1.8
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.74
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20190831 | 2013.8.14.323 |
| Tencent | Trojan.Win32.Klez.b | 20190831 | 1.0.0.1 |
静态指标
动态指标
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Windows\System32\Winkusv.exe |
创建一个服务
(1 个事件)
检查系统上可疑权限的本地唯一标识符
(1 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| service_name | Winkusv | service_path | C:\Windows\System32\Winkusv.exe | ||||||
文件已被 VirusTotal 上 46 个反病毒引擎识别为恶意
(46 个事件)
| ALYac | Win32.Worm.Klez.DAR |
| APEX | Malicious |
| Acronis | suspicious |
| Ad-Aware | Win32.Worm.Klez.DAR |
| AhnLab-V3 | Win32/Klez.H |
| Antiy-AVL | Worm[Email]/Win32.Klez.h |
| Avira | W32/Elkern.C |
| Bkav | W32.QuintesLTV.Trojan |
| CAT-QuickHeal | W32.Klez.H |
| ClamAV | Win.Trojan.Elkern-2 |
| Comodo | Worm.Win32.Klez.J@2ms8 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.2e25ed |
| Cyren | W32/Klez.YGJG-6647 |
| DrWeb | Win32.HLLM.Klez.4 |
| ESET-NOD32 | Win32/Klez.J |
| Emsisoft | Win32.Worm.Klez.DAR (B) |
| FireEye | Generic.mg.44da99d2e25ed4a5 |
| Fortinet | W32/Klez.fam@mm |
| GData | Win32.Worm.Klez.H |
| Ikarus | Email-Worm.Win32.Klez.H |
| Invincea | heuristic |
| Jiangmin | I-Worm/Klez.h |
| K7AntiVirus | EmailWorm ( 000805561 ) |
| K7GW | EmailWorm ( 000805561 ) |
| Lionic | Worm.Win32.Klez.l5N7 |
| MAX | malware (ai score=89) |
| Malwarebytes | Worm.Klez |
| MicroWorld-eScan | Win32.Worm.Klez.DAR |
| Microsoft | Worm:Win32/Klez.H@mm |
| NANO-Antivirus | Trojan.Win32.Klez.csnpyr |
| Paloalto | generic.ml |
| Qihoo-360 | HEUR/QVM07.1.90D9.Malware.Gen |
| Rising | Worm.Klez!1.A1CB (CLASSIC) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Worm[Dropper] |
| SentinelOne | DFI - Malicious PE |
| Symantec | W32.Klez.H@mm |
| Tencent | Trojan.Win32.Klez.b |
| TotalDefense | Win32/Klez.H |
| Trapmine | malicious.high.ml.score |
| VBA32 | Win32.HLLW.Klez.h |
| ViRobot | I-Worm.Win32.Klez.H |
| Yandex | I-Worm.Klez.H |
| ZoneAlarm | Email-Worm.Win32.Klez.h |
| Zoner | Worm.Win32.Klez.32858 |
| eGambit | Unsafe.AI_Score_95% |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2002-04-13 09:49:44
PE Imphash
3c62127f13f538ce5d3686ca518ff247
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x0000ba4a | 0x0000c000 | 6.482973953839951 |
| .rdata | 0x0000d000 | 0x00001022 | 0x00002000 | 3.296334310418985 |
| .data | 0x0000f000 | 0x00085e6c | 0x00005000 | 5.606093851652684 |
| .rsrc | 0x00095000 | 0x00000010 | 0x00000010 | 0.0 |
Imports
Library KERNEL32.dll:
• 0x40d064 GetComputerNameA
• 0x40d068 IsDBCSLeadByte
• 0x40d06c WriteFile
• 0x40d070 ReadFile
• 0x40d074 GetTempFileNameA
• 0x40d078 MultiByteToWideChar
• 0x40d07c CopyFileA
• 0x40d080 SetFileAttributesA
• 0x40d084 FindClose
• 0x40d088 FindNextFileA
• 0x40d08c FindFirstFileA
