
Analysis Report

Overview

General Information

Joe Sandbox Version: 19.0.0
Analysis ID: 289272
Start time: 15:37:15
Joe Sandbox Product: Cloud
Start date: 09.06.2017
Overall analysis duration: 0h 6m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: g8F53.tmp.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 (Office 2003 SP3, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • VBA Instrumentation enabled
Detection: MAL
Classification: mal60.evad.adwa.winEXE@1/4@1/2
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 43
  • Number of non-executed functions: 39
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe


Detection

Strategy    Score  Range    Reporting        Detection
Threshold   60     0 - 100  Report FP / FN   malicious


Confidence

Strategy    Score  Range  Further Analysis Required?  Confidence
Threshold   5      0 - 5  false


Classification

Analysis Advice

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, update the analysis machine



Signature Overview



Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\g8F53.tmp.exe | File written: C:\Windows\System32\drivers\etc\hosts

Networking:

Contains functionality to download additional files from the internet
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC44890 LoadLibraryA, LoadLibraryA, GetProcAddress, URLDownloadToFileA, _fread_nolock, DeleteFileA, 0_2_000000013FC44890
Downloads files
Source: C:\g8F53.tmp.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOPT6FQ2
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
    GET /iavs9x/servers.def HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: files.avast.com
    Connection: Keep-Alive
Found strings which match to known social media urls
Source: g8F53.tmp.exe | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: g8F53.tmp.exe | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: g8F53.tmp.exe | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: files.avast.com
Urls found in memory or binary data
Source: g8F53.tmp.exe | String found in binary or memory:
  • file:///c:/users/user/appdata/local/microsoft/windows/temporary%20internet%20files/content.ie5/
  • http://cacerts.digicert.com/digicertassuredidcodesigningca-1.crt0
  • http://cacerts.digicert.com/digicertevcodesigningca-sha2.crt0
  • http://cacerts.digicert.com/digicertevcodesigningca.crt0
  • http://cacerts.digicert.com/digicerthighassurancecodesigningca-1.crt0
  • http://cacerts.digicert.com/digicertsha2assuredidcodesigningca.crt0
  • http://certificates.godaddy.com/repository/0
  • http://certificates.godaddy.com/repository/gd_intermediate.crt0
  • http://certificates.godaddy.com/repository100.
  • http://cj
  • http://crl.com
  • http://crl.comn
  • http://crl.comodo.net/utn-useqr
  • http://crl.comodo.net/utn-userfirst-hardware.crl0q
  • http://crl.comodoca.com
  • http://crl.comodoca.com/comodocodesigningca2.crl0r
  • http://crl.comodoca.com/comodorsaextendedvalidationcodesigningca.crl0
  • http://crl.comodoca.com/utn-userfirst-hardware.crl06
  • http://crl.entrust.net/2048ca.c
  • http://crl.entrust.net/2048ca.crl0
  • http://crl.entrust.net/server1.crl0
  • http://crl.globalsign.com/gs/gscodesigng2.crl0
  • http://crl.globalsign.com/gs/gscodesignsha2g2.crl0
  • http://crl.globalsign.com/gscodesignsha2g3.crl0
  • http://crl.godaddy.com/gds5-16.crl0s
  • http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
  • http://crl.pkioverheid.nl/domovlatestcrl.crl0
  • http://crl3.digicert.com/assured-cs-g1.crl00
  • http://crl3.digicert.com/evcodesigni
  • http://crl3.digicert.com/evcodesigning-g1.crl03
  • http://crl3.digicert.com/evcodesigningsha2-g1.crl07
  • http://crl3.digicert.com/ha-cs-2011a.crl0.
  • http://crl3.digicert.com/sha2-assured-cs-g1.crl05
  • http://crl4.digicert.com/assured-cs-g1.crl0l
  • http://crl4.digicert.com/evcodesigning-g1.crl0k
  • http://crl4.digicert.com/evcodesigningsha2-g1.crl0k
  • http://crl4.digicert.com/ha-cs-2011a.crl0l
  • http://crl4.digicert.com/sha2-assured-cs-g1.crl0b
  • http://crt.como
  • http://crt.comodoca.com/comodocodesigningca2.crt0$
  • http://crt.comodoca.com/comodorsaextendedvalidationcodesigningca.crt0$
  • http://crt.comodoca.com/utnaddt
  • http://crt.comodoca.com/utnaddtrustserverca.crt0$
  • http://cybertrust.omniroot.com/repository.cfm0
  • http://d0211227.iavs5x.u.avast.com/iavs5x
  • http://d0211227.iavs9x.u.avast.com/iavs9x
  • http://d0211227.ivps9tiny.u.avast.com/ivps9tiny
  • http://d0211227.ivps9x.u.avast.com/ivps9x
  • http://d0211227.vpsnitro.u.avast.com/vpsnitro
  • http://d0211227.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://d3116203.iavs5x.u.avast.com/iavs5x
  • http://d3116203.iavs9x.u.avast.com/iavs9x
  • http://d3116203.ivps9tiny.u.avast.com/ivps9tiny
  • http://d3116203.ivps9x.u.avast.com/ivps9x
  • http://d3116203.vpsnitro.u.avast.com/vpsnitro
  • http://d3116203.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://f5136535.iavs5x.u.avast.com/iavs5x
  • http://f5136535.iavs9x.u.avast.com/iavs9x
  • http://f5136535.ivps9tiny.u.avast.com/ivps9tiny
  • http://f5136535.ivps9x.u.avast.com/ivps9x
  • http://f5136535.vpsnitro.u.avast.com/vpsnitro
  • http://f5136535.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://f6761140.iavs5x.u.avast.com/iavs5x
  • http://f6761140.iavs9x.u.avast.com/iavs9x
  • http://f6761140.ivps9tiny.u.avast.com/ivps9tiny
  • http://f6761140.ivps9x.u.avast.com/ivps9x
  • http://f6761140.vpsnitro.u.avast.com/vpsnitro
  • http://f6761140.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://f7031642.iavs5x.u.avast.com/iavs5x
  • http://f7031642.iavs9x.u.avast.com/iavs9x
  • http://f7031642.ivps9tiny.u.avast.com/ivps9tiny
  • http://f7031642.ivps9x.u.avast.com/ivps9x
  • http://f7031642.vpsnitro.u.avast.com/vpsnitro
  • http://f7031642.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://files.avast.com/iavs9x/servers.def
  • http://files.avast.com/iavs9x/servers.def&
  • http://files.avast.com/iavs9x/servers.def011
  • http://files.avast.com/iavs9x/servers.defc:
  • http://files.avast.com/iavs9x/servers.defppc:
  • http://g0511470.iavs5x.u.avast.com/iavs5x
  • http://g0511470.iavs9x.u.avast.com/iavs9x
  • http://g0511470.ivps9tiny.u.avast.com/ivps9tiny
  • http://g0511470.ivps9x.u.avast.com/ivps9x
  • http://g0511470.vpsnitro.u.avast.com/vpsnitro
  • http://g0511470.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://geoip.avast.com/geoip/geoip.php
  • http://gf.tools.avast.com/tools/gf/
  • http://h0637628.iavs5x.u.avast.com/iavs5x
  • http://h0637628.iavs9x.u.avast.com/iavs9x
  • http://h0637628.ivps9tiny.u.avast.com/ivps9tiny
  • http://h0637628.ivps9x.u.avast.com/ivps9x
  • http://h0637628.vpsnitro.u.avast.com/vpsnitro
  • http://h0637628.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://h1874089.iavs5x.u.avast.com/iavs5x
  • http://h1874089.iavs9x.u.avast.com/iavs9x
  • http://h1874089.ivps9tiny.u.avast.com/ivps9tiny
  • http://h1874089.ivps9x.u.avast.com/ivps9x
  • http://h1874089.vpsnitro.u.avast.com/vpsnitro
  • http://h1874089.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://j8087387.iavs5x.u.avast.com/iavs5x
  • http://j8087387.iavs9x.u.avast.com/iavs9x
  • http://j8087387.ivps9tiny.u.avast.com/ivps9tiny
  • http://j8087387.ivps9x.u.avast.com/ivps9x
  • http://j8087387.vpsnitro.u.avast.com/vpsnitro
  • http://j8087387.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://k6375621.iavs5x.u.avast.com/iavs5x
  • http://k6375621.iavs9x.u.avast.com/iavs9x
  • http://k6375621.ivps9tiny.u.avast.com/ivps9tiny
  • http://k6375621.ivps9x.u.avast.com/ivps9x
  • http://k6375621.vpsnitro.u.avast.com/vpsnitro
  • http://k6375621.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://l5978727.iavs5x.u.avast.com/iavs5x
  • http://l5978727.iavs9x.u.avast.com/iavs9x
  • http://l5978727.ivps9tiny.u.avast.com/ivps9tiny
  • http://l5978727.ivps9x.u.avast.com/ivps9x
  • http://l5978727.vpsnitro.u.avast.com/vpsnitro
  • http://l5978727.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://ocsp.comodoc
  • http://ocsp.comodoca.com0
  • http://ocsp.comodoca.com0%
  • http://ocsp.comodoca.com0-
  • http://ocsp.comodoca.com0.
  • http://ocsp.comodoca.com0/
  • http://ocsp.comodoca.com05
  • http://ocsp.digicert.com0c
  • http://ocsp.digicert.com0h
  • http://ocsp.digicert.com0l
  • http://ocsp.digicert.com0n
  • http://ocsp.digicert.com0p
  • http://ocsp.entrust.net03
  • http://ocsp.entrust.net0d
  • http://ocsp.godaddy.com/0j
  • http://ocsp2.globalsign.com/gscodesigng20
  • http://ocsp2.globalsign.com/gscodesignsha2g20
  • http://ocsp2.globalsign.com/gscodesignsha2g30v
  • http://p3713387.iavs5x.u.avast.com/iavs5x
  • http://p3713387.iavs9x.u.avast.com/iavs9x
  • http://p3713387.ivps9tiny.u.avast.com/ivps9tiny
  • http://p3713387.ivps9x.u.avast.com/ivps9x
  • http://p3713387.vpsnitro.u.avast.com/vpsnitro
  • http://p3713387.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://p4085325.iavs5x.u.avast.com/iavs5x
  • http://p4085325.iavs9x.u.avast.com/iavs9x
  • http://p4085325.ivps9tiny.u.avast.com/ivps9tiny
  • http://p4085325.ivps9x.u.avast.com/ivps9x
  • http://p4085325.vpsnitro.u.avast.com/vpsnitro
  • http://p4085325.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://r5525652.iavs5x.u.avast.com/iavs5x
  • http://r5525652.iavs9x.u.avast.com/iavs9x
  • http://r5525652.ivps9tiny.u.avast.com/ivps9tiny
  • http://r5525652.ivps9x.u.avast.com/ivps9x
  • http://r5525652.vpsnitro.u.avast.com/vpsnitro
  • http://r5525652.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://s
  • http://s4705686.iavs5x.u.avast.com/iavs5x
  • http://s4705686.iavs9x.u.avast.com/iavs9x
  • http://s4705686.ivps9tiny.u.avast.com/ivps9tiny
  • http://s4705686.ivps9x.u.avast.com/ivps9x
  • http://s4705686.vpsnitro.u.avast.com/vpsnitro
  • http://s4705686.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://s7284151.iavs5x.u.avast.com/iavs5x
  • http://s7284151.iavs9x.u.avast.com/iavs9x
  • http://s7284151.ivps9tiny.u.avast.com/ivps9tiny
  • http://s7284151.ivps9x.u.avast.com/ivps9x
  • http://s7284151.vpsnitro.u.avast.com/vpsnitro
  • http://s7284151.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://secure.globalsign.com/cacert/gscodesigng2.crt04
  • http://secure.globalsign.com/cacert/gscodesignsha2g2.crt08
  • http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
  • http://sf.symcb.com/sf.crl0a
  • http://sf.symcb.com/sf.crl0f
  • http://sf.symcb.com/sf.crl0w
  • http://sf.symcb.com/sf.crt0
  • http://sf.symcd.com0&
  • http://sm00.avast.com/cgi-bin/iavsup2.cgi
  • http://submit5.avast.com/cgi-bin/submit50.cgi
  • http://sv.symcb.com/sv.crl0a
  • http://sv.symcb.com/sv.crl0f
  • http://sv.symcb.com/sv.crl0w
  • http://sv.symcb.com/sv.crt0
  • http://sv.symcd.com0&
  • http://sw.symcb.com/sw.crl0
  • http://sw.symcb.com/sw.crl0f
  • http://sw.symcd.com0
  • http://sw1.symcb.com/sw.crt0
  • http://t3036159.iavs5x.u.avast.com/iavs5x
  • http://t3036159.iavs9x.u.avast.com/iavs9x
  • http://t3036159.ivps9tiny.u.avast.com/ivps9tiny
  • http://t3036159.ivps9x.u.avast.com/ivps9x
  • http://t3036159.vpsnitro.u.avast.com/vpsnitro
  • http://t3036159.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://t5730298.iavs5x.u.avast.com/iavs5x
  • http://t5730298.iavs9x.u.avast.com/iavs9x
  • http://t5730298.ivps9tiny.u.avast.com/ivps9tiny
  • http://t5730298.ivps9x.u.avast.com/ivps9x
  • http://t5730298.vpsnitro.u.avast.com/vpsnitro
  • http://t5730298.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://v4618535.iavs5x.u.avast.com/iavs5x
  • http://v4618535.iavs9x.u.avast.com/iavs9x
  • http://v4618535.ivps9tiny.u.avast.com/ivps9tiny
  • http://v4618535.ivps9x.u.avast.com/ivps9x
  • http://v4618535.vpsnitro.u.avast.com/vpsnitro
  • http://v4618535.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://v6834318.iavs5x.u.avast.com/iavs5x
  • http://v6834318.iavs9x.u.avast.com/iavs9x
  • http://v6834318.ivps9tiny.u.avast.com/ivps9tiny
  • http://v6834318.ivps9x.u.avast.com/ivps9x
  • http://v6834318.vpsnitro.u.avast.com/vpsnitro
  • http://v6834318.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://v7.stats.avast.com/cgi-bin/iavs4stats.cgi
  • http://v7630928.iavs5x.u.avast.com/iavs5x
  • http://v7630928.iavs9x.u.avast.com/iavs9x
  • http://v7630928.ivps9tiny.u.avast.com/ivps9tiny
  • http://v7630928.ivps9x.u.avast.com/ivps9x
  • http://v7630928.vpsnitro.u.avast.com/vpsnitro
  • http://v7630928.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
  • http://w6607332.iavs5x.u.avast.com/iavs5x
  • http://w6607332.iavs9x.u.avast.com/iavs9x
  • http://w6607332.ivps9tiny.u.avast.com/ivps9tiny
  • http://w6607332.ivps9x.u.avast.com/ivps9x
  • http://w6607332.vpsnitro.u.avast.com/vpsnitro
  • http://w6607332.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://w9448963.iavs5x.u.avast.com/iavs5x
  • http://w9448963.iavs9x.u.avast.com/iavs9x
  • http://w9448963.ivps9tiny.u.avast.com/ivps9tiny
  • http://w9448963.ivps9x.u.avast.com/ivps9x
  • http://w9448963.vpsnitro.u.avast.com/vpsnitro
  • http://w9448963.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://ww
  • http://www.digicert.com.my/cps.htm02
  • http://www.diginotar.nl/cps/pkioverheid0
  • http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
  • http://www.public-trust.com/cgi-bin/crl/2018/cdz
  • http://www.public-trust.com/cps/omniroot.html0
  • http://www.usertrust.com1
  • http://x6055396.iavs5x.u.avast.com/iavs5x
  • http://x6055396.iavs9x.u.avast.com/iavs9x
  • http://x6055396.ivps9tiny.u.avast.com/ivps9tiny
  • http://x6055396.ivps9x.u.avast.com/ivps9x
  • http://x6055396.vpsnitro.u.avast.com/vpsnitro
  • http://x6055396.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://y9663457.iavs5x.u.avast.com/iavs5x
  • http://y9663457.iavs9x.u.avast.com/iavs9x
  • http://y9663457.ivps9tiny.u.avast.com/ivps9tiny
  • http://y9663457.ivps9x.u.avast.com/ivps9x
  • http://y9663457.vpsnitro.u.avast.com/vpsnitro
  • http://y9663457.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://z2217299.iavs5x.u.avast.com/iavs5x
  • http://z2217299.iavs9x.u.avast.com/iavs9x
  • http://z2217299.ivps9tiny.u.avast.com/ivps9tiny
  • http://z2217299.ivps9x.u.avast.com/ivps9x
  • http://z2217299.vpsnitro.u.avast.com/vpsnitro
  • http://z2217299.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://z2461313.iavs5x.u.avast.com/iavs5x
  • http://z2461313.iavs9x.u.avast.com/iavs9x
  • http://z2461313.ivps9tiny.u.avast.com/ivps9tiny
  • http://z2461313.ivps9x.u.avast.com/ivps9x
  • http://z2461313.vpsnitro.u.avast.com/vpsnitro
  • http://z2461313.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://z9743321.iavs5x.u.avast.com/iavs5x
  • http://z9743321.iavs9x.u.avast.com/iavs9x
  • http://z9743321.ivps9tiny.u.avast.com/ivps9tiny
  • http://z9743321.ivps9x.u.avast.com/ivps9x
  • http://z9743321.vpsnitro.u.avast.com/vpsnitro
  • http://z9743321.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • http://z9820048.iavs5x.u.avast.com/iavs5x
  • http://z9820048.iavs9x.u.avast.com/iavs9x
  • http://z9820048.ivps9tiny.u.avast.com/ivps9tiny
  • http://z9820048.ivps9x.u.avast.com/ivps9x
  • http://z9820048.vpsnitro.u.avast.com/vpsnitro
  • http://z9820048.vpsnitrotiny.u.avast.com/vpsnitrotiny
  • https://d.symcb
  • https://d.symcb.com/cps0%
  • https://d.symcb.com/rpa0
  • https://d1o
  • https://id.avast.com/inavastium
  • https://ipm-provider.ff.avast.com/
  • https://pair.ff.avast.com
  • https://secure.comodo.com/cps0
  • https://secure.comodo.com/cps0u
  • https://secure.comodo.net/cps0a
  • https://www.digicert.com/cps0
  • https://www.globalsign.com/repository/0
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
    GET /iavs9x/servers.def HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: files.avast.com
    Connection: Keep-Alive

Boot Survival:

Creates an autostart registry key
Source: C:\g8F53.tmp.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 760639
Source: C:\g8F53.tmp.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 760639
Source: C:\g8F53.tmp.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 760639
Source: C:\g8F53.tmp.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 760639
Creates autostart registry keys with suspicious names
Source: C:\g8F53.tmp.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 760639

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC44890 LoadLibraryA,LoadLibraryA,GetProcAddress,URLDownloadToFileA,_fread_nolock,DeleteFileA,0_2_000000013FC44890
PE file contains an invalid checksum
Source: g8F53.tmp.exe | Static PE information: real checksum: 0x0 should be: 0x4c4d6

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC62DA8 FindFirstFileExA,0_2_000000013FC62DA8
Source: C:\g8F53.tmp.exe | Code function: 0_1_000000013FC62DA8 FindFirstFileExA,0_1_000000013FC62DA8

System Summary:

PE file has a high image base, often used for DLLs
Source: g8F53.tmp.exe | Static PE information: Image base 0x140000000L > 0x60000000
PE file contains a mix of data directories often seen in goodware
Source: g8F53.tmp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: g8F53.tmp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: g8F53.tmp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: g8F53.tmp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: g8F53.tmp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: g8F53.tmp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: g8F53.tmp.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
PE file contains a debug data directory
Source: g8F53.tmp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
Source: g8F53.tmp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: g8F53.tmp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: g8F53.tmp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: g8F53.tmp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: g8F53.tmp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Classification label
Source: classification engine | Classification label: mal60.evad.adwa.winEXE@1/4@1/2
Contains functionality to enum processes or threads
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC42DC0 LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle,0_2_000000013FC42DC0
Creates temporary files
Source: C:\g8F53.tmp.exe | File created: C:\Users\HANSPE~1\AppData\Local\Temp\s284.0
PE file has an executable .text section and no other executable section
Source: g8F53.tmp.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\g8F53.tmp.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Uses an in-process (OLE) Automation server
Source: C:\g8F53.tmp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Contains functionality to call native functions
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC42DC0 LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle,0_2_000000013FC42DC0
Source: C:\g8F53.tmp.exe | Code function: 0_1_000000013FC42DC0 LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle,0_1_000000013FC42DC0
Found potential string decryption / allocating functions
Source: C:\g8F53.tmp.exe | Code function: String function: 000000013FC5B61C appears 34 times
Reads the hosts file
Source: C:\g8F53.tmp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: g8F53.tmp.exe | Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs g8F53.tmp.exe
Source: g8F53.tmp.exe | Binary or memory string: OriginalFilenamewship6.dll.muij% vs g8F53.tmp.exe
Tries to load missing DLLs
Source: C:\g8F53.tmp.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\g8F53.tmp.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\g8F53.tmp.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\g8F53.tmp.exe | Section loaded: api-ms-win-core-sysinfo-l1-2-1.dll

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: g8F53.tmp.exe | Binary or memory string: Progman
Source: g8F53.tmp.exe | Binary or memory string: Program Manager
Source: g8F53.tmp.exe | Binary or memory string: Shell_TrayWnd
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\g8F53.tmp.exe | Code function: LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle, c:\windows\explorer.exe 0_2_000000013FC42DC0
Source: C:\g8F53.tmp.exe | Code function: LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle, :\windows\explorer.exe 0_2_000000013FC42DC0
Changes memory attributes in foreign processes to executable or writable
Source: C:\g8F53.tmp.exe | Memory protected: unknown base: 7FFFFFDF000 protect: page read and write
Source: C:\g8F53.tmp.exe | Memory protected: unknown base: 2C1DC0 protect: page read and write
Creates new 'disallowed' certificate (very likely to block AV)
Modifies the hosts file
Source: C:\g8F53.tmp.exe | File written: C:\Windows\System32\drivers\etc\hosts

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC46028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_000000013FC46028
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC5C06C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000000013FC5C06C
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC4649C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000000013FC4649C
Source: C:\g8F53.tmp.exe | Code function: 0_1_000000013FC46028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_1_000000013FC46028
Source: C:\g8F53.tmp.exe | Code function: 0_1_000000013FC5C06C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_1_000000013FC5C06C
Source: C:\g8F53.tmp.exe | Code function: 0_1_000000013FC4649C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_1_000000013FC4649C
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\g8F53.tmp.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC5C06C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000000013FC5C06C
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC42DC0 LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle,0_2_000000013FC42DC0
Contains functionality to dynamically determine API calls
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC44890 LoadLibraryA,LoadLibraryA,GetProcAddress,URLDownloadToFileA,_fread_nolock,DeleteFileA,0_2_000000013FC44890
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC641FC GetProcessHeap,0_2_000000013FC641FC

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC62DA8 FindFirstFileExA,0_2_000000013FC62DA8
Source: C:\g8F53.tmp.exe | Code function: 0_1_000000013FC62DA8 FindFirstFileExA,0_1_000000013FC62DA8
Queries a list of all running processes
Source: C:\g8F53.tmp.exe | Process information queried: ProcessInformation
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC42DC0 LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,NtQueryInformationProcess,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,ReadProcessMemory,ReadProcessMemory,CommandLineToArgvW,WideCharToMultiByte,LocalFree,CloseHandle,0_2_000000013FC42DC0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\g8F53.tmp.exe TID: 3012 | Thread sleep time: -100s >= -60s
Source: C:\g8F53.tmp.exe TID: 2616 | Thread sleep time: -60000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: tmp.exe | Static PE information: g8F53.tmp.exe

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\g8F53.tmp.exe | File written: C:\Windows\System32\drivers\etc\hosts

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC5BBA8 GetSystemTimeAsFileTime,0_2_000000013FC5BBA8
Contains functionality to query time zone information
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC60BFC GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_000000013FC60BFC
Queries the cryptographic machine GUID
Source: C:\g8F53.tmp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query locale information (e.g. system language)
Source: C:\g8F53.tmp.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_000000013FC67760
Source: C:\g8F53.tmp.exe | Code function: EnumSystemLocalesW,0_2_000000013FC67338
Source: C:\g8F53.tmp.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_000000013FC67948
Source: C:\g8F53.tmp.exe | Code function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,0_2_000000013FC66F5C
Source: C:\g8F53.tmp.exe | Code function: GetLocaleInfoW,0_2_000000013FC67810
Source: C:\g8F53.tmp.exe | Code function: GetLocaleInfoW,0_2_000000013FC5BB10
Source: C:\g8F53.tmp.exe | Code function: EnumSystemLocalesW,0_2_000000013FC5B584
Source: C:\g8F53.tmp.exe | Code function: GetLocaleInfoW,0_2_000000013FC67614
Source: C:\g8F53.tmp.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_000000013FC673D0
Source: C:\g8F53.tmp.exe | Code function: EnumSystemLocalesW,0_2_000000013FC67268
Source: C:\g8F53.tmp.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_1_000000013FC67760
Source: C:\g8F53.tmp.exe | Code function: EnumSystemLocalesW,0_1_000000013FC67338
Source: C:\g8F53.tmp.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_1_000000013FC67948
Source: C:\g8F53.tmp.exe | Code function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,0_1_000000013FC66F5C
Source: C:\g8F53.tmp.exe | Code function: GetLocaleInfoW,0_1_000000013FC67810
Source: C:\g8F53.tmp.exe | Code function: GetLocaleInfoW,0_1_000000013FC5BB10
Source: C:\g8F53.tmp.exe | Code function: EnumSystemLocalesW,0_1_000000013FC5B584
Source: C:\g8F53.tmp.exe | Code function: GetLocaleInfoW,0_1_000000013FC67614
Source: C:\g8F53.tmp.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_1_000000013FC673D0
Source: C:\g8F53.tmp.exe | Code function: EnumSystemLocalesW,0_1_000000013FC67268
Contains functionality to query CPU information (cpuid)
Source: C:\g8F53.tmp.exe | Code function: 0_2_000000013FC69F60 cpuid 0_2_000000013FC69F60

Behavior Graph

[Behavior graph image not preserved] Behavior Graph ID: 289272. Sample: g8F53.tmp.exe. Start date: 09/06/2017. Architecture: WINDOWS. Score: 60. Process started by main: g8F53.tmp.exe, linked in the graph to the signatures "Changes memory attributes in foreign processes to executable or writable", "Creates autostart registry keys with suspicious names" and "Creates new 'disallowed' certificate (very likely to block AV)", and to the network destination files.avast.com (2.17.214.122, port 80, AkamaiTechnologiesInc, European Union).

Yara Overview

No Yara matches

Startup

  • system is w7x64
  • g8F53.tmp.exe (PID: 2884 cmdline: 'C:\g8F53.tmp.exe' MD5: 679A54233089BD649B01BC70905E22CD)
  • cleanup

Created / dropped Files

File Path | Type and Hashes | Malicious
C:\760639
  • Type: data
  • MD5: CF5BB3B4D6A3ADE6041C1D333FA8C273
  • SHA: BD4B5146484AB02E926C61E161C1E6093B892BD7
  • SHA-256: 7063BCCF89B09F51EE70A47B6170AE07914DCA26648B7441C2F9EB7BD6A04397
  • SHA-512: F7A7475133880CB5E79ADA4999D5E9037841509A2C03EC726094F18A2AD0132009B7F3A5C585B31B52C0CCDF7C9C1F080628669B5F2DB7A694B9DCB3DD34E072
  • Malicious: false
C:\Users\HANSPE~1\AppData\Local\Temp\s284.0
  • Type: ASCII text, with CRLF line terminators
  • MD5: 195CDCAAED78D2B59ABC94F8C0D441F5
  • SHA: 3D9C75B738762E574B072163661C0F1B9A7C962D
  • SHA-256: 6DB1CBEFDC21B46405E404C868B4E76383AB1B34B81AE29BAE8CF06FD81587CF
  • SHA-512: 4F5FE41184D923C09C3202D29C35E9B74FEE579D1E668C076F6BE9251109183C303CF3C6C2C35D5EFAE80B21CC3215605A4087D70B1813A7E006925E5C0E127B
  • Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOPT6FQ2\servers[1].def
  • Type: ASCII text, with CRLF line terminators
  • MD5: 195CDCAAED78D2B59ABC94F8C0D441F5
  • SHA: 3D9C75B738762E574B072163661C0F1B9A7C962D
  • SHA-256: 6DB1CBEFDC21B46405E404C868B4E76383AB1B34B81AE29BAE8CF06FD81587CF
  • SHA-512: 4F5FE41184D923C09C3202D29C35E9B74FEE579D1E668C076F6BE9251109183C303CF3C6C2C35D5EFAE80B21CC3215605A4087D70B1813A7E006925E5C0E127B
  • Malicious: false
C:\Windows\System32\drivers\etc\hosts
  • Type: ASCII text, with CRLF line terminators
  • MD5: C93D6BDCE002C97896DAC3FFA6544683
  • SHA: EF35EC9D4BB99A09854DA521A48F3412DB1717E1
  • SHA-256: 374A299BEF7E31243B9D9F8F19E9832293567B265F44066917CF8F20AD29BA65
  • SHA-512: B3E55F7C8A3BF731F6AF35AE718391E1C85790D49FDBA562E9592960D11717CC59471363A91E1732D52DF563B111D39BF1C34BC2355E0C25A999D050DC1FA27B
  • Malicious: true

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious
files.avast.com | 2.17.214.122 | true | false

Contacted IPs

IP | Country | ASN | ASN Name | Malicious
8.8.8.8 | United States | 15169 | GoogleInc | false
2.17.214.122 | European Union | 16625 | AkamaiTechnologiesInc | false

Static File Info

General

File type:PE32+ executable for MS Windows (GUI) Mono/.Net assembly
TrID:
  • Win64 Executable (generic) (12005/4) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:g8F53.tmp.exe
File size:307200
MD5:679a54233089bd649b01bc70905e22cd
SHA1:a66197a6fdf6cde046a02ec10eb417bf125a63b1
SHA256:b529ca4dd148fdfcee0c1f267bc6821cc5168c121363fa690536a72e0f447c19
SHA512:f954b54a96caf2711ae79ca2bc76b633832ec1f504a3b7c3bf1c168e02df63cf206899bf483b5f400e1dacdd7281ac28b847346fcf33fcb89908dbadab563076
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(..;I.R;I.R;I.R..;R2I.R..9R.I.R..8R4I.R...R:I.R.).S3I.R.).S'I.R.).S/I.R21YR6I.R;I.R.I.R.(.S:I.R.(5R:I.R.(.S:I.RRich;I.R.......

File Icon

Static PE Info

General

Entrypoint:0x140006014L
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000L
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:0x59370A51 [Tue Jun 06 20:02:25 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:2
File Version Major:5
File Version Minor:2
Subsystem Version Major:5
Subsystem Version Minor:2
Import Hash:ca74f2c2225045446ef176b0c9d468b6

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 100C484Ch
dec eax
add esp, 28h
jmp 100C4027h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00025237h]
dec eax
mov ecx, ebx
call dword ptr [00025236h]
call dword ptr [00025220h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00025204h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call 100E85ECh
test eax, eax
je 100C41A9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [000437BFh]
call 100C436Fh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [000438A6h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00043836h], eax
dec eax
mov eax, dword ptr [0004388Fh]
dec eax
mov dword ptr [00043700h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00043804h], eax
mov dword ptr [000436DAh], C0000409h
mov dword ptr [000436D4h], 00000001h
mov dword ptr [000436DEh], 00000001h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36f1c | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4d000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x4b000 | 0x1ea8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4e000 | 0x758 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x34fa0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34fc0 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x760 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29f00 | 0x2a000 | False | 0.534923735119 | data | 6.50640221128 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0xd82e | 0xda00 | False | 0.444309059633 | data | 5.15782030144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x39000 | 0x11d70 | 0x10800 | False | 0.480513139205 | fÔÿÿ2¢ß- | 7.27336022663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x4b000 | 0x1ea8 | 0x2000 | False | 0.471923828125 | PEX Binary Archive | 5.34032237763 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x4d000 | 0x1e0 | 0x200 | False | 0.53125 | data | 4.71377258295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4e000 | 0x758 | 0x800 | False | 0.55908203125 | data | 5.2503088955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0x4d060 | 0x17d | XML document text | English | United States

Imports

DLL | Import
CRYPT32.dll | CertOpenStore, CertCloseStore, CertAddCertificateContextToStore, CertFreeCertificateContext, CertCreateCertificateContext
KERNEL32.dll | RaiseException, FlushFileBuffers, GetFileType, ReadConsoleW, GetConsoleMode, SetFilePointerEx, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, HeapAlloc, HeapFree, GetACP, WriteFile, GetStdHandle, GetTempPathW, MultiByteToWideChar, GetStringTypeW, GetModuleHandleExW, ExitProcess, LoadLibraryExW, FreeLibrary, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, SetLastError, RtlUnwindEx, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetModuleHandleW, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, DeleteFileW, HeapReAlloc, GetTimeZoneInformation, GetCPInfo, MoveFileExW, GetFileAttributesExW, CreateFileW, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, GetProcessHeap, CreateEventA, WideCharToMultiByte, GetCurrentProcessId, LocalFree, Beep, GetProcAddress, CloseHandle, DeleteFileA, LoadLibraryA, GetSystemDirectoryA, SetEvent, GetLastError, Sleep, GetModuleHandleA, GetCurrentThreadId, RegisterWaitForSingleObject, GetModuleFileNameA, ReadFile, SetStdHandle, HeapSize, SetEndOfFile, WriteConsoleW, GetConsoleCP
USER32.dll | BeginPaint, CheckDlgButton, BroadcastSystemMessageA, ChildWindowFromPoint, ChangeMenuA, DefDlgProcA, CascadeWindows, CharLowerA, CreateMenu, PostQuitMessage, CharNextA, CharLowerBuffA, DeferWindowPos, CloseWindow, AdjustWindowRectEx, GetMessageA, CheckMenuRadioItem, CreateIconFromResourceEx, DispatchMessageA, LoadCursorA, DeregisterShellHookWindow, CloseWindowStation, CheckRadioButton, CopyImage, CopyIcon, CharPrevA, DeleteMenu, CreateWindowStationA, CallNextHookEx, ArrangeIconicWindows, CreatePopupMenu, ChildWindowFromPointEx, DestroyCursor, AnyPopup, BeginDeferWindowPos, CloseDesktop, SetTimer, CopyAcceleratorTableA, PostThreadMessageA, ChangeClipboardChain, CopyRect, CreateIconIndirect, ClientToScreen, FindWindowExA, CallWindowProcA, DestroyAcceleratorTable, DefMDIChildProcA, CharUpperBuffA, CreateAcceleratorTableA, CreateCaret, CountClipboardFormats, CharToOemBuffA, CreateCursor, AttachThreadInput, CreateIconFromResource, DefFrameProcA, CreateIcon, CharToOemA, AdjustWindowRect, RegisterClassA, DefWindowProcA, DestroyMenu, CreateWindowExA, BringWindowToTop, TranslateMessage, ClipCursor, SendMessageA, DestroyCaret, CallMsgFilterA, CreateDialogParamA, LoadIconA, CharUpperA, CreateDialogIndirectParamA, AppendMenuA, CheckMenuItem, CreateMDIWindowA, ActivateKeyboardLayout, DestroyIcon
ADVAPI32.dll | RegReplaceKeyA, RegSaveKeyA, IsValidAcl, RegConnectRegistryA, RegDeleteValueA, RegRestoreKeyA, RegCreateKeyA, RegNotifyChangeKeyValue, RegEnumKeyA, RegGetKeySecurity, RegCloseKey, RegOpenKeyA, RegEnumValueA, RegSetValueA, RegDeleteKeyA, RegQueryValueExA, RegQueryMultipleValuesA, RegCreateKeyExA, RegFlushKey, RegQueryValueA, RegUnLoadKeyA, RegSetKeySecurity, RegSetValueExA, IsValidSecurityDescriptor, RegLoadKeyA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumKeyExA
SHELL32.dll | CommandLineToArgvW
ole32.dll | CoRegisterMessageFilter, CoFileTimeNow, CoRevokeClassObject, CoDisconnectObject, CoInitializeEx, CoGetStdMarshalEx, CLSIDFromString, CoMarshalHresult, CoDosDateTimeToFileTime, CoFreeLibrary, CoTaskMemRealloc, CoFreeUnusedLibraries, IIDFromString, CoRegisterMallocSpy, CoLockObjectExternal, CoFreeAllLibraries, CoLoadLibrary, CoUnmarshalHresult, CoGetMalloc, CoFileTimeToDosDateTime, CoReleaseMarshalData, CLSIDFromProgID, CoCreateFreeThreadedMarshaler, CoCreateGuid, CoTaskMemAlloc, CoIsHandlerConnected, CoRevokeMallocSpy, CoGetCurrentProcess, CoTaskMemFree

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 9, 2017 15:40:08.834712029 MESZ | 53908 | 53 | 192.168.1.13 | 8.8.8.8
Jun 9, 2017 15:40:09.292851925 MESZ | 53 | 53908 | 8.8.8.8 | 192.168.1.13
Jun 9, 2017 15:40:09.324213028 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.324254036 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.324376106 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.325232983 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.325249910 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.665602922 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.665976048 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.678288937 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.678308010 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.678334951 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.678390980 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.680398941 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.680412054 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.680449963 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.680536985 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.684830904 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.684849977 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.684875965 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.684973955 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.696362019 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.696468115 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.699193954 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.699223042 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.699230909 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.699306011 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.702703953 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.702785969 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.713334084 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.713362932 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.713375092 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.716732979 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.723906994 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.724067926 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.726281881 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.726310968 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.726325989 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.726592064 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:40:09.730989933 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.731014967 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:40:09.732007027 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
Jun 9, 2017 15:41:12.149789095 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13
Jun 9, 2017 15:41:12.149885893 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122
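The packet table above is one row per segment. The Python below is an added worked example, not part of the Joe Sandbox report, that folds such rows into per-connection flows (packets in each direction, first and last timestamp, duration) and converts the report's MESZ timestamps to UTC so they can be compared with the server's Date header in the HTTP Packets section. The rows embedded in the block are transcribed from the table (a subset of it); the Flow type, the function names and the MESZ/MEZ offset table are this example's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, NamedTuple

# Rows transcribed from the TCP Packets table above (a subset: the DNS pair
# the report lists there, the TCP handshake, the HTTP GET, the first response
# segment, and the two packets that arrive about a minute later).
TCP_ROWS = [
    ("Jun 9, 2017 15:40:08.834712029 MESZ", 53908, 53, "192.168.1.13", "8.8.8.8"),
    ("Jun 9, 2017 15:40:09.292851925 MESZ", 53, 53908, "8.8.8.8", "192.168.1.13"),
    ("Jun 9, 2017 15:40:09.324213028 MESZ", 49235, 80, "192.168.1.13", "2.17.214.122"),
    ("Jun 9, 2017 15:40:09.324254036 MESZ", 80, 49235, "2.17.214.122", "192.168.1.13"),
    ("Jun 9, 2017 15:40:09.324376106 MESZ", 49235, 80, "192.168.1.13", "2.17.214.122"),
    ("Jun 9, 2017 15:40:09.325232983 MESZ", 49235, 80, "192.168.1.13", "2.17.214.122"),
    ("Jun 9, 2017 15:40:09.665602922 MESZ", 80, 49235, "2.17.214.122", "192.168.1.13"),
    ("Jun 9, 2017 15:41:12.149789095 MESZ", 80, 49235, "2.17.214.122", "192.168.1.13"),
    ("Jun 9, 2017 15:41:12.149885893 MESZ", 49235, 80, "192.168.1.13", "2.17.214.122"),
]

# MESZ is Central European Summer Time (UTC+2), MEZ the winter offset (UTC+1).
# The report's own HTTP Date header ("13:40:09 GMT" on the 15:40:09 MESZ
# response) confirms the +2 h offset for these captures.
TZ_OFFSETS = {"MESZ": timedelta(hours=2), "MEZ": timedelta(hours=1)}


def parse_ts(text: str) -> datetime:
    """Parse 'Jun 9, 2017 15:40:08.834712029 MESZ' into an aware UTC datetime.
    strptime's %f accepts at most six digits, so the nine-digit fraction is
    truncated to microseconds first."""
    stamp, zone = text.rsplit(" ", 1)
    head, frac = stamp.rsplit(".", 1)
    naive = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return naive.replace(tzinfo=timezone(TZ_OFFSETS[zone])).astimezone(timezone.utc)


def parse_http_date(value: str) -> datetime:
    """Parse an RFC 7231 IMF-fixdate such as 'Fri, 09 Jun 2017 13:40:09 GMT'."""
    return datetime.strptime(value, "%a, %d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)


def same_second(report_ts: str, http_date: str) -> bool:
    """True when a report timestamp and a server Date header agree to the second."""
    return parse_ts(report_ts).replace(microsecond=0) == parse_http_date(http_date)


class Flow(NamedTuple):
    client: str
    client_port: int
    server: str
    server_port: int


def summarize_flows(rows) -> Dict[Flow, dict]:
    """Fold packets into bidirectional flows. The lower-numbered port is taken
    as the server side (80 for HTTP, 53 for DNS) so both directions of one
    connection land in the same bucket."""
    flows = defaultdict(lambda: {"to_server": 0, "to_client": 0, "first": None, "last": None})
    for ts_text, sport, dport, sip, dip in rows:
        ts = parse_ts(ts_text)
        if dport < sport:
            key, direction = Flow(sip, sport, dip, dport), "to_server"
        else:
            key, direction = Flow(dip, dport, sip, sport), "to_client"
        flow = flows[key]
        flow[direction] += 1
        flow["first"] = ts if flow["first"] is None else min(flow["first"], ts)
        flow["last"] = ts if flow["last"] is None else max(flow["last"], ts)
    for flow in flows.values():
        flow["duration_s"] = (flow["last"] - flow["first"]).total_seconds()
    return dict(flows)


if __name__ == "__main__":
    for key, flow in summarize_flows(TCP_ROWS).items():
        print(f"{key.client}:{key.client_port} -> {key.server}:{key.server_port} "
              f"{flow['to_server']}/{flow['to_client']} pkts, {flow['duration_s']:.3f} s, "
              f"first {flow['first'].isoformat()}")
```

Run on the transcribed rows, the summary shows one DNS exchange and one HTTP connection that stays open for roughly 63 seconds (Connection: Keep-Alive in the request) before the final pair of packets. Note that the first two rows the report files under "TCP Packets" are the UDP DNS exchange also listed under "UDP Packets".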

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 9, 2017 15:40:08.834712029 MESZ | 53908 | 53 | 192.168.1.13 | 8.8.8.8
Jun 9, 2017 15:40:09.292851925 MESZ | 53 | 53908 | 8.8.8.8 | 192.168.1.13

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 9, 2017 15:40:08.834712029 MESZ | 192.168.1.13 | 8.8.8.8 | 0xaa62 | Standard query (0) | files.avast.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 9, 2017 15:40:09.292851925 MESZ | 8.8.8.8 | 192.168.1.13 | 0xaa62 | No error (0) | files.avast.com | | 2.17.214.122 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • files.avast.com

HTTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Total Bytes Transferred (KB)
(The header or payload excerpt of each packet follows its row.)

Jun 9, 2017 15:40:09.325232983 MESZ | 49235 | 80 | 192.168.1.13 | 2.17.214.122 | 0
GET /iavs9x/servers.def HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: files.avast.com
Connection: Keep-Alive

Jun 9, 2017 15:40:09.665602922 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13 | 1
HTTP/1.1 200 OK
Last-Modified: Thu, 20 Apr 2017 07:39:25 GMT
ETag: "58f865ad-6183"
Server: nginx
Content-Type: text/plain
Content-Length: 24963
Accept-Ranges: bytes
Cache-Control: max-age=56
Expires: Fri, 09 Jun 2017 13:41:05 GMT
Date: Fri, 09 Jun 2017 13:40:09 GMT
Connection: keep-alive
Data Raw: 5b 73 65 72 76 65 72 73 5d 0d 0a 63 6f 75 6e 74 3d 32 39 0d 0a 52 65 70 6f 49 44 3d 69 61 76 73 39 78 0d 0a 4c 61 74 65 73 74 50 72 6f 67 72 61 6d 56 65 72 73 69 6f 6e 3d 31 36 37 39 36 38 37 36 38 0d 0a 4c 61 74 65 73 74 42 75 73 69 6e 65 73 73 56 65 72 73 69 6f 6e 3d 31 36 37 39 36 38 37 36 38 0d 0a 53 65 6e 64 53 74 61 74 73 46 69 6c 74 65 72 3d 32 0d 0a 53 65 6e 64 44 72 6f 70 70 65 72 46 69 6c 74 65 72 3d 38 0d 0a 53 65 6e 64 44 72 6f 70 70 65 72 46 69 6c 74 65 72 32 3d 38 0d 0a 53 65 6e 64 43 72 61 73 68 64 75 6d 70 46 69 6c 74 65 72 3d 33 32 0d 0a 57 72 63 54 72 61 66 66 69
Data Ascii: [servers]count=29RepoID=iavs9xLatestProgramVersion=167968768LatestBusinessVersion=167968768SendStatsFilter=2SendDropperFilter=8SendDropperFilter2=8SendCrashdumpFilter=32WrcTraffi

Jun 9, 2017 15:40:09.678288937 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13 | 3
Data Raw: 63 54 6f 3d 30 0d 0a 53 68 65 70 68 65 72 64 55 72 6c 3d 73 68 65 70 68 65 72 64 2e 66 66 2e 61 76 61 73 74 2e 63 6f 6d 0d 0a 50 72 6f 67 55 70 64 61 74 65 43 6f 6e 63 65 61 6c 48 6f 75 72 73 3d 31 36 38 0d 0a 56 36 5f 50 72 6f 67 55 70 64 61 74
Data Ascii: cTo=0ShepherdUrl=shepherd.ff.avast.comProgUpdateConcealHours=168V6_ProgUpdateConcealHours=168V7_ProgUpdateConcealHours=168V8_ProgUpdateConcealHours=168V9_ProgUpdateConcealHours=168V10_ProgUpdateConcealHours=168V5_UpdateScreenEl

Jun 9, 2017 15:40:09.678308010 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13 | 4
Data Raw: 31 32 2c 31 3b 2d 33 2c 31 32 2c 31 3b 2d 37 2c 32 34 2c 31 3b 2d 38 2c 32 34 2c 31 3b 2d 39 2c 32 34 2c 31 3b 2d 31 32 2c 32 34 2c 31 0d 0a 53 4c 45 78 70 54 6f 61 73 74 65 72 54 69 6d 69 6e 67 59 65 61 72 4c 69 63 3d 33 30 2c 32 34 2c 30 3b 32
Data Ascii: 12,1;-3,12,1;-7,24,1;-8,24,1;-9,24,1;-12,24,1SLExpToasterTimingYearLic=30,24,0;23,12,0;15,12,0;12,12,1;9,12,1;7,12,1;6,12,1;5,12,1;4,12,1;3,6,1;2,6,1;1,6,1;0,6,1;-1,6,1;-2,6,1;-3,6,1;-4,6,1;-5,6,1;-6,6,1;-7,6,1;-8,12,1;-9,12,1;-10,12,1;-11,1

Jun 9, 2017 15:40:09.678334951 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13 | 5
Data Raw: 31 34 34 30 0d 0a 49 70 6d 50 72 6f 74 6f 63 6f 6c 48 74 74 70 32 30 31 35 3d 0d 0a 45 78 70 54 6f 61 73 74 65 72 54 69 6d 69 6e 67 54 72 69 61 6c 53 75 62 5f 74 34 39 33 6f 66 66 62 3d 37 2c 32 34 2c 31 3b 36 2c 32 34 2c 31 3b 35 2c 32 34 2c 31
Data Ascii: 1440IpmProtocolHttp2015=ExpToasterTimingTrialSub_t493offb=7,24,1;6,24,1;5,24,1;4,12,1;3,12,1;2,12,1;1,6,1;0,6,1;-1,6,1;-2,6,1;-3,6,1;-4,6,1;-5,6,1;-6,6,1;-7,24,1ExpToasterTimingTrialSub_t493onb=7,24,1;6,24,1;5,24,1;4,12,1;3,12,1;2,12,1;1

Jun 9, 2017 15:40:09.680398941 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13 | 6
Data Raw: 3b 36 2c 32 34 2c 31 3b 35 2c 32 34 2c 31 3b 34 2c 31 32 2c 31 3b 33 2c 31 32 2c 31 3b 32 2c 31 32 2c 31 3b 31 2c 31 32 2c 31 3b 30 2c 31 32 2c 31 3b 2d 31 2c 31 32 2c 31 3b 2d 32 2c 31 32 2c 31 3b 2d 33 2c 31 32 2c 31 3b 2d 37 2c 32 34 2c 31 3b
Data Ascii: ;6,24,1;5,24,1;4,12,1;3,12,1;2,12,1;1,12,1;0,12,1;-1,12,1;-2,12,1;-3,12,1;-7,24,1;-8,24,1;-9,24,1;-12,24,1[server0]name=Download v4618535 AVAST9 Serverurlpgm=http://v4618535.iavs9x.u.avast.com/iavs9xurlvps=http://v4618535.ivps9x.u.av

Jun 9, 2017 15:40:09.680412054 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13 | 8
Data Raw: 3a 2f 2f 73 75 62 6d 69 74 35 2e 61 76 61 73 74 2e 63 6f 6d 2f 63 67 69 2d 62 69 6e 2f 73 75 62 6d 69 74 35 30 2e 63 67 69 0d 0a 67 65 6f 49 50 3d 68 74 74 70 3a 2f 2f 67 65 6f 69 70 2e 61 76 61 73 74 2e 63 6f 6d 2f 67 65 6f 69 70 2f 67 65 6f 69
Data Ascii: ://submit5.avast.com/cgi-bin/submit50.cgigeoIP=http://geoip.avast.com/geoip/geoip.phpweight=20[server2]name=Download v7630928 AVAST9 Serverurlpgm=http://v7630928.iavs9x.u.avast.com/iavs9xurlvps=http://v7630928.ivps9x.u.avast.com/

Jun 9, 2017 15:40:09.680449963 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13 | 8
Data Raw: 74 35 2e 61 76 61 73 74 2e 63 6f 6d 2f 63 67 69 2d 62 69 6e 2f 73 75 62 6d 69 74 35 30 2e 63 67 69 0d 0a 67 65 6f 49 50 3d 68 74 74 70 3a 2f 2f 67 65 6f 69 70 2e 61 76 61 73 74 2e 63 6f 6d 2f 67 65 6f 69 70 2f 67 65 6f 69 70 2e 70 68 70 0d 0a 77
Data Ascii: t5.avast.com/cgi-bin/submit50.cgigeoIP=http://geoip.avast.com/geoip/geoip.phpweight=20[server4]name=Download z9743321 AVAST9 Serverurlpgm=http://z9743321.iavs9x.u.avast.com/iavs9xurlvps=http://z9743321.ivps9x.u.avast.com/ivps9x

Jun 9, 2017 15:40:09.684830904 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13 | 10
Data Raw: 3a 2f 2f 7a 39 37 34 33 33 32 31 2e 76 70 73 6e 69 74 72 6f 74 69 6e 79 2e 75 2e 61 76 61 73 74 2e 63 6f 6d 2f 76 70 73 6e 69 74 72 6f 74 69 6e 79 0d 0a 75 72 6c 3d 68 74 74 70 3a 2f 2f 7a 39 37 34 33 33 32 31 2e 69 61 76 73 35 78 2e 75 2e 61 76
Data Ascii: ://z9743321.vpsnitrotiny.u.avast.com/vpsnitrotinyurl=http://z9743321.iavs5x.u.avast.com/iavs5xstats=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats2=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats10=http://v7event.stats.ava

Jun 9, 2017 15:40:09.684849977 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13 | 11
Data Raw: 31 35 39 2e 76 70 73 6e 69 74 72 6f 74 69 6e 79 2e 75 2e 61 76 61 73 74 2e 63 6f 6d 2f 76 70 73 6e 69 74 72 6f 74 69 6e 79 0d 0a 75 72 6c 3d 68 74 74 70 3a 2f 2f 74 33 30 33 36 31 35 39 2e 69 61 76 73 35 78 2e 75 2e 61 76 61 73 74 2e 63 6f 6d 2f
Data Ascii: 159.vpsnitrotiny.u.avast.com/vpsnitrotinyurl=http://t3036159.iavs5x.u.avast.com/iavs5xstats=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats2=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats10=http://v7event.stats.avast.com/c

Jun 9, 2017 15:40:09.684875965 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13 | 12
Data Raw: 69 74 72 6f 74 69 6e 79 2e 75 2e 61 76 61 73 74 2e 63 6f 6d 2f 76 70 73 6e 69 74 72 6f 74 69 6e 79 0d 0a 75 72 6c 3d 68 74 74 70 3a 2f 2f 70 34 30 38 35 33 32 35 2e 69 61 76 73 35 78 2e 75 2e 61 76 61 73 74 2e 63 6f 6d 2f 69 61 76 73 35 78 0d 0a
Data Ascii: itrotiny.u.avast.com/vpsnitrotinyurl=http://p4085325.iavs5x.u.avast.com/iavs5xstats=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats2=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgistats10=http://v7event.stats.avast.com/cgi-bin/i

Jun 9, 2017 15:40:09.696362019 MESZ | 80 | 49235 | 2.17.214.122 | 192.168.1.13 | 13
Data Raw: 65 76 65 6e 74 73 2e 63 67 69 0d 0a 73 75 62 6d 69 74 3d 68 74 74 70 3a 2f 2f 73 6d 30 30 2e 61 76 61 73 74 2e 63 6f 6d 2f 63 67 69 2d 62 69 6e 2f 69 61 76 73 75 70 32 2e 63 67 69 0d 0a 73 75 62 6d 69 74 35 3d 68 74 74 70 3a 2f 2f 73 75 62 6d 69
Data Ascii: events.cgisubmit=http://sm00.avast.com/cgi-bin/iavsup2.cgisubmit5=http://submit5.avast.com/cgi-bin/submit50.cgigeoIP=http://geoip.avast.com/geoip/geoip.phpweight=20[server10]name=Download k6375621 AVAST9 Serverurlpgm=http://k63
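The response body the sample fetched from files.avast.com is an INI-shaped server list (the "[servers]" header and key=value lines are visible in the Data Ascii column, the 0d 0a line breaks in the Data Raw column). The Python below is an added worked example, not part of the Joe Sandbox report, showing how an analyst turns such truncated hex dumps back into the configuration and pulls every hostname out of it. The two hex fragments are copied from the report and happen to be contiguous; the [server4] tail is transcribed from the Data Ascii column with its line breaks restored, using only keys the page shows in full. The function names are this example's own. Because the dumps are cut mid-line, the last partial line is discarded before parsing rather than being reported as a setting. The hosts this yields are Avast update infrastructure named in the downloaded file, so they describe what the sample pulls, not a blocklist.

```python
import configparser
import re
from typing import List

# Hex "Data Raw" fragments copied from the HTTP Packets table above. The
# report truncates each dump; these two happen to be contiguous ("WrcTraffi"
# followed by "cTo=0"), so joining them yields whole key=value lines.
REPORT_FRAGMENTS = [
    "5b 73 65 72 76 65 72 73 5d 0d 0a 63 6f 75 6e 74 3d 32 39 0d 0a 52 65 70 6f 49 44 3d 69 61 76 73 39 78 "
    "0d 0a 4c 61 74 65 73 74 50 72 6f 67 72 61 6d 56 65 72 73 69 6f 6e 3d 31 36 37 39 36 38 37 36 38 0d 0a "
    "4c 61 74 65 73 74 42 75 73 69 6e 65 73 73 56 65 72 73 69 6f 6e 3d 31 36 37 39 36 38 37 36 38 0d 0a "
    "53 65 6e 64 53 74 61 74 73 46 69 6c 74 65 72 3d 32 0d 0a 53 65 6e 64 44 72 6f 70 70 65 72 46 69 6c 74 "
    "65 72 3d 38 0d 0a 53 65 6e 64 44 72 6f 70 70 65 72 46 69 6c 74 65 72 32 3d 38 0d 0a 53 65 6e 64 43 72 "
    "61 73 68 64 75 6d 70 46 69 6c 74 65 72 3d 33 32 0d 0a 57 72 63 54 72 61 66 66 69",
    "63 54 6f 3d 30 0d 0a 53 68 65 70 68 65 72 64 55 72 6c 3d 73 68 65 70 68 65 72 64 2e 66 66 2e 61 76 61 "
    "73 74 2e 63 6f 6d 0d 0a 50 72 6f 67 55 70 64 61 74 65 43 6f 6e 63 65 61 6c 48 6f 75 72 73 3d 31 36 38 "
    "0d 0a 56 36 5f 50 72 6f 67 55 70 64 61 74",
]

# Tail transcribed from the report's Data Ascii column for the [server4]
# stanza, with the CRLF line breaks the Data Raw column shows restored.
# Only keys that appear complete on the page are included.
REPORT_TAIL = (
    "\r\n[server4]\r\n"
    "name=Download z9743321 AVAST9 Server\r\n"
    "urlpgm=http://z9743321.iavs9x.u.avast.com/iavs9x\r\n"
    "urlvps=http://z9743321.ivps9x.u.avast.com/ivps9x\r\n"
)


def rebuild_text(fragments=REPORT_FRAGMENTS, tail: str = REPORT_TAIL) -> str:
    """Join hex dumps, drop the cut-off last line, append the tail and
    normalise CRLF so configparser sees a plain INI document."""
    data = b"".join(bytes.fromhex(frag) for frag in fragments)
    # The last dump stops mid-line; without this cut the half key
    # "V6_ProgUpdat" would be reported as a real setting.
    end = data.rfind(b"\r\n")
    data = data[: end + 2] if end >= 0 else b""
    return (data + tail.encode("ascii")).decode("ascii").replace("\r\n", "\n")


def parse_servers_def(text: str) -> configparser.ConfigParser:
    """servers.def is INI-shaped: [section] headers and key=value lines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # keep key case, e.g. RepoID, WrcTrafficTo
    cp.read_string(text)
    return cp


HOST_IN_URL = re.compile(r"https?://([^/\s:]+)", re.I)
BARE_HOST = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)


def extract_hosts(cp: configparser.ConfigParser) -> List[str]:
    """Collect every hostname referenced as a URL or as a bare host value."""
    hosts = set()
    for section in cp.sections():
        for _key, value in cp.items(section):
            if value is None:  # key without '=' (allow_no_value)
                continue
            hosts.update(m.group(1).lower() for m in HOST_IN_URL.finditer(value))
            if BARE_HOST.fullmatch(value.strip()):
                hosts.add(value.strip().lower())
    return sorted(hosts)


if __name__ == "__main__":
    config = parse_servers_def(rebuild_text())
    print("repo:", config["servers"]["RepoID"], "servers:", config["servers"]["count"])
    for host in extract_hosts(config):
        print("host:", host)
```

The same approach applies to any further fragments in the table, provided they are joined in stream order: configparser needs each key=value line whole, and a fragment that starts mid-value (as several of the later ones do) only parses once its predecessor is present.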

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

System Behavior

General

Start time:15:39:31
Start date:09/06/2017
Path:C:\g8F53.tmp.exe
Wow64 process (32bit):false
Commandline:'C:\g8F53.tmp.exe'
Imagebase:0x13fc40000
File size:307200 bytes
MD5 hash:679A54233089BD649B01BC70905E22CD
Programmed in:C, C++ or other language

Disassembly

Code Analysis