1.0
Low risk

2100700b4cbfbbe81ffa8aa558d74d16a0c6ef4dea398312e0148c3ab756974f

2100700b4cbfbbe81ffa8aa558d74d16a0c6ef4dea398312e0148c3ab756974f.exe

Analysis time

194s

Last analyzed

360 days ago

File size

167.1KB
Static detection Dynamic detection CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN BACKDOOR URELAS
Eagle Eye engine
DACN 0.12
FACILE 1.00
IMCLNet 0.80
MFGraph 0.00
Static verdict
Anti-virus engines
Engine Result Scan date Engine version
Alibaba None 20190527 0.3.0.5
Avast Win32:Dropper-NZI [Drp] 20200510 18.4.3895.0
Baidu Win32.Trojan.Urelas.b 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Kingsoft None 20200510 2013.8.14.323
McAfee PWS-FBQQ!36F191048295 20200510 6.0.6.653
Tencent Malware.Win32.Gencirc.10b2d634 20200510 1.0.0.1
Behavioral verdict
Dynamic indicators
Network communication
Communicates with hosts for which no DNS query was performed (2 events)
host 114.114.114.114
host 8.8.8.8
File identified as malicious by 59 anti-virus engines on VirusTotal (50 out of 59 events)
ALYac Gen:Variant.Strictor.218545
APEX Malicious
AVG Win32:Dropper-NZI [Drp]
Acronis suspicious
Ad-Aware Gen:Variant.Strictor.218545
AhnLab-V3 Malware/Win32.Generic.C2694077
Antiy-AVL Trojan[Backdoor]/Win32.AGeneric
Arcabit Trojan.Strictor.D355B1
Avast Win32:Dropper-NZI [Drp]
Avira BDS/Backdoor.Gen7
Baidu Win32.Trojan.Urelas.b
BitDefender Gen:Variant.Strictor.218545
BitDefenderTheta Gen:NN.ZexaF.34108.kyX@aSaR5Ffi
Bkav W32.AIDetectVM.malware
ClamAV Win.Malware.Urelas-6717394-0
Comodo TrojWare.Win32.Urelas.SH@5674sp
CrowdStrike win/malicious_confidence_100% (D)
Cybereason malicious.482955
Cylance Unsafe
Cyren W32/Urelas.T.gen!Eldorado
DrWeb BackDoor.Golf.198
ESET-NOD32 a variant of Win32/Urelas.U
Emsisoft Gen:Variant.Strictor.218545 (B)
Endgame malicious (high confidence)
F-Prot W32/Urelas.T.gen!Eldorado
F-Secure Backdoor.BDS/Backdoor.Gen7
FireEye Generic.mg.36f191048295554b
Fortinet W32/Urelas.U!tr
GData Gen:Variant.Strictor.218545
Ikarus Trojan.Win32.Beaugrit
Invincea heuristic
Jiangmin Trojan/GenericCryptor.bt
K7AntiVirus Backdoor ( 0053e8561 )
K7GW Trojan ( 004b901e1 )
Kaspersky HEUR:Backdoor.Win32.Generic
MAX malware (ai score=80)
MaxSecure Trojan.Malware.121218.susgen
McAfee PWS-FBQQ!36F191048295
McAfee-GW-Edition BehavesLike.Win32.Generic.cm
MicroWorld-eScan Gen:Variant.Strictor.218545
Microsoft Trojan:Win32/Urelas.AA
NANO-Antivirus Trojan.Win32.Golf.ffqyhp
Panda Trj/Genetic.gen
Qihoo-360 HEUR/QVM10.1.2020.Malware.Gen
Rising Backdoor.Generic!8.CE (TFE:dGZlOgUDIhs9qzooTg)
SUPERAntiSpyware Trojan.Agent/Gen-Urelas
Sangfor Malware
SentinelOne DFI - Malicious PE
Sophos Troj/Urelas-Q
Symantec ML.Attribute.HighConfidence
Visual analysis
Binary image
(Binary image renderings at 288x288, 224x224, 192x192, 160x160, 128x128, 96x96, 64x64 and 32x32; images not reproduced here)
Run screenshots
No run screenshots: no screenshot was generated while the sample was running


PE Compile Time

2014-07-12 13:11:09

PE Imphash

afd0acd5e00a1184feabd9241e36c59e

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00012000 0x00011800 6.549946056154583
.rdata 0x00013000 0x00004000 0x00003400 5.054481589488882
.data 0x00017000 0x00004000 0x00001200 2.185503737097146
.rsrc 0x0001b000 0x0000c000 0x0000be00 2.5998660677893524
.reloc 0x00027000 0x00002000 0x00000e00 6.648595753986802
VJHSGDHI 0x00029000 0x00007000 0x00006600 4.469992865343719

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000266c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_STRING 0x00026b30 0x0000004c LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x00026bf4 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x00026bf4 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MANIFEST 0x0002f026 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