• 0x40d090 SetEndOfFile
• 0x40d094 LocalAlloc
• 0x40d098 GetTempPathA
• 0x40d09c DeleteFileA
• 0x40d0a0 WideCharToMultiByte
• 0x40d0a4 CreateProcessA
• 0x40d0a8 GetSystemDirectoryA
• 0x40d0ac GetCurrentProcess
• 0x40d0b0 SystemTimeToFileTime
• 0x40d0b4 GetSystemTime
• 0x40d0b8 GetVersionExA
• 0x40d0bc GetVersion
• 0x40d0c0 WaitForSingleObject
• 0x40d0c4 GetCommandLineA
• 0x40d0c8 ExpandEnvironmentStringsA
• 0x40d0cc GetDriveTypeA
• 0x40d0d0 CreateThread
• 0x40d0d4 GetCurrentProcessId
• 0x40d0d8 GetLocalTime
• 0x40d0dc LocalFree
• 0x40d0e0 GetLastError
• 0x40d0e4 SetFilePointer
• 0x40d0e8 GetFileTime
• 0x40d0ec GetFileSize
• 0x40d0f0 FreeLibrary
• 0x40d0f4 LoadLibraryA
• 0x40d0f8 UnmapViewOfFile
• 0x40d0fc CreateFileA
• 0x40d100 Process32First
• 0x40d104 CreateFileMappingA
• 0x40d108 MapViewOfFile
• 0x40d10c CreateToolhelp32Snapshot
• 0x40d110 Process32Next
• 0x40d114 GetModuleFileNameA
• 0x40d118 ReadProcessMemory
• 0x40d11c Module32First
• 0x40d120 OpenProcess
• 0x40d124 CloseHandle
• 0x40d128 TerminateProcess
• 0x40d12c Sleep
• 0x40d130 SetFileTime
• 0x40d134 GetTickCount
• 0x40d138 GetProcAddress
• 0x40d13c LCMapStringW
• 0x40d140 LCMapStringA
• 0x40d144 FlushFileBuffers
• 0x40d148 SetStdHandle
• 0x40d14c HeapReAlloc
• 0x40d150 VirtualAlloc
• 0x40d154 GetStringTypeW
• 0x40d158 GetStringTypeA
• 0x40d15c RtlUnwind
• 0x40d160 VirtualFree
• 0x40d164 HeapCreate
• 0x40d168 HeapDestroy
• 0x40d16c GetFileType
• 0x40d170 GetStdHandle
• 0x40d174 GetModuleHandleA
• 0x40d178 GetStartupInfoA
• 0x40d17c ExitProcess
• 0x40d180 GetCPInfo
• 0x40d184 GetACP
• 0x40d188 GetOEMCP
• 0x40d18c SetHandleCount
• 0x40d190 HeapFree
• 0x40d194 HeapAlloc
• 0x40d198 UnhandledExceptionFilter
• 0x40d19c FreeEnvironmentStringsA
• 0x40d1a0 FreeEnvironmentStringsW
• 0x40d1a4 GetEnvironmentStrings
• 0x40d1a8 GetEnvironmentStringsW
Library ADVAPI32.dll:
• 0x40d000 OpenSCManagerA
• 0x40d004 StartServiceCtrlDispatcherA
• 0x40d008 LookupPrivilegeValueA
• 0x40d00c AdjustTokenPrivileges
• 0x40d010 RegSetValueExA
• 0x40d014 RegQueryValueExA
• 0x40d018 RegCreateKeyA
• 0x40d01c RegConnectRegistryA
• 0x40d020 OpenProcessToken
• 0x40d024 StartServiceA
• 0x40d028 AllocateAndInitializeSid
• 0x40d02c EqualSid
• 0x40d030 GetTokenInformation
• 0x40d034 RegisterServiceCtrlHandlerA
• 0x40d038 OpenServiceA
• 0x40d03c FreeSid
• 0x40d040 CloseServiceHandle
• 0x40d044 RegEnumValueA
• 0x40d048 CreateServiceA
• 0x40d04c RegOpenKeyA
• 0x40d050 RegEnumKeyA
• 0x40d054 RegDeleteValueA
• 0x40d058 SetServiceStatus
• 0x40d05c RegCloseKey
Library WS2_32.dll:
• 0x40d1c0 gethostbyname
• 0x40d1c4 closesocket
• 0x40d1c8 WSACleanup
• 0x40d1cc recv
• 0x40d1d0 send
• 0x40d1d4 htons
• 0x40d1d8 connect
• 0x40d1dc WSAGetLastError
• 0x40d1e0 WSAStartup
• 0x40d1e4 socket
L!This program cannot be run in DOS mode.
