SecondWrite DeepView - 289477f12b10e6b770b40d4c0fb028b1af46b295a91030793c7188abe9774d0b

100

Malicious

This predictive confidence of maliciousness for this sample is 100%.

289477f12b10e6b770b40d4c0fb028b1af46b295a91030793c7188abe9774d0b

1.2 MB

Size

2020-06-09 02:17:07

First seen 9 days ago

Windows PE32 Executable

Classification

Full Detail

Ransomware

Low

Trojan

Low

Virus

Low

Banker

Low

Bot

Low

Rat

Low

Adware

Low

Infostealer

Low

Worm

High

Spyware

Low

Indicators

Expand All

SecondWrite Indicators

Forced Code Execution

Automatic Sequence Detection

Program Level Indicators

Anti-Sandbox

A process attempted to delay the analysis task.

Anti-Vm

Checks adapter addresses which can be used to detect virtual network interfaces

PID	API	Arguments
816	GetAdaptersAddresses	flags: 0 family: 0
816	GetAdaptersAddresses	flags: 0 family: 0

Av-Tools

This sample is detected by clamav as: Win.Worm.Socks-9

One or more AV tool detects this sample as malicious: Worm:Win32/Autorun.gen!BS

Generic

Strings possibly contain hardcoded IP Addresses.

Creates executable files on the filesystem

Automatic Sequence Detection maliciousness score: 76%

Http

Performs some HTTP requests

HTTP traffic contains suspicious features which may be indicative of malware related traffic

Network

Performs some DNS requests

Packer

The executable has PE anomalies (could be a false positive)

The binary likely contains encrypted or compressed data.

Persistence

Creates an Alternate Data Stream (ADS)

Installs itself for autorun at Windows startup

Static

This sample contains high entropy sections

Anomalous binary characteristics

Contains sections of zero entropy

Presents an Authenticode digital signature

Yara

Yara Pattern Name	Description
Str_Win32_Winsock2_Library	Match Winsock 2 API library declaration
IsPE32	No Description Available
HasOverlay	Overlay Check
HasRichSignature	Rich Signature Check

Static Analysis

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.bss	0x00001000	0x0000b9c8	0x00000000	0.0
.data	0x0000d000	0x000022d8	0x00002400	6.02977309188
hbgmgi	0x00010000	0x00013000	0x00043000	7.98289318573

Imports

Library KERNEL32.dll:

CreateFileMappingA
CreateProcessA
CreateThread
GetConsoleWindow
GetDriveTypeA
GetLastError
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetTempFileNameA
GetTempPathA
GetTickCount
GetVolumeInformationA
LoadLibraryA
SetErrorMode
SetFileAttributesA
Sleep

Library WS2_32.dll:

closesocket
connect
gethostbyname
htons
send
socket
WSACleanup
WSAStartup

Library USER32.dll:

ShowWindow

Library MSVCRT.dll:

__getmainargs
__p___argc
__p___argv
__p__commode
__p__fmode
__set_app_type
__setusermatherr
_acmdln
_adjust_fdiv
_controlfp
_except_handler3
_exit
_initterm
_itoa
_strdup
_XcptFilter
atoi
exit
fclose
fgets
fopen
fputs
fseek
ftell
fwrite
memset
rand
sprintf
srand
strcat
strcmp
strcpy
strlen
strrchr
strstr
strtok

