Report #5613

  • Creation Date: Feb. 11, 2020, 5:44 p.m.
  • Last Update: Feb. 11, 2020, 7:19 p.m.
  • File: AuUIpVRpa.exe
  • Results:
Binary
DLL: False
Size: 8.50KB
trid:
  38.4% Win32 Dynamic Link Library
  26.3% Win32 Executable
  11.8% OS/2 Executable
  11.6% Generic Win/DOS Executable
  11.6% DOS Executable Generic
type: PE
wordsize: 32
Subsystem: Windows GUI

Hashes
md5: 4a3cdcef8ed41b221f3dbef5792fb52d
sha1: 6c04499f7406e270b590374ef813c4012530273e
crc32: 0x5dd54b0b
sha224: db48666b161ef6833590fcc96375220fcdfc6e760ba48490e593639f
sha256: 6bb5f3a7147660db416b838893c7d0734872ada9f7db68b1d019043a1cb89397
sha384: 81cfe14f8b9c0a114e7a0dc4adfd7295e02852fcf608c8d59a3214f2ba4a7c4c0fd8f9ae117360b4dc6c2e799eb3a864
sha512: ef4f395b6300762026bfb819c878bf73392a8a91a68df956e696b9717df976dc5a7fbc5326d721f19ab5773e0537e295cc3add1d6aaec088649c587ba7871f13
ssdeep: 96:lInYnnVBwi2hfsZdSlC1Tp+XDSGJzIVANNLDJ7pRKRREWCGgWwAeig:wUkqxp+XBJzIVsN9pWCGgW

Community
Google: False
HashLib: False

YARA
Matches: VC8_Microsoft_Corporation, domain, HasRichSignature, contentis_base64, Microsoft_Visual_Cpp_8, Visual_Cpp_2005_Release_Microsoft, HasDebugData, IP, IsPE32, IsWindowsGUI

Suspicious: True

Strings
List
ctfmon.pdb
name="Microsoft.Windows.Common-Controls"
<requestedPrivileges>
publicKeyToken="6595b64144ccf1df"
_acmdln
OleSelfRegister
TerminateProcess
QueryPerformanceCounter
GetModuleHandleA
GetModuleHandleW
Microsoft Corporation. All rights reserved.
GetTickCount
Sleep
<requestedExecutionLevel
version="6.0.0.0"
CTFMON.EXE
__p__commode
language="*"
type="win32"
_initterm
__p__fmode
<dependentAssembly>
_ismbblead
<assemblyIdentity
__setusermatherr
MsCtfMonitor.DLL
MsCtfMonitor.DLL
</dependentAssembly>
_controlfp
__set_app_type
_amsg_exit
__getmainargs
_XcptFilter
<dependency>
uiAccess="false"
</dependency>
?terminate@@YAXXZ
6.1.7600.16385
level="asInvoker"
Microsoft
Microsoft Corporation
</assembly>
CompanyName
4-484>4
ProductName
InternalName
VarFileInfo
FileVersion
OriginalFilename
FileDescription
StringFileInfo
Translation
`.data
_cexit
_exit
CTF Loader
CTFMON
RichN
<security>
</security>
RSDS
<assemblyIdentity name="ctfmon" processorArchitecture="x86" version="5.1.0.0" type="win32"/>
Windows
6.1.7600.16385 (win7_rtm.090713-1255)
!This program cannot be run in DOS mode.
VS_VERSION_INFO
processorArchitecture="x86"
<!-- Copyright (c) Microsoft Corporation -->
_except_handler4_common
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<description>Ctfmon</description>
</requestedPrivileges>
InterlockedCompareExchange
LegalCopyright
InterlockedExchange
Operating System
</trustInfo>
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
8"848A8I8Y8n8
GetCommandLineW
RegisterApplicationRestart
@.reloc
DoMsCtfMonitor
GetStartupInfoA
GetSystemTimeAsFileTime
GetStartupInfoW
ProductVersion
msvcrt.dll
msvcrt.dll
/>
/>
exit
.rsrc
_^[]
KERNEL32.dll
KERNEL32.dll
040904B0
SetUnhandledExceptionFilter

Foremost
Matches: 0.exe, 8 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed
hasURLs: False
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: KERNEL32.dll, msvcrt.dll, MsCtfMonitor.DLL
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 4608
Suspicious: False
Image
Address: 16777216
Suspicious: False
Stack
Stack: 8192
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 40334
Suspicious: False

Sections
Allowed: .text, .data, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 6
Suspicious: False
Image
Version: 6
Suspicious: False
Linker
Version: 9.0
Suspicious: False
Subsystem
Version: 6.1
Suspicious: False
Suspicious: False

EntryPoint
Address: 5354
Suspicious: False

Anomalies
Anomalies
hasAnomalies: False

Libraries
Allowed: kernel32.dll, msvcrt.dll, msctfmonitor.dll
hasLibs: True
Suspicious
hasAllowed: True
hasSuspicious: False

Timestamp
Past: False
Valid: True
Value: 2009-07-13 20:26:10
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: False
Tricks
AVclass
None
1
VirusTotal
md5: 4a3cdcef8ed41b221f3dbef5792fb52d
sha1: 6c04499f7406e270b590374ef813c4012530273e
SCANS (DETECTION RATE = 0.00%)
AVG
update: 20200202
version: 18.4.3895.0
detected: False

