{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 1.407
      },
      {
        "name": "AnalysisInfo",
        "time": 0.009
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.001
      },
      {
        "name": "Debug",
        "time": 0.001
      },
      {
        "name": "NetworkAnalysis",
        "time": 0.009
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "hardware_id_profiling",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "amsi_enumeration",
        "time": 0.0
      },
      {
        "name": "suspicious_ntdll_disk_load",
        "time": 0.0
      },
      {
        "name": "direct_syscall_evasion",
        "time": 0.0
      },
      {
        "name": "unbacked_syscall_execution",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "privilege_elevation_check",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "query_fips_reconnaissance",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dllload_suspicious_directory",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "install_kernel_driver_service",
        "time": 0.0
      },
      {
        "name": "malformed_dll_loading",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "registers_vectored_exception_handler",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_module_stomping_probing",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "section_mapping_injection",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "apc_injection",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_mutex",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_named_pipe",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_shared_memory",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "unbacked_exception_filter",
        "time": 0.0
      },
      {
        "name": "unbacked_process_mitigation_alteration",
        "time": 0.0
      },
      {
        "name": "thread_unbacked_memory",
        "time": 0.0
      },
      {
        "name": "unbacked_api_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_dotnet_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_library_load",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_apc_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_protection_alteration",
        "time": 0.0
      },
      {
        "name": "unbacked_mutex_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_process_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_veh_registration",
        "time": 0.0
      },
      {
        "name": "unbacked_com_instantiation",
        "time": 0.0
      },
      {
        "name": "unbacked_crypto_operations",
        "time": 0.0
      },
      {
        "name": "unbacked_delay_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_file_dropping",
        "time": 0.0
      },
      {
        "name": "unbacked_process_enumeration",
        "time": 0.0
      },
      {
        "name": "unbacked_registry_modification",
        "time": 0.0
      },
      {
        "name": "unbacked_service_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_token_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_wmi_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_bind_shell",
        "time": 0.0
      },
      {
        "name": "unbacked_dns_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_network_connection",
        "time": 0.0
      },
      {
        "name": "unbacked_named_pipe_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_useragent_retrieval",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "etherhiding_smart_contract_call",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "decompress_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "ransomware_iocp_asynchronous_encryption",
        "time": 0.0
      },
      {
        "name": "kernel_crypto_driver_abuse",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_extension_hijack",
        "time": 0.0
      },
      {
        "name": "mass_file_modification_access",
        "time": 0.0
      },
      {
        "name": "ransomware_attribute_stripping",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "mass_ransom_note_drop",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "byod_loldrivers_match",
        "time": 0.0
      },
      {
        "name": "byod_novel_driver",
        "time": 0.0
      },
      {
        "name": "byod_post_load_exploitation",
        "time": 0.0
      },
      {
        "name": "byod_driver_service_install",
        "time": 0.0
      },
      {
        "name": "com_spawned_process",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.0
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.0
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.0
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.0
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.0
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "pe_deep_entrypoint",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "pe_cert_invalid_signature",
        "time": 0.0
      },
      {
        "name": "pe_cert_self_signed",
        "time": 0.0
      },
      {
        "name": "pe_cert_suspicious_issuer",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "sigma_events",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "browser_credential_theft_headless",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.0
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.001
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.001
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.001
      },
      {
        "name": "antiav_detectreg",
        "time": 0.002
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.0
      },
      {
        "name": "antiemu_windefend",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.0
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.0
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.0
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.0
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.0
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.001
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.0
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.0
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.001
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "executes_headless_browser",
        "time": 0.0
      },
      {
        "name": "suspicious_browser_arguments",
        "time": 0.0
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.0
      },
      {
        "name": "checks_uac_status",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.0
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.0
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.0
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.001
      },
      {
        "name": "disables_browser_warn",
        "time": 0.001
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.0
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "folder_enumeration",
        "time": 0.0
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.0
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.001
      },
      {
        "name": "infostealer_ftp",
        "time": 0.001
      },
      {
        "name": "infostealer_im",
        "time": 0.001
      },
      {
        "name": "infostealer_mail",
        "time": 0.001
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.001
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.0
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.0
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.0
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.0
      },
      {
        "name": "suspicious_tld",
        "time": 0.0
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.0
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.007
      },
      {
        "name": "ransomware_files",
        "time": 0.005
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.0
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.0
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.0
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.0
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.001
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.0
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "Endermanch_BadRabbit.exe",
      "path": "/opt/CAPEv2/storage/binaries/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
      "guest_paths": "",
      "size": 441899,
      "crc32": "5FA1C9A5",
      "md5": "fbbdc39af1139aebba4da004475e8839",
      "sha1": "de5c8d858e6e41da715dca1c019df0bfb92d32c0",
      "sha256": "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
      "sha512": "74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87",
      "rh_hash": null,
