SmartHawk

Time & API	Arguments	Status	Return
1620985527.213139 bind	ip_address: 0.0.0.0 socket: 928 port: 0	success	0
1620985533.322139 bind	ip_address: 127.0.0.1 socket: 984 port: 0	success	0
1620985533.322139 listen	socket: 984 backlog: 1000	success	0
1620985534.744139 bind	ip_address: 127.0.0.1 socket: 1572 port: 0	success	0
1620985537.541139 bind	ip_address: 0.0.0.0 socket: 1628 port: 0	success	0
1620985537.541139 accept	ip_address: 127.0.0.1 socket: 984 port: 49181	success	1644
1620985538.760139 bind	ip_address: 0.0.0.0 socket: 1688 port: 0	success	0
1620985538.760139 accept	ip_address: 127.0.0.1 socket: 984 port: 49182	success	1744
1620985538.775139 bind	ip_address: 0.0.0.0 socket: 1728 port: 0	success	0
1620985538.775139 accept	ip_address: 127.0.0.1 socket: 984 port: 49183	success	1772
1620985538.822139 bind	ip_address: 0.0.0.0 socket: 1772 port: 0	success	0
1620985538.838139 accept	ip_address: 127.0.0.1 socket: 984 port: 49184	success	1788
1620985538.885139 bind	ip_address: 0.0.0.0 socket: 1792 port: 0	success	0
1620985538.885139 accept	ip_address: 127.0.0.1 socket: 984 port: 49185	success	1812
1620985538.932139 bind	ip_address: 0.0.0.0 socket: 1688 port: 0	success	0
1620985538.932139 accept	ip_address: 127.0.0.1 socket: 984 port: 49186	success	1828
1620985539.088139 bind	ip_address: 0.0.0.0 socket: 1824 port: 0	success	0
1620985539.088139 accept	ip_address: 127.0.0.1 socket: 984 port: 49187	success	1688
1620985539.291139 bind	ip_address: 0.0.0.0 socket: 1688 port: 0	success	0
1620985539.291139 accept	ip_address: 127.0.0.1 socket: 984 port: 49188	success	1776
1620985539.291139 bind	ip_address: 0.0.0.0 socket: 1824 port: 0	success	0
1620985539.291139 accept	ip_address: 127.0.0.1 socket: 984 port: 49189	success	1776
1620985539.307139 bind	ip_address: 0.0.0.0 socket: 1688 port: 0	success	0
1620985539.307139 accept	ip_address: 127.0.0.1 socket: 984 port: 49190	success	1776
1620985539.400139 bind	ip_address: 0.0.0.0 socket: 1756 port: 0	success	0
1620985539.416139 accept	ip_address: 127.0.0.1 socket: 984 port: 49191	success	1792
1620985539.650139 bind	ip_address: 0.0.0.0 socket: 1184 port: 0	success	0
1620985539.650139 accept	ip_address: 127.0.0.1 socket: 984 port: 49192	success	1644
1620985539.713139 bind	ip_address: 0.0.0.0 socket: 1788 port: 0	success	0
1620985539.713139 accept	ip_address: 127.0.0.1 socket: 984 port: 49193	success	1740
1620985539.744139 bind	ip_address: 0.0.0.0 socket: 1740 port: 0	success	0
1620985539.744139 accept	ip_address: 127.0.0.1 socket: 984 port: 49194	success	1788
1620985539.791139 bind	ip_address: 0.0.0.0 socket: 1160 port: 0	success	0
1620985539.791139 accept	ip_address: 127.0.0.1 socket: 984 port: 49195	success	1864
1620985539.885139 bind	ip_address: 0.0.0.0 socket: 1864 port: 0	success	0
1620985539.885139 accept	ip_address: 127.0.0.1 socket: 984 port: 49196	success	1160
1620985540.010139 bind	ip_address: 0.0.0.0 socket: 1184 port: 0	success	0
1620985540.010139 accept	ip_address: 127.0.0.1 socket: 984 port: 49197	success	1884
1620985540.041139 bind	ip_address: 0.0.0.0 socket: 1184 port: 0	success	0
1620985540.041139 accept	ip_address: 127.0.0.1 socket: 984 port: 49198	success	1888
1620985540.072139 bind	ip_address: 0.0.0.0 socket: 1184 port: 0	success	0
1620985540.072139 accept	ip_address: 127.0.0.1 socket: 984 port: 49199	success	1928
1620985540.088139 bind	ip_address: 0.0.0.0 socket: 1944 port: 0	success	0
1620985540.088139 accept	ip_address: 127.0.0.1 socket: 984 port: 49200	success	1936
1620985540.135139 bind	ip_address: 0.0.0.0 socket: 1948 port: 0	success	0
1620985540.135139 accept	ip_address: 127.0.0.1 socket: 984 port: 49201	success	1944
1620985540.150139 bind	ip_address: 0.0.0.0 socket: 1944 port: 0	success	0
1620985540.150139 accept	ip_address: 127.0.0.1 socket: 984 port: 49202	success	1948
1620985540.213139 bind	ip_address: 0.0.0.0 socket: 1944 port: 0	success	0
1620985540.213139 accept	ip_address: 127.0.0.1 socket: 984 port: 49203	success	1956