`.rdata
@.data
EM====}f
3Y9}~_WSh"
G;}|Eiu
YE3PPEPESPuPuuu
YY~`SWH!
YPV^UD
SVWj_^3Sh
SPSSP>b
S]339]~NVh
u%EH;u
F;u|;u
uUQQSVWj
t5Wj j
WWWSW6
#WWWuP
_^SVt$
MPEP32
YYfMf9M~
WP3PFdP]i!
YP;u/S+
YYPSWhT
YYPWhT
YYP0P\
EPhPSW
YYP0PN[
dS\$lUV
D$ PCdj
D$<PUYT
_^][dUh
DCdPWS
_^[Uh@@
YY]U0SVW
EtMQuPj
EtQMQuPj
t:EPSSSSSSSj
EPSSSSSSSj
E_^[U-
YYtVPN
YYpPtPM
YtYSPxP
4PtP,
SSSStSPSj
xSPxPW
SS|WPE
tSPS|SPtL
|PtPPu
X_^[UE
YYv%WSAH
^[SVt$
XrUWh@
u@EPh@
UQSVWu
UQSVWu
XUQQSVW}
F<.uE}
UQSVWu
X_^[Vt$
|_^Vt$
_^UQS]
PSZ+V_J
VS)YYPu
F;|3O;3~ j
X_^[VW3j
VWME~3E
VWME~3E
X_^[SVW3W
Y0_^[S\$
G;Y|j
X_^[VW@
;Y|3_^j
Yu5VkK
X_^[Vt$
P@YuP]
3PGYtYE
MT3UU
C@8@u_t
X]UQS]
}f ~4~}/
|3_^[j
SVW3PWWWu
;~ WVPP
t'G;|h
YcY_^[
UV3WVj j
3_^]USWj
YY^j t$
YYt[h@
YYtZh@
_3^UQ}
SVW|*j u
X_^[Vj
jHuVSM
Yt$SPSSh6I
MEM<.u
}ECEE;E
0S`YuE
S3VM]Ej
P;}GM+Qh
M _^[UQQE
3sEuPPEPEj
UTV3jDEVP.