      "ssdeep": "12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63",
      "type": "PE32 executable (console) Intel 80386, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1199412426729EE92D1E1B8F84093E7CC4BB97B090FB991EF9D993485CC79B8319380D5",
      "sha3_384": "af433e4633ca0569362eac3ee889b5348b29852f12064a945a5b4d106b1419d6502c8d9276ac97a0073ff927cbd61757",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\54\\Endermanch_BadRabbit.exe",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00400000",
        "entrypoint": "0x000012c0",
        "ep_bytes": "558becb8ac120000e893030000a10080",
        "peid_signatures": null,
        "reported_checksum": "0x00079289",
        "actual_checksum": "0x00079289",
        "osversion": "5.1",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": null,
        "imports": {
          "KERNEL32": {
            "dll": "KERNEL32.dll",
            "imports": [
              {
                "address": "0x404000",
                "name": "ExitProcess"
              },
              {
                "address": "0x404004",
                "name": "GetCommandLineW"
              },
              {
                "address": "0x404008",
                "name": "GetFileSize"
              },
              {
                "address": "0x40400c",
                "name": "CreateProcessW"
              },
              {
                "address": "0x404010",
                "name": "HeapAlloc"
              },
              {
                "address": "0x404014",
                "name": "HeapFree"
              },
              {
                "address": "0x404018",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x40401c",
                "name": "GetProcessHeap"
              },
              {
                "address": "0x404020",
                "name": "WriteFile"
              },
              {
                "address": "0x404024",
                "name": "GetSystemDirectoryW"
              },
              {
                "address": "0x404028",
                "name": "ReadFile"
              },
              {
                "address": "0x40402c",
                "name": "GetModuleFileNameW"
              },
              {
                "address": "0x404030",
                "name": "CreateFileW"
              },
              {
                "address": "0x404034",
                "name": "lstrcatW"
              },
              {
                "address": "0x404038",
                "name": "CloseHandle"
              },
              {
                "address": "0x40403c",
                "name": "UnhandledExceptionFilter"
              },
              {
                "address": "0x404040",
                "name": "GetCurrentProcess"
              },
              {
                "address": "0x404044",
                "name": "TerminateProcess"
              },
              {
                "address": "0x404048",
                "name": "SetUnhandledExceptionFilter"
              }
            ]
          },
          "USER32": {
            "dll": "USER32.dll",
            "imports": [
              {
                "address": "0x404058",
                "name": "wsprintfW"
              }
            ]
          },
          "SHELL32": {
            "dll": "SHELL32.dll",
            "imports": [
              {
                "address": "0x404050",
                "name": "CommandLineToArgvW"
              }
            ]
          },
          "msvcrt": {
            "dll": "msvcrt.dll",
            "imports": [
              {
                "address": "0x404060",
                "name": "wcsstr"
              },
              {
                "address": "0x404064",
                "name": "memcpy"
              },
              {
                "address": "0x404068",
                "name": "free"
              },
              {
                "address": "0x40406c",
                "name": "malloc"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x00006d8c",
            "size": "0x00000064"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x00009000",
            "size": "0x00007088"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x000689a3",
            "size": "0x00003488"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00011000",
            "size": "0x000001a8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00004000",
            "size": "0x00000074"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x00002ed3",
            "size_of_data": "0x00003000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.58"
          },
          {
            "name": ".rdata",
            "raw_address": "0x00003400",
            "virtual_address": "0x00004000",
            "virtual_size": "0x0000302a",
            "size_of_data": "0x00003200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "7.18"
          },
          {
            "name": ".data",
            "raw_address": "0x00006600",
            "virtual_address": "0x00008000",
            "virtual_size": "0x0000033c",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.18"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00006800",
            "virtual_address": "0x00009000",
            "virtual_size": "0x00007088",
            "size_of_data": "0x00007200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.20"
          },
          {
            "name": ".reloc",
            "raw_address": "0x0000da00",
            "virtual_address": "0x00011000",
            "virtual_size": "0x0000024e",
            "size_of_data": "0x00000400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "3.29"
          }
        ],
        "overlay": {
          "offset": "0x0000de00",
          "size": "0x0005e02b"
        },
        "resources": [
          {
            "name": "RT_ICON",
            "offset": "0x00009254",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.48"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0000a0fc",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.09"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0000a9a4",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.15"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0000af0c",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.58"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0000bfb4",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.44"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0000e55c",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.58"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0000f604",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.02"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0000fa6c",
            "size": "0x00000068",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.72"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x0000fad4",
            "size": "0x00000450",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.43"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x0000ff24",
            "size": "0x00000161",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.80"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Adobe Systems Incorporated"
          },
          {
            "name": "FileDescription",
            "value": "AdobeÂ® FlashÂ® Player Installer/Uninstaller 27.0 r0"
          },
          {
            "name": "FileVersion",
            "value": "27,0,0,170"
          },
          {
            "name": "InternalName",
            "value": "Adobe® Flash® Player Installer/Uninstaller 27.0"
          },
          {
            "name": "LegalCopyright",
            "value": "Copyright © 1996-2017 Adobe Systems Incorporated"
          },
          {
            "name": "LegalTrademarks",
            "value": "Adobe® Flash® Player"
          },
          {
            "name": "OriginalFilename",
            "value": "FlashUtil.exe"
          },
          {
            "name": "ProductName",
            "value": "Adobe® Flash® Player Installer/Uninstaller"
          },
          {
            "name": "ProductVersion",
            "value": "27,0,0,170"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "e3bda9df66f1f9b2b9b7b068518f2af1",
        "timestamp": "2017-10-22 02:33:58",
        "icon": "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",
        "icon_hash": "4e7a653ba0759c65ebb0dea0846c6d7f",
        "icon_fuzzy": "de1ab7c8c8a85281fc2c12e64c7940df",
        "icon_dhash": "c0e492a9acb68a04",
        "imported_dll_count": 4
      },
      "data": null,
      "strings": [
        "PlBr8",
        "%XsK-",
        "_>/>N/o",
        "qu& h",
        "m|$s'",
        "]z_ep]",
        "GzAzK",
        "[}\"s&",
