2.9
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.71
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:TrojanX-gen [Trj] | 20200501 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Kryptik.ld | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200503 | 2013.8.14.323 |
| McAfee | Upatre-FACH!0BF98FB66659 | 20200503 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b9cf0a | 20200503 | 1.0.0.1 |
静态指标
查询计算机名称
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545277.844125 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
|
1727545278.218625 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
检查进程是否被调试器调试
(2 个事件)
动态指标
连接到动态 DNS 域
(1 个事件)
| domain | checkip.dyndns.org |
分配可读-可写-可执行内存(通常用于自解压)
(2 个事件)
查找外部 IP 地址
(1 个事件)
| domain | checkip.dyndns.org |
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\doveejy.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\doveejy.exe |
网络通信
与未执行 DNS 查询的主机进行通信
(3 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
| host | 109.86.226.85 | |||
文件已被 VirusTotal 上 57 个反病毒引擎识别为恶意
(50 out of 57 个事件)
| APEX | Malicious |
| AVG | Win32:TrojanX-gen [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Trojan.Ipatre.1 |
| AhnLab-V3 | Trojan/Win32.Upatre.R158710 |
| Antiy-AVL | Trojan/Win32.AGeneric |
| Arcabit | Trojan.Ipatre.1 |
| Avast | Win32:TrojanX-gen [Trj] |
| Avira | TR/Spy.Zbot.sbboqv |
| Baidu | Win32.Trojan.Kryptik.ld |
| BitDefender | Gen:Trojan.Ipatre.1 |
| BitDefenderTheta | Gen:NN.ZexaF.34108.fm1@aurDiXlc |
| Bkav | W32.AIDetectVM.malware2 |
| ClamAV | Win.Downloader.Upatre-5744092-0 |
| Comodo | TrojWare.Win32.TrojanDownloader.Upatre.SMO@5tencg |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.666596 |
| Cyren | W32/Upatre.CA.gen!Eldorado |
| DrWeb | Trojan.DownLoader14.62433 |
| ESET-NOD32 | a variant of Win32/Kryptik.DQIH |
| Emsisoft | Gen:Trojan.Ipatre.1 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Upatre.CA.gen!Eldorado |
| F-Secure | Trojan.TR/Spy.Zbot.sbboqv |
| FireEye | Generic.mg.0bf98fb666596352 |
| Fortinet | W32/Kryptik.DQAA!tr |
| GData | Win32.Trojan.Kryptik.CE |
| Invincea | heuristic |
| Jiangmin | Trojan/Generic.bhhra |
| K7AntiVirus | Trojan ( 0050e3271 ) |
| K7GW | Trojan ( 0050e3271 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=80) |
| Malwarebytes | Trojan.Downloader |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | Upatre-FACH!0BF98FB66659 |
| MicroWorld-eScan | Gen:Trojan.Ipatre.1 |
| Microsoft | TrojanDownloader:Win32/Upatre.BV |
| NANO-Antivirus | Trojan.Win32.Dwn.dufblq |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM09.0.F8BC.Malware.Gen |
| Rising | Downloader.Upatre!8.B5 (TFE:dGZlOgXGQ+j5KsDZWg) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Upatre |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Dyreza-HK |
| Symantec | Downloader.Upatre!gen5 |
| Tencent | Malware.Win32.Gencirc.10b9cf0a |
| Trapmine | malicious.high.ml.score |
| TrendMicro | TROJ_UPATRE.SM37 |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(4 个事件)
| dead_host | 192.168.56.101:49164 |
| dead_host | 132.226.247.73:80 |
| dead_host | 192.168.56.101:49165 |
| dead_host | 109.86.226.85:443 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2013-05-24 14:33:25
PE Imphash
e0db9493366ea7231ec184554e4ce365
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00008d28 | 0x00008e00 | 6.7998665103439135 |