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)

suspicious_features	POST method with no referer header				suspicious_request	POST http://5833691d7e58ca69092b1b55.ironcad.keen.snxd.com/3.0/projects/566758413bc6965ee6b1edfa/events/ApplicationStart?api_key=d52b73202a8b40c676279f0fd4181cad8a2f620bf07f4f7bad0e3ac28ad49c015569cfe269013bb3613da3ed55786ebf4b4d1d4848ba33747f1d761081028f86c5ad794b3ef618fd3e9a8c2e7ab94f517e43abe05b52ad11d04ac4ec5233976d40e2e311c9edacdb02fb345635f9a056
suspicious_features	POST method with no referer header				suspicious_request	POST http://5833691d7e58ca69092b1b55.ironcad.keen.snxd.com/3.0/projects/566758413bc6965ee6b1edfa/events/DownloadStart?api_key=d52b73202a8b40c676279f0fd4181cad8a2f620bf07f4f7bad0e3ac28ad49c015569cfe269013bb3613da3ed55786ebf4b4d1d4848ba33747f1d761081028f86c5ad794b3ef618fd3e9a8c2e7ab94f517e43abe05b52ad11d04ac4ec5233976d40e2e311c9edacdb02fb345635f9a056

Performs some HTTP requests (7 个事件)

request	GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request	GET http://geoip.snxd.com/geoip/json/
request	GET http://metadata.cdn.snxd.com/E_3532718B0BEE499AF229A18978F0CD6948575A24
request	POST http://5833691d7e58ca69092b1b55.ironcad.keen.snxd.com/3.0/projects/566758413bc6965ee6b1edfa/events/ApplicationStart?api_key=d52b73202a8b40c676279f0fd4181cad8a2f620bf07f4f7bad0e3ac28ad49c015569cfe269013bb3613da3ed55786ebf4b4d1d4848ba33747f1d761081028f86c5ad794b3ef618fd3e9a8c2e7ab94f517e43abe05b52ad11d04ac4ec5233976d40e2e311c9edacdb02fb345635f9a056
request	POST http://5833691d7e58ca69092b1b55.ironcad.keen.snxd.com/3.0/projects/566758413bc6965ee6b1edfa/events/DownloadStart?api_key=d52b73202a8b40c676279f0fd4181cad8a2f620bf07f4f7bad0e3ac28ad49c015569cfe269013bb3613da3ed55786ebf4b4d1d4848ba33747f1d761081028f86c5ad794b3ef618fd3e9a8c2e7ab94f517e43abe05b52ad11d04ac4ec5233976d40e2e311c9edacdb02fb345635f9a056
request	GET http://ironcad.trackers.snxd.com/?info_hash=52q%8B%0B%EEI%9A%F2%29%A1%89x%F0%CDiHWZ%24&peer_id=-SD3671-%00%EB5%E0%27%F6%B0b%C0%C1%07%A2&key=BFCDB8C3ED1CE83337841A1E730-31656139-1620990458&ip=192.168.56.101&port=0&compact=1&event=started&event_id=1&left=1462468616&downloaded=0&uploaded=0&sid=1&sflags=2&slocation=77CB964C&stfstart=126&stnow=2&ststart=0&stcheck=2&stdownload=2&t=1621022860&s=a123f4059a2b069
request	GET http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe

