SmartHawk

9.0

极危

14 个模型检测该样本为恶意！

重新分析

下载样本

1d90bc58ba58386d5f68920704f879514b36fa293c53e73857b872d3511c8fc5

6aa796bd1d43168701b54886ac67deb8.exe

分析耗时

105s

最近分析

文件大小

789.1KB

静态报毒动态报毒 CGENERIC CLOUD COMPONENT CONFIDENCE CROSSRIDER GRAYWARE HFSADWARE PLAYTECH 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee		20190503	6.0.6.653
Alibaba		20190426	0.4.0.6
Baidu		20190318	1.0.0.2
Avast		20190507	18.4.3895.0
Tencent		20190507	1.0.0.1
Kingsoft		20190507	2013.8.14.323
CrowdStrike	win/malicious_confidence_60% (D)	20190212	1.0

This executable is signed

Tries to locate where the browsers are installed (3 个事件)

registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Mozilla Firefox
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620762767.032 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.ndata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (10 个事件)

request	GET http://c6m7w2m9.ssl.hwcdn.net/playtech_compressed_assets/casino_casinocom_new/index.7ze
request	GET http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom_new/index.7ze
request	GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request	GET http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
request	GET http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
request	GET http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEHSfdSPcp6pyLdnEz5lZ6ec%3D
request	GET http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom_new/templates/installer/casinocom_2016.7ze
request	GET https://t8u4n6u7.ssl.hwcdn.net/stats.gif?data=ZqdgLlx63zFazZxYPfYrJGLU%2BEJcpexNUBKGLxdwK758i44Skp3AoytbYRtB%2FvGSzch7rZHdK9dqS6lSmcaAuttfMHpGUFQ6PpvJV90NMjI49qRfseNgT%2Fz3M3bukX0%2Fw2vwXC5e6ZmMHnXkK9X1kOxDBiG9x1RuWTnwBlPkk7itbd6cDfYHGO5%2FmrO10NH4kSohStr%2Fkql4hN3uJi%2F6ojgXPltGmMdV%2BrPT4%2BJUBEKFXpddoJb2ipOv7HGhpbS6sbnimCpz7%2Ft%2FyPBa2e7zgCCijYRCXYJO3Px4eOIGHUFlKawiLyri7%2FqCxDP4kTLfqw6gY4Y%2FeuvJlRMOjHOxJTkMhj5ptHiG7S55uapJm%2Fo3V4aHAWfkq98LevUOI6M7Nq5uyaolh6lOSaATQpianozU2rSA676Ey266cfECltymDLOIfkAihQsusPNNkyltktpiWn5mBM78dFAoly1hUqgD3WbSRotZS5RI2uOblSxAemdkPVxfVawoXoDiHszejyE7KiugmQlv5%2Fd3dNIQjZzydXIr0hCxUZmsAM2Ff0DfEYOOvbFc9sc%2Bn4PXjUlOwYdxUUjAXfUdHxHTQmHw%2F%2BjbG6wQblU7MzIOGPy%2B1x6jPG%2FjWLtqAN1hCVgTmwnMK2ybUYd8zvt%2BqZ%2BWGUi4875jmIJWgtkzZYzJNPTvUl4%3D
request	GET https://t8u4n6u7.ssl.hwcdn.net/stats.gif?data=k5O6nTt2g4LSAMUJZS0r16mkNu%2FGET5LyTKJDWDJa0Pu39w4FbBQjmJVB4I38ZSI5QIMdaMRmuS7Vi02up0XUG0LSAhwX1iS7Vppvoh9l7jb%2FK62GmDL0z3eQ2CCRZGrv5t9v9K97xcDZXgMt2qkwKkU8fdNcmPZpZkvL5%2BetYgmcDwu8K4IW4hXt3Jxen8b1pkb5Ceb2ZbOwOi5NJCktqvUekPbeXTJBwiQXzz95ohmpEC5iNFBs%2FxuVIIR2HxLFizIckQCTN2rcE%2FVf%2FXv0hqZxfCl8VMErRmp0%2FZrTkisHJGIxY%2F0AhQrWWwQKRxu5eEWUxCHkR0KBnsVTCDBDA34CwanF%2FaMGzn99ZAY0j9NEjzMia2K2klqN1PcnYw7Si9bMTfHi%2B9Wl%2BASxiCNlAzHFC42q%2F3M1duvTAsiW%2BL2cePJqfMMO8Y%2BwmNIsEw7xjRD82DoNqKA5JmXdJVNatGF4j2nK98z6BtvC%2BbwwUlR%2Fap7NbwfQSI1tQpRfLfbF8RjnvMEAgNDVvXPWxT2iQ%2FD0NqDvy%2FwG21apmjlxnvMaipCJVpxcPe8V5pbd%2BpNeAIP98crLYC1mzkZ0ClpZfVdvDI1ITNfEWIaUV2ZlXGoLe8iAIchXCRpjd8wnx9WnSdpIr6oEpAZmzuGVZw%2B9qnAbylN0UzME1fQcs%2Fm4qM%3D
request	GET https://c6m7w2m9.ssl.hwcdn.net/playtech_compressed_assets/casino_casinocom_new/templates/installer/casinocom_2016.7ze

