3.2
中危
DACN
0.12
FACILE
1.00
IMCLNet
0.80
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Malware:Win32/Dorpal.ali1000029 | 20190527 | 0.3.0.5 |
| Avast | Win32:Dropper-NZI [Drp] | 20240201 | 23.9.8494.0 |
| Baidu | Win32.Trojan.Urelas.b | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20231026 | 1.0 |
| Kingsoft | malware.kb.a.1000 | 20230906 | None |
| McAfee | PWS-FBQQ!16B593DDD180 | 20240202 | 6.0.6.653 |
| Tencent | Trojan.Win32.Urelas.16000161 | 20240202 | 1.0.0.1 |
静态指标
检查进程是否被调试器调试
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545317.530875 IsDebuggerPresent |
failed | 0 | 0 | |
|
1727545320.218375 IsDebuggerPresent |
failed | 0 | 0 |
观察到命令行控制台输出
(11 个事件)
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | SFFDFDFD |
动态指标
在文件系统上创建可执行文件
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
投放一个二进制文件并执行它
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
将可执行文件投放到用户的 AppData 文件夹
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\08f27944cfffc1343419da83ac0a2d90bddb8eae3412160f71cd7aab4e340748.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
检查适配器地址以检测虚拟网络接口
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545322.249375 GetAdaptersAddresses |
family:
2
flags: 16 |
success | 0 | 0 |
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'SFFDFDFD', 'virtual_address': '0x00029000', 'virtual_size': '0x00013000', 'size_of_data': '0x00013000', 'entropy': 7.245390909517871} | entropy | 7.245390909517871 | description | 发现高熵的节 | |||||||||
| entropy | 0.3282937365010799 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(5 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
| host | 112.175.88.209 | |||
| host | 112.175.88.208 | |||
| host | 112.175.88.207 | |||
文件已被 VirusTotal 上 64 个反病毒引擎识别为恶意
(50 out of 64 个事件)
| ALYac | Trojan.GenericKDZ.95757 |
| APEX | Malicious |
| AVG | Win32:Dropper-NZI [Drp] |
| Acronis | suspicious |
| AhnLab-V3 | Trojan/Win.Urelas.R465682 |
| Alibaba | Malware:Win32/Dorpal.ali1000029 |
| Antiy-AVL | Trojan/Win32.Urelas |
| Arcabit | Trojan.Generic.D1760D |
| Avast | Win32:Dropper-NZI [Drp] |
| Avira | TR/Urelas.rwqze |
| Baidu | Win32.Trojan.Urelas.b |
| BitDefender | Trojan.GenericKDZ.95757 |
| BitDefenderTheta | AI:Packer.41D2B7E320 |
| Bkav | W32.AIDetectMalware |
| CAT-QuickHeal | Trojan.Beaugrit.14262 |
| ClamAV | Win.Dropper.Urelas-9779788-0 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.fab3e1 |
| Cylance | unsafe |
| Cynet | Malicious (score: 100) |
| DeepInstinct | MALICIOUS |
| DrWeb | BackDoor.Golf.198 |
| ESET-NOD32 | a variant of Win32/Urelas.U |
| Elastic | malicious (high confidence) |
| Emsisoft | Trojan.GenericKDZ.95757 (B) |
| F-Secure | Trojan.TR/Urelas.rwqze |
| FireEye | Generic.mg.16b593ddd180f3bf |
| Fortinet | W32/Urelas.U!tr |
| GData | Win32.Trojan.PSE.111ZOWK |
| Detected | |
| Gridinsoft | Trojan.Win32.Agent.bot!s1 |
| Ikarus | Trojan.Win32.Beaugrit |
| Jiangmin | Trojan/GenericCryptor.bt |
| K7AntiVirus | Backdoor ( 0053e8561 ) |
| K7GW | Trojan ( 004b901e1 ) |
| Kaspersky | UDS:Backdoor.Win32.Generic |
| Kingsoft | malware.kb.a.1000 |
| Lionic | Trojan.Win32.Urelas.m!c |
| Malwarebytes | Generic.Malware.AI.DDS |
| MaxSecure | Trojan.Malware.121218.susgen |
| McAfee | PWS-FBQQ!16B593DDD180 |
| MicroWorld-eScan | Trojan.GenericKDZ.95757 |
| Microsoft | Trojan:Win32/Urelas!pz |
| NANO-Antivirus | Trojan.Win32.Golf.ffqyhp |
| Panda | Trj/Genetic.gen |
| Rising | Trojan.Urelas!1.BE13 (CLASSIC) |
| Sangfor | Virus.Win32.Save.a |
| SentinelOne | Static AI - Malicious PE |
| Skyhigh | BehavesLike.Win32.Corrupt.dm |
| Sophos | Troj/Urelas-AS |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(4 个事件)
| dead_host | 112.175.88.209:11120 |
| dead_host | 112.175.88.208:11150 |
| dead_host | 112.175.88.209:11170 |
| dead_host | 112.175.88.207:11150 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-06-21 17:04:23
PE Imphash
afd0acd5e00a1184feabd9241e36c59e
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| SFFDFDFD | 0x00001000 | 0x00028000 | 0x00026e00 | 4.997476058158538 |
