Analysis

Category FILE
Package exe
Started 2025-06-12 22:06:22
Completed 2025-06-12 22:37:06
Duration 1844 seconds
Options procmemdump=1 import_reconstruction=1 unpacker=2 norefer=1 no-iat=1
2024-11-25 13:37:15,053 [root] INFO: Date set to: 20250611T19:43:07, timeout set to: 1800
2025-06-11 20:43:07,317 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 20:43:07,317 [root] DEBUG: Storing results at: C:\SbKWKlSV
2025-06-11 20:43:07,317 [root] DEBUG: Pipe server name: \\.\PIPE\OVRmkbV
2025-06-11 20:43:07,317 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 20:43:07,317 [root] INFO: analysis running as an admin
2025-06-11 20:43:07,317 [root] INFO: analysis package specified: "exe"
2025-06-11 20:43:07,317 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 20:43:08,098 [root] DEBUG: imported analysis package "exe"
2025-06-11 20:43:08,098 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 20:43:08,098 [lib.common.common] INFO: wrapping
2025-06-11 20:43:08,098 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 20:43:08,114 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\cttune.exe
2025-06-11 20:43:08,114 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 20:43:08,114 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 20:43:08,114 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 20:43:08,114 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 20:43:08,301 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 20:43:08,317 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 20:43:08,348 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 20:43:08,348 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 20:43:08,364 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 20:43:08,364 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 20:43:08,364 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 20:43:08,380 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 20:43:08,380 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 20:43:08,380 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 20:43:08,395 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 20:43:08,395 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 20:43:08,395 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 20:43:08,395 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 20:43:08,411 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 20:43:08,411 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 20:43:08,411 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 20:43:08,442 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 20:43:08,661 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-11 20:43:08,661 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 20:43:08,661 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 20:43:08,677 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 20:43:08,677 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 20:43:08,677 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 20:43:08,677 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 20:43:08,677 [modules.auxiliary.disguise] INFO: Disguising GUID to 17f92b02-79d2-44f4-a080-01a9f0954dcc
2025-06-11 20:43:08,677 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 20:43:08,677 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 20:43:08,677 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 20:43:08,677 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 20:43:08,677 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 20:43:08,677 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 20:43:08,677 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 20:43:08,677 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 20:43:08,677 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 20:43:08,677 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 20:43:08,677 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 20:43:08,677 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 20:43:08,677 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 20:43:08,677 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 20:43:08,677 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 20:43:08,677 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 20:43:08,677 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 20:43:08,692 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 20:43:08,708 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 20:43:08,708 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 20:43:08,708 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 20:43:08,708 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 20:43:08,708 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 20:43:08,708 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 20:43:08,708 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\eJXvNnhR.dll, loader C:\tmp_gell1p8\bin\IytHUKoC.exe
2025-06-11 20:43:08,755 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 20:43:08,755 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\eJXvNnhR.dll.
2025-06-11 20:43:08,786 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 20:43:08,786 [root] INFO: Disabling sleep skipping.
2025-06-11 20:43:08,786 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 20:43:08,786 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 20:43:08,786 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 20:43:08,786 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 20:43:08,786 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 20:43:08,802 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 20:43:08,802 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 20:43:08,802 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 20:43:08,802 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 6124, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-11 20:43:08,802 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 20:43:08,817 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 20:43:08,817 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 20:43:08,817 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\eJXvNnhR.dll.
2025-06-11 20:43:08,817 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 20:43:08,817 [root] <truncated>
Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-12 22:06:22
Shutdown On 2025-06-12 22:36:47
Route none

File Details

File Name cttune.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 311296 bytes
MD5 b3d58d03ef76001519914f49df180da5
SHA1 929add14d1246d8211b515e2b5a5f7c58c050dde
SHA256 4527102d9b5aa52ad008c99e5740fbe4307b19c1bceb1c6fd8606bc23aef344a
SHA3-384 453c2ef0f34af4fb84d21c30659b26a3a6533c08fbbe2f1acc44522c339290637c3487eb2d1239378f312a498f128cfb
CRC32 3BD5F180
TLSH T13C645C267FB81CB6D116383B0C2E586107336837166B83F3A896DEAC4EF56D8D457863
Ssdeep 3072:Qly6KLXlMlvctAyvJqxEm4x1ESuQG+3SeyRS6CSfKVu1xgCAWUMZ8:mZKLVMlvctAyvoxEvTEPp/Fu

