Windows Analysis Report Kapitu.exe

Overview

General Information

Sample Name: Kapitu.exe
Analysis ID: 1364
MD5: 149b6bd6b0d3dd2b0fbb111632d59fcc
SHA1: 33cdaa42e1a5c1fad1aa4f38dd9ad6ea75113aa7
SHA256: b622dbe802148305104ef456835748d2fc0d8edeffa64787c43c78bcb1914b2f

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
One or more processes crash
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: Kapitu.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloadV"}
Multi AV Scanner detection for submitted file
Source: Kapitu.exe Virustotal: Detection: 20%

Compliance:

Uses 32bit PE files
Source: Kapitu.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.186.110:443 -> 192.168.11.20:49788 version: TLS 1.2
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000014.00000003.19040797002.000000000752D000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb( source: WerFault.exe, 00000014.00000003.19018976729.0000000006CBA000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb( source: WerFault.exe, 00000014.00000003.19001076210.0000000005D92000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb( source: WerFault.exe, 00000014.00000003.19016612435.00000000068A6000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.18994554215.00000000030E6000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000014.00000003.18996243688.00000000064AC000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000014.00000003.18998561649.0000000005D98000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000014.00000003.19026340881.00000000070C2000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.18994746142.00000000030FC000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb source: WerFault.exe, 00000014.00000003.19054366223.00000000053E1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.19001022681.0000000005D87000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.18994350026.0000000003081000.00000004.00000001.sdmp
Source: Binary string: srvcli.pdbd source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.18999101834.00000000064C3000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000014.00000003.19000012560.0000000006895000.00000004.00000001.sdmp
Source: Binary string: qncryptsslp.pdb source: WerFault.exe, 00000014.00000003.18995486192.0000000005D6E000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb( source: WerFault.exe, 00000014.00000003.18998561649.0000000005D98000.00000004.00000001.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 00000014.00000003.19005134690.00000000064BD000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000014.00000003.19018976729.0000000006CBA000.00000004.00000001.sdmp
Source: Binary string: winspool.pdb( source: WerFault.exe, 00000014.00000003.18996215101.00000000064A7000.00000004.00000001.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000014.00000003.19022355299.00000000070BC000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000014.00000003.19017856487.0000000006F89000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb( source: WerFault.exe, 00000014.00000003.18996243688.00000000064AC000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb: source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb( source: WerFault.exe, 00000014.00000003.19020426514.00000000068B1000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb( source: WerFault.exe, 00000014.00000003.19017856487.0000000006F89000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbU$ source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb( source: WerFault.exe, 00000014.00000003.19032365056.0000000007588000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: srvcli.pdb source: WerFault.exe, 00000014.00000003.19024960609.0000000006FF2000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000014.00000003.18994396652.0000000003086000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000014.00000003.19020466166.00000000068B7000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb( source: WerFault.exe, 00000014.00000003.18999101834.00000000064C3000.00000004.00000001.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000014.00000003.18996215101.00000000064A7000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000014.00000003.19002140835.00000000068CD000.00000004.00000001.sdmp
Source: Binary string: dpapi.pdb( source: WerFault.exe, 00000014.00000003.19024255597.00000000070D8000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000014.00000003.19054366223.00000000053E1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb( source: WerFault.exe, 00000014.00000003.19001022681.0000000005D87000.00000004.00000001.sdmp
Source: Binary string: gpapi.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdb( source: WerFault.exe, 00000014.00000003.19040797002.000000000752D000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000014.00000003.18994697722.00000000030F7000.00000004.00000001.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000014.00000003.18999955983.000000000688A000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000014.00000003.19025389900.00000000070D3000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb( source: WerFault.exe, 00000014.00000003.19030215027.00000000070AF000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdbv< source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.18995486192.0000000005D6E000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000014.00000003.19005718854.000000000689B000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb( source: WerFault.exe, 00000014.00000003.18996861577.0000000003102000.00000004.00000001.sdmp
Source: Binary string: iertutil.pdb7 source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb( source: WerFault.exe, 00000014.00000003.18999955983.000000000688A000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb1 source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.18994554215.00000000030E6000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbp source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 00000014.00000003.19024255597.00000000070D8000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.18994647821.00000000030F1000.00000004.00000001.sdmp
Source: Binary string: AcLayers.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb( source: WerFault.exe, 00000014.00000003.19019857478.000000000704F000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb( source: WerFault.exe, 00000014.00000003.19006946184.00000000064CE000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000014.00000003.19030215027.00000000070AF000.00000004.00000001.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000014.00000003.19019857478.000000000704F000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdbB0 source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: combase.pdb; source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb( source: WerFault.exe, 00000014.00000003.18994946811.0000000003113000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb( source: WerFault.exe, 00000014.00000003.18995383754.0000000005D5D000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbu source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbn source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb/ source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb0 source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb( source: WerFault.exe, 00000014.00000003.19025389900.00000000070D3000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb( source: WerFault.exe, 00000014.00000003.18995414777.0000000005D63000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb( source: WerFault.exe, 00000014.00000003.18994647821.00000000030F1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.18996911288.000000000310D000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb( source: WerFault.exe, 00000014.00000003.19000012560.0000000006895000.00000004.00000001.sdmp
Source: Binary string: netutils.pdbz source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000014.00000003.18995383754.0000000005D5D000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb) source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb( source: WerFault.exe, 00000014.00000003.19022355299.00000000070BC000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000014.00000003.19012140225.00000000070A9000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb( source: WerFault.exe, 00000014.00000003.19005081330.00000000064B2000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.19005081330.00000000064B2000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000014.00000003.19001051344.0000000005D8D000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000014.00000003.19006667132.00000000068C2000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb( source: WerFault.exe, 00000014.00000003.19005718854.000000000689B000.00000004.00000001.sdmp
Source: Binary string: msi.pdb( source: WerFault.exe, 00000014.00000003.19005134690.00000000064BD000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb% source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb( source: WerFault.exe, 00000014.00000003.19006667132.00000000068C2000.00000004.00000001.sdmp
Source: Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000014.00000003.19006628664.00000000068BC000.00000004.00000001.sdmp
Source: Binary string: combase.pdb( source: WerFault.exe, 00000014.00000003.18995486192.0000000005D6E000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.18994350026.0000000003081000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000014.00000003.19016612435.00000000068A6000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb( source: WerFault.exe, 00000014.00000003.18994746142.00000000030FC000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb( source: WerFault.exe, 00000014.00000003.19001051344.0000000005D8D000.00000004.00000001.sdmp
Source: Binary string: mskeyprotect.pdb( source: WerFault.exe, 00000014.00000003.19026340881.00000000070C2000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdbS source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbG source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb( source: WerFault.exe, 00000014.00000003.18994396652.0000000003086000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000014.00000003.19030119844.000000000769F000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000014.00000003.19022770808.00000000068C7000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb# source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb] source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb( source: WerFault.exe, 00000014.00000003.19025355341.00000000070CD000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.19007270851.00000000068AB000.00000004.00000001.sdmp
Source: Binary string: AcLayers.pdb( source: WerFault.exe, 00000014.00000003.18994697722.00000000030F7000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdbX* source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: srvcli.pdb( source: WerFault.exe, 00000014.00000003.19024960609.0000000006FF2000.00000004.00000001.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb( source: WerFault.exe, 00000014.00000003.19020466166.00000000068B7000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdbK source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000014.00000003.19032365056.0000000007588000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdbL6 source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb( source: WerFault.exe, 00000014.00000003.18996911288.000000000310D000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.19020426514.00000000068B1000.00000004.00000001.sdmp
Source: Binary string: OnDemandConnRouteHelper.pdb( source: WerFault.exe, 00000014.00000003.19006628664.00000000068BC000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb( source: WerFault.exe, 00000014.00000003.19002140835.00000000068CD000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.18995443411.0000000005D68000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.18996861577.0000000003102000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdbA source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000014.00000003.19025355341.00000000070CD000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downloadV
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRod HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (7 occurrences)
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=UTF-8
    x-chromium-appcache-fallback-override: disallow-fallback
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: script-src 'nonce-MvTTUjqOi+ULm6tB1JBGlA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
    Date: Mon, 27 Sep 2021 13:08:50 GMT
    Expires: Mon, 27 Sep 2021 13:08:50 GMT
    Cache-Control: private, max-age=0
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Set-Cookie: NID=511=abKi0BWgcemcd0d8wm9mOlAU2B3arxsDTzzIYttMhyEZI6BWiC6XRhQKgWHtgX8WrOJul08K92QFhtYs9xjnosQK86HWAE8VXopjAbsMkP7rWufpF19a4IJLb_GGIG6TaDkuZEY-t6WXx_m0czyrRfhtLyX5RoUF5UVTrZ9K2D8; expires=Tue, 29-Mar-2022 13:08:50 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
    Accept-Ranges: none
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
Source: RegAsm.exe, 00000005.00000003.16607792811.000000000156A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.19107672383.0000000005D83000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000005.00000003.16607792811.000000000156A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.19107672383.0000000005D83000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000005.00000003.16607792811.000000000156A000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000005.00000000.18980633011.0000000001530000.00000004.00000020.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/Q
Source: RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/_a
Source: RegAsm.exe, 00000005.00000000.18980633011.0000000001530000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRod
Source: RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRodC
Source: RegAsm.exe, 00000005.00000000.18980633011.0000000001530000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRodM
Source: RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRodg
Source: WerFault.exe, 00000014.00000003.19075440404.000000000306F000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemet
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected:
    GET /uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRod HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 142.250.186.110:443 -> 192.168.11.20:49788 version: TLS 1.2
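The request above is the only outbound activity the sandbox captured: the loader fetched its next stage from a Google Drive direct-download URL with an Internet Explorer 11 user agent and a bare header set, and Drive answered 404, so the final payload was not retrieved and this report covers only the loader stage. Note also that the extracted "Payload URL" ends in a stray "V" and lacks the id parameter; the URL in the traffic is the one to pivot on. What follows is an added example, not part of the Joe Sandbox report, of detection logic over such a request: it reassembles the header lines, pulls the Drive file id out of the URL, and flags the combination of direct download, IE11 user agent and missing browser headers. The loader request is constructed from the report's lines; the browser control request, the header list and the two-tell threshold are assumptions.

```python
"""Score raw HTTP requests for the Google Drive download pattern this report shows."""
from urllib.parse import urlsplit, parse_qs

# Constructed from the request in the report, with the CRLF line breaks
# restored (the report prints the header lines run together).
GULOADER_REQUEST = (
    "GET /uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRod HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: drive.google.com\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed negative control (not from the report): the same Drive URL
# fetched by a browser that sends the usual Accept* headers.
BROWSER_REQUEST = (
    "GET /uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRod HTTP/1.1\r\n"
    "Host: drive.google.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/93.0 Safari/537.36\r\n"
    "Accept: text/html,application/xhtml+xml,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "\r\n"
)

# Headers every mainstream browser sends on a navigation; their absence is a
# cheap tell for a hand-rolled WinINet/WinHTTP download. Assumed list.
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")


def parse_request(raw):
    """Split a raw HTTP/1.x request into request-line parts and a lowercase header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def drive_file_id(host, target):
    """Return the Google Drive file id for /uc?...&id=<id> or /file/d/<id>/... URLs, else None."""
    if host.lower().split(":")[0] != "drive.google.com":
        return None
    parts = urlsplit(target)
    if parts.path == "/uc":
        ids = parse_qs(parts.query).get("id")
        return ids[0] if ids else None
    segs = parts.path.split("/")
    if len(segs) >= 4 and segs[1] == "file" and segs[2] == "d":
        return segs[3]
    return None


def score_request(raw):
    """Return the extracted file id and the reasons the request looks like a loader fetch."""
    _method, target, _version, headers = parse_request(raw)
    reasons = []
    file_id = drive_file_id(headers.get("host", ""), target)
    if file_id and "export=download" in target:
        reasons.append("drive-direct-download")
    ua = headers.get("user-agent", "")
    if "Trident/7.0" in ua and "WOW64" in ua:
        reasons.append("ie11-wow64-user-agent")  # the UA string observed in this report
    missing = [h for h in BROWSER_HEADERS if h not in headers]
    if missing:
        reasons.append("missing-browser-headers:" + ",".join(missing))
    # Assumed threshold: a Drive download alone is normal traffic; two or more tells are not.
    return {"file_id": file_id, "reasons": reasons, "suspicious": len(reasons) >= 2}
```

The file id is the durable indicator here: Drive URLs for the same file can be written several ways, and the id survives all of them, so it is what belongs on a blocklist or in a hunt query rather than the full URL string.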

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: WerFault.exe, 00000014.00000003.18995274342.0000000005CBD000.00000004.00000001.sdmp Binary or memory string: DWM8And16Bit_DirectDrawCreateEx_CallOut

System Summary:

Uses 32bit PE files
Source: Kapitu.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
One or more processes crash
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1356
PE file contains strange resources
Source: Kapitu.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
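The static PE line above lists the COFF file characteristics of Kapitu.exe. RELOCS_STRIPPED is the one worth noting: the image carries no base relocations, so it must be mapped at its preferred ImageBase and cannot be rebased by ASLR, which is typical of VB6-built executables such as this one (it loads msvbvm60.dll). What follows is an added example, not part of the report, of decoding those flags straight from the headers with only the standard library, so the same check can be run offline on any suspect file. The header bytes it parses are constructed to carry the flags the report lists (Machine 0x14c, Characteristics 0x010F); they are not bytes from the real sample.

```python
"""Read the COFF file header of a PE image and decode its characteristics."""
import struct

# IMAGE_FILE_* bits from the PE/COFF specification (subset).
IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
IMAGE_FILE_MACHINE = {0x014C: "i386", 0x8664: "amd64", 0xAA64: "arm64"}

# Signature (4) + COFF header (20): Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
COFF_FMT = "<4sHHIIIHH"


def build_sample_header(machine=0x014C, characteristics=0x010F):
    """Construct a minimal DOS stub + PE signature + COFF header for offline testing.

    0x010F = RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED |
             LOCAL_SYMS_STRIPPED | 32BIT_MACHINE, the set the report shows.
    This is synthetic data, not a copy of the analysed sample.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature follows the DOS header
    coff = struct.pack(COFF_FMT, b"PE\0\0", machine, 3, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + coff


def parse_coff_header(data):
    """Return machine, section count and decoded characteristics of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + struct.calcsize(COFF_FMT) > len(data):
        raise ValueError("e_lfanew points outside the file")
    sig, machine, nsections, _ts, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        COFF_FMT, data, e_lfanew)
    if sig != b"PE\0\0":
        raise ValueError("missing PE signature")
    flags = sorted(name for bit, name in IMAGE_FILE_CHARACTERISTICS.items() if chars & bit)
    return {
        "machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
        "sections": nsections,
        "characteristics": flags,
        # No relocations means the image cannot be rebased, so ASLR does not apply to it.
        "relocatable": not (chars & 0x0001),
    }
```

To run it on a real file, pass `open(path, "rb").read()` to `parse_coff_header`; the function deliberately stops at the COFF header, so a truncated or malformed optional header cannot make it mis-parse.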
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Kapitu.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: edgegdi.dll
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01109F9D 5_2_01109F9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01109DB8 5_2_01109DB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0110F7DC 5_2_0110F7DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0110DD76 5_2_0110DD76
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0110E1B8 5_2_0110E1B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0110E3A7 5_2_0110E3A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01108FCA 5_2_01108FCA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011073F2 5_2_011073F2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01107807 5_2_01107807
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0110AA77 5_2_0110AA77
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0110F17C NtProtectVirtualMemory, 5_2_0110F17C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01109DB8 NtAllocateVirtualMemory,LoadLibraryA, 5_2_01109DB8
Source: Kapitu.exe Virustotal: Detection: 20%
Source: Kapitu.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Kapitu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Kapitu.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Kapitu.exe 'C:\Users\user\Desktop\Kapitu.exe'
Source: C:\Users\user\Desktop\Kapitu.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Kapitu.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1356
Source: C:\Users\user\Desktop\Kapitu.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Kapitu.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6972
Source: C:\Users\user\Desktop\Kapitu.exe File created: C:\Users\user\AppData\Local\Temp\~DFAE0A0F3CEED256A7.TMP
Source: classification engine Classification label: mal84.troj.evad.winEXE@5/4@1/1
Source: Window Recorder Window detected: More than 3 window changes detected
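The process list above is the loader's injection step in telemetry form: Kapitu.exe starts the signed .NET utility RegAsm.exe, but the child's command line is the parent's own path rather than RegAsm's, which is what you see when a parent creates a host process (suspended, per the "Creates a process in suspended mode" signature) and hands it its own command line before overwriting it. The RegAsm.exe process is the one whose memory holds the Drive URL and the NtAllocateVirtualMemory/NtProtectVirtualMemory call sites, and it later crashes, which the WerFault.exe -u -p 6972 invocation reports. What follows is an added example, not part of the Joe Sandbox report, of triaging process-creation events for exactly these tells: image name versus command-line executable mismatch, a .NET framework utility spawned by a binary in a user-writable path, and a WerFault crash report pointing at an already-flagged process. The events are constructed from the report's "Process created" lines; PID 6972 comes from the WerFault arguments, the other PIDs, the abused-utility list and the user-writable path list are assumptions.

```python
"""Triage process-creation events for the process-hollowing pattern in this report."""
import ntpath
import re

# Constructed from the report's "Process created" lines. PID 6972 is taken from
# the WerFault.exe arguments; the remaining PIDs are placeholders.
EVENTS = [
    {"pid": 6960, "parent_image": None,
     "image": r"C:\Users\user\Desktop\Kapitu.exe",
     "cmdline": r"'C:\Users\user\Desktop\Kapitu.exe'"},
    {"pid": 6972, "parent_image": r"C:\Users\user\Desktop\Kapitu.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "cmdline": r"'C:\Users\user\Desktop\Kapitu.exe'"},
    {"pid": 6980, "parent_image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7004, "parent_image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1356"},
]

# Assumed lists: signed .NET framework utilities often used as hollowing hosts,
# and path fragments that mark user-writable locations.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def cmdline_executable(cmdline):
    """Return the executable token of a command line, honouring a quoted first argument."""
    s = cmdline.strip()
    if s and s[0] in "'\"":
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def werfault_target(cmdline):
    """Return the PID WerFault.exe was asked to report on (-p <pid>), or None."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def triage(events):
    """Return (pid, rule, detail) findings; flagged PIDs are then correlated with WerFault reports."""
    findings, flagged = [], set()
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        launched_as = ntpath.basename(cmdline_executable(ev["cmdline"])).lower()
        parent = (ev.get("parent_image") or "").lower()
        if launched_as and launched_as != image:
            # The process image is one binary but its command line names another: the
            # parent passed its own lpCommandLine when creating the host, as in hollowing.
            findings.append((ev["pid"], "image_cmdline_mismatch",
                             f"{image} started with the command line of {launched_as}"))
            flagged.add(ev["pid"])
        if image in DOTNET_HOSTS and any(p in parent for p in USER_WRITABLE):
            findings.append((ev["pid"], "dotnet_host_from_user_path",
                             f"{image} spawned by {parent}"))
            flagged.add(ev["pid"])
    # Second pass: a crash report for a flagged process is worth surfacing on its own,
    # since a failed stage (here, a 404 on the payload) often ends this way.
    for ev in events:
        if ntpath.basename(ev["image"]).lower() == "werfault.exe":
            target = werfault_target(ev["cmdline"])
            if target in flagged:
                findings.append((ev["pid"], "flagged_process_crashed",
                                 f"WerFault reported a crash of pid {target}"))
    return findings
```

The mismatch rule is the strong one: conhost.exe and WerFault.exe are launched with their own paths and are not flagged, so the rule stays quiet on the normal child processes of the very same tree.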

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.18979643782.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.18969783001.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 1_2_00403C75 pushfd ; retf 1_2_00403C76
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 1_2_0040487A push esp; iretd 1_2_00404843
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 1_2_0040480A push esp; iretd 1_2_00404843
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 1_2_00405F60 push ss; retf 1_2_00405F68
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 1_2_00404F20 push 00000016h; ret 1_2_00404F28
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 1_2_004033DC push eax; ret 1_2_004033E9
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 1_2_023B5237 push edi; ret 1_2_023B5238
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 1_2_023B2A79 push ss; iretd 1_2_023B2A7A
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 1_2_023B3EE8 push es; ret 1_2_023B3EEE
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 1_2_023B6573 pushfd ; iretd 1_2_023B6574
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01102F3E push ebx; iretd 5_2_01102FEF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0110652C pushad ; ret 5_2_01106530
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01102F88 push ebx; iretd 5_2_01102FEF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011049BD push edx; retf 5_2_011049D1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01102BFC push edi; retf 5_2_01102C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011007E5 push ecx; retf 5_2_011007E6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01102C34 push edi; retf 5_2_01102C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01102EF9 push ebx; iretd 5_2_01102FEF
Source: C:\Users\user\Desktop\Kapitu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Kapitu.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Kapitu.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Kapitu.exe, 00000001.00000002.17009789446.0000000002C60000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: Kapitu.exe, 00000001.00000002.17009789446.0000000002C60000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.19110033599.00000000012D0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Kapitu.exe, 00000001.00000002.17008948712.00000000006E4000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6976 Thread sleep time: -225000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Kapitu.exe System information queried: ModuleInformation
Source: Kapitu.exe, 00000001.00000002.17009789446.0000000002C60000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: WerFault.exe, 00000014.00000002.19103847524.0000000003038000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWX
Source: RegAsm.exe, 00000005.00000000.18970661644.0000000001552000.00000004.00000020.sdmp, WerFault.exe, 00000014.00000003.19097226827.000000000310F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Kapitu.exe, 00000001.00000002.17009789446.0000000002C60000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.19110033599.00000000012D0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Kapitu.exe, 00000001.00000002.17008948712.00000000006E4000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: WerFault.exe, 00000014.00000003.19097153114.0000000003105000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWC

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Kapitu.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_01109717 mov eax, dword ptr fs:[00000030h] 5_2_01109717
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0110CD70 mov eax, dword ptr fs:[00000030h] 5_2_0110CD70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0110E3A7 mov eax, dword ptr fs:[00000030h] 5_2_0110E3A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0110D408 mov eax, dword ptr fs:[00000030h] 5_2_0110D408
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Kapitu.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Kapitu.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1100000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Kapitu.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Kapitu.exe'
Source: RegAsm.exe, 00000005.00000000.18981440245.0000000001970000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000005.00000000.18981440245.0000000001970000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000000.18981440245.0000000001970000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000005.00000000.18981440245.0000000001970000.00000002.00020000.sdmp Binary or memory string: Progmanlock