File Emergency Exit Map.exe

Size 408.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3e57cc19d2338e9985446c43abcad67a
SHA1 7ae15846e0b13e44ccbbb0c2d84d6bbf5d3ad870
SHA256 48dbf8faf9f506a3f697a5cc8c8aab81bbaf0fc13127dea46f9501e1674ee1d0
SHA512 67a19eb47b101241eb0d03d13fdd8d0912b1f4c59ecb88294d0e287db8be85c74a6f751a5c39ddb440cb7bc285852e782413d17b6c0d2e0a6f4097e0b8b4a658
CRC32 7E50FC4B
ssdeep 6144:CTyODxyIbliw7Xv4/iN8Uzof83Dc8vBka:Ey1IgATNtzaF8vBka
PDB Path c:\Smile\us\feet\Bit\StraightState.pdb
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01006_MASM_TASM___sig4__h__ - [MASM/TASM - sig4 (h)]
  • PEiD_01007_MASM_TASM___sig4__h__ - [MASM/TASM - sig4 (h)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_mutex - Create or check mutex
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • VC8_Microsoft_Corporation -
  • Microsoft_Visual_Cpp_8 -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -

Score

This file shows some signs of potential malicious behavior.

The score of this file is 1.4 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category: FILE
Started: March 13, 2019, 4:38 a.m.
Completed: March 13, 2019, 4:42 a.m.
Duration: 254 seconds
Logs: (none)

Machine

Name: win7x64
Label: win7x64
Started On: 2019-03-13 04:38:22
Shutdown On: 2019-03-13 04:42:37

Analyzer Log

2019-03-12 21:38:21,046 [analyzer] DEBUG: Starting analyzer from: C:\xgmzqnq
2019-03-12 21:38:21,124 [analyzer] DEBUG: Pipe server name: \\.\PIPE\KSRBzYKIDxfBHIYMjKEekHbLxjLzWKt
2019-03-12 21:38:21,124 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\TleKbfqRiLmOXrPQM
2019-03-12 21:38:23,339 [analyzer] DEBUG: Started auxiliary module Disguise
2019-03-12 21:38:23,792 [analyzer] DEBUG: Loaded monitor into process with pid 508
2019-03-12 21:38:23,792 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-03-12 21:38:23,792 [analyzer] DEBUG: Started auxiliary module Human
2019-03-12 21:38:23,792 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-03-12 21:38:23,792 [analyzer] WARNING: Cannot execute auxiliary module Reboot: [Errno 2] No such file or directory: 'C:\\xgmzqnq\\reboot.json'
2019-03-12 21:38:24,042 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-03-12 21:38:24,042 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2019-03-12 21:38:24,042 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-03-12 21:38:24,042 [analyzer] INFO: No process IDs returned by the package, running for the full timeout.
2019-03-12 21:42:26,404 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-03-12 21:42:26,404 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-03-12 21:42:26,404 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-03-13 04:38:22,238 [lib.cuckoo.core.scheduler] INFO: File already exists at "/opt/cuckoo/storage/binaries/48dbf8faf9f506a3f697a5cc8c8aab81bbaf0fc13127dea46f9501e1674ee1d0"
2019-03-13 04:38:22,267 [lib.cuckoo.core.scheduler] INFO: Task #1647: acquired machine win7x64 (label=win7x64)
2019-03-13 04:38:22,359 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 5288 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/1647/dump.pcap)
2019-03-13 04:38:28,156 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2019-03-13 04:38:44,210 [modules.auxiliary.reboot] ERROR: Reboot analysis is not backwards compatible with the Old Agent, please upgrade your target machine (<Machine('1','win7x64')>) to the New Agent to use the reboot analysis capabilities.
2019-03-13 04:42:36,232 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2019-03-13 04:42:37,561 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-03-13 04:42:39,129 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f580ad0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-13 04:42:39,130 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2019-03-13 04:42:39,131 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2019-03-13 04:42:39,132 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2019-03-13 04:42:39,132 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f580250>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f580250>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable has a PDB path (1 event)
pdb_path c:\Smile\us\feet\Bit\StraightState.pdb
The executable has PE anomalies (could be a false positive) (2 events)
section _RDATA
section .gfids
File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)
MicroWorld-eScan Trojan.GenericKD.41031122
McAfee RDN/Generic PWS.y
K7AntiVirus Trojan ( 005481f51 )
K7GW Trojan ( 005481f51 )
Symantec Trojan.Gen.2
Paloalto generic.ml
Kaspersky Trojan-Spy.Win32.Ursnif.agso
BitDefender Trojan.GenericKD.41031122
NANO-Antivirus Trojan.Win32.Ursnif.fnjziu
ViRobot Trojan.Win32.Z.Ursnif.418304
AegisLab Trojan.Win32.Ursnif.4!c
Ad-Aware Trojan.GenericKD.41031122
Sophos Mal/Generic-S
Comodo Malware@#221b5oc570bea
DrWeb Trojan.PWS.Papras.3654
McAfee-GW-Edition RDN/Generic PWS.y
Emsisoft Trojan.GenericKD.41031122 (B)
Ikarus Trojan.Crypt
Webroot W32.Trojan.Gen
Avira TR/Kryptik.ofukv
MAX malware (ai score=82)
Antiy-AVL Trojan[Spy]/Win32.Ursnif
Microsoft Trojan:Win32/Ursnif.AD!MTB
Arcabit Trojan.Generic.D27215D2
ZoneAlarm Trojan-Spy.Win32.Ursnif.agso
GData Trojan.GenericKD.41031122
ALYac Trojan.GenericKD.41031122
Panda Trj/CI.A
ESET-NOD32 a variant of Win32/Kryptik.GPXS
Tencent Win32.Trojan-spy.Ursnif.Lmbf
SentinelOne static engine - malicious
Fortinet W32/GenKryptik.DAAY!tr
AVG Win32:Trojan-gen
Avast Win32:Trojan-gen
CrowdStrike win/malicious_confidence_90% (W)
Qihoo-360 Win32/Trojan.Spy.8aa

