TIME | 2015-12-03 09:53:23 |
---|---|
MD5 | 83780e63f48cb21bea3e734857892bc1 |
SHA256 | b919b61737aad351b5b5842780bdb71ba2ace45b6e4bcea136b09f90461f5ae7 |
FILETYPE | pe |
ALERT | True |
LEVEL | HIGH |
CONFIDENCE | 403 |
OTHER REPORTS | [Virustotal] [ThreatExpert] [FireEye] |
STARTED | COMPLETED | DURATION |
---|---|---|
2015-12-03 10:04:40 | 2015-12-03 10:04:48 | 0:00:08 |
TIME | SOURCE | FILENAME | URL |
---|---|---|---|
2015-12-03 09:53:23 | 192.168.7.15 | 83780e63f48cb21bea3e734857892bc1.kaf | |
----------Parsing Warnings----------
Error parsing the import directory. Invalid Import data at RVA: 0xbb10 ('Invalid Import Table information. Both ILT and IAT appear to be broken.')

----------DOS_HEADER----------
[IMAGE_DOS_HEADER]
0x0 0x0 e_magic: 0x5A4D
0x2 0x2 e_cblp: 0x90
0x4 0x4 e_cp: 0x3
0x6 0x6 e_crlc: 0x0
0x8 0x8 e_cparhdr: 0x4
0xA 0xA e_minalloc: 0x0
0xC 0xC e_maxalloc: 0xFFFF
0xE 0xE e_ss: 0x0
0x10 0x10 e_sp: 0xB8
0x12 0x12 e_csum: 0x0
0x14 0x14 e_ip: 0x0
0x16 0x16 e_cs: 0x0
0x18 0x18 e_lfarlc: 0x40
0x1A 0x1A e_ovno: 0x0
0x1C 0x1C e_res:
0x24 0x24 e_oemid: 0x0
0x26 0x26 e_oeminfo: 0x0
0x28 0x28 e_res2:
0x3C 0x3C e_lfanew: 0xB8

----------NT_HEADERS----------
[IMAGE_NT_HEADERS]
0xB8 0x0 Signature: 0x4550

----------FILE_HEADER----------
[IMAGE_FILE_HEADER]
0xBC 0x0 Machine: 0x14C
0xBE 0x2 NumberOfSections: 0x3
0xC0 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC4 0x8 PointerToSymbolTable: 0x0
0xC8 0xC NumberOfSymbols: 0x0
0xCC 0x10 SizeOfOptionalHeader: 0xE0
0xCE 0x12 Characteristics: 0x10F
Flags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED

----------OPTIONAL_HEADER----------
[IMAGE_OPTIONAL_HEADER]
0xD0 0x0 Magic: 0x10B
0xD2 0x2 MajorLinkerVersion: 0x6
0xD3 0x3 MinorLinkerVersion: 0x0
0xD4 0x4 SizeOfCode: 0xB000
0xD8 0x8 SizeOfInitializedData: 0x5000
0xDC 0xC SizeOfUninitializedData: 0x0
0xE0 0x10 AddressOfEntryPoint: 0x1100
0xE4 0x14 BaseOfCode: 0x1000
0xE8 0x18 BaseOfData: 0xC000
0xEC 0x1C ImageBase: 0x400000
0xF0 0x20 SectionAlignment: 0x1000
0xF4 0x24 FileAlignment: 0x1000
0xF8 0x28 MajorOperatingSystemVersion: 0x4
0xFA 0x2A MinorOperatingSystemVersion: 0x0
0xFC 0x2C MajorImageVersion: 0x9
0xFE 0x2E MinorImageVersion: 0x0
0x100 0x30 MajorSubsystemVersion: 0x4
0x102 0x32 MinorSubsystemVersion: 0x0
0x104 0x34 Reserved1: 0x0
0x108 0x38 SizeOfImage: 0x11000
0x10C 0x3C SizeOfHeaders: 0x1000
0x110 0x40 CheckSum: 0x10088
0x114 0x44 Subsystem: 0x2
0x116 0x46 DllCharacteristics: 0x0
0x118 0x48 SizeOfStackReserve: 0x100000
0x11C 0x4C SizeOfStackCommit: 0x1000
0x120 0x50 SizeOfHeapReserve: 0x100000
0x124 0x54 SizeOfHeapCommit: 0x1000
0x128 0x58 LoaderFlags: 0x0
0x12C 0x5C NumberOfRvaAndSizes: 0x10
DllCharacteristics:

----------PE Sections----------
[IMAGE_SECTION_HEADER]
0x1B0 0x0 Name: .text
0x1B8 0x8 Misc: 0xAC3C
0x1B8 0x8 Misc_PhysicalAddress: 0xAC3C
