3.2
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.68
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20200409 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Kryptik.my | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200410 | 2013.8.14.323 |
| McAfee | Upatre-FACH!CFDA50F0468E | 20200410 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b4c6b5 | 20200410 | 1.0.0.1 |
静态指标
查询计算机名称
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545316.515375 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
|
1727545316.796875 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
检查进程是否被调试器调试
(2 个事件)
动态指标
连接到动态 DNS 域
(1 个事件)
| domain | checkip.dyndns.org |
分配可读-可写-可执行内存(通常用于自解压)
(2 个事件)
查找外部 IP 地址
(1 个事件)
| domain | checkip.dyndns.org |
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\cadvahin.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\cadvahin.exe |
网络通信
与未执行 DNS 查询的主机进行通信
(4 个事件)
| host | 114.114.114.114 | |||
| host | 176.36.251.208 | |||
| host | 67.221.195.6 | |||
| host | 69.163.81.211 | |||
生成一些 ICMP 流量
文件已被 VirusTotal 上 61 个反病毒引擎识别为恶意
(50 out of 61 个事件)
| ALYac | Gen:Trojan.Ipatre.1 |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Gen:Trojan.Ipatre.1 |
| AhnLab-V3 | Trojan/Win32.Upatre.R160586 |
| Antiy-AVL | Trojan[Downloader]/Win32.Upatre.ehbg |
| Arcabit | Trojan.Ipatre.1 |
| Avast | Win32:Malware-gen |
| Avira | TR/Dldr.Upatre.NK |
| Baidu | Win32.Trojan.Kryptik.my |
| BitDefender | Gen:Trojan.Ipatre.1 |
| BitDefenderTheta | Gen:NN.ZexaF.34106.cu1@aS9CqnaG |
| CAT-QuickHeal | Trojan.Kadena.B4 |
| ClamAV | Win.Downloader.Upatre-5744092-0 |
| Comodo | TrojWare.Win32.TrojanDownloader.Upatre.BLM@5tms2h |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.0468e7 |
| Cylance | Unsafe |
| Cyren | W32/Upatre.CJ.gen!Eldorado |
| DrWeb | Trojan.Upatre.6791 |
| ESET-NOD32 | a variant of Win32/Kryptik.DRXQ |
| Emsisoft | Gen:Trojan.Ipatre.1 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Upatre.CJ.gen!Eldorado |
| F-Secure | Trojan.TR/Dldr.Upatre.NK |
| FireEye | Generic.mg.cfda50f0468e7451 |
| Fortinet | W32/Kryptic.ABGK!tr |
| GData | Win32.Trojan.Kryptik.CI |
| Ikarus | Trojan.Upatre |
| Invincea | heuristic |
| Jiangmin | TrojanDownloader.Upatre.ruf |
| K7AntiVirus | Trojan ( 004c9c831 ) |
| K7GW | Trojan ( 004c9c831 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=89) |
| Malwarebytes | Trojan.Upatre |
| MaxSecure | Trojan.Upatre.Gen |
| McAfee | Upatre-FACH!CFDA50F0468E |
| McAfee-GW-Edition | BehavesLike.Win32.IBryte.nm |
| MicroWorld-eScan | Gen:Trojan.Ipatre.1 |
| Microsoft | TrojanDownloader:Win32/Upatre |
| NANO-Antivirus | Trojan.Win32.Upatre.evxvxh |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM07.1.777D.Malware.Gen |
| Rising | Trojan.Kryptik!1.A0CC (RDMK:cmRtazresfyZtBenkJqUn4HYB1qd) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Upatre |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Upatre-RD |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(2 个事件)