| SFFDFDFD | 0x00029000 | 0x00013000 | 0x00013000 | 7.245390909517871 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000266c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_STRING | 0x00026b30 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x00026bf8 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x00026bf8 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_MANIFEST | 0x0002f026 | 0x0000015a | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x41301c GetSystemWindowsDirectoryW
• 0x413020 GetSystemDirectoryW
• 0x413024 DeleteFileW
• 0x413028 GetModuleFileNameW
• 0x41302c GetTickCount
• 0x413030 GetVersionExW
• 0x413034 ReadFile
• 0x413038 CreateFileW
• 0x41303c DeviceIoControl
• 0x413040 GetTempPathA
• 0x413044 GetModuleFileNameA
• 0x413048 HeapAlloc
• 0x41304c GetProcessHeap
• 0x413050 HeapFree
• 0x413054 MultiByteToWideChar
• 0x413058 SetEndOfFile
• 0x41305c GetLocaleInfoA
• 0x413060 GetFileAttributesW
• 0x413064 GetStringTypeW
• 0x413068 GetStringTypeA
• 0x41306c LCMapStringW
• 0x413070 LCMapStringA
• 0x413074 HeapSize
• 0x413078 CreateFileA
• 0x41307c CreateThread
• 0x413080 CreateEventW
• 0x413084 CloseHandle
• 0x413088 OpenEventW
• 0x41308c GetTempPathW
• 0x413090 LoadLibraryA
• 0x413094 WriteConsoleW
• 0x413098 GetConsoleOutputCP
• 0x41309c WriteConsoleA
• 0x4130a0 FlushFileBuffers
• 0x4130a4 SetStdHandle
• 0x4130a8 InitializeCriticalSectionAndSpinCount
• 0x4130ac IsValidCodePage
• 0x4130b0 GetOEMCP
• 0x4130b4 GetACP
• 0x4130b8 GetCPInfo
• 0x4130bc RaiseException
• 0x4130c0 SetFilePointer
• 0x4130c4 ExitProcess
• 0x4130c8 Sleep
• 0x4130cc GetStartupInfoW
• 0x4130d0 GetLastError
• 0x4130d4 TerminateProcess
• 0x4130d8 GetCurrentProcess
• 0x4130dc UnhandledExceptionFilter
• 0x4130e0 SetUnhandledExceptionFilter
• 0x4130e4 IsDebuggerPresent
• 0x4130e8 EnterCriticalSection
• 0x4130ec LeaveCriticalSection
• 0x4130f0 RtlUnwind
• 0x4130f4 WriteFile
• 0x4130f8 WideCharToMultiByte
• 0x4130fc GetConsoleCP
• 0x413100 GetConsoleMode
• 0x413104 GetModuleHandleW
• 0x413108 GetProcAddress
• 0x41310c GetStdHandle
• 0x413110 FreeEnvironmentStringsW
• 0x413114 GetEnvironmentStringsW
• 0x413118 GetCommandLineW
• 0x41311c SetHandleCount
• 0x413120 GetFileType
• 0x413124 GetStartupInfoA
• 0x413128 DeleteCriticalSection
• 0x41312c TlsGetValue
• 0x413130 TlsAlloc
• 0x413134 TlsSetValue
• 0x413138 TlsFree
• 0x41313c InterlockedIncrement
• 0x413140 SetLastError
• 0x413144 GetCurrentThreadId
• 0x413148 InterlockedDecrement
• 0x41314c HeapCreate
• 0x413150 VirtualFree
• 0x413154 QueryPerformanceCounter
• 0x413158 GetCurrentProcessId
• 0x41315c GetSystemTimeAsFileTime
• 0x413160 VirtualAlloc
• 0x413164 HeapReAlloc
Library USER32.dll:
• 0x413178 LoadIconW
• 0x41317c RegisterClassExW
• 0x413180 CreateWindowExW
• 0x413184 DefWindowProcW
• 0x413188 BeginPaint
• 0x41318c LoadAcceleratorsW
• 0x413190 LoadStringW
• 0x413194 LoadCursorW
• 0x413198 wsprintfW
• 0x41319c PostQuitMessage
• 0x4131a0 EndPaint
Library ADVAPI32.dll:
• 0x413000 RegQueryValueExW
• 0x413004 RegSetValueExW
• 0x413008 RegCloseKey
• 0x41300c RegOpenKeyExW
Library WS2_32.dll:
• 0x4131a8 WSAStartup
• 0x4131ac htonl
• 0x4131b0 gethostbyaddr
• 0x4131b4 socket
• 0x4131b8 gethostbyname
• 0x4131bc inet_addr
• 0x4131c0 htons
• 0x4131c4 connect
• 0x4131c8 closesocket
• 0x4131cc send
• 0x4131d0 recv
• 0x4131d4 WSAGetLastError
Library IPHLPAPI.DLL:
• 0x413014 GetAdaptersAddresses
L!This program cannot be run in DOS mode.
SFFDFDFD
SFFDFDFD
jgVjdhXA
_^33z8
8V5x1A
jlPD$0
^8ULLpA
^L$H36
^L$H3z6
3^L$H3N6
L$L^3326
SW3j>P$
fuh`LA
SUVW3h
3D$"D$&D$*D$.D$2D$6D$:D$>D$BfD$FHA
fT$ D$
T$$RD$ Pj
T$ RPh
u0h<MA
fu.hHA
|$Hj^$
u?D$ P
RD$$Pj
_^][331
SVWdMA
RD$"PfT$$#i
MSMPu)
_^33O+
3SQfD$
MSMPu)
3WQfD$
MSMPf$
D$ j@P'
fu+t-h@A
uKh PA
SUVW3h
3j>P$R
PL$6Q3fD$8W
D$"D$&D$*D$.D$2D$6fD$:D$
PL$0Qy'
tz_GBP9s
fu+uS(
D$-SP3\$4U
RD$$D$(D$ D$,h
D$4PW\$(\$$\$0\$4
D$"D$&D$*D$.D$2D$6fD$:f$D
L$HQWWh
T$PD$LWh
$SUVWj
T$LhOA
_^]3[Y
[YVWVj
@uVW$
D$ PQ'
D$8RP'
L$8QR'
]3[YWh
][YQSU-L0A
_^][Y_^][Y
3lQSWj E"
~PFJWP
[YSUVD$
@u-T0A
GWVjPj
u/;u+A
L$&3VQD$(
fD$,|F
T$ Rt$
T$ RD$ PL$
u#u T$
tJ;~8+
D$ SPF
_^][3^
RD$2P|$0L$ fT$4A
\$(\$ t
t$ 33f
D$(ST$
~yT$ L$$RD$
WQD$$?
QD$0R>
3VQD$(
D$.3VPt$$t$ t$,fT$4=
RPt$ x
RD$ PL$(Q
f9T$ ua|$
L$,QT$
_^][3;
SVW3;t
^0WWWWW
AAKu;t
AAFFf;t
Ku3;uf
SVW3;t
^0WWWWW
AAFFf;t
Ku3;uf
U S39]
;t$;u
;tU;|BMx
YYt"Mx
39]fD~
VVVVV[
;t3f97
uf93u !