TrackMouseEvent
CreateCompatibleDC
2&3;3
GetObjectW
CTTUNE.EXE
RWPQj
SELECT * FROM %s WHERE InstanceName="%s"
6,6R6`6
r4f\[
SelectObject
UXW)'0
.idata$6
>(>/>X>r>
IsDlgButtonChecked
MonitorPaletteEntryClass
.idata$4
1ILYrpS
[N3;;
<7=f=
HI-o
ChangeDisplaySettingsExW
w/z~lg
1@1Q1]1f1
5+525H5{5
GetStartupInfoW
='=I=P=g=
u,VVh
raYWRPS
ad3fa
+~7o.
GetParent
GetTokenInformation
1$&>_M
3?3^3
WmiMonitorListedSupportedSourceModes
DrawThemeParentBackground
v"q|X
__dllonexit
=%>U>c>y>
RPa`0`
6\yy|<
VerSetConditionMask
xxwxxxxx
WmiMonitorID
0%0S0
RegisterClassExW
_ftol2_sse
KLJHFG>?=fgd
091h1
0!0'0]0c0i0o0
QQSVW
<e<z<
4(4D4u4
api-ms-win-core-com-l1-1-0.dll
CheckRadioButton
2D3J3^3i3w3
CheckTokenMembership
767p7
COMCTL32.dll
tg!|$
SVWj\X
aYccc
>c>}>
5U6`6y6
CreateWindowExW
FileVersion
GrayscaleEnhancedContrastLevel
EndDialog
6%7r7
0*0L0t0
GetThemeFont
121?1S1`1t1~1
RegSetValueExW
~nfll
=!=@=N=W=}=
RRWPQRR
TextContrastLevel
0%00070<0B0 1c1k1
GetSysColorBrush
xQyYyw7ww
=/=r=
:!:2:::P:X:|:
EnumDisplaySettingsW
</security>
ut^jnm2#3----/.
WinSqmAddToStream
efgwvg_W
EM;N}
7'7=7l7
_callnewh
>1>a>
D$HPV
StringFromGUID2
CoGetObject
__set_app_type
</dependentAssembly>
DeleteObject
:B;a;h;
W)'0,
<requestedPrivileges>
KLNHGG??hfgd
`.data
SSSSP
</windowsSettings>
444a4s4
2H3S3l3
FrameRect
+++''
.rsrc$01
D$ PV
IDATx
kn'fg
G(;G,t?
CoInitializeSecurity
040904B0
Microsoft Corporation
<application xmlns="urn:schemas-microsoft-com:asm.v3">
.n:6v
>)>C>I>\>c>q>{>
memcmp
Microsoft-Windows-ClearTypeTextTuner/Diagnostic
7,8G8b8
.idata
type="win32"
y^\`_2$
5+5w5
_XcptFilter
SetupDiGetDeviceInterfaceDetailW
zmoou
_lock
/>
DBBA@:::86554OO
YTPV(%$
ReleaseDC
|H)-$=
OLEACC.dll
9%:::{:
ROOT\WMI
CheckDlgButton
VerifyVersionInfoW
.?AVbad_alloc@std@@
cbZ[Ui
;[;v;
PreferredMonitorSourceModeIndex
6y7N8
EventRegister
839@9o9
GetWindowRect
RedrawWindow
?9?R?k?
:*;?;
HorizontalActivePixels
jd?`F
50QNP
_initterm
aW)'0,
9*989K9W9c9m9z9
CoInitializeEx
UserFriendlyNameLength
_CxxThrowException
uXSSh
GDI32.dll
eUXW)%$
EndPaint
.idata$5
>O>^>v>
GetClientRect
yk0S+
).[po
1$&'=F
2(3V3
InvalidateRect
101q1z1
UXW)'0,
PerfDiagnostics
7)8<8
GetStockObject
HeapAlloc
CreateSolidBrush
PatBlt
DUD^q
;!;(;/;6;=;D;K;S;[;c;o;x;};
processorArchitecture="x86"
4#4*4<4C4
CONTROLPANELSTYLE
u#6^&
~},Z+
IsThemeActive
PtInRect
RegQueryValueExW
wcschr
=ry7$8
2+272M2
Microsoft
VarFileInfo
DWriteCreateFactory
6(626D6P6\6
<)<\<
Microsoft Corporation. All rights reserved.
t$PPPV
.data$brc
.?AVexception@@
_acmdln
xx{w?w
9&929A9N9
DrawTextW
8C tkj
232Y2g2
InternalName
j0_Wh7
^\`_#$
FillRect
LHI-hd
_controlfp
CreatePen
D$D+D$T
>B?S?
.text$yd
malloc
B*b(ay
SupportedDisplayFeatures
rf!*},
?J?i?o?u?
.data$r$brc
x5 $rx
st9>u
_vsnwprintf
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-libraryloader-l1-2-0.dll
8*909:9@9I9N9~9
0~`jd
GetThemeColor
.rsrc$02
EnumDisplayDevicesW
</application>
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
+~7^*
_unlock
E$4Qe
<,ED~
IDATj
uXVVh
GetDC
D$HPS
SetTextColor
_exit
ClearType Tuner
D$<+D$,
7!8l8|8
qskjnm2$3
Doo/N
0:0G0t0
en-US
