10.2
0-day
2 个模型检测该样本为恶意!
重新分析
更多

1d93634484718ba0256c1b73b44c0a3d53c57e8b71cd4ac13c8d6ddac9100401

c486af86439df50a50cc8d9595208a73.exe

分析耗时

90s

最近分析

文件大小

4.4MB
静态报毒 动态报毒 CHINA
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba 20190527 0.3.0.5
Avast 20200710 18.4.3895.0
Baidu 20190318 1.0.0.2
Kingsoft 20200710 2013.8.14.323
McAfee 20200710 6.0.6.653
Tencent 20200710 1.0.0.1
CrowdStrike 20190702 1.0
静态指标
Command line console output was observed (22 个事件)
Time & API Arguments Status Return Repeated
1620906598.925249
WriteConsoleA
buffer: 7-Zip (a) 19.00 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21
console_handle: 0x00000007
success 1 0
1620906598.956249
WriteConsoleA
buffer: Scanning the drive for archives:
console_handle: 0x00000007
success 1 0
1620906598.972249
WriteConsoleA
buffer: 0M Scan C:\Users\ADMINI~1.OSK\AppData\Local\Temp\\
console_handle: 0x00000007
success 1 0
1620906598.972249
WriteConsoleA
buffer: 1 file, 1594894 bytes (1558 KiB)
console_handle: 0x00000007
success 1 0
1620906599.003249
WriteConsoleA
buffer: Extracting archive:
console_handle: 0x00000007
success 1 0
1620906599.019249
WriteConsoleA
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\\downloader.7z
console_handle: 0x00000007
success 1 0
1620906599.034249
WriteConsoleA
buffer: Path
console_handle: 0x00000007
success 1 0
1620906599.034249
WriteConsoleA
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\\downloader.7z
console_handle: 0x00000007
success 1 0
1620906599.034249
WriteConsoleA
buffer: Type
console_handle: 0x00000007
success 1 0
1620906599.066249
WriteConsoleA
buffer: 7z
console_handle: 0x00000007
success 1 0
1620906599.066249
WriteConsoleA
buffer: Physical Size
console_handle: 0x00000007
success 1 0
1620906599.081249
WriteConsoleA
buffer: Headers Size
console_handle: 0x00000007
success 1 0
1620906599.097249
WriteConsoleA
buffer: Method
console_handle: 0x00000007
success 1 0
1620906599.097249
WriteConsoleA
buffer: LZMA2:21 BCJ
console_handle: 0x00000007
success 1 0
1620906599.097249
WriteConsoleA
buffer: Solid
console_handle: 0x00000007
success 1 0
1620906599.128249
WriteConsoleA
buffer: Blocks
console_handle: 0x00000007
success 1 0
1620906600.066249
WriteConsoleA
buffer: 69% 6 - download\minizip.dll
console_handle: 0x00000007
success 1 0
1620906600.566249
WriteConsoleA
buffer: Everything is Ok
console_handle: 0x00000007
success 1 0
1620906600.566249
WriteConsoleA
buffer: Folders:
console_handle: 0x00000007
success 1 0
1620906600.566249
WriteConsoleA
buffer: Files:
console_handle: 0x00000007
success 1 0
1620906600.566249
WriteConsoleA
buffer: Size:
console_handle: 0x00000007
success 1 0
1620906600.581249
WriteConsoleA
buffer: Compressed:
console_handle: 0x00000007
success 1 0
This executable is signed
This executable has a PDB path (1 个事件)
pdb_path E:\pcgame\GameDownloader\Release\GameDownloader.pdb
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620906599.019249
GlobalMemoryStatusEx
success 1 0
The file contains an unknown PE resource name possibly indicative of a packer (2 个事件)
resource name INI
resource name ZIP
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 个事件)
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://180.163.54.121:80/
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://47.97.7.140:80/
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://180.163.202.114:80/
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://140.206.225.136:80/
Performs some HTTP requests (8 个事件)
request GET http://r.yx-s.net/b/duan/s/ginstall/?user_from=414100000177&user_channel=623800036&user_subsite=238036&mid=2d5bac7481e6a281dd071007abc25283&status=7&gkey=gjol&ver=1.0.0.1001&first_time=
request GET http://gametool.down.yx-g.com/gametool/lyyx/gjol/623800036/DL.ini
request POST http://180.163.54.121:80/
request POST http://47.97.7.140:80/
request GET http://gametool.down.360-g.net/gametool/lyyx/gjol/623800036/DL.ini
request POST http://180.163.202.114:80/
request GET http://gametool.down.yx-g.com/gametool/lyyx/gjol/default/DL.ini
request POST http://140.206.225.136:80/
Sends data using the HTTP POST Method (4 个事件)
request POST http://180.163.54.121:80/
request POST http://47.97.7.140:80/
request POST http://180.163.202.114:80/
request POST http://140.206.225.136:80/
Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 个事件)
ip 119.147.185.88
ip 123.161.62.171
ip 180.163.202.93
ip 39.98.93.220
ip 47.92.99.221
Allocates read-write-execute memory (usually to unpack itself) (4 个事件)
Time & API Arguments Status Return Repeated
1620897716.252036
NtAllocateVirtualMemory
process_identifier: 2120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b10000
success 0 0
1620906603.658874
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x6fff0000
success 0 0
1620906603.658874
NtProtectVirtualMemory
process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76377000
success 0 0
1620906603.658874
NtProtectVirtualMemory
process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76340000
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 个事件)
Time & API Arguments Status Return Repeated
1620897721.893036
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19598639104
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
1620897728.127036
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19468492800
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Checks for known Chinese AV sofware registry keys (1 个事件)
regkey .*360Safe
Foreign language identified in PE resource (2 个事件)