CMC
update: 20190321
version: 1.1.0.977
detected: False

MAX
update: 20200202
version: 2019.9.16.1
detected: False

APEX
update: 20200201
version: 5.113
detected: False

Bkav
update: 20200122
version: 1.3.0.9899
detected: False

K7GW
update: 20200202
version: 11.89.33168
detected: False

ALYac
update: 20200202
version: 1.1.1.5
detected: False

Avast
update: 20200202
version: 18.4.3895.0
detected: False

Avira
update: 20200202
version: 8.3.3.8
detected: False

Baidu
update: 20190318
version: 1.0.0.2
detected: False

Cyren
update: 20200202
version: 6.2.2.2
detected: False

DrWeb
update: 20200202
version: 7.0.44.12030
detected: False

GData
update: 20200202
version: A:25.24780B:26.17578
detected: False

Panda
update: 20200202
version: 4.6.4.2
detected: False

VBA32
update: 20200131
version: 4.3.0
detected: False

VIPRE
update: 20200202
version: 81238
detected: False

Zoner
update: 20200202
version: 1.0.0.1
detected: False

ClamAV
update: 20200202
version: 0.102.1.0
detected: False

Comodo
update: 20200202
version: 32036
detected: False

F-Prot
update: 20200202
version: 4.7.1.166
detected: False

Ikarus
update: 20200202
version: 0.1.5.2
detected: False

McAfee
update: 20200202
version: 6.0.6.653
detected: False

Rising
update: 20200202
version: 25.0.0.24
detected: False

Sophos
update: 20200202
version: 4.98.0
detected: False

Yandex
update: 20200131
version: 5.5.2.24
detected: False

Zillya
update: 20200201
version: 2.0.0.4011
detected: False

Acronis
update: 20200128
version: 1.1.1.58
detected: False

Alibaba
update: 20190527
version: 0.3.0.5
detected: False

Arcabit
update: 20200202
version: 1.0.0.869
detected: False

Cylance
update: 20200202
version: 2.3.1.101
detected: False

Endgame
update: 20200131
version: 3.0.16
detected: False

FireEye
update: 20200202
version: 29.7.0.0
detected: False

Sangfor
update: 20200114
version: 1.0
detected: False

TACHYON
update: 20200202
version: 2020-02-02.01
detected: False

Tencent
update: 20200202
version: 1.0.0.1
detected: False

ViRobot
update: 20200202
version: 2014.3.20.0
detected: False

Webroot
update: 20200202
version: 1.0.0.403
detected: False

eGambit
update: 20200202
detected: False

Ad-Aware
update: 20200202
version: 3.0.5.370
detected: False

AegisLab
update: 20200202
version: 4.2
detected: False

Emsisoft
update: 20200202
version: 2018.12.0.1641
detected: False

F-Secure
update: 20200202
version: 12.0.86.52
detected: False

Fortinet
update: 20200202
version: 6.2.137.0
detected: False

Invincea
update: 20191211
version: 6.3.6.26157
detected: False

Jiangmin
update: 20200202
version: 16.0.100
detected: False

Kingsoft
update: 20200202
version: 2013.8.14.323
detected: False

Paloalto
update: 20200202
version: 1.0
detected: False

Trapmine
update: 20200123
version: 3.2.22.914
detected: False

AhnLab-V3
update: 20200202
version: 3.17.0.26111
detected: False

Antiy-AVL
update: 20200202
version: 3.0.0.1
detected: False

Kaspersky
update: 20200202
version: 15.0.1.13
detected: False

MaxSecure
update: 20200131
version: 1.0.0.1
detected: False

Microsoft
update: 20200202
version: 1.1.16700.3
detected: False

Qihoo-360
update: 20200202
version: 1.0.0.1120
detected: False

ZoneAlarm
update: 20200202
version: 1.0
detected: False

Cybereason
update: 20190616
version: 1.2.449
detected: False

ESET-NOD32
update: 20200202
version: 20773
detected: False

TrendMicro
update: 20200202
version: 11.0.0.1006
detected: False

BitDefender
update: 20200202
version: 7.2
detected: False

CrowdStrike
update: 20190702
version: 1.0
detected: False

K7AntiVirus
update: 20200202
version: 11.89.33168
detected: False

SentinelOne
update: 20191218
version: 1.12.1.57
detected: False

Avast-Mobile
update: 20200130
version: 200130-00
detected: False

Malwarebytes
update: 20200202
version: 3.6.4.330
detected: False

TotalDefense
update: 20200202
version: 37.1.62.1
detected: False

CAT-QuickHeal
update: 20200202
version: 14.00
detected: False

NANO-Antivirus
update: 20200202
version: 1.0.134.25031
detected: False

BitDefenderTheta
update: 20200120
version: 7.2.37796.0
detected: False

MicroWorld-eScan
update: 20200202
version: 14.0.405.0
detected: False

SUPERAntiSpyware
update: 20200131
version: 5.6.0.1032
detected: False

McAfee-GW-Edition
update: 20200202
version: v2017.3010
detected: False

TrendMicro-HouseCall
update: 20200202
version: 10.0.0.1040
detected: False

total: 72
sha256: 6bb5f3a7147660db416b838893c7d0734872ada9f7db68b1d019043a1cb89397
scan_id: 6bb5f3a7147660db416b838893c7d0734872ada9f7db68b1d019043a1cb89397-1580666028
resource: 4a3cdcef8ed41b221f3dbef5792fb52d
positives: 0
scan_date: 2020-02-02 17:53:48
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace

Process
Trace

Analysis
Reason: Blue Screen
Status: Execution Failed
Results: 0

Registry
Trace

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False

DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS: False
TCP: False
UDP: False
HTTP: False

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 66.67%
suspicious: False

Decision Tree (NFS-BRMalware)
confidence: 50.00%
suspicious: False

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 98.97%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 99.89%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 74.73%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 65.18%
suspicious: True

LightGDM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: False
