9.6
Critical

6b25227c246abb03fc8727d3f273e7c385bfc5d0b4e2954fe56d69db1233a80e

ca363dbf850e4cca22b5f0956af1e319.exe

Analysis duration

99s

Last analyzed

File size

4.5MB
Flagged by static analysis. Flagged by dynamic analysis.
Hawkeye engine
Not detected: no Hawkeye engine result available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee GenericRXAA-AA!CA363DBF850E 20200215 6.0.6.653
Alibaba 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Tencent 20200215 1.0.0.1
Kingsoft 20200215 2013.8.14.323
Avast Win32:Malware-gen 20200215 18.4.3895.0
CrowdStrike win/malicious_confidence_80% (D) 20190702 1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1621007021.020374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
The file contains an unknown PE resource name possibly indicative of a packer (4 events)
resource name DL
resource name PLUGIN
resource name PNG
resource name ZIP
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)
suspicious_features GET method with no useragent header suspicious_request GET http://api.pcsoft.jshhdian.com/cgi/PCSoftInfo.ashx/pcsoft/getentity?id=
suspicious_features GET method with no useragent header suspicious_request GET http://api.yb.jshhdian.com/open/rili/ip.json?ip=192.168.137.1
suspicious_features GET method with no useragent header suspicious_request GET http://eoud.dgygpx.com/Install/image/52kzip.ico
suspicious_features GET method with no useragent header suspicious_request GET http://ymte.sgdebao.com/yxh/img/2345.png
suspicious_features GET method with no useragent header suspicious_request GET http://eoud.dgygpx.com/yxh/img/shoujimnds.ico
suspicious_features GET method with no useragent header suspicious_request GET http://eoud.dgygpx.com/Install/image/easynote.ico
suspicious_features GET method with no useragent header suspicious_request GET http://poik.kxyw123.com/yxh/img/qqyx.ico
suspicious_features GET method with no useragent header suspicious_request GET http://eoud.dgygpx.com/Install/image/mofangmt.ico
Performs some HTTP requests (34 events)
Foreign language identified in PE resource (50 out of 100 events)
name DL language LANG_CHINESE offset 0x001b0e5c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00055200
name PLUGIN language LANG_CHINESE offset 0x00285730 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0001e8ba
name PNG language LANG_CHINESE offset 0x002d86b0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000167a
name ZIP language LANG_CHINESE offset 0x0059118c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000016d1
name RT_CURSOR language LANG_CHINESE offset 0x005939ec filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000134
Executes one or more WMI queries (1 event)
wmi select * from Win32_DiskDrive
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1621007023.145374
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.838588052320379 section {'size_of_data': '0x0046cc00', 'virtual_address': '0x00169000', 'entropy': 7.838588052320379, 'name': 'UPX1', 'virtual_size': '0x0046d000'} description A section with a high entropy has been found
entropy 0.9875762859633828 description Overall entropy of this PE file is high
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 162 events)
Time & API Arguments Status Return Repeated
1621007031.223374
Process32NextW
process_name: WmiPrvSE.exe
snapshot_handle: 0x00000480
process_identifier: 2712
failed 0 0
Queries for potentially installed applications (30 events)
Time & API Arguments Status Return Repeated
1621007031.208374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\k52zip
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\k52zip
options: 0
failed 2 0
1621007031.208374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\k52zip
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\k52zip
options: 0
failed 2 0
1621007031.208374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\k52zip
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\k52zip
options: 0
failed 2 0
1621007031.208374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\k52zip
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\k52zip
options: 0
failed 2 0
1621007031.208374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\k52zip
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\k52zip
options: 0
failed 2 0
1621007032.395374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
options: 0
failed 2 0
1621007032.395374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
options: 0
failed 2 0
1621007032.395374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
options: 0
failed 2 0
1621007032.395374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
options: 0
failed 2 0
1621007034.067374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\LDSGameMaster
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\LDSGameMaster
options: 0
failed 2 0
1621007034.067374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\LDSGameMaster
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\LDSGameMaster
options: 0
failed 2 0
1621007034.067374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\LDSGameMaster
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\LDSGameMaster
options: 0
failed 2 0
1621007034.067374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\LDSGameMaster
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\LDSGameMaster
options: 0
failed 2 0
1621007035.036374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyNotebook
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyNotebook
options: 0
failed 2 0
1621007035.036374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyNotebook
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyNotebook
options: 0
failed 2 0
1621007035.036374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyNotebook
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyNotebook
options: 0
failed 2 0
1621007035.036374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyNotebook
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyNotebook
options: 0
failed 2 0
1621007038.114374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Rubik Picture
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Rubik Picture
options: 0
failed 2 0
