1.2
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.82
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Kryptik-NJO [Trj] | 20200610 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Urelas.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200610 | 2013.8.14.323 |
| McAfee | GenericRXGX-ON!195AB3236EF1 | 20200610 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0c5a8 | 20200610 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(3 个事件)
| section | .MPRESS1 |
| section | .MPRESS2 |
| section | .imports |
动态指标
在 PE 资源中识别到外语
(2 个事件)
| name | RT_DIALOG | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00024bc0 | size | 0x00000168 | ||||||||||||||||||
| name | RT_VERSION | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00034c70 | size | 0x000002c8 | ||||||||||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 57 个反病毒引擎识别为恶意
(50 out of 57 个事件)
| ALYac | Gen:Variant.Zusy.298375 |
| APEX | Malicious |
| AVG | Win32:Kryptik-NJO [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Zusy.298375 |
| AhnLab-V3 | Malware/Win32.Generic.C2791258 |
| Antiy-AVL | Trojan[Backdoor]/Win32.Plite |
| Arcabit | Trojan.Zusy.D48D87 |
| Avast | Win32:Kryptik-NJO [Trj] |
| Avira | HEUR/AGEN.1115210 |
| Baidu | Win32.Trojan.Urelas.a |
| BitDefender | Gen:Variant.Zusy.298375 |
| BitDefenderTheta | Gen:NN.ZexaF.34128.mq1@aq4aMEdO |
| CAT-QuickHeal | Trojan.Beaugrit.17908 |
| ClamAV | Win.Malware.Urelas-6717394-0 |
| Comodo | TrojWare.Win32.Urelas.SH@5674sp |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.36ef1b |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/S-be2a1965!Eldorado |
| DrWeb | Trojan.DownLoader11.31199 |
| ESET-NOD32 | a variant of Win32/Urelas.U |
| Emsisoft | Gen:Variant.Zusy.298375 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-be2a1965!Eldorado |
| F-Secure | Heuristic.HEUR/AGEN.1115210 |
| FireEye | Generic.mg.195ab3236ef1b7b0 |
| Fortinet | W32/Urelas.U!tr |
| GData | Gen:Variant.Zusy.298375 |
| Ikarus | Trojan.Win32.Urelas |
| Invincea | heuristic |
| Jiangmin | Backdoor.Plite.pv |
| K7AntiVirus | Backdoor ( 0053e8561 ) |
| K7GW | Backdoor ( 0053e8561 ) |
| Kaspersky | Backdoor.Win32.Plite.bhtm |
| MAX | malware (ai score=85) |
| Malwarebytes | Trojan.Urelas |
| McAfee | GenericRXGX-ON!195AB3236EF1 |
| McAfee-GW-Edition | BehavesLike.Win32.Fujacks.dt |
| MicroWorld-eScan | Gen:Variant.Zusy.298375 |
| Microsoft | Trojan:Win32/Urelas.AA |
| NANO-Antivirus | Trojan.Win32.Urelas.denlvn |
| Panda | Trj/Genetic.gen |
| Rising | Trojan.Urelas!1.BB69 (RDMK:cmRtazpl7VblJwFCSVBzrASw7bpF) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Urelas-Q |
| Symantec | ML.Attribute.HighConfidence |
| Tencent | Malware.Win32.Gencirc.10b0c5a8 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-09-07 19:17:05
PE Imphash
5f1929a8ca007a58d8921624c4dd5b88
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .MPRESS1 | 0x00001000 | 0x00027000 | 0x00024400 | 4.0950634734460065 |
| .MPRESS2 | 0x00028000 | 0x00001000 | 0x00000e00 | 5.748660389439606 |
| .rsrc | 0x00029000 | 0x0000d000 | 0x0000c200 | 4.319076419078424 |
