12.2
0-day
54 个模型检测该样本为恶意!
重新分析
更多

a15fcceade1ca594a3cf52242fc7086f2eb886a2f78c013ae74dc8d354a4a8fa

c0c56d46f05325219ff76e6f26766409.exe

分析耗时

120s

最近分析

文件大小

737.0KB
静态报毒 动态报毒 AI SCORE=87 BANKERX CLASSIC CONFIDENCE DOWNLOADER34 ELDORADO EMOTET FHGO GENCIRC GENERICKD GENETIC HIGH CONFIDENCE HPCMTM KCLOUD KRYPTIK MALWARE@#2S4KDZWXVR1RW OOLAEVGQ2H0 R + TROJ R346327 SCORE THIAABO UNSAFE UQW@AKW9ZQOJ WACATAC ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20201210 21.1.5827.0
Alibaba Trojan:Win32/Emotet.c5eb7ff9 20190527 0.3.0.5
Kingsoft Win32.Hack.Emotet.ae.(kcloud) 20201211 2017.9.26.565
McAfee Emotet-FRI!C0C56D46F053 20201211 6.0.6.653
Tencent Malware.Win32.Gencirc.10cde54a 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619891687.000249
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (4 个事件)
Time & API Arguments Status Return Repeated
1619891678.172249
CryptGenKey
crypto_handle: 0x00674340
algorithm_identifier: 0x0000660e ()
provider_handle: 0x00676f88
flags: 1
key: fœ.raÕMnœ§ Ú¹àõý
success 1 0
1619891687.172249
CryptExportKey
crypto_handle: 0x00674340
crypto_export_handle: 0x00676f48
buffer: f¤îÆzA“лœ—c~Ž'žót»z·V\'MÛê\ñdïÝAÖ)šØ+Ռ«ã¿#FâNFZ «pzs¤®‚«†p… Ä<±ÍÇîjƵµ…žœaeâ±Bo9·>
blob_type: 1
flags: 64
success 1 0
1619891718.265249
CryptExportKey
crypto_handle: 0x00674340
crypto_export_handle: 0x00676f48
buffer: f¤ _‡7+JÓÛ êgÄÕ¹~;‹8%ù›¥’fE«ñàÍ^Õi<ª ©Rbv¥vcuÒek[ç…T,•%´G´­’p°iÅхÀO㏢äsº–è< Ð+äb.äÖÿ¥®
blob_type: 1
flags: 64
success 1 0
1619891743.328249
CryptExportKey
crypto_handle: 0x00674340
crypto_export_handle: 0x00676f48
buffer: f¤¬××RbíE‘®¢Š±ýHb}ÅVø♾W–ˆks@3Q“*ìp”ò~q&=˜l ¤}…jºË¦·6/¤¤?ƒÞ‹Ù=Ðæðm?,êëoöb/]z{š?ìk•ˆ-ÕÙ iT
blob_type: 1
flags: 64
success 1 0
This executable has a PDB path (1 个事件)
pdb_path c:\Users\User\Desktop\2008\28.7.20\custom_pattern_brush_src\BrushTool\Release\BrushTool.pdb
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features Connection to IP address suspicious_request POST http://37.139.21.175:8080/HlXIPY/
Performs some HTTP requests (1 个事件)
request POST http://37.139.21.175:8080/HlXIPY/
Sends data using the HTTP POST Method (1 个事件)
request POST http://37.139.21.175:8080/HlXIPY/
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619861639.0465
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00580000
success 0 0
1619891296.30102
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000040a0000
success 0 0
1619891677.922249
NtAllocateVirtualMemory
process_identifier: 2968
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00510000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Foreign language identified in PE resource (3 个事件)
name RT_ICON language LANG_CHINESE offset 0x000bc3bc filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000128
name RT_ICON language LANG_CHINESE offset 0x000bc3bc filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000128
name RT_GROUP_ICON language LANG_CHINESE offset 0x000be230 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000022
Drops a binary and executes it (1 个事件)
file C:\Windows\SysWOW64\EhStorShell\poqexec.exe
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 个事件)
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619861639.7965
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c0c56d46f05325219ff76e6f26766409.exe
newfilepath: C:\Windows\SysWOW64\EhStorShell\poqexec.exe
newfilepath_r: C:\Windows\SysWOW64\EhStorShell\poqexec.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c0c56d46f05325219ff76e6f26766409.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619891691.140249
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)
entropy 7.431226793199101 section {'size_of_data': '0x0000bc00', 'virtual_address': '0x000a7000', 'entropy': 7.431226793199101, 'name': '.data', 'virtual_size': '0x0000f744'} description A section with a high entropy has been found