| dead_host | 176.36.251.208:443 |
| dead_host | 67.221.195.6:443 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2013-11-13 09:35:01
PE Imphash
8b4c9a264e863960b1c7f7e1b55093ea
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00002b10 | 0x00002c00 | 6.353124246500171 |
| .rdata | 0x00004000 | 0x00000a2e | 0x00000c00 | 4.267369576271253 |
| .data | 0x00005000 | 0x00000354 | 0x00000200 | 1.6200108990318556 |
| .rsrc | 0x00006000 | 0x00004a88 | 0x00004c00 | 4.808147752251347 |
| .reloc | 0x0000b000 | 0x00000238 | 0x00000400 | 3.1326170554811865 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x00006330 | 0x00004228 | LANG_POLISH | SUBLANG_DEFAULT | None |
| RT_DIALOG | 0x00006210 | 0x0000010a | LANG_POLISH | SUBLANG_DEFAULT | None |
| RT_STRING | 0x0000aa28 | 0x0000005c | LANG_POLISH | SUBLANG_DEFAULT | None |
| RT_ACCELERATOR | 0x00006320 | 0x00000010 | LANG_POLISH | SUBLANG_DEFAULT | None |
| RT_GROUP_ICON | 0x0000a558 | 0x00000014 | LANG_POLISH | SUBLANG_DEFAULT | None |
| RT_VERSION | 0x0000a570 | 0x000002a8 | LANG_POLISH | SUBLANG_DEFAULT | None |
| RT_MANIFEST | 0x0000a818 | 0x0000020c | LANG_POLISH | SUBLANG_DEFAULT | None |
Imports
Library USER32.dll:
• 0x404090 EndDialog
• 0x404094 DialogBoxParamA
• 0x404098 DestroyWindow
• 0x40409c DefWindowProcA
• 0x4040a0 SendMessageA
• 0x4040a4 PostMessageA
• 0x4040a8 BeginPaint
• 0x4040ac GetClientRect
• 0x4040b0 DrawTextA
• 0x4040b4 EndPaint
• 0x4040b8 PostQuitMessage
• 0x4040bc CreateWindowExA
• 0x4040c0 ShowWindow
• 0x4040c4 UpdateWindow
• 0x4040c8 LoadIconA
• 0x4040cc LoadCursorA
• 0x4040d0 RegisterClassExA
• 0x4040d4 LoadStringA
• 0x4040d8 GetMessageA
• 0x4040dc TranslateMessage
• 0x4040e0 DispatchMessageA
Library KERNEL32.dll:
• 0x404000 GetStartupInfoA
• 0x404004 GetModuleHandleA
• 0x404008 lstrlenA
• 0x40400c GetCurrentDirectoryA
• 0x404010 LoadLibraryA
• 0x404014 LoadResource
• 0x404018 LockResource
• 0x40401c FindResourceA
Library MSVCRT.dll:
• 0x404024 __p__commode
• 0x404028 _adjust_fdiv
• 0x40402c __setusermatherr
• 0x404030 _initterm
• 0x404034 __getmainargs
• 0x404038 __p__fmode
• 0x40403c exit
• 0x404040 _XcptFilter
• 0x404044 _exit
• 0x404048 ??2@YAPAXI@Z
• 0x40404c fputs
• 0x404050 strlen
• 0x404054 fprintf
• 0x404058 __set_app_type
• 0x40405c _except_handler3
• 0x404060 _controlfp
• 0x404064 _acmdln
• 0x404068 fputc
• 0x40406c fflush
• 0x404070 fgetc
• 0x404074 fclose
• 0x404078 _iob
• 0x40407c free
• 0x404080 malloc
• 0x404084 memmove
• 0x404088 memcmp
L!This program cannot be run in DOS mode.
7!Ticg
`.rdata
@.data
@.reloc
h3PuVF8%
]U jdhR@
jdh(R@
hSVWe3
EEP58S@
EPEPEP
0u>"u:Fu
<"u>"u
> vFuj
u"4kU}IPGB
LJ|T`p
Lzp !{
^^pA0q
x^|O%I
Zd|E`{
SmQL`p
GkqINg
S&JDU@
R*KDJ^P&c
N-KDJ^
:7 P0L[U\
goI`,KEJ]
goI`)JA\\
goI`'VGTA
goI`&J@Q]
?*VNwAMJ^
ORdxGP^
N.IBT@
T&IGT@
T0I[PoIrp
N(JDT^
PV0VGPA
goI`*IDJY
goI`)JGV]
?+VNwILP^
T,VDPoIrp
R&MCJ[
:7 R/VDT^
PW0J[U_
goI`.IDSY
<*VNwOGJX
</VNwNBJ]
ORdxGTA
9`nxums?