name RT_VERSION language LANG_CHINESE offset 0x0044d168 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000002e8
name RT_VERSION language LANG_CHINESE offset 0x0044d168 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000002e8
Creates executable files on the filesystem (13 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7za.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\atl71.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\DlMgr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\dl_peer_id.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\xldl.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\msvcr71.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\MiniThunderPlatform.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\minizip.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\XLBugHandler.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\XLBugReport.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\msvcp71.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\zlib1.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\download_engine.dll
Drops an executable to the user AppData folder (13 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7za.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\msvcr71.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\dl_peer_id.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\atl71.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\XLBugReport.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\XLBugHandler.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\MiniThunderPlatform.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\xldl.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\DlMgr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\download_engine.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\zlib1.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\msvcp71.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\download\minizip.dll
File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 个事件)
Paloalto generic.ml
Ikarus Trojan.Agent
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620897717.908036
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.995515874638764 section {'size_of_data': '0x00283800', 'virtual_address': '0x001ca000', 'entropy': 7.995515874638764, 'name': '.rsrc', 'virtual_size': '0x002836dc'} description A section with a high entropy has been found
entropy 0.578167115902965 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 个事件)
Time & API Arguments Status Return Repeated
1620906598.925249
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1620906598.972249
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1620906598.987249
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 39.98.93.220
Queries information on disks, possibly for anti-virtualization (2 个事件)
Time & API Arguments Status Return Repeated
1620897715.971036
NtCreateFile
create_disposition: 1 (FILE_OPEN)
file_handle: 0x00000138
filepath: \??\PhysicalDrive0
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 1 (FILE_OPENED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
success 0 0
1620897721.893036
DeviceIoControl
input_buffer:
device_handle: 0x00000438
control_code: 2954240 ()
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566434623363626138662d3764623238312037
success 1 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)
Time & API Arguments Status Return Repeated
1620897720.533036
RegSetValueExA
key_handle: 0x0000046c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620897720.533036
RegSetValueExA
key_handle: 0x0000046c
value: p<vWÝG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620897720.533036
RegSetValueExA
key_handle: 0x0000046c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620897720.533036
RegSetValueExW
key_handle: 0x0000046c
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620897720.533036
RegSetValueExA
key_handle: 0x00000484
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620897720.533036
RegSetValueExA
key_handle: 0x00000484
value: p<vWÝG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620897720.533036
RegSetValueExA
key_handle: 0x00000484
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620897720.580036
RegSetValueExW
key_handle: 0x00000468
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
1620897722.455036
RegSetValueExA
key_handle: 0x000004d4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620897722.455036
RegSetValueExA
key_handle: 0x000004d4
value: óXÝG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620897722.455036
RegSetValueExA
key_handle: 0x000004d4
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620897722.455036
RegSetValueExW
key_handle: 0x000004d4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620897722.455036
RegSetValueExA
key_handle: 0x000004c8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620897722.455036
RegSetValueExA
key_handle: 0x000004c8
value: óXÝG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620897722.455036
RegSetValueExA
key_handle: 0x000004c8
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
Network activity contains more than one unique useragent (2 个事件)
process c486af86439df50a50cc8d9595208a73.exe useragent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)youxi
process c486af86439df50a50cc8d9595208a73.exe useragent Mozila/4.0 (compatible; MSIE 5.0; SAFEBOX)
Generates some ICMP traffic
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2019-07-08 17:14:15