| .data | 0x0000a000 | 0x000051e4 | 0x00005200 | 5.00200375958216 |
| .rsrc | 0x00010000 | 0x00004e38 | 0x00005000 | 5.059856649045159 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_CURSOR | 0x00014850 | 0x00000134 | LANG_BELARUSIAN | SUBLANG_DEFAULT | None |
| RT_CURSOR | 0x00014850 | 0x00000134 | LANG_BELARUSIAN | SUBLANG_DEFAULT | None |
| RT_BITMAP | 0x00014668 | 0x00000098 | LANG_BELARUSIAN | SUBLANG_DEFAULT | None |
| RT_BITMAP | 0x00014668 | 0x00000098 | LANG_BELARUSIAN | SUBLANG_DEFAULT | None |
| RT_ICON | 0x00010348 | 0x00004228 | LANG_BELARUSIAN | SUBLANG_DEFAULT | None |
| RT_DIALOG | 0x000102e0 | 0x00000066 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_CURSOR | 0x00014988 | 0x00000014 | LANG_BELARUSIAN | SUBLANG_DEFAULT | None |
| RT_GROUP_CURSOR | 0x00014988 | 0x00000014 | LANG_BELARUSIAN | SUBLANG_DEFAULT | None |
| RT_GROUP_ICON | 0x00014570 | 0x00000014 | LANG_BELARUSIAN | SUBLANG_DEFAULT | None |
| RT_VERSION | 0x00014bb0 | 0x00000284 | LANG_BELARUSIAN | SUBLANG_DEFAULT | None |
| RT_MANIFEST | 0x000149a0 | 0x0000020c | LANG_BELARUSIAN | SUBLANG_DEFAULT | None |
Imports
Library USER32.dll:
• 0x40a128 LoadStringA
• 0x40a12c LoadIconA
• 0x40a130 RegisterClassExA
• 0x40a134 GetMessageA
• 0x40a138 TranslateMessage
• 0x40a13c DispatchMessageA
• 0x40a140 PostQuitMessage
• 0x40a144 SetWindowTextA
• 0x40a148 SendMessageA
• 0x40a14c DefWindowProcA
• 0x40a150 PostMessageA
• 0x40a154 CreateWindowExA
• 0x40a158 ShowWindow
• 0x40a15c UpdateWindow
Library KERNEL32.dll:
• 0x40a018 GetStringTypeW
• 0x40a01c GetStringTypeA
• 0x40a020 LCMapStringW
• 0x40a024 LCMapStringA
• 0x40a028 GetLocaleInfoA
• 0x40a02c MultiByteToWideChar
• 0x40a030 SizeofResource
• 0x40a034 GetDateFormatA
• 0x40a038 GetTimeFormatA
• 0x40a03c FindResourceA
• 0x40a040 LockResource
• 0x40a044 LoadResource
• 0x40a048 LoadLibraryA
• 0x40a04c lstrcpyA
• 0x40a050 SetLastError
• 0x40a054 HeapSize
• 0x40a058 GetFileType
• 0x40a05c GetCommandLineA
• 0x40a060 HeapFree
• 0x40a064 GetVersionExA
• 0x40a068 HeapAlloc
• 0x40a06c GetProcessHeap
• 0x40a070 GetStartupInfoA
• 0x40a074 GetProcAddress
• 0x40a078 GetModuleHandleA
• 0x40a07c ExitProcess
• 0x40a080 WriteFile
• 0x40a084 GetStdHandle
• 0x40a088 GetModuleFileNameA
• 0x40a08c UnhandledExceptionFilter
• 0x40a090 FreeEnvironmentStringsA
• 0x40a094 GetEnvironmentStrings
• 0x40a098 FreeEnvironmentStringsW
• 0x40a09c WideCharToMultiByte
• 0x40a0a0 GetLastError
• 0x40a0a4 GetEnvironmentStringsW
• 0x40a0a8 SetHandleCount
• 0x40a0ac DeleteCriticalSection
• 0x40a0b0 TlsGetValue
• 0x40a0b4 TlsAlloc
• 0x40a0b8 TlsSetValue
• 0x40a0bc TlsFree
• 0x40a0c0 InterlockedIncrement
• 0x40a0c4 GetCurrentThreadId
• 0x40a0c8 InterlockedDecrement
• 0x40a0cc HeapDestroy
• 0x40a0d0 HeapCreate
• 0x40a0d4 VirtualFree
• 0x40a0d8 QueryPerformanceCounter
• 0x40a0dc GetTickCount
• 0x40a0e0 GetCurrentProcessId
• 0x40a0e4 GetSystemTimeAsFileTime
• 0x40a0e8 RaiseException
• 0x40a0ec LeaveCriticalSection
• 0x40a0f0 EnterCriticalSection
• 0x40a0f4 TerminateProcess
• 0x40a0f8 GetCurrentProcess
• 0x40a0fc SetUnhandledExceptionFilter
• 0x40a100 IsDebuggerPresent
• 0x40a104 InitializeCriticalSection
• 0x40a108 GetCPInfo
• 0x40a10c GetACP
• 0x40a110 GetOEMCP
• 0x40a114 Sleep
• 0x40a118 VirtualAlloc
• 0x40a11c HeapReAlloc
• 0x40a120 RtlUnwind
Library COMCTL32.dll:
• 0x40a010 InitCommonControlsEx
L!This program cannot be run in DOS mode.