Screenshots

No screenshots available.

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

PE Compile Time

2017-02-19 06:52:48

PDB Path

c:\Smile\us\feet\Bit\StraightState.pdb

Version Infos

LegalCopyright Strong
FileVersion 1.7.23.86
CompanyName Student_home
LegalTrademarks Yard machine Stationshare island act
ProductName Hightail
ProductVersion 1.7.23.86
FileDescription Hightail
OriginalFilename angerday.exe
Translation 0x0409 0x04e4

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x000311e7 0x00031200 6.45111050873
.rdata 0x00033000 0x00007402 0x00007600 5.40911176335
.data 0x0003b000 0x00006c10 0x00000a00 2.36693450481
_RDATA 0x00042000 0x000040c4 0x00004200 5.55335553656
.gfids 0x00047000 0x000000e4 0x00000200 2.05251403368
.rsrc 0x00048000 0x00028720 0x00028800 3.92640339258

Imports

Library KERNEL32.dll:
0x433038 GetModuleFileNameA
0x433040 GetTempPathA
0x433044 DeleteFileA
0x433048 MoveFileA
0x433050 OpenMutexA
0x433054 CreateFileW
0x433058 DecodePointer
0x43305c WriteConsoleW
0x433060 SetFilePointerEx
0x433064 GetConsoleMode
0x433068 CreateMutexA
0x43306c FlushFileBuffers
0x433070 HeapReAlloc
0x433074 HeapSize
0x433078 GetStringTypeW
0x43307c GetFileType
0x433080 SetStdHandle
0x433084 LCMapStringW
0x433088 PeekNamedPipe
0x43308c DuplicateHandle
0x433090 Sleep
0x433094 ResetEvent
0x433098 GetCurrentThread
0x43309c CreateThread
0x4330a0 GetShortPathNameA
0x4330a4 GetProcessHeap
0x4330a8 HeapAlloc
0x4330ac VirtualProtect
0x4330b0 LocalFree
0x4330b4 GetConsoleCP
0x4330c0 GetCommandLineW
0x4330c4 GetCommandLineA
0x4330c8 GetCPInfo
0x4330cc GetOEMCP
0x4330d0 IsValidCodePage
0x4330d4 FindNextFileA
0x4330d8 FindFirstFileExA
0x4330dc FindClose
0x4330e0 CloseHandle
0x4330e4 HeapFree
0x4330e8 GetACP
0x4330ec GetModuleHandleExW
0x4330f0 ExitProcess
0x4330f4 WideCharToMultiByte
0x4330f8 MultiByteToWideChar
0x4330fc WriteFile
0x433100 GetStdHandle
0x433110 SetLastError
0x433114 RtlUnwind
0x433118 LoadLibraryExW
0x43311c GetProcAddress
0x433120 LocalAlloc
0x433124 FreeLibrary
0x433128 TlsFree
0x43312c TlsSetValue
0x433130 TlsGetValue
0x433134 TlsAlloc
0x43313c RaiseException
0x433144 GetCurrentProcessId
0x433148 GetCurrentThreadId
0x433150 InitializeSListHead
0x433154 IsDebuggerPresent
0x433160 GetStartupInfoW
0x433168 GetModuleHandleW
0x43316c GetCurrentProcess
0x433170 TerminateProcess
0x433174 GetLastError
0x433178 GetModuleFileNameW
Library USER32.dll:
0x433198 GetWindowTextA
0x43319c GetSysColor
0x4331a0 EnumChildWindows
0x4331a4 FindWindowA
0x4331a8 GetClassNameA
0x4331ac GetDC
0x4331b0 ShowWindow
0x4331b4 GetMessagePos
0x4331b8 UnregisterHotKey
0x4331bc TranslateMessage
0x4331c4 UpdateWindow
0x4331c8 CreateMenu
0x4331cc GetAsyncKeyState
0x4331d0 DeferWindowPos
0x4331d4 BeginDeferWindowPos
Library WINSPOOL.DRV:
0x4331dc OpenPrinterA
0x4331e0 GetPrinterA
0x4331e4 DocumentPropertiesA
0x4331e8 ClosePrinter
0x4331ec EnumPrintersA
Library COMCTL32.dll:
0x433008 ImageList_Destroy
0x433010 None
0x433014 CreateToolbarEx
0x433018 PropertySheetA
0x433020 None
Library COMDLG32.dll:
0x433028 GetOpenFileNameA
0x43302c GetSaveFileNameA
0x433030 ReplaceTextA
Library ole32.dll:
0x433270 CoTaskMemAlloc
0x433274 CoTaskMemFree
0x433278 CoUninitialize
0x43327c CoInitialize
Library SHLWAPI.dll:
0x433180 PathStripPathA
0x433184 UrlEscapeA
0x433188 PathRemoveBlanksA
0x433190 PathRemoveArgsA
Library ADVAPI32.dll:
0x433000 SystemFunction036