Strings

!This program cannot be run in DOS mode.
hbgmgi
cftcrk10,fnn
igplgn10,fnn
EgvRpmaCffpgqq
EgvGltkpmloglvTcpkc`ngC
UklGzga
Amr{DkngC
QgvDkngCvvpk`wvgqC
PgeQgvTcnwgGzC
PgeAnmqgIg{
PgeMrglIg{C
http://124.217.253.6/~statis00/load/
http://124.217.253.6/~statis00/load/
advoml,gzg
qrmmnq,gzg
dvrfnn,fnn
uklklgv,fnn
KlvgplgvMrglC
KlvgplgvMrglWpnC
KlvgplgvPgcfDkng
ntuser
autoload
Qmdvucpg^Okapmqmdv^Uklfmuq^AwppglvTgpqkml^Pwl^
ImagePath
Q[QVGO^AwppglvAmlvpmnQgv^Qgptkagq^Qajgfwng
"%1" %*
"%1" %*
^gzgdkng^qjgnn^mrgl^amooclf^
Q{qvgoFpktg
manda.php
data.php
vbs.php
proc_kill
proc_killsize
proc_run
<form method=
jvvr8--js/rjcpoc,mpe-
AMOPWVGPLCOG
uklfkp
^q{qvgo10
WQGPRPMDKNG
^Nmacn"Qgvvkleq^Crrnkacvkml"Fcvc
^fpktgpq^
^Nmacn"Qgvvkleq^Crrnkacvkml"Fcvc^
]tqe`ud/e`u
^fpktgpq^
q{qrpma,q{q
Amlvglv/V{rg8"crrnkacvkml-z/uuu/dmpo/wpnglamfgf
POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
Content-length: %d
cwvmpwl,gzg
cwvmpwl,kld
Ycwvmpwl_
QjgnnGzgawvg?cwvmpwl,gzg
%s?id=%s
%s?id=%s&l=%s
%s?id=%s
YYh'&@
YPh&'@
YPh(%@
v4h&'@
LoadLibraryA
GetProcAddress
GetVolumeInformationA
GetTempFileNameA
GetModuleFileNameA
GetTempPathA
CreateProcessA
SetFileAttributesA
GetDriveTypeA
GetLogicalDriveStringsA
GetTickCount
GetLastError
CreateFileMappingA
CreateThread
GetConsoleWindow
SetErrorMode
KERNEL32.dll
WS2_32.dll
ShowWindow
USER32.dll
strlen
fclose
strcat
strcpy
strstr
strrchr
strcmp
memset
fwrite
sprintf
strtok
__p___argv
__p___argc
MSVCRT.dll
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetStartupInfoA
_strdup
&&=_qzn
hU&m$;X
>k_(lm
"9x$C!
.B0B#p
$6J.Xl
`&P-1
6ds#Oj
}M5l_V
imWIjO
p YnaRCt
v\|7H\
>NgE\W
8'BZ0|
>7Ex'a
LdY|'G
)@JKw|
c=|vBG
dY8>|u
#1`EyC?^2&,
!_MrP?:
e%<MC(
[f?ac `?
Bb#kgJ
dy>u?Pf
i|d0Ro
|$X?+6
dY"I5^!
%l718iZ
)P{"PU
oBvfwV
QBx k%
^Uk2(;
uCCu:ZlR
nVHOQ,=
fj;/g_@
3N>mP?>kn
Zd7-if
hiwngH
f9$y2
W%i5pg
W]H8*?
TS4~~*
;`Z9c4$~
6pYC!V
Hl/g4\
S7s_aM3F
~t*(uw
Z~F@Br
fFb\>,_q
'R1BOI
h&GnI:
.nB>rmF`l
xwf)rg
l**-E]}
XmXG$!}
~DW@dK
!acr:2
Zv;[OR
#'tkjv`
u7Y|_@
c`.0{+
">#1D6
kO/$'W
|VBmKZ"S,
f_f?mk
$=)=F>
bS 45L
BcOP#{D
"BCV\?y#
/#Eh&b
1eVx&_7{
-3C>R/
~3Fz[4
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
%WLC3 #
TA&#[[
F@2JV"
?lF9?,
"DG'+a>
c&uUOZ
}[nJiM
|ZVF0Pj%/#
xBX]c
ZCY6UVsO/
iSv%g9
=/l}'2