0x1B8 0x8 Misc_VirtualSize: 0xAC3C
0x1BC 0xC VirtualAddress: 0x1000
0x1C0 0x10 SizeOfRawData: 0xB000
0x1C4 0x14 PointerToRawData: 0x1000
0x1C8 0x18 PointerToRelocations: 0x0
0x1CC 0x1C PointerToLinenumbers: 0x0
0x1D0 0x20 NumberOfRelocations: 0x0
0x1D2 0x22 NumberOfLinenumbers: 0x0
0x1D4 0x24 Characteristics: 0x60000020
Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy: 4.847022 (Min=0.0, Max=8.0)
MD5 hash: f6a162f5383bb7335bcb7a415129f1e4
SHA-1 hash: 428fae97b7cf85506c0713d18b2caf7e8009b330
SHA-256 hash: 5283b42ff44e8056a2c94df2e63847aaa1206b6f0fa9c8af737e3f2bb7f50100
SHA-512 hash: d3f974e05a52e57ee6fab85cf5967e8c44cd03cd24b27041dc6215e771088a2e58a2a9c1f363e0a53d6102040f96ccfd7b95d3448c708cb89ac16b48d50c5bd2

[IMAGE_SECTION_HEADER]
0x1D8 0x0 Name: .data
0x1E0 0x8 Misc: 0x1E44
0x1E0 0x8 Misc_PhysicalAddress: 0x1E44
0x1E0 0x8 Misc_VirtualSize: 0x1E44
0x1E4 0xC VirtualAddress: 0xC000
0x1E8 0x10 SizeOfRawData: 0x0
0x1EC 0x14 PointerToRawData: 0x0
0x1F0 0x18 PointerToRelocations: 0x0
0x1F4 0x1C PointerToLinenumbers: 0x0
0x1F8 0x20 NumberOfRelocations: 0x0
0x1FA 0x22 NumberOfLinenumbers: 0x0
0x1FC 0x24 Characteristics: 0xC0000040
Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 0.000000 (Min=0.0, Max=8.0)
MD5 hash: d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA-256 hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA-512 hash: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

[IMAGE_SECTION_HEADER]
0x200 0x0 Name: .rsrc
0x208 0x8 Misc: 0x2B6C
0x208 0x8 Misc_PhysicalAddress: 0x2B6C
0x208 0x8 Misc_VirtualSize: 0x2B6C
0x20C 0xC VirtualAddress: 0xE000
0x210 0x10 SizeOfRawData: 0x3000
0x214 0x14 PointerToRawData: 0xC000
0x218 0x18 PointerToRelocations: 0x0
0x21C 0x1C PointerToLinenumbers: 0x0
0x220 0x20 NumberOfRelocations: 0x0
0x222 0x22 NumberOfLinenumbers: 0x0
0x224 0x24 Characteristics: 0x40000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 3.929374 (Min=0.0, Max=8.0)
MD5 hash: c6f3496ca6eae236d1babe2d9e079197
SHA-1 hash: 9cedcefd3427f1f0ab16a3e7464a91f1bed939d4
SHA-256 hash: f76514e8a95cec7a317fca3504de15b1b104b790f9a9d4c82f833059a1d0de76
SHA-512 hash: 0c5a288cbfed4bf435d5fca67edebc883031ecfb74603e656c19489eb5cc78c905aff24bd6ae647c1b36b974d51877d75e0dd98b6bbad8da06f021a9f57be8a7

----------Directories----------
[IMAGE_DIRECTORY_ENTRY_EXPORT]
0x130 0x0 VirtualAddress: 0x0
0x134 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IMPORT]
0x138 0x0 VirtualAddress: 0xBAD4
0x13C 0x4 Size: 0x3C
[IMAGE_DIRECTORY_ENTRY_RESOURCE]
0x140 0x0 VirtualAddress: 0xE000
0x144 0x4 Size: 0x2B6C
[IMAGE_DIRECTORY_ENTRY_EXCEPTION]
0x148 0x0 VirtualAddress: 0x0
0x14C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_SECURITY]
0x150 0x0 VirtualAddress: 0x0
0x154 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BASERELOC]
0x158 0x0 VirtualAddress: 0x0