1621007038.114374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Rubik Picture
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Rubik Picture
options: 0
failed 2 0
1621007038.114374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Rubik Picture
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Rubik Picture
options: 0
failed 2 0
1621007038.114374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Rubik Picture
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Rubik Picture
options: 0
failed 2 0
1621007038.114374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Rubik Picture
regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Rubik Picture
options: 0
failed 2 0
1621007038.833374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\焦糖壁纸
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\焦糖壁纸
options: 0
failed 2 0
1621007038.833374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\焦糖壁纸
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\焦糖壁纸
options: 0
failed 2 0
1621007038.833374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\焦糖壁纸
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\焦糖壁纸
options: 0
failed 2 0
1621007038.848374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\焦糖壁纸
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\焦糖壁纸
options: 0
failed 2 0
1621007038.942374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPStream
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PPStream
options: 0
failed 2 0
1621007038.942374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPStream
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PPStream
options: 0
failed 2 0
1621007038.942374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPStream
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PPStream
options: 0
failed 2 0
1621007038.942374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPStream
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PPStream
options: 0
failed 2 0
The executable is compressed using UPX (2 events)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 events)
Time & API Arguments Status Return Repeated
1621007025.723374
RegSetValueExA
key_handle: 0x00000440
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1621007025.723374
RegSetValueExA
key_handle: 0x00000440
value: À]m¨H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1621007025.723374
RegSetValueExA
key_handle: 0x00000440
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1621007025.723374
RegSetValueExW
key_handle: 0x00000440
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1621007025.723374
RegSetValueExA
key_handle: 0x00000458
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1621007025.723374
RegSetValueExA
key_handle: 0x00000458
value: À]m¨H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1621007025.739374
RegSetValueExA
key_handle: 0x00000458
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1621007025.786374
RegSetValueExW
key_handle: 0x0000043c
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
1621007026.395374
RegSetValueExA
key_handle: 0x000004a8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1621007026.395374
RegSetValueExA
key_handle: 0x000004a8
value: °rÃm¨H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1621007026.395374
RegSetValueExA
key_handle: 0x000004a8
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1621007026.395374
RegSetValueExW
key_handle: 0x000004a8
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1621007026.395374
RegSetValueExA
key_handle: 0x000004ac
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1621007026.395374
RegSetValueExA
key_handle: 0x000004ac
value: °rÃm¨H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1621007026.395374
RegSetValueExA
key_handle: 0x000004ac
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
Network activity contains more than one unique useragent (4 events)
process ca363dbf850e4cca22b5f0956af1e319.exe useragent
process ca363dbf850e4cca22b5f0956af1e319.exe useragent ca363dbf850e4cca22b5f0956af1e319
process ca363dbf850e4cca22b5f0956af1e319.exe useragent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
process ca363dbf850e4cca22b5f0956af1e319.exe useragent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Generates some ICMP traffic
File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)
MicroWorld-eScan Trojan.GenericKD.42284019
FireEye Generic.mg.ca363dbf850e4cca
CAT-QuickHeal PUA.IgenericRI.S10596407
McAfee GenericRXAA-AA!CA363DBF850E
Zillya Tool.YouXun.Win32.803
K7AntiVirus Riskware ( 0050b49d1 )
K7GW Riskware ( 0050b49d1 )
Cybereason malicious.9a5451
Arcabit Trojan.Generic.D28533F3
BitDefenderTheta Gen:NN.ZexaF.34090.@pLfaqRCqwnj
F-Prot W32/S-d8efc1c1!Eldorado
APEX Malicious
Kaspersky not-a-virus:HEUR:Downloader.Win32.YXdown.pef
BitDefender Trojan.GenericKD.42284019
Endgame malicious (moderate confidence)
F-Secure PrivacyRisk.SPR/GameTool.Gen8
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.BadFile.rc
Trapmine suspicious.low.ml.score
Emsisoft Trojan.GenericKD.42284019 (B)
SentinelOne DFI - Malicious PE
Cyren W32/S-d8efc1c1!Eldorado
Jiangmin Downloader.YXdown.bz
Avira SPR/GameTool.Gen8
eGambit Unsafe.AI_Score_99%
Antiy-AVL RiskWare[Downloader]/Win32.YXdown
Microsoft Trojan:Win32/Wacatac.D!ml
ZoneAlarm not-a-virus:HEUR:Downloader.Win32.YXdown.pef
GData Trojan.GenericKD.42284019
AhnLab-V3 Malware/Win32.Generic.C3974891
ALYac Trojan.GenericKD.42284019
MAX malware (ai score=81)
VBA32 Downloader.YXdown
Malwarebytes RiskWare.YouXun
ESET-NOD32 a variant of Win32/RiskWare.YouXun.H
Rising Adware.Downloader!1.B962 (RDMK:cmRtazqNJNepVcp8MfFXEqb69QTV)
Yandex PUA.Downloader!
Ikarus PUA.RiskWare.Youxun
MaxSecure Trojan.Malware.74721109.susgen
Fortinet W32/GenericKD.32784984!tr
Ad-Aware Trojan.GenericKD.42284019
AVG Win32:Malware-gen
Avast Win32:Malware-gen
CrowdStrike win/malicious_confidence_80% (D)
Qihoo-360 HEUR/QVM11.1.45E3.Malware.Gen
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 172.217.27.142:443
dead_host 172.217.24.14:443
Visual Analysis
Binary Image
No binary image: no binary visualization image was generated for this sample
Runtime Screenshots
No runtime screenshots: no screenshots were captured while this sample was running


