3.6
中危
DACN
0.12
FACILE
1.00
IMCLNet
0.86
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Trojan-gen | 20200425 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Urelas.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200426 | 2013.8.14.323 |
| McAfee | GenericRXHS-PD!14A23337DF42 | 20200426 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b07aaf | 20200426 | 1.0.0.1 |
静态指标
检查进程是否被调试器调试
(1 个事件)
观察到命令行控制台输出
(16 个事件)
此可执行文件具有 PDB 路径
(1 个事件)
| pdb_path | D:\PMS\pms4\Project(20130920)\GolfProject\bin\GolfProject.pdb |
检查系统中的内存量,这可以用于检测可用内存较少的虚拟机
(1 个事件)
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(4 个事件)
在文件系统上创建可执行文件
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\yfobh.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\_uinsey.bat |
投放一个二进制文件并执行它
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\yfobh.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\_uinsey.bat |
将可执行文件投放到用户的 AppData 文件夹
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\yfobh.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\0329ffe76026e3fe911d2c08f3519f0759841b447ff4879bedb5e0c945d74be5.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.text', 'virtual_address': '0x00001000', 'virtual_size': '0x00032000', 'size_of_data': '0x00012200', 'entropy': 7.962400332994414} | entropy | 7.962400332994414 | description | 发现高熵的节 | |||||||||
| entropy | 0.9235668789808917 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(5 个事件)
| host | 74.125.34.46 | |||
| host | 114.114.114.114 | |||
| host | 218.54.31.226 | |||
| host | 1.234.83.146 | |||
| host | 218.54.31.165 | |||
从磁盘删除已执行的文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\_uinsey.bat |
文件已被 VirusTotal 上 59 个反病毒引擎识别为恶意
(50 out of 59 个事件)
| ALYac | Trojan.Generic.16165158 |
| APEX | Malicious |
| AVG | Win32:Trojan-gen |
| Acronis | suspicious |
| Ad-Aware | Trojan.Generic.16165158 |
| AhnLab-V3 | Backdoor/Win32.Plite.R83949 |
| Antiy-AVL | Trojan[Backdoor]/Win32.Unknown |
| Arcabit | Trojan.Generic.DF6A926 |
| Avast | Win32:Trojan-gen |
| Avira | HEUR/AGEN.1120724 |
| Baidu | Win32.Trojan.Urelas.a |
| BitDefender | Trojan.Generic.16165158 |
| BitDefenderTheta | Gen:NN.ZexaF.34106.fmYfa8JXkdei |
| Bkav | W32.AIDetectVM.malware2 |
| CMC | Trojan.Win32.Swisyn!O |
| ClamAV | Win.Trojan.Agent-1134793 |
| Comodo | TrojWare.Win32.Gupboot.AGQ@5t8mho |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.7df42f |
| Cylance | Unsafe |
| Cyren | W32/Urelas.E.gen!Eldorado |
| DrWeb | Trojan.AVKill.33592 |
| ESET-NOD32 | a variant of Win32/Urelas.S |
| Emsisoft | Trojan.Generic.16165158 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Threat-HLLIP.gen!Eldorado |
| F-Secure | Heuristic.HEUR/AGEN.1120724 |
| FireEye | Generic.mg.14a23337df42f348 |
| Fortinet | W32/Urelas.O!tr |
| GData | Trojan.Generic.16165158 |
| Ikarus | Trojan-Downloader.Win32.Dluca |
| Invincea | heuristic |
| Jiangmin | Trojan/Swisyn.wnd |
| K7AntiVirus | Trojan ( 00558cdc1 ) |
| K7GW | Trojan ( 00558cdc1 ) |
| Kaspersky | HEUR:Backdoor.Win32.Generic |
| MAX | malware (ai score=88) |
| Malwarebytes | Trojan.Urelas |
| MaxSecure | Win.MxResIcn.Heur.Gen |
| McAfee | GenericRXHS-PD!14A23337DF42 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.nc |
| MicroWorld-eScan | Trojan.Generic.16165158 |
| Microsoft | Trojan:Win32/Wacatac.D!ml |
| NANO-Antivirus | Trojan.Win32.Swisyn.dkozag |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM19.1.D173.Malware.Gen |
| Rising | Trojan.Gupboot!1.9CEA (CLASSIC) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Urelas-Z |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(3 个事件)
| dead_host | 218.54.31.226:11110 |
| dead_host | 1.234.83.146:11170 |
| dead_host | 218.54.31.165:11110 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2013-09-30 20:41:55
PDB Path
D:\PMS\pms4\Project(20130920)\GolfProject\bin\GolfProject.pdb
PE Imphash
22953c0222c374b5c6b3341a48df763b
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00032000 | 0x00012200 | 7.962400332994414 |
| .rsrc | 0x00033000 | 0x00002000 | 0x00001600 | 6.395397208448214 |
| .reloc | 0x00035000 | 0x00000200 | 0x00000200 | 0.2123006574398449 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0002f298 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_MENU | 0x0002f700 | 0x0000004a | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_DIALOG | 0x0002f750 | 0x0000026c | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_STRING | 0x0002f9c0 | 0x00000048 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ACCELERATOR | 0x0002fa08 | 0x00000010 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0002fa90 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0002fa90 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_MANIFEST | 0x00033508 | 0x0000015a | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library kernel32.dll:
• 0x433680 LoadLibraryA
• 0x433684 GetProcAddress
• 0x433688 VirtualAlloc
• 0x43368c VirtualFree
Library USER32.dll:
• 0x433694 LoadCursorW
Library ADVAPI32.dll:
• 0x43369c RegQueryValueExW
Library SHELL32.dll:
• 0x4336a4 ShellExecuteW
Library WS2_32.dll:
• 0x4336ac WSAStartup
Library IPHLPAPI.DLL:
• 0x4336b4 GetAdaptersInfo
L!This program cannot be run in DOS mode.