PEPVVVVVVu
MZE_^[U
DMQhJI@
gEPh3I
\uRSh@
VVPVP*,
#3^US]
WSVYYtP
QtAt;r@
(G;r;r
3_^[]USVu
X_^[]3U<VM"M
YEYVPu
;MwGPVW,
CPMy3_Mn9u[t E;Es
SVMv3EVPu
Y_^[UQE
BBNuM^M
3EVPMu
t;uWYYt"|8X
Eu}QRS3I33
f5 fu33Ou[
fZYEE_^[UP
fe3SSY3j
Yf)Uf}<r
MfEED
MfE2M f39]
Sj WSj
ESPWPu
X_^[UQ
EEEEPPEj
V3WVj j
VZj<3YVfUIY3Yj
Yf)Uf9u
MfMV(Y3j
Yf)Uf9u
YfUVY3j
Yf)Uf9u
MfMEPEP
EPEPEPW
3VWh7I
SVW/(j
^[MP^_SUVWj
WYYPUj
yYYPUj
W<YYPU
_^][UL
SVESPSSW
EPWYEYj WSWP
EPWYYu
PY3_^[U(
53T,uVPV
~(WVPPPk
|9]t)j
VY;|5Vh6I
Y}6Vh7I
SPSSP5
X[VW|$
WYYt%hm
3Vh'^@
P_YSSPPP
OYYPhR
A;|H;|
EP;dVh1I
EPTFdP
t$(3|$ V
WVNY;YD$
~3SVYYPWVYYPBYYt
}.SVYYPWVYYPYYt
SUVWD$
VYYPD$ PW;
t'Uh1I
VYYPD$ PW
PYuZSPP
YYP8Po
MYYE]VSPF
(u;UUu
]\PPW3h4@
fEY3}f(A
}E3f3E
;t%EPEP
ESPE}P}
Yj"PjV5x@
XPEjPj
Ej4EPEjPj
;u`9}u[j
z8E9}uuj
ESPdPEPu
P#YYWh
SY#PP0
WSPSPP
SMY#PP6P
SUVWD$
j VSD$
RV(V|Yj'V9
tEVWh4I
SVYY_9
SSSSSSSVSj
SWWPD$D
SW"Y;YE
pPPSk3
wYYPhR
YYEVPh
u PuVP
UQSV5@
WE3PWWh
EPWWhm@
EPWWhf`@
EPWWhq@
EPWWho@
EPWSho@
|L_^[U
EEEEEEPE
Yu7=8I
3;Y]uuu
]Yv.M;1s
0FE39Q
tAt2t$
}tL;rH}
tD+E;s
_^[UQ=<9I
[UQ=<9I
;^}%95
PW5<9I
_^[U E
r)$H}@
DDDDDDDDDDDDDD
DDDDDDDDDDDDDD
8t3^[_C
^[_UWVSM
[^_Ujh@@
Y;58LI
90tr0B=
j@3Y`MI
@j@3Y`MI
@;vAA9
Wj@Y3`MI
EVP58LI
t7SWU
BBBu_[j
VPVPV5dNI
@AA;rI3
_]UjhX@
SVWe39=09I
"WWShL@
M]9}tfSuu
tMWWSuu
Mu;tVSuuu
It.ht lt
HHtpHHtl
YAE t!E@E
t;ERPWVEUo!
~;E]xf
CPEPC
YY~2MQu
E_^[y@
KVW~&|$
Yu3Vt$
;t6MWEWP%
FPWY>%
>t^*t2FtTIt
Lu7EE~
3 nut(ct
YE39Et
ufEMt\EWM
Yx]t/Xt*xE
<]t_G<-uAt=
]t6G:s
uMWuuS
FudE\MWP
xt?pt:=
W>YYu_^
B8t6t8t't
4I4@,A
YtF>"u
< v^S39
PY;5|9I
8 t9UWYE?=t"U;Y
8 u]5 9I
[UQQS39
EPEPSSWM
@YEPEPE
@"t)t%
F8"uF@C
@C8"u,
VW333;u3
SS@SSPVSSD$4
;t2U;YD$
t#SSUPt$$VSS
;t<8 t
3_^][YY
DSUVWh
_^][D3j
XUSVWUj
t.;t$$t(4v
VC20XC00U
]_^[]UL$
PYY\WP\@Y<v)\P{\;j
P]`WP``h@
P6YP6j
3;u>EPj
EPVhL@
E;tc]<
e33M;t)uVu
GIt%t)
Gt/KuD$
GKu[^D$
j?UIZ;
r;]uy;
;uY;]s
pD#U#ue
j #M_|
]#\D\D
VW3;u0DP
X3USVu
3 33Vt$
;tg58@
_^[3L$
t78t2=
SYu+Vj
_^[3VWj
|_^Vt$
3^SVt$
>+~&WPv
YSVW33395
W;5 LI
_^[Vt$
t%PbYP
SUVW|$
tiWYt<
_^][Vt$
VP ;t8W;YEt*j
Y_^[UWVSM
uCAZ I
Iu38tKrD@33
t FGQPS
[^_UWVSu
F'G8t,A<
F G8tPS=