| .imports | 0x00036000 | 0x00001000 | 0x00000800 | 4.4167791778432015 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000345e8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_DIALOG | 0x00024bc0 | 0x00000168 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_STRING | 0x00024d28 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x00034bb8 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x00034bb8 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_VERSION | 0x00034c70 | 0x000002c8 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_MANIFEST | 0x00034f78 | 0x0000015a | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x41101c GetSystemWindowsDirectoryW
• 0x411020 GetSystemDirectoryW
• 0x411024 DeleteFileW
• 0x411028 GetModuleFileNameW
• 0x41102c GetTickCount
• 0x411030 GetVersionExW
• 0x411034 ReadFile
• 0x411038 CreateFileW
• 0x41103c DeviceIoControl
• 0x411040 GetTempPathA
• 0x411044 GetModuleFileNameA
• 0x411048 HeapAlloc
• 0x41104c GetProcessHeap
• 0x411050 HeapFree
• 0x411054 MultiByteToWideChar
• 0x411058 HeapReAlloc
• 0x41105c LCMapStringW
• 0x411060 HeapSize
• 0x411064 CreateFileA
• 0x411068 GetFileAttributesW
• 0x41106c LoadLibraryW
• 0x411070 WriteConsoleW
• 0x411074 FlushFileBuffers
• 0x411078 IsProcessorFeaturePresent
• 0x41107c SetStdHandle
• 0x411080 CreateThread
• 0x411084 CreateEventW
• 0x411088 CloseHandle
• 0x41108c OpenEventW
• 0x411090 GetTempPathW
• 0x411094 GetStringTypeW
• 0x411098 IsValidCodePage
• 0x41109c GetOEMCP
• 0x4110a0 GetACP
• 0x4110a4 GetCPInfo
• 0x4110a8 RaiseException
• 0x4110ac SetFilePointer
• 0x4110b0 GetSystemTimeAsFileTime
• 0x4110b4 GetCurrentProcessId
• 0x4110b8 QueryPerformanceCounter
• 0x4110bc HeapCreate
• 0x4110c0 InterlockedDecrement
• 0x4110c4 GetCurrentThreadId
• 0x4110c8 ExitProcess
• 0x4110cc Sleep
• 0x4110d0 GetCommandLineW
• 0x4110d4 HeapSetInformation
• 0x4110d8 GetStartupInfoW
• 0x4110dc GetLastError
• 0x4110e0 TerminateProcess
• 0x4110e4 GetCurrentProcess
• 0x4110e8 UnhandledExceptionFilter
• 0x4110ec SetUnhandledExceptionFilter
• 0x4110f0 IsDebuggerPresent
• 0x4110f4 EncodePointer
• 0x4110f8 DecodePointer
• 0x4110fc EnterCriticalSection
• 0x411100 LeaveCriticalSection
• 0x411104 InitializeCriticalSectionAndSpinCount
• 0x411108 RtlUnwind
• 0x41110c WriteFile
• 0x411110 WideCharToMultiByte
• 0x411114 GetConsoleCP
• 0x411118 GetConsoleMode
• 0x41111c GetProcAddress
• 0x411120 GetModuleHandleW
• 0x411124 GetStdHandle
• 0x411128 FreeEnvironmentStringsW
• 0x41112c GetEnvironmentStringsW
• 0x411130 SetHandleCount
• 0x411134 GetFileType
• 0x411138 DeleteCriticalSection
• 0x41113c TlsAlloc
• 0x411140 TlsGetValue
• 0x411144 TlsSetValue
• 0x411148 TlsFree
• 0x41114c InterlockedIncrement
• 0x411150 SetLastError
• 0x411154 SetEndOfFile
Library USER32.dll:
• 0x411168 LoadIconW
• 0x41116c RegisterClassExW
• 0x411170 CreateWindowExW
• 0x411174 DefWindowProcW
• 0x411178 BeginPaint
• 0x41117c LoadAcceleratorsW
• 0x411180 LoadStringW
• 0x411184 LoadCursorW
• 0x411188 wsprintfW
• 0x41118c PostQuitMessage
• 0x411190 EndPaint
Library ADVAPI32.dll:
• 0x411000 RegQueryValueExW
• 0x411004 RegSetValueExW
• 0x411008 RegCloseKey
• 0x41100c RegOpenKeyExW
Library WS2_32.dll:
• 0x411198 WSAStartup
• 0x41119c htonl
• 0x4111a0 gethostbyaddr
• 0x4111a4 socket
• 0x4111a8 gethostbyname
• 0x4111ac inet_addr
• 0x4111b0 htons
• 0x4111b4 connect
• 0x4111b8 closesocket
• 0x4111bc send
• 0x4111c0 recv
• 0x4111c4 WSAGetLastError
Library IPHLPAPI.DLL:
• 0x411014 GetAdaptersAddresses
L!Win32 .EXE.