Expresses interest in specific running processes (1 个事件)
process poqexec.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619891688.250249
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (4 个事件)
host 172.217.24.14
host 212.51.142.238
host 24.234.133.205
host 37.139.21.175
Installs itself for autorun at Windows startup (1 个事件)
service_name poqexec service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\EhStorShell\poqexec.exe"
Created a service where a service was also not started (1 个事件)
Time & API Arguments Status Return Repeated
1619861641.6405
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02c7ee68
display_name: poqexec
error_control: 0
service_name: poqexec
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\EhStorShell\poqexec.exe"
filepath_r: "C:\Windows\SysWOW64\EhStorShell\poqexec.exe"
service_manager_handle: 0x02c7edf0
desired_access: 2
service_type: 16
password:
success 46657128 0
Deletes executed files from disk (1 个事件)
file C:\Windows\SysWOW64\EhStorShell\poqexec.exe
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619891693.750249
RegSetValueExA
key_handle: 0x000003b8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619891693.750249
RegSetValueExA
key_handle: 0x000003b8
value: `¥D¾>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619891693.750249
RegSetValueExA
key_handle: 0x000003b8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619891693.750249
RegSetValueExW
key_handle: 0x000003b8
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619891693.750249
RegSetValueExA
key_handle: 0x000003d0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619891693.750249
RegSetValueExA
key_handle: 0x000003d0
value: `¥D¾>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619891693.750249
RegSetValueExA
key_handle: 0x000003d0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619891693.765249
RegSetValueExW
key_handle: 0x000003b4
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\SysWOW64\EhStorShell\poqexec.exe:Zone.Identifier
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43558770
FireEye Trojan.GenericKD.43558770
ALYac Trojan.GenericKD.43558770
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056b63c1 )
BitDefender Trojan.GenericKD.43558770
K7GW Trojan ( 0056b63c1 )
Cybereason malicious.2ad928
Cyren W32/Kryptik.BRP.gen!Eldorado
Symantec Trojan.Emotet
APEX Malicious
Avast Win32:BankerX-gen [Trj]
Kaspersky HEUR:Backdoor.Win32.Emotet.vho
Alibaba Trojan:Win32/Emotet.c5eb7ff9
NANO-Antivirus Trojan.Win32.Emotet.hpcmtm
Rising Trojan.Kryptik!1.C71F (CLASSIC)
Ad-Aware Trojan.GenericKD.43558770
Emsisoft Trojan.Emotet (A)
Comodo Malware@#2s4kdzwxvr1rw
F-Secure Trojan.TR/AD.Emotet.KI
DrWeb Trojan.DownLoader34.9323
Zillya Backdoor.Emotet.Win32.660
TrendMicro TrojanSpy.Win32.EMOTET.THIAABO
McAfee-GW-Edition BehavesLike.Win32.Emotet.bh
Sophos Mal/Generic-R + Troj/Emotet-CKI
GData Trojan.GenericKD.43558770
Jiangmin Backdoor.Emotet.om
Avira TR/AD.Emotet.KI
Antiy-AVL Trojan[Backdoor]/Win32.Emotet
Kingsoft Win32.Hack.Emotet.ae.(kcloud)
Arcabit Trojan.Generic.D298A772
ZoneAlarm HEUR:Backdoor.Win32.Emotet.vho
Microsoft Trojan:Win32/Emotet.ARJ!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Emotet.R346327
McAfee Emotet-FRI!C0C56D46F053
MAX malware (ai score=87)
VBA32 Trojan.Wacatac
Malwarebytes Trojan.MalPack.TRE
Panda Trj/Genetic.gen
ESET-NOD32 Win32/Emotet.CD
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.THIAABO
Tencent Malware.Win32.Gencirc.10cde54a
Yandex Trojan.Emotet!OoLAevGQ2H0
Ikarus Trojan-Banker.Emotet
Fortinet W32/Emotet.FHGO!tr
BitDefenderTheta Gen:NN.ZexaF.34670.UqW@aKW9ZQoj
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 个事件)
dead_host 172.217.24.14:443
dead_host 212.51.142.238:8080
dead_host 172.217.160.110:443
dead_host 24.234.133.205:80
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-28 17:59:30