$]bw]bw]bwTwobwTwKbwTwbwz4
wPbw]cwbwTw[bwCw\bwTw\bwRich]bw
PEC2NO
.reloc
#$(|N\|f
@cva|1R.
@j3j1X
|OQ05+
V3a(A.-'BVT
@a(&yd"u3
aI:0v\
t(|1Gx
:Fmz`Dh+pl<t[
f:Gse?9
yNYDjl
]}%xJ)
SJ0 BS
nbT;EO\
^b0e3/Xe
a@QoFq
-j],#a
HDq)_L
ybT<sZiZ?,`ZXI4
>p<! m1dB
b9@vCt*.Cr
LUIzp$
"#xWSBfn( e,QlKl66>u5+Um8
f!Y2C)&
^fsh;P
PHw;G;
i(Dhvd
%M1t1*
EDgUh0W
!(L~%`
yj`FmR@
9NIx`9n@
+7nP9FE!B
9IrB$Z3\YDo7
.jpC.&
XWv@Y)\
)+-[ndP@
*XCJt1u
|5^m.I/h}3T3)
C\a^pDzVBLW\
w7><]R
_$S@0PK
"hAW\6
bA%l)t
HA`$2a+
wZUt7?sD
:^%Rv@
(B+]/$
vUPAAu
*)LT@0QQ"
_Cgg%%34Xt1
JZ0Eb.IN(
.^(w7FS5
Us "j8 e_l
ZZQG`!C_
,:6cP=Cmx
He_L7q"T
pZ%Tz]P"
V>8B:6dp]
]Lmk@L
)QVocGX
6.ZWYDo
o/CFn89j
P>Lno!&
_s#HwZ)8'i&g5ohJk"
G]`7IZ*
KMY8$V
L||F5LTiC
LVS+cJ
&@)\@1S
yG`$Xr?
[2\|(Z/ijOU'f
1(:TQzqL-xnP\I
I{sjs2_jl
? jH1E,
cQ:U<Z(nb"
D7se4JV3S#c+`
-0~A.;N
S8-+r_
GaGU[u&
(R6i!pnN
BElBb0
(EaF&
5@Pm;X \
$5AGI'q
+}FF[:!
uX ;H+Pij`)e0]
#W*aqW
Bd,M-yU7X
sO F> jAd
7;W@@H
(7G[D0N
tQt[.@
Ec~tO
UTAo5<[nd4
R"55aV >2eI]^r
S+/Kxr;
Hk}"6r$
F4MKo\5
Wfx~%.]sC"ksQ
a'T+rJ1
!svN8Nu
fWZ"ta'UR|E
"bK%Dz[6m_%(
O(>+zR
U])_3TW
|6'E\Y}X,
Y&ch;3
Uf@eHrZ
+isT5+33
"P-D FZ
fv"6k*+K+P
#w DN]
a5|a:S
r:vXyD
D7w=}4th
82b/eh,
W#I81q"
;5/sAG
4(t-Z@
!:fN1j|?
_Ah8|()
r]n=F~
1Zj *2V?,u
nZ&tvc
yQDcXlWL]
(QqP4$u
5)&$$E.u4
FZJ<rcZ
MGb!XF#
f !!1kV
H(y7BEx~
0hredF
?(yX,)
&b<yc*?`
f3#\7U
MMS)poQ --,&ST
Dn(bRw>=
F8hBw8J
Oj8$X,b
5Ps@hr
Ajc (UY
J$A38CP^bJ4T
/jLsK;7
zm@Zu&Zj
$t\6OLITLZ[
rKbMk.qZ
G@Vd@@
8[t:1C
G&.=<|K
(1P~gnzWr
1qILvm!
$!508/
?0}plW]*19:]d
n=G:G|_8~?8
E[=%AtT
Zq}p 7boE*~LQ
J&ve@B:"`a
tG)0Txv
A9-0 jt%C,
T@ vDxvY
Gn*_Yp
?R4 4E
qr lpp%
)\e|!MpDa@9
"PO/0c[
y'2u&D
'iNZ9#
vN"M(Lun/$1
Q*%H5Oq
#4MR#5u,aP
_teKv/
8:V/pjF+a
0J,E1cSEI
JH)jM@
V5Q8HM
t: !E%
RY<1i.?;;r @|
!*^0+ 6
lYFALj!
M.'(RtRhMq/
aG*np~+TA6
?#uI{"$
F!r z"
&9D^QWc^\3{
5x"pTr
T[h$)_Na
RR*` A-
TsY2Hn?Z
c"8 C]Yh7t$h8)4_U0;I
&sQ5';]
$;5` N
8^(I5Z
*%c`EWp
KUc?G Gv
Q[1BjM~t
$T|4R0/9-|R
7h"+u:
{XP!"
