42,494 [lib.api.process] INFO: Injected into 64-bit <Process 656 lsass.exe>
2026-03-05 12:06:42,494 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-03-05 12:06:42,978 [root] DEBUG: 656: TLS 1.2 secrets logged to: C:\CNBZxSuxbk\tlsdump\tlsdump.log
2026-03-05 12:07:13,291 [root] INFO: Restarting WMI Service
2026-03-05 12:07:13,588 [root] DEBUG: package modules.packages.dll does not support configure, ignoring
2026-03-05 12:07:13,588 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'
2026-03-05 12:07:13,588 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-03-05 12:07:13,869 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\sysnative\rundll32.exe" with arguments ""C:\Users\cape\AppData\Local\Temp\sample_from_94fc2177.dll",#1" with pid 4596
2026-03-05 12:07:13,869 [lib.api.process] INFO: Monitor config for <Process 4596 rundll32.exe>: C:\nk6xk99a\dll\4596.ini
2026-03-05 12:07:13,885 [lib.api.process] INFO: 64-bit DLL to inject is C:\nk6xk99a\dll\kIbmqzp.dll, loader C:\nk6xk99a\bin\mRtDbfjg.exe
2026-03-05 12:07:13,947 [root] DEBUG: Loader: Injecting process 4596 (thread 160) with C:\nk6xk99a\dll\kIbmqzp.dll.
2026-03-05 12:07:13,947 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-03-05 12:07:13,947 [root] DEBUG: Successfully injected DLL C:\nk6xk99a\dll\kIbmqzp.dll.
2026-03-05 12:07:13,966 [lib.api.process] INFO: Injected into 64-bit <Process 4596 rundll32.exe>
2026-03-05 12:07:15,994 [lib.api.process] INFO: Successfully resumed <Process 4596 rundll32.exe>
2026-03-05 12:07:16,010 [root] DEBUG: 4596: Python path set to 'C:\Python310'.
2026-03-05 12:07:16,104 [root] DEBUG: 4596: Disabling sleep skipping.
2026-03-05 12:07:16,104 [root] DEBUG: 4596: Dropped file limit defaulting to 100.
2026-03-05 12:07:16,385 [root] DEBUG: 4596: YaraInit: Compiled 44 rule files
2026-03-05 12:07:16,400 [root] DEBUG: 4596: YaraInit: Compiled rules saved to file C:\nk6xk99a\data\yara\capemon.yac
2026-03-05 12:07:16,447 [root] DEBUG: 4596: RtlInsertInvertedFunctionTable 0x00007FF97FCC090E, LdrpInvertedFunctionTableSRWLock 0x00007FF97FE1D500
2026-03-05 12:07:16,447 [root] DEBUG: 4596: YaraScan: Scanning 0x00007FF78B200000, size 0x16100
2026-03-05 12:07:16,447 [root] DEBUG: 4596: Monitor initialised: 64-bit capemon loaded in process 4596 at 0x00007FF95C960000, thread 160, image base 0x00007FF78B200000, stack from 0x000000C3E2141000-0x000000C3E2150000
2026-03-05 12:07:16,463 [root] DEBUG: 4596: Commandline: "C:\Windows\sysnative\rundll32.exe" "C:\Users\cape\AppData\Local\Temp\sample_from_94fc2177.dll",#1
2026-03-05 12:07:16,494 [root] DEBUG: 4596: hook_api: LdrpCallInitRoutine export address 0x00007FF97FCC99BC obtained via GetFunctionAddress
2026-03-05 12:07:16,697 [root] WARNING: b'Unable to place hook on LockResource'
2026-03-05 12:07:16,744 [root] DEBUG: 4596: set_hooks: Unable to hook LockResource
2026-03-05 12:07:16,806 [root] DEBUG: 4596: Hooked 627 out of 628 functions
2026-03-05 12:07:16,838 [root] DEBUG: 4596: Syscall hook installed, syscall logging level 1
2026-03-05 12:07:16,885 [root] DEBUG: 4596: RestoreHeaders: Restored original import table.
2026-03-05 12:07:16,931 [root] INFO: Loaded monitor into process with pid 4596
2026-03-05 12:07:16,963 [root] DEBUG: 4596: caller_dispatch: Added region at 0x00007FF78B200000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF78B206D01, thread 160).
2026-03-05 12:07:16,963 [root] DEBUG: 4596: YaraScan: Scanning 0x00007FF78B200000, size 0x16100
2026-03-05 12:07:16,994 [root] DEBUG: 4596: ProcessImageBase: Main module image at 0x00007FF78B200000 unmodified (entropy change 0.000000e+00)
2026-03-05 12:07:17,041 [root] DEBUG: 4596: DLL loaded at 0x00007FF974FC0000: C:\Windows\SYSTEM32\WINHTTP (0x10a000 bytes).
2026-03-05 12:07:17,072 [root] DEBUG: 4596: Target DLL loaded at 0x00007FF9693C0000: C:\Users\cape\AppData\Local\Temp\sample_from_94fc2177 (0xa8000 bytes).
2026-03-05 12:07:17,088 [root] DEBUG: 4596: YaraScan: Scanning 0x00007FF9693C0000, size 0xa7f2e
2026-03-05 12:07:17,150 [root] DEBUG: 4596: caller_dispatch: Added region at 0x00007FF9693C0000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00007FF969438FC7, thread 160).
2026-03-05 12:07:17,150 [root] DEBUG: 4596: caller_dispatch: Scanning calling region at 0x00007FF9693C0000...
2026-03-05 12:07:17,775 [root] DEBUG: 4596: set_hooks_by_export_directory: Hooked 0 out of 628 functions
2026-03-05 12:07:17,775 [root] DEBUG: 4596: DLL loaded at 0x00007FF97B2E0000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-03-05 12:07:17,791 [root] DEBUG: 4596: DLL loaded at 0x00007FF97DC80000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2026-03-05 12:07:17,869 [root] DEBUG: 4596: DLL loaded at 0x00007FF97ADB0000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-03-05 12:07:17,978 [root] DEBUG: 4596: DLL loaded at 0x00007FF97EC20000: C:\Windows\System32\MSCTF (0x115000 bytes).
2026-03-05 12:07:18,072 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:18,072 [root] DEBUG: 4596: DLL loaded at 0x00007FF96B590000: C:\Windows\SYSTEM32\webio (0x98000 bytes).
2026-03-05 12:07:18,088 [root] DEBUG: 4596: DLL loaded at 0x00007FF97CAC0000: C:\Windows\system32\mswsock (0x6a000 bytes).
2026-03-05 12:07:18,103 [root] DEBUG: 4596: DLL loaded at 0x00007FF97C7B0000: C:\Windows\SYSTEM32\IPHLPAPI (0x3b000 bytes).
2026-03-05 12:07:18,213 [root] DEBUG: 4596: DLL loaded at 0x00007FF97F3D0000: C:\Windows\System32\NSI (0x8000 bytes).
2026-03-05 12:07:18,213 [root] DEBUG: 4596: DLL loaded at 0x00007FF976120000: C:\Windows\SYSTEM32\WINNSI (0xb000 bytes).
2026-03-05 12:07:21,635 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:24,807 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:37,994 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:41,166 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:44,338 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:58,447 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:08:01,619 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:08:04,791 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:08:17,978 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:08:21,182 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:08:24,353 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:08:37,541 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:08:40,729 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:08:43,900 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:08:57,088 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:09:00,275 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:09:03,463 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:09:16,635 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:09:19,806 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:09:22,994 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:09:36,197 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:09:39,369 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:09:42,541 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:09:55,713 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:09:58,869 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:10:02,041 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:10:15,229 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:10:18,400 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:10:21,572 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:10:34,775 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:10:36,572 [root] INFO: Analysis timeout hit, terminating analysis
2026-03-05 12:10:36,572 [lib.api.process] INFO: Terminate event set for <Process 4596 rundll32.exe>
2026-03-05 12:10:36,572 [root] DEBUG: 4596: Terminate Event: Attempting to dump process 4596
2026-03-05 12:10:36,572 [root] DEBUG: 4596: DoProcessDump: Skipping process dump as code is identical on disk.
2026-03-05 12:10:36,588 [lib.api.process] INFO: Termination confirmed for <Process 4596 rundll32.exe>
2026-03-05 12:10:36,588 [root] INFO: Terminate event set for process 4596
2026-03-05 12:10:36,588 [root] INFO: Created shutdown mutex
2026-03-05 12:10:36,588 [root] DEBUG: 4596: Terminate Event: monitor shutdown complete for process 4596
2026-03-05 12:10:37,604 [root] INFO: Shutting down package
2026-03-05 12:10:37,604 [root] INFO: Stopping auxiliary modules
2026-03-05 12:10:37,619 [root] INFO: Stopping auxiliary module: Browser
2026-03-05 12:10:37,619 [root] INFO: Stopping auxiliary module: Human
2026-03-05 12:10:37,947 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:10:38,416 [root] INFO: Stopping auxiliary module: Screenshots
2026-03-05 12:10:38,744 [root] INFO: Finishing auxiliary modules
2026-03-05 12:10:38,744 [root] INFO: Shutting down pipe server and dumping dropped files
2026-03-05 12:10:38,760 [root] WARNING: Folder at path "C:\CNBZxSuxbk\debugger" does not exist, skipping
2026-03-05 12:10:38,760 [root] INFO: Uploading files at path "C:\CNBZxSuxbk\tlsdump"
2026-03-05 12:10:38,760 [lib.common.results] INFO: Uploading file C:\CNBZxSuxbk\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 12056; Max size: 100000000
2026-03-05 12:10:38,775 [root] INFO: Analysis completed
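The only behaviour the run recorded after the sample's export #1 was invoked is WINHTTP loading, followed by 32 reloads of OnDemandConnRouteHelper (a helper WinHTTP pulls in when it opens a connection) at roughly 3-second spacing in groups of three with a longer pause between groups, until the 200-second timeout. No process dump was taken because the image on disk was never modified, so nothing unpacked in memory. The script below is an added example, not CAPE code and not part of this report: it parses analyzer-log lines in the exact format shown above and summarises the reload cadence so the pattern can be read off rather than eyeballed. The sample lines are copied from the log above; the 8-second burst threshold, and the reading of these reloads as repeated, unsuccessful WinHTTP connection attempts (the report shows no network section, so whether the sandbox had connectivity is not established here), are assumptions.

```python
"""Summarise how often capemon reports a given DLL being (re)loaded in a CAPE analyzer log.

Added example, not part of CAPE or of this report. SAMPLE_LOG lines are copied from the
report above; BURST_GAP and the interpretation of the result are assumptions.
"""
import re
import statistics
from datetime import datetime

# One analyzer-log line: timestamp, [logger], LEVEL:, optional "<pid>: " prefix, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): "
    r"(?:(?P<pid>\d+): )?(?P<msg>.*)$"
)
# capemon's module-load message; the "Target " prefix marks the analysed sample itself.
LOAD_RE = re.compile(
    r"^(?P<target>Target )?DLL loaded at (?P<addr>0x[0-9A-Fa-f]+): "
    r"(?P<path>.+?) \((?P<size>0x[0-9A-Fa-f]+) bytes\)\.$"
)
BURST_GAP = 8.0  # assumed: gaps longer than this separate retry bursts

SAMPLE_LOG = r"""
2026-03-05 12:07:17,041 [root] DEBUG: 4596: DLL loaded at 0x00007FF974FC0000: C:\Windows\SYSTEM32\WINHTTP (0x10a000 bytes).
2026-03-05 12:07:17,072 [root] DEBUG: 4596: Target DLL loaded at 0x00007FF9693C0000: C:\Users\cape\AppData\Local\Temp\sample_from_94fc2177 (0xa8000 bytes).
2026-03-05 12:07:18,072 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:18,072 [root] DEBUG: 4596: DLL loaded at 0x00007FF96B590000: C:\Windows\SYSTEM32\webio (0x98000 bytes).
2026-03-05 12:07:21,635 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:24,807 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:37,994 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:41,166 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:44,338 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:07:58,447 [root] DEBUG: 4596: DLL loaded at 0x00007FF964250000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-03-05 12:10:36,572 [root] INFO: Analysis timeout hit, terminating analysis
"""


def parse_line(line):
    """Return a dict (ts, logger, level, pid, msg) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def dll_load_events(lines, module):
    """(timestamp, pid, base address) for every load of `module` (basename, case-insensitive)."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        m = LOAD_RE.match(rec["msg"])
        if not m:
            continue
        name = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1]
        if name.lower() == module.lower():
            events.append((rec["ts"], rec["pid"], m.group("addr")))
    return events


def intervals(events):
    """Seconds between consecutive events."""
    return [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]


def cadence(events, burst_gap=BURST_GAP):
    """Split events into bursts at gaps longer than burst_gap; report burst sizes and median gaps."""
    gaps = intervals(events)
    bursts = [1] if events else []
    intra, inter = [], []
    for g in gaps:
        if g > burst_gap:
            bursts.append(1)
            inter.append(g)
        else:
            bursts[-1] += 1
            intra.append(g)
    return {
        "events": len(events),
        "bursts": bursts,
        "intra_gap_median": statistics.median(intra) if intra else None,
        "inter_gap_median": statistics.median(inter) if inter else None,
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.strip().splitlines()
    ev = dll_load_events(lines, "OnDemandConnRouteHelper")
    print(cadence(ev))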

Process Log
(empty)
Pre-Script Log
(empty)
During-Script Log
(empty)
Machine Information
Name      Label     Manager  Started On           Shutdown On
win10x64  win10x64  KVM      2026-03-05 12:06:25  2026-03-05 12:10:59
File Details
File Information
File Name
sample_from_94fc2177.dll
File Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
File Size 655360 bytes
MD5 5abd96ba0adce161517b32097bd2acd3
SHA1 20eb206964b6f02eea4719e9ab42bc2a786af65f
SHA256 c9c6ab6c4051f649d7da8acd12ffbf26f8eaeb6c1ace6df290f944ce2992b35a
SHA3-384 76ca763a32e5ef49f12799e57cc0fae15c2703c710ed4616ae3bb6fdfd04172f6991d12d308b11e1666ad2abb3d93f25
CRC32 CC7AC173
TLSH T17FD49C08E552D2EDD257C17186920B29A7B2B4B10518AFFB21B2C7B01FABBF85F5C711
Ssdeep 12288:QPlhw6UTcci9AAyxY4b0Pj/bMzncwUTt9ezX:QjwVcci9Lyx0Pj/mcwh
Yara
VirusTotal (43/76) - Phantomremote
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.PhantomRemote.m!c
MicroWorld-eScan Gen:Variant.Tedy.793805
CTX dll.backdoor.generic
ALYac Gen:Variant.Tedy.793805
VIPRE Gen:Variant.Tedy.793805
Sangfor Trojan.Win32.Save.a
K7AntiVirus Backdoor ( 006da25f1 )
BitDefender Gen:Variant.Tedy.793805
K7GW Backdoor ( 006da25f1 )
CrowdStrike win/malicious_confidence_100% (W)
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 Win64/Agent.AWJ trojan
APEX Malicious
TrendMicro-HouseCall TROJ_GEN.R002H09BD26
Paloalto generic.ml
Kaspersky HEUR:Backdoor.Win64.PhantomRemote.gen
Alibaba Backdoor:Application/Generic.a2d96270
Rising Backdoor.PhantomRemote!8.1D35E (CLOUD)
Sophos Mal/Generic-S
Zillya Trojan.Agent.Win64.168080
McAfeeD ti!C9C6AB6C4051
Trapmine malicious.moderate.ml.score
Emsisoft Gen:Variant.Tedy.793805 (B)
Ikarus Trojan.Win64.Agent
GData Win64.Backdoor.PhantomRemote.A
Google Detected
Varist W64/ABBackdoor.IVEU-6587
Antiy-AVL Trojan[Backdoor]/Win64.PhantomRemote
Kingsoft Win64.Backdoor.PhantomRemot.gen
Arcabit Trojan.Tedy.DC1CCD
Microsoft Trojan:Win32/Wacatac.B!ml
Cynet Malicious (score: 100)
DeepInstinct MALICIOUS
Cylance Unsafe
Tencent Malware.Win32.Gencirc.14a8b8b6
TrellixENS Artemis!5ABD96BA0ADC
MaxSecure Trojan.Malware.391580069.susgen
Fortinet W32/PossibleThreat
AVG Win64:MalwareX-gen [Misc]
Avast Win64:MalwareX-gen [Misc]
alibabacloud Backdoor:Win/PhantomRemote.gyf
Strings
-ffff.
!ffffff.
frexp
ext-ms-
[_^A^A_
az-AZ-Cyrl
es-CL
WM>HD
fE9,Fu
is a directory
[]_^A\A]A^A_
/fff.
belgian
D8t$ht
bad locale name
sa-in
D$Hf;
new[]
%CRdA
"cUxu>M
WinHttpOpen
.?AVbad_exception@std@@
holland
quz-pe
(D$0f
@8{(u
f;\$L
LocalFree
)>6{1n
fa-IR
owner dead
hong-kong
SetLastError
D$h9t$P
0A_A^A\
protocol not supported
K~Je#>!
api-ms-win-rtcore-ntuser-window-l1-1-0
BB\'G
LCIDToLocaleName
1zfhl
en-PH
zh-sg
K\ff.
ar-om
\Z{>Y
french-luxembourg
1#SNAN
ar-iq
January
lv-LV
not a stream
he-il
es-gt
FindFirstFileExW
S(HcS0
|$(E3
L$Hf;
s WATAUAVAWH
string too long
</assembly>
<security>
D$xf;
e([_^A\A]A^A_]
D$(H;
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
&ffff.
@SVWH
ar-ae
de-de
GetModuleFileNameW
r| NVt
InitializeCriticalSectionAndSpinCount
french-swiss
ntelA
`vector constructor iterator'
CloseHandle
@8k(t
AVVWSH
D$pfA;
L$49K
4zfhl
french-canadian
UVWSH
WAVAWH
cy-GB
Type Descriptor'
2?i=E
.?AV?$ctype@D@std@@
&domain=
[_^A\A^A_]
id-id
england
D$0HcH
m rgu
user32
`eh vector vbase constructor iterator'
en-GB
u+!D$0
f;\$D
gu-in
UWAVH
=R "Au
<htl<jt\<lt4<tt$<wt
log10
vi-vn
.?AVbad_array_new_length@std@@
pxTpZ
D;{Hu
hy-am
E0HcH
|$0E1
G~&=H
irish-english
|$ E3
H[_^A\A]A^A_]
too many files open in system
lt-lt
af-ZA
rvf;\$d
UVWATAUAVAW
_ffffff.
Gfff.
chinese-hongkong
A_A^A\_^[]
D$`f;
tEHcR
UUUUUU
HeapFree
es-MX
kok-in
fD9 tMH
ole32.dll
it-IT
chinese-simplified
t$8H+
@SUVWATAVAWH
gu-IN
9TZ7~MhL
L$xf;
sq-al
HcE_L
tr-tr
resource unavailable try again
`default constructor closure'
Complete Object Locator'
no lock available
H;XXs
CompareStringEx
hr-ba
D$hf;
RtlVirtualUnwind
ar-dz
c [1>H'
quz-EC
;D$hsL
@.reloc
AreFileApisANSI
D$ I;R
en-ph
nn-no
February
kernel32.dll
+L$HA
A_A^A\_^
A^A]A\_^[]
\$ UVWATAUAVAWH
!x-sys-default-locale
fD9,Au
WinHttpCrackUrl
F,u=H
AWAVAUATVWUS
[]_^A^
T$PD+
operator co_await
A_A^_
.?AU_Crt_new_delete@std@@
d$IfD
`string'
@b;zO]
=i]mcu
bad allocation
directory not empty
L$hH#
zM<tE
D$0f;
operation not supported
%ffff.
ar-IQ
\$ WH
not supported
LcA<E3
A_A^A]
HeapReAlloc
B"rLA
@.data
uk-ua
BF>^G
D$8f;
operation not permitted
0A^A\_
i#I'M;
ntdll
CreateProcessW
new-zealand
L$@H3
L$`;M
se-se
L$0H;
es-uy
hi-in
.?AV_System_error@std@@
D8L$0u`
|$`CI
[Utf8Conv::Utf16ToUt8] Input string too long: size_t-length doesn't fit into int.
0)5ZM[
.?AVbad_cast@std@@
resource deadlock would occur
f9t$bu
`managed vector constructor iterator'
</requestedPrivileges>
%fff.
ffff.
x AVH
ufD9v
af-za
LnusH
uHH+u0H
IsValidLocaleName
UnhandledExceptionFilter
n03>Pu
Cfff.
ar-ma
.?AVlength_error@std@@
api-ms-win-core-string-l1-1-0
K&>.yC
hr-hr
ta-IN
^<V7w
value too large
mi-nz
pa-in
f;\$4r
I+4$H
9)~P3
quz-ec
3fff.
utf-8
([_^A\A]A^A_]
9b_fu
sr-BA-Latn
yPHc?I
`vector deleting destructor'
s WAVAWH
L$Pf;
/result
t$ H9ph
< t=<
invalid string position
D$pE3
TlsSetValue
EnumSystemLocalesW
spanish-guatemala
es-ES
L$ SH
he-IL
6fff.
smn-fi
ky-KG
A_A^_
read only file system
cs-cz
CreateFileW
GS~gA
es-ec
hu-HU
Sleep
en-CA
system
hy-AM
WideCharToMultiByte
syr-SY
sms-FI
4fff.
host unreachable
VWUSH
p1XPw>
(
CorExitProcess
api-ms-
zh-TW
XcZE0?A
A_A^A]A\_^]
api-ms-win-security-systemfunctions-l1-1-0
broken pipe
RtlCaptureContext
mk-MK
f;\$T
GetFileType
vyfffff
VWAUH
@UAVAWH
X[_^A\A]A^A_]
rbf;\$l
^We|@'MP
([_^]
L$0f;
HcK H
t9LcF
ar-EG
L$@f;
`vector vbase constructor iterator'
Aju:H
ml-in
@d=.t
sr-ba-latn
{'\u-H
ms-BN
nn-NO
f;\$\
]L+6H
JzOuCH
vi-VN
it-ch
L}LTz
api-ms-win-core-synch-l1-2-0
@.gxfg
afffff.
WaitForSingleObject
x[]_^A\A]A^A_
Aju<I
hi-IN
GetCurrentProcess
T$@H9P
en-bz
operation in progress
[]_^A\A^A_
e0A_A^A]A\]
sr-SP-Latn
en-gb
Affffff.
swedish-finland
(null)
RtlUnwindEx
.ffffff.
german-swiss
IsValidLocale
result out of range
USVWAVH
download:
LCMapStringEx
RoInitialize
L$8H1
tn-za
dutch-belgian
H[_^]
FreeLibraryAndExitThread
gfffffffH
.?AV_System_error_category@std@@
Aju6L
el-gr
Monday
ar-LY
es-mx
H+D$
ms-MY
0A_A^A]
GetCurrentPackageId
WriteFile
canadian
[Utf8Conv::Utf8ToUtf16] Cannot convert from UTF-8 to UTF-16 (MultiByteToWideChar failed).
t?HcS
L$h;M
cy-gb
fD9t$b
p;S>D.X
english-jamaica
ca-ES
VWATAVAWH
operation canceled
@.rsrc
;.u1L
sma-se
</trustInfo>
fa-ir
|$8L;
ms-my
~V=MDN1
spanish-uruguay
english-can
[_^A^]
api-ms-win-core-xstate-l2-1-0
d$8L)
fA9,Au
div-mv
`placement delete closure'
sms-fi
GS~dA
V9>_A
de-li
FlsSetValue
GetLastError
address family not supported
cross device link
&commandId=
+h->|
device or resource busy
nl-NL
CoInitialize
$ffffff.
t)IcV
Base Class Array'
`eh vector constructor iterator'
syr-sy
.?AVios_base@std@@
nl-be
`local static thread guard'
english-ire
LoadLibraryExW
yx7u{H
ar-QA
pR[|*
argument list too long
GetLocaleInfoW
L$8H3
EntryPoint
Aju>L
.xJ>Hf
`vector vbase copy constructor iterator'
H;xXu5
WriteConsoleW
r+srA
8Ht;I
_logb
tSf91tNH
|$ UATAUAVAWH
mi-NZ
9p@u+
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
f9,Ju
__unaligned
ar-AE
D;-~j
D$@E3
da-dk
1j!P<
too many files open
L$`f;
GetProcessHeap
L$&8\$&t,8Y
api-ms-win-core-processthreads-l1-1-2
]p.VAA
address not available
div-MV
china
@SUWH
;Fu6D
no link
"cUxu;H
es-PR
InterlockedFlushSList
t$xfI
iostream
GetCommandLineW
[Utf8Conv::Utf8ToUtf16] Input string too long: size_t-length doesn't fit into int.
ineID
TlsGetValue
fffff.
operator<=>
VWAVH
ATAVAWH
GetStringTypeW
D$@fD
L$(E3
sl-SI
FindNextFileW
spanish-modern
fo-fo
rKf;\$t
=*("_
GetCommandLineA
HcC H
8_^][
WR]u3I
not a socket
.?AV_Generic_error_category@std@@
?ls~#
__pascal
pt-BR
ar-TN
A_A^A]_]
?f`Y4
p*W4H
kernelbase
AWAVAUATVWUSH
0123456789abcdefghijklmnopqrstuvwxyz
L$0M)
r7f;\$|
ATAUAVH
((((( H
.?AV?$basic_ofstream@DU?$char_traits@D@std@@@std@@
tvLc{
\$HH)
spanish-chile
e8[_^A\A]A^A_]
sv-SE
fA90u
~,=C=
GetDateFormatEx
*StO9>T
|$(A^
>&!;D
WINHTTP.dll
ffff.
,offff.
A_A^A]A\_^]
no stream resources
connection refused
sw-KE
se-FI
ml-IN
es-pr
TlsAlloc
+M<7>
[]_^A^
LC_TIME
english-american
es-EC
f ,wu
ios_base::eofbit set
ar-kw
`omni callsig'
tt-ru
DecodePointer
ot$ H
=r+sru
identifier removed
pB]P67
se-SE
@A_A^A\_^[]
L$0H1
GetOEMCP
fr-LU
AcquireSRWLockExclusive
0A_A^A]A\_
CreateDirectoryW
StringFromGUID2
__cdecl
[Utf8Conv::Utf8ToUtf16] Cannot get result string length when converting from UTF-8 to UTF-16 (MultiByteToWideChar failed).
D$8L9
no message available
delete[]
p*Z\h
fi-fi
8D$@t
address in use
L$8M)
`eh vector copy constructor iterator'
ExitThread
A_A^A]A\_^[
;\$p|
text file busy
Nfffff.
HcE_H
en-ZW
message size
en-us
__swift_3
ReadFile
zu-za
en-nz
JzOuDH
(t$0H
6`uQI
B*~&=0
fD9,pu
invalid argument
Vfffff.
"cUxu;M
fB9<{u
Offff.
__fastcall
xA_A^A]A\_^[]
A_A^A]A\_
[Utf8Conv::Utf8ToUtf16] Invalid UTF-8 sequence found in input string.
UAWAVAUATVWSPH
E80t"A
E/H9E
smj-SE
D$Xf;
P[_^A^]
GetACP
uzKs@>
D$/M9"
0A_A^_
kE>fvw
1#QNAN
ar-ye
ABCDEFGHIJKLMNOPQRSTUVWXYZ
south korea
D!|$xA
GetSystemTimeAsFileTime
~<=C=
tQfD9 tK
.?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@
operation would block
az-az-cyrl
SVWATAUAWH
@A_A^A]A\_^]
no protocol option
99~CE
N/H;p
de-LI
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
operator ""
Efff.
u3HcH<H
98t H
not connected
is-IS
r:f;\$|
et-ee
d$ E3
AWAVVWSH
unknown error
GetProcAddress
=<>{9u
KERNEL32.dll
fr-MC
english-us
Aju<H
@.tls
Pdz<D
kernel32
fD9$Hu
LC_NUMERIC
*ffff.
6zi+A
=-'']
ar-eg
t$ UWAUAVAWH
@[_^A\A^A_]
zh-cht
spanish-bolivia
smj-NO
.?AVcodecvt_base@std@@
eLK(w
__swift_2
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
[Utf8Conv::Utf16ToUtf8] Cannot get result string length when converting from UTF-16 to UTF-8 (WideCharToMultiByte failed).
.?AVsystem_error@std@@
@A^_^
ffffff
rsf;\$d
pr-china
fB9<Hu
dddd, MMMM dd, yyyy
-I$~_=
spanish-mexican
lt-LT
GetSystemTimePreciseAsFileTime
nb-NO
`managed vector destructor iterator'
`.rdata
.?AV?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
Moff.
bs-ba-latn
l$ VWATAVAWH
(t$ H
M50u:1
.?AV?$codecvt@DDU_Mbstatet@@@std@@
'L>[
bad cast
Yi>xu
es-NI
wrong protocol type
ns-za
spanish-argentina
TUUUU
GetModuleHandleW
Vr.>T
>jtm}S
LeaveCriticalSection
bad array new length
__based(
8[_^A^A_]
`A_A^A]A\_^]
ext-ms-win-ntuser-windowstation-l1-1-0
english-trinidad y tobago
no space on device
3zfhl
H!D$ H
H[]_^A\A]A^A_
fr-lu
api-ms-win-core-file-l1-2-4
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
sk-SK
es-DO
api-ms-win-core-localization-obsolete-l1-2-0
h[_^A\A]A^A_]
UAWAVAUATVWSH
eu-ES
=s}a[
RoUninitialize
=z[{5u
y\PD>!
t$ E3
`local static guard'
@8~0t
Lj[;>
rfffff.
u%@8j(t
Saturday
LC_COLLATE
not a directory
D$@f;
es-ar
spanish-honduras
TerminateProcess
WinHttpSetTimeouts
@USVWATAUAVH
|$xL;
english-nz
kok-IN
HcQ<H
se-NO
.?AVlogic_error@std@@
0[]_^A\A^A_
Nfff.
spanish-costa rica
chinese-singapore
[_^A\A]A^A_]
mt-mt
en-NZ
english-usa
?d=.~"
xh-za
(|$0@
not enough memory
no such device
T$PE3
.?AV?$numpunct@D@std@@
floor
ar-BH
eX[_^A\A]A^A_]
d-q(x
T$,L9
t(LcC
en-au
~ $s%r
@UATAUAVAWH
D$@H;F
PE Information
Image Base
0x180000000
Entry Point
0x00061e20
Min OS
4.0
Compile Time
2025-10-08 07:08:37
Import Hash
01a66d44fed33e456d3af9662bbdf7b9

Name RAW Addr Virt Addr Virt Size Raw Size Characteristics Entropy
.text 0x00000400 0x00001000 0x00082fc6 0x00083000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.83
.rdata 0x00083400 0x00084000 0x000136f4 0x00013800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.07
.data 0x00096c00 0x00098000 0x00005aac 0x00002a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.89
.pdata 0x00099600 0x0009e000 0x000032b8 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.70
.gxfg 0x0009ca00 0x000a2000 0x00001fe0 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.17
.tls 0x0009ea00 0x000a4000 0x00000181 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.02
_RDATA 0x0009ec00 0x000a5000 0x000001f4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.24
.rsrc 0x0009ee00 0x000a6000 0x000001d8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.60
.reloc 0x0009f000 0x000a7000 0x00000f30 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.36

Name Offset Size Language Entropy Type
RT_MANIFEST 0x000a6060 0x00000173 LANG_ENGLISH 4.86 None

Address Name
0x180090ed0 WinHttpCloseHandle
0x180090ed8 WinHttpConnect
0x180090ee0 WinHttpCrackUrl
0x180090ee8 WinHttpOpen
0x180090ef0 WinHttpOpenRequest
0x180090ef8 WinHttpReadData
0x180090f00 WinHttpReceiveResponse
0x180090f08 WinHttpSendRequest
0x180090f10 WinHttpSetTimeouts

Address Name
0x180090f20 AcquireSRWLockExclusive
0x180090f28 CloseHandle
0x180090f30 CreateDirectoryW
0x180090f38 CreateFileW
0x180090f40 CreatePipe
0x180090f48 CreateProcessW
0x180090f50 CreateThread
0x180090f58 DecodePointer
0x180090f60 DeleteCriticalSection
0x180090f68 EncodePointer
0x180090f70 EnterCriticalSection
0x180090f78 EnumSystemLocalesW
0x180090f80 ExitProcess
0x180090f88 ExitThread
0x180090f90 FindClose
0x180090f98 FindFirstFileExW
0x180090fa0 FindNextFileW
0x180090fa8 FlsAlloc
0x180090fb0 FlsFree
0x180090fb8 FlsGetValue
0x180090fc0 FlsSetValue
0x180090fc8 FlushFileBuffers
0x180090fd0 FormatMessageA
0x180090fd8 FreeEnvironmentStringsW
0x180090fe0 FreeLibrary
0x180090fe8 FreeLibraryAndExitThread
0x180090ff0 GetACP
0x180090ff8 GetCPInfo
0x180091000 GetCommandLineA
0x180091008 GetCommandLineW
0x180091010 GetComputerNameExW
0x180091018 GetComputerNameW
0x180091020 GetConsoleMode
0x180091028 GetConsoleOutputCP
0x180091030 GetCurrentProcess
0x180091038 GetCurrentProcessId
0x180091040 GetCurrentThreadId
0x180091048 GetEnvironmentStringsW
0x180091050 GetFileSizeEx
0x180091058 GetFileType
0x180091060 GetLastError
0x180091068 GetLocaleInfoEx
0x180091070 GetLocaleInfoW
0x180091078 GetModuleFileNameW
0x180091080 GetModuleHandleExW
0x180091088 GetModuleHandleW
0x180091090 GetOEMCP
0x180091098 GetProcAddress
0x1800910a0 GetProcessHeap
0x1800910a8 GetStartupInfoW
0x1800910b0 GetStdHandle
0x1800910b8 GetStringTypeW
0x1800910c0 GetSystemTimeAsFileTime
0x1800910c8 GetUserDefaultLCID
0x1800910d0 HeapAlloc
0x1800910d8 HeapFree
0x1800910e0 HeapReAlloc
0x1800910e8 HeapSize
0x1800910f0 InitializeCriticalSectionAndSpinCount
0x1800910f8 InitializeCriticalSectionEx
0x180091100 InitializeSListHead
0x180091108 InterlockedFlushSList
0x180091110 IsDebuggerPresent
0x180091118 IsProcessorFeaturePresent
0x180091120 IsValidCodePage
0x180091128 IsValidLocale
0x180091130 LCMapStringEx
0x180091138 LCMapStringW
0x180091140 LeaveCriticalSection
0x180091148 LoadLibraryExW
0x180091150 LocalFree
0x180091158 MultiByteToWideChar
0x180091160 QueryPerformanceCounter
0x180091168 RaiseException
0x180091170 ReadConsoleW
0x180091178 ReadFile
0x180091180 ReleaseSRWLockExclusive
0x180091188 RtlCaptureContext
0x180091190 RtlLookupFunctionEntry
0x180091198 RtlPcToFileHeader
0x1800911a0 RtlUnwind
0x1800911a8 RtlUnwindEx
0x1800911b0 RtlVirtualUnwind
0x1800911b8 SetEndOfFile
0x1800911c0 SetFilePointerEx
0x1800911c8 SetHandleInformation
0x1800911d0 SetLastError
0x1800911d8 SetStdHandle
0x1800911e0 SetUnhandledExceptionFilter
0x1800911e8 Sleep
0x1800911f0 SleepConditionVariableSRW
0x1800911f8 TerminateProcess
0x180091200 TlsAlloc
0x180091208 TlsFree
0x180091210 TlsGetValue
0x180091218 TlsSetValue
0x180091220 UnhandledExceptionFilter
0x180091228 WaitForSingleObject
0x180091230 WakeAllConditionVariable
0x180091238 WideCharToMultiByte
0x180091240 WriteConsoleW
0x180091248 WriteFile

Address Name
0x180091258 CoCreateGuid
0x180091260 CoInitialize
0x180091268 StringFromGUID2

Ordinal Address Name
1 0x1800080b0 EntryPoint
Processing 27.46s
  • 16.655s CAPE
  • 5.845s Suricata
  • 4.78s NetworkAnalysis
  • 0.121s BehaviorAnalysis
  • 0.055s AnalysisInfo
  • 0.002s Debug
Signatures 0.10s
  • 0.027s network_cnc_http
  • 0.009s network_http
  • 0.007s antiav_detectreg
  • 0.006s ransomware_files
  • 0.004s antiav_detectfile
  • 0.004s infostealer_ftp
  • 0.004s ransomware_extensions_known
  • 0.003s territorial_disputes_sigs
  • 0.002s antianalysis_detectfile
  • 0.002s antianalysis_detectreg
  • 0.002s antivm_vbox_files
  • 0.002s infostealer_bitcoin
  • 0.002s infostealer_im
  • 0.002s infostealer_mail
  • 0.002s masquerade_process_name
  • 0.001s banker_zeus_url
  • 0.001s network_ip_exe
  • 0.001s antidebug_devices
  • 0.001s antivm_vbox_keys
  • 0.001s antivm_vmware_files
  • 0.001s antivm_vmware_keys
  • 0.001s geodo_banking_trojan
  • 0.001s browser_security
  • 0.001s disables_backups
  • 0.001s disables_browser_warn
  • 0.001s disables_power_options
  • 0.001s azorult_mutexes
  • 0.001s echelon_files
  • 0.001s poullight_files
  • 0.001s qulab_files
  • 0.001s revil_mutexes
  • 0.001s recon_fingerprint
  • 0.001s lokibot_mutexes
  • 0.001s ursnif_behavior
Reporting 0.00s
  • 0.004s JsonDump
Signatures
IP: 217.19.4.252:80 (unknown)
regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ru-RU
regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ru-RU
note: rundll32.exe tried to sleep 504.25 seconds, actually delayed analysis time by 0.0 seconds
section: {'name': '.tls', 'raw_address': '0x0009ea00', 'virtual_address': '0x000a4000', 'virtual_size': '0x00000181', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.02'}
ip_hostname: HTTP connection was made to an IP address rather than domain name
unknown section: {'name': '.gxfg', 'raw_address': '0x0009ca00', 'virtual_address': '0x000a2000', 'virtual_size': '0x00001fe0', 'size_of_data': '0x00002000', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '5.17'}
unknown section: {'name': '_RDATA', 'raw_address': '0x0009ec00', 'virtual_address': '0x000a5000', 'virtual_size': '0x000001f4', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '4.24'}
section: {'name': '.text', 'raw_address': '0x00000400', 'virtual_address': '0x00001000', 'virtual_size': '0x00082fc6', 'size_of_data': '0x00083000', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x60000020', 'entropy': '6.83'}
Binary triggered YARA rule: IsPE64
Binary triggered YARA rule: IsDLL
Binary triggered YARA rule: IsWindowsGUI
Hosts
Summary
  • C:\Users\cape\AppData\Local\Temp\sample_from_94fc2177.dll.manifest
  • C:\Users\cape\AppData\Local\Temp\sample_from_94fc2177.dll
  • C:\Users\cape\AppData\Local\Temp\sample_from_94fc2177.dll.123.Manifest
  • C:\Users\cape\AppData\Local\Temp\sample_from_94fc2177.dll.124.Manifest
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\System32\C_1252.NLS
  • C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\mswsock.dll.mui
  • C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\wshqos.dll.mui
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ru-RU
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ru-RU
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\1252
  • HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\ru-RU
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest
  • Local\SM0:4596:304:WilStaging_02

No results found.

No behavioral analysis data available.

Sorry! No strace.
Sorry! No tracee.
Hosts
No hosts contacted.
TCP Connections
No TCP connections recorded.
UDP Connections
No UDP connections recorded.
DNS Requests
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP Traffic
No SMTP traffic performed.
IRC Traffic
No IRC requests performed.
ICMP Traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.

No dropped files found.

Sorry! No process dumps.