1.4
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.75
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20200528 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Agent.abs | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200529 | 2013.8.14.323 |
| McAfee | Agent-FEU!1038480DCD5D | 20200528 | 6.0.6.653 |
| Tencent | None | 20200529 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | .vmp0 |
| section | .vmp1 |
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.vmp1', 'virtual_address': '0x0000b000', 'virtual_size': '0x00014479', 'size_of_data': '0x00014600', 'entropy': 7.547367502199002} | entropy | 7.547367502199002 | description | 发现高熵的节 | |||||||||
| entropy | 0.9939024390243902 | description | 此PE文件的整体熵值较高 | |||||||||||
可执行文件可能是用VMProtect打包的
(2 个事件)
| section | .vmp0 | description | 节名称指示VMProtect | ||||||
| section | .vmp1 | description | 节名称指示VMProtect | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 61 个反病毒引擎识别为恶意
(50 out of 61 个事件)
| ALYac | Trojan.Dropper.YER |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Trojan.Dropper.YER |
| AhnLab-V3 | Trojan/Win32.Orbus.R157401 |
| Antiy-AVL | Trojan/Win32.SGeneric |
| Arcabit | Trojan.Dropper.YER |
| Avast | Win32:Malware-gen |
| Avira | TR/Agent.xwba |
| Baidu | Win32.Trojan.Agent.abs |
| BitDefender | Trojan.Dropper.YER |
| BitDefenderTheta | Gen:NN.ZexaF.34122.fyX@auDDnic |
| Bkav | W32.FamVT.AgenBHQc.Trojan |
| CAT-QuickHeal | Trojan.Vflooder.C6 |
| ClamAV | Win.Trojan.Agent-1309051 |
| Comodo | TrojWare.Win32.Agent.WBX@5bs8lt |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.351ad5 |
| Cylance | Unsafe |
| Cyren | W32/S-abc538d5!Eldorado |
| DrWeb | BackDoor.Spy.2465 |
| ESET-NOD32 | a variant of Win32/Agent.WBX |
| Emsisoft | Trojan.Dropper.YER (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-abc538d5!Eldorado |
| F-Secure | Trojan.TR/Agent.xwba |
| FireEye | Generic.mg.2a3f744351ad593d |
| Fortinet | W32/Agent.WBX!tr |
| GData | Trojan.Dropper.YER |
| Ikarus | Trojan.Win32.Vflooder |
| Invincea | heuristic |
| Jiangmin | Trojan/Agentb.bqm |
| K7AntiVirus | Trojan ( 00563cb01 ) |
| K7GW | Trojan ( 00563cb01 ) |
| Kaspersky | Trojan.Win32.Agentb.bqgp |
| MAX | malware (ai score=86) |
| Malwarebytes | Trojan.Agent |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | Agent-FEU!1038480DCD5D |
| MicroWorld-eScan | Trojan.Dropper.YER |
| Microsoft | Trojan:Win32/Vflooder.C |
| NANO-Antivirus | Trojan.Win32.Kryptik.fmveqo |
| Panda | Trj/Dropper.AAP |
| Qihoo-360 | HEUR/QVM16.0.8B04.Malware.Gen |
| Rising | Malware.Heuristic!ET#86% (RDMK:cmRtazqDahMqmPrlM/4TsTdVwwxa) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Agent-AHNL |
| Symantec | Trojan Horse |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-06-26 06:58:59
PE Imphash
cb55ef8ddff6ca096823fd960459bc3a
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x000037ac | 0x00000000 | 0.0 |
| .rdata | 0x00005000 | 0x00000c7c | 0x00000000 | 0.0 |
| .data | 0x00006000 | 0x0000062c | 0x00000000 | 0.0 |
| .vmp0 | 0x00007000 | 0x00003f3e | 0x00000000 | 0.0 |
| .vmp1 | 0x0000b000 | 0x00014479 | 0x00014600 | 7.547367502199002 |
| .reloc | 0x00020000 | 0x0000014c | 0x00000200 | 3.834950537136147 |
Imports
Library KERNEL32.dll:
• 0x417000 CreateFileW
• 0x417004 FindFirstFileW
• 0x417008 FindClose
• 0x41700c FindNextFileW
• 0x417010 GetWindowsDirectoryW
• 0x417014 WaitForSingleObject
• 0x417018 GetModuleHandleW
• 0x41701c GetTickCount
• 0x417020 Sleep
• 0x417024 CreateProcessA
• 0x417028 GetModuleFileNameW
• 0x41702c GetStartupInfoA
• 0x417030 ReadFile
• 0x417034 GetFileSize
• 0x417038 DeleteFileA
• 0x41703c CreateThread
• 0x417040 GetProcAddress
• 0x417044 LoadLibraryA