7"aich
`.data
VVVVVk
3PPPPPgk
@<Yv8V$m
3VVVVV$k
VVVVVj
;t%t j
Y^hS=@
3@VW3t$
YYu-9D$
u_^U @
Zf1Af0A@@Jui
@;vFF~
M_^3[Bo
S3;VWt
^0SSSSS
ui;cuX
GHuGHHGH
Au^H9E
_^[]VW3x@
r_^Vt$
+EPRQL
u@@u@t
(;r3_^[UU3H_@
GGGGE+
VW395@
8_^[]U
3]SUVt$
P_^][U
YSUVt$
3;Wto=@
;t^9(uZ
;tD9(u@
Y_^][UQVW
ttutt@
PuVF8%
MQVuPUTuUDuUDuh
W3}WuWWWWWuWU4WU0
WVP}3/fEU
MVWQ_3
^]USVu
3_^[];t
^0SSSSSd
SUVW=@
SSS+S@PVSSD$4
t#SSUPt$$VSS
DUVWbT
_^][YYjTh
Ej(j ^V
3FRj(j
;rF9=@
u(Mu$u u
MOI;|9 M
3@_^[UWVE
P_][^S
Y+KWZ|(
9x "U$X(
]|ux}tf
f]pfElfehfmd
;YY=0@
E>=Yt/j
tJVUP7
SSSSSC
3Y]_^[50@
EPQEPEj
Map[VW3j
3;v.jX3;E
WWWWW.
;uL9=|@
SI VW}
HD9#U#
MLD3#u
]#\D\D
VPLYYE
S3;VWt
^0SSSSS]
3_^[UTVu
jiVjdh
Y;uSEP-Y;t
WWWWW9
Fpt"~l
YYt:V5@
_^VWh@
;r_^j h8@
Y+t"+t
+td+uD!}
3PPPPPM
u@OdMGd
u wdSUY
EYF`[_^U
u$Mu u
;r3Wh$@
13_V5t@
YYt4V5@
7YYuTVWhE@
8&x8F+>
RK,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,q,qB
(w("to
,xi?s[
v,Z#k$v{
k /#w{
k, u( @2Ya@6Yi
F(xk`/@j[{
Rz cZ6,xDfY*.
"Td(zu+/p,:k->"yNJdOJd
L"(JNl8INF(UJ
{ IE/#xi$
>D/(,xI
5=%-k8|/6@*/B
/Y6UwM),.B*[QB
#&"u({
-illhhx{ b
[QIU{1
@n[aL+/uK
h6/ypB
<iD OU
J{IINJB#xINJ6n
bRJ"{/StOU
biH 7#
F~6r/yh
D[y/z.
/:i4/6
/y<w,/6U
/Yi"ui6Yikx=a
i`.[.8@u1j1
h-Q6[iL" kx-b
4.[a*/y`J6
YZ^,x@z
/.ixU
Y\i`.[.
YiBV/y|C.
$(6&/y\g>1.T 6
Ig>)P}L
[G=ag>9rF-xk(.
z./ydg>1wM
[Q@bik
! I)}}0/{Na$/Y6Yii6/yx w
/"F0*"kd=aV/y|C.?1.
j7} bYs9[i#[Y
kP,xi.