PE Compile Time

2020-01-06 15:21:06

Imports

Library ADVAPI32.dll:
0x9e3fd8 RegEnumKeyW
Library COMCTL32.dll:
0x9e3fe0 _TrackMouseEvent
Library COMDLG32.dll:
0x9e3fe8 GetFileTitleW
Library dbghelp.dll:
0x9e3ff0 MiniDumpWriteDump
Library GDI32.dll:
0x9e3ff8 Escape
Library gdiplus.dll:
0x9e4000 GdipFree
Library IPHLPAPI.DLL:
0x9e4008 IcmpSendEcho
Library KERNEL32.DLL:
0x9e4010 LoadLibraryA
0x9e4014 ExitProcess
0x9e4018 GetProcAddress
0x9e401c VirtualProtect
Library NETAPI32.dll:
0x9e4024 Netbios
Library ole32.dll:
0x9e402c CoInitialize
Library OLEAUT32.dll:
Library oledlg.dll:
0x9e403c OleUIBusyW
Library PSAPI.DLL:
0x9e4044 EnumProcesses
Library SHELL32.dll:
0x9e404c ExtractIconW
Library SHLWAPI.dll:
0x9e4054 StrCpyW
Library snmpapi.dll:
0x9e405c SnmpUtilOidCpy
Library urlmon.dll:
0x9e4064 URLDownloadToFileW
Library USER32.dll:
0x9e406c GetDC
Library VERSION.dll:
0x9e4074 VerQueryValueW
Library WININET.dll:
0x9e407c InternetOpenW

Hosts

No hosts contacted.

DNS

Name | Response | Post-Analysis Lookup
eoud.dgygpx.com | A 5.135.158.234 | 5.135.158.234
time.windows.com | A 20.189.79.72, CNAME time.microsoft.akadns.net |
ocsp2.globalsign.com | A 104.18.21.226, CNAME global.prd.cdn.globalsign.com, CNAME cdn.globalsigncdn.com.cdn.cloudflare.net, A 104.18.20.226 | 104.18.20.226
s13.cnzz.com | A 111.123.48.219, CNAME all.cnzz.com.danuoyi.tbcache.com, CNAME c.cnzz.com | 111.123.48.219
ymte.sgdebao.com | CNAME box64.yxdown.cn, A 111.177.11.118, A 111.177.11.115 | 111.177.11.118
dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255
dw.jshhdian.com | A 101.32.206.74 | 101.32.206.74
api.yb.jshhdian.com | A 101.32.206.74 | 101.32.206.74
c.cnzz.com | A 111.123.48.219, CNAME all.cnzz.com.danuoyi.tbcache.com | 111.123.48.219
ocsp.globalsign.com | A 104.18.21.226, CNAME global.prd.cdn.globalsign.com, CNAME cdn.globalsigncdn.com.cdn.cloudflare.net, A 104.18.20.226 | 104.18.21.226
api.pcsoft.70gj.cn | A 101.32.206.74 | 101.32.206.74
www.baidu.com | CNAME www.a.shifen.com, A 14.215.177.39, A 14.215.177.38 | 14.215.177.39
dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255
clients2.google.com | CNAME clients.l.google.com, A 172.217.27.142 | 172.217.27.142
api.pcsoft.jshhdian.com | A 101.32.206.74 | 101.32.206.74
ggstats.yb.jshhdian.com | A 101.32.206.74 | 101.32.206.74
z7.cnzz.com | A 203.119.206.97, CNAME z.cnzz.com, CNAME z.gds.cnzz.com, A 203.119.129.115 | 203.119.213.181
cnzz.mmstat.com | A 106.11.251.77, CNAME gm.gds.mmstat.com, CNAME gm.mmstat.com | 106.11.251.77
poik.kxyw123.com | CNAME box64.yxdown.cn, A 111.177.11.118, A 111.177.11.115 | 111.177.11.115
teredo.ipv6.microsoft.com | (no response) |

