1.1
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.63
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | DDoS:Win32/Nitol.60c4a688 | 20190527 | 0.3.0.5 |
| Avast | Win32:Nitol-B [Trj] | 20200511 | 18.4.3895.0 |
| Baidu | Win32.Trojan.ServStart.as | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200512 | 2013.8.14.323 |
| McAfee | GenericRXBM-KE!47C2BB6CB9FE | 20200511 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b076ae | 20200512 | 1.0.0.1 |
静态指标
动态指标
在 PE 资源中识别到外语
(11 个事件)
| name | RT_BITMAP | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0000bbb0 | size | 0x00000ac4 | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0000acd8 | size | 0x00000ea8 | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0000acd8 | size | 0x00000ea8 | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0000acd8 | size | 0x00000ea8 | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0000acd8 | size | 0x00000ea8 | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0000acd8 | size | 0x00000ea8 | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0000acd8 | size | 0x00000ea8 | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0000acd8 | size | 0x00000ea8 | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0000acd8 | size | 0x00000ea8 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0000bb80 | size | 0x00000030 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0000bb80 | size | 0x00000030 | ||||||||||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 64 个反病毒引擎识别为恶意
(50 out of 64 个事件)
| ALYac | Generic.ServStart.A.8CFECC82 |
| APEX | Malicious |
| AVG | Win32:Nitol-B [Trj] |
| Acronis | suspicious |
| Ad-Aware | Generic.ServStart.A.8CFECC82 |
| AhnLab-V3 | Trojan/Win32.Nitol.R205727 |
| Alibaba | DDoS:Win32/Nitol.60c4a688 |
| Antiy-AVL | Trojan/Win32.AGeneric |
| Avast | Win32:Nitol-B [Trj] |
| Avira | TR/AD.Nitol.xqfgu |
| Baidu | Win32.Trojan.ServStart.as |
| BitDefender | Generic.ServStart.A.8CFECC82 |
| BitDefenderTheta | Gen:NN.ZexaF.34108.fq2@aymhmJej |
| Bkav | W32.AIDetectVM.malware |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Trojan.Nitol-6335025-0 |
| Comodo | TrojWare.Win32.GameThief.Magania.~NWABI@1775fs |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.cb9fe2 |
| Cylance | Unsafe |
| Cyren | W32/S-2c4445cd!Eldorado |
| DrWeb | Trojan.DownLoader24.51669 |
| ESET-NOD32 | a variant of Win32/ServStart.IK |
| Emsisoft | Generic.ServStart.A.8CFECC82 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-2c4445cd!Eldorado |
| F-Secure | Trojan.TR/AD.Nitol.xqfgu |
| FireEye | Generic.mg.47c2bb6cb9fe2ed0 |
| Fortinet | W32/Generic.AC.2D85!tr |
| GData | Generic.ServStart.A.8CFECC82 |
| Invincea | heuristic |
| Jiangmin | Trojan.Generic.bhzka |
| K7AntiVirus | Trojan ( 0054d1101 ) |
| K7GW | Trojan ( 005638631 ) |
| Kaspersky | HEUR:Trojan-DDoS.Win32.Nitol.gen |
| Lionic | Trojan.Win32.Generic.m2Bz |
| MAX | malware (ai score=80) |
| Malwarebytes | Trojan.ServStart |
| MaxSecure | Trojan.Win32.Nitol.B |
| McAfee | GenericRXBM-KE!47C2BB6CB9FE |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.nt |
| MicroWorld-eScan | Generic.ServStart.A.8CFECC82 |
| Microsoft | DDoS:Win32/Nitol.A |
| NANO-Antivirus | Trojan.Win32.GenKryptik.fnpxyy |
| Paloalto | generic.ml |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | Win32/Backdoor.Nitol.A |
