Analysis

Category FILE
Package exe
Started 2025-06-14 10:39:25
Completed 2025-06-14 11:10:08
Duration 1843 seconds
Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,022 [root] INFO: Date set to: 20250614T06:46:09, timeout set to: 1800
2025-06-14 07:46:09,935 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-14 07:46:09,935 [root] DEBUG: Storing results at: C:\prTihHii
2025-06-14 07:46:09,935 [root] DEBUG: Pipe server name: \\.\PIPE\DeZAgRk
2025-06-14 07:46:09,935 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-14 07:46:09,935 [root] INFO: analysis running as an admin
2025-06-14 07:46:09,935 [root] INFO: analysis package specified: "exe"
2025-06-14 07:46:09,935 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-14 07:46:10,247 [root] DEBUG: imported analysis package "exe"
2025-06-14 07:46:10,341 [root] DEBUG: initializing analysis package "exe"...
2025-06-14 07:46:10,341 [lib.common.common] INFO: wrapping
2025-06-14 07:46:10,341 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-14 07:46:10,341 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\shrpubw.exe
2025-06-14 07:46:10,341 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-14 07:46:10,341 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-14 07:46:10,341 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-14 07:46:10,341 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-14 07:46:10,575 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-14 07:46:10,607 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-14 07:46:10,638 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-14 07:46:10,654 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-14 07:46:10,700 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-14 07:46:10,700 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-14 07:46:10,700 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-14 07:46:10,700 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-14 07:46:10,700 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-14 07:46:10,700 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-14 07:46:10,700 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-14 07:46:10,700 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-14 07:46:10,700 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-14 07:46:10,700 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-14 07:46:10,700 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-14 07:46:10,700 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-14 07:46:10,716 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-14 07:46:10,716 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-14 07:46:10,857 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-14 07:46:10,857 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-14 07:46:10,857 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-14 07:46:10,857 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-14 07:46:10,857 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-14 07:46:10,857 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-14 07:46:10,857 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-14 07:46:10,857 [modules.auxiliary.disguise] INFO: Disguising GUID to 214c6773-878f-4024-8cdf-b8e14513fc28
2025-06-14 07:46:10,857 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-14 07:46:10,857 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-14 07:46:10,857 [root] DEBUG: attempting to configure 'Human' from data
2025-06-14 07:46:10,857 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-14 07:46:10,857 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-14 07:46:10,857 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-14 07:46:10,857 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-14 07:46:10,857 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-14 07:46:10,857 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-14 07:46:10,857 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-14 07:46:10,857 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-14 07:46:10,857 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-14 07:46:10,857 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-14 07:46:10,857 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-14 07:46:10,857 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-14 07:46:10,857 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-14 07:46:10,873 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-14 07:46:10,903 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-14 07:46:10,903 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-14 07:46:10,903 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-14 07:46:10,903 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-14 07:46:10,903 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-14 07:46:10,903 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-14 07:46:10,903 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-14 07:46:10,903 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\AxNZEQJd.dll, loader C:\tmp_gell1p8\bin\cOuiwzfo.exe
2025-06-14 07:46:10,950 [root] DEBUG: Loader: IAT patching disabled.
2025-06-14 07:46:10,950 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\AxNZEQJd.dll.
2025-06-14 07:46:10,982 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-14 07:46:10,982 [root] INFO: Disabling sleep skipping.
2025-06-14 07:46:10,982 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-14 07:46:10,982 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-14 07:46:10,982 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-14 07:46:10,982 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-14 07:46:10,982 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-14 07:46:11,029 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-14 07:46:11,044 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-14 07:46:11,044 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-14 07:46:11,044 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 1412, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-14 07:46:11,044 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-14 07:46:11,044 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-14 07:46:11,044 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-14 07:46:11,059 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\AxNZEQJd.dll.
2025-06-14 07:46:11,059 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-14 07:46:11,059 [root <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-14 10:39:25
Shutdown On 2025-06-14 11:09:49
Route none

File Details

File Name
shrpubw.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 392704 bytes
MD5 51311626d7d8ec313ef248fb60776f1a
SHA1 8ff4cd1f1c069a86e3f48f5c715bdf8c51be98f6
SHA256 6b4e6bb29538f24afcf8b823383b846d2d483d83b38c3f74902995de6e6679f8
SHA3-384 57d86f56704f07a27e3d9ca9974dac6c6b3598cf420d9eca109e3ff43d1f8de1ea34df035fba65d6a3754ec1f268776e
CRC32 3FDB8B66
TLSH T1CC84BB64F0B2ECB3DA136B7039BCF81C91AD71551386C69E765AF0B692D330031DDAA9
Ssdeep 1536:aXAWBTT7E7F3D0l4AuIDKBTxWJF51KsvhFsVqvCm:aQWBTT7EtptIcgJFWsvNvCm

PE Information

Image Base 0x00400000
Entry Point 0x00007530
Reported Checksum 0x0006e3b3
Actual Checksum 0x0006e3b3
Minimum OS Version 10.0
PDB Path shrpubw.pdb
Compile Time 2005-03-30 20:30:51
Import Hash 1201946caca3eb9f82f662e94886bb4c
Icon Exact Hash da18f8f8e3ef1476882ace8f953f1a0d
Icon Similarity Hash 1710a2ba9c5df6b9bec5676c9f32f47f
Icon DHash e0c2dbb4a6ebcbde