TCP

Source | Source Port | Destination IP | Destination Host | Destination Port
192.168.56.101 49178 101.32.206.74 ggstats.yb.jshhdian.com 80
192.168.56.101 49179 101.32.206.74 ggstats.yb.jshhdian.com 80
192.168.56.101 49180 101.32.206.74 ggstats.yb.jshhdian.com 80
192.168.56.101 49185 101.32.206.74 ggstats.yb.jshhdian.com 80
192.168.56.101 49186 101.32.206.74 ggstats.yb.jshhdian.com 80
192.168.56.101 49190 104.18.21.226 ocsp.globalsign.com 80
192.168.56.101 49191 104.18.21.226 ocsp.globalsign.com 80
192.168.56.101 49196 106.11.251.77 cnzz.mmstat.com 443
192.168.56.101 49189 111.123.48.219 c.cnzz.com 443
192.168.56.101 49194 111.123.48.219 c.cnzz.com 443
192.168.56.101 49181 111.177.11.118 poik.kxyw123.com 80
192.168.56.101 49183 111.177.11.118 poik.kxyw123.com 80
192.168.56.101 49195 203.119.206.97 z7.cnzz.com 443
192.168.56.101 49182 5.135.158.234 eoud.dgygpx.com 80

UDP

Source | Source Port | Destination IP | Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60222 114.114.114.114 53
192.168.56.101 60911 114.114.114.114 53
192.168.56.101 61522 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63497 114.114.114.114 53

HTTP & HTTPS Requests

URI Data
http://ymte.sgdebao.com/yxh/navico/baidu.png
GET /yxh/navico/baidu.png HTTP/1.1
User-Agent: ca363dbf850e4cca22b5f0956af1e319
Host: ymte.sgdebao.com
Connection: Keep-Alive

http://ymte.sgdebao.com/yxh/navico/wangzdh.png
GET /yxh/navico/wangzdh.png HTTP/1.1
User-Agent: ca363dbf850e4cca22b5f0956af1e319
Host: ymte.sgdebao.com
Connection: Keep-Alive

http://ymte.sgdebao.com/yxh/navico/37_1_0707.png
GET /yxh/navico/37_1_0707.png HTTP/1.1
User-Agent: ca363dbf850e4cca22b5f0956af1e319
Host: ymte.sgdebao.com
Connection: Keep-Alive

http://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDA13SoKc5le3RU4hzQ%3D%3D
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDA13SoKc5le3RU4hzQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com

http://poik.kxyw123.com/yxh/img/qqyx.ico
GET /yxh/img/qqyx.ico HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: poik.kxyw123.com
Connection: Keep-Alive
Cache-Control: no-cache

http://ymte.sgdebao.com/yxh/navico/jdmiaos.png
GET /yxh/navico/jdmiaos.png HTTP/1.1
User-Agent: ca363dbf850e4cca22b5f0956af1e319
Host: ymte.sgdebao.com
Connection: Keep-Alive

http://ymte.sgdebao.com/yxh/img/2345.png
GET /yxh/img/2345.png HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ymte.sgdebao.com
Connection: Keep-Alive
Cache-Control: no-cache

http://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDDSk20WxFnlwLi3iMg%3D%3D
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDDSk20WxFnlwLi3iMg%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com

http://ymte.sgdebao.com/yxh/navico/jd.png
GET /yxh/navico/jd.png HTTP/1.1
User-Agent: ca363dbf850e4cca22b5f0956af1e319
Host: ymte.sgdebao.com
Connection: Keep-Alive

http://api.pcsoft.jshhdian.com/cgi/PCSoftInfo.ashx/pcsoft/getentity?id=
GET /cgi/PCSoftInfo.ashx/pcsoft/getentity?id= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.pcsoft.jshhdian.com
Connection: Keep-Alive
Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.