• 0x417048 GetCurrentProcess
• 0x41704c GetLastError
• 0x417050 GetSystemInfo
• 0x417054 GetModuleHandleA
• 0x417058 GlobalAlloc
• 0x41705c GlobalFree
• 0x417060 GetTempFileNameA
• 0x417064 CreateFileA
• 0x417068 CloseHandle
• 0x41706c GetVersionExA
• 0x417070 CreateToolhelp32Snapshot
• 0x417074 GetDiskFreeSpaceA
• 0x417078 HeapReAlloc
• 0x41707c Process32Next
• 0x417080 GetCurrentDirectoryW
• 0x417084 GetSystemDirectoryA
• 0x417088 GetFileAttributesW
• 0x41708c GetVolumeInformationA
• 0x417090 OpenProcess
• 0x417094 GetDriveTypeA
• 0x417098 GetLogicalDrives
• 0x41709c Process32First
• 0x4170a0 GetDriveTypeW
• 0x4170a4 GetComputerNameA
• 0x4170a8 GetProcessHeap
• 0x4170ac HeapFree
• 0x4170b0 HeapAlloc
• 0x4170b4 GetTempPathA
Library USER32.dll:
• 0x4170bc GetWindowRect
• 0x4170c0 GetWindowDC
• 0x4170c4 ReleaseDC
• 0x4170c8 GetDesktopWindow
Library GDI32.dll:
• 0x4170d0 CreateDIBSection
• 0x4170d4 CreateCompatibleDC
• 0x4170d8 DeleteObject
• 0x4170dc DeleteDC
• 0x4170e0 BitBlt
• 0x4170e4 SelectObject
Library ADVAPI32.dll:
• 0x4170ec GetTokenInformation
• 0x4170f0 OpenProcessToken
• 0x4170f4 GetUserNameA
• 0x4170f8 CreateWellKnownSid
• 0x4170fc CheckTokenMembership
• 0x417100 DuplicateToken
Library ole32.dll:
• 0x417114 CreateStreamOnHGlobal
Library ntdll.dll:
• 0x41711c _snwprintf
• 0x417120 _wcsicmp
• 0x417124 sprintf
• 0x417128 memcpy
• 0x41712c memset
Library WININET.dll:
• 0x417134 InternetReadFile
• 0x417138 InternetSetOptionA
• 0x41713c HttpOpenRequestA
• 0x417140 HttpSendRequestA
• 0x417144 InternetOpenA
• 0x417148 InternetCloseHandle
• 0x41714c HttpQueryInfoA
• 0x417150 InternetConnectA
Library IPHLPAPI.DLL:
• 0x417158 GetAdaptersInfo
Library gdiplus.dll:
• 0x417160 GdipSaveImageToStream
• 0x417164 GdipGetImageEncodersSize
• 0x417168 GdipDisposeImage
• 0x41716c GdipCreateBitmapFromHBITMAP
• 0x417170 GdipGetImageEncoders
• 0x417174 GdiplusStartup
Library PSAPI.DLL:
• 0x41717c GetModuleFileNameExA
Library KERNEL32.dll:
• 0x417194 GetModuleFileNameW
Library KERNEL32.dll:
• 0x41719c GetModuleHandleA
• 0x4171a0 LoadLibraryA
• 0x4171a4 LocalAlloc
• 0x4171a8 LocalFree
• 0x4171ac GetModuleFileNameA
• 0x4171b0 ExitProcess
L!This program cannot be run in DOS mode.
`.rdata
@.data
b.vmp1
.reloc
O+W=T,
cd\+^TM[H
];p_3?g
\ 2{<K
GFh)$=
GetModuleHandleW
ntdll.dll
Pf$$d$
$BMd$H
7D$D94$
f+5 `f
GetFileAttributesW
DeleteObject
<$D$$}1A
InternetOpenA
Process32First
GetSystemInfo
ole32.dll
;E`d$$
((`d$,
GetCurrentDirectoryW
GdipDisposeImage
GetWindowRect
ExitProcess
D$,4$St$48
OpenProcessToken
(5rD@|
CreateProcessA
GhzRd$
InternetReadFile
WNetOpenEnumW
XB14#
X ]FFw
$|Hg /t
QX.?S]
*G'dn`\t\
i,-n=|P
SBWqq>
GetVersionExA
LocalFree
t$lHrNuDk
JGm}({W
-L`k>x
Skb]iMRe2
YvE}xG
B*fCOqU.bmx
YU43zH
}4}Muq
8_Y_w}>"~
`N2 J\
mw1y@DhP
pY\%z(`A
OmhgQ,<?#d$
GdipSaveImageToStream
4$$$t$(,
i~r)4%|\X_8u
r/sncqi
`^-?i*L
s#tqO'pM
$ Wt$,0
)~4$d$(
;h9fQ`d$(
GetTickCount
0'040t00000/1<1w1111111
2 2,2S2u222222A3H3R3Y3333333
494@4e4444444444
5V5]5y5555666
7=7C7N777777
8B8I8c8x8888888/969n99999C:I:s:}::::
;U;};;;;;;
<%<a<k<}<<<<
=H=O=`======
> >V>>>
?M?S?a????
0E0e00000
1P1]11111D2Q222
4 4w4~4444444
55555555
6!6W6^666666666
7J7c777777777
898Q888
9D9]9o9999(:::Q:::::
;&;-;@;;;;;;
<#<-<6<]<d<n<u<<<<<< =&=0=7={========D>M>[>k>>.?I?V?o??
0%0A0[0000
1(1C1.2I2V2o22
3%3A3[3333
5<5C55555
6H6L6P6T6X6\66666666
7J7W7777777
8F8M8p8w8888888
9;9L9S99999999[:b::::::::::
;a;k;v;;;;%</<:<<'=.=====?>F>P>W>>>>>
?a?k?s?~?????
0!0y0000000h111111
262z22222 333 4'404N4Y4s4z4444444
5M5T555555
6-6s6z666
7F77777
w22 4R44
5!6,6Q6g6999
1'2266===^>m>[???
2x2233
4A4#525C6X6i788)99T:q:;;;9<<u==
11Y22234
DuplicateToken
Br)L`Gi
xdg)tQYe,=3Cl
+&*?P{lmnkW
_odYmoym
)!B(sh
qK! [a
C|mUO9$
!rya!K
0< 4@jmO?