Sends data using the HTTP POST Method (2 个事件)

request	POST http://5833691d7e58ca69092b1b55.ironcad.keen.snxd.com/3.0/projects/566758413bc6965ee6b1edfa/events/ApplicationStart?api_key=d52b73202a8b40c676279f0fd4181cad8a2f620bf07f4f7bad0e3ac28ad49c015569cfe269013bb3613da3ed55786ebf4b4d1d4848ba33747f1d761081028f86c5ad794b3ef618fd3e9a8c2e7ab94f517e43abe05b52ad11d04ac4ec5233976d40e2e311c9edacdb02fb345635f9a056
request	POST http://5833691d7e58ca69092b1b55.ironcad.keen.snxd.com/3.0/projects/566758413bc6965ee6b1edfa/events/DownloadStart?api_key=d52b73202a8b40c676279f0fd4181cad8a2f620bf07f4f7bad0e3ac28ad49c015569cfe269013bb3613da3ed55786ebf4b4d1d4848ba33747f1d761081028f86c5ad794b3ef618fd3e9a8c2e7ab94f517e43abe05b52ad11d04ac4ec5233976d40e2e311c9edacdb02fb345635f9a056

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620985559.854139 GetDiskFreeSpaceW	root_path: C:\Users\Administrator.Oskar-PC\Downloads\ sectors_per_cluster: 8 number_of_free_clusters: 4787673 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1	0

Creates executable files on the filesystem (14 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JSSP0KXB\analytics-3.6.5.0-keen[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZOR341Z\enterprise-3.6.7.1.min[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZOR341Z\jquery.flot.min[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DQSDCVAE\json2.min[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZOR341Z\jquery-ui-1.10.3.custom.min[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6VHVO8H\jquery.zrssfeed[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6VHVO8H\excanvas.min[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JSSP0KXB\downloader-3.6.7.1.min[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DQSDCVAE\jquery.xml2json[1].js
file	C:\ProgramData\Solid State Networks\Host.dd124e6e73f223197fd62f9075e86bca3da4ec80\downloader.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JSSP0KXB\mainwindow[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6VHVO8H\jquery-1.8.0.min[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JSSP0KXB\host-3.6.7.1.min[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DQSDCVAE\custom[1].js

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620985521.979139 GetAdaptersAddresses	flags: 15 family: 0	failed	111	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Disables proxy possibly for traffic interception (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620985534.557139 RegSetValueExA	key_handle: 0x00000568 value: 0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	success	0	0

Attempts to create or modify system certificates (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)

Time & API	Arguments	Status
1620985537.494139 RegSetValueExA	key_handle: 0x00000660 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620985537.494139 RegSetValueExA	key_handle: 0x00000660 value: ðn¶¼üH× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620985537.494139 RegSetValueExA	key_handle: 0x00000660 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620985537.494139 RegSetValueExW	key_handle: 0x00000660 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620985537.494139 RegSetValueExA	key_handle: 0x00000668 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620985537.494139 RegSetValueExA	key_handle: 0x00000668 value: ðn¶¼üH× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620985537.494139 RegSetValueExA	key_handle: 0x00000668 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620985537.525139 RegSetValueExW	key_handle: 0x00000658 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success
1620985537.557139 RegSetValueExA	key_handle: 0x000004a0 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620985537.557139 RegSetValueExA	key_handle: 0x000004a0 value: 0ÏÀ¼üH× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620985537.572139 RegSetValueExA	key_handle: 0x000004a0 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620985537.572139 RegSetValueExW	key_handle: 0x000004a0 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620985537.572139 RegSetValueExA	key_handle: 0x00000684 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620985537.572139 RegSetValueExA	key_handle: 0x00000684 value: 0ÏÀ¼üH× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620985537.572139 RegSetValueExA	key_handle: 0x00000684 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