0x15C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_DEBUG]
0x160 0x0 VirtualAddress: 0x0
0x164 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COPYRIGHT]
0x168 0x0 VirtualAddress: 0x0
0x16C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]
0x170 0x0 VirtualAddress: 0x0
0x174 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_TLS]
0x178 0x0 VirtualAddress: 0x0
0x17C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
0x180 0x0 VirtualAddress: 0x0
0x184 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
0x188 0x0 VirtualAddress: 0x228
0x18C 0x4 Size: 0x34
[IMAGE_DIRECTORY_ENTRY_IAT]
0x190 0x0 VirtualAddress: 0x1000
0x194 0x4 Size: 0x68
[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]
0x198 0x0 VirtualAddress: 0x0
0x19C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
0x1A0 0x0 VirtualAddress: 0x0
0x1A4 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_RESERVED]
0x1A8 0x0 VirtualAddress: 0x0
0x1AC 0x4 Size: 0x0

----------Version Information----------
[VS_VERSIONINFO]
0xC1E0 0x0 Length: 0x200
0xC1E2 0x2 ValueLength: 0x34
0xC1E4 0x4 Type: 0x0
[VS_FIXEDFILEINFO]
0xC208 0x0 Signature: 0xFEEF04BD
0xC20C 0x4 StrucVersion: 0x10000
0xC210 0x8 FileVersionMS: 0x90000
0xC214 0xC FileVersionLS: 0x0
0xC218 0x10 ProductVersionMS: 0x90000
0xC21C 0x14 ProductVersionLS: 0x0
0xC220 0x18 FileFlagsMask: 0x0
0xC224 0x1C FileFlags: 0x0
0xC228 0x20 FileOS: 0x4
0xC22C 0x24 FileType: 0x1
0xC230 0x28 FileSubtype: 0x0
0xC234 0x2C FileDateMS: 0x0
0xC238 0x30 FileDateLS: 0x0
[VarFileInfo]
0xC23C 0x0 Length: 0x44
0xC23E 0x2 ValueLength: 0x0
0xC240 0x4 Type: 0x0
[Var]
0xC25C 0x0 Length: 0x24
0xC25E 0x2 ValueLength: 0x4
0xC260 0x4 Type: 0x0
Translation: 0x0409 0x04b0
[StringFileInfo]
0xC280 0x0 Length: 0x160
0xC282 0x2 ValueLength: 0x0
0xC284 0x4 Type: 0x1
[StringTable]
0xC2A4 0x0 Length: 0x13C
0xC2A6 0x2 ValueLength: 0x0
0xC2A8 0x4 Type: 0x1
LangID: 040904B0
InternalName: 4
FileVersion: 9.00
CompanyName: loplkjyhtg
ProductName: njuhgtrfdc\x505
ProductVersion: 9.00
OriginalFilename: 4.exe

----------Imported symbols----------
[IMAGE_IMPORT_DESCRIPTOR]
0xBAD4 0x0 OriginalFirstThunk: 0xBB10
0xBAD4 0x0 Characteristics: 0xBB10
0xBAD8 0x4 TimeDateStamp: 0xFFFFFFFF [Sun Feb 7 06:28:15 2106 UTC]
0xBADC 0x8 ForwarderChain: 0xFFFFFFFF
0xBAE0 0xC Name: 0xBB86
0xBAE4 0x10 FirstThunk: 0x1000
KERNEL32.DLL.SetErrorMode Hint[0] Bound: 0x7DD731F2
KERNEL32.DLL.SetFileAttributesA Hint[0] Bound: 0x7DD8DC4E

[IMAGE_IMPORT_DESCRIPTOR]
0xBAE8 0x0 OriginalFirstThunk: 0xBB1C
0xBAE8 0x0 Characteristics: 0xBB1C
0xBAEC 0x4 TimeDateStamp: 0xFFFFFFFF [Sun Feb 7 06:28:15 2106 UTC]
0xBAF0 0x8 ForwarderChain: 0xFFFFFFFF
0xBAF4 0xC Name: 0xBB78
0xBAF8 0x10 FirstThunk: 0x100C
MSVBVM60.DLL Ordinal[585] (Imported by Ordinal) Bound: 0x72A1CC01
MSVBVM60.DLL Ordinal[586] (Imported by Ordinal) Bound: 0x72A1CC0C