Imports

Library KERNEL32.dll:
0x56f124 SetPriorityClass
0x56f128 VerifyVersionInfoW
0x56f12c GetTimeFormatA
0x56f134 Process32FirstW
0x56f138 Process32NextW
0x56f13c GetModuleFileNameA
0x56f140 lstrcmpA
0x56f144 lstrcmpiA
0x56f148 WriteFile
0x56f14c GetFileTime
0x56f150 SetFileTime
0x56f15c CreateFileA
0x56f160 GetLocalTime
0x56f16c LoadLibraryExW
0x56f170 CreateMutexW
0x56f17c GetTempPathW
0x56f180 GlobalReAlloc
0x56f184 SetLastError
0x56f18c MulDiv
0x56f190 lstrcmpW
0x56f194 GetDiskFreeSpaceA
0x56f198 GetSystemDirectoryW
0x56f19c GetSystemInfo
0x56f1a0 IsDebuggerPresent
0x56f1a4 EncodePointer
0x56f1a8 FindResourceW
0x56f1ac CreateProcessW
0x56f1b0 GetFileSize
0x56f1b4 Sleep
0x56f1c0 SetThreadPriority
0x56f1c4 GetCurrentThreadId
0x56f1c8 GetCurrentThread
0x56f1d0 FreeLibrary
0x56f1d4 InterlockedExchange
0x56f1d8 VerSetConditionMask
0x56f1e0 MoveFileExW
0x56f1e4 CopyFileW
0x56f1e8 FindNextFileW
0x56f1ec FindFirstFileW
0x56f1f0 DeleteFileW
0x56f1f4 SetFileAttributesW
0x56f1f8 CreateFileW
0x56f1fc RemoveDirectoryW
0x56f200 CreateDirectoryW
0x56f204 GetDiskFreeSpaceExW
0x56f208 GetDriveTypeW
0x56f20c OutputDebugStringW
0x56f210 GetModuleHandleW
0x56f214 GetModuleFileNameW
0x56f21c GetTickCount
0x56f220 FindClose
0x56f224 WriteConsoleW
0x56f228 OutputDebugStringA
0x56f23c GetCommandLineW
0x56f240 GetCommandLineA
0x56f244 GetOEMCP
0x56f248 IsValidCodePage
0x56f24c FindNextFileA
0x56f250 FindFirstFileExA
0x56f25c FlushFileBuffers
0x56f260 SetStdHandle
0x56f264 GetFullPathNameA
0x56f268 GetFullPathNameW
0x56f274 EnumSystemLocalesW
0x56f278 GetUserDefaultLCID
0x56f27c IsValidLocale
0x56f280 GetTimeFormatW
0x56f284 GetDateFormatW
0x56f288 GetConsoleCP
0x56f28c ReadConsoleW
0x56f290 GetConsoleMode
0x56f298 ResumeThread
0x56f29c ExitThread
0x56f2a0 GetACP
0x56f2a4 GetStdHandle
0x56f2a8 PeekNamedPipe
0x56f2ac GetFileType
0x56f2b0 VirtualQuery
0x56f2b4 VirtualProtect
0x56f2bc FindFirstFileExW
0x56f2c4 DeviceIoControl
0x56f2c8 ReadFile
0x56f2d0 WaitForSingleObject
0x56f2d4 SuspendThread
0x56f2d8 TerminateThread
0x56f2dc CreateThread
0x56f2e0 TerminateProcess
0x56f2e4 GetCurrentProcessId
0x56f2e8 GetLongPathNameW
0x56f2ec GlobalUnlock
0x56f2f0 GlobalLock
0x56f2f4 GlobalAlloc
0x56f2f8 GetFileAttributesW
0x56f2fc WideCharToMultiByte
0x56f300 MultiByteToWideChar
0x56f304 GetVersionExW
0x56f308 LoadLibraryW
0x56f30c lstrcmpiW
0x56f310 CloseHandle
0x56f314 SizeofResource
0x56f318 LoadResource