KAjev1$*kq
6{nqi]#R Kq
ZvV~}A7^=a(
n}kqb7m~ZU5C`
J[0p#eb
1yGm\i
UjZy}"z
jG!r&[_
kQOI['
MNKmOn.iQsIyeqoJDGx
UEC+uzN&ZJn:ieo
^QEOA*M.
of}q<aRc~AUwv]8,o)zy4e1 _O
E<qnji
;.QV>.*
pUIV:3
c[pWTvv r-
cip~<j?n$Aze
U.)2Ia
PIOW0v1ghUL
EKO9VR
@oZ)Fy"(`4Lk0qkAF%F
dea)OJL1[~
M/f+y'Xg
vUIMYkj-BK<3M
/9f>hiaL=
l @G6pzJa4
em;X,7h'8L(
w @26]
wkGFxojs-u*
;UZNPB`Ai
@=()-z3Qq:'
Ejzb)f|
-P:8h,A{.cp
~^S`kR8y
pmN/o' %,t
aF!XayvzuZcq6
1EpaM=&GiJ.(g
^?z CS
0*!6oF[#|
UJ]pG)
@f0ba!)Zs #|o
W#hEv)
E!pM> oz%
T77!Fne&'v;u+!9F}hy:bps
MiQ+)MB/ZX|7
m]ab9I d
M0@i{&|
4vo4R b
z-/6Pv
m7g&J.
L/Ms`[{
Q`LAN<Z
;3(ODSF%)w
DGy(W@A
K@QG3m
5axt||
XpA{3OpTo*mc^U{
b 2Elpf``8q*nVy&w.+
aOPRLQ
0f f*ax"
Q2Nh.N?1%9e~$= say
jak-)r/
i`~{k?7izoe
;))n[%8&4e5^&VbE[
}QjnyUDOU7$^!1!]<-C_Ci
XtV-;f
)nY~P4N
jtMG*NiU]Esd{FX
@D4\nr}e.H
gp*pMa&
:lJ _4
QJPbSj
]&SUom[
*#AM;C=Moq
UN)v)n]A.
f5P*?pH
uyqUGnP!^
bs MEEg
bQnkKQ
meJJ<' Y9n}7*wVCPN
""1:ITbl_
0m)?|pT
roX[-Na
O!*h'#
#@?o13U
rWL}f8`Wof1w_pQ
H? C_SpUE'~
Cn<QB'^L,^m[<@P&K
_3'0Nwypes$a
d5%E9-^> 7.
{]3iK]O1m
162bzi
-KPbGJcE
&nb}uoA
nw\N6EoJ
Nj*'5Z
t/CKHk0X <uz{%{oc~U_s
R!l<~O[y
MMJ /JLHGmC[3s)
,!X'X*y6yni|A#JM-B
g/Y-0e
<5h?DQ9#2Ca/}nr
{u x.L
CEIPy^K7
%N.bfP)gq vPT(a|g`?w)1M p{f'QT
<i_.Y}&
!A4(LC
8"NUHEdz
EQa4![i_ISUk8TC(7nxFd',ec}io
],y,@1K
,`IomZ3'B):'X
DUOZ<[
y5rY.~Ow&
n!j~qko
S|Nfp8R
Au0L`!;1o'X%^
'Jp30[
)n:2&K
m"Q' d
8 BKK*=gAfh
jUQyv)
]d:QEXEbXZ
DB~PA0
!'9neu
R5)i&*~@G3.5
FuCAwj{
KV\rk4!UK*
J4OrM$
9K#9{mzc$5io$ d
1O LF*tQ
B)p=MVM
*|}KApoez{b#
<CoQ0IW[D
Q!7suFahDi/Q
KKP(p 4
-oG P`QgIKP?_NI
pPAS@^
ZQ(@l?
x!0/ h.Z
?I=V{~
==c?/x
,MeAN)Gq
IP?AQUoNPOe8^10N?q
OIfc@>`1^K|Qp\
/}p_ *O
P)!IAZ
!7X0g)OfD
hph!%h,Q
>|qPX.p`
a_p1P S=o#
~WpMk5
8[meC[s*MZ
4)ci<j)[
T5-Sa_
fA_i"X
n'^*%|OpI ADN
XOc{O7W0~QZz+5a
'%J^WJ-V^
HP%BTR?:+94X&
QC&1px~{nI
H9^@nU
^fMZpep.
h`}-9)K& ^)
Za8KrFm6e
L#vPM}a
_ a[ 8_
WQab NVQ&&FyO
L?}[ak`K
7/jrM9
o.*':/Tg)e
W!q$ C
e+lVQhLSR
v>Ibs@n]OE<K{h8 Z(8[ h
./~wo)n
_y*7Ji}b&
n#il+o
a MJZ{l
9CU6ZfR
8]pl#3no5NXY
oCZaq|g,%*
KvM2U+ja(Ao[
xOKMy3
OtyH!&Fsl)
[q;$f^0sZn
LE3ip]CY
52*^V,GiP1
5]spo<`P#dprx)5A"f'
y2K_;s
@A%%XsY
#BK}?0v{
[)-/JX?95
UVFYERDi1n
/rNK~fD
JiKZvM
KbCM^bL
a\1nm[G;Ly
~ZKC'B
jYNNOVhfE&Tt.
#d%\p,P\
P~Pa%l
n}y.&U/gQ
eo2~aB
Ap{_?A@BLk
$*CO DKAkJl1
CKX_"{T
7umM+iy
4XJA`E}FE
1jUylxN*CE19e
|(M"9U_T
3+&$q~[t05z
q&ZK o
jp][|oHlq(,U
AUO72s
VF6#nfuubo
EhK%Tf
:}/aHVgG
n[?u1"|
7j:(Zi
ifMg4Ey9uC6
&[iP8TW
rQby]nR.2e7+"u
eZIc9"K
PwzE:Nq[W
CZYJ[Al
JyTa6ym
z +}r,Jz}.]