MSVBVM60.DLL Ordinal[587] (Imported by Ordinal) Bound: 0x72A1CC4D
MSVBVM60.DLL Ordinal[516] (Imported by Ordinal) Bound: 0x72A270B7
MSVBVM60.DLL Ordinal[556] (Imported by Ordinal) Bound: 0x72A1C89D
MSVBVM60.DLL Ordinal[598] (Imported by Ordinal) Bound: 0x72A0E0F7
MSVBVM60.DLL Ordinal[631] (Imported by Ordinal) Bound: 0x72A26FE2
MSVBVM60.DLL Ordinal[632] (Imported by Ordinal) Bound: 0x72A2702F
MSVBVM60.DLL.EVENT_SINK_AddRef Hint[0] Bound: 0x72A09B74
MSVBVM60.DLL.DllFunctionCall Hint[0] Bound: 0x7294A0FD
MSVBVM60.DLL.EVENT_SINK_Release Hint[0] Bound: 0x72A09B87
MSVBVM60.DLL.EVENT_SINK_QueryInterface Hint[0] Bound: 0x72A09A85
MSVBVM60.DLL.__vbaExceptHandler Hint[0] Bound: 0x72A247DF
MSVBVM60.DLL Ordinal[608] (Imported by Ordinal) Bound: 0x72A20F56
MSVBVM60.DLL Ordinal[717] (Imported by Ordinal) Bound: 0x72A28FE9
MSVBVM60.DLL.ProcCallEngine Hint[0] Bound: 0x72A3D05D
MSVBVM60.DLL Ordinal[535] (Imported by Ordinal) Bound: 0x72A1C85D
MSVBVM60.DLL Ordinal[644] (Imported by Ordinal) Bound: 0x72A1DE99
MSVBVM60.DLL Ordinal[578] (Imported by Ordinal) Bound: 0x72A161F8
MSVBVM60.DLL Ordinal[100] (Imported by Ordinal) Bound: 0x729435A4
MSVBVM60.DLL Ordinal[616] (Imported by Ordinal) Bound: 0x72A26D9A
MSVBVM60.DLL Ordinal[543] (Imported by Ordinal) Bound: 0x72A11C50

----------Bound imports----------
[IMAGE_BOUND_IMPORT_DESCRIPTOR]
0x228 0x0 TimeDateStamp: 0x4A5BDBDE [Tue Jul 14 01:14:06 2009 UTC]
0x22C 0x4 OffsetModuleName: 0x18
0x22E 0x6 NumberOfModuleForwarderRefs: 0x0
DLL: KERNEL32.DLL
[IMAGE_BOUND_IMPORT_DESCRIPTOR]
0x230 0x0 TimeDateStamp: 0x4A5BDA6C [Tue Jul 14 01:07:56 2009 UTC]
0x234 0x4 OffsetModuleName: 0x25
0x236 0x6 NumberOfModuleForwarderRefs: 0x0
DLL: MSVBVM60.DLL

----------Resource directory----------
[IMAGE_RESOURCE_DIRECTORY]
0xC000 0x0 Characteristics: 0x0
0xC004 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC008 0x8 MajorVersion: 0xA754
0xC00A 0xA MinorVersion: 0x0
0xC00C 0xC NumberOfNamedEntries: 0x0
0xC00E 0xE NumberOfIdEntries: 0x3
Id: [0x503] (-)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC010 0x0 Name: 0x50503
0xC014 0x4 OffsetToData: 0x80000058
[IMAGE_RESOURCE_DIRECTORY]
0xC058 0x0 Characteristics: 0x0
0xC05C 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC060 0x8 MajorVersion: 0xA754
0xC062 0xA MinorVersion: 0x0
0xC064 0xC NumberOfNamedEntries: 0x0
0xC066 0xE NumberOfIdEntries: 0x6
Id: [0x7531]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC068 0x0 Name: 0x7531
0xC06C 0x4 OffsetToData: 0x80000140
[IMAGE_RESOURCE_DIRECTORY]
0xC140 0x0 Characteristics: 0x0
0xC144 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC148 0x8 MajorVersion: 0xA754
0xC14A 0xA MinorVersion: 0x0
0xC14C 0xC NumberOfNamedEntries: 0x0
0xC14E 0xE NumberOfIdEntries: 0x1
\--- LANG [0,0][LANG_NEUTRAL,SUBLANG_NEUTRAL]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC150 0x0 Name: 0x0
