Category	Started On	Completed On	Duration	Cuckoo Version
FILE	2016-08-22 23:00:03.067759	2016-08-22 23:00:45.673051	42 seconds	2.0-dev

Machine	Label	Manager	Started On	Shutdown On
win7cuckoo	win7 Clone 1	VirtualBox	2016-08-22 23:00:03	2016-08-22 23:00:45

File Details

File name	f2681d6ad59708f4535f5fcc9ca21b6c132ddf57.exe
File size	3477696 bytes
File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
CRC32	44A59561
MD5	42820c54cd983a041e39abda2f06d7ad
SHA1	f2681d6ad59708f4535f5fcc9ca21b6c132ddf57
SHA256	783fde13717cb1a05ae10a2834efe3d17e8120fb46bff839b7aa3ac301bd2b9d
SHA512	a0ea9f21d123b1124d503fb1cd59d74f2c4f64fbbff46aba19206e555483436f6d1d76642348a478c4ede29b63f097fb2af4da9c6671a1c32faeb0cd0fdea293
Ssdeep	98304:mg0pZjV1/pPDN2/b4Bb/N4rTAXLEpv0wUmD/Sre84utiL:10H5NCjryLqv0Imre8ViL
PEiD	None matched
Yara	Str_Win32_Winsock2_Library (Match Winsock 2 API library declaration)
VirusTotal	File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=50, Anomalies=0, PEiD=0, Yara=2, VT[1471906875]=0): Snort Events=0, AV Events=0
Total Score=50

Dropped File/Buffer Yara Signatures:
783fde13717cb1a0_f2681d6ad59708f4535f5fcc9ca21b6c132ddf57.exe: Str_Win32_Winsock2_Library

Signatures

has_pdb details

Executable_Deleted details

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Name	Offset	Size	Language	Sub-language	File type
BIN	0x00048cf0	0x00000004	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	ACB archive data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_CURSOR	0x00049e80	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_BITMAP	0x0004a06c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_BITMAP	0x0004a06c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_ICON	0x0004a498	0x00000128	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	GLS_BINARY_LSB_FIRST
RT_ICON	0x0004a498	0x00000128	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	GLS_BINARY_LSB_FIRST
RT_DIALOG	0x0004a8d0	0x00000034	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_DIALOG	0x0004a8d0	0x00000034	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_DIALOG	0x0004a8d0	0x00000034	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_DIALOG	0x0004a8d0	0x00000034	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_STRING	0x0004b50c	0x00000030	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_CURSOR	0x0004b664	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	Lotus 1-2-3
RT_GROUP_ICON	0x0004b678	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	MS Windows icon resource - 2 icons, 32x32, 16-colors
RT_VERSION	0x0004b69c	0x00000330	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data
RT_MANIFEST	0x0004b9cc	0x00000296	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	XML document text
None	0x0004bc64	0x00000004	LANG_CHINESE	SUBLANG_CHINESE_TRADITIONAL	data

Imports

Library KERNEL32.dll:

• 0x434094 - lstrcmpA

• 0x434098 - LoadLibraryExA

• 0x43409c - GetLocaleInfoA

• 0x4340a0 - EnumResourceLanguagesA

• 0x4340a4 - ConvertDefaultLocale

• 0x4340a8 - GetCurrentProcessId

• 0x4340ac - InterlockedIncrement

• 0x4340b0 - LocalAlloc

• 0x4340b4 - LeaveCriticalSection

• 0x4340b8 - TlsGetValue

• 0x4340bc - EnterCriticalSection

• 0x4340c0 - GlobalReAlloc

• 0x4340c4 - GlobalHandle

• 0x4340c8 - InitializeCriticalSection

• 0x4340cc - TlsAlloc

• 0x4340d0 - TlsSetValue

• 0x4340d4 - LocalReAlloc

• 0x4340d8 - DeleteCriticalSection

• 0x4340dc - TlsFree

• 0x4340e0 - GlobalFlags

• 0x4340e4 - GetCPInfo

• 0x4340e8 - GetOEMCP

• 0x4340ec - SetErrorMode

• 0x4340f0 - RtlUnwind

• 0x4340f4 - HeapReAlloc

• 0x4340f8 - VirtualAlloc

• 0x4340fc - GetCommandLineA

• 0x434100 - GetStartupInfoA

• 0x434104 - RaiseException

• 0x434108 - ExitThread

• 0x43410c - CreateThread

• 0x434110 - ExitProcess

• 0x434114 - HeapSize

• 0x434118 - SuspendThread

• 0x43411c - UnhandledExceptionFilter

• 0x434120 - SetUnhandledExceptionFilter

• 0x434124 - IsDebuggerPresent

• 0x434128 - GetACP

• 0x43412c - IsValidCodePage

• 0x434130 - GetTimeZoneInformation

• 0x434134 - GetFileType

• 0x434138 - VirtualFree

• 0x43413c - HeapDestroy

• 0x434140 - HeapCreate

• 0x434144 - GetStdHandle

• 0x434148 - LCMapStringA

• 0x43414c - LCMapStringW

• 0x434150 - FreeEnvironmentStringsA

• 0x434154 - GetEnvironmentStrings

• 0x434158 - FreeEnvironmentStringsW

• 0x43415c - GetEnvironmentStringsW

• 0x434160 - SetHandleCount

• 0x434164 - QueryPerformanceCounter

• 0x434168 - GetSystemTimeAsFileTime

• 0x43416c - GetConsoleCP

• 0x434170 - GetConsoleMode

• 0x434174 - GetStringTypeA

• 0x434178 - GetStringTypeW

• 0x43417c - SetStdHandle

• 0x434180 - WriteConsoleA

• 0x434184 - GetConsoleOutputCP

• 0x434188 - WriteConsoleW

• 0x43418c - SetEnvironmentVariableA

• 0x434190 - GetFullPathNameA

• 0x434194 - GetVolumeInformationA

• 0x434198 - GetThreadLocale

• 0x43419c - CreateEventA

• 0x4341a0 - SystemTimeToFileTime

• 0x4341a4 - LocalFileTimeToFileTime

• 0x4341a8 - GetCurrentThreadId

• 0x4341ac - GlobalGetAtomNameA

• 0x4341b0 - GlobalAddAtomA