GdiAlphaBlend
nM_J]
@.rsrc
Zk0:M
=}0Ge
GammaLevel
OLEAUT32.dll
[}10y$
102T2m2
CoSetProxyBlanket
UxTheme.dll
UserFriendlyName
Rich+
6%616E6K6p6
.text$di
>!>'>
version="5.1.0.0"
^\`_2$
WiI;DmJjR
<~dd$:-h
:":B:H:
<security>
8^,tFWj
MulDiv
</requestedPrivileges>
8"8V8
LegalCopyright
CoUninitialize
*W#d0M
<!-- Copyright (c) Microsoft Corporation -->
?E?]?
SetupDiGetDeviceInstanceIdW
242Y2o2
SendMessageTimeoutW
10.0.17763.1 (WinBuild.160101.0800)
GetCurrentProcessId
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
PixelStructure
A ;A$t
\%c0A
RegCreateKeyExW
KEYW|
x`qmT8
GetWindowLongW
U'}%3
<description>Windows Shell</description>
xyyyy
<dependentAssembly>
<assemblyIdentity
D$XPS
BitmapSwitchClass
PRVA`
-+'''
1$&(`
CoCreateInstance
@>:$l
w{.XjBFJ
xmnpu
b;Og?
6"6G6]6m6
language="*"
++'''
MapWindowPoints
0-0F0e0q0
X4zL~
8'8-84898F8U8]8e8y8
cttune.pdb
GetSystemMetrics
8G8\8v8
ITJJDZ
.rdata$zzzdbg
L#L7u
"j4X
,0004080<0T0p0
tsljnn2233--//*
2K3e3r3
Q-e%d
<}dW+
2 2[2r2
GetDeviceCaps
94:}:
LoadStringW
5>6E6R6{6
;&;I;e;};
`#H|e7
JGEB:;[ZYUP*)%$
realloc
.CRT$XIA
.rdata
wlnpst
t$4h
{@ws{
api-ms-win-core-errorhandling-l1-1-0.dll
TIS'V
GetDlgItem
9""R;
D$$Pjx
\5M*lpp
publicKeyToken="6595b64144ccf1df"
WinSqmIncrementDWORD
5C5L5S5
j`_#$
.CRT$XIZ
WmiMonitorBasicDisplayParams
<+<3<
GetThemeSysColor
:G:X:g:m:v:
SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
RRPp
IsWow64Process
<assemblyIdentity
6%7v7|7
t$<PP
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
FileDescription
!This program cannot be run in DOS mode.
VPVjJ
0R1f1l1
DestroyWindow
P5.uh
OPCOT
7.7G7}7
CBAEE::;;<67WQP
MonitorSourceModes
4H4b4g4r4
api-ms-win-core-heap-l2-1-0.dll
OpenProcessToken
api-ms-win-core-processthreads-l1-1-0.dll
1$&')^
7'707L7
w(9_,t
BeginPaint
L$l_^[3
=0H0h0
KINHF>>>=fcdZ]\V_"!
SystemParametersInfoW
ntdll.dll
MessageBoxW
ppxxx
?%?R?
SetWindowTextW
USER32.dll
api-ms-win-core-sysinfo-l1-1-0.dll
10.0.17763.1
YjHjZ
ulSSh
0(000F0X0e0q0}0
win:Informational
jn_#$
DeleteDC
[oyy7u
SetForegroundWindow
.idata$3
.?AV_com_error@@
SetWindowLongW
FGG1::
7'8D8K8
-EfJa
DisplayType
_ftol2
LoadCursorW
e^\`_#$
CreateFontIndirectW
version="6.0.0.0"
fSRMN
PerfInstrumentation
?S?q?
/d>Ja
.CRT$XCU
CopyImage
&^ye*x
bitmap
E-y7`
=&=.=e=
4"5D5K5p5
LoadImageW
QueryPerformanceCounter
5ZH5W~
QXQ|!
?)?\?o?
2!2(262>2V2]2k2s2
BitBlt
D$0PS
G ;G$tB
101L1P1l1p1x1
GetTickCount64
819b9
u,SSh
??0exception@@QAE@ABV0@@Z
kD%iUG'f
?*???N?V?k?t?y?
SendDlgItemMessageW
msvcrt.dll
KHFB<;\
4(4H4g4
StringFileInfo
% 0`
D$ PS
ClearTypeTextTuner_LaunchApp
ole32.dll
B=#("S^
F`Zy{[C
GetCurrentProcess
GetSysColor
LEVL@
\`_2$
:0:C:_:k:w:
0'0`0h0
__setusermatherr
??0exception@@QAE@XZ
IFD<=
HeapFree
DrawFocusRect
GetProcessDefaultLayout
win:Stop
_except_handler4_common
SetupDiOpenDeviceInterfaceW
xw?wGSh
GetTickCount
SV3c3
D$D+D$<P
>8>V>e>m>
1P;r
D$(PV
.text$mn
2$2*222Q2{2
3 3'3I3p3
LocalFree
lCH<c
G#XHl
.CRT$XIY
Microsoft-Windows-ClearTypeTextTuner
7#787S7e7
0H1k1
Fbad allocation
TerminateProcess
PostMessageW
type="win32"/>
</assembly>
1$&>-
5'5>5o5
111116:DJWWRG;8