Antivirus Signature
Bkav Clean
MicroWorld-eScan Trojan.GenericKD.41031122
CMC Clean
CAT-QuickHeal Clean
McAfee RDN/Generic PWS.y
Malwarebytes Clean
SUPERAntiSpyware Clean
TheHacker Clean
BitDefender Trojan.GenericKD.41031122
K7GW Trojan ( 005481f51 )
K7AntiVirus Trojan ( 005481f51 )
Arcabit Trojan.Generic.D27215D2
Baidu Clean
NANO-Antivirus Trojan.Win32.Ursnif.fnjziu
Cyren Clean
Symantec Trojan.Gen.2
TotalDefense Clean
Paloalto generic.ml
ClamAV Clean
Kaspersky Trojan-Spy.Win32.Ursnif.agso
Alibaba Clean
Babable Clean
AegisLab Trojan.Win32.Ursnif.4!c
Avast Win32:Trojan-gen
Ad-Aware Trojan.GenericKD.41031122
Trustlook Clean
Emsisoft Trojan.GenericKD.41031122 (B)
Comodo Malware@#221b5oc570bea
F-Secure Clean
DrWeb Trojan.PWS.Papras.3654
VIPRE Clean
Invincea Clean
McAfee-GW-Edition RDN/Generic PWS.y
Trapmine Clean
Sophos Mal/Generic-S
SentinelOne static engine - malicious
F-Prot Clean
Jiangmin Clean
Webroot W32.Trojan.Gen
Avira TR/Kryptik.ofukv
Fortinet W32/GenKryptik.DAAY!tr
Antiy-AVL Trojan[Spy]/Win32.Ursnif
Kingsoft Clean
Microsoft Trojan:Win32/Ursnif.AD!MTB
ViRobot Trojan.Win32.Z.Ursnif.418304
ZoneAlarm Trojan-Spy.Win32.Ursnif.agso
Avast-Mobile Clean
TACHYON Clean
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Trojan.GenericKD.41031122
MAX malware (ai score=82)
Zoner Clean
ESET-NOD32 a variant of Win32/Kryptik.GPXS
Tencent Win32.Trojan-spy.Ursnif.Lmbf
Yandex Clean
Ikarus Trojan.Crypt
eGambit Clean
GData Trojan.GenericKD.41031122
AVG Win32:Trojan-gen
Cybereason Clean
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_90% (W)
Qihoo-360 Win32/Trojan.Spy.8aa

Process Tree


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.109 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.
Task ID 1647
Mongo ID 5c88c27f11d30812ab7216e8
Cuckoo release 2.0-dev