Imports

Library KERNEL32.dll:
0x4881b4 GetTickCount
0x4881b8 RtlUnwind
0x4881bc RaiseException
0x4881c0 GetCommandLineA
0x4881c4 GetStartupInfoA
0x4881c8 HeapAlloc
0x4881cc HeapFree
0x4881d0 Sleep
0x4881d4 ExitThread
0x4881d8 CreateThread
0x4881dc VirtualProtect
0x4881e0 VirtualAlloc
0x4881e4 GetSystemInfo
0x4881e8 VirtualQuery
0x4881ec HeapReAlloc
0x4881f0 HeapSize
0x4881f4 TerminateProcess
0x488200 IsDebuggerPresent
0x488204 GetACP
0x488208 IsValidCodePage
0x48820c GetStdHandle
0x488220 SetHandleCount
0x488224 SetErrorMode
0x488228 HeapCreate
0x48822c HeapDestroy
0x488230 VirtualFree
0x48823c FatalAppExitA
0x488248 GetStringTypeA
0x48824c GetStringTypeW
0x488254 GetConsoleCP
0x488258 GetConsoleMode
0x48825c LCMapStringA
0x488260 LCMapStringW
0x488264 GetTimeFormatA
0x488268 GetDateFormatA
0x48826c GetUserDefaultLCID
0x488270 EnumSystemLocalesA
0x488274 IsValidLocale
0x488278 GetLocaleInfoW
0x48827c SetStdHandle
0x488280 WriteConsoleA
0x488284 GetConsoleOutputCP
0x488288 WriteConsoleW
0x48828c CompareStringW
0x488294 GetFileTime
0x488298 GetFileSizeEx
0x48829c GetFileAttributesA
0x4882a0 SetFileAttributesA
0x4882a4 SetFileTime
0x4882b8 GetModuleHandleW
0x4882bc GetAtomNameA
0x4882c0 GetOEMCP
0x4882c4 GetCPInfo
0x4882c8 CreateFileA
0x4882cc GetShortPathNameA
0x4882d0 GetFullPathNameA
0x4882d8 FindFirstFileA
0x4882dc FindClose
0x4882e0 DuplicateHandle
0x4882e4 GetFileSize
0x4882e8 SetEndOfFile
0x4882ec UnlockFile
0x4882f0 LockFile
0x4882f4 FlushFileBuffers
0x4882f8 SetFilePointer
0x4882fc WriteFile
0x488300 ReadFile
0x488304 lstrcmpiA
0x488308 GetThreadLocale
0x48830c GetStringTypeExA
0x488310 DeleteFileA
0x488314 MoveFileA
0x48831c TlsFree
0x488324 LocalReAlloc
0x488328 TlsSetValue
0x48832c TlsAlloc
0x488334 GlobalHandle
0x48833c TlsGetValue
0x488344 LocalAlloc
0x488348 GlobalFlags
0x48835c GlobalReAlloc
0x488364 GetModuleFileNameW
0x488368 CopyFileA
0x48836c GlobalSize
0x488370 FormatMessageA
0x488374 LocalFree
0x488378 lstrlenW
0x48837c MulDiv
0x488380 lstrlenA
0x488384 GlobalGetAtomNameA
0x488388 GlobalFindAtomA
0x48838c MultiByteToWideChar
0x488390 lstrcmpW
0x488394 GetVersionExA
0x488398 GlobalUnlock
0x48839c GlobalFree
0x4883a0 FreeResource
0x4883a4 GetCurrentProcessId
0x4883a8 GetLastError
0x4883ac SetLastError
0x4883b0 GlobalAddAtomA
0x4883b4 CreateEventA
0x4883b8 SuspendThread
0x4883bc SetEvent
0x4883c0 WaitForSingleObject
0x4883c4 ResumeThread
0x4883c8 SetThreadPriority
0x4883cc CloseHandle
0x4883d0 GlobalDeleteAtom
0x4883d4 GetCurrentThread
0x4883d8 GetCurrentThreadId
0x4883e4 GetModuleFileNameA
0x4883e8 GetLocaleInfoA
0x4883ec CompareStringA
0x4883f0 InterlockedExchange
0x4883f4 GlobalLock
0x4883f8 lstrcmpA
0x4883fc GlobalAlloc
0x488400 GetModuleHandleA
0x488408 LoadLibraryA
0x48840c FreeLibrary
0x488410 lstrcatA
0x488414 CreateProcessA
0x488418 LoadLibraryExW
0x48841c ExitProcess
0x488420 LoadLibraryExA
0x488424 GetProcAddress
0x488428 GetCurrentProcess
0x48842c WideCharToMultiByte