>t@zVN
JO8~z,W6\/~
$rkwfV+
@E<'X"Ww
DW@S(]
S_DE-*
vv?8&f
AQT)/_
2T6hP1
0!G!;V
j7'}7<$v*YY
?V ,FI<@T
PW&ph2P!}
j+",@E
(p=ZJPQ
E<e^6-1xUL
b-)K!&^
`x,# Mh
t0`u dH
DSScZQ
v>u[J"
A3"D04R
ad#&Fm_(\
Pm6DvN
rF%A(?{
E6~]R.gK]mr
l+)Y3B
i &AiLt
qBb[A}nc_(
k0<`k!D]IN
$yI-Q-?~u
KGvC%KE
o0E]"p2E
l5@:i/_XSp
GA[H8BXh
BBT0G*
E4 A=ljbz
v\PK%)
]nlN0Mgrp
pE^BX'5qb@
FA- B
+^eD}e
+_k\}/rH:(
S:eR]V5
5Z(a4t4R
J:Wi Z%
a^mv{*.%!D_Q
qZq}0R0BE
w}hDYC
Bg4`7p S
Vu@P W
+B<\9*+
EeQL9TZ
H*:*ED
W+4X|r
j8\.8FRI
$**rIa
0IhvAx-)
(DI.@N
}#&O#NX
ak<;DX
%Du90[#
/3+?twfh
+\> pu
f|'k*g
r@AJX~@I
oa9\Py7p
h!*~%s*
}4G!`oX
`.+Ev3
'^K|05
~TpHqfcoU _
Cuky,M9
T} fEH!a
zy*WxoZ
~hpN98
hHIUVe
j kEk]>
j<h0/R
4F(H%MB
}R=@DGH
[bs{wtc
X&yW@D*XY
S9 "@D WA
~o 2@MG,
)% P'F9B
J|d900(2
ZQLS\DwII@ (*:
lt`g"9A
JVe]Jp4
@fRD <d97
D+Cu=@
xmKB-d
,J"e_i
+2hvU_#pF>
o.}]^9yF @q
EGwP4!
<sFV2@V
!N \A:mbZ#.c
4sMuok
-uTu!B
.Y/L>>J]
\Z[%:>m/
RIP5`?V^<
`/`@$WV
cJ^ qUh
@XvTWo5*`^a~
HC^_HD_H``
6zo>+%
CD%8AsT
C"DQHH
Ve=&_wUO
$_/a1?`e -3
w[_k<qw
W87X.RK+W{
~B%}_Pd
R@H;9Z(c6sP
Z+QBpF
ah|%}1
b}/CO#;
nTN&/Nh7'
jI- bF/R
wcE5$>-+
i]Y"eFH9j
%AY+FU
q?Z:E0.YVW00C[/}
Tf CD:
u(tJup&X.BY
oq;c!)z
LHYY$p=Bus5
K)|`N0
yU6z}%_
u<ZB+;z
q/Lxp9?
5C&5 Gn
U$JM*uK- F
PMz@]e
EPVWw_
96ivgJ0c:jz6
+C(L10
w}E(5]@
N]69(_"
Z:RzuPA!b
)xEMBW]l.9%
oU-&Dm
dDLhiT@rN
0TegXT1x
~$-R-h)38RN?;Hb;ia
N-2SL]
g.!}R3W
2EUV)e
&l1H.~L_ed
0T2, K
+ }7/*.X$g
dQQH7q
x[=C;}gry
0_+Z+o
&>NeT:YE=
Q.L.zJ_U2T
(DK IM0
0\=W=X3
D3qIP1,Rx
+ud}>%
\6GF1e=)
I&:@u@
Nb/7( _VbQd
;h9p6ael8uzo(KN.8_
P|p]8p
NrEl+p}hVL
YTT\HGu*
#MD'`%]
Yq]|;aEx
Xu&HEhD
SH]6bP
<34\VEvT
J!=rB\Z
q4[@OJXi+/*@
U\AVze;5B?
yg#@I#9(wk;ic(V8
yFE\eF~E
.:M5TMSI@
upgDAmN+
DH}JmrP4
F<tdE
Aj5nF 0N
&>H*lbn'7
j~(K*(F
'-?stTGR-[N
3U?YrI
bH\FnQ
M qlsiL9?
v29"b}khFY
M.o6Rcr:
J VB0x
8(zR%2
!#\c@z~!z
HzM+3#]
xBF'v[E
*Af"9#
iX@ _z
sI>NZm8
)_qs}RS_Az&tG
zzTn'pMv9]
- rRos
giRB+^
a=kycEtDIH
@GphZW
bOS!#_
y]Dd]S)
C->>e)c#
RR*VB+
/wr9"[*
7"qoc~<
b?MJ_)
`!h<X VN(
@RH^7;
vH%n0idw
R%(M+\7>
+MNlST
UjvsD+
7z`W$0H
0h#8fC
k8u41Bo0_
RU$C71,#X
usgc\M,9 6@r3$
7PpG|$c4h
,7A; .R.T1
Bwl D| (
^aAh0S
WaI&U Y(#
~}ZD3kn6@
i06EG]
R"1/AC
X[e6 +9
o#3]8U4p
&]$@%e
FIV-j`GR
.QArG1,*ub
cc, .V`N
[,|b]g1-
WtmV7e BB
.8vYozPLa
A'agH"
'%e8m)Y
+pR%nh}))Y}
cA 2xIv)ZeL
U2+DBm{
++LVP3!\q
9_.V)GBSWF
5tY+AZU
@k(zXC
c$2JW1sg~
t"E0!u
%]|!r3
D16f[\fDM
BQWhZwSy
sRn*XT]g!JG[
|e(?"5#]@
_5L"+T
puUCX)
% 4U,_]
RP:GJ"1FR>%
e+^O$;O/
:N!#.@
X0+gR);I`
"Rq,PS~H
L*U4)~
\#? .]