• 0x4341b4 - GlobalFindAtomA

• 0x4341b8 - GlobalDeleteAtom

• 0x4341bc - LoadLibraryA

• 0x4341c0 - lstrcmpW

• 0x4341c4 - FreeResource

• 0x4341c8 - FreeLibrary

• 0x4341cc - InterlockedDecrement

• 0x4341d0 - GetModuleFileNameW

• 0x4341d4 - GetModuleHandleA

• 0x4341d8 - GetProcAddress

• 0x4341dc - SetLastError

• 0x4341e0 - GlobalFree

• 0x4341e4 - GlobalAlloc

• 0x4341e8 - GlobalLock

• 0x4341ec - GlobalUnlock

• 0x4341f0 - FormatMessageA

• 0x4341f4 - LocalFree

• 0x4341f8 - lstrcpyA

• 0x4341fc - FlushFileBuffers

• 0x434200 - GetFileTime

• 0x434204 - GetFileSize

• 0x434208 - CreateProcessA

• 0x43420c - SetThreadPriority

• 0x434210 - GetCurrentThread

• 0x434214 - GetCurrentProcess

• 0x434218 - SetPriorityClass

• 0x43421c - ResumeThread

• 0x434220 - GetVersionExA

• 0x434224 - GetTempPathA

• 0x434228 - GetDiskFreeSpaceExA

• 0x43422c - lstrlenA

• 0x434230 - lstrcmpiA

• 0x434234 - CompareStringW

• 0x434238 - CompareStringA

• 0x43423c - GetVersion

• 0x434240 - MultiByteToWideChar

• 0x434244 - InterlockedExchange

• 0x434248 - SetFileTime

• 0x43424c - MulDiv

• 0x434250 - GetFileAttributesA

• 0x434254 - SetFileAttributesA

• 0x434258 - DeleteFileA

• 0x43425c - CopyFileA

• 0x434260 - RemoveDirectoryA

• 0x434264 - MoveFileA

• 0x434268 - FindFirstFileA

• 0x43426c - CreateDirectoryA

• 0x434270 - FindClose

• 0x434274 - WriteFile

• 0x434278 - GetModuleFileNameA

• 0x43427c - GetProcessHeap

• 0x434280 - HeapAlloc

• 0x434284 - HeapFree

• 0x434288 - GetLastError

• 0x43428c - OpenMutexA

• 0x434290 - FileTimeToLocalFileTime

• 0x434294 - FileTimeToSystemTime

• 0x434298 - TerminateThread

• 0x43429c - WaitForSingleObject

• 0x4342a0 - Sleep

• 0x4342a4 - ResetEvent

• 0x4342a8 - SetEvent

• 0x4342ac - WideCharToMultiByte

• 0x4342b0 - FindResourceA

• 0x4342b4 - LoadResource

• 0x4342b8 - LockResource

• 0x4342bc - SizeofResource

• 0x4342c0 - WritePrivateProfileStringA

• 0x4342c4 - GetTickCount

• 0x4342c8 - GetPrivateProfileStringA

• 0x4342cc - GetPrivateProfileIntA

• 0x4342d0 - SetFilePointer

• 0x4342d4 - CreateFileA

• 0x4342d8 - ReadFile

• 0x4342dc - TerminateProcess

• 0x4342e0 - CloseHandle

Library USER32.dll:

• 0x43430c - GetWindowThreadProcessId

• 0x434310 - SetCursor

• 0x434314 - PostQuitMessage

• 0x434318 - GetMessageA

• 0x43431c - TranslateMessage

• 0x434320 - GetCursorPos

• 0x434324 - ValidateRect

• 0x434328 - ShowWindow

• 0x43432c - SetWindowTextA

• 0x434330 - IsDialogMessageA

• 0x434334 - SetDlgItemTextA

• 0x434338 - SetMenuItemBitmaps

• 0x43433c - GetMenuCheckMarkDimensions

• 0x434340 - LoadBitmapA

• 0x434344 - ModifyMenuA

• 0x434348 - EnableMenuItem

• 0x43434c - CheckMenuItem

• 0x434350 - RegisterWindowMessageA

• 0x434354 - SendDlgItemMessageA

• 0x434358 - WinHelpA

• 0x43435c - GetCapture

• 0x434360 - SetWindowsHookExA

• 0x434364 - CallNextHookEx

• 0x434368 - GetClassLongA

• 0x43436c - GetClassNameA

• 0x434370 - SetPropA

• 0x434374 - GetPropA

• 0x434378 - RemovePropA

• 0x43437c - GetFocus

• 0x434380 - SetFocus

• 0x434384 - GetWindowTextA

• 0x434388 - GetForegroundWindow

• 0x43438c - GetLastActivePopup

• 0x434390 - DispatchMessageA

• 0x434394 - GetTopWindow

• 0x434398 - GetMessageTime

• 0x43439c - GetMessagePos

• 0x4343a0 - PeekMessageA

• 0x4343a4 - MapWindowPoints

• 0x4343a8 - GetKeyState

• 0x4343ac - SetForegroundWindow

• 0x4343b0 - IsWindowVisible

• 0x4343b4 - UpdateWindow

• 0x4343b8 - GetMenu

• 0x4343bc - GetClassInfoExA

• 0x4343c0 - GetClassInfoA

• 0x4343c4 - RegisterClassA

• 0x4343c8 - AdjustWindowRectEx

• 0x4343cc - CopyRect

• 0x4343d0 - PtInRect

• 0x4343d4 - GetDlgCtrlID

• 0x4343d8 - DefWindowProcA

• 0x4343dc - CallWindowProcA

• 0x4343e0 - SetWindowLongA

• 0x4343e4 - SetWindowPos

• 0x4343e8 - SystemParametersInfoA

• 0x4343ec - GetWindowPlacement

• 0x4343f0 - GetWindow

• 0x4343f4 - GetSysColor

• 0x4343f8 - EndPaint

• 0x4343fc - BeginPaint

• 0x434400 - ClientToScreen

• 0x434404 - GrayStringA

• 0x434408 - DrawTextExA

• 0x43440c - DrawTextA

• 0x434410 - TabbedTextOutA

• 0x434414 - GetDesktopWindow

• 0x434418 - GetActiveWindow

• 0x43441c - SetActiveWindow

• 0x434420 - CreateDialogIndirectParamA

• 0x434424 - DestroyWindow

• 0x434428 - GetWindowLongA

• 0x43442c - GetDlgItem

• 0x434430 - IsWindowEnabled

• 0x434434 - GetNextDlgTabItem

• 0x434438 - EndDialog

• 0x43443c - DestroyMenu

• 0x434440 - UnregisterClassA

• 0x434444 - LoadCursorA

• 0x434448 - GetSysColorBrush

• 0x43444c - UnhookWindowsHookEx

• 0x434450 - GetMenuState

• 0x434454 - GetMenuItemID

• 0x434458 - GetMenuItemCount

• 0x43445c - GetSubMenu

• 0x434460 - GetSystemMetrics

• 0x434464 - LoadIconA

• 0x434468 - IsIconic

• 0x43446c - DrawIcon

• 0x434470 - CharUpperA

• 0x434474 - CharNextA

• 0x434478 - MessageBoxA

• 0x43447c - wsprintfA

• 0x434480 - IsWindow

• 0x434484 - PostMessageA

• 0x434488 - AdjustWindowRect

• 0x43448c - EnableWindow

• 0x434490 - GetParent

• 0x434494 - ReleaseDC

• 0x434498 - GetDC

• 0x43449c - GetClientRect

• 0x4344a0 - GetWindowRect

• 0x4344a4 - SendMessageA

• 0x4344a8 - GetDialogBaseUnits

• 0x4344ac - CreateWindowExA

Library GDI32.dll:

• 0x43402c - ScaleWindowExtEx

• 0x434030 - DeleteDC

• 0x434034 - CreateBitmap

• 0x434038 - GetStockObject

• 0x43403c - SetWindowExtEx

• 0x434040 - GetObjectA

• 0x434044 - ScaleViewportExtEx

• 0x434048 - SetViewportExtEx

• 0x43404c - OffsetViewportOrgEx

• 0x434050 - SetViewportOrgEx

• 0x434054 - SelectObject

• 0x434058 - Escape

• 0x43405c - ExtTextOutA

• 0x434060 - TextOutA

• 0x434064 - RectVisible

• 0x434068 - GetTextExtentPoint32A

• 0x43406c - DeleteObject

• 0x434070 - GetClipBox

• 0x434074 - SetMapMode

• 0x434078 - SetTextColor

• 0x43407c - SetBkColor

• 0x434080 - RestoreDC

• 0x434084 - SaveDC

• 0x434088 - GetDeviceCaps

• 0x43408c - PtVisible

Library WINSPOOL.DRV:

• 0x4344b4 - OpenPrinterA

• 0x4344b8 - DocumentPropertiesA

• 0x4344bc - ClosePrinter

Library ADVAPI32.dll:

• 0x434000 - RegQueryValueA

• 0x434004 - RegEnumKeyA

• 0x434008 - RegDeleteKeyA

• 0x43400c - RegOpenKeyA

• 0x434010 - RegDeleteValueA

• 0x434014 - RegCreateKeyExA

• 0x434018 - RegSetValueExA

• 0x43401c - RegOpenKeyExA

• 0x434020 - RegCloseKey

• 0x434024 - RegQueryValueExA

Library SHLWAPI.dll:

• 0x4342f8 - PathIsUNCA

• 0x4342fc - PathFindFileNameA

• 0x434300 - PathFindExtensionA

• 0x434304 - PathStripToRootA

Library OLEAUT32.dll:

• 0x4342e8 - VariantClear

• 0x4342ec - VariantChangeType

• 0x4342f0 - VariantInit

Library WS2_32.dll:

• 0x4344c4 - ntohl

• 0x4344c8 - ntohs

• 0x4344cc - htonl

• 0x4344d0 - htons

Exports

Strings

Dropped Files

42be94bab0111ded_Patch.01

File name	42be94bab0111ded_Patch.01
File size	2425708 bytes
File type	data
MD5	d3d414ce1a43dae0eee61a613813dbf9
SHA1	cb96391c52b820262650baa91b49aa0328569022
SHA256	42be94bab0111ded2730fd2cba45071ae23fff9f11ca42e2ebdee3d159127174
SHA512	8144135eaea96c514c8a1c6cfc9506ff932221954323020bbeb697b42420745be2023356d56b471ae3acb92c6635d1c8de8d1cf23e574abff611631a5b89438d
Ssdeep	12288:CgJObitclFvmW9ZTgIJh1FSLpMKqv28iCwSBPoSvlr6CzRcTsSRfH/Nz4M89u6RR:CgLtclFv59ZTzJh1FEpD804xiTLd4/R
Yara	embedded_win_api (A non-Windows executable contains win32 API functions names) Str_Win32_Winsock2_Library (Match Winsock 2 API library declaration) Str_Win32_Wininet_Library (Match Windows Inet API library declaration) Str_Win32_Internet_API (Match Windows Inet API call) Str_Win32_Http_API (Match Windows Http API call) shellcode (Matched shellcode byte patterns)

1f1ed621f3b7eb31_Patch.00

File name	1f1ed621f3b7eb31_Patch.00
File size	5242880 bytes
File type	data
MD5	89dcd95e6e66c973e9ddd369394fd023
SHA1	61d6666f8abe4e9a8765ae4ddbe31cb235ae3213
SHA256	1f1ed621f3b7eb31b336701ef8074e3bca2ae4b8f6d6c36138a8296c71ae13a2
SHA512	bca6b36442a7f57c541292c10d4178c166cde0dfb5fc8b63e57549ce475778050b0cfa5f24dc228a61c6398f09b369612f9ac952e4afe9ba65bfce70ddd490ff
Ssdeep	98304:l9ZR9ZFxp67tA2Q3eWvLrpoPhKBKyIykYxdf+kOJ3GZycpeb2FoY4:lBVxp655KpoPhOK9BYTf+kOJ3GZycMCS
Yara	embedded_pe (Contains an embedded PE32 file) shellcode (Matched shellcode byte patterns)

340a6b129e1bbf80_koeiuc.bat

783fde13717cb1a0_f2681d6ad59708f4535f5fcc9ca21b6c132ddf57.exe

File name	783fde13717cb1a0_f2681d6ad59708f4535f5fcc9ca21b6c132ddf57.exe
File size	3477696 bytes
File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5	42820c54cd983a041e39abda2f06d7ad
SHA1	f2681d6ad59708f4535f5fcc9ca21b6c132ddf57
SHA256	783fde13717cb1a05ae10a2834efe3d17e8120fb46bff839b7aa3ac301bd2b9d
SHA512	a0ea9f21d123b1124d503fb1cd59d74f2c4f64fbbff46aba19206e555483436f6d1d76642348a478c4ede29b63f097fb2af4da9c6671a1c32faeb0cd0fdea293
Ssdeep	98304:mg0pZjV1/pPDN2/b4Bb/N4rTAXLEpv0wUmD/Sre84utiL:10H5NCjryLqv0Imre8ViL
Yara	Str_Win32_Winsock2_Library (Match Winsock 2 API library declaration)

da04cddba3977bfb_koeipatch.dat

File name	da04cddba3977bfb_koeipatch.dat
File size	7668588 bytes
File type	data
MD5	04e26773d2d5eeaea70eacdb0c3345e2
SHA1	5e6a3588f2cf72d68cc2a55c9d53390243c4e22e
SHA256	da04cddba3977bfbc6a34fbe265543b3cca0ae2d70e4029a8ab38cec1e7136cd
SHA512	4e3638f4bcf13913a586cb0dcc11737d17d1f0e75468b79624ff174247744b64a2de172b36e1bbc96f5acac57941ff89892cc6d61182a82a6a79990bbc017a0b
Ssdeep	196608:lBVxp655KpoPhOK9BYTf+kOJ3GZycMCBpFFz:lBVx8HMNY+t
Yara	embedded_pe (Contains an embedded PE32 file) embedded_win_api (A non-Windows executable contains win32 API functions names) Str_Win32_Winsock2_Library (Match Winsock 2 API library declaration) Str_Win32_Wininet_Library (Match Windows Inet API library declaration) Str_Win32_Internet_API (Match Windows Inet API call) Str_Win32_Http_API (Match Windows Http API call) shellcode (Matched shellcode byte patterns)