        "ojOX*)=",
        ",!0Sb",
        "HQ$7p",
        "j2+Y=",
        "]ae5n",
        "cM:pm2",
        "1111111111111",
        "`M,/;",
        "z]ZPXC",
        "uj2LO.",
        "74tIU\\(",
        "Durbanville1",
        "w[]Nm",
        "121221000000Z",
        "&.Q):",
        "\"}C8,",
        "oq)Wsi",
        "he7WF+",
        "ugQ~}",
        "QrG0XL 6",
        "\\G.d}",
        "sby'5",
        "040904b0",
        "{^0B(-",
        "l$ntA",
        "O-u}<uZ",
        "kK_}=#",
        "/.))X",
        "=Q02X",
        "lfycrh",
        "IiGM>nw",
        "%56G*",
        "l6qnk",
        "J\\bSW",
        "W$Zph0K",
        "+qx^3T",
        "<C;?*H",
        "@M1m[o",
        "3(Qvb",
        "Kxm<?K",
        "$n#_S",
        "Mv6k^",
        "7lQy9",
        "_;'b4",
        "]737/|",
        "#<Rq+O",
        "lVEQK",
        ";#WX;",
        "qcIL0I",
        "r87*!",
        "=Pq|FJV",
        "U%0E%",
        "N+~0;",
        ">*>x>",
        ";pD-<+u",
        ";9UEL",
        "W#/EH",
        "k.zA%7",
        " f=/&",
        "TerminateProcess",
        ")\\ZEo^m/",
        "3aM03",
        "~MU`?#7\"a",
        "k|iy_#\\",
        "@FR65",
        "k=\\+Ok",
        "a/a_ak028",
        "sf]i| ",
        "oFT;kJ~",
        "+X'jk8zG",
        "20170908235403Z0",
        "F`N[j",
        "Or;n/",
        "\"iH1R",
        "\\vnO^",
        "r[F|V",
        "GI!LSO",
        "F9ZBCb",
        "R+I.(R",
        "7xwcQ",
        "M_i12P",
        "EI:Iv",
        "[\\[u6",
        "Z0X0V",
        "gW!1#",
        "z}^Na",
        "$p?ZX",
        "xi%#g%",
        "GsFr8",
        "@/xJ ",
        "170908235403Z0/",
        "TimeStamp-2048-20",
        "?gA\\:",
        "XrA6Nq",
        "r|r2rH9",
        "Z'8b>",
        "4px5p\\",
        "biFzT",
        "=&r74e",
        "6h?@U",
        "Iw>*;s",
        "&HEW\"3",
        "y\"4}y",
        "p5^\\#",
        "w(!m!@",
        "/FL^-.X",
        ")))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))",
        "fa7G[d@s[",
        "WuQta",
        "OZw3(?",
        "G,@}P",
        "~:~^Q",
        "Symantec Corporation0",
        "s4sq\\",
        "h`ULQ",
        "^H;R_",
        ">oe:x",
        "2s2y2",
        "xPlLf",
        "be2!X",
        "r6l;D",
        "4%FU3&j",
        "8t>}#`o",
        "ijs\"TPv",
        "bR{Q$",
        "[ifk,",
        "O%.n .",
        "hGK~e?",
        "5u+x<#",
        "Pm#s4'b",
        "X+t6>",
        "|XL.{",
        "~,I/w",
        "+HUc1J2",
        "+Symantec Time Stamping Services Signer - G40",
        "ExrQW",
        "O:hI+",
        ";HPU)",
        "hX`4p",
        "@8ExNxCXH",
        "[#X>)",
        "ypl'>de",
        "6R@z15S",
        "7Sp}x2",
        "ZRNg'",
        "s'L=[",
        "PpG_C",
        "$DV\\?L3",
        "CaZR]",
        "A.BS&",
        "i**T(7J",
        "ckk^`^",
        "FxeT@H",
        "OVfK8",
        "]$D\\r",
        "/L h\"",
        "header crc mismatch",
        "-)V9dXD",
        "<w]T}",
        "C\\hs.",
        "ik@E2",
        "RHZ`&",
        "GKq%h",
        "y3+.{",
        "11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111",
        "j@9t:",
        "BBkJa+OA",
        "D'EOD$",
        "C-AI)",
        "<OH63",
        "Fz?Us",
        "A(HMd/",
        "!2b_&",
        "}J!x)",
        "GetModuleHandleW",
        "S:{gvw",
        "incorrect data check",
        "yaAYI",
        "^oEZ_",
        "C89S(u",
        "G~17-u",
        "mqG<b",
        "k3$RoE",
        "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "+I1\\$",
        "oAp}h",
        "0/0o1",
        "buffer error",
        "KPO)X",
        "fzcF M",
        "aW|3G",
        "4l1x2`fM",
        "0J|(B",
        "JJr+2",
        "H*0\"ZOW",
        "*mv7~n",
        "g F0s",
        "Symantec SHA256 TimeStamping CA0",
        "\"vf[jU",
        "G~VSpU/!p",
        "Ce*9b",
        "invalid window size",
        "0 )t(",
        "GetFileSize",
        "}LGY[",
        "#Saa+L",
        ":oXrq",
        "k0@\"90",
        "abSMr",
        "3-2Bf",
        "44|A-",
        "u.FK.",
        "CloseHandle",
        "EJjJXT",
        "1wsHp",
        "_t:lN+XBjRe'",
        ">sK~9c",
        "\"\\%_l",
        "Mzfz=)7",
        "(0&0$",
        ".8y_v]",
        "TRZHX|",
        "image/gif0!0",
        "J>U.5",
        "xq!Xi",
        "+ht9F",
        "g`>t^iIS",
        "1t1{1",
        "D;IB/R",
        "G8J-l",
        "fh8',@",
        " \"__y",
        ",Y{Y9",
        "*]M[@",
        "R1T25",
        " n(OJ",
        "ov;L8",
        "B0\"N#:",
        "90705",
        "ntelu0",
        "#http://logo.verisign.com/vslogo.gif04",
        "#z`!U",
        "``45)",
        "http://ocsp.thawte.com0",
        "TTcJk",
        "(LJ&%",
        "6F'CxA",
        "'A(W GL",
        " 'Y&Q",
        "A%A=F",
        "c{x3j",
        "xw5|ds",
        "KERNEL32.dll",
        ",dv<A",
        "y}k7E",
        "5(51565<5F5O5Z5h5m5s5~5",
        "D|w|Q",
        "195*`Z",
        "$YRBt",
        "32>lS",
        "_yHuY",
        "9v9.9^9",
        "Lp%\\'",
        "6b%p>",
        "gCN=yNp",
        "< -01",
        "0GC~n",
        "%K=<h8S",
        "3Z>^(",
        "X].a~",
        "V]j\"4",
        "X<9p/",
        "lOIOPI",
        "$1%5Ob",
        "GmPFC",
        "9KrVip_H",
        "W`%2HK",
        "|4-N5",
        "o>i(T",
        "Thawte Timestamping CA0",
        "zCbR2?f",
        "*****",
        "3$F2d",
        "!A1oW",
        "M %WH",
        "AM[`#",
        "malloc",
        "yfy&Sk",
        "K7K(b",
        "F?K(ar",
        "\"{dqB",
        "USER32.dll",
        "9VPTp9(wD",
        "Qkkbal",
        "|_0&Z",
        "0cI7Cp@",
        "V/h%}}",
        "_YKZkU=",
        "`1Gek",
        "V-!j1}ry",
        "Z;&*9",
        "RjIOc/",
        "j{ZJ ",
        "S}\\^#",
        "pi[OXO",
        "v4xUg",
        "MG3dA",
        "111111,,,,",
        "$xN(8",
        "280401235959Z0",
        "E2{^)",
        "0BP'. ",
        "M$~oYq",
        "?o9(5;,",
        "YOSSfB",
        "</assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX",
        "MyCvU",
        "hBWU72",
        "dY59%ua",
        "BrV2A",
        ",,,,,,",
        ")ZTSp",
        ".nIi(n",
        "ug[xh",
        "*1sjY",
        "-0+0)",
        ".CqQ7",
        "UcsKV",
        "1-F?r",
        "R1h58",
        "*<z'&l",
        "8!!lx:",
        "b+B-=",
        "uyC%:0",
        "r#PHq",
        "v%~Yp",
        "CreateFileW",
        "/http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(",
        "ml^5W",
        "{^A_b",
        "H[{MfyJ~M#",
        "eMl{c",
        "z)4!{",
        "hF*[f",
        "100208000000Z",
        "r!6\"Q5",
        "]i{#\\",
        "V\\\"UX",
        "[\\o3q`",
        "Is,yy",
        "?g308'",
        "121018000000Z",
        "H%Hc&",
        "fCt\"K",
        "~o>z+}",
        "}&=bw9",
        "V_:X1:",
        ":T;X;\\;`;d;h;l;p;t;x;|;",
        "cAWa/a",
        "Bw&F(",
        "\"cUC\"",
        "k\\oH@k",
        "b%LaP",
        "){1/S",
        "fn]5-]5i",
        ":<U[rzi",
        "u|${R",
        "9#I@r",
        "E*7tq",
        "_5yO;^",
        ",2;'S",
        "      </requestedPrivileges>",
        "a_gFC",
        "<VeriSign Class 3 Public Primary Certification Authority - G50",
        "+x7\"C",
        "m,]Q+",
        "EtG6#",
        "5-f?YF",
        "%/8D%e",
        "E8)6#Yz",
        "bA4i#4|C",
        ")*\"<<$*",
        "Y)(\\,",
        "Cb$?p",
        "\"]hGul",
        "iQ)R$",
        "sL;/Ur>$",
        "C4;K0v",
        "w;l3r=",
        "9O9i9w=",
        "0~)%~A87o",
        "#?Q )=",
        "e_5 >E",
        "2 282?2K2Z2u2|2",
        "AZ`)>",
        "13P;'",
        "~ +VX(",
        "snUw'",
        "~.Z9r",
        "U+Ka`",
        "?LA!>",
        "0/0?0F0b0s0z0",
        "?bW)ps",
        "PcsVQ6R",
        "vsdrp",
        "mslU3",
        "]j1Wg",
        ":Y[[v",
        "_0]0[",
        "Jy`A[f",
        "STAR Security Engines1",
        "}cKmf<",
        "e<VXv",
        "C<8kmt",
        "sXV`h^P",
        "7`[3`_pa^ ",
        "4&btB",
        "`.rdata",
        "Symantec Trust Network1(0&",
        "'OM.r",
        "&J0Qm",
        "FbhYyz",
        "-#d)3",
        "Pm$~cm(",
        "JW^TP",
        "invalid bit length repeat",
        "em@2kg",
        "2E5D ",
        "|kgQP",
        "Symantec Trust Network1503",
        "DV.{/y",
        "180413235959Z0",
        "cPdTZ",
        "pR_yq",
        "nUZ!H",
        "i=]iL",
        "^^9Qk",
        "Symantec Corporation100.",
        "M~0WnnI",
        "[6UU=",
        "\"X0PV",
        "X_^[]",
        "Y}kPS",
        ",E;4=",