0xC154 0x4 OffsetToData: 0x1C8
[IMAGE_RESOURCE_DATA_ENTRY]
0xC1C8 0x0 OffsetToData: 0x10884
0xC1CC 0x4 Size: 0x2E8
0xC1D0 0x8 CodePage: 0x4B0
0xC1D4 0xC Reserved: 0x0
Id: [0x7532]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC070 0x0 Name: 0x7532
0xC074 0x4 OffsetToData: 0x80000128
[IMAGE_RESOURCE_DIRECTORY]
0xC128 0x0 Characteristics: 0x0
0xC12C 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC130 0x8 MajorVersion: 0xA754
0xC132 0xA MinorVersion: 0x0
0xC134 0xC NumberOfNamedEntries: 0x0
0xC136 0xE NumberOfIdEntries: 0x1
\--- LANG [0,0][LANG_NEUTRAL,SUBLANG_NEUTRAL]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC138 0x0 Name: 0x0
0xC13C 0x4 OffsetToData: 0x1B8
[IMAGE_RESOURCE_DATA_ENTRY]
0xC1B8 0x0 OffsetToData: 0xFFDC
0xC1BC 0x4 Size: 0x8A8
0xC1C0 0x8 CodePage: 0x4B0
0xC1C4 0xC Reserved: 0x0
Id: [0x7533]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC078 0x0 Name: 0x7533
0xC07C 0x4 OffsetToData: 0x80000110
[IMAGE_RESOURCE_DIRECTORY]
0xC110 0x0 Characteristics: 0x0
0xC114 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC118 0x8 MajorVersion: 0xA754
0xC11A 0xA MinorVersion: 0x0
0xC11C 0xC NumberOfNamedEntries: 0x0
0xC11E 0xE NumberOfIdEntries: 0x1
\--- LANG [0,0][LANG_NEUTRAL,SUBLANG_NEUTRAL]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC120 0x0 Name: 0x0
0xC124 0x4 OffsetToData: 0x1A8
[IMAGE_RESOURCE_DATA_ENTRY]
0xC1A8 0x0 OffsetToData: 0xFEB4
0xC1AC 0x4 Size: 0x128
0xC1B0 0x8 CodePage: 0x4B0
0xC1B4 0xC Reserved: 0x0
Id: [0x7534]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC080 0x0 Name: 0x7534
0xC084 0x4 OffsetToData: 0x800000F8
[IMAGE_RESOURCE_DIRECTORY]
0xC0F8 0x0 Characteristics: 0x0
0xC0FC 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC100 0x8 MajorVersion: 0xA754
0xC102 0xA MinorVersion: 0x0
0xC104 0xC NumberOfNamedEntries: 0x0
0xC106 0xE NumberOfIdEntries: 0x1
\--- LANG [0,0][LANG_NEUTRAL,SUBLANG_NEUTRAL]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC108 0x0 Name: 0x0
0xC10C 0x4 OffsetToData: 0x198
[IMAGE_RESOURCE_DATA_ENTRY]
0xC198 0x0 OffsetToData: 0xF00C
0xC19C 0x4 Size: 0xEA8
0xC1A0 0x8 CodePage: 0x4B0
0xC1A4 0xC Reserved: 0x0
Id: [0x7535]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC088 0x0 Name: 0x7535
0xC08C 0x4 OffsetToData: 0x800000E0
[IMAGE_RESOURCE_DIRECTORY]
0xC0E0 0x0 Characteristics: 0x0
0xC0E4 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC0E8 0x8 MajorVersion: 0xA754
0xC0EA 0xA MinorVersion: 0x0
0xC0EC 0xC NumberOfNamedEntries: 0x0
0xC0EE 0xE NumberOfIdEntries: 0x1
\--- LANG [0,0][LANG_NEUTRAL,SUBLANG_NEUTRAL]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC0F0 0x0 Name: 0x0
0xC0F4 0x4 OffsetToData: 0x188
[IMAGE_RESOURCE_DATA_ENTRY]
0xC188 0x0 OffsetToData: 0xE9A4
0xC18C 0x4 Size: 0x668
0xC190 0x8 CodePage: 0x4B0