IhX'pJ!G
gZ^&%Zf(sqQb(
$H.[m,o
bjJ.b"5\
oP;?pB
TV5@1"*V
XPpb[4i
D!U8@v
GgY"eu)(e,
jf%!sAH*Q;
&0[pt1
2+5T"d&)$B9fT
oFxPbk&1&6 %@
S^RhD6t
rI'+/T6UF+~)Su
|Ua/Cj8
pUc?H.
(WnLzs!
p:p2RE
<,sQ8$O!
$@cMal=a
L FHI2Fd
f]9pkbb<E(0
_J;{ 40xh384|x
UMj!7Bz
b*4EC:
J?Lz2~8p$
+&K{_P
[^C1,jXF_t=[zS
mE)|>."
jr)In=6X
K}pO!}%h@
<qqLZWM
q.H*+_
nB#@66>`@
Z~etC.L*
Y/&C2@
=]h23e4R$
C%quI;|8(
.%T&%=zDexP?r
FTS6"z&q
YQW^>EI9O
`LG,< "
"?1CA?@VN_
54Bic)
}w96 B
$zJs0S]`
-Nz9`l
6S:Z`(;hOE+9'C
K-%B81
C5gfS4
1%qNAnt*[
X'G>$u#Z0u3ZV?)O
C9M*IW.
b]#VYL |4986D)
`Jq/9I=_l'{L%
MP![)<EC$P
&Da}bD>=
@Mk*\?*uAh6uJ!-8
*Q \u5
YJ6VU:jz
WHA:{H
O(!A\F{
8zd(M_
ij6vZt
!,BjXH
y%D^exQ
W0#Jk=
a,*v71.y'
0R9"dG$ro
T@WIG0P*
SDk~KH
]`8hI+7
s._v*/NK]sADk
t2QB>_ g
r|kGkQ
Xm:RqUN9vBQ
4~DHuS
nE8"i|
d]2P)uq.
`@ZDY"4I
q@:AE$^Z
$}<0Xxc*
H n]\a
tbea.b
=amZQg
%KN*BoG
si* ~BJ
3c7fzlKOI
XZSv%O
Rg;Ho:
K~(}QvR*L
IG>0v2
p752r<
2`]~=.k
h"Ld,
mOTl;:%?
%l==v+&*J
Y 8cMZ
[TQ&`\.
Pax1hM"
+59 `8
,}9 O`.}"1ptK
G'''On
< X2X4)2L3g(!O
*OOU4X
l\npQ9
z.89~Z
sq{SqU
<F7|c"]5:
|.kSjmG
e^!Y1
8leS"9A}
XfDdXW|7
+AiRD8eo
d7J%zK
uIu_z|0
`AF*w`
Kj@dd4
:&e if
Q/wgYJ
:YXJzA3
5qy+u^T
"CTH:d?@
4t#AS~Q8
}!ELf59
@03t`/
d]m$(}[5z~wR
1mK`EK*5;=
S`IIe9/
LCKqr.
6Q#Ye!in
bP#g7=4)
('d]+X
u>1Ey24%VWyGH:b5O
fXUm|@K
oSMT:#uG
a}ePAA:PVrr2 J;+k~
8.Y=cHu
g`%+elP
@7KALdyX*[Io
<4,Qh'|~
wk/49{
;w^D T
v~bpP(
"pfXNcUR9(P
2u:+D jR
Y"]]wA
B?':mBG
q5fB3SE@*T
dUBVTRlk
Y!TjS*+
A!OYoh
d'Y62P(
<+S3Tu
6VVEe3m
jeg#882
/z#hZHQ
0-ou1K.
br49xnN^
-_~=?H
}8aw*;
ZeRzy4I0
N>HxTj
UVgZ!O`UJ.;"^]-
0 cTR:K
CsSkS'
Fwj H{
vKy5{}g
WfIv0A
B:;}T
z]/A`{(0
S4Q.z$
B vK0<4Q
hT B\%
$A$JxWCd
9:qV~%(
b\&"/$3
)I$dj]%+%>
ab*I()cI^
dP&)F:
C+$H]!M
QV=He 52
&^1Y`7
4_Q9op'1Dmv*u
j&'[31m
}4ZtK/3
uc|||656
?_vhX8
TjSl7Oa
A`Njjy8;x?t
{7PNoq
vw%tDgrdvBW<"
)a>MG5uPAb{w*G
$dc(Rw
E0W,&j N
C,LOOA
y1PvSU7"q=^^
IFoL[t(
"##e4]n2_
L~DecrEzdL%
ls1M?|Ce;;KT
o`;15zoJ{
C?]@j*
.RWHWS\
&?H&Uq]|Yd
/G/bYv
cdr.L=
@0J/^^
s,E`SC
g T>$<h-Y
bQ$$ty
j]he 58
Xkt#["
OY1#YHUBD
|$U`'9*
Jw4/.62+;-=
LS9 tG
bku5i*0
fr{&)sm
SDGvE~
Tj_\FY
Xbw_8lq
a4GYQUY3W*1
$6%Z_e
d?G%-:
|x6|`"
3BZUY'
+ll-4%$,(I
9UUZi?