        "]',8S",
        "(J82b",
        "uQSDT",
        "https://www.verisign.com/cps0*",
        "~*w9+",
        "Hbm0+9",
        ";biLyf",
        "W*sd5",
        "FlashUtil.exe",
        "QVx&=",
        "d{J3E",
        "+CsS~cw",
        "T1d*`.2",
        "$Xwf^-W",
        "q:p6Lt",
        "Bwz|z",
        "#5s;q+ryd",
        "(w^>#",
        "%xZBz",
        "'!TOd",
        "=:_~_",
        "SetUnhandledExceptionFilter",
        "/PW)4!>",
        ";sL(#=",
        "2Z0vz",
        "gdKMn,Y",
        "Be.O:",
        "m\\\\\\]",
        "QB526&Qrr",
        "Q@)90j",
        "_p[j7",
        "s#ACq",
        "v#f A",
        "\\OXtSU",
        "Qp'\"\"",
        "q3ms ",
        "sgqY$",
        "XBBL$",
        "'Symantec Time Stamping Services CA - G2",
        "5P <V",
        "juP-_",
        "##Y>lF",
        "6=XB*",
        "u[eWL",
        "SU1B&@q8",
        "Vai4Oz",
        "i0g0e",
        ">\"hcS",
        "wl`B8",
        "E>L>I~L~C",
        "M`+qyMD",
        "-nX>f",
        "f?:-v",
        "{|/WL",
        "O*]Ri(%",
        "k,oumE",
        "1h kh",
        "111111111111111",
        "=ERYn",
        "jsC*,",
        "26cCF",
        " Player Installer/Uninstaller 27.0 r0",
        "16.@f",
        "H@3<^",
        "unknown compression method",
        ";YB4S",
        "D&JG<2e",
        "k./sW",
        "MpBKxf",
        " 7hL%",
        ")5eS\\",
        "e5Sww",
        "nR:FF",
        ":#wxb",
        "*FU8LF",
        "odd/(",
        "BvN)c",
        "$i2,g",
        "too many length or distance symbols",
        "z7uG{",
        "Kqkspe",
        "http://sf.symcb.com/sf.crl0W",
        "4{x7Q",
        "%J2'Y",
        "3H3O3[3e3",
        "Sz\\+T",
        "%UzR ",
        "wsprintfW",
        "`;If ",
        "IwHqx",
        "kl#\\wst",
        "\\lERi!",
        "?dt?/",
        "@`<[`",
        "KirSA",
        "!_Z~Q",
        "aS`UB0",
        "`l8KN",
        "!This program cannot be run in DOS mode.",
        "r(~}ag3",
        "~#Lhy",
        "avL3!@9",
        "+daIH aG",
        "\\$'%_8B",
        "VeriSign Trust Network1:08",
        "|PoPm~",
        "g0e0*",
        "VarFileInfo",
        "Q-s&6",
        "]jxdE",
        "8[pPtG",
        "W1j%t",
        "~*bbr",
        "(+ld(",
        "@J0gE",
        ".8&68",
        "#C1U/G",
        "D\\7X<",
        "OHF)+jj!o",
        "|Y('a#",
        "EWajj",
        "nWrr0",
        "1Q1X1d1s1",
        "CI!P-",
        ">ztm\\",
        "X]}Hq",
        "T)EXK",
        "n}#m;!R",
        "A}2Ka|",
        "^(9^$u",
        "_~XtqX",
        "1fVW.B",
        "CegUI",
        "((#3P",
        "ProductVersion",
        "4>v@I",
        "HAF@;",
        "Kf.|Vo",
        "^6u=%C-",
        "z4=na",
        "#vFcJ",
        "n1\"p~",
        "5GN~z>",
        "@\\`;;",
        "*[Gt[",
        "YW<$t",
        "Sq +kw0",
        "[hD,T",
        "11111111111111111",
        "%M|+K|K28/,",
        "+Ur_>",
        "4?3?:\\",
        ")nw:z",
        "200207235959Z0",
        "Pl_5N\\F/",
        "N^RV[\\6yeg",
        ":prlyH",
        "VP uf",
        " 7eb'",
        "eD6nuI",
        "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111",
        "k_6Fa",
        "Q>K(d",
        "N\"\\+X",
        "$OIH<",
        "0dB_P",
        "2x*s8",
        "\\V]_&L",
        "o;C;h",
        "HeapFree",
        "Z0 d<",
        "]~&!h",
        "https://www.verisign.com/rpa0",
        "|Dp@w",
        "vr36@6",
        "Tg'[`U",
        "5++?j",
        "<}VfdQ",
        "[&=d)",
        "xLU=$,",
        "d<zY(",
        "C~/h~",
        "o3Fr()",
        "n#ps'}",
        "x.~vHjI",
        "^~$qL68",
        "0 ,&t(",
        "Gz[y|C",
        "X3ie)",
        "170908235402Z0#",
        "q-FF~",
        " 1996-2017 Adobe Systems Incorporated",
        "e>W@k",
        "U*gU/",
        "\"=hYq#",
        "C*S`$",
        "@6&h\\",
        "|$v1U",
        "[YeMN",
        "yMZVgVV",
        "fD#Z^",
        "m5 QZ?",
        "\\Z^ k;",
        "wJ@NgS",
        "JB`WCQ",
        "$4u'6",
        "ukFjB$",
        "need dictionary",
        "%ws C:\\Windows\\%ws,#1 %ws",
        "[\\)b\"",
        "k;ooT",
        "vcWR`",
        "11111",
        "6#NSt&",
        "^11N_KW\\s",
        "K6/+N",
        "#+3;CScs",
        "DA]q_h\"",
        "Uu?TD",
        "$0bK>",
        "b_1<Z",
        ">yNxcT",
        "H^ <I",
        "TYVXN",
        "&EIs\"EA",
        "SymantecPKI-1-7240",
        "h+=d%7",
        "0N?<:Z'",
        "/ElTD)&",
        "c'o=Tb",
        "ioG~4",
        "U{v,{",
        "pQ3}pg.",
        "170315000000Z",
        "1Hpx0go",
        "J6ubI",
        "JGM^,",
        "pu%M ",
        "R>2m)",
        "is./V",
        "xlxw/",
        "N(9N0u",
        "1Y|&`^6",
        "*DL=!/",
        "-._3d",
        "yu|U#",
        ",$UX%",
        "A-6c7",
        "lPk3{",
        "'({DZb",
        "_Ji4D~",
        "+g&?UH",
        "cH9@!",
        "W~yx|",
        "D\"`\"`J",
        "-k%y\"",
        "3mYxBGe",
        "8f^y;\"",
        "}UBe.",
        "0hQ.08",
        "240721235959Z0",
        ")kbOy",
        "W'@cX",
        "0Ysw-|",
        "qxA&D",
        "-@Ltu^",
        "6?X 'S",
        "data error",
        "&LAAN",
        "Ed,G/X",
        "|{nr{La",
        "S3pZ9aZ",
        ")>Y;PS",
        "]{[gk",
        "Genuu8",
        "Ltcm}]h ",
        "2t;:~_",
        "j| d#@",
        "vjH$.",
        "yt\"{rXx",
        "~9NzY",
        "2yb=LD",
        "Vb4v0[",
        "[XRFu",
        "3Jz!-",
        " L,<1",
        "wnO?S",
        "Symantec Trust Network110/",
        "j)e[\"B",
        "] !EN\\m",
        "51=o>g7RxQj=",
        "MtO!:",
        "11GDM",
        "4!Ck\\",
        "[>4jY",
        "-p8eg8B",
        "QMZ:P",
        "Bhz_I",
        "zu1o)",
        "/MJ^B",
        "2Terms of use at https://www.verisign.com/rpa (c)101.0,",
        "4<B>H=",
        "4s/*u",
        "eM\\^_",
        "U9M)B",
        ".rsrc",
        "J^BrH",
        "&U/TH1",
        "%VeT@",
        "$q>fd",
        "gY\"sm",
        "+KDqO",
        "mj>zjZ",
        "W\\:}MO",
        "@<p8I!;",
        "eFrGz`0",
        "nS$70",
        "5s!7g",
        "Y'mc?",
        "P)k+k",
        "-Xe_J",
        "50301",
        "Rb||c",
        "CL;:?,a",
        "tRZYh",
        "http://ts-ocsp.ws.symantec.com0;",
        "Ld1/X[)?",
        "TEv+Y ",
        " Player Installer/Uninstaller",
        "dt9q9<oDf7",
        "WCS_g",
        "t3M^/j",
        "Y!416U",
        "Vwnr!",
        "OjK}bu",
        "q=(F_",
        " ^lS}",
        "N-2M+",
        "x|&^2l",
        "0\\TdB",
        "b7iYU",
        "85MxAF",
        "JhgMy",
        "tQkd@",
        "|\\'&o-",
        "#O2?1",
        "fga{t",
        "2lRDS",
        "TMV1f",
        "f(A4%",
        "uF2qo",
        "\"t.+s",
        "!u|FA",
        "2#w /e",
        "1Pa%[",
        "PuD>t",
        "7m~:`",
        "~\\S[-",
        "iocoe",
        "~\\Qw]=",
        ":;x?=",
        ";*~KN",
        "j]ZC5",
        "kR[Bxw",
        "4[6Xz",
        "https://d.symcb.com/cps0%",
        "$z@{H",
        "_ntER(jNI",
        "S@;Q s",
        "i_Pu^r",
        "invalid block type",
        "%jw8`@f",
        ",?5^luWrm",
        "mi==m",
        "0_xBxI",
        "Dsi}m",
        "\\33i8zN",
        ">du#M",
        "8F=Gm",
        "'4GI(P",
        "%H+K-",
        "(~Xt8",
        "=R\\i\"",
        "j48k2",
        "EwQt[5",
        "CM-#t",
        ".9`FB",
        "cW\\OS",
        "C9?T$*",
        "~_@u[",
        "}j69Z",
        "e 9b&",
        "<|CeSI",
        ";81AP",
        "#{Q=r_l",
        "{E<Q~_",
        "xLd$!xZe",
        "s{6mZe+.",
        "guU)Ni\\|",
        "3`S 0",
        "MGml)",
        "76j9B",
        "!=x!l",
        "K:D*#U",
        "%VeriSign Class 3 Code Signing 2010 CA0",
        "^<r-Z",
        "z!w~V",
        "Adobe",
        "i4/ruR",
        "_)9F^Ag",
        "ineIu(",
        "\\p?^tS",
        "`[A@Bo",
        "{<v\\l{",
        "'L'M(",
        "i8#VG",
        "Ch;C\\r",
        "~H~kr",
        "b5t>a",
        "'M7[/",
        "cJLfw.",
        "9JXeb",
        "8}ypE",
        "p|Kd=W~",
        "Q>i_0",
        "gFrkS",
        ";-L#s",
        "o{c=&3",
        "ProductName",
        "137S3O4",
        "$c=|'",
        "0)REn",
        "mk-kko",
        ",&5?b",
        "~%`r}",
        "CVh*3`",
        "yVU.S",
        "_|wRJ",
        "GGQIG5~",
        "|z+VG",
        "9|%ah",
        "Kg||ZJ",
        "%P%</vb",
        "L\",>G",
        "6Tvb1q",
        "oLlg{",
        "OB#:0",
        "gKpK5",
        "h#r:P",
        "U\\22T<UL",
        "#y?g$",
        "[\"[?$",