ih\qKhr<A}R
{K=c`3Q
Wpwz(9@
\fRIsT
!E"C?Nn
GgT:t`iN
{gjER
%WLC3 #
TA&#[[
F@2JV"
?lF9?,
"DG'+a>
c&uUOZ
}[nJiM
|ZVF0Pj%/#
xBX]c
ZCY6UVsO/
iSv%g9
=/l}'2
ih\qKhr<A}R
{K=c`3Q
Wpwz(9@
\fRIsT
!E"C?Nn
GgT:t`iN
{gjER
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
6|TwK39
D$E}27K
w[MW*~s
/|vNqGz
m=H@<T
CgHygb
-f2{&%
:?hg[aT(,
w1YfLV
R@.t~]T
q(LlrG
J/%2lXH
@od3UC9.
PQ`G8
v6W4{}[
-3C9zG
of>:Qd~
eBfygm
,sme<_
l?{St[
e"AngOh#(_
>?6y%0ic%'
nVJig1;
DA]UMITo
M]^jn@v9
i:1$A
a_lnj5
,rC[`tkG
UnsUsG
?H^pAx
$ZA%Wl
(%Dr-37
-1n}M'
fl)~/Z
Pm:>$D
elS}*|,o
TbVi5"
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
2)O*"{
/qo,}%
]BpxR~-n
-i$f7e
s5,2>]
M,B_=P
e{8I8c
5$t;O}
gA;5E2
pn5z|KA
49,kS1
jdd&Gr
G"k+Y{t
;DQ+w4
y?@vfkm
/Elm0e
lC}S7N
S9S>=:
Ddx;&z
ez>*=Tf
Uk:1)F9."`[
NjF}0!
O6+3u2
[}f?Bb
h5c$"K
YrAHJi
ia70~/
}llxe
YeS{a<Q
`3+0^c
!%[lroX
?sdLzF
3D%ufqX
E}` =X
\Cm`6M
t'mu*
OQb1-e
c)&(Jt
+j*}tvVv
SUPk|N
~DN4}Vs#
qOb~]H
3[:WZiJCj
3\ AUL1
!^w^_'
Q(h |S
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
*4i2-HwA
]'ztS P
1]U5T1
S"0)W?B
%WLC3 #
TA&#[[
F@2JV"
?lF9?,
"DG'+a>
c&uUOZ
}[nJiM
|ZVF0Pj%/#
xBX]c
ZCY6UVsO/
iSv%g9
=/l}'2
ih\qKhr<A}R
{K=c`3Q
Wpwz(9@
\fRIsT
!E"C?Nn
GgT:t`iN
{gjER
y.2Qqms
dj!FapN
ypA?}Q^
k*mAM,
q/mrn:F
Kp-i14
]u|cKHR!
76B,zs
vsg(4t
`MNtI{s+
.Y]vW
8`!9&4
w+YwU%
Ov oab=
W)@L3k
n*Ne<.LS
;s4{pD
eIS%_Z
;hes/.
6g3`F)w
B,Ur/g
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
cJ5cW`1
o J0MZ
X*!`)&"
S)YLWy
vJQII&
lR\%|m
S&*5z4
*.\c(jV
Dzt=bK<
LD_/7U
x44~K~
AxstHt
gxxwi8K
c+^!#v
o<w)Z\
~Pssea
|Dd2Akp
&D?U*"
<'NIC&
p5T>:;?5
iJ}2tg
~gZiq&
[9#-xT
vG8KvQF
K3(OeR
wfRyRn
1OWo@DM
yy~xW]%;tR
};.lQVGf
,{L'n
"RT~n&1
7$_7<dn~Z*
<`ZI'^
b,kv\:O-j
kIdf^Gw
V-:d!_
Q'.l9s}
t:}?BF
ldtzc
Ptb?Xd
H9("v+
o2)JC7(|"
luk8Xc
_~4=Nis
H6R'Vo
o,b-+]"^t_
X (2-8
$k\YR5
Pz/sXCev
1=un7M
.l3(?]W
q0(Akg
:4SwW+
qcF[^m/#0
MFNoaC
TUYuEOE
N^4;uZ7L
i)X3"a
k[?SyB
=#)a:J,
C,SSUo%
]UrV]C<
$k@9=#
;he@]J
Qn:<iOrv
BF%LH|
T&trYt
K7]yfQ
>aTzJ
H'x:"A
[Yd"R4k
xT?4c[
jQKH`;
2$-SG
T&;W9[
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
YzX7>kZ0{
~Ph0=y4"
|gsn=xl
V,Q,PR
x7ef%"
r]!i-9[
lm5gFT
Gz0&Ao45Na:
U> Z:'
(n8XXh&
:|t:^I
_*%*c*O
A?KbAn
.G}-X[
qu9/36x 6
D{.9P2oV
I8Cq/C
7f09[,
W8kQmz~
E'VQ{GnZ
5\V83v
j".\BM
3J4uPJL
^d]et&=N
FL=AGe~
#QO&A-