jEPhLpA
_VVVVV8J
VW3M]9}
E+)E(V-
3PPPPPEN
Y}V*YEE
SVW39}
}O;]rOt
u+WuV2
M+;rP})E
YYt)EF
YY]jXh@SA
@@fufM
@@fu3_[]
^0WWWWW
GGBBft
f_^]UW}
SW=H0A
E3B;r9]u
S3VW;t
^0SSSSS'
3_^[]j
jEPhLpA
7GGEPj
RPjjEUCh
M]EUVe
Yu)jAXf;w
E;ErCE9Eu
3;Er/w
QuuuSg
u>9ur9w
`p33_^[
U]UQSV3;u
^SSSSS0
^SSSSS0
IGG;r3_^[
U S39]
;t4;|"Mx
SSSSSd
,ffffffE
P~CC>Yu
3PPPPP
t4+t$+t
ItQht@lt
3F tBP
itmnt$o
PVP5}A
YYYfgu
YYY>-u
jj0XfQfE
t-RPSW
`pM_^3[
1 B8rA
;r"(tA
;r =(tA
W3E}}}
FFf> t
at8rt+wt
E}9}urE
E9}u:eE
FFf> tj
FFf> tf9>
Y]3u;5 A
+SVWLpA
1E3PeuEEEEd
Y__^[]Q
E_^[]E
9csmu)=
URPQQhL{@
t;T$4t
;v.4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
jXEU;u
Y]\3_[^j
0VVVVV
WWWWW6
W>+~,WPVYP
Y/V|Yt
Y}3u;5 A
V34809u
u&30VVVVV
P4UM`8
<PVEP(
r3VVhU
QH++PPVh
,P+P5P(
\D+48;E
0?@Y1(
8+0_[M3^j
WWWWWr
DDDDDDDDDDDDDD
8csmu*x
VW33};
VVVVVD
u&hP8A
3PPPPP
@Y<v8V@
3VVVVV
VVVVVt
;t$t j
EP4\uA
EYF`[_^
Gf>=Yt1j
3PPPPP
3Y[_^5
UQV3W}
@@ft<uf t
@@HHf9
@@Bf8\tf8"u8
ft$9Uu
UQQSVWh
V33Sf@A
`]YY?sJM
u+@S@WS
_[^SVWY
jTh UA
Ej@j ^V
[j@j ~9
;rE9=A
UV5dvA
UV5dvA
eYV5dvA
YYt:V5`vA
P^YF,t
PPYF4t
PBYF<t
P4YF@t
P&YFDt
YF\=8A
YYt4V5`vA
E3E3;u
F$|3@_^
i3G}39
MOI;|9 M
SI VW}
HD9#U#
MLD3#u
]#\D\D
<at9<rt,<wt aSSSSS
L9]u<eE
F> t>=upF> tj
/SSSSS
Wt1t'P
GW"YYF
UQSVW5
;r@PuR
WPWPWv
whu;5{A
8]tEMap<u
Zf1Af0A@@JuL
@;vFF~
XM_^3[j
Y^hS=<1A
Y%u wA
3W;to=~A
7YY~PE
USV5<1A
SV5H1A
t7t3V0;t(W8Yt
VYY^3j
Fpt"~l
j *Yfj
Pf;r]*
QP;YYu
3PPPPP
t4+t$HHt
ItUhtDlt
HHtYHHt
2itmnt$o
PSP5}A
^YYYgu
9YYY;-u
t-RPSW09~
0@?If8
@@u+(u
u(9t M
`pM_^3[u
EU_^j
WWWWWJ
3]V3;|
VLYt.V@Yt"V4
]39}~0N
D=VPSYYtG;}|fE
YYM_^3[q
5~Yu'9
YYu,9E
tAt2t$
eMapYL
E`p:39]
_};= A
SSSSS'
tGHt.Ht&
^SSSSS0
Y+t7+t*+t
;t0;t,;t =
uEPuuu
SuEuPuuu
$ MeHM
;tSS6@
tSSS6u#
E+PD=P6
_8VVVVVL
9ut(9ut
SV33W9u
CCGGM
tBft=f;t6EP
Map_^[
UV3W95
;u VVVVV
GGBBM
B(;r3_^[]
SVWLpA
1E3PEd
Y_^[]USVWUj
P(RP$R
t:|$,t
;t$,v-4v
UQPXY]Y[
S3;VW|[;
t58t0=
]V3;|";
u${0{VVVVV
]Y3C]~
u}uyG+j@j }YYEta
3SEEESX5
PZ+t Q3
tVURPEPQ
Iuu}]U
+EPRQL
?Yj hWA
Y+t"+t
+td+uD
3PPPPPr
P{EY3}
u@OdMGd
u wdSUY
WPIY8A
YYt,t(
;t0PWYt%
S3VW;t
^0SSSSSo
3_^[];t
^0SSSSSho
*oVVVVV
@@fu+E
H]UWVu
DDDDDDDDDDDDDD
SSSSSi
tGHt.Ht&
^SSSSS0yj
Y+t7+t*+t
;t0;t,;t =
uEPuuu
SuEuPuuu
$ MeHM
tSSS6#
CSSS6s
E+PD=P6N
_8VVVVVc
9ut(9ut
cSSSSS
;u.bSSSSS
MfMf;u!f;t
E`p3^_[
H8]tMapUj
MlX}9_
u+`SSSSS
;u+`SSSSS
E`p3^_[
H8]tMap
QY}SzYE;t
ESV3W9
u8SS3GWh;A
E 5T0A
39]$SSu
;~Ej3X
3;tAuVWuu
t"SS9]
EVYuEYY
3;tuSWy
uKYE;t
e_^[M3
MQu(Mu$u u
UQQLpA
SV3W;u:EP3FVh;A
39] SSu
ESEYu39]
e_^[M3
MOu$Mu u
4I6-Iv %Iv$
Hv8Hv<H@v@HvDHvHHvLHvPHvTHvXHv\Hv`HvdHvhHvlHvpzHvtrHvxjHv|bH@
P5GYF ;
P#GYv$;5
GY^]UV3PPPPPPPPU
ru{vnM
tR:QuMPt<:Qu7Pt&:Qu!Pt
@AE9]r3_[
+UV3PPPPPPPPU
^SSSSS0VS
f;v6;t
Map_^[;t2;w,OSj"^SSSSS0R
0;u,ZRWWWWW
u+9uv&PE
E`p3[_^
u,] ;t
3;v.jX3;E
;uL9=A
Y}SIYE;
wIVSP+
]5VYE;t'CH;r
PSuwSESP
9}uH;u
E;t CH;r
PSuFwSu
3{_K|u
L1$!_^[u
HVVVVV
^s)EPj
Map[3PPj
ffffffu
S3VW9]
u.FSSSSS
v(IFSSSSS
E`p`E9X
8]tDMap;E
;t+3_^[
u EVVVVV
uYF;~[
-WWuuj
WWWWVuWu
VYYE;t+WWVPVuWu
ujYEe_^[M31'QL$
EPQEPEj
AAu+Hu u
RQMQVp
Map^[UWVSM
B:t6t:t't
WVS3D$
bad allocation
CorExitProcess
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
UTF-16LE
UNICODE
Unknown exception
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(null)
`h````
xpxxxx
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
CONOUT$
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
112.175.88.209
sanfdr.bat
:Repeat
if exist "
" goto Repeat
rmdir "
%d.%d.%d.%d
112.175.88.208
ExitProcess
GetTempPathW
OpenEventW
CloseHandle
CreateEventW
CreateThread
GetFileAttributesW
GetSystemWindowsDirectoryW
GetSystemDirectoryW
DeleteFileW
GetModuleFileNameW
GetTickCount
GetVersionExW
ReadFile
CreateFileW
DeviceIoControl
GetTempPathA
GetModuleFileNameA
HeapAlloc
GetProcessHeap
HeapFree
MultiByteToWideChar
KERNEL32.dll
LoadStringW
LoadAcceleratorsW
LoadIconW
LoadCursorW
RegisterClassExW
CreateWindowExW
DefWindowProcW
BeginPaint
EndPaint
PostQuitMessage
wsprintfW
USER32.dll
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegSetValueExW
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
SHELL32.dll
WS2_32.dll
GetAdaptersAddresses
IPHLPAPI.DLL
GetStartupInfoW
GetLastError
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EnterCriticalSection
LeaveCriticalSection
RtlUnwind
WriteFile
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
GetModuleHandleW
GetProcAddress
GetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
VirtualAlloc
HeapReAlloc
SetFilePointer
RaiseException
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
InitializeCriticalSectionAndSpinCount
SetStdHandle
FlushFileBuffers
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
LoadLibraryA
CreateFileA
HeapSize
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetEndOfFile
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
218.54.31.226
wwwwwwwwwwwwwwwpxpx
pxwwwwwwwwwwwwwxpxpxDDDDDDDDD@
pxDDDDDDDDDH
pxDDDDDDDDDH
pxDDDDDDDDDDDDDDpxpwwwwwwwwwwwwwwwp
wwwwwwwpxpxpxpxpxpxpxpxwwwwwwpxDDDpxDDDDDDpxpwwwwwwww
%%$$"#"#"#*+()''&&??<=9;7A63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CWkV21TSav^8{
}>qooggggggg1`_fhsnHK{JLp
Gl-FjNw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
.#%-0%:?%9>%8=%7;
EG@DF@MO@LN2Kh2\g2]f2[I3')+*+)))*))()*+++,6J!54 CBAjYPQTVTSkllZTTXRTUiHceWda/
iu`_<bmt^}zy|yx~
{|yvrrwsqpon
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
JHHGGGGGGGGHI
JEEEEEEEEEEFC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
O%JEEEEEEEEEFFB
JJIIIIJIIIIJJ
O(@>=77A779?<8;$O'
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'H#P'Q'Q'Q'Q'
R&R&R'R&R&R&R&R&Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'R'
e)qjiPt
{rFpcq
S^EDIID:BI638?@=>>=======8,00-.(',0-0178
S(O$N!N!N!N!N"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"N"M"M"O$S)O"
QDf>.j~ro
*V=;?73?//87566-&*'!+3$357_
OO&F#C!C!C!C!C!C!C!C!C!C!
