File yuan - fsg.exe

Size 5.5KB Resubmit sample
Type MS-DOS executable
MD5 3efad313425f6baf243c9aea75a3b7da
SHA1 2422abd0ecf08b8f15379fddc8fc7a0ab39883c8
SHA256 ccabb6b8257a8eed9c8ad4df148109d092b9e1036d6bf4005ddaf394eb571219
SHA512
c4737b18837e4d94ac8656f83c9e24a1fafac3b398f005c2b25102107d3652d3e10ea9742c4aae97eed73b7d5864da2864718e2694bf013e228082bf4de95517
CRC32 37D01236
ssdeep 96:53cGePRFMWlEPOr4gdjaumPgk+lAj5Q6aLQME14YWtQOSle1L5HuOHlYQJhW:tcGePRFMWSuHYPSbcMYhWOe1ltFYQJhW
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • HasModified_DOS_Message - DOS Message Check
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • PEiD_00843_FSG_v2_0____bart_xt_ - [FSG v2.0 -> bart/xt]
  • PEiD_00844_FSG_v2_0_ - [FSG v2.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • FSGv20 -
  • maldoc_suspicious_strings -

Score

This file shows some signs of potential malicious behavior.

The score of this file is 1.4 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Analysis
Compare analysis to ... Export analysis Reboot analysis

Category Started Completed Duration Logs
FILE Jan. 22, 2019, 5:45 a.m. Jan. 22, 2019, 5:46 a.m. 28 seconds

Machine

Name Label Started On Shutdown On
win7x64 win7x64 2019-01-22 05:45:57 2019-01-22 05:46:25

Analyzer Log

2019-01-21 21:45:56,062 [analyzer] DEBUG: Starting analyzer from: C:\ztiwmlzwpg
2019-01-21 21:45:56,108 [analyzer] DEBUG: Pipe server name: \\.\PIPE\RawIKrafxjyGCkVRmqFnhwjjEjcjDS
2019-01-21 21:45:56,108 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\NyXUdTlmrTFFfqRt
2019-01-21 21:45:56,108 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-21 21:45:56,108 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-21 21:45:58,073 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-21 21:45:58,667 [analyzer] DEBUG: Loaded monitor into process with pid 508
2019-01-21 21:45:58,683 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-21 21:45:58,683 [analyzer] DEBUG: Started auxiliary module Human
2019-01-21 21:45:58,683 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-21 21:45:58,683 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-21 21:45:58,947 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-21 21:45:58,947 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2019-01-21 21:45:58,947 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-21 21:45:59,276 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\zamen\\AppData\\Local\\Temp\\yuan - fsg.exe' with arguments '' and pid 2348
2019-01-21 21:45:59,650 [analyzer] DEBUG: Loaded monitor into process with pid 2348
2019-01-21 21:45:59,852 [analyzer] DEBUG: Received request to inject pid=2348, but we are already injected there.
2019-01-21 21:46:01,319 [analyzer] INFO: Added new file to list with pid 2348 and path \Device\NamedPipe\wkssvc
2019-01-21 21:46:01,365 [analyzer] INFO: Added new file to list with pid 2348 and path \Device\NamedPipe\lsass
2019-01-21 21:46:03,065 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 21:46:08,884 [lib.api.process] INFO: Memory dump of process with pid 2348 completed
2019-01-21 21:46:09,477 [analyzer] INFO: Process with pid 2348 has terminated
2019-01-21 21:46:09,477 [analyzer] INFO: Process list is empty, terminating analysis.
2019-01-21 21:46:10,492 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-21 21:46:10,492 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\lsass'" does not exist, skip.
2019-01-21 21:46:10,492 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\wkssvc'" does not exist, skip.
2019-01-21 21:46:10,492 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-22 05:45:57,431 [lib.cuckoo.core.scheduler] INFO: Task #1203: acquired machine win7x64 (label=win7x64)
2019-01-22 05:45:57,455 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 12294 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/1203/dump.pcap)
2019-01-22 05:46:02,107 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2019-01-22 05:46:24,980 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2019-01-22 05:46:26,548 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-22 05:46:26,560 [modules.processing.network] ERROR: Unable to open /opt/cuckoo/storage/analyses/1203/dump_sorted.pcap
2019-01-22 05:46:28,787 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f6a3650>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-22 05:46:28,788 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f6a37d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-22 05:46:28,789 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f6a3090>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-22 05:46:28,789 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f6a3e10>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-22 05:46:28,790 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f6a3e10>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f6a3e10>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