[yPmcY
o9t[or
;o%,v,
;`.O1D
4t^-@R
HWnXKds]4-N{^c
sD5>L2
bsYH!S0w
1zhDnap
EvE~Mj
H(Dsza
u:lotx
H5^9t%
H3W100
#_uq ?
='L>l%u
P)hpmRo
c7>QT
mx0U9D(
|,K,'|
%P6S*
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
bmq\D4?
cwWKUe?
_ vVKH
)(F1'K
LAi$Et
XV0p%8q/E
aU>ZQg
%:0Ixq
dYe",rJ
GeDM$x
d'^<O!
/vm3fk
0IoE\M
SJ94f+>Us
$JvlPxNF
3!b!AeV
1g.+<L
#TgHj@
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
qZpv*
-;wWQUw1h
XmP`gY!
#Zm8|n
w&R2nU
&D0U5]
TEZ^QU
zUbK}
UaVB"BU
Jp{os!#
,BA*yr
VO3J~e}n_
DbuVvM^
=:".gm!
gX"@Dx
+n/QwqSA
BCiw( ~$
co8!@'
@eOAqP.~
V6sY|T
h4FV+?
JO$IF
)UITB9
peeqnv
"I#>wQ
a,5<O3>
znIVT7[
&<SF;F
w5=*4F
2^+#{
<h,"cN
'fbtRL
wX(x=1
i2U^lum
W{V?r9
mg{;Bb
@Y&mrn
tFi(Y~
N+nW|:
pL sGf
TaS0>B
1smH,Zd
t"W3Jx
z+l9Jh1
i[EV?f
h~o@u^
l[PM"\
:-X%h@V
vlLmtZ9!
tt.MgSH
`>yF U
gNAx*
vra?u9
_l4[]n
Xviipa
3|N;MQ
K359-9
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
qZpv*
-;wWQUw1h
XmP`gY!
#Zm8|n
w&R2nU
&D0U5]
TEZ^QU
zUbK}
UaVB"BU
Jp{os!#
,BA*yr
VO3J~e}n_
DbuVvM^
=:".gm!
gX"@Dx
+n/QwqSA
BCiw( ~$
co8!@'
@eOAqP.~
V6sY|T
h4FV+?
JO$IF
)UITB9
peeqnv
"I#>wQ
a,5<O3>
znIVT7[
&<SF;F
w5=*4F
2^+#{
<h,"cN
'fbtRL
wX(x=1
i2U^lum
W{V?r9
mg{;Bb
@Y&mrn
tFi(Y~
N+nW|:
pL sGf
TaS0>B
1smH,Zd
t"W3Jx
z+l9Jh1
i[EV?f
h~o@u^
l[PM"\
:-X%h@V
vlLmtZ9!
tt.MgSH
`>yF U
gNAx*
vra?u9
_l4[]n
Xviipa
3|N;MQ
K359-9
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
<4k`y0
@A*m($
0q6L#K!
,%TZ3H[Wfx
6:\f9eM|
rY;,8X
9F}VM,
Sd0ih'5u
3[tWB3:
X`zi5R[0
\]Wb?;
]Uxm1y7
R#U(8b-+
?}Sk64
&_]]M\N-
_0rKj2P
Ij6NAw
6](7a/
:bQ*R"
:M6N(3
YCgnda
v3BXAl
G=)"PF9
SI=L\<XPI
e*atz5
RD'yQf
'vn9_L
n$Yy9;
|T=L>i
JKpA(d
Lv!#aC
21WBQ/
WK9muK2u
la0r66
_r#pH,
.=o38[
WUuh~vvl
>$-R~Up
t#\=&b8
q<26zr
:bs3)1
j_2Ajco(
h&#s&|
=9&4XT
0(c+w/k
v'U-N+
EkkcfW
2ErL"6CY
^O6lh*_
5.ovQ>U.^
ll)s%k#
d'e|N0
ND/Q+
X)@WTGTb8
?fr$R
,P7WUwZ
Hi[H?Y!
F4Tk\L=P
pINGSL
7%-)+x
ia.y\1
.4{Ohbp
9@]n<`
J0}vvN:
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
&0{L?zy
hCuI#
~b3+;C
p 'K
F;=nis
vooRV~
gr?Gu*
wr|,3"
bo=S'W
C*\AF
v,Z/eo
?h6ry_wc
0}H,_`
qJ?B'B#m
5*k]p(d
u)uP_}}{
6z<pu
x"]%7w{y
VM%p)0
7g~[OK
]5[P:l
SOn?NE
h=rIgL<N
;8[-4g
6>DQ*R
O2UhFzw
;z#(D1!
gorI]p
<64$\x
<:1v{C
Z]FcJAh
$n[]6-+
YnT>GK
HZ-G{l
<{$0~c
@bS %6
q8hv3=1
Z98:y\
_j4ZN9
kkkdg@
eM[4h|
oT&AN*b
$8b\<F
(B]k!19
jjjjjj