A E$R(
x(s o7|WRzW
0!0(040_0d0l0r000000000
1A1F1h1w1
2*2Z2|22222,393F3Q3o3{33333333333
4#4*484F4S4c4m444 5*5A5R5_5}5555555
636E6`66666
7G7s77777777
8r8w888888
9G99999999
:":,:2:H:U:`:f:l:r:::: ;%;*;=;N;g;x;;;;;;;
<*<q<<<<<'=J==*>=>B>f>{>>
1c111111
2#2*272Y2222
3,3N3b330464n4444444
6/66666
7"7v77777
8[8z8888888
9s9z9999999
:7:Z::::
;-;Q;w;;;;;;;
>w>>>????
@0e00000j1111"22 3W333333<4x44444
5"5X5g55555-6666666666666
7#7*7i888
:+:{::';d;q;z;;;;;
<<<<<<
=G=`=o>>>>%?W??????
0 0N0w011
44444;55
66F7]777
9K;;)<>?
1U2z22222222'31335555
6O6`666
7!778A99:p;;;;;$<W<]<e<r<<<<<<??
E222222222222222
3 3%3+353>3I3U3Z3j3o3u3{33333444444
5$5G5Z5667888;*=>>
3"3&3*3.33393S3b3o3{333333333
4C4v44444466
7%7{7777
8>8F8e8u88888B9
:$:<:T::::;<<z==9???
0051B1
2$22233b3P444
5 5I5}556
7%7H777L8
:9:: <
0O0h0o0w0|00000000
1^1d1h1l1p1111
212[22222222222
333333
4<44444444444
565B5J5Z5o5555555
6666+7C7N7r7{777777
8B8U8m8
888V9\9u9{9#:.:m:::
; ;1;<;<<<<<.=5=J=======
>i>q>>>>>=?m?
0!0&0K0Q0\0h0}0000000000
121>1D1P1_1e1n1z111111111111
212W222222
3'3333
4X4_4z4
44444444444444444444
5'52575B5G5R5W5d5r5x5555555
6<6I6U6]6e6q666666666 7&7?7S7Y7b7u77.8N8\8a8::::::::
;,;7;=;C;H;Q;n;t;
;;;;;;;;;;;;;;;
<%<+<<<<
=0I0|000!122
3"3/333333+44u6666J7v777
8-8d8o88
9+909G999E:::
<W<d<n<|<<<<<<<<
=2=i===!>>>>>
?????????
0.070=0F0K0Z0000011
2d222a3x33357y888&9:9`9<='?W?|?
3333333333
4+4i44H5555
6:666}77777
8J8S8_8v889$::::::
;<G=====
[1}1111
6/6M6a6g66A7M7777
8*8;8`88888<9M9999
:8:F:O:::
;8;j;r;;<====
>#>u>>>>>>>>>>>
1(1-12171G1v1111
2!2&2-222222:3I3e3s3y333333333333
4Y4v445
6z66666666
737Q7X7\7`7d7h7l7p7t77777768A8\8c8h8l8p8888888
9Z9`9d9h9l9F;;1<D<`<r<<<<<??
30\0y00000155566
7T7f7s7
7777778C9f99:=;G;_;f;p;x;;;;U<<>>>
?/?A?S?e?w??
1O2m24
7H7N7Z777
9)9]9c9o992:9:::
;D;;g<6=<=A=G=N=`=
===q>~>??
0,0e0r0Q1`1
355L6P6U6
2L2P2T2X2\299999
x:|:::::::::::::::::::::::::::::::::
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
\1`1111111
2 20242H2L2\2`2p2t2|2222
383T3X3`3d33333
4$484@4T4p444444
54585X5d555555
6(6H6h6666666
7(747L7P7p777777
00011P5\5d5l5t5|55555555555555555
6777;<8=H=X=h=x===================== >0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
wwwwwwwwwwwwwwwpxpx
pxwwwwwwwwwwwwwxpxpxDDDDDDDDD@
pxDDDDDDDDDH
pxDDDDDDDDDH
pxDDDDDDDDDDDDDDpxpwwwwwwwwwwwwwwwp
wwwwwwwpxpxpxpxpxpxpxpxwwwwwwpxDDDpxDDDDDDpxpwwwwwwww
%%$$"#"#"#*+()''&&??<=9;7A63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CWkV21TSav^8{
}>qooggggggg1`_fhsnHK{JLp
Gl-FjNw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
.#%-0%:?%9>%8=%7;
EG@DF@MO@LN2Kh2\g2]f2[I3')+*+)))*))()*+++,6J!54 CBAjYPQTVTSkllZTTXRTUiHceWda/
iu`_<bmt^}zy|yx~
{|yvrrwsqpon
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
JHHGGGGGGGGHI
JEEEEEEEEEEFC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
O%JEEEEEEEEEFFB
JJIIIIJIIIIJJ
O(@>=77A779?<8;$O'
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'H#P'Q'Q'Q'Q'
R&R&R'R&R&R&R&R&Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'R'
e)qjiPt
{rFpcq
S^EDIID:BI638?@=>>=======8,00-.(',0-0178
S(O$N!N!N!N!N"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"N"M"M"O$S)O"
QDf>.j~ro
*V=;?73?//87566-&*'!+3$357_
OO&F#C!C!C!C!C!C!C!C!C!C!
A E$R(
x(s o7|WRzW
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>/
KERNEL32.DLL
GetModuleHandleA
GetProcAddress
VirtualAlloc
VirtualFree
VirtualProtect
USER32.dll
EndPaint
ADVAPI32.dll
RegCloseKey
SHELL32.dll
ShellExecuteA
WS2_32.dll
IPHLPAPI.DLL
GetAdaptersAddresses
SJ+d_u
s)O09`/XyTj)
R@}"x$s
+/>cBAY9B
'0x$5!^
J\?C?i
E`a+VF|Kb3d|j
+-n$[<d
REdoZn2:
TgG1n-c
ZkTy,u0.0H
N?wp9~uA.H:=<ap(J
7TRdU`=(&p^
6Om=dIR'
`+;*wmg+
0A\MH?w
a#RHZ$h2]
0],~vt
|HLLiViso
&c=.(8"
`BEMVHmF
SAo?AU^
18m<Q3FFN Z
9F79-PBEa}jPY+hCKF[
A;#+6s!