[^_UQ<9I
;YEt*j
`h````
ppxxxx
(null)
runtime error
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
FreeLibrary
GetProcAddress
LoadLibraryA
CloseHandle
TerminateProcess
ReadProcessMemory
OpenProcess
Module32First
CreateToolhelp32Snapshot
GetModuleFileNameA
Process32Next
Process32First
MapViewOfFile
CreateFileMappingA
GetFileSize
CreateFileA
UnmapViewOfFile
GetLocalTime
GetLastError
LocalFree
LocalAlloc
GetCurrentProcessId
WideCharToMultiByte
MultiByteToWideChar
GetComputerNameA
CopyFileA
IsDBCSLeadByte
WriteFile
ReadFile
GetTempFileNameA
GetTempPathA
DeleteFileA
SetFileAttributesA
FindClose
FindNextFileA
FindFirstFileA
SetEndOfFile
SetFilePointer
GetFileTime
SetFileTime
GetTickCount
CreateProcessA
GetSystemDirectoryA
GetCurrentProcess
SystemTimeToFileTime
GetSystemTime
GetVersionExA
GetVersion
WaitForSingleObject
GetCommandLineA
ExpandEnvironmentStringsA
GetDriveTypeA
CreateThread
KERNEL32.dll
RegCloseKey
RegEnumKeyA
RegOpenKeyA
RegDeleteValueA
RegEnumValueA
CloseServiceHandle
CreateServiceA
OpenSCManagerA
StartServiceCtrlDispatcherA
SetServiceStatus
OpenServiceA
RegisterServiceCtrlHandlerA
FreeSid
EqualSid
AllocateAndInitializeSid
GetTokenInformation
OpenProcessToken
RegConnectRegistryA
StartServiceA
RegQueryValueExA
RegSetValueExA
RegCreateKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
ADVAPI32.dll
WS2_32.dll
WNetCloseEnum
WNetEnumResourceA
WNetOpenEnumA
MPR.dll
GetModuleHandleA
GetStartupInfoA
ExitProcess
GetCPInfo
GetACP
GetOEMCP
LCMapStringA
LCMapStringW
HeapFree
HeapAlloc
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
HeapDestroy
HeapCreate
VirtualFree
RtlUnwind
GetStringTypeA
GetStringTypeW
VirtualAlloc
HeapReAlloc
SetStdHandle
FlushFileBuffers
HELO %s
MAIL FROM: <
RCPT TO:<
.,()%$@!`~
Aoo3o3iiQCQAY][oo3oo3iio3oo3oo3o3
ioo3o3o3oo3oo3oo3ooo3
o3o3ooo3
o3oo3oo3SWQYo3[iWSSQWo3ooo3QQWYo3o3ioo3o3o3oo3o3
oo3ooo3ioo3o3oo3o3
oo3io3oo3Sooo3io3ooo3iiiio3ioo3io3oo3_USoooo3
ooo3AAo3ooo3o3oo3ooo3ooo3
ioo3o3iioo3
o3o3o3
o3ioo3AUoo3
o3ioio3
oo3o3Qoooo3oo3
oo3oo3oooo3
oo3QooQWo3o3ioo3
oo3ooo3o3oo3ooo3