.MPRESS1
.MPRESS2
.imports
jgVjdh
t$f=LwA
EEjlPE
^]ULHPA
^L$H35
^L$H35
3^L$H35
L$L^33d5
ESW3j>PMQfEn
3_[M34
j@h&yA
ESVW3h
EEEEEEfE
uSQURPj
M_^33[
ESVW3h
EEEEEEfEfPwA
ESVW3h
tfHtCHt
MSMPu$
M_33^+
MSMPu$
M_33^)
ESVW3h
_^[M3'
MSMPfl3
trhptA
fu+t,h
ESVW3h
PrQfpO]
RjPfh1]
3_^[M3
]3j>PMQfEC\
3j>RzPfx(\
fuff0f
fuf4f:f
M_^3[y
VRhd2A
EEEEEEfEE3j
EEPMMQh
_GBPuD
f;u+t#}
_^[]3EEUREEEPh
f;u+uSj'
_^3[]U
E3VWfME
EEEEfEE
]U@HPA
fMMMMMfM^xZj
]U$HPA
EEEEEEfE
@uVW+OO
MQRE_&
|_[^]U
^3[]Wh`3A
tVMQVj
3Eou2}
_^[]_^[]
3hUQSWj
~PFJWP
u VVjRVV
GWVjRj
MMMMfMM
3VWp3A
EEEEfEEx
u-;u)NwA
3M_^3[
M_^3[S
u+u'S~
E^[]U
M_^3[.
VW(,4t
0_^[M3
M_^3[;
U SW3j
3Y}]9]
;tV;|BMx
YYt"Mx
39]fD~
;t3f9>
}f9;u
jEPhHPA
;Ew[PuV4
E+)E$V,
}O;]rOt
u+WuV1
M+;rP})E
YYt)EF
YY]jXh <A
fu3_[]
f_^]UW}
CB;r]}
]8 u S
jEPhHPA
YYuf-u
[u-VgX
RPjjEUHZ
M]EUVW
Yu)jAXf;w
E;ErDE9Eu
3;Er0w
QuuuWY
u>9ur9w
`p33_^[
U]/UVu
USV3;u
;r3_^[]
U SW3j
3Y}]9]
;t5;|"Mx
ffffffE
YM_3[>
3PPPPP
t4+t$+t
ItQht@lt
3F tBP
itnnt$o
PWP5D]A
PW5P]A
PW5L]A
|j0XfQfW
t-RPWSG
j0O,Yt
j OWYt
`pM_^3[
1 B0RA
;r" TA
;r = TA
at0rt#wt
f9>tf>=uu
f> t3f9>t
Y]3u;5A
+SVWHPA
1E3PeuEEEEd
Y__^[]Q
:E_^[]E
9csmu)=
URPQQhx@
t;T$4t
;v.4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
Yt$WV!
jXEU;u
Ht%CT1
\3_[^j
W>+~,WPVYPU
Y/V|Yt
Y}3u;5A
tVPV%YY3BU
4V.YYE
W34809}
;u ;8!