216.58.200.46:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2015-07-22 09:15:21

Imports

Library KERNEL32.dll:

• 0x47c000 FreeLibrary

• 0x47c004 RaiseException

• 0x47c008 InterlockedExchange

• 0x47c00c GetLastError

• 0x47c010 GetProcAddress

• 0x47c014 LoadLibraryA

• 0x47c018 LocalAlloc

• 0x47c01c LocalFree

• 0x47c020 GetCommandLineW

• 0x47c024 CreateFileA

• 0x47c028 FindFirstFileW

• 0x47c02c VirtualQuery

• 0x47c030 InterlockedIncrement

• 0x47c034 SystemTimeToFileTime

• 0x47c038 InterlockedDecrement

• 0x47c03c GetCurrentProcess

• 0x47c040 CreateDirectoryW

• 0x47c044 GetUserDefaultLCID

• 0x47c048 WaitForSingleObject

• 0x47c04c SetThreadExecutionState

• 0x47c050 GetModuleHandleW

• 0x47c054 FormatMessageA

• 0x47c058 SetFileTime

• 0x47c05c GetSystemWow64DirectoryA

• 0x47c060 OpenProcess

• 0x47c064 GetSystemDirectoryW

• 0x47c068 WideCharToMultiByte

• 0x47c06c LoadLibraryW

• 0x47c070 GetLocaleInfoW

• 0x47c074 Sleep

• 0x47c078 CopyFileW

• 0x47c07c GetExitCodeProcess

• 0x47c080 FileTimeToSystemTime

• 0x47c084 GetModuleFileNameW

• 0x47c088 CreateFileW

• 0x47c08c GetTempPathW

• 0x47c090 GetStdHandle

• 0x47c094 GetDiskFreeSpaceW

• 0x47c098 FindClose

• 0x47c09c GetProcessId

• 0x47c0a0 RemoveDirectoryW

• 0x47c0a4 DeviceIoControl

• 0x47c0a8 GetModuleHandleA

• 0x47c0ac FindNextFileW

• 0x47c0b0 GetVersionExA

• 0x47c0b4 CloseHandle

• 0x47c0b8 GetWindowsDirectoryW

• 0x47c0bc DeleteFileW

• 0x47c0c0 MoveFileWithProgressW

• 0x47c0c4 GetFileInformationByHandle

• 0x47c0c8 AllocConsole

• 0x47c0cc WriteFile

• 0x47c0d0 FreeConsole

• 0x47c0d4 SetConsoleTitleA

• 0x47c0d8 SetConsoleCtrlHandler

• 0x47c0dc DebugBreak

• 0x47c0e0 SetEndOfFile

• 0x47c0e4 SetEvent

• 0x47c0e8 GetTickCount

• 0x47c0ec InitializeCriticalSection

• 0x47c0f0 CreateEventA

• 0x47c0f4 LeaveCriticalSection

• 0x47c0f8 EnterCriticalSection

• 0x47c0fc ResetEvent

• 0x47c100 OpenMutexA

• 0x47c104 CreateMutexA

• 0x47c108 DeleteCriticalSection

• 0x47c10c ReleaseMutex

• 0x47c110 GetCurrentThread

• 0x47c114 SetThreadPriority

• 0x47c118 GetCurrentThreadId

• 0x47c11c SetLastError

• 0x47c120 TerminateProcess

• 0x47c124 SetEnvironmentVariableW

• 0x47c128 GlobalAlloc

• 0x47c12c MultiByteToWideChar

• 0x47c130 GlobalFree

• 0x47c134 CompareStringW

• 0x47c138 GetCommandLineA

• 0x47c13c GetStartupInfoA

• 0x47c140 HeapFree

• 0x47c144 HeapAlloc

• 0x47c148 SetFileAttributesW

• 0x47c14c GetFileAttributesW

• 0x47c150 GetFileType

• 0x47c154 FileTimeToLocalFileTime

• 0x47c158 GetDriveTypeW

• 0x47c15c SetStdHandle

• 0x47c160 ExitProcess

• 0x47c164 SetFilePointer

• 0x47c168 FlushFileBuffers

• 0x47c16c GetConsoleCP

• 0x47c170 GetConsoleMode

• 0x47c174 GetSystemTimeAsFileTime

• 0x47c178 ReadFile

• 0x47c17c ExitThread

• 0x47c180 CreateThread

• 0x47c184 UnhandledExceptionFilter

• 0x47c188 SetUnhandledExceptionFilter

• 0x47c18c IsDebuggerPresent

• 0x47c190 GetModuleFileNameA

• 0x47c194 FreeEnvironmentStringsA

• 0x47c198 GetEnvironmentStrings

• 0x47c19c FreeEnvironmentStringsW