0xC194 0xC Reserved: 0x0
Id: [0x7536]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC090 0x0 Name: 0x7536
0xC094 0x4 OffsetToData: 0x800000C8
[IMAGE_RESOURCE_DIRECTORY]
0xC0C8 0x0 Characteristics: 0x0
0xC0CC 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC0D0 0x8 MajorVersion: 0xA754
0xC0D2 0xA MinorVersion: 0x0
0xC0D4 0xC NumberOfNamedEntries: 0x0
0xC0D6 0xE NumberOfIdEntries: 0x1
\--- LANG [0,0][LANG_NEUTRAL,SUBLANG_NEUTRAL]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC0D8 0x0 Name: 0x0
0xC0DC 0x4 OffsetToData: 0x178
[IMAGE_RESOURCE_DATA_ENTRY]
0xC178 0x0 OffsetToData: 0xE43C
0xC17C 0x4 Size: 0x568
0xC180 0x8 CodePage: 0x4B0
0xC184 0xC Reserved: 0x0
Id: [0xE] (RT_GROUP_ICON)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC018 0x0 Name: 0xE
0xC01C 0x4 OffsetToData: 0x80000040
[IMAGE_RESOURCE_DIRECTORY]
0xC040 0x0 Characteristics: 0x0
0xC044 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC048 0x8 MajorVersion: 0xA754
0xC04A 0xA MinorVersion: 0x0
0xC04C 0xC NumberOfNamedEntries: 0x0
0xC04E 0xE NumberOfIdEntries: 0x1
Id: [0x1]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC050 0x0 Name: 0x1
0xC054 0x4 OffsetToData: 0x800000B0
[IMAGE_RESOURCE_DIRECTORY]
0xC0B0 0x0 Characteristics: 0x0
0xC0B4 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC0B8 0x8 MajorVersion: 0xA754
0xC0BA 0xA MinorVersion: 0x0
0xC0BC 0xC NumberOfNamedEntries: 0x0
0xC0BE 0xE NumberOfIdEntries: 0x1
\--- LANG [0,0][LANG_NEUTRAL,SUBLANG_NEUTRAL]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC0C0 0x0 Name: 0x0
0xC0C4 0x4 OffsetToData: 0x168
[IMAGE_RESOURCE_DATA_ENTRY]
0xC168 0x0 OffsetToData: 0xE3E0
0xC16C 0x4 Size: 0x5C
0xC170 0x8 CodePage: 0x4B0
0xC174 0xC Reserved: 0x0
Id: [0x10] (RT_VERSION)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC020 0x0 Name: 0x10
0xC024 0x4 OffsetToData: 0x80000028
[IMAGE_RESOURCE_DIRECTORY]
0xC028 0x0 Characteristics: 0x0
0xC02C 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC030 0x8 MajorVersion: 0xA754
0xC032 0xA MinorVersion: 0x0
0xC034 0xC NumberOfNamedEntries: 0x0
0xC036 0xE NumberOfIdEntries: 0x1
Id: [0x1]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC038 0x0 Name: 0x1
0xC03C 0x4 OffsetToData: 0x80000098
[IMAGE_RESOURCE_DIRECTORY]
0xC098 0x0 Characteristics: 0x0
0xC09C 0x4 TimeDateStamp: 0x54C56891 [Sun Jan 25 22:05:05 2015 UTC]
0xC0A0 0x8 MajorVersion: 0xA754
0xC0A2 0xA MinorVersion: 0x0
0xC0A4 0xC NumberOfNamedEntries: 0x0
0xC0A6 0xE NumberOfIdEntries: 0x1
\--- LANG [9,1][LANG_ENGLISH,SUBLANG_ENGLISH_US]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
0xC0A8 0x0 Name: 0x409
0xC0AC 0x4 OffsetToData: 0x158
[IMAGE_RESOURCE_DATA_ENTRY]
0xC158 0x0 OffsetToData: 0xE1E0
0xC15C 0x4 Size: 0x200
0xC160 0x8 CodePage: 0x4B0
0xC164 0xC Reserved: 0x0
check_hide_file - Checks for setting the hidden file attribute.