StretchBlt
Translation
gl|l||
4(5{5
EnhancedContrastLevel
WEVT_TEMPLATE
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
:/;R;
FindWindowW
e3'OLC.
SetupDiDestroyDeviceInfoList
1$$%#
EventWriteTransfer
t>j Xf;E
MapDialogRect
InitCommonControlsEx
)P=sq
SetStretchBltMode
484@4a4z4
{e&>c5.
ClearTypeTunerWizardMutex
SETUPAPI.dll
203@3O3\3c3
z$"PQ9*
8&8:8R8f8
Software\Microsoft\Avalon.Graphics
3 494
1$&'S+
ProductVersion
CloseThemeData
^VShp
D$ PVh
__p__commode
CreateMutexW
_wtoi
A"LNQ
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
KillTimer
%lZ#n
SetDlgItemTextW
i59i/
ShowWindow
D$8+D$(
PQRRWPQRR
_onexit
NumOfMonitorSourceModes
.xdata$x
<*=Q=
;m; <
4B5Y5g5
.CRT$XIAA
GetModuleHandleW
<3<9<R<y<
ClearTypeTextTuner_ApplyChanges
RIDAT
t$ Sh
G(9_ t
.rdata$sxdata
Windows
LNHGG??hfv
1:2O2_2f2r2y2
wFA;M
.giats
DISPLAY
XPVSh
_ismbblead
hXW)'0,
c^_]-2//++
>`D6P#
t/!|$
.idata$2
eq]]]
GetTextMetricsW
6$616>6K6Y6d6{6
1$&')?/
39DIUWRIC844444
OriginalFilename
win:Start
_->|C
?what@exception@@UBEPBDXZ
1$&')*N
z@%*
SetTimer
=/=:=@=L=g=m=x=
aYZXUS
iJ07I
6;7J7`7g7
0:1L1o1
0)y5y/
GnnAFB*
\[nHO)y
.CRT$XCA
.CRT$XCAA
processorArchitecture="*"
F$;A$
4=5`5z5
.gfids
9L:g:
<$<2<8<B<H<N<
10242@2D2
YTO*("#
KERNEL32.dll
NHGG??hf
VerticalActivePixels
ADVAPI32.dll
Polyline
b)'0,
2/2M2k2
CreateCompatibleBitmap
<windowsSettings>
:;;g@K
@$9B$t
GetThemeSysFont
< <><Z<z<
Operating System
cUy*Hc
SELECT * FROM WHERE InstanceName=""
3$$%#
SetBkMode
.00cfg
A(;A,u'
tyLxqm
NativeHWNDHost
4"4+4;4]4q4
GdiSetBatchLimit
Y__^[
EnableWindow
??1type_info@@UAE@XZ
UnhandledExceptionFilter
DialogBoxParamW
D$LPV
X9B,v
wFj\Xf9
A?>977654L
PropertySheetW
DefWindowProcW
EventUnregister
R8[Wu
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
?(BM
CreateStdAccessibleObject
_cexit
<*<><
ubj23
CloseHandle
3b3h3y3
TabStyle
LresultFromObject
D$XVPji
@.reloc
909:9A9M9Y9f9
BitmapDisplayClass
vfvvl||
ydf;A
3(3O3e3
DWrite.dll
yYyw8z
SetupDiGetClassDevsW
<$=;=R=i=
CompanyName
VS_VERSION_INFO
tb@f;
_purecall
CreateWellKnownSid
: ;&;];t;
GetLastError
GetCurrentThreadId
api-ms-win-core-synch-l1-2-0.dll
D$D+D$<PV
ChS5r
S*~*.
GetSystemTimeAsFileTime
D$@+D$P
__getmainargs
</dependency>
(G\Yz
SPSjJ
<.<T<
TASKDIALOG
_amsg_exit
;3;U;l;
__p__fmode
.CRT$XCZ
8C t&
W(b,J
>8?@?
3&3^3d3|3
F@&O@
'OzeN4
?terminate@@YAXXZ
8G t1
name="Microsoft.Windows.Shell.cttune"
<dependency>
~}"P~
HasPreferredTimingMode
t$(WWS
ClearTypeLevel
IFC<;g
GetProcessHeap
u@VVh
IsCharAlphaNumericW
DisplayTransferCharacteristic
OpenThemeData
4:4q4
Elevation:Administrator!new:%s
Sleep
7#7)7A7F7L7Q7V7[7`7f7n7
SendMessageW
305.1i
d^_]`23111
9!9,9B9M9`9f9z9
CtTune
t$ WVPP
A$f;A&u
SetUnhandledExceptionFilter
SSSjK
.data
fNoFontSmoothing
GetFocus
u@SSh
626J6U6b6l6x6
name="Microsoft.Windows.Common-Controls"
MonitorPaletteClass
7A7G7b7~7
>F>W>h>
??1exception@@UAE@XZ
.text
memset
D$D+D$<
"!)((&&&%
5K5W5
.rdata$brc
RegOpenKeyExW
SetWindowPos
RegCloseKey
878Q8m8
SetFocus
LoadBitmapW
7 7$7(7,797W7m7
JqO((
SetBkColor
0QQQQQ
8 9+959`9
+!9(SZ
9#:g:w:
</trustInfo>
4;4R4
ProductName
0<1^1p132b2
L$t_^[3