4 3,9E
P4UM`8
DQP C@
,PVEP$
3+4H;M
(PVHP$
(PVHP$
r3VVhU
QH++PPVh
(P+P5P$
\,+48;E
0?DY1$
8+0[M_3^
DDDDDDDDDDDDDD
8csmu*x
YYuTVWh
3]j h=A
3PPPPPpVBO
@Y<v*V5O
^SSSSSyj
;tFtA3
S^`N`H
j$Y~\d9
QY^`[_^]
3Y[_^5bA
3PPPPP
UQV3W}
ft;uf t
Bf8\tf8"u8
ft$9Uu
UQQSVWh
V33SfjA
[]YY?sJM
_[^SVW
j@j ^VC,
H3H/5~A
;rSWf9M
YYt:V5UA
P YF,t
YYt0V5UA
E3E3;u
<at,<rt"<wt
F> t>=unF> tj
WPWPWv
whu;5YA
8]tEMap<u
TM_^3[j
M`}_hu
PCY^hS=L
Y%u UA
3W;to=^A
t4V0;t(W8jYt
Fpt"~l
lVYYYEE
f;rJvf;
f;rJvf;
f;rJvf;
Jvf;rgQ
Pf;rSPf;
t4+t$HHt
ItUhtDlt
HHt$HHt
itxnt*o
PSP5D]A
PS5P]A
PS5L]A
t-RPWS0
0@@If8
u69t.EPs
`pM_^3[
EU_^j
VUY@UA
t.VDYt"V8
Yt.VYt"V
]39}~0N
D=VPYYtG;}|fE
YYM_^3[
VW3,]A
YYu,9E
tAt2t$
E`p;39]
VW38kA
F$|3@_^
Z3G}39
tCHt(Ht M
Y+t7+t*+t
3t(;t$;t
t$;t)k
^0_^[E
uEPuuu
uEuPuuu
$ MeHMu
tWWW6#
JWWW6o
[+PD=P6>
EUSSSSSj
9}t(9}t
tDft?f;t8EP
Vuy39E
B(;r3_^[]
Ujh(?A
SVWHPA
1E3PEd
Y_^[]USVWUj
P(RP$R
UPjh @
t:|$,t
;t$,v-4v
UQPXY]Y[
S3VW;|[;
t6<0t0=
u}uyG,j@j EYYEta
FGIuX^_]
Y+t"+t
+tY+uC(}
Uw\]Yp
u>OdMGd
u wdSUY
t?P5lA
3M_^3[3e
ft'Ou"+
jPfDJXdf
tCHt(Ht }
Y+t7+t*+t
3t(;t$;t
^0|_^[E
uEPuuu
uEuPuuu
$ MeHMu~
tWWW6#
JWWW6!
[+PD=P6
EVSSSSSvj
9}t(9}t
M$m39]
MfMf;u!f;t
E`p3^_[
H8]tMapUj
E`p3^[_
S3VW;~ E
@;u+H;}
39](SSu
]9]tWuu
};~Bj3X
3;t?uWuuu
t"SS9] u
EYe_^[M38U
Mifu(Eu$u u
UQQHPA
ES3VW]9]
39] SSu
ESEYe_^[M3
M<eu$Eu
a_6Z_v R_v$J_v(B_v,:_v02_v4*_v
_vD^vH^vL^vP^vT^vX^v\^v`^vd^vh^vl^vp^vt^vx^v|^@
P[YF0;
P[Yv4;5^A
PX[YF ;
PF[YF$;
P4[YF8;
P"[YF<;
PZYFD;
PZYFH;
PZYvL;5^A
VZY^]UV3PPPPPPPPU
rustnM
tR:QuMPt<:Qu7Pt&:Qu!Pt
@FA;r3^[
+UV3PPPPPPPPU
^0egVu
f;v6;t
Map_^[;t&;w Kgj"^0f8]tE`py
<E`p0M
YUY]Vu
UY3MW0u
L1$!_^[u
Map^[3PPj
E`p]Ex
tAMap8+
;t+3_^[
EPQEPEj
RQMQVp
Map^[UWVSM
WVS3D$
KERNEL32.dll
GetSystemWindowsDirectoryW
GetSystemDirectoryW
DeleteFileW
GetModuleFileNameW
GetTickCount
GetVersionExW
ReadFile
CreateFileW
DeviceIoControl
GetTempPathA
GetModuleFileNameA
HeapAlloc
GetProcessHeap
HeapFree
MultiByteToWideChar
HeapReAlloc
LCMapStringW
HeapSize
CreateFileA
GetFileAttributesW
LoadLibraryW
WriteConsoleW
FlushFileBuffers
IsProcessorFeaturePresent
SetStdHandle
CreateThread
CreateEventW
CloseHandle
OpenEventW
GetTempPathW
GetStringTypeW
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
RaiseException
SetFilePointer
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
HeapCreate
InterlockedDecrement
GetCurrentThreadId
ExitProcess
GetCommandLineW
HeapSetInformation
GetStartupInfoW
GetLastError
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
DecodePointer
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
RtlUnwind