\Device\HarddiskVolume1\WINDOWS\explorer.exe
SetInformationFile
\Device\HarddiskVolume1\Documents and Settings\sys\Application Data\Microsoft\{47410F40-4DD8-44C6-B2D3-FE2213A135AE}\e71274c5.exe
injection_run - Checks process injection behavior (accurate).
\Device\HarddiskVolume1\Kingfisher\Kingfisher_83780e63f48cb21bea3e734857892bc1.exe
ProcessInjection
4198400
100352
\Device\HarddiskVolume1\Kingfisher\Kingfisher_83780e63f48cb21bea3e734857892bc1.exe
injection_data - Allocates executable memory in foreign processes.
\Device\HarddiskVolume1\Kingfisher\Kingfisher_83780e63f48cb21bea3e734857892bc1.exe
64
1936
\Device\HarddiskVolume1\Kingfisher\Kingfisher_83780e63f48cb21bea3e734857892bc1.exe
injection_data - Injects a PE file into foreign processes.
Binary('\xb8\xe0\x02\x00~\xe0\x02\x00h\xe0\x02\x00N\xe0\x02\x002\xe0\x02\x00\x1a\xe0\x02\x00\x10\xe0\x02\x00\xfc\xdf\x02\x00\xe4\xdf\x02\x00\xcc\xdf\x02\x00\xd8\xe0\x02\x00\xee\xe0\x02\x00\xfe\xe0\x02\x00\x9a\xe0\x02\x00\x16\xe1\x02\x00\x00\x00\x00\x00T\xe2\x02\x00F\xe2\x02\x004\xe2\x02\x00\x1a\xe2\
\Device\HarddiskVolume1\Kingfisher\Kingfisher_83780e63f48cb21bea3e734857892bc1.exe
\Device\HarddiskVolume1\Kingfisher\Kingfisher_83780e63f48cb21bea3e734857892bc1.exe
BCDDA
1936
82944
check_listen_high_port - System process has been listening on a port.
\Device\HarddiskVolume1\WINDOWS\explorer.exe
TCP: 32767
\Device\HarddiskVolume1\WINDOWS\explorer.exe
TCP: 32768
sys_proc_connect_network - System process connects to network (likely due to code injection or exploit).
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
[u'10.0.2.3:53']
\Device\HarddiskVolume1\WINDOWS\explorer.exe
[u'23.253.126.58:80']
benign_process_drops_pe - Benign Windows process drops PE files.
\Device\HarddiskVolume1\WINDOWS\explorer.exe
CreateFile
\??\C:\WINDOWS\system32\ntdll.dll
\Device\HarddiskVolume1\WINDOWS\explorer.exe
CreateFile
\??\C:\Documents and Settings\sys\Application Data\Microsoft\{47410F40-4DD8-44C6-B2D3-FE2213A135AE}\e71274c5.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
CreateFile
\??\C:\WINDOWS\System32\wininet.dll
injection_data - Injects data into foreign processes.
\Device\HarddiskVolume1\Kingfisher\Kingfisher_83780e63f48cb21bea3e734857892bc1.exe
84
\Device\HarddiskVolume1\WINDOWS\explorer.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
232
System
\Device\HarddiskVolume1\WINDOWS\explorer.exe
228
\Device\HarddiskVolume1\WINDOWS\system32\smss.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
240
\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
236
\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
244
\Device\HarddiskVolume1\WINDOWS\system32\services.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
248
\Device\HarddiskVolume1\WINDOWS\system32\lsass.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
252
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
256
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
260
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
264
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
268
\Device\HarddiskVolume1\WINDOWS\explorer.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
272
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
276
\Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
280
\Device\HarddiskVolume1\WINDOWS\system32\alg.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
284
\Device\HarddiskVolume1\WINDOWS\system32\wscntfy.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
288
\Device\HarddiskVolume1\WINDOWS\system32\conime.exe
injection_data - Injects encryption data into foreign processes.