0x488430 WinExec
0x488434 FindResourceA
0x488438 LoadResource
0x48843c LockResource
0x488440 GetFileType
0x488444 SizeofResource
Library USER32.dll:
0x48852c BringWindowToTop
0x488530 CreatePopupMenu
0x488534 InsertMenuItemA
0x488538 LoadAcceleratorsA
0x48853c GetMenuBarInfo
0x488540 LoadMenuA
0x488544 ReuseDDElParam
0x488548 UnpackDDElParam
0x488550 SetTimer
0x488554 KillTimer
0x488558 GetKeyNameTextA
0x48855c MapVirtualKeyA
0x488560 SetParent
0x488564 UnionRect
0x488568 PostThreadMessageA
0x48856c GetDCEx
0x488570 LockWindowUpdate
0x488574 DeleteMenu
0x488578 WindowFromPoint
0x48857c DestroyMenu
0x488580 GetMenuItemInfoA
0x488584 EndPaint
0x488588 BeginPaint
0x48858c GetWindowDC
0x488590 ClientToScreen
0x488594 GrayStringA
0x488598 DrawTextExA
0x48859c DrawTextA
0x4885a0 TabbedTextOutA
0x4885a4 FillRect
0x4885a8 GetMenuStringA
0x4885ac InsertMenuA
0x4885b0 RemoveMenu
0x4885b4 ScrollWindowEx
0x4885b8 ShowWindow
0x4885bc MoveWindow
0x4885c0 SetWindowTextA
0x4885c4 IsDialogMessageA
0x4885c8 IsDlgButtonChecked
0x4885cc SetDlgItemTextA
0x4885d0 SetDlgItemInt
0x4885d4 GetDlgItemTextA
0x4885d8 GetDlgItemInt
0x4885dc CheckRadioButton
0x4885e0 CheckDlgButton
0x4885e8 SendDlgItemMessageA
0x4885ec WinHelpA
0x4885f0 IsChild
0x4885f4 GetCapture
0x4885f8 GetClassLongA
0x4885fc GetClassNameA
0x488600 SetPropA
0x488604 GetPropA
0x488608 RemovePropA
0x48860c SetFocus
0x488610 GetWindowTextA
0x488614 GetForegroundWindow
0x488618 BeginDeferWindowPos
0x48861c EndDeferWindowPos
0x488620 GetTopWindow
0x488624 UnhookWindowsHookEx
0x488628 GetMessageTime
0x488630 MapWindowPoints
0x488634 ScrollWindow
0x488638 TrackPopupMenuEx
0x48863c TrackPopupMenu
0x488640 SetMenu
0x488644 SetScrollRange
0x488648 GetScrollRange
0x48864c SetScrollPos
0x488650 GetScrollPos
0x488654 SetForegroundWindow
0x488658 ShowScrollBar
0x48865c UpdateWindow
0x488660 GetSubMenu
0x488664 GetMenuItemID
0x488668 GetMenuItemCount
0x48866c CreateWindowExA
0x488670 GetClassInfoExA
0x488674 GetClassInfoA
0x488678 RegisterClassA
0x48867c AdjustWindowRectEx
0x488680 ScreenToClient
0x488684 EqualRect
0x488688 DeferWindowPos
0x48868c GetScrollInfo
0x488690 SetScrollInfo
0x488694 CopyRect
0x488698 SetWindowPlacement
0x48869c GetDlgCtrlID
0x4886a0 DefWindowProcA
0x4886a4 CallWindowProcA
0x4886a8 GetMenu
0x4886ac OffsetRect
0x4886b0 IntersectRect
0x4886b8 GetWindowPlacement
0x4886bc GetWindow
0x4886c4 MapDialogRect
0x4886c8 SetWindowPos
0x4886cc GetDesktopWindow
0x4886d0 SetActiveWindow
0x4886d8 DestroyWindow
0x4886dc GetDlgItem
0x4886e0 GetNextDlgTabItem
0x4886e4 EndDialog
0x4886ec GetWindowLongA
0x4886f0 PtInRect
0x4886f4 SetRectEmpty
0x4886f8 DrawIcon
0x4886fc AppendMenuA
0x488700 GetLastActivePopup
0x488704 IsWindowEnabled
0x488708 MessageBoxA
0x48870c ShowOwnedPopups
0x488710 SetWindowsHookExA
0x488714 CallNextHookEx
0x488718 GetMessageA
0x48871c TranslateMessage
0x488720 DispatchMessageA
0x488724 GetActiveWindow
0x488728 IsWindowVisible