L{/y<B
6z-/S`BBi8xF,x
U+ u/bIU{{/
Z,x6[i6[)BVd/t
PYv$;5
-WWuuj
6PWu.(
t`][9}
WWWWVuWu
;YYEt+WWVPVuWu
uFYEe_^[M3$
F$|3@_^
QY}SYE;
]5V+YE;t'CH;r
SGESPk
9}uH;u
E;t CH;r
t4VYt vVY
YU SVW>39
u;tm95(@
Y;t%MQj
u3EP=Yt
SSSSSz
Vj jdh
Vj jdh
P3_^[]
WWWWW3
Y}SXYE;t
uUEPSS}S
=?sJMsB
;r6P;Yt)UEP
@@@u@@uutt
u@@@tt
ZJFRFXu
3SEEESX5
PZ+t Q3
FlvlYE
Mu^FF#
NMIIII
Virt^_
@@@uu@tu
3j`hp@
MPQ%YY
3F95P@
VW39=@
t.t$<"u
u_^UQM
FA>\t>"u&
UQQVE3PuuYt
VVVVVh
VVVVVM
1E3PeuEEEEd
Y__^[]Q
S\$ UVs
L$ St^Dm
L$(9csmu*=@
E3E3;u
Wt1t'P8
GWpYYF
QSUVW5@
,;YYr|+
rpV7;YsJ
;r;Pt$
3_^][YVj
YHU$X(
]|ux}tf
f]pfElfehfmd
+PR(YYt+@$
tAt2t$
ANu_^][U$d
8]tEMap<u
E`p[UWVu
DDDDDDDDDDDDDD
t7t3V0;t(W8
VJY^3;
URPQQh
t;T$4t
;v.4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
8csmu*x
Wu8SS3GWh@
39]$SSu
;~Ej3X
3;tAuVWuu
3;tuSW
PWu u u
e_^[M3)UQQ@
SV3;Wu:EP3FVh@
39] SSu
ESpEYu39]
e_^[M3qU
6v v$v(v,
vX{v\sv`kvdcvh[vlSvpKvtCvx;v|3@
VuY^UV3PPPPPPPPU
$s ^UV3PPPPPPPPU
$sF ^UWVu
DDDDDDDDDDDDDD
^_USVWUj
P(RP$R
t:|$,t
;t$,v-4v
UQPXY]Y[
0;u,DWWWWW
u,9uv'E
E`p3[_^UWVSM
B:t6t:t't
B^_[% @
HOLY SHIT MY
GARDEN'S ON FIRE!!
Anonymous #10
I just read a list of "the 100 things to do before yo
Langoback
button
Lobster
richedit
static
Sisanof
Masher
united
richerd
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
HOLY SHIT MY
GARDEN'S ON FIRE!!
GK-MOJ6EI@?I9
@JE#5.
J8=1=J6"8"=
L!'FJFC
K12B9
O*71C&
2 1.0AD GO"
&MI>G =,E
A,1''%#5
!H"50(&2
FDOM8-@
$ 1EG,
&:8O9/
5:MZ<x5D
D'3/).L5(
; M/" -/.%@/O
>JA>-F5M
&60!.I
<7.G,C$
2 4")
3;<F9I$6
"> 4@C
(;:G:?
)E"( 7
@29-:I+
J1"F6-
,16#=
0<I(02
4KO#;;
8?.2J7
AO0BN:=
A8 "%-!
KN16F+N'
87<IJ2
HOLY SHIT MY
GARDEN'S ON FIRE!!
Anonymous #10
just read a list of "the 100 things to do before yo
8=0J'3
(4!@7K
/*'61F
AG-AO8::16
G.E"O9
/;! &0>
I G/5D
>%NJ8L
1.=F6/<DFM?
+/6N#&K
JK;J*KJM
AIL;16
&?8+.=8/**2J(;
)84DK+!F
I.)H<
$%$# B!
rhink probably skdlskfm asdwEF AWFSDFSDF SSFDSDFIUUH it was quite an attractive
Noredunet
Riched32.DLL
bad allocation
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
Unknown exception
InitializeCriticalSectionAndSpinCount
kernel32.dll
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
UpdateWindow
ShowWindow
CreateWindowExA
PostMessageA
DefWindowProcA
SendMessageA
SetWindowTextA
PostQuitMessage
DispatchMessageA
TranslateMessage
GetMessageA
RegisterClassExA
LoadIconA
LoadStringA
USER32.dll
SizeofResource
GetDateFormatA
GetTimeFormatA
FindResourceA
LockResource
LoadResource
LoadLibraryA
lstrcpyA
SetLastError
KERNEL32.dll
InitCommonControlsEx
COMCTL32.dll
RegQueryValueExA
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
GetProcessHeap
GetStartupInfoA
GetProcAddress
GetModuleHandleA
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
HeapDestroy
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
RaiseException
LeaveCriticalSection
EnterCriticalSection
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
IsDebuggerPresent
InitializeCriticalSection
GetCPInfo
GetACP
GetOEMCP
VirtualAlloc
HeapReAlloc
RtlUnwind
HeapSize
MultiByteToWideChar
GetLocaleInfoA
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
8ISZ3:
owqumpmpqsqwo|p
o|ovqumorwqwqwqxqwryrysxtxrxryuyrqrr
}}{{{{
||yuvtoptopsoormn}}
{vunijokj{{
&!.!. ,!, ,
*!54;*4
0!-#2#4 ,!,!, ,", , ,!.