`nxum]
e`nxum'?
{`nxum1?
aDIOCAF&](
d*f& \.
W6\5`N
]v<E8To@*%0x\_=Ww&
^}e3u$
nxqd5<5}uh
O2-1|docD^N
x.1\.1
kEK:Qy`
7.g*#yF
Pxud>"~
Mj `#x
]qhQvzHxudH:it
6(6gyxuswEot
>("'TD@
*#yh(jFeCak
-8(IYfD'
8In1+s
moSXxu
cHW-gDw
$kx1!h
I f(1.Ds^u
T+*q\5
v=i^Oh
Z1y5e2
LWJ9Hzdn
)(#2<*F1>2
/6(6!VgH4|tB&
9^s6\5F
@v7gKE`j2
>[1]=w
\5(pD9
/yY%jU
94$0rI]imE+g
IR^u0gk))-Q
t4^*%X
"ueyLCmBb
:Xz(1&
EtXD!Nz^9<<\W*]
_]E0<e
3B[exu$>m=;
ud/eyLCmh
MW^uT(#
e}h_NT
IQudH:
]57<2N
$(_gt)-EUQE
FMu^FF#
NMIIII
Uirt^_@
WP-PYu
44yw94y
PT00ht
HGGuHHH
Au^H9EtYES
@@PVHu
GPFY*uA^_S
NSOWIADVHAIWIYJWXCDCOMOSVBDBCYBGVGLEVNIR
SaveCurren
MZ4PXGAOURRWOVIBFKGJNCLLGWXYDNXLUCHAYHPXBVCXLMSOHCR
UHCOCRSROROAFVKWKTIPMNUIQDTIQXCQQDMRISPRMCNSAUQAX
ARMKTCCLRQSIYTINYSSNKBCXRIEWBYMVS
Second Name
DispatchMessageA
TranslateMessage
GetMessageA
LoadStringA
RegisterClassExA
LoadCursorA
LoadIconA
UpdateWindow
ShowWindow
CreateWindowExA
PostQuitMessage
EndPaint
DrawTextA
GetClientRect
BeginPaint
PostMessageA
SendMessageA
DefWindowProcA
DestroyWindow
DialogBoxParamA
EndDialog
USER32.dll
FindResourceA
LockResource
LoadResource
LoadLibraryA
GetCurrentDirectoryA
lstrlenA
KERNEL32.dll
fflush
fclose
malloc
memmove
memcmp
fprintf
strlen
??2@YAPAXI@Z
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
MSVCRT.dll
_controlfp
GetModuleHandleA
GetStartupInfoA
-H8">#",{
GW F90+J(2.?
H"1EG0$4
+L4HD9-
button
static
listbox
qezA6I>
A2WN6&
@,JCVL:'
6/=-7+
>92&ID
b[QD/'
;5XJme6'3*D8J=PF
D@.!VG]Gi_4!2$/(_^
3 wOJC6L?haYH
PI+"QI4%-
MImfTHG9A53,3+;-<.F9kb
oh,#6'(!
55VSpm
0$2$1!/$1'/'/(0$/$1!2!5"1$.'1#2$0$3(.'/%.)-'2'3#2'0%2 0$1$/ 3
) ' 4#-
3&5$.&+ ' ) )
8$7 6#2', ,
2!8"3"-
& ) +!)
0 5 xo[L=*,
/ 6$YK1!*
, <.;;:
<)/ 0 1"-!8%F40 6&:(."* , ) *
/!* +!+ / 6!0 .