0x56f31c GetCurrentProcess
0x56f320 OpenProcess
0x56f324 GetProcAddress
0x56f328 LockResource
0x56f32c lstrlenW
0x56f338 GetLastError
0x56f33c RaiseException
0x56f340 GetProcessHeap
0x56f344 HeapSize
0x56f348 HeapFree
0x56f34c HeapReAlloc
0x56f350 HeapAlloc
0x56f354 HeapDestroy
0x56f358 FindResourceExW
0x56f35c GetModuleHandleExW
0x56f360 ExitProcess
0x56f368 RtlUnwind
0x56f36c CreateSemaphoreW
0x56f370 ReleaseSemaphore
0x56f374 GetExitCodeThread
0x56f378 GlobalFree
0x56f384 GetExitCodeProcess
0x56f388 GetVersion
0x56f390 GetNativeSystemInfo
0x56f394 LocalFree
0x56f398 ReleaseMutex
0x56f39c OpenThread
0x56f3a0 HeapWalk
0x56f3a4 HeapUnlock
0x56f3a8 HeapLock
0x56f3ac SetFilePointerEx
0x56f3b0 SetEndOfFile
0x56f3b4 GetFileSizeEx
0x56f3c0 GetStartupInfoW
0x56f3cc InitializeSListHead
0x56f3e0 VirtualAlloc
0x56f3e4 VirtualFree
0x56f3e8 LoadLibraryExA
0x56f3ec GetStringTypeW
0x56f3f0 FormatMessageW
0x56f3f4 CreateEventW
0x56f3f8 SwitchToThread
0x56f3fc TlsAlloc
0x56f400 TlsGetValue
0x56f408 ResetEvent
0x56f40c SetEvent
0x56f410 GetCPInfo
0x56f414 GetLocaleInfoW
0x56f418 LCMapStringW
0x56f41c CompareStringW
0x56f424 TlsFree
0x56f428 TlsSetValue
0x56f42c DecodePointer
Library USER32.dll:
0x56f538 GetLastActivePopup
0x56f53c CreateWindowExW
0x56f548 EnumDisplayDevicesW
0x56f54c LoadStringW
0x56f550 SetWindowLongW
0x56f554 GetWindowTextW
0x56f558 UnregisterClassW
0x56f55c SetForegroundWindow
0x56f560 UpdateWindow
0x56f564 SetTimer
0x56f568 MessageBoxW
0x56f56c IsWindow
0x56f570 GetDesktopWindow
0x56f574 FindWindowExW
0x56f57c RegisterClassW
0x56f580 FindWindowW
0x56f584 PostQuitMessage
0x56f588 GetCapture
0x56f58c IsIconic
0x56f590 IsWindowVisible
0x56f594 ShowWindow
0x56f598 SendMessageW
0x56f59c ExitWindowsEx
0x56f5a0 GetParent
0x56f5a4 GetWindowRect
0x56f5a8 GetSystemMetrics
0x56f5ac EmptyClipboard
0x56f5b0 SetClipboardData
0x56f5b4 CloseClipboard
0x56f5b8 OpenClipboard
0x56f5bc GetForegroundWindow
0x56f5c0 PostMessageW
0x56f5c4 GetMessageW
0x56f5c8 TranslateMessage
0x56f5cc DispatchMessageW
0x56f5d0 PeekMessageW
0x56f5d4 DefWindowProcW
0x56f5d8 DestroyWindow
0x56f5dc CharNextW
0x56f5e0 UpdateLayeredWindow
0x56f5e4 GetKeyState
0x56f5e8 AdjustWindowRectEx
0x56f5ec IsWindowUnicode
0x56f5f0 GetMonitorInfoW
0x56f5f4 MonitorFromWindow
0x56f5f8 GetClassLongW
0x56f5fc MapWindowPoints
0x56f604 IsZoomed
0x56f608 GetIconInfo
0x56f60c GetDlgItemTextW
0x56f610 SetCursor