The executable has PE anomalies (could be a false positive) (1 event)
section
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
Jan. 22, 2019, 12:46 a.m.
__exception__
stacktrace: 
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x75dab727
registers.esp: 1636640
registers.edi: 8509176
registers.eax: 1636640
registers.ebp: 1636720
registers.edx: 0
registers.ebx: 8509176
registers.esi: 8509176
registers.ecx: 2
success 0 0
File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)
MicroWorld-eScan Gen:Trojan.Heur.aiedsaRIXllb
CMC Packed.Win32.TDSS!O
Cylance Unsafe
BitDefender Gen:Trojan.Heur.aiedsaRIXllb
K7GW Trojan ( 005376ae1 )
K7AntiVirus Trojan ( 005376ae1 )
F-Prot W32/Heuristic-162!Eldorado
GData Gen:Trojan.Heur.aiedsaRIXllb
AegisLab Trojan.Win32.Agent.ldG6
Rising Trojan.Zpevdo!8.F912/N3#93% (RDM+:cmRtazrgF/lgm1NRYpttjb7w3Kyl)
Ad-Aware Gen:Trojan.Heur.aiedsaRIXllb
Sophos Mal/Behav-160
Comodo TrojWare.Win32.Patched.KSU@5t5qg6
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Generic.zh
Trapmine malicious.high.ml.score
Emsisoft Gen:Trojan.Heur.aiedsaRIXllb (B)
SentinelOne static engine - malicious
Cyren W32/Heuristic-162!Eldorado
Avira TR/Crypt.FKM.Gen
Microsoft Trojan:Win32/Fuerboos.C!cl
Endgame malicious (high confidence)
SUPERAntiSpyware Trojan.Agent/Gen-FSG
Acronis suspicious
MAX malware (ai score=87)
Arcabit Trojan.Heur.aiedsaRIXllb
Yandex Packed/FSG
eGambit Unsafe.AI_Score_99%
Cybereason malicious.3425f6
CrowdStrike malicious_confidence_100% (D)
Qihoo-360 Win32/Trojan.a64

Screenshots

No screenshots available.

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process yuan - fsg.exe (2348)

  • Opened files

    • C:\Windows\System32\netapi32.dll
    • C:\Windows\Globalization\Sorting\sortdefault.nls
    • \\?\PIPE\wkssvc
    • C:\Windows\SysWOW64\activeds.tlb
    • C:\Windows\System32\advapi32.dll
    • \\?\PIPE\lsarpc
    • C:\Windows\System32\crypt32.dll
    • C:\Windows\System32\en-US\ACTIVEDS.dll.mui
    • \\?\PIPE\samr
    • C:\Windows\SysWOW64\wshom.ocx
    • C:\Windows\SysWOW64\stdole2.tlb

  • Written files

    • \\?\PIPE\wkssvc
    • \\?\PIPE\samr
    • \\?\PIPE\lsarpc

  • Files Read

    • C:\Windows\SysWOW64\activeds.tlb
    • \\?\PIPE\wkssvc
    • \\?\PIPE\samr
    • \\?\PIPE\lsarpc
    • C:\Windows\SysWOW64\wshom.ocx
    • C:\Windows\SysWOW64\stdole2.tlb

Process yuan - fsg.exe (2348)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Help
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\HTML Help

  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\HTML Help\.HLP
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\Parameters\ExpectedDialupDelay
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}\ProgID\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}\InProcServer32\ThreadingModel
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WScript.Network\CLSID\(Default)
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{97D25DB0-0363-11CF-ABC4-02608C9E7553}\1.0\0\win32\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\Parameters\AllowSingleLabelDnsDomain
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}\InProcServer32\InprocServer32
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Help\.HLP
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinNT\CLSID\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey

Process yuan - fsg.exe (2348)

Process yuan - fsg.exe (2348)

Process yuan - fsg.exe (2348)