xc@2WDlYl
z+< aOJ=w
*~+_et,
x6&`CfagW5^v
9fb[GE_JSN]
-_Db ~
E}sV-sYf]^ R
?yn?Ch1GEGH,U
(Z&\ -
s x2h5
4ttH{l
R"DP\q
~+%U$*z
ZI8P=~,
A}+[EQo A)
@(b)c
&`e#gA>
`8qaBo
J.rM_M4=l]
^Y?V)])+
s'l hA*
,hHZ:T
hB4]KTUQM
<n]*S,
&)'Pe6rg5bo@6YL|!CXpu,*l
ScZUPms
w]yyZ}F,B
<sB8*K
8I(\rKiq
K3]}*W
h[p=tb9Zw$
8 ?(J2
Lm*U"<m
I ,/<Ba
JhI!+-
aD_)h|m$7
8"`d!,
'Fdi@?Y=
NXB y0s
T8Cs,t`
Ywg2ct
)P#bTK
Hw</hO
d,B~(/L`*a_ u
EE6$LF
0fDSg{#+
g5/5&}(
Q1Bs3XV@5:M|&
]d%$6!
c>Sn`H
mimV|x
hTn{:Y)
EC^F['8
f&eQE;b_D
Wa^bF!
Uo~_[W#A+
NF-e<e
EL&hLb9LNjr
M</-7IToc}c:crLd
zU+kQ]
t")0X:G'N
!Q#G93#
%|PN\LM
|$D <0O!
Pq$)jS(?
O8>E754wEFIl
2P-z~T\?dkg%
*M.yP1*
78Z@Xl
b\MwZ,I
iWD#% B
,Dz)V^?
Nd_`<g%
r(,N4i?QW!N`
K{r@P4>
BO~t_As
R }WRN
YMu?;2
+k2= 1k&
42TytX
tt! wq$
ku6l xa.k$W
W2XiUf
GH[."E
` } Hdc
};{Kn<_E
6Vb1X&
N $A^
RIW%nxEG!
d~#meGDY
@_Wdb*\
"']{.EmC
_ 1.qV
&(\4Xg
<ETX'>rf@YEjr$M
%&'}G_
PYZFlXqv!
:e s+u
cXt'X}E;$KTMi0m]tM
XYI*|#QK
2z` (-
GKFtq=
%N)tc%J/,
}FGw*l
za$#cbR@
,wge'HQ
uv`B;IH#Q
dmM}rm
"]FSsr
U~+O(C38
T R</J[
%*%FB#F
%*6]!?
A2H%3;gb
0}+R8Z}>U8
F`Q]s'
K297dRlv
o[WpV;`d
&(-z~"
$znu\}iV~rd*0
C;eev8dz'KbY'(HCg22
O,QB2z
}kJKT9%
\A 2G8uD3wu`
'&w^!I
]QA,a@
,o,yY+
L8sXrK1
!li`E)=8
#qF?]OeAF
Xwk* w
=K6XI9W
]ebw^}
L/_Zqu81f
WZ)ZO`
,ZfV@b
mm0C-gd
}-.oWXm
|rh':
Azj^iy)QF:
+Tk(s/
"SFU"Dt^L
s_[vGB
5H4ZD_
0v]LSL).f'^<
).k1B#G@vUs
'aOuW ..7
L -23qR$(
@kSSaQL
ET.usz
c'/ g V@j ;V@
F+#u*>
wS3{eDS5/>H
k'zhW\
U,.Z(JJiR
'F7aXw*
9+GY#M%]W5*
PNZ*8b
N*IQ)C
.5p.fU)}
R(b|gc"
#kU/RGh2ZU6tR
kkV6ZV?MP
lW8{W2
L>qSNNv
@^i_P#
|\($b]I$r
&b1rf|1UY&
_R**T&
wRkl_r Po z
2^*Je m
s;E4f^3
ha+7p]
R(hUeht
r+=TP+Dvz$3\)
5.@rxk}
,B+0F!0~!es`Ka
5e%.Q)
C< :H<V+C/2n;U"rU
Bir&PT
PWKGet8,SE@Vu.
O_A|JVT(EGG/`$0
>D@-&u
(Kt\abzr9UIE
Dt\BtF
n703I;h
*j0> w"`'
zgzwQR_
M/a3;X4-
=]E~#Ch
G;|sp@
H$fY)4?k?e{
+;}*@Hf
<*/Zj~Q
kgr95s+~YG
G2`%\}
C} N{K
(&TUv@
tvIKt
9o1uS*B'%
.>JJ_o
L,FIHzFVl
WUw193b
xfdkN$h
6 hJP%
X-bbTmb
H&qwR}~QL@
"f!;?])
B9@a\XU1[B=-La7PI
5s.@\y+DK{3I0OfW8
8Ff\bbr
KLf33G
w/n`=hf
O.sH23!