`hOqX55
}%$.ra0
}QOF nA?J'OPn
z( [9$@H>.5\
kYx&_*z}p
>"p-Zx,
a>^ViPSp@
U{j<(3V
>118LzFMa
uq["-z
'Y'Qz
)@sl_
HW:+T-"&`T+9Bqa;
Ty}OAQ'Fco^T
lx.=0hNE|k0j
i~W{)v*
L@'Db0
JMg.$[aO
pE !]K
TiD$!}\PE
pg=d$T
oO\>a:K&)O"%
H<^AA.pOL~
NH";m8&c1F
`;n1i'r;`PM<
MT*KfJ
n[bHL<R D(]
eU}D)a[
?$"B(U/3yhJk
Y{}c4SY
#Ulz85hq
:&vnz )5p
$j{9:?X
P+Gxiz
@x5s7`
ZA?MY9#`kH
XX7Qi!
'`oxZ;~
e,]meb +Ga
H:Nt0o
#@V#:1^
12}_z-
M.W i")U
Ll X<D
,/29Z,4E"
;)}lB["_
FQ"%(b!
'SD8q<[
N=/}:f
hqV9KNyb
h*AZ(5
,\XExV'o$05
27R[m`
-!)0=iqVL
60dqW7
u1q$CI
q,wFjY<
nR>dqDqb;Ggq
o%RqY@<mY'*pgq3
fo\!iJV"qm A
q)5FGqt/
@Zi,XTeH>
O~p>sNIA
lo[r'#
;f8px1RVaTZ
Xt3C>8vq&=O/tq
.7,jXU
vkx1~e=+ ]{P)hQ
"DSqEdfq1x;^FaSkIm
*qXxJ>
F:q7xs
=np[~y
Yfmr1P
1-e1t5cspU
X\D4y>$
q\#mjem>X~x8
1yqC>wfQ(1
HN&phpi:
7o`8q]
jq"bUn*$04m
s@*UeZ
QFX%wq
<fFqT#VzbM
XMHmiW$Jq6=q395
;lknAe4_x7q
qw_~(p/ )
x)uaeC1qV
UoJE9Q
XYGe4mwVGj:Y
{.-prqd
Se$RN@QYq
_q~mf5nL|Kt
z69#qG_
EImGw18
S~Qbg|n
>_k4Wi
qszR_}odl
a`xdp;1qQ[N):n)
6WQ]Y'aJk-
9m+U~qK.q
{o*|IM'Wq`wz
ce%`q3qo+
lmKm1mqiK
WRu@4zm(
1DqX5rj]
l}4e^ajv-9
*p1o$o
]A=/qXK!qg
qH-c)Q
M5:&\-nm}
E]),hgm>'
&ooRqE@MI.q
&i1}fmqQ
G%eRDp
@M)EEmCshl&Pp8p
+9{?=hRupVD
qM9dML3o
,q2"X]189mQZS&}
1>CouYx/
im(Tmq|j
`\$(_f
d$$4$d$
`d$H>i
tW}Nt$HL
f}182eC
?e5Hh4U'
^61`1$D]%"
iNf|6T#>g+VM|ecZ
Q qifH?
`D$$Sd$,
;``d$@
N"DC)~
ca}Xr]&
<eg~Y{
ReadFile
_wcsicmp
.n?Q_N
G>$f#qmPW"H
H8$Ah4Ri`
&k}MPR.dll
HeapFree
GetFileSize
GetModuleHandleA
=mpG4Y
2Gc{UL6M
.NvA=z%e
GetModuleFileNameA
Sf$$d$D
f<$TD$
X)51dNE 2Q8g
C$alt+h%
.{4II(XhE/(
)77}H9
`D$@&A
HttpOpenRequestA
GetDiskFreeSpaceA
CreateFileA
6D/i{Zy
fkS(Y=8t
eI>=$Yl^*&=
+irK"m,JV
;VpwY,
)6|])I
#H'41$D
v@x9#>
\zWi^vRM
W7q/2x"tF8 i/-mh?Co
?q+Sk*;
dcv| ;_
dhP:IJ
#rf9#?
ipk{!?zZbM
``4$d$H
/d$@a`=
USER32.dll
GdipGetImageEncodersSize
-e/9TCO.}
X <}(Rak_
TX`:%}
"28(8iVzE
CheckTokenMembership
XD$LvT
"lp^p~
E[NFT>Pkh^6
g(x(wR!
AqahLZ
uiTrWwU~_=
<1/]4=
AyYaEQg+{H
Yce)|p
/~[+Vb
(D}LQd`
tSrts&CL0LXznceY
*(vmi336
>x'X8cA-+
IAw{[~j
GetDriveTypeW
~z$f[$d$
Ui7nsak#*
(_ytP3f
$djjbt7r
u\c_n:
=2gA*2
jn^#TM
l59cad
.[VX|$]l
BSQ *y
#!-8&uPf
1+Gs r\
Ait8$x
n[i-TWl
f9f$$f(
GetStartupInfoA
`hQt$,0
WININET.dll
.)h}d$4
GetCurrentProcess
fucM`f
4ElvQ_
^,@y#}I?f]e#^x
{`of{K]F
`.3"NT
-knEds
}Xp87?