• 0x47c1a0 GetEnvironmentStringsW

• 0x47c1a4 SetHandleCount

• 0x47c1a8 TlsGetValue

• 0x47c1ac TlsAlloc

• 0x47c1b0 TlsSetValue

• 0x47c1b4 TlsFree

• 0x47c1b8 HeapCreate

• 0x47c1bc VirtualFree

• 0x47c1c0 QueryPerformanceCounter

• 0x47c1c4 GetCurrentProcessId

• 0x47c1c8 VirtualAlloc

• 0x47c1cc HeapReAlloc

• 0x47c1d0 RtlUnwind

• 0x47c1d4 GetProcessHeap

• 0x47c1d8 GetFullPathNameW

• 0x47c1dc PeekNamedPipe

• 0x47c1e0 GetCurrentDirectoryA

• 0x47c1e4 InitializeCriticalSectionAndSpinCount

• 0x47c1e8 GetCPInfo

• 0x47c1ec GetACP

• 0x47c1f0 GetOEMCP

• 0x47c1f4 IsValidCodePage

• 0x47c1f8 WriteConsoleA

• 0x47c1fc GetConsoleOutputCP

• 0x47c200 WriteConsoleW

• 0x47c204 GetTimeZoneInformation

• 0x47c208 LCMapStringW

• 0x47c20c HeapSize

• 0x47c210 GetLocaleInfoA

• 0x47c214 CompareStringA

• 0x47c218 SetEnvironmentVariableA

• 0x47c21c LCMapStringA

• 0x47c220 GetStringTypeA

• 0x47c224 GetStringTypeW

• 0x47c228 GetDriveTypeA

• 0x47c22c GetQueuedCompletionStatus

• 0x47c230 PostQueuedCompletionStatus

• 0x47c234 CreateIoCompletionPort

• 0x47c238 WaitNamedPipeA

• 0x47c23c DisconnectNamedPipe

• 0x47c240 CreateNamedPipeA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
geoip.snxd.com	A 54.225.35.173	54.225.35.173
ironcad.cdns3.snxd.com	CNAME a139.d.akamai.net A 184.28.98.100 A 184.28.98.70 CNAME ironcad.cdns3.snxd.com.akamaized.net	61.213.189.184
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 216.58.200.46 CNAME clients.l.google.com	172.217.27.142
www.download.windowsupdate.com	A 124.225.105.97 CNAME 2-01-3cf7-0009.cdx.cedexis.net CNAME www.download.windowsupdate.com.cdn.dnsv1.com CNAME windowsupdate.sched.s11.tdnsv5.com CNAME 3573033.pack.cdntip.com CNAME wu-fg-shim.trafficmanager.net	115.231.33.1
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
5833691d7e58ca69092b1b55.ironcad.keen.snxd.com	CNAME api.keen.io CNAME api-v3_0.us-west-2.prod.aws.keen.io A 52.25.18.145 A 52.37.240.41 A 52.32.180.157	52.25.18.145
metadata.cdn.snxd.com	CNAME metadata.cdn.snxd.com.c.footprint.net A 4.27.28.126	4.27.28.126
ironcad.trackers.snxd.com	A 54.225.35.173	54.225.35.173
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49177	124.225.105.97 www.download.windowsupdate.com	80
192.168.56.101	49232	184.28.98.100 ironcad.cdns3.snxd.com	80
192.168.56.101	49234	184.28.98.100 ironcad.cdns3.snxd.com	80
192.168.56.101	49229	184.28.98.70 ironcad.cdns3.snxd.com	80
192.168.56.101	49230	184.28.98.70 ironcad.cdns3.snxd.com	80
192.168.56.101	49231	184.28.98.70 ironcad.cdns3.snxd.com	80
192.168.56.101	49233	184.28.98.70 ironcad.cdns3.snxd.com	80
192.168.56.101	49224	4.27.28.126 metadata.cdn.snxd.com	80
192.168.56.101	49225	52.25.18.145 5833691d7e58ca69092b1b55.ironcad.keen.snxd.com	80
192.168.56.101	49223	54.225.35.173 ironcad.trackers.snxd.com	80
192.168.56.101	49228	54.225.35.173 ironcad.trackers.snxd.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	61680	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	54260	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900