0x48872c GetKeyState
0x488730 PeekMessageA
0x488734 GetCursorPos
0x488738 UnregisterClassA
0x48873c GetNextDlgGroupItem
0x488740 InvalidateRgn
0x488744 SetRect
0x488748 IsRectEmpty
0x488750 CharNextA
0x488754 GetDialogBaseUnits
0x488758 CharUpperA
0x48875c DestroyIcon
0x488760 GetSysColorBrush
0x488764 GetMessagePos
0x488768 WaitMessage
0x48876c SendMessageA
0x488770 GetSystemMenu
0x488774 IsIconic
0x488778 GetWindowRect
0x48877c GetClientRect
0x488780 InvalidateRect
0x488784 OpenClipboard
0x488788 EnableWindow
0x48878c LoadIconA
0x488790 CloseClipboard
0x488794 SetClipboardData
0x488798 GetSystemMetrics
0x48879c SetCursor
0x4887a0 InflateRect
0x4887a4 GetDC
0x4887a8 ReleaseDC
0x4887ac RedrawWindow
0x4887b0 SetCapture
0x4887b4 GetParent
0x4887b8 MessageBeep
0x4887bc ReleaseCapture
0x4887c0 IsWindow
0x4887c4 GetSysColor
0x4887c8 SetWindowLongA
0x4887cc DestroyCursor
0x4887d0 CopyIcon
0x4887d4 LoadCursorA
0x4887d8 PostQuitMessage
0x4887dc PostMessageA
0x4887e0 CheckMenuItem
0x4887e4 EnableMenuItem
0x4887e8 GetMenuState
0x4887ec ModifyMenuA
0x4887f0 GetFocus
0x4887f4 LoadBitmapA
0x4887fc SetMenuItemBitmaps
0x488800 ValidateRect
Library GDI32.dll:
0x488044 ArcTo
0x488048 PolyDraw
0x48804c PolylineTo
0x488050 PolyBezierTo
0x488054 ExtSelectClipRgn
0x488058 DeleteDC
0x488060 CreatePatternBrush
0x488064 CreateCompatibleDC
0x488068 SelectPalette
0x48806c PlayMetaFileRecord
0x488070 GetObjectType
0x488074 EnumMetaFile
0x488078 PlayMetaFile
0x48807c CreatePen
0x488080 ScaleWindowExtEx
0x488084 CreateSolidBrush
0x488088 CreateHatchBrush
0x488090 SetRectRgn
0x488094 CombineRgn
0x488098 GetMapMode
0x48809c PatBlt
0x4880a0 DPtoLP
0x4880a4 GetTextMetricsA
0x4880a8 GetBkColor
0x4880ac GetTextColor
0x4880b0 GetRgnBox
0x4880b4 GetCharWidthA
0x4880b8 CreateFontA
0x4880bc StretchDIBits
0x4880c4 OffsetWindowOrgEx
0x4880c8 SetWindowExtEx
0x4880cc SetWindowOrgEx
0x4880d0 ScaleViewportExtEx
0x4880d4 SetViewportExtEx
0x4880d8 OffsetViewportOrgEx
0x4880dc SetViewportOrgEx
0x4880e0 SelectObject
0x4880e4 Escape
0x4880e8 ExtTextOutA
0x4880ec TextOutA
0x4880f0 RectVisible
0x4880f4 PtVisible
0x4880f8 StartDocA
0x4880fc ExtCreatePen
0x488100 CreateBrushIndirect
0x488104 BitBlt
0x488108 GetWindowExtEx
0x48810c GetViewportExtEx
0x488110 SelectClipPath
0x488114 CreateRectRgn
0x488118 GetClipRgn
0x48811c SelectClipRgn
0x488120 DeleteObject
0x488124 SetColorAdjustment
0x488128 SetArcDirection
0x48812c SetMapperFlags
0x488138 SetTextAlign
0x48813c MoveToEx
0x488140 LineTo
0x488144 OffsetClipRgn
0x488148 IntersectClipRect
0x48814c ExcludeClipRect
0x488150 SetMapMode
0x488158 SetWorldTransform
0x48815c SetGraphicsMode
0x488160 SetStretchBltMode
0x488164 SetROP2
0x488168 SetPolyFillMode
0x48816c SetBkMode
0x488170 RestoreDC
0x488174 SaveDC
0x488178 CreateDCA
0x48817c CopyMetaFileA
0x488180 GetDeviceCaps
0x488184 SetBkColor
0x488188 SetTextColor
0x48818c GetClipBox
0x488190 GetDCOrgEx
0x488198 GetObjectA
0x48819c CreateFontIndirectA