Dropped Files

624d8e20fef6169e_spools.exe

Name: 624d8e20fef6169e_spools.exe
Size: 1.2 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 129baac09dc12ae594ecfaf550d4c7e8
SHA1: aec7fcac0f7296c801a2d3ac7abfb66b3f546a77
SHA256: 624d8e20fef6169ef8909f5eaac6a3f002db4b565562cabb81ef850084d008f0
SHA512: 339c367aff5c054f6d3590da8b11bcd8503838dfd36accce5be1197054e78b3a0e6d78879dded4ed0ba4092dae2d1378290c82268097f121d0cef8391d72f65b
Ssdeep: 12288:ywyC+DeQ+m+Jf+m+m+m+m+m+f4w+UW+m+m+m+CM7GQl+m+XQef+pM+m+m+m+m+mw:M9ecSMy+lPnuU

b855ac2a97211c65_cftmon.exe

Name: b855ac2a97211c65_cftmon.exe
Size: 1.2 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 464c5c6d853b5162935772393ac0b9a5
SHA1: 4783ecbacee3244fe1da40270ae34209ec119292
SHA256: b855ac2a97211c6502491c65714392b7f3bef4ef865008ecdc8415ea3d51c92f
SHA512: 4ed18df1de5d0a92ccd046720293458550fb8590d4b2fdf13607ad7dad3d97f1ffc1eb0644b9101b07d2b870d54769e6c200f3ae9ec6183891040815f40d1bc2
Ssdeep: 12288:ywyC+DeQ+m+Jf+m+m+m+m+m+f4w+UW+m+m+m+CM7GQl+m+XQef+pM+m+m+m+m+mi:M9ecSMy+lPnusM8

Network

DNS Requests

Domain	IP Address	Destination Location
hq-pharma.org	18.215.128.143	US

HTTP Requests

http://124.217.253.6/~statis00/load/?&v=up

GET /~statis00/load/?&v=up HTTP/1.1
User-Agent: _
Host: 124.217.253.6

http://hq-pharma.org/manda.php?id=-930381926&v=up

GET /manda.php?id=-930381926&v=up HTTP/1.1
User-Agent: _
Host: hq-pharma.org

Hosts Involved

IP Address	Country of Origin
124.217.253.6	MY
52.4.209.250	US

Geolocation

Destination Country

US:: 67%
MY:: 33%

File

Type

PE32 executable (GUI) Intel 80386, for MS Windows

CRC32

F517A71C

MD5

69edba7af093360837d456b55af6fb64

SHA1

5138bea7efddc90183a2549f2c3136c13a1e3b78

SHA256

289477f12b10e6b770b40d4c0fb028b1af46b295a91030793c7188abe9774d0b

SHA512

1ff9373a9254d636e78da56515db0924ecbde7f58fb80856c153a96c4ef81aba24ac1eaa5eae4f65520cf0c1d845819d82dd2b3a21dd8fb3ce91f1e33a28a6f2

Ssdeep

12288:ywyC+DeQ+m+Jf+m+m+m+m+m+f4w+UW+m+m+m+CM7GQl+m+XQef+pM+m+m+m+m+mj:M9ecSMy+lPnuv

PEiD

Armadillo v1.71

Screenshots

Behavior Summary

File-Written

C:\Users\Virtual\Local Settings\Application Data\cftmon.exe
C:\Windows\System32\drivers\spools.exe

File-Opened

C:\
C:\Users\Virtual\Local Settings\Application Data\cftmon.exe
C:\Windows\System32\drivers\spools.exe