!;Qvm?P1-
a$*so`T4
EJ)zhY
$(eLv5
M3au42
H71.e"
*\|~ZnG
`t&tgc/cnI])Q
l#r=>Fs8%M(cq."
f,5KgRz|;.CTdo)p
n+SE*PTt
|3v,W +2+7Um
&<unBS
}\ c>SSYV,\
u<(6!Z*
l+~to:7
K=%bOX
rxZQ+?{e!v
f;Zl}u
BZ+H'o,1C?
7x<VD%hS
oj@yzi#
C3A*pO}e
v<zQ]4,'
.{l&_9iHm^r
R^IP7R
rKJ%9C\PyN!p
^kA;92x
AVaeU_`l
)})6ZLL
Y';8H{
d}N$9P
=!A}80
FCnW,kXg)|
m:p%N+&=!D
Y'94Rv6JE
b(m%vc
_~:Aea'4W
!I$~]L9n
K,KI(dwWkR
lp96L;+<T'
MBYt:/
mFi'zd;+
rgS[O@+T4(j
Uko/|"
xCi?2r
g^%Ha6Ts
_Ucn88
fn`/cH9
kz*Bjq\cm
@*O_w8V
[5:vbRzS
^jVOX?S[$
5a#uf&
3{)is1t{~
_hB2Ov
8#,<doy
NKJdEp
U}1t3:yv
OoN^>h%2>4+fLh
vPKMp &
M[Nh5d`D)E6&
9*62r|
Aph>'&
1Y#4~W*
@LH8xDxN
=Gqx*QnH
TQ;^AWC
m%6@cE
3rFz(.
r-&5@DvmJ
UnSD7^'!D
R|\0CsVp1
]o< Z70`
s!kHvi^
qNoLHf!4!\0UI<y
}t`XSEw[
7)QF~oA*~
]PYktp
pfj/aU
,Kvwc2
L!a3~'
$4]I`?)b2
<$tnjar$%p
%*![`Fz=5{lj6?-c."2d
q,Z*E1o(
Vh~$O4
Or05tv
{Vsn-w.
>LySk<H
t6Cj4gW~ex^G/f5tld
,5XCjP
M?8cVk%Rk
^4#4TZf}h(
B{RW`O.W
cWn04b6v
w6iSINuqF
H}HD/s
D+CrV(
F3"{Q"3
Hy"F2{<U
LQKpmliG
6|fT.rk
=::TYQe/85
"J[(i6u6
it:;wD18W'Pka
KpD,1j:o8
g/| nR
mB2f&-gG)
/8=hp$)V_2QiUF:^
JxwQ?Im9I
_f2<d_dP
N9O:"NM#g
~>Awb#QG
'iO%Jh
Cgs,2J
7LY!1} 2HEZ|U
tw1wPp=mk
Xb2WnR!
74`}LoV4M?a
E)5kxwz4bvN
VMcBT}zj
r^?[~Vo
,,XA/KowG?>}
^_f{vT
iQ7yE?K
J<R4VM
uX5fD^
hi9j~
5)M!`2)O4O
9U](^xvq
a_bX'c
n[3uu&
ohe"}%S
KJ$u\(S(j[
'Is$wKss
~SzN[F
0+6(ch
b!7v$Z>
K>YFU=#8
AO9:zv*<g
Q9`-6}
1T/1ca
#<"?K'K
Zl:6pfuS2
1UL1J8
S1sAG]
t$\ nSZ
N w@n-6s
nYIxTZsuu
]vfsC1a
sV7{#gWCqkE
wWY5?:/[k
J,(/zj
m0j-HDBK
*;[cvGS
50WaJn5
R(> ^M
Jo1N[I
CrV<KC
XRUr7<NP\M%{
*2[;"%
P!Lj8r
s0aWlv
-)Ve;/'
GLw$r`
\M.|&S
B*_)A
yTQ'0f~h:so
F>\bi
V#M[iY?Lv
(qW:z0!R
zl7wBi
/0 `4L
(f3*Z?
\13*]
I4:};)A
Fo*V/`VT ^&p
hPLWJP
yK$kMx<
/95A< g!
DaZ*y81
g4(bxl[3^1+uq
)j.m1]RA[
d!Z7~o _6CW
Y)j-0OvT
$v][E'uK
{="HMY
9C`}!f@Y*n
'l; _d
8r`9sw%
&LIxe^
6}l~H+c8H
9?^L-"c.n5b6
x?J+3ZCcPB
v!b(T0/[xv
L1k#t;6
BoR_-/[|
^[?]RO~3|K
'W1\ohR
eR=v&;K!]|
)uuXm@pUDy
oAEK%g?:
^zZdHmqKj5-Z5
D$5c0<
c}F CE
t1Z+{nG:#{
(mm*1Tlust
" Y\: s$
!aF6G7b
G^%,,M~{D+
Rv&)'N)U#
]sht:q
XYZd_/8]/AWA
{CP"Mh|
x>oTTICai
G)Y"^:.>vx
OJFw^Nw76/KZ+
|8}U(joD
^D+8@d
Cs!p <nr "
,<3!slsL(
(.^AB>
FNm|2u
mKY<5[
bl7M`M
s,>~zhNfY
\/M_20
=/JW!^XPjc B1
:=/C}]?s
)ATY~K/\
sNF/vC
@r*kXG05
<= +N Q'5? Y
`U&769t@y]
S`a{2v cX
yI10;JN},'
ikM6S,
^U[gA#
(<"6Wrb
S@uN3E<
UP`){i
"h 2vC1|
%m*E/Rm
UBqpnY
54.kLmF
|s"1'#8i
,^P49>
O(yMK`
[^ze-gZc
iYG9c`
A+FdGb
q]721}5A
2WL/Vq
$,_rj+&z
-,8M<or
0sms%hRHsw)
|eo~3
IAu+)P%C
=>kPkHW[
+:FK=H(y}
{Bl+ck
j~0tvR
1/%N+
"mQ>.\
m~|/kPn
,|*xB?
N8tW1`Y
#aL<*!
A/k'-k
}sHJ=k^&k
`h;Y9)
t`c~C$I;8]S
eWEnUdI
dJ4gM(eZz(l
qV-[pR
:Qj:F+^
HrY|QzNOG5
;id%'z
mmX._gS&A
V42^+9
-{4#ez5
]T5y55x1
9u5cz!?
sdD.08c
pDCHm{0
9-~)?CCrPS$3m&Ja`s
np?Lv_?\z
>."ki2R
/>O!P85e
^?jP,y}Ar~
+RG6^S:
YusY4M
f>];8'Q
)dRtLGy
o0*-&ct
sjuO1p_}z1
#~nCH\zC2,W
@Y}2DjSq
"kK`#)I,d
\ '3+u8 l
oR0N4j
+pf]#Nx
vX3fkbs
>q1jU1rI-?]x
'8~5c'
97|NO~tBw
~1.CNM QP+
%2,vP$u93
I|$M.Bc
$ZwmX9
mxC$<!x7
m<s4+c
}v'8kG@pL
zwCp=5?