HTTP & HTTPS Requests

URI	Data
http://5833691d7e58ca69092b1b55.ironcad.keen.snxd.com/3.0/projects/566758413bc6965ee6b1edfa/events/DownloadStart?api_key=d52b73202a8b40c676279f0fd4181cad8a2f620bf07f4f7bad0e3ac28ad49c015569cfe269013bb3613da3ed55786ebf4b4d1d4848ba33747f1d761081028f86c5ad794b3ef618fd3e9a8c2e7ab94f517e43abe05b52ad11d04ac4ec5233976d40e2e311c9edacdb02fb345635f9a056	POST /3.0/projects/566758413bc6965ee6b1edfa/events/DownloadStart?api_key=d52b73202a8b40c676279f0fd4181cad8a2f620bf07f4f7bad0e3ac28ad49c015569cfe269013bb3613da3ed55786ebf4b4d1d4848ba33747f1d761081028f86c5ad794b3ef618fd3e9a8c2e7ab94f517e43abe05b52ad11d04ac4ec5233976d40e2e311c9edacdb02fb345635f9a056 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/json Accept: application/json User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1.7601.65536; zh-CN) X-Requested-With: XMLHttpRequest Content-Length: 412 Host: 5833691d7e58ca69092b1b55.ironcad.keen.snxd.com
http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe	GET /IronCAD2017PU1SP1_x86.exe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / Referer: http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe Range: bytes=17825792-18874367 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1.7601.65536; zh-CN) Host: ironcad.cdns3.snxd.com
http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe	GET /IronCAD2017PU1SP1_x86.exe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / Referer: http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe Range: bytes=13631488-14680063 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1.7601.65536; zh-CN) Host: ironcad.cdns3.snxd.com
http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe	GET /IronCAD2017PU1SP1_x86.exe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / Referer: http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe Range: bytes=15728640-16777215 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1.7601.65536; zh-CN) Host: ironcad.cdns3.snxd.com
http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe	GET /IronCAD2017PU1SP1_x86.exe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / Range: bytes=2097152-3145727 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1.7601.65536; zh-CN) Host: ironcad.cdns3.snxd.com
http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe	GET /IronCAD2017PU1SP1_x86.exe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / Range: bytes=1048576-2097151 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1.7601.65536; zh-CN) Host: ironcad.cdns3.snxd.com
http://geoip.snxd.com/geoip/json/	GET /geoip/json/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: application/json, text/javascript, /; q=0.01 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1.7601.65536; zh-CN) X-Requested-With: XMLHttpRequest Host: geoip.snxd.com
http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe	GET /IronCAD2017PU1SP1_x86.exe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / Referer: http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe Range: bytes=16777216-17825791 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1.7601.65536; zh-CN) Host: ironcad.cdns3.snxd.com
http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe	GET /IronCAD2017PU1SP1_x86.exe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / Range: bytes=5242880-6291455 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1.7601.65536; zh-CN) Host: ironcad.cdns3.snxd.com
http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe	GET /IronCAD2017PU1SP1_x86.exe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / Referer: http://ironcad.cdns3.snxd.com/IronCAD2017PU1SP1_x86.exe Range: bytes=8388608-9437183 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1.7601.65536; zh-CN) Host: ironcad.cdns3.snxd.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.