Library KERNEL32.dll:
0x413020 GetSystemDirectoryW
0x413024 DeleteFileW
0x413028 GetModuleFileNameW
0x41302c GetTickCount
0x413030 GetVersionExW
0x413034 ReadFile
0x413038 CreateFileW
0x41303c DeviceIoControl
0x413040 GetTempPathA
0x413044 GetModuleFileNameA
0x413048 HeapAlloc
0x41304c GetProcessHeap
0x413050 HeapFree
0x413054 MultiByteToWideChar
0x413058 SetEndOfFile
0x41305c GetLocaleInfoA
0x413060 GetFileAttributesW
0x413064 GetStringTypeW
0x413068 GetStringTypeA
0x41306c LCMapStringW
0x413070 LCMapStringA
0x413074 HeapSize
0x413078 CreateFileA
0x41307c CreateThread
0x413080 CreateEventW
0x413084 CloseHandle
0x413088 OpenEventW
0x41308c GetTempPathW
0x413090 LoadLibraryA
0x413094 WriteConsoleW
0x413098 GetConsoleOutputCP
0x41309c WriteConsoleA
0x4130a0 FlushFileBuffers
0x4130a4 SetStdHandle
0x4130ac IsValidCodePage
0x4130b0 GetOEMCP
0x4130b4 GetACP
0x4130b8 GetCPInfo
0x4130bc RaiseException
0x4130c0 SetFilePointer
0x4130c4 ExitProcess
0x4130c8 Sleep
0x4130cc GetStartupInfoW
0x4130d0 GetLastError
0x4130d4 TerminateProcess
0x4130d8 GetCurrentProcess
0x4130e4 IsDebuggerPresent
0x4130f0 RtlUnwind
0x4130f4 WriteFile
0x4130f8 WideCharToMultiByte
0x4130fc GetConsoleCP
0x413100 GetConsoleMode
0x413104 GetModuleHandleW
0x413108 GetProcAddress
0x41310c GetStdHandle
0x413118 GetCommandLineW
0x41311c SetHandleCount
0x413120 GetFileType
0x413124 GetStartupInfoA
0x41312c TlsGetValue
0x413130 TlsAlloc
0x413134 TlsSetValue
0x413138 TlsFree
0x413140 SetLastError
0x413144 GetCurrentThreadId
0x41314c HeapCreate
0x413150 VirtualFree
0x413158 GetCurrentProcessId
0x413160 VirtualAlloc
0x413164 HeapReAlloc
Library USER32.dll:
0x413178 LoadIconW
0x41317c RegisterClassExW
0x413180 CreateWindowExW
0x413184 DefWindowProcW
0x413188 BeginPaint
0x41318c LoadAcceleratorsW
0x413190 LoadStringW
0x413194 LoadCursorW
0x413198 wsprintfW
0x41319c PostQuitMessage
0x4131a0 EndPaint
Library ADVAPI32.dll:
0x413000 RegQueryValueExW
0x413004 RegSetValueExW
0x413008 RegCloseKey
0x41300c RegOpenKeyExW
Library SHELL32.dll:
0x41316c ShellExecuteA
0x413170 ShellExecuteW
Library WS2_32.dll:
0x4131a8 WSAStartup
0x4131ac htonl
0x4131b0 gethostbyaddr
0x4131b4 socket
0x4131b8 gethostbyname
0x4131bc inet_addr
0x4131c0 htons
0x4131c4 connect
0x4131c8 closesocket
0x4131cc send
0x4131d0 recv
0x4131d4 WSAGetLastError
Library IPHLPAPI.DLL:

Strings

L!This program cannot be run in DOS mode.
bad allocation
CorExitProcess
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
UTF-16LE
UNICODE
Unknown exception
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
CONOUT$
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
112.175.88.209
sanfdr.bat
:Repeat
if exist "
" goto Repeat
rmdir "
%d.%d.%d.%d
112.175.88.208
112.175.88.209
112.175.88.209
ExitProcess
GetTempPathW
OpenEventW
CloseHandle
CreateEventW
CreateThread
GetFileAttributesW
GetSystemWindowsDirectoryW
GetSystemDirectoryW
DeleteFileW
GetModuleFileNameW
GetTickCount
GetVersionExW
ReadFile
CreateFileW
DeviceIoControl
GetTempPathA
GetModuleFileNameA
HeapAlloc
GetProcessHeap
HeapFree
MultiByteToWideChar
KERNEL32.dll
LoadStringW
LoadAcceleratorsW
LoadIconW
LoadCursorW
RegisterClassExW
CreateWindowExW
DefWindowProcW
BeginPaint
EndPaint
PostQuitMessage
wsprintfW
USER32.dll
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegSetValueExW
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
SHELL32.dll
WS2_32.dll
GetAdaptersAddresses
IPHLPAPI.DLL
GetStartupInfoW
GetLastError
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EnterCriticalSection
LeaveCriticalSection
RtlUnwind
WriteFile
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
GetModuleHandleW
GetProcAddress
GetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
VirtualAlloc
HeapReAlloc
SetFilePointer
RaiseException
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
InitializeCriticalSectionAndSpinCount
SetStdHandle
FlushFileBuffers
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
LoadLibraryA
CreateFileA
HeapSize
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetEndOfFile
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
218.54.31.226
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
KERNEL32.DLL
GetModuleHandleA
GetProcAddress
VirtualAlloc
VirtualFree
VirtualProtect
USER32.dll
EndPaint
ADVAPI32.dll
RegCloseKey
SHELL32.dll
ShellExecuteA
WS2_32.dll
IPHLPAPI.DLL
GetAdaptersAddresses
UTF-16LE
UNICODE
mscoree.dll
KERNEL32.DLL
(null)
tmp5fdr.exe
112.175.88.207
112.175.88.208
dosret
Software\Microsoft\Windows NT\CurrentVersion\Windows
TrayKey
%s.exe
\Hangame\KOREAN\HanUninstall.exe
\NEOWIZ\PMang\common\PMLauncher.exe
\Netmarble\Common\NetMarbleEndWeb.exe
\Program Files\AhnLab\V3Lite30\V3Lite.exe
\Program Files\ESTsoft\ALYac\AYLaunch.exe
\Program Files\naver\NaverAgent\NaverAgent.exe
WinSeven
WinVista
UnKnown
golfinfo.ini
golfset.ini
HGDraw.dll
%s%s.exe
\\.\%s
\\.\PHYSICALDRIVE
%d.%d.%d.%d

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 61714 8.8.8.8 53
192.168.56.101 56933 8.8.8.8 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 58485 114.114.114.114 53
192.168.56.101 58485 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.