oo3ooo3o3oo3Wo3o3
ioo3ooo3Wo3
o3oo3SASWYQCCU]
ooooQ3
o3ooo3
o3ooo3UWoo3
ooo3oo3
oooo3iio3
oo3oo3
oo3ioo3oo3
oo3ooo3o3o3o3oo3iooo3SCo3o3o3ooo3ooo3o3o3ooo3
ooo3ooo3
io3o3o3i
o3ooo3
ooo3oo3o3o3oo3o3io3Woo3ooo3o3o3Woioo3ooo3ooo3
ooo3o3o3ooo3oo3o3io3oooo3o3oo3
o3QQSQooo3o3oo3ooo3
oo3WSo33o33o33333Gs
o3o3o3333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333C3o3o3o3o3333333333333o3o3o3o3o3o3o3o3o3o3o3o3o3o3o3oU3o33
[ss33s
33333333k3k3G3G3siiwyw3siiwyw33333sysys3sysys3sysys3sysys3yss333333333333333
3s_oS3UWos3UWoo33ss3}ss33sssks3s33s3ss3sss3sss3ss3s333q3sss3ksss3sss3s}ss3s}ss333333i3333333Gs3Gs3Gs333sss}ssssyG3s3s3ssss3ssssy3sssyssssy3sssACmmWSSSmo3sso3s3s3Gmm3o3o3sskss3ss3sysssyso33333333s3s}s33s}s3s333s}333333s3ss33KO)'3)'3333333iGsQoS)'iGsmE)'!I3iGsmE)'iiGsi)')'KOKOKmOKOy)'KO33KmOKmOKmO333iGsyE)'!Iy)'iiGs_[)'iGsKyO3333333333mi3mi3mi333333333)'KsIUGysIUSsIUSO)'KmO3sssssoKO)'}ssso33
3333o3UW33UW33UW3UW33333UW3UW33UW3333UW333UW33333AY3UW3UW3i3iAY3UW33AY3AY3AC3AC33UW33i3AY3iAY3AY3AY333WSSS33333333333333333333333io3o3o3o3o3o3o3o3o3o3333333o3UWo3UWo3o33333333UC]C3UC]C3ss33333i3i333s3s33i33s3i3sUWs333
333333333333333ysKyO3SQWU[Y_]CAem3333333333333333q
33)333333333o33o3
3333333333333333ioo3o3o3o33
3s3ss33sos33osssssisso}ssssssoKO)'sssssssiiskssss}ssssoKO)'ssssssssssoKO)'ssssssskssssssssoKO)'GssssssssssssskssssssssoKO)'sksskss}}oKO)'ssssksKsIUGyOssKmOo33333333)'UWssWoSQs
sUWssQoS)'sWSSWkss)'ssWoSQG)'!QkssssssssskUWs)'!Wkssossosso)'sUWsscssska)'!QkssUWssssAmWmm)'!Wksssosq)'!Ukssoss)'![ksskssssosssssssssssss)'3
L!This program must be run under Win32
.idata
.reloc
3QTQQPQQw
Pt uU+U+
V^FfFj
ff3fa1-x
Q-1-1pdtwa
mI.a!2"
U0so%:E%XDS
L1-1-iqau
`oa -1-f
."9fI12
9.ry)kthcGw
wKERNEL32
DwLw+wzeww{w
wwrwTw
wKw$w#w
ewb_wtKw
w/wsfc.dll
)vMPR.dll
uUSER32.d;
P3d0d W@P
PWDVj"j
SPLQTt$
au*M+`
+QWSjt<@j
>Rar!t
X(^:`+z
a@(xV4
+|$ +z
KERNEL32.dll
ExitProcess
84$4XP
SPPHD3d
`QTj@h
`QTQPSW.Y
V3d6d&]Vs`
=userXu
ut']jHYut
|^fVdg
\explorer
XPWPHa
Q3f;MZu C<
N+XNgR
N*aaZ*
P/gk WdP/
fX/*P/*$6n
avfAv"m
QAD4./#
EVWY#[I#[Y#Q}#\
j/j(}}Sl+meqy!