WriteFile
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
GetProcAddress
GetModuleHandleW
GetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
SetEndOfFile
USER32.dll
LoadIconW
RegisterClassExW
CreateWindowExW
DefWindowProcW
BeginPaint
LoadAcceleratorsW
LoadStringW
LoadCursorW
wsprintfW
PostQuitMessage
EndPaint
lADVAPI32.dll
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegOpenKeyExW
SHELL32.dll
ShellExecuteA
ShellExecuteW
WS2_32.dll
LIPHLPAPI.DLL
GetAdaptersAddresses
8Muex<
KERNEL32
VirtualProtect
G(XPTPjxWXt=
bad allocation
CorExitProcess
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
UTF-16LE
UNICODE
Unknown exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(null)
`h````
xpxxxx
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
sanfdr.bat
:Repeat
if exist "
" goto Repeat
rmdir "
%d.%d.%d.%d
112.175.88.208
112.175.88.209
112.175.88.209
112.175.88.209
112.175.88.209
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
218.54.31.226
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
GetModuleHandleA
GetProcAddress
KERNEL32.DLL
USER32.dll
EndPaint
ADVAPI32.dll
RegCloseKey
SHELL32.dll
ShellExecuteA
WS2_32.dll
IPHLPAPI.DLL
GetAdaptersAddresses
lQ+QQQf
UWVS|$
t$dD$\
T$L3;\$L
t$t#t$lD$`T$x
D$t#D$hl$x
D$t+D$\$
D$@d$@L$@
;s#D$H
t".)D$H+r
)D$H+r
L$H+t$`+
T$8L$PL$xf
D$\l$TD$X3|$`
D$`L$D
;s`)L$4|$4
t$4D$H|$t
D$`D$t+D$\
l$8f++
D$T&++f
T$TD$PT$PL$XL$Tl$\D$\l$X3|$`
;s/D$H
;s;D$H
)D$H+f
t$(Nt$(uL$0
T$,|$`
)D$H+f
l$$Ml$$uP
)D$H+f
$L$ d$
p4$Ft$\tZL$
9l$\w`$
BD$tIt
wwwwwwwwwwwwwwwpxpx
pxwwwwwwwwwwwwwxpxpxDDDDDDDDD@
pxDDDDDDDDDH
pxDDDDDDDDDH
pxDDDDDDDDDDDDDDpxpwwwwwwwwwwwwwwwp
wwwwwwwpxpxpxpxpxpxpxpxwwwwwwpxDDDpxDDDDDDpxpwwwwwwww
%%$$"#"#"#*+()''&&??<=9;7A63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CWkV21TSav^8{
}>qooggggggg1`_fhsnHK{JLp
Gl-FjNw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
.#%-0%:?%9>%8=%7;
EG@DF@MO@LN2Kh2\g2]f2[I3')+*+)))*))()*+++,6J!54 CBAjYPQTVTSkllZTTXRTUiHceWda/
iu`_<bmt^}zy|yx~
{|yvrrwsqpon
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
JHHGGGGGGGGHI
JEEEEEEEEEEFC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
O%JEEEEEEEEEFFB
JJIIIIJIIIIJJ
O(@>=77A779?<8;$O'
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'H#P'Q'Q'Q'Q'
R&R&R'R&R&R&R&R&Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'R'
e)qjiPt
{rFpcq
S^EDIID:BI638?@=>>=======8,00-.(',0-0178
S(O$N!N!N!N!N"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"N"M"M"O$S)O"
QDf>.j~ro
*V=;?73?//87566-&*'!+3$357_
OO&F#C!C!C!C!C!C!C!C!C!C!