}sXY<P~
#k 7eaBFYC5(AF
~$MIL<
a%a`Ea
0 .O1IFl
F)1t]u_
@M(,5Rs
2d1Rb?
UO<0v'
cDM_iX7$T{_
Bgn:?;Wa@
c2?pSa(j
f]hhh]
-{=LXF
YLxbEG`_
0uJ4'&*d
! QY88E
8:>}n1CMWR
,?SO((
5c~SUh
:u R6:|D
.dX`M-
tgt|q0w
].(=mA
AH6RH*3R3
q@ozU_X~
tC;PZ#
q@RK&K-
_A!9K].Mu
T%CKR?y
N!] Rzu
~F+i/Vy
Se/(<p
H(~?.1
x"+6APHX
taZjLH
2mlA"W
O@QT=f
HS/][t1^
aNZCDQ
7ec@%0T
4t&R1r
v&D:0_j
Sr7n%<]Pe :
)loZQ;.
X04B@8
T]xS@~@
n(8y;[_$mK
+oM]O;
1cs8i"-p:Le=LA
+/*`&*!
%H 205rC:^Z
x(oY]"
@B IeQ,
hn?dFH
vD=g(9?;
YJg,`F
%',}U)h
HWtVDzz
P2l, {~
_z10HB*~u
OcT>U#
R/tzaK!
=0t(p\h>
#L3#2#3
D#.nbc
`@5R8#-#$3`E
VeB~o'kY2
ILGYb%@
edJMPB
@s&L\4
p$lZ hPl
gaBnnKP0
t(Kl]R+
[$6JL)
%RpHbFeJ,
r2kjp0[3DH9BhE
ynOcwZ
h&fqq4(EYk
5,l)2'.1Ao(
tf06#c
YI9)yi
ZJ:*zj
{k;ugOC
hQ&EziSKFUSzj[f
"s[' 0c
&cvopW
e'PjG=rE
tay4Sa
n,Sn0Tne
I*"5&u
EVERL0%
=w=ZthM&Zuj]fvl
m[w}>\xp
'\yr7gztW>]v
(U`869[7 @
F%V]f20B
B*B$B$d
.qQ)I[
nPJ0y!A
q%;[xp|
`MdGQA
w3n:wfF(xf%a!
p$TBUj
Yag\pd
y@!?2n$!j
3q|15N5[d@
&31`f`
QxK6R%
K!CTC}
rxK[-j
ZJ`%*aT%
%CB,W%
[`J8_(
TYN>)TeJ)zbi
t)jpbx
)nYV2\<\
rLp<fBR
(zcY1 VT2
YX RmE
_-;m}\
L82B@N
Y@;MZEy2
9,P02$\zAT
YK%av*G
chz%9=4bG-8
E"A0N@
_:hNl.
LF:vNr
q'$i:v
y'V'DIu
t:ZNIvRD:)N
U8Uiwd
k2d8w<:yud
w6:q'Nn
xet^$;)S$'N)N
ISR*:UP\M
Ne}RjT
w*G>ISz:O
;5tNM4'>
>YwJ;-uZUwsNt:
Q>:}ONo}owz
JU@k"p
hHL*3D9$\Gd
c"cE6M(
dtz"1J
Eb3Q#$M
FA*dyQ
N~F5:xz
R?aK^+j
1ZNpwx[U2
+0sMiX1
o7ns#{L*
:W;vC6Jm"
@<)}/]29Cmza
)Ia[>k
/je.f\
]kO}W]
WjGp#S
?<(AT~ycP
6wag3mvoV
J[-:yL/
G=u7X&
4Z`m$l
/g}[-6
Kdr6=u
~RB4Ko>
`NhsI-N'
^]a}+m
.`[bJe^i^"*
9,P|w^8PG)
jUH0OS
J-s3REO*
3UD'UTI4
T>@ Kow0
F 9 l;
isO~'MzQ
RcP8r#/s`aw
K!\%7>&7
:%]n0=0
7:&S.T-| X
m%B(}99T$
e>|XX]
IIJD%+IDX%
JI"K\%/0*x
LJ6D[r.
JNZ,!r%
\LK%B.
J:%*AH3ZVep
#`(-hDPJDiR\o%W
&8]RW,
bpa]L+
B E/WM
a8TJ&g~e`
moa)D@,
j)K=(kyAK
8TJh$),)S
N2a9\UjZP"3qUP#4"]t
kfnr%E
U8WP_!EAT*F\2n
\*g}DpNB)C
eGBi<M
FP_#oo
OHi85J
Q#T9qf2
@`c9$e{
O*M:Y&
N]([+# a}$4
>DA4Af~kW,^?j
l;";cEw
Fb)qBt8Yt
`PT100
,E"l.z
qJQb)GLi
iRIS$:2hKyC@-h_"
d%VPQI
kyA">fz
EQN!'y
\h5mV 4U{E_
c2'j+cEt015kPS
}JkYEk
pPK%,qX%
^JpV"+V
fh+n\v
S3)4k)P0gVd
4Uein)Q
6ExsOIx
#UX-jQ`f
T@Bg-?@Y&[Tl
'HZ_{-T9S&%
rZp8"Ib
{;B9w>
8]ht2i
]so<S]
JUC74U
eg>9 =E[A^
}{EsR<
M>4Fjw
G?)=9VoFc
6<wlowNFJ
efS+} 6-:#h,tD
`yuQb.