HdstlwB0>8j
sFU_K$m x<
~^Y41NdcbZO
6(0mCDp}
r6eQEI
Tq*/E5
Yk#vzHHR
q><1/b<k
Xxrl/ad
_mElbwI)
/t%l<
pMDO<zN
Hr/3t;
c&Tz5t%
&v:D,t:@C
Q'FcNR
J'qX-`oz
t Y6dW
,:9g&<
b&F0Q"c
_ QcxW
LX:%9T
zWh xk
T\AdrR
!?E^Nm
#,BMo29
R{QjIZ~8
R^@y#W68*o#
X66]8;p
O"^c?5x b
4D6#P"
e#d+j!K
.9/2=OK8
e:)H-B
)wG~j{
0O< _g>-a,T<
F?~maGJF
JDl@`3
/%0p5N?
a>V>24|
: :K;XZ)6\A')F+?C|+ )
"iuJ*<#w
97g"Zzt^/
;},4yZN0
3MKH+T y&9pHj+
@fq7I>.(S
[!1#`z:FQ
tGY|[}
WuH%;t0evE`56M
/`M0s-
PBbtyu
]7|?*fdAu
c+gz]&"@t-_3
RJQu9RmIP4'Dp^5v
5plnXHq
p!kVwG/
@\$ !e
zQ32Mj)j8to#'
$8ww$+tjl3
\:U7Td[yY
#92r]7Q
M-7W8&H
THQ,3,:5
,UmpS\
M{Ph^\
!"U<fsG5b2
qqrlHt(
B[lCvTXiE-W
y{UzdR?UbXnb
eNuOwkF
u?-o)U5qAT
Ze2E1U
.>n^W)34/
O{=U8UP.
/;kjAX
EEIuU,=eZl }
O)bSn`
mrf0+T&
v+Yb6#I
?r'#8^^h
l0@T>)_Sv
O'zAfMd
F1H+Mh
B^{R<\|
ex%F|<')u
G P!&1
~0)SJ_mp?'
5g<8c{dj
pr#h#o7/cKs!E5
y584w6z|8
=p'*}26
GU(^lAP<
D}ICWfJ*E!
GqkqtV.`RX0~D
,X9IK!E._j
2\.wG`
8yRMLc
&Y#{yg
0cI`t/`,n=
uY#keFz
{K;{X,RFF*<
*[toS%
9cV#eO
cmR9b>
\Vi^T,vK[Q;$ed
MkgsZqENdn
sCh&4_cY~@g
;8y.VvS$d
8L"T9*U
?#`d5DAa
Me)k<_
g82OtwwG#t_x7\\oL}zM^
7qt9k2D@`
]"H&$<
GHDK(n7EzL1h"N
i!I@'*L
NI)r;<+N
*=?!GH4
vhWV-h
8t$sdcFL
+nKRCIBu}
mxPQ42y_]
202k.V
,+L&y5~*Fdx
KQOzrm
1<$#41,Ke<mi
)+NT|f7Y[
^8ouZS
%(x@Uo
Cg8=/kdVI
6YbX3ukRMM{p"
>3xWPr
5DL\1"
%:{%aV
# hIJ!
XZh{(~z
-rm8cb
A`{<7@V
M~{yQ6
%zR7md
IFa7)\2P
;9Yn)^&>
03VA)w
:,j8]j4(Fum
kH3J$Osf2u\
gV`|0qf
s82cH]<
A4Lko-.[-_^
Kb 6kS.
I#Y!e/%f
_a@51;(QA b'-
a$@p'9xR
s0ZoFF
f]ZN!mz1C
=lk}Z7R
U>W?/!
Bb |-J/
~R^)? _&
\2MQJWz,hVe@bf$
6a;V"GG3>N
x[yj(u?
JQNt3:D
x>=Hu~|GIXi_]
HqcyC3
yaBXLIY
7 /^36
Vj9R3X4g'
/:IJXX
I~<>Lc=twK{R
7_C^^5W7
>%bWtK
i 2NUeGO^)mod$%
09{tW*;
?Us5M?tv
rd< >R&~
cP2[UX?
N{34fcQ
^YISj+d4OV'
#n4AtoGwPE
ny]bo`n%
MTXV` ud:M
'_qaQ%2p\GAa(
aM4:97?
5? G@G
@QF*;kF'bK_D
v%@6MTC"-DH~:vC
qB'3P<Vd
}?k*I'l
OpPA&>
p0*Q)c
uWk;HH
=oA }LM
Jzb t)EA9
vxzmSg
U4NCPXiX}
77>juD-
>0W \D
8=&J;zOq}
~"e.Oz
[r-NWCH'm
.6%|8Fq
"K)2!Ec>~dO$
$4{U*3=o
20I@ff
\0??Kzy[
^ghU)*B
'JsxCNL
C$4Ti{
MO}2H4k7
&6FP%MZM}O.3v
)n {R*MZf
Lhb5Q:gj>S
U(DH.!a
#|M=n<kL
mk,X;Hs ,,'d
9=$!QXKeG|M
j(7Vi;K
RGRnH7
9h6% <${
#30}Er
dtx2f^[_' cO
SY<#:s:Id Wyo
FN!OF\kA<M
`|[i.-^`-
)x),/B
~M6%def
yQ;TYv
&I+`+qs
8p7bZ=[
V";7D+@$^
p=FnNp
NRLv*V'ciO.<
[AUp@h
v?!U5q
UEy`yH
@0e-(D
49DZ]bw<[
bO|rSav[Pi'm)QH
.udw8!X
y01Jk\
+]brjB
-=mm(Bh%
}A.zJ<@
?K*O3;d@
MC$2>^
_t)R[SL[HI
pHpVYl
\1GZhlvMq9_
S'?tj=
~>kojdg
cerSt)kA
j-6Pc,$F#~
S]pCf a
@5:w|SO
(B^ZG<:
`:H&,is@*
Sh@Wsg
D.%7o$8Y|
_ZZ8Gyf4$b:
04"I8.@(xNC!K
s/dYrU^
gGn'"=gGae^(}
E`[nE)E
:z[>N4
\@7c9ao
,AQ8Ojo]
8jhC^c,
ny%.&$Pp
cv&W@6k
-iR,u:
h:urueMT
-(lM:G
c7=su!
r!)[ y
j,s3Xd
ev'>?s"q
;Hp>TR
m+j|#@
97f.lxEj"
>Y ak5,J~
cf9$1+2
Zi>.2UZHL
G_4QcEpw_0|G/Iwq0'U
vJF XL
;[`)Ytl9zpOHT#
c#Yx^o-u
&fg?hr
%<1+D}-6
_3zLFp^1P_t;
>8QI6b
&yKq|{
Tb]>Vd$pH
S7 __v<+N
YI+x-h;
v^sg H
\= Lc!
niS~N_
b ]Td/>h
g}m9oW
bz J=&
.8<jij(
wk.Ghhq
Jia^_.D
D0I#`*"K0&tWN~;r.