        "FileVersion",
        ":U:`Fp;]}",
        "3/}doz",
        "\"NF5g",
        "Z0_%r",
        "3&@{T$i",
        "o_znD9",
        "O%#H(Q",
        "&+;]ah",
        "Oh;BW",
        "_Fmv@",
        "na5K+",
        "S@;Q(s",
        "incorrect length check",
        "NqclX",
        "3O4?c",
        "6Uy@?",
        "+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<",
        "1(c) 2006 VeriSign, Inc. - For authorized use only1E0C",
        "V6dQV",
        "QOOOtD",
        "xf8nh",
        "]5W4c",
        "I-B(O",
        "u\\rll\"",
        ")))))))))",
        "gSt}5",
        "\\pm2z",
        "<6L+5v",
        "]/pqB1C",
        "iWmw?",
        "LHTQl",
        "bJ*;;",
        ">'^y0SxV}",
        "\\}$Cb2L",
        "#VvDt",
        "EzE\\3",
        "[0D>|{T",
        "fj26z",
        "~Do7Q",
        "!w88b7",
        "{Z]9@|_",
        "PqIIi4Zb>4",
        "xr01}",
        "_i,*)",
        "QLJ1x",
        "{iTtb",
        "%VeriSign Class 3 Code Signing 2010 CA",
        ">5ae ",
        "ExitProcess",
        "HLe~:",
        "InternalName",
        "/vFo@:",
        "%v@bwX",
        "))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))",
        "[1\"&{",
        "]3ytE",
        "TP'YT&",
        "/p[A:6",
        "invalid code lengths set",
        "8yi\"V",
        "msvcrt.dll",
        "GetProcessHeap",
        "/>f:S",
        "RR#;\\]9",
        "CreateProcessW",
        "{GTU;",
        "O=kEe",
        "w@b6?",
        ">:*`U",
        "9&9~%",
        "RT!Hr",
        "+g$2&",
        "mDfn#X",
        "GetCurrentProcess",
        "GrkCD",
        "cOc*9fg",
        "~Iiq9",
        "0NHK<",
        "201230235959Z0^1",
        "^Bi5$",
        "FiPL^",
        "209>6",
        "ys!WA",
        "TEj 5",
        "aMqpEc",
        "y(&}E",
        "`zgS|cBS",
        "1`1H3T3u3",
        "y%L!h",
        ":d`0~",
        "`Lj!$",
        "U}6bU",
        "Vp)zE",
        "SHELL32.dll",
        "J}&<kQ",
        "yy~|e",
        "00wi3nZ",
        "80604",
        "?N2KpwO;@",
        "2mF6>Z",
        ")))))))))))",
        "zE9U?",
        "QHKJx",
        "\"&I$s",
        "_}pr3m",
        "$wVp;vN",
        "WNPNLNENS.T",
        "PdI/?",
        "(Symantec SHA256 TimeStamping Signer - G20",
        "170102000000Z",
        "Uh_@ `",
        ">C4p{",
        "I?y#a",
        "[+8I+",
        "S$P]~",
        "]BJYl",
        "-FjRkN",
        "<7Dk|",
        "U<@K\\",
        "\"6xp)\"",
        "infpub.dat",
        "xm <T",
        "#3R T",
        "mJzaU2",
        "Translation",
        "O*9y]",
        "e<B-x",
        "WL4'|N",
        "A%T*-",
        "U5)J_",
        ",,,,,,,11111111111",
        "f|Ml9",
        "MB3QZ6",
        "JtNt[T/z%",
        "_$n?C",
        "u-u#u",
        "DM1AR\"",
        ",Symantec Class 3 SHA256 Code Signing CA - G20",
        "g\"lX-",
        "!,8!>2",
        "_\"ebE",
        "72KD&%",
        "gl'Hm",
        "^h$ng",
        "2|(PB",
        "Wzm)I",
        "@Q+QVv",
        "n.kG)A",
        "FM*s~",
        "|U?F9",
        "\\RE?^",
        "b2)E6",
        "O,i(B",
        "w)#O.",
        "yIc;o",
        "7LJLSP",
        "G!7I~",
        "wI{*Q",
        "RL[%]A",
        "^xv0<",
        "http://s.symcd.com0",
        "S:sMby",
        "5 f7!",
        "GlKh{m",
        "<\"LX4",
        "%UaDn",
        "[^*g7",
        ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",
        ",,,,,,,",
        "e2 e*^",
        "ML\"]l",
        "\\x]&w,B;",
        "F5_1b",
        ":N1rY",
        "-!g%h",
        "zw4xw",
        "/0-0+",
        "B<i'W",
        "8g0<-!",
        "TimeStamp-2048-30",
        "eC0A.}",
        "@FRf'",
        ",Symantec Class 3 SHA256 Code Signing CA - G2",
        "invalid literal/length code",
        "http://rb.symcb.com/rb.crl0W",
        "4{2y[",
        "M0$E1f3j",
        "1BCNI",
        "fc{b^~",
        "&]mvM",
        "\\\"R_d",
        "FP3&F49",
        "bJi]V",
        "1(c) 2008 VeriSign, Inc. - For authorized use only1806",
        "5qhb~",
        "39;v&:",
        "      <requestedPrivileges>",
        "h*\"UW",
        "vZCs_",
        "DIx'\\",
        "m''. ",
        "111111,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",
        "8J)I\\",
        "rXt#R",
        ";j2</E",
        "Dl!\\}",
        "http://sf.symcd.com0&",
        "'C<[b6",
        "4GM%L",
        "]a1jtC",
        "_0QG4",
        "BZGF5",
        "http://s.symcd.com06",
        "e=.oZ",
        "/1(0&0$0\"",
        "=Ri(czO",
        "|p|azh",
        "aeSWl",
        "5 LOF",
        "dA3rVv",
        "`7U{X{*",
        "G(&q}",
        "d@4F=",
        "z.`fM",
        "uM3 R_",
        "f {A${;4",
        "1111111",
        "\"HXHHXHIH",
        "&ce/F",
        "k1i@I",
        "GetCommandLineW",
        "&)Ap:",
        "invalid literal/lengths set",
        "a6s-^n",
        "zIR_n3",
        "qg\\.#",
        "\\cnGnW",
        "D4I5E",
        "@s}1U",
        "h~h\\U",
        "HF+/w{O?",
        "jyf(3",
        "v9#z ",
        "L*a XG",
        "@=E`z",
        "mxfR<",
        "3}AmoU",
        "Symantec Corporation1402",
        "{IGXw",
        "6:w}a1",
        "zR|kq",
        "56?>?H",
        "V(d(BW",
        "w{/NZ",
        "]3~F&u",
        "I%iWL ",
        "Wm'b+",
        "C:\\Windows\\infpub.dat",
        "393qe",
        "<saP8",
        "Y+C4+",
        ":c>jb",
        "3PN{Y",
        "X1AE~",
        "b2=|l",
        "/Sn4G$eX",
        "[T%-\\<",
        "%\\4*<b\"]q2-",
        "/gOK{g",
        " Player Installer/Uninstaller 27.0",
        "P@\\/^",
        "\\t_)=",
        "]0F~C\\",
        "klcm:",
        "\"hFPS",
        "Thawte1",
        "2tM%o",
        "2PqUv*",
        "+U5{x",
        "N~ygP",
        "Ugxs2*j_",
        "wW*OfJ",
        "\"yy \"@",
        "v,#3{",
        "Symantec SHA256 TimeStamping CA",
        "*\\62if",
        "3'\\lPFI",
        "O+u|zC",
        "*t}bw",
        "Copyright ",
        "^Wk)ux",
        "@*@=#",
        "8\\h+?",
        "{)--)",
        "`b`n`i`f",
        "3#3?3",
        ")dpo?^",
        ".http://crl.thawte.com/ThawteTimestampingCA.crl0",
        "+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(",
        "+Ls;/",
        "T`ga~",
        "{'m5y",
        "\\`x*7Qw",
        "111111",
        "l1 x$",
        ";?K}3}B",
        "140722000000Z",
        " inflate 1.2.8 Copyright 1995-2013 Mark Adler ",
        "}w_^+",
        "%m/Dt",
        "bVg&[",
        "uD4JZ%",
        ">x&A\\",
        "-Qd_E/%S",
        "btR&F",
        "Oee%,",
        ";HIWc",
        " Player",
        "'}ouj",
        "&N9/E",
        "24+kR",
        "N@fW@i",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">",
        "?0=+!",
        "U{~NV",
        "yF!<#;",
        "\"o~X~",
        ":NZv)hX",
        "V9W6}",
        "0cWMIw",
        ":fru8",
        ",,,,,,,,,,,",
        "unknown header flags set",
        "_<9sf",
        "uF J$",
        "z?[c,&",
        "4f,p9",
        "/!!x|c",
        "@.data",
        "    </security>",
        "JNZ-j",
        "47;L}",
        "gw1)V",
        "`\"!p-",
        "6~ZDa",
        "%xOMv",
        "^OY:L",
        "XyQ'%eC",
        "1\\\"s\\",
        "z-)y>",
        "Rh@m@",
        "nO7r-",
        "$dq!C[",
        "Thawte Certification1",
        "GetModuleFileNameW",
        "[}g(L",
        "Duo%7L",
        "+V\\^KC",
        "yWbzF^Lr",
        "t>Qj'",
        "insufficient memory",
        "Jw>!!U",
        "mkY4IT*",
        "PUF!Q{",
        ".mDk6",
        "IaL`)",
        "_4_FE",
        "SQK N",
        "d?H.ho=",
        ")))))))",
        "Icq5L%",
        "M86ZV",
        "BD*TD",
        "W[,Qk",
        "ovHO^d!9",
        "=Rgm%\"x",
        "?Lfur",
        "n!F3}",
        "pT,_j",
        "5hq4I}p",
        "zuYO!",
        "TWj(5",
        "l\\*mA",
        "-'J;J/J'",
        "OriginalFilename",
        "lstrcatW",
        "1_v=d",
        "~=~3~",
        "f`k\\ ",
        "Mcz}{",
        "75\\#r:",
        "http://ts-ocsp.ws.symantec.com07",
        "9|$(t",
        "_' )d",
        "<l#`@",
        "<Y2O&",
        "kKqzmq",
        "'pCude",
        ";o[hBv",
        "Qgk5\\o",
        "invalid distances set",
        "tJWj1",
        "EOKGV",
        "af+Pm2",
        "~94{~",
        "R~Ri<",
        "-BECs",
        "H9B42Kk",
        "8z}#K",
        "CompanyName",
        "K>,=0",
        "JQScV",
        "4X}4wG",
        "*HqDZ}R",
        "stream error",
        "D:<Vane",
        "~1_Pwe",
        "fg+ ?",
        "2N>B3i",
        ".qx&Ou,^:",
        "OSs){",
        ".M|\\;",
        "&PUQnpqx",
        ")RkCg3y",