0x56f614 GetCursorPos
0x56f618 DestroyCursor
0x56f620 DestroyIcon
0x56f624 LoadImageW
0x56f628 SetWindowPos
0x56f630 CallWindowProcW
0x56f634 LoadIconW
0x56f638 EndDialog
0x56f63c IsDialogMessageW
0x56f640 LoadCursorW
0x56f644 GetWindow
0x56f648 GetClassNameW
0x56f64c GetWindowLongW
0x56f650 FillRect
0x56f654 GetSysColor
0x56f658 ScreenToClient
0x56f65c ClientToScreen
0x56f660 GetClientRect
0x56f664 SetWindowTextW
0x56f668 RedrawWindow
0x56f66c InvalidateRgn
0x56f670 InvalidateRect
0x56f674 EndPaint
0x56f678 BeginPaint
0x56f67c ReleaseDC
0x56f680 GetDC
0x56f68c ReleaseCapture
0x56f690 SetCapture
0x56f694 GetFocus
0x56f698 SetFocus
0x56f69c GetDlgItem
0x56f6a0 MoveWindow
0x56f6a4 IsChild
0x56f6a8 GetClassInfoExW
0x56f6ac RegisterClassExW
0x56f6b0 CreateIconIndirect
Library GDI32.dll:
0x56f078 BitBlt
0x56f07c GetStockObject
0x56f080 CreateFontIndirectW
0x56f084 GetObjectW
0x56f088 SetDIBColorTable
0x56f08c CreateDIBSection
0x56f090 SelectObject
0x56f094 DeleteObject
0x56f098 DeleteDC
0x56f09c CreateCompatibleDC
0x56f0a0 CreateBitmap
0x56f0a4 CreateDIBitmap
0x56f0a8 GetDIBits
0x56f0ac CreateDCW
0x56f0b0 CreateICW
0x56f0b4 CreatePen
0x56f0b8 CreateRectRgn
0x56f0bc GetDeviceCaps
0x56f0c0 Ellipse
0x56f0c4 GetClipBox
0x56f0c8 GetClipRgn
0x56f0cc GetTextExtentPointW
0x56f0d0 GetViewportOrgEx
0x56f0d4 LineTo
0x56f0d8 PatBlt
0x56f0dc RectVisible
0x56f0e0 RoundRect
0x56f0e4 OffsetViewportOrgEx
0x56f0e8 ExtSelectClipRgn
0x56f0ec SetBkMode
0x56f0f0 SetTextColor
0x56f0f4 SetTextAlign
0x56f0f8 MoveToEx
0x56f0fc ExtTextOutW
0x56f100 DPtoLP
0x56f104 LPtoDP
0x56f108 SetWindowOrgEx
0x56f10c ExcludeClipRect
0x56f110 SetViewportOrgEx
0x56f114 CreateSolidBrush
0x56f11c SelectClipRgn
Library COMDLG32.dll:
0x56f060 GetSaveFileNameW
0x56f064 GetOpenFileNameW
Library ADVAPI32.dll:
0x56f000 RegDeleteKeyW
0x56f004 RegQueryInfoKeyW
0x56f008 OpenThreadToken
0x56f00c ImpersonateSelf
0x56f010 RegSetValueExW
0x56f014 RegSaveKeyW
0x56f018 RegRestoreKeyW
0x56f01c RegQueryValueExW
0x56f020 RegOpenKeyExW
0x56f024 RegEnumKeyExW
0x56f028 RegDeleteValueW
0x56f02c RegQueryValueExA
0x56f030 RegCreateKeyExW
0x56f034 RegCloseKey
0x56f038 DuplicateTokenEx
0x56f044 GetSidSubAuthority
0x56f04c GetTokenInformation
0x56f050 OpenProcessToken
Library SHELL32.dll:
0x56f4a4 SHBrowseForFolderW
0x56f4a8
0x56f4b0 ShellExecuteW
0x56f4b4 SHFileOperationW
0x56f4b8
0x56f4bc Shell_NotifyIconW
0x56f4c4 ShellExecuteExW
Library ole32.dll:
0x56f778 CoUninitialize
0x56f77c CoCreateGuid
0x56f780 CoCreateInstance
0x56f784 CoInitializeEx
0x56f790 OleLockRunning
0x56f794 OleUninitialize
0x56f798 OleInitialize
0x56f79c StringFromGUID2
0x56f7a0 CLSIDFromProgID
0x56f7a4 CLSIDFromString
0x56f7a8 CoGetClassObject
0x56f7ac CoTaskMemFree
0x56f7b0 CoTaskMemRealloc
0x56f7b4 CoTaskMemAlloc
0x56f7b8 CoSetProxyBlanket
0x56f7bc CoInitialize
Library OLEAUT32.dll:
0x56f43c DispCallFunc
0x56f440 LoadRegTypeLib
0x56f444 LoadTypeLib
0x56f448 SysStringLen
0x56f44c SysAllocStringLen
0x56f450 VarUI4FromStr
0x56f458 SysAllocString
0x56f45c VariantClear
0x56f460 VariantInit
0x56f464 GetErrorInfo
0x56f468 VariantChangeType
0x56f46c SetErrorInfo
0x56f470 CreateErrorInfo
0x56f474 SysStringByteLen
0x56f478 VarBstrCmp
0x56f47c SysFreeString
Library SHLWAPI.dll:
0x56f4cc PathMatchSpecW
0x56f4d0 PathFileExistsW
0x56f4d4 UrlUnescapeW
0x56f4d8 SHGetValueW
0x56f4dc StrCmpNIW
0x56f4e0 StrStrW
0x56f4e4 StrStrIW
0x56f4e8 StrCmpIW
0x56f4ec PathAddBackslashW
0x56f4f0 PathAppendW
0x56f4f4 PathBuildRootW
0x56f4f8 PathCanonicalizeW
0x56f4fc PathCombineW
0x56f500 PathFindExtensionW
0x56f504 PathGetDriveNumberW
0x56f508 PathIsDirectoryW
0x56f50c PathIsRootW
0x56f510 SHSetValueW
0x56f518 PathRemoveFileSpecW
0x56f51c PathRemoveFileSpecA
0x56f520 PathIsUNCW
0x56f524 PathIsNetworkPathW
0x56f528 StrToIntExW
0x56f52c SHGetValueA
Library WININET.dll:
0x56f6c8 InternetOpenW
0x56f6d0 InternetCrackUrlW
0x56f6d4 InternetOpenUrlW
0x56f6d8 InternetConnectW
0x56f6dc HttpQueryInfoW
0x56f6e0 HttpSendRequestW
0x56f6e4 HttpOpenRequestW
0x56f6e8 InternetSetOptionW
0x56f6f4 InternetReadFile
0x56f6f8 InternetCloseHandle
Library COMCTL32.dll:
Library gdiplus.dll:
0x56f714 GdipSaveImageToFile
0x56f718 GdipBitmapGetPixel
0x56f71c GdipAlloc
0x56f720 GdipFree
0x56f728 GdiplusShutdown
0x56f72c GdipCloneImage
0x56f730 GdipDisposeImage
0x56f738 GdipGetImageWidth
0x56f73c GdipGetImageHeight
0x56f744 GdipGetImagePalette
0x56f74c GdiplusStartup
0x56f750 GdipDrawImageI
0x56f764 GdipBitmapLockBits
0x56f76c GdipDeleteGraphics
Library VERSION.dll:
0x56f6b8 GetFileVersionInfoW
0x56f6bc VerQueryValueW
Library PSAPI.DLL:
0x56f488 EnumProcessModules
0x56f490 EnumProcesses
Library RPCRT4.dll:
0x56f498 RpcStringFreeW
0x56f49c UuidToStringW
Library urlmon.dll:
Library NETAPI32.dll:
0x56f434 Netbios
Library WINTRUST.dll:
0x56f704 WinVerifyTrust
Library CRYPT32.dll:
0x56f06c CertGetNameStringW