| Rising | Backdoor.Overie!1.64BD (CLOUD) |
| SUPERAntiSpyware | Trojan.Agent/Gen-ServStart |
| Sangfor | Malware |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2017-05-04 21:36:19
PE Imphash
44d09e288cc76827b62dde98d4028728
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00004fbc | 0x00005000 | 6.429146570350281 |
| .rdata | 0x00006000 | 0x00000b48 | 0x00001000 | 4.054482870493587 |
| .data | 0x00007000 | 0x000014c8 | 0x00001000 | 4.933718102662037 |
| .rsrc | 0x00009000 | 0x00008230 | 0x00009000 | 3.804551947357726 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_BITMAP | 0x0000bbb0 | 0x00000ac4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_ICON | 0x0000acd8 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_ICON | 0x0000acd8 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_ICON | 0x0000acd8 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_ICON | 0x0000acd8 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_ICON | 0x0000acd8 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_ICON | 0x0000acd8 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_ICON | 0x0000acd8 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_ICON | 0x0000acd8 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_DIALOG | 0x0000ca48 | 0x000029e8 | LANG_ENGLISH | SUBLANG_ENGLISH_NZ | None |
| RT_DIALOG | 0x0000ca48 | 0x000029e8 | LANG_ENGLISH | SUBLANG_ENGLISH_NZ | None |
| RT_STRING | 0x000110e8 | 0x00000142 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0000bb80 | 0x00000030 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_GROUP_ICON | 0x0000bb80 | 0x00000030 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_VERSION | 0x0000c678 | 0x000003cc | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library MSVCRT.dll:
• 0x406074 _controlfp
• 0x406078 __set_app_type
• 0x40607c __p__fmode
• 0x406080 __p__commode
• 0x406084 _adjust_fdiv
• 0x406088 __setusermatherr
• 0x40608c _initterm
• 0x406090 __getmainargs
• 0x406094 _acmdln
• 0x406098 exit
• 0x40609c _XcptFilter
• 0x4060a0 _exit
• 0x4060a4 strncmp
• 0x4060a8 _except_handler3
• 0x4060ac strstr
• 0x4060b0 strcspn
• 0x4060b4 strncpy
• 0x4060b8 atoi
• 0x4060bc time
• 0x4060c0 srand
• 0x4060c4 rand
• 0x4060c8 realloc
• 0x4060cc free
• 0x4060d0 malloc
• 0x4060d4 sprintf
Library KERNEL32.dll:
• 0x406000 ExitProcess
• 0x406004 Sleep
• 0x406008 lstrcpyA
• 0x40600c CreateProcessA
• 0x406010 TerminateProcess
• 0x406014 ExitThread
• 0x406018 GetStartupInfoA
• 0x40601c GetModuleHandleA
• 0x406020 WaitForSingleObject
• 0x406024 CreateFileA
• 0x406028 SetFilePointer
• 0x40602c WriteFile
• 0x406030 lstrcpynA
• 0x406034 lstrlenA
• 0x406038 OpenMutexA
• 0x40603c ReleaseMutex
• 0x406040 GetComputerNameA
• 0x406044 GetCurrentProcess
• 0x406048 GetCurrentThread
• 0x40604c CloseHandle
• 0x406050 CreateThread
• 0x406054 LoadLibraryA
• 0x406058 GetProcAddress
• 0x40605c GetSystemDefaultUILanguage
• 0x406060 GetTickCount
Library SHLWAPI.dll:
• 0x4060ec SHDeleteKeyA
Library WS2_32.dll:
• 0x406100 setsockopt
• 0x406104 recv
• 0x406108 __WSAFDIsSet
• 0x40610c select
• 0x406110 WSAIoctl
• 0x406114 closesocket
• 0x406118 WSAStartup
• 0x40611c inet_ntoa
• 0x406120 htonl
• 0x406124 WSACleanup
• 0x406128 socket
• 0x40612c connect
• 0x406130 send
• 0x406134 inet_addr
• 0x406138 sendto
• 0x40613c htons
L!This program cannot be run in DOS mode.