Z"*NVN
cmL]xH/9l
_zkpH:LM
ejq=k}
2J6;1d$8
WNetEnumResourceW
$4$d$4
<((fki?
2Ky|@_$4s^3wS/
X{Wn4>
Nf`l$ l$
hjja3h
(:sN>$&pz1:u"(d{
&Lx@89
`mIU}C"\>#s(+
Q8OG^I
>Gewm.kV0iW{db#7zGnds:k
0d$,#5]
.ne2b}(m
CVdq7%}.2S
H6Ci<=Kj
A#@}2?
x? NFFW
QVOSTrxz0o{d!"Q
!MTMq/2K
CE\pMR
px4@O#*
NST0I{
6`~N>E=
<8,0"D$@t$DH
CreateWellKnownSid
D$@hS Lt4$t$LP
DeleteFileA
$uppmC|?
3u&Pm#f0
)AgraAj}
K{JTzpj,5
fay%:!Ds
_<QC\d
@HuJME
AV2-P\h<ueIMD/-7
RmvD`G
NVbZCK%S
NVJ,pSTPDR
R@!a}.2X& $#v{
6<T'+al5
Wgq3EQ
G8;[@=v?
br49NV~p
]}f} $
=TD#Rb2
C3Z#Tg.~*2NF
!mr24I
]2D|JR
'/qbZvnb
lz@ps^>
leP,=|Bf
FI(&'D',{a,/m
3NZ8]Emd rs6+zd.8t
zMi)Y;
d',bpe=
`^{`K?*F
KH\1bhC
y`},i]!
9x_7vjm
N~Au<d
WNetCloseEnum
WUd$8q
GetModuleFileNameExA
DI<`"l
z$h[h}4|$
`h~Ct7D$(hhs
`PLAK6j
&=o'9D}LH
XTZYZ
<Pf,$U4$d$
f)ff)f
$&TWd$P
`4$4$h
<hhs,ueun}s~
tLCU ,1:
}^sz(9r2
&;Y*r`utB
i+E|an%6
F.NW{s
j,8si4^\3p^{bzHgk
~rK<}ft:
d9q/kji s_gb8V}
Zq\sp':
56.H2f |So
N$*et_lT
GetLastError
CreateThread
`R7D$(VfD$
YD$Dd$L
PSAPI.DLL
FindClose
`Td$,od$<
P gn0`y@
8NE^$ZR
memset
SHGetFolderPathW
*(9i4~
E|AeFB
!2:U_A
==Yt`T
v9"MkkC
h=x@8s
j^nV";AhVo
,*Ionn^
VrV* d
CreateFileW
GetTempFileNameA
GdipGetImageEncoders
O-=tE12P_
,rU{"SohJ
O52x=5
b$m7 .
V_{WZA
de+#5^ O59
,$?#P,+o
6ohPDl
heL ;cS
? &[g+>U 3
xG>nHseac}
^hzdu9
=#FLDa
j3_/M)j]m:@
yPtOrR
;=J>oh
XDQOlf
>o_53xz@9
7o{dkF
/``d$H
PeBtzB
!isoLd^Y!1
#.%*) X-
SV+Ac6sY-8@ KP
f0f9Wm
memcpy
81`d$@L
GetSystemDirectoryA
Zb&.mm
]qUzN
06Xr7D]mI
s%,OB/Y
|X+:#&"<z
Q*Sb<_h
=`'U k~2
%]yR^RjxdlMs
lrxG@^
EGbYk#$6."2\vJ{`
LP` ~P[=F`
<yg/-?
KZ~Y_&
`;Mf|$
J;[vAql
.VbFj|
=MsYLl<
BitBlt
GlobalFree
fTxAhcy
GetDriveTypeA
/m\$Dv:g=
Zhaq=r
,w*+)BU]
KP*!:frkrG
3U.g$uD)
Vn*?][prIc
3m:}v?,
`1VtD{
_$GDI32.dll
pyMuy\U_&k
elmFm6
|k3~+"=j<)
M^37i 3L
r#4^"u-(>7f
0pc8"xa4[u{Wn1Cy0
]1KaybPYrbe
WXa<QK Z
-.m^mn**b*N
\[!K`)O z[m/3JM
m4Bt5=C/lQ_1D.K|!
Cr[om/GQp
JYfYm/
oIokJP?$R
[{Yn08rQ
#,YNKM%[
$G)|=U-lbL}dFuo
j0Y6['i,e2
w>h$Ph
/US#3o[\,m)2
(!'@1c8.4S
AnI1mU
,HUC+>
|K4-$I
YcbU_BS
)r.I_!4N(A4H
Y1/[}4Q{&
mdcv0(}Z
CS/K,+
L0ciehL[Edk9Y,4,6_
~=c+40e,];m
"W(L /aKu
M7yyO{
,9 C$1.