Hosts

No hosts contacted.

DNS

Name Response Post-Analysis Lookup
gametool.down.360-g.net CNAME dl.360qhcdn.com
A 124.225.165.196
CNAME gametool.down.360-g.net.qh-cdn.com
A 124.225.165.197 		124.225.165.196
time.windows.com A 20.189.79.72
CNAME time.microsoft.akadns.net
hubstat.hz.sandai.net CNAME cnchubstat.sandai.net
CNAME hubstat.sandai.net
A 140.206.225.232
A 140.206.225.136 		140.206.225.232
dns.msftncsi.com A 131.107.255.255 131.107.255.255
hub5pn.hz.sandai.net A 182.140.250.17
CNAME tel.hub5pn.sandai.net
A 116.207.97.31
A 27.159.72.37
CNAME hub5pn.sandai.net
A 180.153.91.43
A 119.147.185.88
A 119.147.185.89
A 180.153.91.41
A 124.236.22.48
A 123.161.62.171
A 123.161.62.170
A 116.207.97.34
A 182.140.250.18
A 180.153.91.44
A 124.236.22.47
A 180.153.91.42
A 119.147.185.87 		182.140.250.17
pmap.hz.sandai.net A 47.97.7.140 47.97.7.140
score.phub.hz.sandai.net A 127.0.0.1 127.0.0.1
relay.phub.hz.sandai.net A 127.0.0.1 127.0.0.1
imhub5pr.hz.sandai.net A 127.0.0.1 127.0.0.1
r.yx-s.net A 36.110.234.164 36.110.234.164
hub5pr.hz.sandai.net A 180.163.202.21
CNAME telhub5pr.sandai.net
A 180.163.202.118
A 180.163.202.9
CNAME hub5pr.sandai.net
A 180.163.202.111
A 180.163.202.66
A 180.163.202.114 		180.163.202.21
hub5c.hz.sandai.net A 180.163.54.25
CNAME telidx.m.hub.sandai.net
A 59.36.92.91
A 180.163.54.121
A 59.36.92.79
A 59.36.92.77
CNAME telhub5t.sandai.net
A 180.163.54.67
CNAME hub4t.sandai.net 		180.163.54.121
dns.msftncsi.com AAAA fd3e:4f5a:5b81::1 131.107.255.255
gametool.down.yx-g.com CNAME dl.360qhcdn.com
CNAME gametool.down.yx-g.com.qh-cdn.com
A 124.225.165.196
A 124.225.165.197 		124.225.165.197
hub5u.hz.sandai.net CNAME telhub5u.sandai.net
A 180.163.202.3
CNAME hub5u.sandai.net
A 180.163.202.93
A 180.163.202.43 		180.163.202.93
hub5pnc.hz.sandai.net A 47.92.99.221
CNAME hub5pnc.sandai.net
CNAME tel.hub5pnc.sandai.net
A 47.92.100.53 		47.92.100.53
teredo.ipv6.microsoft.com

TCP

Source Source Port Destination Destination Port
192.168.56.101 49186 124.225.165.196 gametool.down.yx-g.com 80
192.168.56.101 49194 124.225.165.196 gametool.down.yx-g.com 80
192.168.56.101 49190 124.225.165.197 gametool.down.yx-g.com 80
192.168.56.101 49198 140.206.225.136 hubstat.hz.sandai.net 80
192.168.56.101 49191 180.163.202.114 hub5pr.hz.sandai.net 80
192.168.56.101 49187 180.163.54.121 hub5c.hz.sandai.net 80
192.168.56.101 49179 36.110.234.164 r.yx-s.net 80
192.168.56.101 49188 47.97.7.140 pmap.hz.sandai.net 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60222 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 12312 119.147.185.88 hub5pn.hz.sandai.net 8000
192.168.56.101 12312 123.161.62.171 hub5pn.hz.sandai.net 8000
192.168.56.101 12312 180.163.202.93 hub5u.hz.sandai.net 8000
192.168.56.101 54180 192.168.56.1 1900
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123

HTTP & HTTPS Requests

URI Data
http://gametool.down.yx-g.com/gametool/lyyx/gjol/623800036/DL.ini 
GET /gametool/lyyx/gjol/623800036/DL.ini HTTP/1.1
Accept: */*
User-Agent: Mozila/4.0 (compatible; MSIE 5.0; SAFEBOX)
Host: gametool.down.yx-g.com
Cache-Control: no-cache
http://47.97.7.140:80/ 
POST / HTTP/1.1
Host: 47.97.7.140:80
Content-type: application/octet-stream
Content-Length: 92
Connection: Keep-Alive