        "uQ+&L",
        "EPQ_##",
        "0G0\"Z",
        "\\LY20M",
        "171217235959Z0",
        "lOw8Ow+OW",
        "Y:dLM",
        "O<,r_",
        "ojpGU",
        "$ypuwtsl",
        "dsO<x",
        "k7T~^",
        "(]%fC1",
        "California1",
        ";1U{X",
        "d2{FMO",
        "$<%p2",
        "TCNhE",
        "44}Oo>g",
        "6!7/7",
        "\\8_]r",
        "V<3,'",
        "5T6Z6",
        "    <security>",
        "3yVs-",
        "/VeriSign Universal Root Certification Authority0",
        "M}A1 ",
        "\\f*Y4",
        "N27W|",
        "m[AJdXo",
        "]1(1>",
        ".}xy;]Z",
        "=-5aJl=",
        "'/cxJ",
        "vVq!S",
        "ewh/?y",
        "_j(.B",
        "K\"w4}",
        "Eos;Y2",
        "?pY=Yo,#",
        "_[C`K",
        "5P\".#",
        ":\"-e3uL",
        ")^Vi9",
        "0Xx>efj",
        "!UTC3",
        "&0`T8w",
        "@oC/\"",
        "aW^d#",
        ",,,,,,,,,,,,,",
        "veAg*",
        "WDvMF",
        "x*& =",
        "*9^xRQ",
        "24j\\v",
        "$0\"0 ",
        "Fpb&-_?W",
        "IAgXM",
        "fQ6p:",
        "161216000000Z",
        "9AZ$Jc",
        "U/9TV",
        "lRaiK",
        "@=K,P",
        "Bk\\_Y",
        "xT:pU",
        "H1rf$",
        "[5b1nat1n",
        "111111,",
        "ZFuS,",
        "~!u ;U",
        "zB\\m!",
        "WriteFile",
        "cH1F{",
        "http://rb.symcd.com0&",
        ">?~5S;z",
        "!<0@5",
        "t0I7Cc",
        "&;7MyQ",
        "e[Nga",
        "K8F(!",
        "mV/aY",
        ";\\LxS",
        "FLM`*",
        "3538.",
        ">?!+r",
        "|>]7_:Lc<",
        "noqrN",
        "jc23={",
        "A[\"u@",
        "&c@#pl",
        "UM=rV",
        "}7Iz!",
        "tR^0K7",
        "+D$(;",
        "B!YNk",
        "B#Z(:",
        "z;T0S",
        "j(')W",
        "G6+H4",
        "(Symantec SHA256 TimeStamping Signer - G2",
        "QxK%M",
        "/v7) ",
        "6Dd11dC",
        "~;~[o",
        "S%W+K",
        "e5[iG@",
        "StringFileInfo",
        "q']N&",
        "-O[Bb",
        "VhJHt>",
        "7DN2E",
        "KcEpq",
        "SNyWi?J",
        "_[`ol9%",
        "]FgX0",
        "http://ocsp.verisign.com0",
        "1A26b",
        "x BpA",
        "siF.G.~",
        "9_uo+",
        "*h)74Zdu",
        "jq9TF",
        "ryE9,x",
        "K)l^t",
        "lEDa$",
        "~M8*[",
        "8,cSL",
        ",,,,,,,,",
        "!]/Bk",
        "6gQ-dS",
        "nj)r\\Rx?Jj",
        "XtqW]*",
        "xVwy!",
        "GetSystemDirectoryW",
        "x'-LM",
        "$3*)^",
        "w(<6p3x0",
        "ATbf`",
        "NNU``",
        "MB-\"H",
        ")qVt8u",
        "VeriSignMPKI-2-80",
        "hN;OOW",
        "310111235959Z0w1",
        "&Z5=8",
        "r>C9;",
        "aUQl@",
        "wpM7z",
        ")))))",
        "Symantec Corporation1",
        "{q+&$L",
        "m1;B5",
        "y>/{mxT",
        "HVTT`x",
        "T}vw#",
        ".lQmR",
        "8].|2",
        "jRElC",
        "DQz]JwL",
        "k0i0*",
        "incorrect header check",
        "ak2)NGy",
        "eC#{@",
        "l*('_g",
        "/Z{J_>#5",
        "~u)|o",
        "V(@*K?2R",
        ".text",
        "j#a4hjC>;",
        "&EF%Z*",
        "+7'9#",
        "7)H*r}A",
        "2}1?w)",
        "jIgH-",
        "m,(6Jb_3",
        "LpH+x}k",
        "iN;}u",
        "QQ)Vy",
        "mZLvGa`",
        "VeriSign, Inc.1",
        ">Td&/",
        "Uf6fR=",
        "5-WnA",
        "\\O#|V",
        "l:`#U",
        "3A>Y!",
        "file error",
        "N`bb\\zi",
        "BIVXPh",
        "#rTb:k",
        "[-&LMb#{'",
        "<Fy<F",
        "DQ2(]",
        "(}_=D$",
        "2N=g<7",
        "\"^:@R",
        "sEZE#D",
        "Fj|dp",
        "lR,jA",
        "VS_VERSION_INFO",
        "my,3\\",
        "M\"sU/",
        ")!i?O",
        "s'EtEDW@ts~L",
        "Yv\\{F",
        "2gkCX",
        "invalid code -- missing end-of-block",
        "(F@Qj",
        "^\\w*J",
        "C3PIN+",
        "(IhE|dZ",
        "'!Qomh",
        "~v5Gz",
        "h{7}.",
        "n5LFl",
        "0lg`X",
        ">F~9%:{",
        "`Pah=",
        "2{o]Q+;",
        "VV9HR",
        "?$2\">",
        "PyRwqk",
        "5'+VG",
        "vH\"!Y",
        "0A+_!",
        "I% Ni =%",
        "G9^4u ",
        "<M3PY`",
        "$;3.=",
        "WX0B6",
        "xkWfT",
        "\\s<(O#'L",
        "<sxn%\\",
        "V=k/U",
        ">#8&b55",
        "Yzl>s",
        "MiVIrnU\\",
        "-K|S:",
        "`gw:tj#",
        "https://d.symcb.com/rpa0@",
        "5&,RL",
        "93\"%5",
        "]*5#b7QT$",
        "!H8K&",
        "#FGaD",
        "gRCr6",
        "LAX\"U",
        "mlVrp",
        "invalid distance too far back",
        "Fast decoding Code from Chris Anderson",
        "Rgn=,",
        "$e6`2",
        "K:;Y0",
        "8I2j!",
        "]2j\"!!1",
        "Jp?Jn",
        "a'[Q6X<!D",
        ":w(^I",
        "mZ@\\q",
        "Ss]ni",
        "%L[?}",
        "Mk/B3>",
        "CE>c7",
        "lMmpk",
        "6cax^",
        "v~~tQB",
        "$1HML",
        "q/}Z}6",
        "Xj;ci",
        "Ki]j]H;\"u",
        "CIwV*",
        "cPV<!",
        "PR0uLK",
        "B%8JP",
        "j(R<o",
        "T2h\",8`I",
        "3yk&v",
        "%http://s.symcb.com/universal-root.crl0",
        ";D<S<",
        "I\"H9~",
        "n;Li/F2",
        "Z0+|)",
        "+N\"|S!",
        "gP\"Z_",
        "AER:L",
        "x\"pYUb",
        "Y0oG{",
        "3.X.-",
        "Bo.}%",
        "#*d&2",
        "zd:R|",
        "aaPlWIsV",
        "&N4I)?",
        "`0@8@",
        "&0$0\"",
        "rLRNe",
        "m&&6)T",
        "%pc4G",
        "WSS#:655",
        "=ym>q",
        "A_?_D4",
        "0yK%?",
        "x}7S\\C",
        "`]ujTU",
        "fzeEL]",
        "HeapAlloc",
        "\\qqo~",
        "oG;o9>",
        "];O|~",
        "xKVgc",
        ":p+fW",
        "0&Q8Fd",
        "j(st[",
        "NJ2\"v",
        "$mq,e",
        "!F[M|N5f",
        "TQ.\\\"",
        "pGzse",
        "dZPLx",
        "kU8xs",
        "c/?<lE",
        "<}AzaDN?s",
        "1^$Lb",
        "s9->L",
        "V:D79A",
        "#nhzh",
        "LZbn.",
        "6Sh~j,",
        "; ;$;(;,;0;4;8;<;",
        "frfVugC",
        "#P7X8",
        "LegalCopyright",
        "NUA`-",
        "KGF<Uw",
        "t`9>Y",
        "7Iujr",
        "@UttA",
        "-Bon&",
        "4]'zc",
        "G^[5S",
        "+++++",
        "6Al|{",
        "KR]{n",
        "E6Iz:<",
        "V]?-m",
        ";Q9?N",
        "kQhxa",
        "F|J|O",
        "$x)x#",
        "<x;x'",
        ">'yWV",
        "@oeA<",
        "Kl?RH",
        "LegalTrademarks",
        "%]Vbb",
        "<(u!M)",
        "J_Xy)",
        "0OzZ8h",
        "tjWVj",
        "0|{X,",
        "[ YuJ",
        "qTys>",
        "V@huX",
        "#}XCy",
        "W[Jjn",
        "https://d.symcb.com/rpa0.",
        "wn>Jj",
        "@5E#^",
        "FileDescription",
        "}AWp(",
        "`10r83\\",
        "p6ZvvZ",
        "K'0i0",
        "u<^ag",
        "1+vxR",
        "Ydk{g(B7Hj",
        "F]/$A",
        "G7ez6",
        "#uXHh",
        "KRiD9",
        "r,q.9$",
        "rNCz=E_F",
        "Ii2VU1Y",
        "ylx6.",
        "~~(Q$f",
        "Km&:X",
        "FlxGH",
        "x3DN=",
        "+cifu",
        "Adobe Systems Incorporated",
        "fQuiwMs",
        "X63<A",
        ",m,T*J",
        "-- f'",
        "wkPSQR",
        "sjO`V",
        "E=/~gcz",
        "MZqJC",
        "ReadFile",
        "Za6X?",
        "T=*tO:~9",
        "UnhandledExceptionFilter",
        "t'$hY:",
        "1.2.8",
        "Dtomr",
        "https://d.symcb.com/rpa06",
        ",[g[g",
        "CmZNbv<",
        "-nD{!",
        "c4p6Kh",
        "eNR9Y",
        "F?D?F?M/",
        "        <requestedExecutionLevel level=\"highestAvailable\" uiAccess=\"false\"></requestedExecutionLevel>",
        "rSy+vf.+",
        "P+RcU@",
        "KRC(c",
        "0r0^1",
        "22DM8",
        "\\rundll32.exe",
        "ZbEDrxl",
        "wcsstr",
        "pEuI?",
        "/http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0",
        "6._~6h",
        "W k(;D",
        "@[1Bf",
        "m<{[z?)eI",
        "[RK8q",
        "#bML\"",
        "O#r\"+)",
        "X4EC^V.",
        "invalid stored block lengths",
        "}c9g\"",
        "lT%X70",
        "++++++++++++++++++1111111,,,,,,,,,,,,,,,,,,,,,,,,,,,,",
        "8sq@<",
        "rvHz>7",
        "]B=\">",
        "nnMOc",
        "/0nB^",
        "|Br/M",
        " yTCR",
        "<>3o\"!",
        "\\;TV nvA",
        "-L<vve",
        "Bwwe>",
        "Z]a`G",