O,\awC
0uwIim
5BS\Ija$!EQ
!?OogCfp
P`1DI0^,[0i
>}f*rqY
;.#}jM9
[Q#+BA{zemQ,*e9K
p_)COh/qbm[xl@_y0kQW12cM}
Y!x*j'
%lzHg^._+D(;SrT1OQ`
KmeCIV
?L~M\oe4*#KjMKmg
?BNNeV,~
- jMu16
K |cNcV"
,mkP3jQwaMhLC
.:1P-PWF8
\uN)U?L
- ~D4xw2_4arx78
xKF'E{u]
}}"/Q48E
qL@.d';F8C
P=L`&~"K<
0VZJ%`OQ1%[a`i8)Y0wu_@"
Ign m8
0.AEag
O-C{'-0N2;!u[n
[Q,sIK-<
!(T@ya1
u:IN= ZY)
)/'')R%v}!R
)xa50o4(]_/[d[\A@_|dIF!PPI,O~lM&
~5N<DVPRQ!O!1ESv,x
eDx'%y?a
fKm@.-
962QHSU=~LUC
QvdLp[
Nec14uA
CZY{=,KR=
&JIG$z}8#O
S[(*%=0oBeY$0
9y~In]0@iW.cT
f4nPU{bmr\1Uy4
EF8XNt
aG(-)y
+q8Gey)Dow
z)4~%$(
1En=k.+$N>.0yK4
e&p[;({-
.aHy^0{
06}*<k
1 Qmo +Ef
BlcFLX9G{
$O. C1o-
h.\0d+BJ!y
E>Y<h],LX
mJAlXq)D8GQ
\s#[Q(O`
/pCv6Mjh
Pa~<({?%
/o}$+af'Wi4{
|'#C*|+!E*
C]QXXa=
w8Q%eOxICda
R:Px5L<Ra
NuIG=M- }
L27+6o
z%Mag_J-
d1$_CQ&Y&<yr|mAPL}
1_b 7:5
"As#"BL/p#
MNm q3
51Wf ia
)B$db%Cfx
CQG-!0a
,:Z)k1Q(L
z)cmAm
IPY/}cvi8Z
adH6cE!(G6vIu$0!
dE3BHP
K.]cWau]o[i
8`B1$NrIFr
f1A(c m] (0 r/
:Wh]wQ]
)P3}eV[xA
![Pbur9t
M<X8&#*
u:P.Z!PNh+PoGP1u
QP[",8i
GhG=+`x
)Q!-Qv/
xK gcM*9=K_C
x01w!y7>k]lu/;~I(*AY
za<[ZFm
y[1%(,
.:0KMg
li) aT^`
;d,RSOndfas
wC[z?p6A,
eUDW&8<p
yA[) hh
}(H.!8m)`nP1
_wg7fNi
h|0hA$
[C(J a48rt
yK$c4$1]"_4$B2h
{^MT!:
PN/P?|4?7J
)X>Ir>`0d p(
/@,h|]G(~```
lYAePN&FN@~n#)p )>kEAh"Op/E
6!A{/N!(
/hp/wK#&/
p]Ct0myCTa
Y&^4yUX(a
xt8\M"e9$
LXGo!xI
,mn84Kd!
eI,U1Qpv
@%.CDN|.Cb
{3o!v|fc
$8=`,m
,{$)!y(}Y
fQ\47OZ
yG,!5(0#pp2d+@L:bp>M4m
:ah C!mN^;p0
$NF[GI;jS!Pc
I($uG{f
h0_T:K
y4,r{!-?ao}F;){I
_ckyz5
pPyOM)(
%x(~1Ay!_(
n/O@umQlkM
deQiu)U y I
Orxt !kLZ;HS/
QA$xkLj`Qe
rnGRqa%h\
ov^yp.>k
JKg3c/,88+
O8(0$u4N0U8\d
XP0,3M
aQ!O=f408
xb@/4p
?HUvn@o!erK-a4,AQc
;9.10rc
0KQA`c( o%K.F
J[G4&)Ju1,0t!.H
8UJ,xT!0*L
uk<AKi\-c
71hA,Juj|m4Q
ARJ,@i
Ym=)[_
"=fAwEAp
CX_ci(Qol=EH'
+Aodmq
InternetCloseHandle
D$D,$4$D$
`ARaD"k`qM8
+z=874
*(sr_S04
IPHLPAPI.DLL
M`md$,
SelectObject
GetProcAddress
`JeD$0h
P kWvAOm.o
702?L-}xi
GetAdaptersInfo
s<)0f_"nzCfJ
Y)m$:g?W2
b2Nrba8S"F[
(yJ(f7:s}gsls:
M//E (z@
jw$?lS
wSf;E4
GetVolumeInformationA
zqPAu@>P
B<eaDZ
r_!3O1
dlc$n =!FD
%_Xua{L
&'PaL +c)
'AuAI'k~Z4
;ej(:a
:p'5|M
n;a,3R
d$4d$0
GetDesktopWindow
CloseHandle
ReleaseDC
#ill1ng
iOD5jY
:O&TO9
Pe{xTp8
xQft$4fD$
HttpQueryInfoA
GetTempPathA
t$,4$d$4
4$hUt,
HeapReAlloc
4F&X9]1
(*oYj.
l|6-]CT
v%6wvt
I==CA[9Om o
$j4Gg>!V0
Q21k/g
RN\ir%
D2]fgz|@5r
6sP}xU(
["5K{*n_W%eb
+XYaqe^g~Y{
i{KLe]=
_c;-~z,5B_|3f
<N3NX&
J*>j,Y-
dhqYOq
L ~nn54
qm.+4B
XD0"&v^
'~uds0
z/XB.4
`%: |*?ywR
"(I\ke
+sX)#23:W
eu>r``HzN
-cQ#~&riY%
qLNZ[$
djF#@[2=j'
AKX\8~e
<V6:qTP
2lP]knzFx
,_#gFBtU
KSonDW"$_wy
LyV ?"Mq!-a2$i=7Q~J,1
m2J!Vs[&4h
e$V{=ieYG=L9zPQk
TmI'-Z^Oo
su>G$*$ Q
Vt]S5{
KBl{I^%
SAF@0ksyW+W'6Z
TO}:y$eC8a+f7
K|)l?#QR
_[2OI3$QN|`
Q=7wU?R _%n>^DMIVY
3Bu=7SEf
m MlA`qBrbB
.SZdU@`
L@DK(`!eR|GgGZ<yN
\57mgi
`I~=-[
UCcUxNS
xc.-<y
Scj!R;
^HNER7?
aNMdUF
R8P8Haz T|
(AqfY=
1r``-]>
B6jIX=!_
X5~v;}-.