Qa;:9\C un@
REC@H%CP
cGZ1+$x:
{+=rF!
11q19cx*
t2!@ PP
$wCy0f8
7@a#P]#
u$l#"Qb,
ld&/,(
I]0fO`
=X'OeV`ju
H<X`!.~
ZF[SU^"
MEH>%-
SMG$e%
od&SP pn*7
H@H0BDV
.!a NjeeXbxd.
YsyD%y
TiKJ# <
Zu1\=l5K#
XACYuI
;DaC@8c
-+Zv/.t
P0cD@0h
0@08tJAO)ROo
&%DuSWztiY
}Tj%4k
^-;Hau!
x0F~\s[<J
*8p=#w
BC#P@b
.KUK"
YTTiTc
&O >uHP2O+
A(Tb%J1>
I|:QB>@P
?s2Jr'N
2_dRNF
E$#H6Om@Ilh
/{=1G
lsMZX1_X
~HVP14
:`tK8;
cD. uuRAyu
T$Z$bP
\$<Qeu@
-Ed^8wy,aV
Kajk$U
{!` `z!!
3Ss"eAC3#
$@"UBL!b71V
\P%`l`v?()cFu
&0~BxuQ
7~RuF3
3-F@Z2
s/;J#+UKvjT
xY~X[lo3)2fN
Et {|"O
gZVO0cf
bE,&wpQ(C;gw@
bira6@
F{0PQ16
tdQiqa
?MX~oB
kn+ML@
$*$+00@
j()hgh@i
!7DJ:V
[%.Czv
j'IP"(
1H~UFjoB$
v}C{_#e? j(uQ
S=&+;4
!:&|ba8(X
$c]waf
s :n1
.RWw1q
M3TJZX4-aP
X}|9D-&tG
@lzhE8
vf"1H82
H|HfF$WLL
8Rbat&Id
pI#@3,
5U,^w"
f@Nch,
0" egMLLa00$L4nD)bj
P16 .k
FZGNZm
X~!b@Bd^g>
@RdLfL
$Q,aA(S
}QBLgB
d3QDC)C%
> P,PVMXf~%
bJDVr4dFw
*3F "^3hf
J1J DiJC
DeJEe4
Lt,5)rY44
*dB)ba9R
"T(x97Y3%
aR7M`
de,u!QN
. 2{jR
Y!bVg;X
,# U:LFY+
|j$MuDGb+7pPR(Y2cq
=T<R2#
>2[ H&`
gj;dY,$
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
USER32.dll
LoadCursorW
ADVAPI32.dll
RegQueryValueExW
SHELL32.dll
ShellExecuteW
WS2_32.dll
IPHLPAPI.DLL
GetAdaptersInfo
~qU^2
})d3Y
@3@,zbswQ)
p4=J=Sf7
om)-3_
CqufH4*
f.%=mP
p,QfI1
._nPK@
}T`#afRa{
@(t`F
qbP]@%
=jj &/L*
P."d@X
P B KnQ}
`,!A]Q"L=>
7'*LZl
{-yiq*`<
bFo[KZB6#W;
,7j(f:>
;99~awJY=
sM4~0rEMA
#VEItA
0/bn^\
d.up=TU
OGiEy`
.`~Ip)=_U
N5WR4/kfX.d
Jp6Ex@
e)C|=ER
U"VeG781
81(Jz@ f
F\r2h2
Q*um]3
2t-BlU|
|@*shQM
Y+)w`2
AAAAV+^u
I1CUSQWVR;
ZPR3C
Z^_Y[]
D:\PMS\pms4\Project(20130920)\GolfProject\bin\GolfProject.pdb
<Embed File Info>
x>CeN)
HanAgent_pe.exe
HM7U`j
r/ %-apGQe
nTjE9 ><
$,=e}<r
n(Vk3"LzI
PFoE<lp=T(%g
6f,F c
F3)%V5Gn
$t2,uu\gP/D4
,?>{2#
n})rau
H.[s?i
!?aU8"
JJNtl8z
X"I{uX'ek
DXz3/t
Nv j9@*3._jj
yX2R D(
q.@V'n
dXSG<Q)=/
w}tEqB8|Q
O8PRTY
p##+a%
*L[;'w
fEMHb;b
un zz=K2dmr
s`G_{~$k&S
%+$$G4
2N5uiY]<+
$.;#R!H
93L`H('
EeNi;'dc~
G)5tYZ{MF
s*TuFdd#|n)CR
l'?b$d6?n
CYI6[I)ME7LB/{
i~=&'&>HZS~?
",yv)e; _qI,g
Px_?W.
,9f e|fq@
/[0?H5PH
&0uK8t
Oa,,#gJi
aQxn:!OSo
exe9sT2)fV
00<5wy
+o+1G?7SL!(F'_7
\x*|_E
VfkM2uI
?W7>rr~bJpe1!@
9M#jXxj
aGXZCo
w4%(n(qu
e.p,vf
8gdiC92
'PMJVX9@
@x:k{B
|MXCcE-k03
94#isA2An>*?u3&
7-H>G{
S:>8e9
+j)ee>MyXS.