0x4881a0 GetStockObject
0x4881a4 Rectangle
0x4881a8 CreateBitmap
0x4881ac GetPixel
Library COMDLG32.dll:
0x488038 GetFileTitleA
Library WINSPOOL.DRV:
0x48880c DocumentPropertiesA
0x488810 ClosePrinter
0x488814 OpenPrinterA
Library ADVAPI32.dll:
0x488000 RegDeleteValueA
0x488004 RegSetValueExA
0x488008 RegCreateKeyExA
0x48800c RegSetValueA
0x488010 RegOpenKeyA
0x488014 RegEnumKeyA
0x488018 RegDeleteKeyA
0x48801c RegQueryValueA
0x488024 RegOpenKeyExA
0x488028 RegQueryValueExA
0x48802c RegCloseKey
0x488030 RegCreateKeyA
Library SHELL32.dll:
0x4884f8 ExtractIconA
0x4884fc SHGetFileInfoA
0x488500 DragFinish
0x488504 DragQueryFileA
0x488508 ShellExecuteA
Library SHLWAPI.dll:
0x488514 PathFindFileNameA
0x488518 PathStripToRootA
0x48851c PathIsUNCA
0x488520 PathFindExtensionA
0x488524 PathRemoveFileSpecW
Library oledlg.dll:
0x4888ac
Library ole32.dll:
0x48881c OleSetClipboard
0x488820 CoRevokeClassObject
0x488828 OleInitialize
0x488830 OleUninitialize
0x488834 OleRun
0x488838 CoInitializeEx
0x48883c CoUninitialize
0x488840 CoCreateInstance
0x488844 StringFromGUID2
0x488848 CoDisconnectObject
0x48885c OleDuplicateData
0x488860 CoTaskMemAlloc
0x488864 ReleaseStgMedium
0x488868 CreateBindCtx
0x48886c CoTreatAsClass
0x488870 StringFromCLSID
0x488874 ReadClassStg
0x488878 ReadFmtUserTypeStg
0x48887c OleRegGetUserType
0x488880 WriteClassStg
0x488884 WriteFmtUserTypeStg
0x488888 SetConvertStg
0x48888c CoTaskMemFree
0x488890 CLSIDFromString
0x488894 CLSIDFromProgID
0x488898 OleFlushClipboard
0x4888a4 CoGetClassObject
Library OLEAUT32.dll:
0x48844c SysAllocStringLen
0x488450 VariantClear
0x488454 VariantChangeType
0x488458 VariantInit
0x48845c SysStringLen
0x488464 SysStringByteLen
0x488474 SafeArrayDestroy
0x488478 SysAllocString
0x48847c RegisterTypeLib
0x488480 LoadTypeLib
0x488484 LoadRegTypeLib
0x48848c SafeArrayAccessData
0x488490 SafeArrayGetUBound
0x488494 SafeArrayGetLBound
0x48849c SafeArrayGetDim
0x4884a0 SafeArrayCreate
0x4884a4 SafeArrayRedim
0x4884a8 VariantCopy
0x4884ac SafeArrayAllocData
0x4884b4 SafeArrayCopy
0x4884b8 SafeArrayGetElement
0x4884bc SafeArrayPtrOfIndex
0x4884c0 SafeArrayPutElement
0x4884c4 SafeArrayLock
0x4884c8 SafeArrayUnlock
0x4884d4 SysReAllocStringLen
0x4884d8 VarDateFromStr
0x4884dc VarBstrFromCy
0x4884e0 VarBstrFromDec
0x4884e4 VarDecFromStr
0x4884e8 VarCyFromStr
0x4884ec VarBstrFromDate
0x4884f0 SysFreeString

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49194 37.139.21.175 8080

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58970 224.0.0.252 5355
192.168.56.101 60221 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://37.139.21.175:8080/HlXIPY/ 
POST /HlXIPY/ HTTP/1.1
Referer: http://37.139.21.175/HlXIPY/
Content-Type: multipart/form-data; boundary=---------------------------456671235203628
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 37.139.21.175:8080
Content-Length: 4548
Connection: Keep-Alive
Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.