Network Analysis

Hosts Involved

DNS Requests

Behavior Summary

File-Read

C:\Users\Harry Dresden\AppData\Local\Temp\koeipatch.dat
C:\Users\Harry Dresden\AppData\Local\Temp\f2681d6ad59708f4535f5fcc9ca21b6c132ddf57.exe
C:\Windows\Fonts\staticcache.dat
C:\Users\Harry Dresden\AppData\Local\Temp\koeiuc.bat

File-Written

C:\Users\Harry Dresden\AppData\Local\Temp\koeipatch.dat
C:\Users\Harry Dresden\AppData\Local\Temp\Patch.00
C:\Users\Harry Dresden\AppData\Local\Temp\Patch.01
C:\Users\Harry Dresden\AppData\Local\Temp\koeiuc.bat

File-Deleted

C:\Users\Harry Dresden\AppData\Local\Temp\koeipatch.dat
C:\Users\Harry Dresden\AppData\Local\Temp\Patch.00
C:\Users\Harry Dresden\AppData\Local\Temp\Patch.01
C:\Users\Harry Dresden\AppData\Local\Temp\f2681d6ad59708f4535f5fcc9ca21b6c132ddf57.exe
C:\Users\Harry Dresden\AppData\Local\Temp\koeiuc.bat

File-Opened

C:\Users\Harry Dresden\AppData\Local\Temp\koeipatch.dat
C:\Users\Harry Dresden\AppData\Local\Temp\f2681d6ad59708f4535f5fcc9ca21b6c132ddf57.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Users\Harry Dresden\AppData\Local\Temp\koeiuc.bat
C:\

Directory-Enumerated

C:\Users\Harry Dresden
C:\Users\Harry Dresden\AppData\Local\Temp
C:\Users\Harry Dresden\AppData
C:\Users\Harry Dresden\AppData\Local
C:\Users
C:\Users\Harry Dresden
C:\Users\Harry Dresden\AppData\Local\Temp\f2681d6ad59708f4535f5fcc9ca21b6c132ddf57.exe
C:\Users\Harry Dresden\AppData\Local\Temp
C:\Users\Harry Dresden\AppData\Local
C:\Users
C:\Users\Harry Dresden\AppData\Local\Temp\koeiuc.bat
C:\Users\Harry Dresden\AppData

Registry Key-Opened

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS UI Gothic
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
HKEY_CURRENT_USER\Software\KOEI\Nobunaga Online Tc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\f2681d6ad59708f4535f5fcc9ca21b6c132ddf57.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor

Registry Key-Read

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetConnectDisconnect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\f2681d6ad59708f4535f5fcc9ca21b6c132ddf57.exe" PID: 1072, Parent PID: 2696

C:\Windows\system32\cmd.exe /c C:\Users\HARRYD~1\AppData\Local\Temp\koeiuc.bat PID: 4556, Parent PID: 1072

Volatility

Nothing to display.

LegalCopyright:	(C)2004-2016 KOEI TECMO GAMES CO., LTD. All rights reserved.
InternalName:	UpdaterCore.exe
FileVersion:	1.0.18.0
CompanyName:	KOEI TECMO GAMES CO., LTD.
ProductName:	Updater
ProductVersion:	1.0.18.0
FileDescription:	Updater
OriginalFilename:	UpdaterCore.exe
Translation:	0x0404 0x04b0

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x00032875	0x00033000	6.63739895626
.rdata	0x00034000	0x0000c507	0x0000d000	5.61572055809
.data	0x00041000	0x0000653c	0x00003000	3.01233734117
.rsrc	0x00048000	0x00003c68	0x00004000	4.58571751515

Ordinal	Address	Name
1	0x40ca20	_KPKD_Decode@20
2	0x40cb70	_KPKD_FileDecode@16
3	0x40cb40	_KPKD_Free@4
4	0x40c8a0	_KPKD_MemoryDecode@24

Domain	IP Address
teredo.ipv6.microsoft.com	67.195.61.46
dns.msftncsi.com	131.107.255.255
ipv6.msftncsi.com

IP Address
40.69.40.157
8.8.8.8