        "VeriSign Trust Network1;09",
        "pHp<v",
        "`?sD;\"l",
        "1~1H5",
        "NXZt'",
        "IQ0|?",
        "-Z+.v",
        "iwXU8Oo",
        "o+L^k",
        "s ,dkV",
        "O>|\"*",
        "}4q i",
        "5|n5E",
        "@f[m;",
        "\" ?r?h",
        "y3Q`9M",
        "SY:$zHE/q",
        "3JJ`6",
        "  </trustInfo>",
        "<A-Mg",
        "W^~wyx-",
        "Pykpw",
        "P&=D\\~",
        " Flash",
        "g10gB",
        "rz~CL",
        "Mountain View1",
        "invalid distance code",
        "TimeStamp-2048-50",
        "LL+!_",
        "Western Cape1",
        "*U`QkZ=",
        "U9RKZY",
        "Z2Hck",
        "'Symantec Time Stamping Services CA - G20",
        "la/LL",
        "&qx%|",
        "by~@n_",
        "l1fj(",
        "201229235959Z0b1",
        "j)6G\\",
        "[><5'",
        "?0(%%)M",
        "-RhM%`",
        "[jeNK",
        "#*|DY",
        "yE7P4z",
        "7NuE_Mx",
        "C?VQ!",
        "'jC9p,",
        "%MR6o",
        "]m!/Dm:",
        "%j^~[",
        "Y&CY]a",
        "A-:?F8",
        ";,WE\\I",
        "00$,%",
        "&7p}b",
        "@.reloc",
        "111111111,,,,,,",
        "} |U%",
        "\".oRuQ6\"",
        "$w5jU?",
        "http://sf.symcb.com/sf.crt0",
        "V+s[X",
        ",P]?p",
        "(-#?[p(z",
        "QR{]wr5",
        ">DDMw",
        "/ r;z",
        "H+|sa",
        "U(zaOq",
        "w+OQvr",
        "oK i]",
        "HC;6R",
        "`qgy^",
        ",{l`KtC",
        "TSc_m?F",
        "`=@<V*",
        "8Uu3;",
        "6QzGM",
        "wx<$@^",
        "n6uvv",
        "KypW:",
        "h.`U7",
        "%2akZ",
        ",,,,,,,,,",
        ".K/&>",
        "Lby=`M",
        "l[4V{q>",
        "+{ *p",
        "H~`De",
        "dD]vjg",
        "jVfc8\\@OeU",
        "160112000000Z",
        "O-'^Cm1K",
        "F'G|:ef",
        "y5v)X",
        "incompatible version",
        "z8,Kd",
        "2`B\"n",
        ")@lXu",
        ".PP5ti'",
        "j&mw9",
        "ZFG(N",
        ")'PS\\",
        "md,1{2r",
        "|FL+7Hl",
        "Fp@;)_X){",
        "vQO+t",
        "stream end",
        "qhr_KH",
        "TimeStamp-2048-10",
        "ZaY9\\)",
        "[0Y0W0U",
        "Xt3H8",
        "W)\\Mh",
        "hr.0r!#",
        "B!OP_",
        "'pcrB",
        "a ~6D",
        "#http://crl.verisign.com/pca3-g5.crl04",
        "' Swj>",
        "4WggK,",
        "sAvH!\\NG",
        "LkG&c/WG",
        "xzcJPU",
        "'=seM",
        "c#o3&Q",
        "CommandLineToArgvW",
        "eg[{gk",
        "u0tE'z",
        "ybo8Pz#",
        "3nyFy",
        "27,0,0,170",
        "u0`|0",
        "HF,/^",
        "RX&#q",
        "5n|DB",
        "%#QzV",
        "R) U<",
        "M_ P'",
        "]qW9Z9",
        "vK]CSK[GWO",
        "b_C,Y",
        "v'4|*bJ",
        "OtBy&W+",
        "XqX,y",
        "F* ($,\"*&.!)'",
        "_.Rlb",
        "FSqF\"",
        "D44PT",
        "=0>#$",
        "n5\\}D",
        "OA;o2",
        "https://d.symcb.com/rpa0",
        "http://rb.symcb.com/rb.crt0",
        "lw+NK%",
        "Z,8,Z",
        ";3|[[C",
        "{oMsd/",
        "9a919I9",
        "kgXM{",
        "j|i6/{:",
        "x9'z[>",
        "dE$zc",
        "+R@@G,",
        "memcpy",
        "LT.^E",
        "Vx:f1f",
        "EIa'6",
        "J0R%T",
        "^@C*,"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "selfextract": {
        "overlay": {
          "extracted_files": [
            {
              "name": "1a7d43d26b387d2689407d643a2127dfe11ef1118204243c11498d4f2890404d",
              "path": "/opt/CAPEv2/storage/analyses/54/selfextracted/1a7d43d26b387d2689407d643a2127dfe11ef1118204243c11498d4f2890404d",
              "guest_paths": [
                "overlay"
              ],
              "size": 385067,
              "crc32": "94277587",
              "md5": "829c177d1421b4ba42e8e205abd93f10",
              "sha1": "b78aa273eb1cab4254dfe7dc1fe432bb3049dc0d",
              "sha256": "1a7d43d26b387d2689407d643a2127dfe11ef1118204243c11498d4f2890404d",
              "sha512": "0bfaefa42369fdd41b07f5bdfde22ccb4addae89dc089762758c5d4c93329d07b32d4bf07e41332d463bd84fa988857ab4f2e6a01f5d3a5f86492444391d3ade",
              "rh_hash": null,
              "ssdeep": "6144:29IluMpvLbqWRCrHZKfE4gbPBDJyZ0pr82ee58kMGJzc3lB6qPdmCtmWWvJN:26pLbqWRKHZKfErrZJyZ0yqsGO3XR63",
              "type": "data",
              "yara": [],
              "cape_yara": [],
              "clamav": [],
              "tlsh": "T12784234B7B2AB835244BD5495660DEA04FB9F381AAF43EDF70F8A0D30BD83853726519",
              "sha3_384": "4e440eb58014c6bc43854fd49cd31c23c0f3308a8b1881d4a937059d94e04fa3c10caa147bc3f21066b65353a17a5606",
              "data": null
            }
          ],
          "extracted_files_time": 0.00284405699949275,
          "password": ""
        }
      },
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "CAPE": {
    "payloads": [],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-06-29 11:55:03",
    "ended": "2026-06-29 11:55:26",
    "duration": 23,
    "id": 54,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 54,
      "status": "stopping",
      "name": "win10",
      "label": "win10",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-06-29 11:55:03",
      "shutdown_on": "2026-06-29 11:55:26"
    },
    "package": "exe",
    "timeout": false,
    "tlp": null,
    "parent_sample": null,
    "options": {
      "vnc_port": "5900"
    },
    "source_url": null,
    "route": "internet",
    "user_id": 0,
    "CAPE_current_commit": "394455c2cd85889fb0782bfcf1f8c5c2f7f77b46"
  },
  "behavior": {
    "processes": []
  },
  "debug": {
    "log": "2026-06-28 14:55:57,752 [root] INFO: Date set to: 20260629T11:55:09, timeout set to: 250\n2026-06-28 14:56:02,289 [root] DEBUG: Starting analyzer from: C:\\7d7wfxi0\n2026-06-28 14:56:02,295 [root] DEBUG: Storing results at: C:\\dtCqEFTv\n2026-06-28 14:56:02,295 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\ffdHNE\n2026-06-28 14:56:02,296 [root] DEBUG: Python path: C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\n2026-06-28 14:56:02,297 [root] INFO: analysis running as an admin\n2026-06-28 14:56:02,298 [root] INFO: analysis package specified: \"exe\"\n2026-06-28 14:56:02,299 [root] DEBUG: importing analysis package module: \"modules.packages.exe\"...\n2026-06-28 14:56:02,312 [root] DEBUG: imported analysis package \"exe\"\n2026-06-28 14:56:02,314 [root] DEBUG: initializing analysis package \"exe\"...\n2026-06-28 14:56:02,315 [lib.common.common] INFO: no wrapping\n2026-06-28 14:56:02,315 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-28 14:56:02,317 [root] DEBUG: New location of moved file: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\Endermanch_BadRabbit.exe\n2026-06-28 14:56:02,317 [root] INFO: Analyzer: Package modules.packages.exe does not specify a dll option\n2026-06-28 14:56:02,318 [root] INFO: Analyzer: Package modules.packages.exe does not specify a dll_64 option\n2026-06-28 14:56:02,318 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option\n2026-06-28 14:56:02,318 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option\n2026-06-28 14:56:02,386 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-06-28 14:56:02,403 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-06-28 14:56:02,552 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-06-28 14:56:02,635 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-06-28 
14:56:02,647 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2026-06-28 14:56:02,648 [lib.api.screenshot] ERROR: No module named 'PIL'\n2026-06-28 14:56:02,649 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-06-28 14:56:02,660 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-06-28 14:56:02,661 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-06-28 14:56:02,662 [root] DEBUG: attempting to configure 'Browser' from data\n2026-06-28 14:56:02,665 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-06-28 14:56:02,666 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-06-28 14:56:02,690 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-06-28 14:56:02,691 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-06-28 14:56:02,692 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-06-28 14:56:02,693 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-06-28 14:56:02,693 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-06-28 14:56:02,693 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-06-28 14:56:03,361 [modules.auxiliary.digisig] DEBUG: File has an invalid signature\n2026-06-28 14:56:03,362 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-06-28 14:56:03,377 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-06-28 14:56:03,378 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-06-28 14:56:03,378 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-06-28 14:56:03,379 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-06-28 14:56:03,379 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2026-06-28 14:56:03,383 [modules.auxiliary.disguise] INFO: Launched background 