@\x00\x00\x00\x03\x00\x00\x00P\x00\x00\x00\xbb\xcf\xe8aV\xf5\x1eJ\xd3\xad\x8e\xd6\x9e\xff\x01\xe5(\xfd\x82\x10\xbb\x98\x0f\xef\x8e\x1dR\xa9\xf8Es
\x96\xc8\xb8\x15\xf6\xd3\xc2\x1a6\xa5Hn\xe4\xca-?\x0cjq\x87\xef\x91\xfc\xeb\xf6\xdd\xb7\xe1\x81\xc3\x1cs\x14\xa8b\xb3\xa9\x89m\xdb\x1b%\xc3\xfdS\x19\xaa\xff
http://gametool.down.yx-g.com/gametool/lyyx/gjol/default/DL.ini 
GET /gametool/lyyx/gjol/default/DL.ini HTTP/1.1
Accept: */*
User-Agent: Mozila/4.0 (compatible; MSIE 5.0; SAFEBOX)
Host: gametool.down.yx-g.com
Cache-Control: no-cache
http://r.yx-s.net/b/duan/s/ginstall/?user_from=414100000177&user_channel=623800036&user_subsite=238036&mid=2d5bac7481e6a281dd071007abc25283&status=7&gkey=gjol&ver=1.0.0.1001&first_time= 
GET /b/duan/s/ginstall/?user_from=414100000177&user_channel=623800036&user_subsite=238036&mid=2d5bac7481e6a281dd071007abc25283&status=7&gkey=gjol&ver=1.0.0.1001&first_time= HTTP/1.1
Accept: Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)youxi
Host: r.yx-s.net
Cache-Control: no-cache
http://180.163.202.114:80/ 
POST / HTTP/1.1
Host: 180.163.202.114:80
Content-type: application/octet-stream
Content-Length: 44
Connection: Keep-Alive

A\x00\x00\x00\x05\x00\x00\x00 \x00\x00\x00\x96\xff=\xc2v?\xfabmg\x91\xd8Ex\x02\xacT\x15\xe7\xae\xe9\xb49\x1f\xce\x8c\x93\x11Z\x97\xc9\x15
http://180.163.54.121:80/ 
POST / HTTP/1.1
Host: 180.163.54.121:80
Content-type: application/octet-stream
Content-Length: 204
Connection: Keep-Alive

=\x00\x00\x00\x01\x00\x00\x00\xc0\x00\x00\x00\xc6
\x95\x0b\xb9~\xe0\xa6\xc8W;
\xa62<\x165\xc2\xc3\xe5H\x17\x83\xa6K\xe7\xfa\x1c>\xef\x15\xa7\xe8\xac\xe3\x1e\x87\xe95\xd3\x0b\xbb\xc8\xc0 -\x92\xa7\x82\xba\x9f~\x06\xdbFK\x86\xa9P\x17\x11\x12\x01\xe0\\xda\xc5\x94\x16\xfd\xe4\xdfY\x96Gt\x94\xea\xa4\xa9\x01{W\x17\xea\xd2\xd4Lp{\xf7\xd0\xce!Vk\x80\xa6`\x0b\x8c
\xaa\xc1\xddJ\x86\xa8\xa0\xf4\x08t\x96\xcb\x16\xdfq!1\x9f1d\xd9\xdc\x0e\xf2\xb2\xd4\xb8\xeaw\xf6\xe6G\xb2)\x006\xb4\x87<\xddB\xc4=+\xb0t\x84t:w7\x01\x930|\x9b\x0f\x97\xa3i\xd6\xab\xfb\xdd=\xf43\x0b9EX*\xb6\x9fc>\x92\xeb\x10\xf8c\x0e?\xea\xea\x10\x13\x83N\xf5
http://gametool.down.360-g.net/gametool/lyyx/gjol/623800036/DL.ini 
GET /gametool/lyyx/gjol/623800036/DL.ini HTTP/1.1
Accept: */*
User-Agent: Mozila/4.0 (compatible; MSIE 5.0; SAFEBOX)
Host: gametool.down.360-g.net
Cache-Control: no-cache
http://140.206.225.136:80/ 
POST / HTTP/1.1
Host: 140.206.225.136:80
Content-type: application/octet-stream
Content-Length: 108
Connection: Keep-Alive

<\x00\x00\x00\x0b\x00\x00\x00`\x00\x00\x00\xde\xbbEH\x8d\x13\xee\xedm\x06\xc5\x84\xa2\x00&I\xc2\x1a\xe0@\x11b\xd4\xa1|\xc7\xe0O'\xaf\xb7\x99\x9f\xd1\xc8\x18\x12\xef\xcc\xea\xdc\xdf\x8b\x1b\xa3\x0b\x0e\x04iA\xd7.\xd7\x16\xef\xd9e\xa92R\xc2\xec<\xa5(Uz\x83\xe3\x9f\xcaa\xae\xd24:
\x0bk@\x0e\x9b\xd6z\xd2\x12\xe67\x01\xea\xb76\x0f\xdb\x8a\x06

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.