3'truXQfA
G0:Ria% hn,da
P+1i+%*sr-!$<
YvaQs-hEXj
eh}{:+Z
zWD]WV?c
Zr{Akc
tDAa2F
E=sZM
sGpp1O`?m@'!7
=w5o/ Y"ythBq
"~r[Mi
.7te7Z9<@:
3Ng_d/v
`$~j>T1hl0_W0!3df>?H
tJ+FTGAT
)ho<lq
|LZ/f(>(~@
i}l`Eq
CZ\e-:K3
B-74}{
^7=Ib`C
Z)YaU\=bI
,m+DFPF;
v%:e5c
cxc<@ v"~~H.}u*0dSy
oU(g9'[XK3.
/QB7nr"
?B)Ektd
r8ZJ\('
,4-|UYp_
g%2~D;
NNSogI7J
_6tH]C{
X#64\^hO
HN(Y*?
^U%2JL
dQ3'~!CN
:Z(iTI9
jd1l~Rs
{(vNr{<_];
wQR!DGDo
mR*97a6"
<A$YxC
6`_ 6L
FkxkR["?Ba7zBH^TQu?
B6As<vC
tv}i3w@
heSSr7
8<x^f=GR
6r< >!}`
l\zIpVtuYWoS
U9uB"|
kPROc<g
wzk.R,?
z[&9W$Si
$Y.LJVv Amc
J|vV,_1MFfoA
%c$e(=+
i"h(EkEV
Qw9J,Z;/P
}O>8G9
8,?/FY
0|XxG3)?I
rvr7w.1@IJ[uU3z
Y'V0I(
c.WPK(n
y!bt\\31in
?!m0~Dc uw>l]T(
z*N:"S4
bv8,0po#US]0
pD?3RIkv%q
FeVP]z
yo:UP<B8M
dk fA3T
r@}Bzq@1S9_<p_,
"yEq.~._
gFz$\y
H�a�n�A�g�e�n�t�_�p�e�.�z�i�p�
Process Tree
-
0329ffe76026e3fe911d2c08f3519f0759841b447ff4879bedb5e0c945d74be5.exe (1064)
"C:\Users\Administrator\AppData\Local\Temp\0329ffe76026e3fe911d2c08f3519f0759841b447ff4879bedb5e0c945d74be5.exe"
- cmd.exe (1640) cmd /c ""C:\Users\ADMINI~1\AppData\Local\Temp\_uinsey.bat" "
- yfobh.exe (628) "C:\Users\ADMINI~1\AppData\Local\Temp\yfobh.exe"
0329ffe76026e3fe911d2c08f3519f0759841b447ff4879bedb5e0c945d74be5.exe, PID: 1064, Parent PID: 1808
default registry file network process services synchronisation iexplore office pdf
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 74.125.34.46 | 80 | 192.168.56.101 | 49162 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 06b26a39ef391425_yfobh.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\yfobh.exe |
| Size | 90.2KB |
| Processes | 1064 (0329ffe76026e3fe911d2c08f3519f0759841b447ff4879bedb5e0c945d74be5.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed |
| MD5 | 3be163d3215d50ca6fe1492a252a7497 |
| SHA1 | 1fa67cfac777a0c70f6269e43f7df1e73e162f5d |
| SHA256 | 06b26a39ef39142581dc511e6d2e8368f8c22caa260b5db530e4b16a1641fb56 |
| CRC32 | BA57FE7F |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 04a01a824822ca2d_golfinfo.ini |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\golfinfo.ini |
| Size | 512.0B |
| Processes | 1064 (0329ffe76026e3fe911d2c08f3519f0759841b447ff4879bedb5e0c945d74be5.exe) |
| Type | Non-ISO extended-ASCII text, with very long lines (400), with NEL line terminators |
| MD5 | 8daff6cb4213330e28795ce964a46d6e |
| SHA1 | 22dc9907180192ed3688aab42de090a18fbf04ba |
| SHA256 | 04a01a824822ca2db00d0cb067c68f877340ec895bc77a76aa4dfde1fd0dbba1 |
| CRC32 | 5E0B28D0 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | e2b4f666749b1f39__uinsey.bat |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\_uinsey.bat |
| Size | 367.0B |
| Processes | 1064 (0329ffe76026e3fe911d2c08f3519f0759841b447ff4879bedb5e0c945d74be5.exe) 1640 (cmd.exe) |
| Type | ASCII text, with CRLF line terminators |
| MD5 | fb1a3dc28eb514da34b374f96f6ffcba |
| SHA1 | d2a62cee57141324a180c3bc3cfc1090908800dd |
| SHA256 | e2b4f666749b1f39db7e3c31fe99e4350781aa18718094d601ecd9a3233a8605 |
| CRC32 | 29F7AAF8 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 0329ffe76026e3fe_0329ffe76026e3fe911d2c08f3519f0759841b447ff4879bedb5e0c945d74be5.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\0329ffe76026e3fe911d2c08f3519f0759841b447ff4879bedb5e0c945d74be5.exe |
| Size | 90.2KB |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed |
| MD5 | 14a23337df42f348980fa22395a629cf |
| SHA1 | 511cf8b1657c7beb5345ba5b0e37413ed3350287 |
| SHA256 | 0329ffe76026e3fe911d2c08f3519f0759841b447ff4879bedb5e0c945d74be5 |
| CRC32 | 1D1B99DF |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.