File-Copied

C:\Users\Virtual\AppData\Local\Temp\289477f12b10e6b770b40d4c0fb028b1af46b295a91030793c7188abe9774d0b.exe -> C:\Users\Virtual\Local Settings\Application Data\cftmon.exe
C:\Users\Virtual\AppData\Local\Temp\289477f12b10e6b770b40d4c0fb028b1af46b295a91030793c7188abe9774d0b.exe -> C:\Windows\System32\drivers\spools.exe

Network-Resolves URL

Virtual-PC
wpad

Network-Fetches URL

http://124.217.253.6/~statis00/load/?&v=up
http://hq-pharma.org/manda.php?id=-930381926&v=up

Directory-Enumerated

C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Users\Virtual\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Users\Virtual\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Windows\System32\ras\*.pbk

Registry Key-Opened

HKEY_CLASSES_ROOT\^gzgdkng^qjgnn^mrgl^amooclf^
HKEY_CURRENT_USER\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_CURRENT_USER\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_CURRENT_USER\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_CURRENT_USER\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_CURRENT_USER\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_CURRENT_USER\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-ae-97-44
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\52-54-00-ae-97-44
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\RASAPI32
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\RASMANCS
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3131157199-1995805048-2727015567-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

Registry Key-Read

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadDecisionTime
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3131157199-1995805048-2727015567-1000\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags

Registry Key-Written

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-ae-97-44\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-ae-97-44\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-ae-97-44\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\autoload
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ntuser
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath
\(Default)

Mutex-Accessed

IESQMMUTEX_0_208

Processes

Process Name

PID

Parent PID

289477f12b10e6b770b40d4c0fb028b1af46b295a91030793c7188abe9774d0b.exe 816 776

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1591679825.07	2	LdrLoadDll	module_name: "advapi32.dll" basename: "advapi32" stack_pivoted: 0 flags: 0 module_address: "0x77c60000"	Status SUCCESS
1591679825.07	8	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd71222" function_name: "GetProcAddress" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1591679825.09		GetSystemTimeAsFileTime		Status SUCCESS
1591679825.09		RegOpenKeyExA	regkey_r: "SYSTEM\CurrentControlSet\Services\crypt32" base_handle: "0x80000002" key_handle: "0x00000064" options: 0 access: "0x00020019" regkey: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32"	Status SUCCESS
1591679825.09		RegQueryValueExA	key_handle: "0x00000064" regkey_r: "DebugHeapFlags" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags"	Return Value 2 Status FAILURE
1591679825.09		RegCloseKey	key_handle: "0x00000064"	Status SUCCESS
1591679825.09		RegOpenKeyExA	regkey_r: "Software\Microsoft\Windows\CurrentVersion\Internet Settings" base_handle: "0x80000002" key_handle: "0x00000064" options: 0 access: "0x00000001" regkey: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings"	Status SUCCESS
1591679825.09		RegQueryValueExA	key_handle: "0x00000064" regkey_r: "DisableImprovedZoneCheck" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck"	Return Value 2 Status FAILURE
1591679825.09		RegCloseKey	key_handle: "0x00000064"	Status SUCCESS
1591679825.09		RegOpenKeyExW	regkey_r: "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" base_handle: "0x80000002" key_handle: "0x00000064" options: 0 access: "0x00000001" regkey: "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"	Status SUCCESS

Showing 1 to 10 of 469 entries

Previous1 2 3 4 5…47Next

Classification

Indicators

Yara

Static Analysis

Sections

Imports

Library KERNEL32.dll:

Library WS2_32.dll:

Library USER32.dll:

Library MSVCRT.dll:

Strings

Dropped Files

624d8e20fef6169e_spools.exe

b855ac2a97211c65_cftmon.exe

Network

DNS Requests

HTTP Requests

http://124.217.253.6/~statis00/load/?&v=up

http://hq-pharma.org/manda.php?id=-930381926&v=up

Hosts Involved

Geolocation

Destination Country

File

Screenshots

Behavior Summary

File-Written

File-Opened

File-Copied

Network-Resolves URL

Network-Fetches URL

Directory-Enumerated

Registry Key-Opened

Registry Key-Read

Registry Key-Written

Mutex-Accessed

Processes

289477f12b10e6b770b40d4c0fb028b1af46b295a91030793c7188abe9774d0b.exe816776

289477f12b10e6b770b40d4c0fb028b1af46b295a91030793c7188abe9774d0b.exe 816 776