{iUt-B>y
mQuZfDFe
Vd:i2
}"8)4jwR
: 1$M-k
M/L1B'
]xZ2jbakfU
MEs#P) ,a+".%U
lK8)t&
\v}%Pj;.b.b
F/{Rv9
oT!oL6
Y u/!a'
C ECsC>
XM;o^dQBS
[NC&|TWG
?Pe+X{
c-A#UHfVw
[P+{{:,,b4
_j1>u^i{).!nD
Xj:xF:M
<xF5xy^D
8OGn9n
q`+E0HU
fw/7kN4.
m4By=sG
mf4#h"
31xq22-|QVn
9v`%(J
+;X6{h
j XJ{^$
KzFN(0%n
j&])zS=
Xx;^ZFhJ?
U@u)z!PX
LS5@O.Y6gE
Q]>qhw7a
m(6eUn(4f
(44]4 Q
zB~~?G#s\**}?X5
rR)%R:_m
?J}*N!g cX@@qX
^a>c$J9
<d7"R2I
c,r,04
\Y: Vp1c
K9D^|GD/R
U.g"0^>
],L/.=H2erhl0f
wN;Rbl
Wex),r GHR
QUE@sy`
I0DCcuT *ARy0btj
'.-&*HTK
L!Y)]Y#|>bSnk=
qwuO.ky5TNsk:0
t)/-Fv
7y4 ]cQ
r]L[gUs`
@H1OU"Ny[gQ!
Z6H\I+2
`kXbo+kgg]
i5*Y>7/)
HIg}RK
,V34[>ut1*
8.yrF8.
<a)CIH*E
u c@t2
>vdy/N'aC
xQc6(uzs\=1g
{'f7'v
m<8W1b
sx-Sspv
D?$])TG
;.*otdU4>x
{ Iu98
6SX|^,r
``#V,]
U? :O8kx
!'B3QV#
rrByIIm+
2fK@CRP
s{7K!R
/cOvwh
-yVYF\>`U
jvzre4
7ex[bK
RDjv4Dc<e>>x4
V8-{WW
?>~sL6e.zua
~S%!Oo:o
WZcY@j)
aU~v'A=
/*}yl8z;v/>O%
>M|G"I
+:(|-d
W|Mk$3aWBj
VH,)w}u
&~X0Wl
X0Q$6BbH
R,vhor:hqvQ/_
ab" w`SIRN
0'JX/8`
R*e8e2Pu
WF5'H|W
?4T"}Q<v!
1Y)37vG
|YAgd8Q
|/",!-
y[EB2?
/L}W!c
/m?\q,av
~8H5&2C
^Y\:P"cNE@
^A'dnT
ecMy8<C6C;<
jh(eg_g7@g9Hn
k:)s(D
&d^}OMK Hw;
BFFX}f+*M3
x0r0'zov>^&oT9# iK
E("T57
(G+c?mWZ
Zt|;2J9*T&
z"V+F9
T9fFj%
+\|E[n.
ZM$XS}jT
M?Zv$F9
,A~*+nh#K%s-
4<%Fn2{)
y/!W/qy
ZI6IV\L
k%Hx#%
UcKxH08l@qLWPwW%1C0h
<(d<24w
a!RBC$bI<
f\s3GS}
'X_T 5
J1m2gg}L
tsh #F7
]'4Ur\h
Ob(K#E98R7
`m|g@^H
1qh\J'g`
ncb<=y^
3BXZcra0,:
+.f<QK*-gF 7G
v,iwoZgVB
v&>+KW0ER
)uH7yFT
k~4_S{=
US N${
q=$.\4YNo
cbrW~8
czx,DI
1H,)]fvhdD2+V
<s[m0Hr
))'*z=)C^
&$Pc(qV5xdd_
]a1=gc:
:sQdRk
V6 VyKZ
%-omdH
k\@6|:7
}-vM2Slu
=}IB<cJ$W]V
|CYLH0
D6)uSvHa3
$iWW43%bc
HPcu"3c.
_0_!IU(y!k*p
]It,g ?e\\$
BtQn*y/E
y[pb7P
CU=H_GGRj
xK8s31
4Cwfe/u
}/20Yz(]
ObK2E.
K6!inc
GC!;'I
_"c(jS'Z
`fSLs`^D0
X4[ABP"U$o
/\3_%K
(fu\H?
zIXi?Xlmx
nD(\GB?I
S$BfZ<=
e~:qjeceM;YW
8pR`p.
XN<Fg~Or/boF)
m/6F=^$
CMq%H@>
05Umyl6
pjD2w906FQNnG&hr]pNH^k
p@+R|zio%
jtoZ(G
h &zbgE
`^@H~sz>
Ro5!]i)H/XBF(
|""R^
4l+b+(
4s3b/s
1ud,P kc?B
%Em^>I
jF7_*V
E3/c/SE
QC#sTSmZ
p`[-kd
2)80Lnt0yOMO\a
aOL]>}9t$n
O."tte
,-66&f
H[dRKN\
[hD!}G
)_GX<V
Z}OFD6P!`j(
wXk"0l
V}9spZ
~Ig2vSnh6
{$.\0Zg
nR.M[<w
j<\dk7xj
ec6AZ,
!q3]Z^'C
1rW mk+
RPjNE;
U}D1YP
Mjn0R@
hBx3b+qFBEw5 1m&U48
B8}EHphW9 `qC~.t
)4][gIx
^X2XC^
P,Y"CA9g}}%
qzitD@Q+Rz
Dx*)#A
I]Q:X +aAMuf
/\ Yy<
/vt4[`l
\,ngfa4dL
VEdd/&GY{Oc
#xHYYH
b5]Dhaovh ?
f]`SpY
9~]BTVPC!pG64
BblVoE3
SvRi>]\o[k\
m|PwG@
Gm'@m8,
$m9341j
{y3FVs
B)#6}1
yg3g[&}ba
-0*(m2IVGw^|+z/X4~Xfu
s*6Bkv
9HB>qA\K}o
M=fu,c/.l
9!s}jF
o+Zh&<
$KLR,K
f:<S'"?E3'R
]kArv
=~)a\,:iv
&DW?>S
TQ9h'a%h
^Q).4"3J
z)~U,u@_
Ilyd^/wQa
ks|uHT
Iz$#u,
ynH|tI6
jw${P$L8?
dp>aM6
X{.+ctFh,.
yWv'k^
CzMd%f
PWzJ3-Oh8
4:l8V~yX
+}m~<r
7cU}I$
j^9HI7
m/.a9XV
qdpV~t .
bdu `1
L_W<80OY
MlrB3S:
1'&|OBI
w*WnX=
6X]zZSv
RWI0 p
Wxd "46YOu:~9
C}vb`bX
H90:TU
`$GPF!
pavHsw@+?vD
,jty:W-)1s
@ )=(p
*I^5yNoZ?