8D,8D,8D,
,4D,J,<D,WN,3D,W@,:D,
O,:D,8E,wD,@,;D,O,<D,B,9D,Rich8D,
`.rdata
@.data
SUV5T`@
D$tPhLp@
20D$(ND$)T\$*L$8D$9D$:D$;\$<D$
L$@D$AD$BD$C3\$DD$HVD$IiD$JsD$KtD$La\$ML$ D$!8D$"T$#T$ST$,T$
D$QD$RD$
\$$D$07\$1L$PD$TRL$U\$V\$-L$
w0|$(3u
+t$h|$h
;u!8$j
PD$HSD$IP\$J
T$lD$xRT$xL$lPQShp@
PD$$MD$%HD$&z\$'
M D$XFD$\D$`rD$YiD$ZnD$[dD$]CD$^PD$_UD$aED$bD$cD$doD$e\$f|$X3+
T$pRW%
t$(S9^
D$$GD$%bD$&pD$'s\$(P-
D$,MD$-bD$.pD$/s\$0R
L$0D$,@\
QSUVt$
<=u>D$
V395x@
txHtnHtaHtTHtG
tOHt>Ht#
HHuQC@
n_^[SVW|$
3395x@
tt!5x@
Hu-`O@
WVWSMu]
_^[SVt$
WVSOu_
^[U@SVWj
Ku_^[U
SV5T`@
j Y3)hlt@
fEP]Yw@
UfEhw@
PQPPEj
SV5T`@
SEPhr@
VUVV_^[UjhPa@
|PSXSh
|Pd\SVhEj
PSpSxQuPVV
@|Pd\SxQupP
SV5T`@
SEPhq@
SEPhDs@
SEPhXs@
SEPhls@
SEPhPt@
SPj@E3Y3j@fY3}|fj@3Y
|VPEPECEOEMESEPEEEC]U
EE/PPEcE EdEeElE ]E E>E EnEuEl]U
Ej@E|EE^h
]EOEpEeEn]]]uUh
t9VuUh
SVW=T`@
VEPhls@
jL3YSh8
EuErElEmEoEnE.EdElEl]EUERELEDEoEwEnElEoEaEdETEoEFEiElEeEA]
Ht!Hu@
HHtrHH
SPEEiPEPEeExEpElEoErEeE.EeExEe]EoEpEeEn]
j@3Yj fY3fPh
j@3Yj fY3
U_^[VSh
VFjA3YEVPhw@
PESEYESETEEEME\ECEuErErEeEnEtECEoEnEtErEoElESEeEtE\ESEeErEvEiEcEeEsE\]
VgjA3YXEVPXhw@
PESEYESETEEEME\ECEuErErEeEnEtECEoEnEtErEoElESEeEtE\ESEeErEvEiEcEeEsE\]
SUV5T`@
SPhls@
SPh*.@
WWWh? @
SUV5T`@
Ht~HtDHHu0j
SV5T`@
SEPjA3Y
t$EEpu@
uuU_^3[
SV5T`@
SEPj@E3Y3ESf}
3EYESETEEEME\ECEuErErEeEnEtECEoEnEtErEoElESEeEtE\ESEeErEvEiEcEeEsE\U+
X3Ujh`a@
SVWhq@
VP3SVP3IQPP
YaPDPP
SPPjAY3
STP]h?