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620776681.951375 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02b10000	success	0	0
1620776310.079271 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00000000041b0000	success	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Steals private information from local Internet browsers (2 个事件)

registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox
registry	HKEY_CURRENT_USER\Software\Mozilla\Mozilla Firefox

Creates executable files on the filesystem (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr77CD.tmp\internal6aa796bd1d43168701b54886ac67deb8.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr77CD.tmp\StdUtils.dll

Drops an executable to the user AppData folder (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr77CD.tmp\StdUtils.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr77CD.tmp\internal6aa796bd1d43168701b54886ac67deb8.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620776682.513375 Process32NextW	process_name: mobsync.exe snapshot_handle: 0x00000408 process_identifier: 1060	success	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620776682.748375 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Queries for potentially installed applications (6 个事件)

Time & API	Arguments	Status	Return
1620776677.138375 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	failed	2
1620776677.138375 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x000000dc regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	success	0
1620776697.279375 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	failed	2
1620776697.279375 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000858 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	success	0
1620776697.279375 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	failed	2
1620776697.279375 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000858 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	success	0

Reads the systems User Agent and subsequently performs requests (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620776697.310375 InternetOpenW	proxy_bypass: access_type: 0 proxy_name: flags: 0 user_agent: Playtech WinClient Downloader/1.0	success	13369348	0

Communicates with host for which no DNS query was performed (3 个事件)

host	172.217.24.14
host	203.208.41.65
host	203.208.41.66

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 个事件)

Bkav	W32.HfsAdware.D664
CAT-QuickHeal	Trojan.CGeneric
K7GW	Riskware ( 005475191 )
K7AntiVirus	Riskware ( 005475191 )
Invincea	heuristic
TrendMicro-HouseCall	PUA.Win32.PlayTech.AK.component
TrendMicro	PUA.Win32.PlayTech.AK.component
McAfee-GW-Edition	BehavesLike.Win32.Suspicious.bc
Antiy-AVL	GrayWare[AdWare]/Win32.PlayTech.a
Microsoft	PUA:Win32/Playtech
Zoner	PUA.Win32.65045
ESET-NOD32	Win32/PlayTech.A potentially unwanted
Rising	PUA.CrossRider!8.84 (CLOUD)
CrowdStrike	win/malicious_confidence_60% (D)

Attempts to create or modify system certificates (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)

Time & API	Arguments	Status
1620776685.888375 RegSetValueExA	key_handle: 0x00000534 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620776685.888375 RegSetValueExA	key_handle: 0x00000534 value: ¬¿ÍF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620776685.888375 RegSetValueExA	key_handle: 0x00000534 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620776685.888375 RegSetValueExW	key_handle: 0x00000534 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620776685.888375 RegSetValueExA	key_handle: 0x00000550 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620776685.888375 RegSetValueExA	key_handle: 0x00000550 value: ¬¿ÍF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620776685.888375 RegSetValueExA	key_handle: 0x00000550 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620776685.920375 RegSetValueExW	key_handle: 0x00000530 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success
1620776687.888375 RegSetValueExA	key_handle: 0x00000608 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620776687.888375 RegSetValueExA	key_handle: 0x00000608 value: ÙðÍF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620776687.888375 RegSetValueExA	key_handle: 0x00000608 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620776687.888375 RegSetValueExW	key_handle: 0x00000608 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620776687.888375 RegSetValueExA	key_handle: 0x000005f8 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620776687.888375 RegSetValueExA	key_handle: 0x000005f8 value: ÙðÍF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620776687.888375 RegSetValueExA	key_handle: 0x000005f8 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2012-02-19 23:01:49

Imports

Library ADVAPI32.dll:

• 0x429340 RegCloseKey

• 0x429344 RegCreateKeyExA

• 0x429348 RegDeleteKeyA

• 0x42934c RegDeleteValueA

• 0x429350 RegEnumKeyA

• 0x429354 RegEnumValueA

• 0x429358 RegOpenKeyExA

• 0x42935c RegQueryValueExA

• 0x429360 RegSetValueExA

Library COMCTL32.DLL:

• 0x429368 ImageList_AddMasked

• 0x42936c ImageList_Create

• 0x429370 ImageList_Destroy

• 0x429374 InitCommonControls

Library GDI32.dll:

• 0x42937c CreateBrushIndirect

• 0x429380 CreateFontIndirectA

• 0x429384 DeleteObject

• 0x429388 GetDeviceCaps

• 0x42938c SelectObject

• 0x429390 SetBkColor

• 0x429394 SetBkMode

• 0x429398 SetTextColor

Library KERNEL32.dll:

• 0x4293a0 CloseHandle

• 0x4293a4 CompareFileTime

• 0x4293a8 CopyFileA

• 0x4293ac CreateDirectoryA

• 0x4293b0 CreateFileA

• 0x4293b4 CreateProcessA

• 0x4293b8 CreateThread

• 0x4293bc DeleteFileA

• 0x4293c0 ExitProcess

• 0x4293c4 ExpandEnvironmentStringsA

• 0x4293c8 FindClose

• 0x4293cc FindFirstFileA

• 0x4293d0 FindNextFileA

• 0x4293d4 FreeLibrary

• 0x4293d8 GetCommandLineA

• 0x4293dc GetCurrentProcess

• 0x4293e0 GetDiskFreeSpaceA

• 0x4293e4 GetExitCodeProcess

• 0x4293e8 GetFileAttributesA

• 0x4293ec GetFileSize

• 0x4293f0 GetFullPathNameA

• 0x4293f4 GetLastError

• 0x4293f8 GetModuleFileNameA

• 0x4293fc GetModuleHandleA

• 0x429400 GetPrivateProfileStringA

• 0x429404 GetProcAddress

• 0x429408 GetShortPathNameA

• 0x42940c GetSystemDirectoryA

• 0x429410 GetTempFileNameA

• 0x429414 GetTempPathA

• 0x429418 GetTickCount

• 0x42941c GetVersion

• 0x429420 GetWindowsDirectoryA

• 0x429424 GlobalAlloc

• 0x429428 GlobalFree

• 0x42942c GlobalLock

• 0x429430 GlobalUnlock

• 0x429434 LoadLibraryA

• 0x429438 LoadLibraryExA

• 0x42943c MoveFileA

• 0x429440 MulDiv

• 0x429444 MultiByteToWideChar

• 0x429448 ReadFile

• 0x42944c RemoveDirectoryA

• 0x429450 SearchPathA

• 0x429454 SetCurrentDirectoryA

• 0x429458 SetErrorMode

• 0x42945c SetFileAttributesA

• 0x429460 SetFilePointer

• 0x429464 SetFileTime

• 0x429468 Sleep

• 0x42946c WaitForSingleObject

• 0x429470 WriteFile

• 0x429474 WritePrivateProfileStringA

• 0x429478 lstrcatA

• 0x42947c lstrcmpA

• 0x429480 lstrcmpiA

• 0x429484 lstrcpynA

• 0x429488 lstrlenA

Library ole32.dll:

• 0x429490 CoCreateInstance

• 0x429494 CoTaskMemFree

• 0x429498 OleInitialize

• 0x42949c OleUninitialize

Library SHELL32.DLL:

• 0x4294a4 SHBrowseForFolderA

• 0x4294a8 SHFileOperationA

• 0x4294ac SHGetFileInfoA

• 0x4294b0 SHGetPathFromIDListA

• 0x4294b4 SHGetSpecialFolderLocation

• 0x4294b8 ShellExecuteA

Library USER32.dll:

• 0x4294c0 AppendMenuA

• 0x4294c4 BeginPaint

• 0x4294c8 CallWindowProcA

• 0x4294cc CharNextA

• 0x4294d0 CharPrevA

• 0x4294d4 CheckDlgButton

• 0x4294d8 CloseClipboard

• 0x4294dc CreateDialogParamA

• 0x4294e0 CreatePopupMenu

• 0x4294e4 CreateWindowExA

• 0x4294e8 DefWindowProcA

• 0x4294ec DestroyWindow

• 0x4294f0 DialogBoxParamA

• 0x4294f4 DispatchMessageA

• 0x4294f8 DrawTextA

• 0x4294fc EmptyClipboard

• 0x429500 EnableMenuItem

• 0x429504 EnableWindow

• 0x429508 EndDialog

• 0x42950c EndPaint

• 0x429510 ExitWindowsEx

• 0x429514 FillRect

• 0x429518 FindWindowExA

• 0x42951c GetClassInfoA

• 0x429520 GetClientRect

• 0x429524 GetDC

• 0x429528 GetDlgItem

• 0x42952c GetDlgItemTextA

• 0x429530 GetMessagePos

• 0x429534 GetSysColor

• 0x429538 GetSystemMenu

• 0x42953c GetSystemMetrics

• 0x429540 GetWindowLongA

• 0x429544 GetWindowRect

• 0x429548 InvalidateRect

• 0x42954c IsWindow

• 0x429550 IsWindowEnabled

• 0x429554 IsWindowVisible

• 0x429558 LoadBitmapA

• 0x42955c LoadCursorA

• 0x429560 LoadImageA

• 0x429564 MessageBoxIndirectA

• 0x429568 OpenClipboard

• 0x42956c PeekMessageA

• 0x429570 PostQuitMessage

• 0x429574 RegisterClassA

• 0x429578 ScreenToClient

• 0x42957c SendMessageA

• 0x429580 SendMessageTimeoutA

• 0x429584 SetClassLongA

• 0x429588 SetClipboardData

• 0x42958c SetCursor

• 0x429590 SetDlgItemTextA

• 0x429594 SetForegroundWindow

• 0x429598 SetTimer

• 0x42959c SetWindowLongA

• 0x4295a0 SetWindowPos

• 0x4295a4 SetWindowTextA

• 0x4295a8 ShowWindow

• 0x4295ac SystemParametersInfoA

• 0x4295b0 TrackPopupMenu

• 0x4295b4 wsprintfA

Library VERSION.dll:

• 0x4295bc GetFileVersionInfoA

• 0x4295c0 GetFileVersionInfoSizeA

• 0x4295c4 VerQueryValueA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 51.105.208.173 CNAME time.microsoft.akadns.net
ocsp.sectigo.com	A 151.139.128.14	151.139.128.14
ocsp.comodoca.com	A 151.139.128.14	151.139.128.14
dns.msftncsi.com	A 131.107.255.255
t8u4n6u7.ssl.hwcdn.net	A 205.185.208.154	205.185.208.154
c6m7w2m9.ssl.hwcdn.net	A 205.185.208.154	205.185.208.154
fallback.playtech-installer.com	CNAME s3-website-eu-west-1.amazonaws.com CNAME pt-installer.s3-website-eu-west-1.amazonaws.com A 52.218.91.100	52.218.40.52
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	216.58.200.78
ocsp.usertrust.com	A 151.139.128.14	151.139.128.14
www.download.windowsupdate.com	A 124.225.105.97 CNAME 2-01-3cf7-0009.cdx.cedexis.net CNAME www.download.windowsupdate.com.cdn.dnsv1.com CNAME windowsupdate.sched.s11.tdnsv5.com CNAME 3573033.pack.cdntip.com CNAME wu-fg-shim.trafficmanager.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49183	124.225.105.97 www.download.windowsupdate.com	80
192.168.56.101	49184	151.139.128.14 ocsp.usertrust.com	80
192.168.56.101	49185	151.139.128.14 ocsp.usertrust.com	80
192.168.56.101	49186	151.139.128.14 ocsp.usertrust.com	80
192.168.56.101	49187	151.139.128.14 ocsp.usertrust.com	80
192.168.56.101	49188	151.139.128.14 ocsp.usertrust.com	80
192.168.56.101	49178	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49179	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	80
192.168.56.101	49181	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49192	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49182	52.218.91.100 fallback.playtech-installer.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53380	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	57236	114.114.114.114	53
192.168.56.101	58970	114.114.114.114	53
192.168.56.101	60088	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60221	114.114.114.114	53
192.168.56.101	61680	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	54991	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 3600 Connection: Keep-Alive Accept: / If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT If-None-Match: "0d8f4f3f6fd71:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.usertrust.com
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.comodoca.com
http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom_new/index.7ze	GET /playtech_compressed_assets/casino_casinocom_new/index.7ze HTTP/1.1 Accept: / C: \Users\Administrator.Oskar-PC\AppData\Local\Temp\4CA22DF21C884EBB918A922670B8001F\index.7ze User-Agent: Playtech WinClient Downloader/1.0 Host: fallback.playtech-installer.com Connection: Keep-Alive Cache-Control: no-cache
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEHSfdSPcp6pyLdnEz5lZ6ec%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEHSfdSPcp6pyLdnEz5lZ6ec%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.sectigo.com
http://c6m7w2m9.ssl.hwcdn.net/playtech_compressed_assets/casino_casinocom_new/index.7ze	GET /playtech_compressed_assets/casino_casinocom_new/index.7ze HTTP/1.1 Accept: / C: \Users\Administrator.Oskar-PC\AppData\Local\Temp\4CA22DF21C884EBB918A922670B8001F\index.7ze User-Agent: Playtech WinClient Downloader/1.0 Host: c6m7w2m9.ssl.hwcdn.net Connection: Keep-Alive Cache-Control: no-cache
http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom_new/templates/installer/casinocom_2016.7ze	GET /playtech_compressed_assets/casino_casinocom_new/templates/installer/casinocom_2016.7ze HTTP/1.1 Accept: / C: \Users\Administrator.Oskar-PC\AppData\Local\Temp\4CA22DF21C884EBB918A922670B8001F\casinocom_2016 (1).7z User-Agent: Playtech WinClient Downloader/1.0 Host: fallback.playtech-installer.com Connection: Keep-Alive Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.