AYpFY=B2;
oZ$,u4+
Qm~D"#Elu>"
DJf,0Q
Q/ _)z
,(XJc#=9
P)m|w_!ciUXz'`)
q Tr&c
hdAcQo
$&@2l)
te6}a)P&L1
o;\&?X\N
lH4{xBLb]
zEea:n
__+#*=WT66lGk<
s1JWlN1o 07*
AAPQPU
ua9U03@}
MMM:M}
UUUUM3
MuM3BM+
eMuG}t.]
@�I�@�@�@�@�@�@�@�
U�T�F�-�1�6�L�E�
U�N�I�C�O�D�E�
m�s�c�o�r�e�e�.�d�l�l�
K�E�R�N�E�L�3�2�.�D�L�L�
(�n�u�l�l�)�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � �h�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �H�
t�m�p�5�f�d�r�.�e�x�e�
1�1�2�.�1�7�5�.�8�8�.�2�0�7�
1�1�2�.�1�7�5�.�8�8�.�2�0�8�
d�o�s�r�e�t�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�W�i�n�d�o�w�s�
T�r�a�y�K�e�y�
%�s�.�e�x�e�
\�H�a�n�g�a�m�e�\�K�O�R�E�A�N�\�H�a�n�U�n�i�n�s�t�a�l�l�.�e�x�e�
\�N�E�O�W�I�Z�\�P�M�a�n�g�\�c�o�m�m�o�n�\�P�M�L�a�u�n�c�h�e�r�.�e�x�e�
\�N�e�t�m�a�r�b�l�e�\�C�o�m�m�o�n�\�N�e�t�M�a�r�b�l�e�E�n�d�W�e�b�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�A�h�n�L�a�b�\�V�3�L�i�t�e�3�0�\�V�3�L�i�t�e�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�E�S�T�s�o�f�t�\�A�L�Y�a�c�\�A�Y�L�a�u�n�c�h�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�n�a�v�e�r�\�N�a�v�e�r�A�g�e�n�t�\�N�a�v�e�r�A�g�e�n�t�.�e�x�e�
W�i�n�S�e�v�e�n�
W�i�n�V�i�s�t�a�
U�n�K�n�o�w�n�
g�o�l�f�i�n�f�o�.�i�n�i�
g�o�l�f�s�e�t�.�i�n�i�
H�G�D�r�a�w�.�d�l�l�
%�s�%�s�.�e�x�e�
\�\�.�\�%�s�
\�\�.�\�P�H�Y�S�I�C�A�L�D�R�I�V�E�
%�d�.�%�d�.�%�d�.�%�d�
'�(�,�,�-�-�.�0�0�0�0�1�3�
1�6�7�8�8�8�:�=�>�=�@�?�B�D�E�I�I�I�S�^�
;�@�Q�b�c�b�b�o�
!�&�'�*�+�-�
*�/�/�3�3�5�6�5�7�7�8�;�=�?�
x�$�&�*�+�+�,�-�-�/�0�4�6�I�
s�s�s�s�s�s�
s�s�s�s�s�s�s�s�s�
Y�L�F�C�E�D�E�C�C�C�D�C�C�E�C�C�D�E�E�E�C�I�S�@�J�I�B�
f�k�m�k�n�n�n�m�
n�n�m�m�l�n�o�o�i�
c�o�n�d�e�r�t�
B�I�K�O�K�D�S�G�D�G�Y�W�D�S�D�S�
'�(�,�,�-�-�.�0�0�0�0�1�3�
1�6�7�8�8�8�:�=�>�=�@�?�B�D�E�I�I�I�S�^�
;�@�Q�b�c�b�b�o�
!�&�'�*�+�-�
*�/�/�3�3�5�6�5�7�7�8�;�=�?�
x�$�&�*�+�+�,�-�-�/�0�4�6�I�
s�s�s�s�s�s�
s�s�s�s�s�s�s�s�s�
Y�L�F�C�E�D�E�C�C�C�D�C�C�E�C�C�D�E�E�E�C�I�S�@�J�I�B�
f�k�m�k�n�n�n�m�
n�n�m�m�l�n�o�o�i�
Process Tree
-
08f27944cfffc1343419da83ac0a2d90bddb8eae3412160f71cd7aab4e340748.exe (2948)
"C:\Users\Administrator\AppData\Local\Temp\08f27944cfffc1343419da83ac0a2d90bddb8eae3412160f71cd7aab4e340748.exe"
- huter.exe (2064) "C:\Users\ADMINI~1\AppData\Local\Temp\huter.exe"
- cmd.exe (2504) cmd /c ""C:\Users\ADMINI~1\AppData\Local\Temp\sanfdr.bat" "
08f27944cfffc1343419da83ac0a2d90bddb8eae3412160f71cd7aab4e340748.exe, PID: 2948, Parent PID: 1064
default registry file network process services synchronisation iexplore office pdf
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | |
| dns.msftncsi.com |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 4964b8bb9667902b_huter.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
| Size | 234.8KB |
| Processes | 2948 (08f27944cfffc1343419da83ac0a2d90bddb8eae3412160f71cd7aab4e340748.exe) |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 5622cb63e92b1d7a0935747cf25e4ce2 |
| SHA1 | 36d34b6309d71832f6ee080b53d08e1ee8c3536a |
| SHA256 | 4964b8bb9667902ba56635e76d65726459261465b737b2ce31c536fa727a22f4 |
| CRC32 | 8BBBAF61 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | fea32526c29951c2_golfinfo.ini |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\golfinfo.ini |
| Size | 512.0B |
| Processes | 2948 (08f27944cfffc1343419da83ac0a2d90bddb8eae3412160f71cd7aab4e340748.exe) |
| Type | data |
| MD5 | cb8b3268a58e3e3ea046135a31630bbe |
| SHA1 | 9b24e0f46375148ebc245cd6641773e876513ca3 |
| SHA256 | fea32526c29951c22eccfc3f837610c29e2843334ef0734f9b68495c14859d0b |
| CRC32 | 46DC9201 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 54498caaed03c761_sanfdr.bat |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
| Size | 365.0B |
| Processes | 2948 (08f27944cfffc1343419da83ac0a2d90bddb8eae3412160f71cd7aab4e340748.exe) 2504 (cmd.exe) |
| Type | ASCII text, with CRLF, CR line terminators |
| MD5 | 4a2e77f7b33d26d7251cf3c4f8760282 |
| SHA1 | b2a9a739605f0ac3a504545114589f53f6a7792d |
| SHA256 | 54498caaed03c7615d3fdc090800b43d4c9c14d3e59892d374ab5e75151bcdc0 |
| CRC32 | BE0348C8 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 08f27944cfffc134_08f27944cfffc1343419da83ac0a2d90bddb8eae3412160f71cd7aab4e340748.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\08f27944cfffc1343419da83ac0a2d90bddb8eae3412160f71cd7aab4e340748.exe |
| Size | 234.7KB |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 16b593ddd180f3bf8b7f425be465b480 |
| SHA1 | 6cae11bfab3e1ffa45a4e7737ba302617991f3a9 |
| SHA256 | 08f27944cfffc1343419da83ac0a2d90bddb8eae3412160f71cd7aab4e340748 |
| CRC32 | B64AFEC1 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.