SSSSSPj
_^[39t
33%`@
Ujhpa@
hSVWe3
EPEPEP
0u>"u:Fu
<"u>"u
> vFuj
YY3%t`@
SUV5T`@
T$!D$"D$%T$&D$.D$2D$8D$:D$<rlx2D$
\D$ ID$ nL$#D$$nD$' D$(ET$)D$*p\$+D$,oL$-L$/D$0\D$1iT$3D$4p\$5D$6oL$7D$9.T$;D$=D$BL$
D$@PQ_^]
SUV5T`@
D$0IP$P
T$(=x@
t4-8a@
SQVOuj
SUV5T`@
L$ QfD$
SUV5T`@
D$$Ph|x@
L$0f|$ Q
1tGT$ @j|P
SUV5T`@
W3hPx@
\$4\$8\$0\$(\$,\$$
D$LD$$L$ PT$,QD$8RL$8P$
t4D$,L$0T$(D$
D$6|$UD$:h
fD$FD$Xfj
t$Pf\$@
SPD$\T$dT$
D$8fD$4
j5fD$6x@
D$TED$U
L$8fD$X3
ft$ZPD$`D$a
ft$bL$h
j5D$dfD$j
Rj fD$lft$nfD$lL$pj
L$x|$|
D$xD$p%D$p3
JBuCD$
D$}D$~
j,33L$hT$tfD$d$
fD$nD$4j
PVL$`j3QR
SUVWhpx@
3|$<D$8D
D$LfD$P
D$ RPj
D$dL$dPT$hQ$
RPh`y@
D$dRPl
SUVWhpx@
3|$<D$8D
L$Lu.|a@
T$ QRj
tNPu$T$d$
RPhtz@
PD$lRPQ$
SUV5T`@
fD$(fD$
T$(=x@
trj(p@$X
SUVWhpx@
PQhT{@
QRVVT$
SUVWhpx@
QRVVT$
_^][Ujhe@
3)f(Ph
RSj((PMQ
SUV5T`@
2.\$:L$;L$?L$A\$B43j
L$GL$HS3Sh
T$PD$Q9T$TD$U6D$V8T$X\$]fL$b
RfD$b$
Rt$ h`
@PfD$$$
5fD$*f
D$,\$0D$4PD$5
fD$6f\$8f\$:\$`D$a
t$p|$tfD$^L$\L$x
t$$|$|T$pj RF
|$xfD$<
D$xj(P
@L$DPh
t$ f\$8
t$pt$$L$\D$(D$ L$x
|$|T$pD$tj R
|$xfD$<
D$xj(P
D$PL$`j
QST$|j(RP
D$LHD$L
SUV5T`@
D$TP$t
D$HQ3j
_^]3[p
T$1T$5T$9T$=fT$AT$C=x@
D$ D$!
BRT$@h
L$TQD$(
SVWhpx@
SUV5T`@
D$(IP$
T$$-8a@
SQVOuj
SUVWhpx@
QPVVT$
_^][Q=
B8t6t8t't
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
MFC42.DLL
malloc
sprintf
realloc
strncpy
strcspn
strstr
_except_handler3
strncmp
MSVCRT.dll
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
GetTickCount
lstrcpyA
GetComputerNameA
GetSystemDefaultUILanguage
GetProcAddress
LoadLibraryA
CreateThread
CloseHandle
GetCurrentThread
GetCurrentProcess
ExitProcess
ReleaseMutex
OpenMutexA
lstrlenA
lstrcpynA
WriteFile
SetFilePointer
CreateFileA
WaitForSingleObject
GetModuleHandleA
GetStartupInfoA
KERNEL32.dll
wsprintfA
GetDesktopWindow
USER32.dll
SHChangeNotify
ShellExecuteExA
ShellExecuteA
SHELL32.dll
SHDeleteKeyA
SHLWAPI.dll
WSAIoctl
WS2_32.dll
GetIfTable
GetAdaptersInfo
iphlpapi.dll
ExitThread
TerminateProcess
CreateProcessA
RegOpenKeyExA
RegCloseKey
GetVersionExA
GetSystemInfo
GlobalMemoryStatusEx
RegQueryValueExA
KERNEL32.dll
ADVAPI32.dll
0.0.0.0
%d*%u%s
HARDWARE\DESCRIPTION\System\CentralProcessor\0
%s %s%d
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
KERNEL32.dll
ADVAPI32.dll
WS2_32.dll
CreateThread
closesocket
GetTempPathA
RegCloseKey
SetServiceStatus
RegisterServiceCtrlHandlerA
lstrcatA
OpenSCManagerA
OpenServiceA
CloseServiceHandle
CopyFileA
RegSetValueExA
StartServiceA
RegOpenKeyA
UnlockServiceDatabase
ChangeServiceConfig2A