Yw+wnE\
]w<w$%
`d+u]q83d+
]8s`%`)
`+.f/qT-
]dZ<s-d1`/d0j3d3q4k2ank-v.k/`.k.f5kn7.d+r4v>d3cpv)cpu/e
j!1y!!UZ
q^UUx]
]oI[f/
WS'@WZ
oY\aD/
aW23I_I
tem32\dllcac
_ufa$6
D*$$y=={
K`0GP,=E
{{s^>1
hEO{{C
1"-q*C1%&|{
bEO{{C
%s%08d
fffffff
ffffffff
ffffff
fffffff
ffffffff
ffffff`
ffffff
ffffff
pfffff
ffffgxx
+ffgxx
+ffgxx
ffffhxx
ffffhwx
s0fffb
4ffhwwx7ffhwww
fhwwx7ffhwww
wwxHff
ff+fff
wwf`4d;fffff`fffffffff`ww`wwffff`fffffffff`ww`wwf`3fffff`ffffffffff
fffff`ffffffffff
ffffff
fffffffffffffffffffffff
ffffffffffffffffffffd+
ffffff
fffffffffffffff
ffffffffffffffff`
fffffffvfffff
fffffffffffffff
ffffffffffffffff`
ffffffffffffff
ffffffffffff
fffffffffffff
ffffffffffffff`
fffffffffff
fffffffffffff
ffffffffffffff`
ffffffffffff`30fffffffffff
fffffffffff
ffffffffffff`
fffffffff
fffffffffff
ffffffffffff`
fffffffffff
fffffffff
fffffffff
ffffffffff`
fffffff
fffffffff
ffffffffff`
ffffffffff
fffffffff
fffffff
ffffffffff`
fffffff
fffffff
ffffffffff`
ffffffffff
ffffffff`
fffff`
ffffffff`
fffff`
fffff`
ffffffff`
fffffffff`pfffffffff`www
ffff`www
fffffff`
ffff`www
ffff`www
fffffff`
fffffffff
fffffffff`wx
ffff`wx
ffffff`
fff`wx
ffff`wx
ffffff`
fffffffffffffffffff`w
ffff`w
fffff`
ffff`w
fffff`
fffffff
fffffffff`wx
ffff`wx
fffff`
ffff`wx
fffff`
ffffff`30fffffffff`wwx
ffff`wwx
ff`wwx
ffff`wwx
ffffff
ffffffff`wwwx
ffff`wwwx
ff`wwwx
ffff`wwwx
ffffff
ffffffff`www
ffff`www
xff`www
{sffff`www
x0ffffff
ffffffff`www
ffff`www
???ffff`ww
0ffffff
0ffffffff`wx
ffff`wx
xpff`wp
ffff`wp
{0ffffff`s
fffffff`wx
ffff`wx
ff`wx;ffff`wx;ff
ffffff`3
ffffff`ww
ffff`ww
;8ffff`ww
fffffff
fffff`wwww
@�@�@�@�@�@�@�
e�e�e�e�e�e�
(�n�u�l�l�)�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
S�A�P� �L�o�g�o�n�
M�S� �S�a�n�s� �S�e�r�i�f�
S�y�s�L�i�s�t�V�i�e�w�3�2�
&�A�n�m�e�l�d�e�n�
W�&�e�b�g�u�i� �l�o�g�o�n�
&�S�e�r�v�e�r�.�.�.�
&�G�r�u�p�p�e�n�.�.�.�
&�N�e�u�.�.�.�
&�E�i�g�e�n�s�c�h�a�f�t�e�n�
Process Tree
- 0dca2b8506d425eec9fc7b8bf58f098b04470c4e3161d297e1d4c146b6cfb9e0.exe (1932) "C:\Users\Administrator\AppData\Local\Temp\0dca2b8506d425eec9fc7b8bf58f098b04470c4e3161d297e1d4c146b6cfb9e0.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | f2a1645d02e47d6f_winkusv.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\Winkusv.exe |
| Size | 94.0KB |
| Processes | 1932 (0dca2b8506d425eec9fc7b8bf58f098b04470c4e3161d297e1d4c146b6cfb9e0.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 6074c3ae0f28cbb9b4d80ddf166c3876 |
| SHA1 | 8b778594068d0f19a220dced6bab5d5a57973ad2 |
| SHA256 | f2a1645d02e47d6f7ce1c4af82e0b8d9785bee231984324503607aef1fd7e118 |
| CRC32 | 634C92C3 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.