&!0!/!/"1!. )
"!-!1!/!1!/!/"/!/!/#0
!( *$0!/!/#0!/!/
!%3!/#0!/!/!0!/!0!0 -#/
$%"+#1"0"/"/"0
!,"-$,
"/#/"/"/#1"/#0"/#2!.
$/%3$/".".$/ )%5
%cohsegc_-.
!,"-PYgsgkhk47 *"1!+
hsgrltkrlqMT
'"."/".".#/"."/".#0"2
&.&3%0#.#/#.$/)7". * +'5&/'5#1+6&2'5%2".#2 *"/%7*7#.+8#/%1$3%3)6&3#.$/#.#0#.#.$.#.$0#/
&.'5$1#,$,#,&3'3$,").>.>'6*7&0#+"+(62@.>.;+:%1 '"+%1)70@+5+7(5&2'2&/&0%/&0%/%/&0%/&1'1
UUUUUUUUUp
DDDDUU
DDDDUU
DDDDUU
UUUwwww
UUUUUUUUUU(
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.2.81"
processorArchitecture="X86"
name="MissFuture"
type="win32"/>
<description>MissFuture</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="asInvoker"
uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
@�I�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�@�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � �h�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �H�
@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�
M�i�s�s�F�u�t�u�r�e�
M�S� �S�a�n�s� �S�e�r�i�f�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�2�A�9�5�8�1�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�s�s�F�u�t�u�r�e�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
M�i�s�s�F�u�t�u�r�e�
F�i�l�e�V�e�r�s�i�o�n�
1�.�1�.�3�.�3�2�
I�n�t�e�r�n�a�l�N�a�m�e�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
P�r�o�d�u�c�t�N�a�m�e�
M�i�s�s�F�u�t�u�r�e�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
C�:�\�j�a�q�J�q�z�o�1�.�e�x�e�
C�:�\�a�4�5�1�f�6�b�c�2�6�9�2�1�7�6�c�e�4�9�8�5�5�d�b�6�b�4�8�8�d�6�7�0�0�e�2�9�0�9�7�e�7�1�1�7�1�6�e�a�0�5�4�5�e�e�8�f�d�d�8�3�9�1�a�
C�:�\�2�a�c�0�3�4�1�a�a�1�e�e�6�f�0�4�4�d�1�c�6�6�7�b�e�9�0�5�5�8�5�6�a�0�4�f�9�0�6�6�e�8�a�2�9�9�e�c�9�4�d�9�b�3�d�4�a�2�d�2�e�8�e�a�
C�:�\�1�5�3�5�9�6�8�b�d�6�0�2�f�2�8�4�d�c�4�e�5�0�9�6�7�e�2�9�8�d�a�d�7�4�0�3�a�4�5�b�8�7�e�0�4�e�c�4�2�7�8�4�8�b�0�8�3�8�e�b�8�0�f�d�
C�:�\�n�T�f�q�8�M�K�5�.�e�x�e�
C�:�\�3�r�z�g�J�J�m�m�.�e�x�e�
C�:�\�P�L�t�l�D�E�T�9�.�e�x�e�
C�:�\�5�F�p�9�m�T�k�h�.�e�x�e�
C�:�\�B�h�G�z�9�T�C�g�.�e�x�e�
C�:�\�t�X�G�m�Z�f�q�H�.�e�x�e�
C�:�\�e�Y�3�v�u�s�o�1�.�e�x�e�
C�:�\�E�L�K�b�P�Q�l�t�.�e�x�e�
C�:�\�j�Y�f�a�I�H�Q�z�.�e�x�e�
C�:�\�H�k�P�1�T�1�D�4�.�e�x�e�
C�:�\�E�y�9�p�x�F�g�H�.�e�x�e�
C�:�\�w�c�B�0�T�1�M�_�.�e�x�e�
C�:�\�8�V�G�y�X�Z�E�V�.�e�x�e�
C�:�\�f�7�b�b�f�2�2�7�d�d�0�4�1�f�2�b�7�4�e�f�3�3�f�a�4�4�c�c�d�a�8�5�b�5�6�f�7�5�1�f�d�9�9�1�d�5�1�a�a�b�3�2�b�a�5�3�0�4�4�b�8�8�f�a�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�d�o�v�e�e�j�y�.�e�x�e�
C�:�\�1�9�0�e�b�a�e�a�2�2�6�9�c�2�3�7�b�f�c�a�c�f�c�1�5�9�e�e�b�9�1�4�d�4�8�7�c�f�1�0�8�7�0�b�c�7�a�2�c�3�2�7�e�d�a�c�a�3�5�3�f�6�5�b�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�d�o�v�e�e�j�y�.�e�x�e�
C�:�\�U�s�e�r�s�\�J�o�e� �C�a�g�e�\�D�e�s�k�t�o�p�\�g�M�p�1�c�n�4�U�a�P�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�c�e�d�8�b�6�1�0�a�7�f�6�e�0�c�3�d�7�a�0�0�7�2�a�d�a�4�c�a�0�e�9�.�v�i�r�u�s�.�e�x�e�
C�:�\�0�2�3�8�2�3�4�a�a�2�1�1�5�8�d�5�c�1�e�e�6�b�c�f�8�d�0�2�c�a�9�f�0�c�6�6�8�3�e�9�2�2�8�2�4�7�7�9�f�4�3�e�6�f�d�1�7�7�0�f�0�1�6�2�
C�:�\�d�5�2�7�c�3�5�8�4�c�e�8�4�6�a�5�1�5�a�a�5�f�4�6�5�d�6�9�b�6�5�8�b�1�1�c�d�c�1�c�a�5�7�a�d�3�3�8�9�7�3�3�a�e�3�d�9�8�1�9�5�d�9�5�
C�:�\�9�4�9�5�1�9�c�e�e�6�5�a�2�f�9�2�7�f�4�9�6�8�d�3�3�8�0�3�b�b�f�1�6�e�1�8�2�7�8�5�1�f�5�1�e�b�8�1�c�3�0�5�7�7�b�0�8�a�5�5�4�6�a�4�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�d�o�v�e�e�j�y�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�4�d�3�3�7�e�3�2�9�8�5�a�1�7�f�c�5�b�4�b�7�6�a�c�8�1�d�d�3�7�e�f�4�4�c�5�f�9�e�e�9�a�5�f�d�9�2�e�e�d�0�3�e�1�0�b�9�f�7�0�2�6�b�c�.�e�x�e�
C�:�\�9�1�0�1�4�a�c�9�a�1�8�e�a�d�b�4�9�d�7�6�c�1�b�c�d�c�4�8�6�c�2�b�6�f�b�9�a�e�6�3�1�3�b�9�e�7�5�0�2�3�2�d�6�e�f�e�4�b�1�5�9�1�3�c�
C�:�\�1�8�4�9�f�5�6�6�7�1�c�3�3�3�f�3�f�1�7�a�2�d�8�a�a�e�7�4�b�b�8�a�b�b�8�1�1�5�4�1�6�d�2�7�0�8�7�f�1�7�3�b�0�d�6�d�5�f�3�c�a�0�3�e�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�d�o�v�e�e�j�y�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�c�d�5�d�2�6�c�2�4�9�f�f�1�b�a�b�_�d�o�v�e�e�j�y�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�a�b�0�0�0�f�6�a�d�4�b�f�a�d�3�d�1�c�1�1�f�9�a�0�9�0�0�3�7�2�6�4�2�f�b�1�9�2�9�b�0�b�8�4�b�3�1�a�f�b�6�7�3�9�d�d�3�e�9�8�d�6�8�8�.�e�x�e�
C�:�\�c�8�1�e�a�9�c�f�3�d�b�6�4�b�a�9�a�d�d�4�5�4�f�4�b�a�6�c�3�f�b�8�d�6�5�b�a�b�7�c�4�d�3�2�4�2�8�3�b�8�6�2�8�0�b�f�b�6�d�f�8�2�8�c�
C�:�\�U�s�e�r�s�\�R�A�4�9�1�~�1�.�V�U�L�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�7�8�4�0�9�1�f�a�4�e�6�f�f�a�2�8�b�8�9�0�9�d�0�e�3�5�3�8�c�f�2�c�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�d�o�v�e�e�j�y�.�e�x�e�
C�:�\�9�0�d�3�4�1�1�6�9�7�b�d�2�0�0�3�e�c�f�8�b�e�4�b�9�b�6�8�e�2�c�e�b�b�5�3�3�3�5�2�6�4�e�7�3�c�2�d�c�b�a�9�5�2�0�f�e�d�5�c�9�d�b�4�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�d�o�v�e�e�j�y�.�e�x�e�
C�:�\�c�3�c�f�a�0�2�3�9�1�c�c�6�c�a�4�4�8�a�c�1�0�f�9�4�a�5�0�2�4�9�5�4�b�d�d�e�a�6�a�6�2�d�7�6�a�1�9�d�5�b�b�d�d�4�c�e�7�7�c�4�7�9�1�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�d�o�v�e�e�j�y�.�p�e�3�2�
C�:�\�2�1�1�c�8�9�a�a�6�f�8�3�d�5�a�d�1�0�0�5�c�3�0�7�0�9�a�c�5�a�8�b�1�b�0�5�1�d�b�5�c�a�7�d�a�7�3�1�a�e�5�1�7�2�d�9�b�2�d�b�d�9�9�8�
C�:�\�6�d�3�e�f�3�8�1�0�0�9�1�a�a�2�d�6�3�f�f�1�7�4�5�7�f�7�e�7�1�4�e�2�9�3�7�2�b�8�3�a�a�8�b�0�2�2�b�e�f�f�7�8�c�2�8�b�4�0�e�2�8�5�f�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�d�o�v�e�e�j�y�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�c�1�7�d�a�9�3�1�1�e�5�8�8�f�e�e�c�3�6�a�3�0�b�0�b�3�5�c�4�e�f�8�3�7�9�9�0�b�b�a�7�7�6�4�6�e�8�2�3�4�2�4�e�8�e�8�8�3�5�e�7�c�0�1�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�4�8�7�7�c�a�b�0�c�f�d�e�8�5�3�7�4�6�3�1�f�3�5�3�e�5�2�d�6�7�9�f�1�a�b�4�c�c�3�0�9�d�1�e�a�5�3�d�6�4�4�f�a�b�0�2�b�1�d�5�4�6�0�f�.�e�x�e�
C�:�\�2�6�0�b�b�a�c�a�b�8�1�c�5�4�b�4�9�2�1�2�2�c�0�1�6�c�4�5�4�7�3�4�2�1�8�d�3�2�d�8�6�d�6�7�3�5�8�f�7�1�b�2�3�f�f�3�6�c�3�5�8�9�b�5�
C�:�\�2�2�d�0�e�e�7�2�d�c�9�8�8�0�5�d�b�3�a�e�b�8�8�b�2�5�4�d�a�2�2�b�a�e�4�7�f�0�8�e�4�a�f�3�0�2�a�3�5�9�1�e�0�1�7�b�d�0�b�8�a�7�4�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�d�o�v�e�e�j�y�.�e�x�e�
C�:�\�b�a�9�9�5�9�5�6�0�e�4�6�9�d�4�9�4�6�b�7�3�d�b�6�f�0�1�c�1�3�8�9�5�9�0�9�a�e�e�8�6�3�2�1�0�d�7�9�7�c�2�5�2�a�2�0�c�5�b�0�6�a�f�9�
C�:�\�b�8�c�4�e�f�f�4�5�2�3�7�3�d�f�1�5�2�c�d�3�2�8�5�9�a�8�c�e�a�9�4�c�4�c�c�d�0�1�3�0�4�8�4�5�4�5�2�d�8�5�8�8�b�0�3�a�0�c�3�4�4�4�0�
C�:�\�1�2�f�2�a�6�6�e�d�e�d�c�4�2�e�8�e�8�e�3�5�c�0�f�1�5�1�b�1�0�3�e�c�1�5�d�7�7�3�6�5�d�0�3�5�7�2�a�c�2�1�6�0�e�e�4�a�9�5�7�8�8�8�5�
C�:�\�b�5�f�e�7�f�2�c�a�4�7�6�3�1�b�2�d�0�b�c�4�6�d�4�9�f�e�b�e�3�a�2�a�4�d�f�b�b�7�d�8�1�e�3�0�d�9�e�b�4�8�f�a�a�e�2�8�8�9�8�6�6�2�a�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�d�o�v�e�e�j�y�.�e�x�e�
C�:�\�d�b�d�0�8�a�d�8�c�6�c�b�d�a�4�2�1�e�9�3�c�5�0�b�b�b�7�7�5�5�4�9�2�a�1�7�d�9�7�8�4�9�b�5�e�f�1�4�4�8�f�2�b�b�9�a�2�0�b�c�f�4�d�8�
C�:�\�e�9�3�0�0�d�8�3�c�2�9�6�8�1�f�d�a�f�0�0�3�4�a�d�7�8�0�5�d�8�b�b�d�4�f�2�2�1�6�e�e�9�d�7�9�a�b�f�9�f�f�5�1�a�4�6�4�f�7�d�d�6�a�8�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�d�o�v�e�e�j�y�.�e�x�e�
C�:�\�a�5�2�4�9�9�0�a�1�f�a�4�c�6�c�7�1�2�6�9�c�a�8�1�a�e�5�7�3�3�2�1�3�b�4�3�d�f�b�2�5�5�f�b�9�b�7�5�6�4�8�d�0�9�3�5�8�7�b�3�2�1�6�1�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�d�o�v�e�e�j�y�.�e�x�e�
C�:�\�0�b�5�7�d�b�9�2�4�6�1�3�1�b�d�c�9�f�1�6�1�3�0�2�b�7�d�3�e�b�2�a�3�3�3�1�1�d�9�6�5�5�d�e�2�5�6�2�2�5�4�5�3�a�d�5�8�c�f�4�2�2�d�8�
C�:�\�1�6�8�8�e�8�1�2�0�6�d�2�c�a�4�4�f�f�4�2�e�4�e�3�f�d�c�4�6�0�8�8�0�4�8�f�2�f�a�4�a�2�b�6�4�a�9�2�2�9�4�7�2�9�7�b�4�8�c�8�a�c�f�9�
C�:�\�4�7�9�c�1�9�4�6�f�f�6�1�0�1�1�f�4�8�9�1�e�6�d�3�7�8�a�c�b�4�3�0�a�7�e�3�a�e�5�2�a�1�5�2�2�2�2�4�a�2�f�3�b�c�7�8�9�f�5�e�5�9�d�f�
C�:�\�c�4�a�9�1�9�4�8�5�a�9�c�3�c�e�1�9�e�3�f�0�c�0�6�1�b�a�f�8�8�3�e�a�b�3�0�9�2�f�6�7�0�3�d�3�a�1�7�c�2�c�f�0�b�3�2�8�4�2�9�c�6�0�2�
Process Tree
-
013c7e7277076b915eed59211219b40740803b778c2285832b5df72505d9b8f1.exe (1856)
"C:\Users\Administrator\AppData\Local\Temp\013c7e7277076b915eed59211219b40740803b778c2285832b5df72505d9b8f1.exe"
- doveejy.exe (2060) C:\Users\ADMINI~1\AppData\Local\Temp\doveejy.exe
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | 131.107.255.255 | |
| checkip.dyndns.org |
CNAME checkip.dyndns.com
A 132.226.247.73 A 132.226.8.169 A 193.122.6.168 |
193.122.130.0 |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49164 | 132.226.247.73 checkip.dyndns.org | 80 |
| 192.168.56.101 | 49165 | 132.226.247.73 checkip.dyndns.org | 80 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | a16ef3cc893b752a_doveejy.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\doveejy.exe |
| Size | 83.5KB |
| Processes | 1856 (013c7e7277076b915eed59211219b40740803b778c2285832b5df72505d9b8f1.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 16070cd27adf6240150a301bcfcfd32d |
| SHA1 | 844a7d0168d44ca3f98cfe5c5916e3c1772bde3e |
| SHA256 | a16ef3cc893b752a785ea7d66f7a2a6732f84d2cfe4bdb65b419850a53abd257 |
| CRC32 | DF0196DE |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.