PE Information

Image Base 0x00400000
Entry Point 0x0000e780
Reported Checksum 0x000521f8
Actual Checksum 0x000521f8
Minimum OS Version 10.0
PDB Path cttune.pdb
Compile Time 2012-06-12 03:57:38
Import Hash a60865a48632a4aed254abeba0f53107
Icon Exact Hash 4848503e201b2d23d355fbe1627d619a
Icon Similarity Hash e30167bd506d43df16ab65b5b5676eb4
Icon DHash c67068565533f88c

Version Infos

CompanyName Microsoft Corporation
FileDescription ClearType Tuner
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName CtTune
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename CTTUNE.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0000e1a8 0x0000e200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.40
.data 0x0000e600 0x00010000 0x00000468 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.33
.idata 0x0000e800 0x00011000 0x0000166a 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.30
.rsrc 0x00010000 0x00013000 0x0003b148 0x0003b200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.48
.reloc 0x0004b200 0x0004f000 0x00000ca8 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.42

Name Offset Size Language Sub-language Entropy File type
MUI 0x0004e048 0x00000100 LANG_ENGLISH SUBLANG_ENGLISH_US 2.77 None
WEVT_TEMPLATE 0x000138d8 0x0000040a LANG_ENGLISH SUBLANG_ENGLISH_US 3.46 None
RT_BITMAP 0x00020a18 0x0002152a LANG_ENGLISH SUBLANG_ENGLISH_US 6.39 None
RT_BITMAP 0x00041f48 0x0000273a LANG_ENGLISH SUBLANG_ENGLISH_US 3.33 None
RT_BITMAP 0x00044688 0x00009636 LANG_ENGLISH SUBLANG_ENGLISH_US 3.26 None
RT_ICON 0x00013ce8 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 3.41 None
RT_ICON 0x00013e10 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 3.54 None
RT_ICON 0x00014378 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.20 None
RT_ICON 0x00014660 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.27 None
RT_ICON 0x00014f08 0x00000668 LANG_ENGLISH SUBLANG_ENGLISH_US 4.41 None
RT_ICON 0x00015570 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.99 None
RT_ICON 0x00016418 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 4.75 None
RT_ICON 0x00016880 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.40 None
RT_ICON 0x00017928 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.72 None
RT_ICON 0x00019ed0 0x00006aaf LANG_ENGLISH SUBLANG_ENGLISH_US 7.97 None
RT_GROUP_ICON 0x00020980 0x00000092 LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_VERSION 0x0004dcc0 0x00000384 LANG_ENGLISH SUBLANG_ENGLISH_US 3.45 None
RT_MANIFEST 0x00013440 0x00000491 LANG_ENGLISH SUBLANG_ENGLISH_US 4.97 None