Version Infos

CompanyName Microsoft Corporation
FileDescription Share Creation Wizard
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName SHRWIZ
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename shrpubw.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00007b8c 0x00007c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.81
.data 0x00008000 0x00009000 0x0000072c 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.13
.idata 0x00008400 0x0000a000 0x0000127e 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.21
.rsrc 0x00009800 0x0000c000 0x000555f8 0x00055600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.48
.reloc 0x0005ee00 0x00062000 0x00000eec 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.50

Name Offset Size Language Sub-language Entropy File type
MUI 0x00061510 0x000000e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.61 None
RT_BITMAP 0x00013de0 0x0004b71a LANG_ENGLISH SUBLANG_ENGLISH_US 5.07 None
RT_BITMAP 0x0005f500 0x00001c7e LANG_ENGLISH SUBLANG_ENGLISH_US 5.97 None
RT_ICON 0x0000c910 0x00000668 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_ICON 0x0000cf78 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.82 None
RT_ICON 0x0000d260 0x000001e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.95 None
RT_ICON 0x0000d448 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 3.02 None
RT_ICON 0x0000d570 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.39 None
RT_ICON 0x0000e418 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.05 None
RT_ICON 0x0000ecc0 0x000006c8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.77 None
RT_ICON 0x0000f388 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 4.28 None
RT_ICON 0x0000f8f0 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.30 None
RT_ICON 0x00011e98 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.48 None
RT_ICON 0x00012f40 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 5.53 None
RT_ICON 0x000138c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.35 None
RT_GROUP_ICON 0x00013d30 0x000000ae LANG_ENGLISH SUBLANG_ENGLISH_US 3.06 None
RT_VERSION 0x00061180 0x00000390 LANG_ENGLISH SUBLANG_ENGLISH_US 3.47 None
RT_MANIFEST 0x0000c410 0x00000500 LANG_ENGLISH SUBLANG_ENGLISH_US 4.95 None

Imports

Name Address
CreateFontIndirectW 0x40a064
GetDeviceCaps 0x40a068
DeleteObject 0x40a06c
Name Address
MessageBoxW 0x40a32c
RegisterClipboardFormatW 0x40a330
EnableWindow 0x40a334
SendMessageW 0x40a338
GetParent 0x40a33c
GetActiveWindow 0x40a340
ReleaseDC 0x40a344
GetDC 0x40a348
SystemParametersInfoW 0x40a34c
LoadImageW 0x40a350
PostMessageW 0x40a354
Name Address
Name Address
__dllonexit 0x40a37c
memmove 0x40a380
wcsrchr 0x40a384
iswspace 0x40a388
_XcptFilter 0x40a38c
__p__commode 0x40a390
towupper 0x40a394
_wcsnicmp 0x40a398
wcschr 0x40a39c
_unlock 0x40a3a0
_onexit 0x40a3a4
?terminate@@YAXXZ 0x40a3a8
_wcmdln 0x40a3ac
_initterm 0x40a3b0
__setusermatherr 0x40a3b4
__p__fmode 0x40a3b8
_cexit 0x40a3bc
_exit 0x40a3c0
exit 0x40a3c4
__set_app_type 0x40a3c8
__wgetmainargs 0x40a3cc
_amsg_exit 0x40a3d0
??1type_info@@UAE@XZ 0x40a3d4
_controlfp 0x40a3d8
_lock 0x40a3dc
_except_handler4_common 0x40a3e0
free 0x40a3e4
wcsncmp 0x40a3e8
calloc 0x40a3ec
__CxxFrameHandler3 0x40a3f0
memcpy 0x40a3f4
memset 0x40a3f8
Name Address
DestroyPropertySheetPage 0x40a054
PropertySheetW 0x40a058
Name Address
NetpwPathType 0x40a400
NetpIsRemote 0x40a404
NetpwNameValidate 0x40a408
NetApiBufferFree 0x40a40c
Name Address
NetServerDiskEnum 0x40a414
NetpsNameValidate 0x40a418
NetShareAdd 0x40a41c
NetShareSetInfo 0x40a420
NetShareEnum 0x40a424
NetShareGetInfo 0x40a428
NetServerGetInfo 0x40a42c
Name Address
Name Address
WSACleanup 0x40a35c
WSAStartup 0x40a360
WSAStringToAddressW 0x40a364
Name Address
SHGetMalloc 0x40a2f8
SHChangeNotify 0x40a314
SHBrowseForFolderW 0x40a318
SHGetSpecialFolderLocation 0x40a31c
SHGetDesktopFolder 0x40a320
SHGetPathFromIDListW 0x40a324
Name Address
CoUninitialize 0x40a36c
CoInitializeEx 0x40a370
CoCreateInstance 0x40a374


Usage


Processing ( 10.01 seconds )

  • 9.381 ProcessMemory
  • 0.604 CAPE
  • 0.012 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 uac_bypass_cmstpcom
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.00 seconds )

  • 0.003 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: shrpubw.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4100 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Users\Packager\AppData\Local\Temp\shrpubw.exe
\??\PIPE\srvsvc
C:\Windows\SystemResources\MFC42u.dll.mun
\??\PIPE\srvsvc
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions\ProductSuite
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions\ProductSuite
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.