CreateServiceA
LockServiceDatabase
GetLastError
ExitProcess
GetCurrentThreadId
CreateMutexA
DeleteService
GetModuleFileNameA
GetShortPathNameA
GetEnvironmentVariableA
SetPriorityClass
SetThreadPriority
WinExec
RegOpenKeyExA
SetServiceStatus
WaitForSingleObject
GetModuleFileNameA
GetWindowsDirectoryA
StartServiceCtrlDispatcherA
CreateFileA
GetFileSize
VirtualAlloc
ReadFile
FindFirstFileA
WriteFile
FindClose
SetFileAttributesA
3d3d3R3m1h3c0eQJEhYQFxRD
Sertiey
Microsoft .Net Framewordk COMx+ Suppogt
Microsoft .NET COM+ Integration with SOAP
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
www.baidu.com
%c%c%c%c%ccn.exe
GetTickCount
gethostbyname
GetSystemDirectoryA
lstrcatA
lstrcpyA
setsockopt
WSAStartup
closesocket
WSASocketA
gethostname
KERNEL32.dll
WS2_32.dll
GET %s HTTP/1.1
Content-Type: text/html
Host: %s
Accept: text/html, */*
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
GET %s HTTP/1.1
Referer: http://%s:80/http://%s
Host: %s
Connection: Close
Cache-Control: no-cache
%s %s%s
GET %s HTTP/1.1
Content-Type: text/html
Host: %s:%d
Accept: text/html, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
GET %s HTTP/1.1
Content-Type: text/html
Host: %s
Accept: text/html, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
GET %s HTTP/1.1
Host: %s:%d
GET %s HTTP/1.1
Host: %s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Connection: Keep-Alive
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s
Connection: Keep-Alive
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: %s
Connection: Keep-Alive
%d.%d.%d.%d
"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333"""""""""""
33333333333
UUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDDUUUUUUUUUUUP
DDDDDDDDDDD
"""""""
3333333"""""""
3333333"""""""
3333333"""""""
3333333"""""""
3333333"""""""
3333333"""""""
3333333"""""""
3333333"""""""
3333333"""""""
3333333"""""""
3333333"""""""
3333333"""""""
3333333"""""""
3333333p
3333333
fffffff
fffffff
fffffff
fffffff
fffffff
fffffff
fffffff
fffffff
fffffff
fffffff
fffffff
fffffff
fffffff
fffffff
""""" 333330""""" 333330""""" 333330""""" 333330""""" 333330""""" 333330""""" 333330""""" 333330""""" 333330""""" 333330""""" 333330
UUUUUPDDDDD@UUUUUPDDDDD@UUUUUPDDDDD@UUUUUPDDDDD@UUUUUPDDDDD@UUUUUPDDDDD@UUUUUPDDDDD@UUUUUPDDDDD@UUUUUPDDDDD@UUUUUPDDDDD@UUUUUPDDDDD@
""" 3330""" 3330""" 3330""" 3330""" 3330""" 3330""" 3330
UUUPDDD@UUUPDDD@UUUPDDD@UUUPDDD@UUUPDDD@UUUPDDD@UUUPDDD@
w9w{wswwwwc| 1?