process notepad.exe hidden (PID: 3236)\n2026-06-28 14:56:03,388 [modules.auxiliary.disguise] INFO: Disguising GUID to 1a98ac3a-16f4-4342-92b2-835bcbf61450\n2026-06-28 14:56:03,388 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-06-28 14:56:03,388 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-06-28 14:56:03,388 [root] DEBUG: attempting to configure 'Human' from data\n2026-06-28 14:56:03,389 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-06-28 14:56:03,389 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-06-28 14:56:03,390 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-06-28 14:56:03,390 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-06-28 14:56:03,390 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-06-28 14:56:03,390 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-06-28 14:56:03,390 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-06-28 14:56:03,396 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled\n2026-06-28 14:56:03,396 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-06-28 14:56:03,422 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-06-28 14:56:03,422 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-06-28 14:56:03,426 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-06-28 14:56:03,427 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-06-28 14:56:03,431 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process\n2026-06-28 14:56:03,431 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-06-28 14:56:09,389 [root] INFO: Restarting WMI Service\n2026-06-28 14:56:11,650 [root] DEBUG: 
package modules.packages.exe does not support configure, ignoring\n2026-06-28 14:56:11,651 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'\n2026-06-28 14:56:11,652 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-28 14:56:11,658 [lib.api.process] ERROR: Failed to execute process from path \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\Endermanch_BadRabbit.exe\" with arguments \"None\" (Error: 740)\n2026-06-28 14:56:11,661 [root] ERROR: You probably submitted the job with wrong package\nTraceback (most recent call last):\n  File \"C:\\7d7wfxi0/analyzer.py\", line 688, in run\n    pids = self.package.start(self.target)\n  File \"C:\\7d7wfxi0\\modules\\packages\\exe.py\", line 47, in start\n    return self.execute(path, args, path)\n           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^\n  File \"C:\\7d7wfxi0\\lib\\common\\abstracts.py\", line 181, in execute\n    raise CuckooPackageError(\"Unable to execute the initial process, analysis aborted\")\nlib.common.exceptions.CuckooPackageError: Unable to execute the initial process, analysis aborted\n\nThe above exception was the direct cause of the following exception:\n\nTraceback (most recent call last):\n  File \"C:\\7d7wfxi0/analyzer.py\", line 1598, in <module>\n    success = analyzer.run()\n  File \"C:\\7d7wfxi0/analyzer.py\", line 692, in run\n    raise CuckooError(f'The package \"{self.package_name}\" start function raised an error: {e}') from e\nlib.common.exceptions.CuckooError: The package \"modules.packages.exe\" start function raised an error: Unable to execute the initial process, analysis aborted\n2026-06-28 14:56:11,766 [root] WARNING: Folder at path \"C:\\dtCqEFTv\\debugger\" does not exist, skipping\n2026-06-28 14:56:11,767 [root] WARNING: Folder at path \"C:\\dtCqEFTv\\tlsdump\" does not exist, skipping\n2026-06-28 14:56:11,767 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "bd35c3e7e34a575539ceb4606796cbdf04cb57091b1fba72eaaa32099b9d35f8",
    "hosts": [
      {
        "ip": "66.102.1.138",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.206.138",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.133.95",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.150.119",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.168.139",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.168.100",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.206.101",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.71.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.16.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      }
    ],
    "domains": [],
    "tcp": [
      {
        "src": "192.168.122.139",
        "sport": 49696,
        "dst": "142.251.16.94",
        "dport": 443,
        "offset": 24,
        "time": 0.0
      },
      {
        "src": "192.168.122.139",
        "sport": 49697,
        "dst": "74.125.71.94",
        "dport": 443,
        "offset": 95,
        "time": 0.01563096046447754
      },
      {
        "src": "192.168.122.139",
        "sport": 49698,
        "dst": "74.125.206.101",
        "dport": 443,
        "offset": 306,
        "time": 1.6100709438323975
      },
      {
        "src": "192.168.122.139",
        "sport": 49681,
        "dst": "142.251.168.100",
        "dport": 443,
        "offset": 447,
        "time": 4.820004940032959
      },
      {
        "src": "192.168.122.139",
        "sport": 49754,
        "dst": "142.251.168.139",
        "dport": 443,
        "offset": 1204,
        "time": 4.853888034820557
      },
      {
        "src": "192.168.122.139",
        "sport": 49755,
        "dst": "142.251.16.94",
        "dport": 443,
        "offset": 10708,
        "time": 4.986191034317017
      },
      {
        "src": "192.168.122.139",
        "sport": 49679,
        "dst": "142.251.150.119",
        "dport": 443,
        "offset": 15473,
        "time": 6.9691479206085205
      },
      {
        "src": "192.168.122.139",
        "sport": 49686,
        "dst": "74.125.133.95",
        "dport": 443,
        "offset": 63252,
        "time": 9.451229095458984
      },
      {
        "src": "192.168.122.139",
        "sport": 49687,
        "dst": "74.125.206.138",
        "dport": 443,
        "offset": 63393,
        "time": 9.750036001205444
      },
      {
        "src": "192.168.122.139",
        "sport": 49682,
        "dst": "66.102.1.138",
        "dport": 443,
        "offset": 63534,
        "time": 10.141989946365356
      }
    ],
    "udp": [
      {
        "src": "192.168.122.139",
        "sport": 5353,
        "dst": "224.0.0.251",
        "dport": 5353,
        "offset": 1118,
        "time": 4.852597951889038
      },
      {
        "src": "192.168.122.139",
        "sport": 51802,
        "dst": "224.0.0.252",
        "dport": 5355,
        "offset": 1791,
        "time": 4.85564398765564
      },
      {
        "src": "192.168.122.139",
        "sport": 54769,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 15237,
        "time": 5.697925090789795
      },
      {
        "src": "192.168.122.139",
        "sport": 57743,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 15614,
        "time": 7.153594970703125
      }
    ],
    "icmp": [],
    "http": [],
    "dns": [],
    "smtp": [],
    "irc": [],
    "dead_hosts": []
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "packer_entropy",
      "description": "The binary likely contains encrypted or compressed data",
      "categories": [
        "packer"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [
        "http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
      ],
      "data": [
        {
          "section": {
            "name": ".rdata",
            "raw_address": "0x00003400",
            "virtual_address": "0x00004000",
            "virtual_size": "0x0000302a",
            "size_of_data": "0x00003200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "7.18"
          }
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "contains_pe_overlay",
      "description": "The PE file contains an overlay",
      "categories": [
        "static"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "overlay": "Contains overlay at offset 0x0000de00 with size: 385067 bytes"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 0,
  "ttps": [
    {
      "signature": "packer_entropy",
      "ttps": [
        "T1027.002",
        "T1027"
      ],
      "mbcs": [
        "OB0001",
        "OB0002",
        "OB0006",
        "F0001"
      ]
    },
    {
      "signature": "contains_pe_overlay",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    }
  ],
  "malstatus": "Failed"
}