  • DLLs Loaded

    • ADVAPI32.dll
    • C:\Windows\system32\kernel32.dll
    • cscapi.dll
    • SXS.DLL
    • C:\Windows\syswow64\MSCTF.dll
    • kernel32.dll
    • DNSAPI.dll
    • C:\Windows\system32\asycfilt.dll
    • C:\Windows\system32\vb6chs.dll
    • CRYPTBASE.dll
    • OLEAUT32.DLL
    • netutils.dll
    • WS2_32.dll
    • dwmapi.dll
    • RPCRT4.dll
    • C:\Windows\system32\ole32.dll
    • MSVBVM60.DLL
    • CRYPTSP.dll
    • CLBCatQ.DLL
    • USER32.DLL
    • OLEAUT32.dll
No static analysis available.
KERNEL32.dll
R&k!d}
$My TES
|,$%P5
L}F560QP
icture1
J9FInJ6f
(B+7%
chs.dql
oIkI|*xC
C:\Prosg
am Files
x86)\M
etRandomvM
vb9aV1r
yEWdP?O
mC.l4p
4$Q#HM
V#$:"x4<e
$%F|3<
d!d~LM
9Bu-60>
CIc*os
m)64tMb
16j"yrY
ZlGas^
LoadLibraryA
GetProcAddress
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
080404B0
CompanyName
Microsoft
ProductName
FileVersion
ProductVersion
InternalName
OriginalFilename
Antivirus Signature
Bkav Clean
K7AntiVirus Trojan ( 005376ae1 )
MicroWorld-eScan Gen:Trojan.Heur.aiedsaRIXllb
CMC Packed.Win32.TDSS!O
CAT-QuickHeal Clean
McAfee Clean
Cylance Unsafe
SUPERAntiSpyware Trojan.Agent/Gen-FSG
TheHacker Clean
Alibaba Clean
K7GW Trojan ( 005376ae1 )
Trustlook Clean
Arcabit Trojan.Heur.aiedsaRIXllb
Invincea heuristic
Baidu Clean
NANO-Antivirus Clean
F-Prot W32/Heuristic-162!Eldorado
Symantec Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
BitDefender Gen:Trojan.Heur.aiedsaRIXllb
Babable Clean
AegisLab Trojan.Win32.Agent.ldG6
Tencent Clean
Ad-Aware Gen:Trojan.Heur.aiedsaRIXllb
Emsisoft Gen:Trojan.Heur.aiedsaRIXllb (B)
Comodo TrojWare.Win32.Patched.KSU@5t5qg6
F-Secure Clean
DrWeb Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition BehavesLike.Win32.Generic.zh
Trapmine malicious.high.ml.score
Sophos Mal/Behav-160
Paloalto Clean
Cyren W32/Heuristic-162!Eldorado
Jiangmin Clean
Webroot Clean
Avira TR/Crypt.FKM.Gen
Antiy-AVL Clean
Kingsoft Clean
Endgame malicious (high confidence)
Microsoft Trojan:Win32/Fuerboos.C!cl
ViRobot Clean
ZoneAlarm Clean
Avast-Mobile Clean
GData Gen:Trojan.Heur.aiedsaRIXllb
TACHYON Clean
AhnLab-V3 Clean
Acronis suspicious
VBA32 Clean
ALYac Clean
MAX malware (ai score=87)
Malwarebytes Clean
Zoner Clean
Rising Trojan.Zpevdo!8.F912/N3#93% (RDM+:cmRtazrgF/lgm1NRYpttjb7w3Kyl)
Yandex Packed/FSG
SentinelOne static engine - malicious
eGambit Unsafe.AI_Score_99%
Fortinet Clean
AVG Clean
Cybereason malicious.3425f6
Panda Clean
CrowdStrike malicious_confidence_100% (D)
Qihoo-360 Win32/Trojan.a64

Process Tree

yuan - fsg.exe, PID: 2348, Parent PID: 2324

default registry file network process services synchronisation iexplore office pdf

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 8d7783cf0e17fa2a_~DFCFB9E2E5349CA3A9.TMP
Download Submit file
Filepath C:\Users\zamen\AppData\Local\Temp\~DFCFB9E2E5349CA3A9.TMP
Size 3.0KB
Type Composite Document File V2 Document, No summary info
MD5 0b0678569b40f2cd30330caf4360d669
SHA1 79c46577b0b85cf0200260601d04f506ff949b7d
SHA256 8d7783cf0e17fa2aa6358549bffc43079fe957fdd65fd59425bcaa5593921d96
CRC32 95CBCAD7
ssdeep 6:rl91bxbt+r+CFQXKHlh9Xa9Xh9XR5+HlEij3pp:rl3b/+PFQKF7G7OFEiTpp
Yara
  • maldoc_OLE_file_magic_number -
VirusTotal Search for analysis
Sorry! No dropped buffers.
Task ID 1203
Mongo ID 5c46f48511d30812ab71f250
Cuckoo release 2.0-dev