, 1)0 2 1"1"1!/"+
=&:+0!-"/"8*=,<)7(6!7%8%5 2 / 2 0"2"1"1#0!0
=%y}zz~~~
.".$1#1$/"-
<%yqK:6%0!9+@3G4=&=/;-0&2$1#.#1#1#/#/ 1#2$1#1
2$2#1#.%7(1
;)>'8(7*aZG@?/TI1&1$2#-$1$2$1#1$.%2$5">%9;:
(!3#2%3&4#2 2%2#,
;*?5=+G:QEA0um; 5#5%2 2#4%2 4#2%4$3#6$;9:
,#3&3%5%2%2%2&5#3 B/ZKB89+F7PC@1RB1!4#.$5#5%4%2$2$2&3%4#=$999
0#;$;"6&2%5%6%5$3$C+8:D=8.XGG8A0D6>-8'1%9$4%9$8-6&5%6&5$9"6#8!999
7/<*8(4&3'7/3&3%5
D)[MD:[IL8=-J5C2E<3'7,1(3%3&5&1&8-3&2'8$=$99;
/&7&6%6&7(8&6%7'8#E,F:A1?)<.5&3(5%3(5%/!6%5%3'9"9!898
6)B09*:*9*9)8(6
9'D*SHE0SE/
Q8='8'7%6%9)8*8,:+8)8)4(D2898
1%C39*8)8);*>,7':-9"wt~{fSM4<'<,si{qfJ48'7&F/}w~tm:);(:'9)<(9);(=(9)8(3'G5:99
;):)9'7'7&8&8'8*9*7&D1G5L;A2:*9':,9)@.G6A2F4@,8&:*C0:*A7G8A2B2B4>.9)B.9'@-A/;'9(A.A.@,<!H6898
/!6$8%9&8
6&7$7$6%705-3'OBUHS=T>TDOFPJOAQCSAU?UCSDUFQIOD[MWGRATDWETDVEWERBYKXHXJPAQ:_Q898
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.4.37"
processorArchitecture="X86"
name="Takenforex"
type="win32"/>
<description>Takenforex</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="asInvoker"
uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
1-121:1S1]1y11111111
2+22292@2F2N2T2[2b2m2t2z222222222
3&363V3
I<h<<<<<<<
=X=^=y>?
k1v12N3Z3a3m333333333
434J4]4o4444444444
5.535;5@5\5b5k5r555555555555
646<6A6I6j6r6w6
666666666
7&7E7J7R7W7^7}7777777777777
8`9:::
33333333333333333
i�n�g� �c�o�n�t�e�x�t�M�e�n�u�
t�h�e�m�e�s�
N�o�t�e�p�a�d�+�+� �s�t�y�l�e� �t�h�e�m�e�
p�l�u�g�i�n�s�
N�o�t�e�p�a�d�+�+� �p�l�u�g�i�n�
-�o�p�t�i�o�n�s�
-�v�e�r�b�o�s�e� �-�v�
g�u�p�.�e�x�e�
u�p�d�a�t�e�r�
h�t�t�p�:�/�/�s�o�u�r�c�e�f�o�r�g�e�.�n�e�t�/�a�p�p�s�/�m�e�d�i�a�w�i�k�i�/�n�o�t�e�p�a�d�-�p�l�u�s�/�i�n�d�e�x�.�p�h�p�?�t�i�t�l�e�=�P�l�u�g�i�n�_�C�e�n�t�r�a�l�
h�t�t�p�:�/�/�s�o�u�r�c�e�f�o�r�g�e�.�n�e�t�/�f�o�r�u�m�/�?�g�r�o�u�p�_�i�d�=�9�5�7�1�7�
h�t�t�p�:�/�/�n�p�p�-�c�o�m�m�u�n�i�t�y�.�t�u�x�f�a�m�i�l�y�.�o�r�g�/�
h�t�t�p�:�/�/�s�o�u�r�c�e�f�o�r�g�e�.�n�e�t�/�p�r�o�j�e�c�t�s�/�n�o�t�e�p�a�d�-�p�l�u�s�/�
d�o�e�s�n�'�t� �e�x�i�s�t�.� �
R�n�d�o� �A�b�i�l�
i�t�y� �W�a�n�i�n�g�
n�m�u�l�t�i�I�n�s�t� �-�n�o�s�e�s�s�i�o�n� �-�o�p�e�n�S�e�s�s�i�o�n� �
S�e�s�s�i�o�n�
A�b�o�u�t� �T�a�k�e�n�f�o�r�e�x�
S�y�s�t�e�m�
T�a�k�e�n�f�o�r�e�x� �V�e�r�s�i�o�n� �1�.�1�2�
C�o�p�y�r�i�g�h�t� �(�C�)� �2�0�1�4�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�8�A�C�6�B�0�
C�o�m�p�a�n�y�N�a�m�e�
T�a�k�e�n�f�o�r�e�x�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
T�a�k�e�n�f�o�r�e�x�
F�i�l�e�V�e�r�s�i�o�n�
1�.�1�.�2�.�1�2�
I�n�t�e�r�n�a�l�N�a�m�e�
T�a�k�e�n�f�o�r�e�x� �I�n�t�e�r�n�a�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
P�r�o�d�u�c�t�N�a�m�e�
T�a�k�e�n�f�o�r�e�x�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
T�a�k�e�n�f�o�r�e�x�
T�a�k�e�n�f�o�r�e�x�
T�a�k�e�n�f�o�r�e�x�
C�:�\�f�e�4�e�5�e�e�6�1�f�f�1�b�2�b�4�f�3�b�1�0�b�e�b�8�4�f�2�e�3�3�4�2�0�1�a�2�f�3�6�8�7�9�e�8�d�7�e�b�2�d�2�9�a�e�0�d�6�4�4�1�9�8�5�
C�:�\�U�5�T�F�v�b�T�9�.�e�x�e�
C�:�\�9�7�f�e�e�d�6�3�5�4�3�4�5�d�0�4�a�8�7�3�a�a�b�b�b�e�8�3�4�2�2�6�6�b�0�5�c�7�1�e�3�b�4�7�4�d�2�d�0�f�a�5�b�b�3�0�a�b�7�7�b�4�4�5�
C�:�\�y�L�g�g�c�r�o�A�.�e�x�e�
C�:�\�E�F�y�r�c�i�y�m�.�e�x�e�
C�:�\�k�X�Y�_�W�A�6�n�.�e�x�e�
C�:�\�6�0�9�8�9�4�a�8�9�0�a�0�5�2�9�5�5�b�1�3�0�1�b�4�0�8�e�4�1�0�e�9�4�a�8�3�2�6�6�c�b�5�e�7�f�8�1�1�0�4�b�d�e�2�1�4�7�f�2�b�d�9�2�d�
C�:�\�j�f�P�4�z�B�X�i�.�e�x�e�
C�:�\�r�w�G�_�C�W�j�s�.�e�x�e�
C�:�\�U�s�e�r�s�\�J�o�h�n�n�y� �C�a�g�e�\�D�e�s�k�t�o�p�\�o�U�c�e�w�E�w�6�R�0�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�f�i�l�e�.�e�x�e�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�c�a�d�v�a�h�i�n�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�9�2�7�5�8�e�b�3�8�0�2�8�2�b�7�d�_�c�a�d�v�a�h�i�n�.�e�x�e�
C�:�\�c�5�a�3�8�8�7�b�e�e�7�7�5�7�7�e�b�a�f�8�0�7�2�7�e�3�1�3�8�f�1�4�c�0�d�5�7�f�7�8�7�f�7�f�b�1�e�7�d�e�7�3�5�2�e�4�4�8�c�5�9�2�4�7�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�c�a�d�v�a�h�i�n�.�e�x�e�
C�:�\�7�a�7�c�d�1�2�0�6�f�3�a�1�5�1�c�6�a�b�5�1�2�c�a�5�9�7�4�b�7�4�1�e�4�1�c�b�a�6�a�3�6�1�8�b�f�8�2�3�2�0�e�e�d�9�e�1�6�5�0�c�b�6�c�
C�:�\�a�d�6�4�7�4�d�6�2�1�e�1�c�c�a�7�0�8�b�e�c�d�a�e�f�d�1�0�6�4�e�5�9�0�d�7�1�a�e�7�7�0�5�7�c�7�b�6�6�3�7�0�1�1�b�2�2�b�b�5�d�e�8�6�
C�:�\�4�9�4�6�f�2�7�1�5�b�c�b�3�9�1�3�5�e�d�0�d�a�3�2�d�d�b�9�b�f�9�6�3�b�7�7�3�1�f�1�9�8�d�c�3�6�3�2�4�5�5�1�7�c�d�8�7�f�7�6�4�e�1�7�
C�:�\�9�8�9�0�2�1�9�0�7�2�8�9�c�9�3�9�6�9�9�2�8�0�a�1�f�f�1�d�5�b�e�d�e�3�7�9�4�8�c�d�0�d�2�8�d�0�0�3�e�e�c�9�f�a�d�b�a�8�9�8�8�b�d�8�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�c�a�d�v�a�h�i�n�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�5�1�7�1�a�d�0�5�c�f�0�9�0�a�c�2�2�8�4�1�9�f�1�5�0�1�a�9�8�c�a�1�9�f�d�0�4�a�2�c�8�e�5�5�9�4�f�b�0�d�8�c�5�3�0�d�5�3�5�a�6�f�7�1�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�2�a�d�5�b�2�0�d�0�e�3�a�a�2�2�4�2�b�d�9�8�2�f�1�d�7�3�7�2�c�5�4�4�1�c�2�8�2�e�2�d�1�3�c�3�b�2�2�d�4�e�7�6�0�d�1�5�c�6�c�8�6�8�b�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�f�5�8�1�a�2�1�1�3�d�c�a�a�d�1�7�e�e�c�4�9�d�f�7�8�e�8�f�5�f�b�9�c�2�a�7�2�6�9�0�e�9�b�7�0�b�7�2�9�5�f�0�9�6�5�2�9�a�c�9�5�4�5�8�.�e�x�e�
C�:�\�7�0�3�6�e�9�0�a�4�4�1�e�4�3�e�e�8�2�5�8�9�d�c�2�f�d�5�0�c�2�3�8�2�8�0�a�6�6�0�7�c�e�e�3�d�e�3�8�4�d�7�4�a�9�9�8�4�1�6�d�3�3�6�a�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�c�a�d�v�a�h�i�n�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�3�4�a�b�b�9�9�f�c�f�9�8�4�5�2�1�5�1�e�a�a�d�5�6�2�b�0�1�a�2�0�5�1�f�6�7�3�5�f�5�1�5�9�0�8�9�d�b�d�4�4�7�e�2�a�d�f�5�6�4�2�6�4�1�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�0�6�3�e�0�9�a�0�7�1�e�8�b�8�0�3�8�0�c�a�1�8�1�1�a�9�f�e�e�8�f�e�b�b�1�4�c�7�d�7�f�0�4�7�1�5�6�c�a�8�5�1�4�6�6�d�f�1�1�b�8�e�c�5�.�e�x�e�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�c�a�d�v�a�h�i�n�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�a�c�d�f�e�c�6�7�f�7�1�e�6�3�d�9�_�c�a�d�v�a�h�i�n�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�c�b�5�5�c�6�c�5�d�f�b�f�b�b�9�f�4�d�7�b�2�0�5�d�7�8�5�e�4�c�a�c�0�0�e�9�0�0�b�6�0�e�c�0�3�5�5�b�f�0�5�1�0�c�0�a�3�6�b�a�c�b�2�7�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�f�1�1�a�d�d�c�7�9�d�c�5�c�d�4�a�2�1�5�5�5�1�7�2�d�d�7�b�3�9�9�b�f�4�b�6�b�7�f�d�c�2�9�a�e�7�1�c�3�c�a�2�8�7�b�9�8�f�7�3�6�c�a�e�.�e�x�e�
C�:�\�a�c�9�7�b�3�4�8�d�2�0�8�8�7�a�5�a�0�1�e�2�1�5�9�0�8�5�0�5�5�6�1�4�8�8�2�2�3�9�4�d�8�7�e�3�3�0�5�6�4�4�3�8�3�2�6�9�f�d�e�a�a�0�f�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�c�a�d�v�a�h�i�n�.�e�x�e�
C�:�\�5�8�1�4�d�4�9�f�7�e�f�c�e�d�7�8�f�4�e�1�a�8�b�5�9�b�e�6�2�5�0�a�f�5�0�b�1�f�e�9�1�5�7�4�8�5�c�7�0�8�2�2�d�5�4�2�e�e�2�2�3�8�5�8�
C�:�\�b�9�4�8�6�b�b�1�c�3�f�a�2�d�9�a�1�a�d�0�d�b�2�e�1�1�b�4�f�f�d�3�0�b�9�0�d�f�f�4�c�0�e�7�e�2�6�8�e�9�2�0�8�c�e�2�2�d�9�6�6�6�f�9�
C�:�\�7�c�7�6�8�7�e�3�7�3�0�4�7�f�2�c�9�d�8�8�9�6�f�5�8�e�e�7�0�f�8�e�f�3�8�4�a�5�3�9�e�8�9�c�7�a�f�e�7�5�7�8�3�6�7�0�6�3�f�1�5�4�f�8�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�c�a�d�v�a�h�i�n�.�e�x�e�
C�:�\�8�f�d�c�8�8�5�e�1�8�2�9�a�7�3�c�5�7�6�9�3�3�6�5�3�1�a�c�8�c�5�5�c�f�f�5�c�6�b�6�d�e�7�1�c�b�9�0�1�f�e�b�7�2�1�3�e�e�4�d�7�6�f�f�
C�:�\�4�c�d�7�f�2�8�5�d�f�c�6�c�0�2�e�8�8�d�4�a�3�2�b�e�4�7�5�2�2�c�f�b�5�1�2�2�b�f�3�8�5�9�0�7�f�2�d�4�3�2�1�d�1�4�a�1�f�4�b�f�6�b�c�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�c�a�d�v�a�h�i�n�.�e�x�e�
Process Tree
-
0898235485dede55387d73941835104b6523b91967ae1974d8e880b8895de850.exe (844)
"C:\Users\Administrator\AppData\Local\Temp\0898235485dede55387d73941835104b6523b91967ae1974d8e880b8895de850.exe"
- cadvahin.exe (920) C:\Users\ADMINI~1\AppData\Local\Temp\cadvahin.exe
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| checkip.dyndns.org |
A 193.122.130.0
CNAME checkip.dyndns.com A 132.226.247.73 A 158.101.44.242 |
158.101.44.242 |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49164 | 158.101.44.242 checkip.dyndns.org | 80 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 69.163.81.211 | 192.168.56.101 | 3 | |
| 69.163.81.211 | 192.168.56.101 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 628c6eb7d6b84ed9_cadvahin.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\cadvahin.exe |
| Size | 40.2KB |
| Processes | 844 (0898235485dede55387d73941835104b6523b91967ae1974d8e880b8895de850.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 3bd796805e626c5136123a54f2694d14 |
| SHA1 | 409614ab3e826c70b437bcd5f774c0ef3e53cf99 |
| SHA256 | 628c6eb7d6b84ed976403106055df48cebc2f5cf1a05437f7bc033d1fc3b5f19 |
| CRC32 | 010B55CE |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.