A E$R(
x(s o7|WRzW
wwwwwwwwwwwwwwwpxpx
pxwwwwwwwwwwwwwxpxpxDDDDDDDDD@
pxDDDDDDDDDH
pxDDDDDDDDDH
pxDDDDDDDDDDDDDDpxpwwwwwwwwwwwwwwwp
wwwwwwwpxpxpxpxpxpxpxpxwwwwwwpxDDDpxDDDDDDpxpwwwwwwww
%%$$"#"#"#*+()''&&??<=9;7A63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CWkV21TSav^8{
}>qooggggggg1`_fhsnHK{JLp
Gl-FjNw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
.#%-0%:?%9>%8=%7;
EG@DF@MO@LN2Kh2\g2]f2[I3')+*+)))*))()*+++,6J!54 CBAjYPQTVTSkllZTTXRTUiHceWda/
iu`_<bmt^}zy|yx~
{|yvrrwsqpon
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
JHHGGGGGGGGHI
JEEEEEEEEEEFC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
O%JEEEEEEEEEFFB
JJIIIIJIIIIJJ
O(@>=77A779?<8;$O'
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'H#P'Q'Q'Q'Q'
R&R&R'R&R&R&R&R&Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'R'
e)qjiPt
{rFpcq
S^EDIID:BI638?@=>>=======8,00-.(',0-0178
S(O$N!N!N!N!N"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"N"M"M"O$S)O"
QDf>.j~ro
*V=;?73?//87566-&*'!+3$357_
OO&F#C!C!C!C!C!C!C!C!C!C!
A E$R(
x(s o7|WRzW
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
KERNEL32.dll
GetSystemWindowsDirectoryW
GetSystemDirectoryW
DeleteFileW
GetModuleFileNameW
GetTickCount
GetVersionExW
ReadFile
CreateFileW
DeviceIoControl
GetTempPathA
GetModuleFileNameA
HeapAlloc
GetProcessHeap
HeapFree
MultiByteToWideChar
HeapReAlloc
LCMapStringW
HeapSize
CreateFileA
GetFileAttributesW
LoadLibraryW
WriteConsoleW
FlushFileBuffers
IsProcessorFeaturePresent
SetStdHandle
CreateThread
CreateEventW
CloseHandle
OpenEventW
GetTempPathW
GetStringTypeW
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
RaiseException
SetFilePointer
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
HeapCreate
InterlockedDecrement
GetCurrentThreadId
ExitProcess
GetCommandLineW
HeapSetInformation
GetStartupInfoW
GetLastError
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
DecodePointer
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
RtlUnwind
WriteFile
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
GetProcAddress
GetModuleHandleW
GetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
SetEndOfFile
USER32.dll
LoadIconW
RegisterClassExW
CreateWindowExW
DefWindowProcW
BeginPaint
LoadAcceleratorsW
LoadStringW
LoadCursorW
wsprintfW
PostQuitMessage
EndPaint
ADVAPI32.dll
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegOpenKeyExW
SHELL32.dll
ShellExecuteA
ShellExecuteW
WS2_32.dll
IPHLPAPI.DLL
GetAdaptersAddresses
U�T�F�-�1�6�L�E�
U�N�I�C�O�D�E�
m�s�c�o�r�e�e�.�d�l�l�
r�u�n�t�i�m�e� �e�r�r�o�r� �
T�L�O�S�S� �e�r�r�o�r�
S�I�N�G� �e�r�r�o�r�
D�O�M�A�I�N� �e�r�r�o�r�
-� �A�t�t�e�m�p�t� �t�o� �u�s�e� �M�S�I�L� �c�o�d�e� �f�r�o�m� �t�h�i�s� �a�s�s�e�m�b�l�y� �d�u�r�i�n�g� �n�a�t�i�v�e� �c�o�d�e� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.� �I�t� �i�s� �m�o�s�t� �l�i�k�e�l�y� �t�h�e� �r�e�s�u�l�t� �o�f� �c�a�l�l�i�n�g� �a�n� �M�S�I�L�-�c�o�m�p�i�l�e�d� �(�/�c�l�r�)� �f�u�n�c�t�i�o�n� �f�r�o�m� �a� �n�a�t�i�v�e� �c�o�n�s�t�r�u�c�t�o�r� �o�r� �f�r�o�m� �D�l�l�M�a�i�n�.�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�c�a�l�e� �i�n�f�o�r�m�a�t�i�o�n�
-� �A�t�t�e�m�p�t� �t�o� �i�n�i�t�i�a�l�i�z�e� �t�h�e� �C�R�T� �m�o�r�e� �t�h�a�n� �o�n�c�e�.�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.�
-� �C�R�T� �n�o�t� �i�n�i�t�i�a�l�i�z�e�d�
-� �u�n�a�b�l�e� �t�o� �i�n�i�t�i�a�l�i�z�e� �h�e�a�p�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�w�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �s�t�d�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �p�u�r�e� �v�i�r�t�u�a�l� �f�u�n�c�t�i�o�n� �c�a�l�l�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �_�o�n�e�x�i�t�/�a�t�e�x�i�t� �t�a�b�l�e�
-� �u�n�a�b�l�e� �t�o� �o�p�e�n� �c�o�n�s�o�l�e� �d�e�v�i�c�e�
-� �u�n�e�x�p�e�c�t�e�d� �h�e�a�p� �e�r�r�o�r�
-� �u�n�e�x�p�e�c�t�e�d� �m�u�l�t�i�t�h�r�e�a�d� �l�o�c�k� �e�r�r�o�r�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �t�h�r�e�a�d� �d�a�t�a�
-� �a�b�o�r�t�(�)� �h�a�s� �b�e�e�n� �c�a�l�l�e�d�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �e�n�v�i�r�o�n�m�e�n�t�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �a�r�g�u�m�e�n�t�s�
-� �f�l�o�a�t�i�n�g� �p�o�i�n�t� �s�u�p�p�o�r�t� �n�o�t� �l�o�a�d�e�d�
A�M�i�c�r�o�s�o�f�t� �V�i�s�u�a�l� �C�+�+� �R�u�n�t�i�m�e� �L�i�b�r�a�r�y�
<�p�r�o�g�r�a�m� �n�a�m�e� �u�n�k�n�o�w�n�>�
R�u�n�t�i�m�e� �E�r�r�o�r�!�
P�r�o�g�r�a�m�:� �
K�E�R�N�E�L�3�2�.�D�L�L�
H�H�:�m�m�:�s�s�
d�d�d�d�,� �M�M�M�M� �d�d�,� �y�y�y�y�
M�M�/�d�d�/�y�y�
D�e�c�e�m�b�e�r�
N�o�v�e�m�b�e�r�
O�c�t�o�b�e�r�
S�e�p�t�e�m�b�e�r�
A�u�g�u�s�t�
F�e�b�r�u�a�r�y�
J�a�n�u�a�r�y�
S�a�t�u�r�d�a�y�
F�r�i�d�a�y�
T�h�u�r�s�d�a�y�
W�e�d�n�e�s�d�a�y�
T�u�e�s�d�a�y�
M�o�n�d�a�y�
S�u�n�d�a�y�
(�n�u�l�l�)�
W�U�S�E�R�3�2�.�D�L�L�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � �h�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �H�
C�O�N�O�U�T�$�
%�s�%�s�.�e�x�e�
\�\�.�\�%�s�
\�\�.�\�P�H�Y�S�I�C�A�L�D�R�I�V�E�
%�d�.�%�d�.�%�d�.�%�d�
g�o�l�f�i�n�f�o�.�i�n�i�
g�o�l�f�s�e�t�.�i�n�i�
g�o�l�f�i�n�f�o�.�i�n�i�
H�G�D�r�a�w�.�d�l�l�
1�1�2�.�1�7�5�.�8�8�.�2�0�8�
1�1�2�.�1�7�5�.�8�8�.�2�0�7�
1�1�2�.�1�7�5�.�8�8�.�2�0�8�
1�1�2�.�1�7�5�.�8�8�.�2�0�8�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�W�i�n�d�o�w�s�
1�1�2�.�1�7�5�.�8�8�.�2�0�8�
g�o�l�f�s�e�t�.�i�n�i�
f�i�o�t�r�e�.�e�x�e�
h�o�i�d�y�e�t�
1�1�2�.�1�7�5�.�8�8�.�2�0�7�
1�1�2�.�1�7�5�.�8�8�.�2�0�8�
1�1�2�.�1�7�5�.�8�8�.�2�0�8�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�W�i�n�d�o�w�s�
T�r�a�y�K�e�y�
a�h�n�l�a�b�
%�s�.�e�x�e�
a�h�n�l�a�b�
%�s�.�e�x�e�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�W�i�n�d�o�w�s�
T�r�a�y�K�e�y�
\�H�a�n�g�a�m�e�\�K�O�R�E�A�N�\�H�a�n�U�n�i�n�s�t�a�l�l�.�e�x�e�
\�N�E�O�W�I�Z�\�P�M�a�n�g�\�c�o�m�m�o�n�\�P�M�L�a�u�n�c�h�e�r�.�e�x�e�
\�N�e�t�m�a�r�b�l�e�\�C�o�m�m�o�n�\�N�e�t�M�a�r�b�l�e�E�n�d�W�e�b�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�A�h�n�L�a�b�\�V�3�L�i�t�e�3�0�\�V�3�L�i�t�e�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�E�S�T�s�o�f�t�\�A�L�Y�a�c�\�A�Y�L�a�u�n�c�h�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�n�a�v�e�r�\�N�a�v�e�r�A�g�e�n�t�\�N�a�v�e�r�A�g�e�n�t�.�e�x�e�
W�i�n�S�e�v�e�n�
W�i�n�V�i�s�t�a�
U�n�K�n�o�w�n�
D�i�a�l�o�g�
M�S� �S�h�e�l�l� �D�l�g�
C�h�e�c�k�1�
M�f�c�L�i�n�k�
M�f�c�L�i�n�k�1�
S�p�l�i�t�1�
m�s�c�t�l�s�_�p�r�o�g�r�e�s�s�3�2�
h�o�k�d�i�s�u�
N�I�K�H�H�U�S�T�D�H�D�G�H�S�F�S�
'�(�,�,�-�-�.�0�0�0�0�1�3�
1�6�7�8�8�8�:�=�>�=�@�?�B�D�E�I�I�I�S�^�
;�@�Q�b�c�b�b�o�
!�&�'�*�+�-�
*�/�/�3�3�5�6�5�7�7�8�;�=�?�
x�$�&�*�+�+�,�-�-�/�0�4�6�I�
s�s�s�s�s�s�
s�s�s�s�s�s�s�s�s�
Y�L�F�C�E�D�E�C�C�C�D�C�C�E�C�C�D�E�E�E�C�I�S�@�J�I�B�
f�k�m�k�n�n�n�m�
n�n�m�m�l�n�o�o�i�
'�(�,�,�-�-�.�0�0�0�0�1�3�
1�6�7�8�8�8�:�=�>�=�@�?�B�D�E�I�I�I�S�^�
;�@�Q�b�c�b�b�o�
!�&�'�*�+�-�
*�/�/�3�3�5�6�5�7�7�8�;�=�?�
x�$�&�*�+�+�,�-�-�/�0�4�6�I�
s�s�s�s�s�s�
s�s�s�s�s�s�s�s�s�
Y�L�F�C�E�D�E�C�C�C�D�C�C�E�C�C�D�E�E�E�C�I�S�@�J�I�B�
f�k�m�k�n�n�n�m�
n�n�m�m�l�n�o�o�i�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�1�2�0�4�b�0�
C�o�m�p�a�n�y�N�a�m�e�
T�O�D�O�:� �<�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
T�O�D�O�:� �<�
F�i�l�e�V�e�r�s�i�o�n�
1�.�0�.�0�.�1�
I�n�t�e�r�n�a�l�N�a�m�e�
A�p�p�l�e�D�o�w�n�.�e�x�e�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �(�C�)� �2�0�1�4�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
A�p�p�l�e�D�o�w�n�.�e�x�e�
P�r�o�d�u�c�t�N�a�m�e�
T�O�D�O�:� �<�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�.�0�.�0�.�1�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.