Imports

Name Address
RegOpenKeyExW 0x411000
RegQueryValueExW 0x411004
RegCloseKey 0x411008
EventWriteTransfer 0x41100c
EventRegister 0x411010
EventUnregister 0x411014
OpenProcessToken 0x411018
GetTokenInformation 0x41101c
CreateWellKnownSid 0x411020
CheckTokenMembership 0x411024
RegCreateKeyExW 0x411028
RegSetValueExW 0x41102c
Name Address
GetCurrentProcess 0x4110a8
IsWow64Process 0x4110ac
HeapFree 0x4110b0
GetProcessHeap 0x4110b4
HeapAlloc 0x4110b8
CloseHandle 0x4110bc
GetLastError 0x4110c0
CreateMutexW 0x4110c4
VerifyVersionInfoW 0x4110c8
MulDiv 0x4110cc
VerSetConditionMask 0x4110d0
GetTickCount64 0x4110d4
Name Address
SetBkColor 0x41104c
Polyline 0x411050
CreatePen 0x411054
GetTextMetricsW 0x411058
SetBkMode 0x41105c
StretchBlt 0x411060
SetStretchBltMode 0x411064
DeleteObject 0x411068
GetDeviceCaps 0x41106c
CreateFontIndirectW 0x411070
GetObjectW 0x411074
CreateCompatibleDC 0x411078
SelectObject 0x41107c
GdiAlphaBlend 0x411080
BitBlt 0x411084
DeleteDC 0x411088
GetStockObject 0x41108c
GdiSetBatchLimit 0x411090
SetTextColor 0x411094
CreateSolidBrush 0x411098
PatBlt 0x41109c
CreateCompatibleBitmap 0x4110a0
Name Address
SendMessageW 0x411120
TrackMouseEvent 0x411124
DefWindowProcW 0x411128
LoadCursorW 0x41112c
RegisterClassExW 0x411130
FindWindowW 0x411134
SetForegroundWindow 0x411138
EndDialog 0x41113c
SetTimer 0x411140
KillTimer 0x411144
DialogBoxParamW 0x411148
ShowWindow 0x41114c
EnableWindow 0x411150
CheckDlgButton 0x411154
IsDlgButtonChecked 0x411158
GetSysColorBrush 0x41115c
EnumDisplaySettingsW 0x411160
EnumDisplayDevicesW 0x411164
ChangeDisplaySettingsExW 0x411168
GetSysColor 0x41116c
CopyImage 0x411170
LoadImageW 0x411174
DestroyWindow 0x411178
CreateWindowExW 0x41117c
LoadBitmapW 0x411180
DrawTextW 0x411184
GetFocus 0x411188
MapWindowPoints 0x41118c
FillRect 0x411190
RedrawWindow 0x411194
IsCharAlphaNumericW 0x411198
GetWindowLongW 0x41119c
EndPaint 0x4111a0
FrameRect 0x4111a4
BeginPaint 0x4111a8
DrawFocusRect 0x4111ac
InvalidateRect 0x4111b0
CheckRadioButton 0x4111b4
MessageBoxW 0x4111b8
SetFocus 0x4111bc
GetParent 0x4111c0
PostMessageW 0x4111c4
SetWindowLongW 0x4111c8
SetDlgItemTextW 0x4111cc
GetDlgItem 0x4111d0
GetClientRect 0x4111d4
MapDialogRect 0x4111d8
SendDlgItemMessageW 0x4111dc
SetWindowTextW 0x4111e0
SendMessageTimeoutW 0x4111e4
SetWindowPos 0x4111e8
PtInRect 0x4111ec
GetWindowRect 0x4111f0
GetSystemMetrics 0x4111f4
GetProcessDefaultLayout 0x4111f8
ReleaseDC 0x4111fc
LoadStringW 0x411200
GetDC 0x411204
SystemParametersInfoW 0x411208
Name Address
exit 0x41129c
_exit 0x4112a0
_cexit 0x4112a4
__p__fmode 0x4112a8
__dllonexit 0x4112ac
_ismbblead 0x4112b0
__setusermatherr 0x4112b4
_initterm 0x4112b8
_acmdln 0x4112bc
__set_app_type 0x4112c0
_amsg_exit 0x4112c4
__p__commode 0x4112c8
_XcptFilter 0x4112cc
_CxxThrowException 0x4112d0