Binary('\xe9K\x00\x00\x00\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xba\x04\x01\x00\x003\xc08\x01t\x0cA\x83\xea\x01u\xf6\xb8W\x00\x07\x80\xc3\x85\xd2u\x05\xb8W\x00\x07\x80\xc3\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc3\xc0\xc3\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xccVW
\Device\HarddiskVolume1\Kingfisher\Kingfisher_83780e63f48cb21bea3e734857892bc1.exe
\Device\HarddiskVolume1\Kingfisher\Kingfisher_83780e63f48cb21bea3e734857892bc1.exe
C
1936
100352
Binary('c|w{\xf2ko\xc50\x01g+\xfe\xd7\xabv\xca\x82\xc9}\xfaYG\xf0\xad\xd4\xa2\xaf\x9c\xa4r\xc0\xb7\xfd\x93&6?\xf7\xcc4\xa5\xe5\xf1q\xd81\x15\x04\xc7#\xc3\x18\x96\x05\x9a\x07\x12\x80\xe2\xeb\'\xb2u\t\x83,\x1a\x1bnZ\xa0R;\xd6\xb3)\xe3/\x84S\xd1\x00\xed \xfc\xb1[j\xcb\xbe9JLX\xcf\xd0\xef\xaa\xfbCM3\x85
\Device\HarddiskVolume1\Kingfisher\Kingfisher_83780e63f48cb21bea3e734857892bc1.exe
\Device\HarddiskVolume1\Kingfisher\Kingfisher_83780e63f48cb21bea3e734857892bc1.exe
C
1936
46592
tamper_startup_run - Creates multiple autostart registry keys or startup files.
\Device\HarddiskVolume1\WINDOWS\explorer.exe
2
2
[u'\\REGISTRY\\USER\\S-1-5-21-57989841-117609710-1409082233-1003\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\e71274c5', u'\\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\e71274c5']
tamper_startup_run - Tampers with a Run startup key value in the registry or the Startup folder.
\Device\HarddiskVolume1\WINDOWS\explorer.exe
C:\Documents and Settings\sys\Application Data\Microsoft\{47410F40-4DD8-44C6-B2D3-FE2213A135AE}\e71274c5.exe
\REGISTRY\USER\S-1-5-21-57989841-117609710-1409082233-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\e71274c5
\Device\HarddiskVolume1\WINDOWS\explorer.exe
C:\Documents and Settings\sys\Application Data\Microsoft\{47410F40-4DD8-44C6-B2D3-FE2213A135AE}\e71274c5.exe
\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\e71274c5
security_config - Changes security policy configuration.
\Device\HarddiskVolume1\WINDOWS\explorer.exe
0
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ProxyEnable
\Device\HarddiskVolume1\WINDOWS\explorer.exe
1
\REGISTRY\USER\S-1-5-21-57989841-117609710-1409082233-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\IntranetName
\Device\HarddiskVolume1\WINDOWS\explorer.exe
1
\REGISTRY\USER\S-1-5-21-57989841-117609710-1409082233-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\ProxyBypass
\Device\HarddiskVolume1\WINDOWS\explorer.exe
0
\REGISTRY\USER\S-1-5-21-57989841-117609710-1409082233-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ProxyEnable
\Device\HarddiskVolume1\WINDOWS\explorer.exe
1
\REGISTRY\USER\S-1-5-21-57989841-117609710-1409082233-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\UNCAsIntranet
check_file_sysdir - Checks for file creation in the Windows system directory.
\Device\HarddiskVolume1\WINDOWS\explorer.exe
CreateFile
\??\C:\WINDOWS\system32\ntdll.dll
\Device\HarddiskVolume1\WINDOWS\explorer.exe
CreateFile
\??\C:\WINDOWS\System32\wininet.dll