7c%&\m)
a`h<xM[DY"T{/{
bRsLiWJsV/A&E
vr#2Td
)\c}Urmxc}3,v
91]9.
<3mDT}li.@X
qQ}5]]?P
f4$D$$5`A
WaitForSingleObject
CreateDIBSection
InternetSetOptionA
CreateStreamOnHGlobal
CreateCompatibleDC
edIP!2e
;m]4Qu
2TCyPq'x:
,^h}VD$(t$
Process32Next
FindFirstFileW
HttpSendRequestA
hD?#(,B)
;GN>`I@WsB
8cT3FzBg
@ F:T>N,P
]'Tfd$8
.23ug|PD;f_
3F\tHSo
9aQi)7
EuE[Gqj!F |fB
>6nTfgl]{4
{p-:}!>frT
GetUserNameA
C5Dv+9~@#U
*9GR}.P$o:
0Z*3qp'>5By
(b}wU7w^8
o/kt^*Smf
GetWindowsDirectoryW
ZjKjn=
]t!a8Tp
#"nl0M
*d{C2A
Y}ZivN*CFJi1
1Rusl~O
C%+2*I
S<|t&8I
r$Ea-GI
r$ZKfBu
}Xh>X<
sLg=8t
R=KW.F}2
InternetConnectA
GdipCreateBitmapFromHBITMAP
CreateToolhelp32Snapshot
$d`d$@
_snwprintf
UXDT$Duo"H3t+
)7@zU-b
&35{$E
Ugpp=d
ODQo_6rV./ f
Q.>gbXY>0
gUd$HKQ
GetLogicalDrives
1k*X-;
DZlz`x
u^"yBv
tBBQ'1Ev1q`/2
J$+id$
c1S`7+lM
\[9wp@
22)3]R0
aF-4V/
=MCX$#
It_mAd$
GetModuleFileNameW
p[`Dhup
wQaHLAv.)gslmD~#\j= -o
Ub=oZy
zny][{Ql
6zJek,
v&$}ZNP
GdiplusStartup
GetTokenInformation
PC2L.E
g5B1UVAxO+
ffT)fV
4$b`d$
d$(ad$,
`7D$@d$
-user32.dll
B}(Z\h
Yny]8)""
QCD,0<
L1Rz'i%Sn}raY-
f7n;*-X
0i3v5:+lrVjT]|
OVDKt)FM
is*6\dMV|Z
=DCad39~
H3N~Z4]fXEa!W:
gdiplus.dll
qN$)ex
-%5KWqKn
\tXSx3?Ua
Q^#rFC^+J@
6j!aWi+K
Ve#%V2!&
0/\UQB
I>Vt=U&*lcs-rN\-}b#?Y
3 @[NU}Q
mrVM \
!E`w`@
N4D{]%@a1a})=:D
hhaQL`
(U;P|E
Uld`6L?\nkl
[Vm:%f
*6cs7y$>
27u(`*/
Fva]x`6?/
pFJOE[
An#x<mv<
Y;pztBM(
1J:Y-8Y
OcE'-8c
|ZP1+E6K/,sQa
[:(l8tKhP
lmX@'%M
` Wlt,1&#
sprintf
D$(USD$
HeapAlloc
GetWindowDC
GlobalAlloc
DeleteDC
Z\5ax3Hp#Vd9KZp
"" f^M8$;R
4aEyli,kl}Y9d@
c/?Uan_
Dyli{5"$+
K68@x>
jF7<bQ
uXxw@dt"{X
,6hE;9'Ti*
,xh -Wd$0
Shqt$(,
b`h!GmD$
`-jADVAPI32.dll
7pDDPBRf
J/=9ATM
X({Py@L,2
X]RY"nLL+
R/GhL=a5BU
^mOhyC{
Vag#=`K
!}J{gm
B7* X9
U(::m0
Cu`eag!W3$#|WA
VTm*0|
5;2R@'1
ALhb|WUu
'0h~|7D$(hEh
md$8 0
LoadLibraryA
Qmq]Id
0R9RD
au-H:.p&
6K( mo7uqY
&3q@Mqu
,qr{"c8
%qnqJGT
yU])Q[Nq
1@ql:*qet>aD{q]&
,oq2N9.q~8
NiqQO}
AvqEsq-@
j/]q/l
>eJuoUWqM7
{XUl;yqm
jQg4~qUv
=p"_@>a
~~*q6"qd
}0Yli1EwAqJ4{
Ae0&ut:
u`Uq&Qs
WdW5:n6q#*~f
Hemalb
cq&(;qA^etEq9i}<Uz
2qfR.C
Ie#iyM
Ym{u%4n}gqH;!q
qW&']:q
eS"Jzq9I&]q2 caXfeq9i.\tL
fFp#$U}.ny2Z4
imq?#4$d$
a`$$d$(D$
OpenProcess
4$4$`-
SHELL32.dll
D$,f,$Wd$4
UkP'/z
uV=7`)4C5
,'hgeS
\DPmxI@
TmS*F@u
]CDxw@QniW`5
.3Td$
$Vd$$\
LocalAlloc
-(+Mh_`
M)WP+.`K-1
MA8M.<y^-M
PO+`(K)
yM|@imI
JM`V?_wNM+>L
^_LoNM
@ *mf_-Acg
1hk?t| loT$6sPP
X Su4T
8^G\@I
EWj$NR
Txe<lSS$
=-J= m
pE$X/q
.> qF=
UO~qLTf(q.H
asBgx1
-_Qu7L
Zq1U-q]
[DN/re
oou9BIm80
Q\Ia]axKkI
<mq5~'pl
!`gq'^.il m0}
N*5et9`sI
K|Bq9Z?-Nq
Dq@2pT
Rv"qG]0xq
{U|q"]<9(m_q 8Le,
qr4Mta
=qC`DRq:E
yI(Vq,
5sBou"
RQMU <q(Sq0- qd
tqJ*U7
7hDq<rq(f
quf6qv
kq4J5>YvqH/qLlO2{q?