_callnewh 0x4112d4
?what@exception@@UBEPBDXZ 0x4112d8
??1exception@@UAE@XZ 0x4112dc
_ftol2_sse 0x4112e0
_ftol2 0x4112e4
_lock 0x4112e8
_unlock 0x4112ec
memcmp 0x4112f0
??0exception@@QAE@ABV0@@Z 0x4112f4
??0exception@@QAE@XZ 0x4112f8
malloc 0x4112fc
wcschr 0x411300
realloc 0x411304
free 0x411308
_purecall 0x41130c
_vsnwprintf 0x411310
_wtoi 0x411314
_except_handler4_common 0x411318
_controlfp 0x41131c
?terminate@@YAXXZ 0x411320
??1type_info@@UAE@XZ 0x411324
_onexit 0x411328
__getmainargs 0x41132c
memset 0x411330
Name Address
VariantClear 0x4110e8
VariantInit 0x4110ec
SafeArrayGetElement 0x4110f0
SafeArrayGetUBound 0x4110f4
SafeArrayGetLBound 0x4110f8
SysFreeString 0x4110fc
SysAllocString 0x411100
Name Address
CoCreateInstance 0x411234
CoInitializeEx 0x411238
CoUninitialize 0x41123c
StringFromGUID2 0x411240
CoSetProxyBlanket 0x411244
CoInitializeSecurity 0x411248
Name Address
LocalFree 0x41125c
Name Address
Sleep 0x411288
Name Address
TerminateProcess 0x41126c
GetCurrentProcessId 0x411270
GetStartupInfoW 0x411274
GetCurrentThreadId 0x411278
Name Address
SetUnhandledExceptionFilter 0x411250
UnhandledExceptionFilter 0x411254
Name Address
GetModuleHandleW 0x411264
Name Address
QueryPerformanceCounter 0x411280
Name Address
GetTickCount 0x411290
GetSystemTimeAsFileTime 0x411294
Name Address
PropertySheetW 0x411038
InitCommonControlsEx 0x41103c
Name Address
DWriteCreateFactory 0x411044
Name Address
WinSqmIncrementDWORD 0x411338
WinSqmAddToStream 0x41133c
Name Address
CoGetObject 0x411344
Name Address
CreateStdAccessibleObject 0x4110dc
LresultFromObject 0x4110e0
Name Address
GetThemeSysFont 0x411210
GetThemeSysColor 0x411214
GetThemeColor 0x411218
GetThemeFont 0x41121c
OpenThemeData 0x411220
IsThemeActive 0x411224
CloseThemeData 0x411228
DrawThemeParentBackground 0x41122c

Usage

Processing ( 10.33 seconds )

  • 9.284 ProcessMemory
  • 1.032 CAPE
  • 0.01 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 modirat_behavior
  • 0.002 territorial_disputes_sigs
  • 0.001 bot_drive
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 limerat_regkeys
  • 0.001 lokibot_mutexes

Reporting ( 0.00 seconds )

  • 0.003 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: cttune.pdb
Possible date expiration check, exits too soon after checking local time
process: cttune.exe, PID 4728
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4728 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
C:\Users\Packager\AppData\Local\Temp\cttune.exe
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FontCache\Parameters\ClientCacheSize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FontCache\Parameters\ClientCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
ClearTypeTunerWizardMutex
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.