q:k>gqMvPM
uqr$LIqd{D(
RAq)kW
p!mH?~f~
p+ny}q!
q #:2T5&4fea.
;ik'M9
B3GqD^RqJ
FIO]<mC,
mqO!q+3 Hq@T
Y#m2Q9
;c+q pt8GY
q^*.>q<U(V
h tm9E]L>"n
5qje&=lqM
ueyte.dT}
ooAqB2
rZYTo
nY;0_YKq
yms}f>
}{q'U 9^-
qP1}q!K
8e'u0iBEgnq\h
e]q259"
-cu=/wq:
0#Yhog["
TW{Z5ULq
jq@l{i
8mqs\$$8
wCS:k*
yKERNEL32.dll
0.`$$`d$@
hhQHJV`d$(
`4$fD$
}AE7P|N
;yIf.]+
p&*7~O
3WWCg.?p
>f4Ed$
FindNextFileW
GetComputerNameA
GetProcessHeap
Wd$H50
4$D$(fD$
`d$4l/
hVq``4$d$H.
hr)AU`d$(-
Q`t$<E
ho#d$4
$`t$ `T$<
D$$]D$
,$d$0,
$ Wd$Hq
D$$4$z
$3t$(f
t$$ft$
`t$$d$0C*
`^)Nff
l$@fD$
|$(t$(f&
T`L$(^
`Ut$(Ql$(=:!fD$$fD$
4$`d$0
vWpfD$
0hkv)B
ke`d$8&
l$<D$8d$8
`7A=5D$
zl$4h5k
TvVd$@
$`d$D$
)h,G5D$H
t$xh*fo
he13uD$
<$d$P
$hFCt$
hr>nTL$
$6t$,S4u
$#D$$f
L$$4$t$$#
t$lfh,1N
l$<h`E/
|``d$@"
\V`t$,0
hX8ld$0
D$,5L
h4#huXD$
4$|$,ff0f
t$8d$D!
1([hwt$
$4$hh&d{t$LP
4$d$8
l``d$Dj
T`L$ `t$@D
V$HmD$$]ft$
D$ EEf
yD%t5xA
;D$0$$d$
D$ ft$
:&e1*Y;(%Y;e1
>(v<445
!*k5@(%(%
;@uA4$|>*
3Y;47*
"2v<4@"
"27;2@*"2
:@r0)"
w4k535e1a
9(%|>"2
uA2v<|>w4o
)"37&f
@`\$<4$f5xA
&.[ hH<+
GP<9``d$@
t$Lf`Nf
h9\B]ff
)sfD$<
D$44$f
PUPd$L
D$0fD$,
-Y`4$t$HE
t$\fD$
l$(]Nf)
`T$(|$([
u}f1]l$
D$,3`L$
`t$8fD$
1.hOXt
fwl$@h{dW
|`Ud$(!
T4$4$h}mLd$
hR(qt$,
4m6l$,
lFt$PE
\$<,M}"
$#l$<^f
4$`d$,
<$S4$\$0f
fMqD$0f
\$,f5xA
!`d$ WD$
`4$d$,
l$4D$4f
ud$8T$
,5H5xA
D$HUME
hJU4$d$
`WL$ h
faVt$$h
GgfTD$D^fD$@
Et$D5xA
f)Ml$8
hTPt$TE
0FS0m(E\$<hbi
t$,h[<PT$4
h i|$<
fD$0f<$D$0
$ d$Dt
^`h|$+Nt$
t$,fL$
h296d$
t$Lf-tef
`f4$d$0
X`.f1fh@7^f
|`d$ 2
$<$``jFf
$;F\$,f?Iff
D$(fD$$
Qt$X]`Nf
f.fffT$
d$H>f0Y
R``t$@D
fD$(t$
$4$f5xA
$dif\$
f<$$$f
4$L2ft$
D3D$$M\$ `f
\$8ff5xA
`hF`2\$<f
$]m$?`
W,$|$8
#hs? U
VTVd$@gf
hJ,Tt$@Yt$0E
JjD$ fd`f
\$<5xA
D$<]D$4
f4$d$P
$`4$D$
$:`d$$V
`h8YhTm
$hcT$(
8h2gd$,B
6K-V%fD$<
4$t$<Rh84%T$DfD$
|$@t$@^=ft$
d$Dft$hff
U`D$,XE
t$<ENf
&4$d$H
l$<9h}h
RT$(|$(fD$
)[Q"D$
t$T],uNfL$
$ d$@T$
d$ `[\$
d$(< D$(
?|$@<$
RT$,T$
T4$|$0h]
`{t$0T^l$,f
D$(RD$
J3V337
Q0Z0\:f:C;
57788899
N04455a6q666u777
}00z11112
334 555s666)7Q89:Q;=='>`>
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.