DDLLDDDL
LLDDLDD
DDDLDLD
LDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
DDDDD@
wwwwwwww
wwpwwp
~NDD3P~
~DHHDJ
Oxcp0zwYxwOxcp0zwYxwOxcp0zwYxwOxcp0zwYxwOxcp0zwYxwjkLwMwyt
jkLwMwyt
jkLwMwyt
jkLwMwyt
jkLwMwyt
tHuHwh0HC
tHuHwh0HC
tHuHwh0HC
tHuHwh0HC
tHuHwh0HC
wQJ4jl66i
wQJ4jl66i
wQJ4jl66i
wQJ4jl66i
wQJ4jl66i
tsLUYs88k
tsLUYs88k
tsLUYs88k
tsLUYs88k
tsLUYs88k
MhH54n4P6
MhH54n4P6
MhH54n4P6
MhH54n4P6
MhH54n4P6
xrNwD16H4XxrNwD16H4XxrNwD16H4XxrNwD16H4XxrNwD16H4XF75x9fUbu
F75x9fUbu
F75x9fUbu
F75x9fUbu
F75x9fUbu
kjxKkMQ1RkkjxKkMQ1RkkjxKkMQ1RkkjxKkMQ1RkkjxKkMQ1RkhNOTDlW7MVhNOTDlW7MVhNOTDlW7MVhNOTDlW7MVhNOTDlW7MVJD7Ff2auu
JD7Ff2auu
JD7Ff2auu
JD7Ff2auu
JD7Ff2auu
Ke0ytb6tfLKe0ytb6tfLKe0ytb6tfLKe0ytb6tfLKe0ytb6tfLePMVDJx9M
ePMVDJx9M
ePMVDJx9M
ePMVDJx9M
ePMVDJx9M
2TVTMzm3
2TVTMzm3
2TVTMzm3
2TVTMzm3
2TVTMzm3
T3X1EoNxQWT3X1EoNxQWT3X1EoNxQWT3X1EoNxQWT3X1EoNxQWeXCgq37d
eXCgq37d
eXCgq37d
eXCgq37d
eXCgq37d
xci3bfR4fLxci3bfR4fLxci3bfR4fLxci3bfR4fLxci3bfR4fLUybottfgj
Uybottfgj
Uybottfgj
Uybottfgj
Uybottfgj
nePV3Xq2I1nePV3Xq2I1nePV3Xq2I1nePV3Xq2I1nePV3Xq2I1S51VCVo7
S51VCVo7
S51VCVo7
S51VCVo7
S51VCVo7
NewKToX0e
NewKToX0e
NewKToX0e
NewKToX0e
NewKToX0e
4s7XuknQLU4s7XuknQLU4s7XuknQLU4s7XuknQLU4s7XuknQLUvY8yToGu0VvY8yToGu0VvY8yToGu0VvY8yToGu0VvY8yToGu0VPwn83bV0wFPwn83bV0wFPwn83bV0wFPwn83bV0wFPwn83bV0wFtXwEQtjNZ
tXwEQtjNZ
tXwEQtjNZ
tXwEQtjNZ
tXwEQtjNZ
79jkyZDOg579jkyZDOg579jkyZDOg579jkyZDOg579jkyZDOg5HL1D8OP35
HL1D8OP35
HL1D8OP35
HL1D8OP35
HL1D8OP35
F91ztYgFasF91ztYgFasF91ztYgFasF91ztYgFasF91ztYgFasfuC8yhntQNfuC8yhntQNfuC8yhntQNfuC8yhntQNfuC8yhntQNFUJkF07HfvFUJkF07HfvFUJkF07HfvFUJkF07HfvFUJkF07HfvSbXdpLetcmSbXdpLetcmSbXdpLetcmSbXdpLetcmSbXdpLetcmKzyuiVZtzMKzyuiVZtzMKzyuiVZtzMKzyuiVZtzMKzyuiVZtzMUt53iLOROKUt53iLOROKUt53iLOROKUt53iLOROKUt53iLOROKS5rkT08sjSS5rkT08sjSS5rkT08sjSS5rkT08sjSS5rkT08sjSTa9Hk7JZOZTa9Hk7JZOZTa9Hk7JZOZTa9Hk7JZOZTa9Hk7JZOZEZTwpWS5n
EZTwpWS5n
EZTwpWS5n
EZTwpWS5n
EZTwpWS5n
PRqWCwchkZPRqWCwchkZPRqWCwchkZPRqWCwchkZPRqWCwchkZVtnKoYY5RCVtnKoYY5RCVtnKoYY5RCVtnKoYY5RCVtnKoYY5RCm4L1aomHv
m4L1aomHv
m4L1aomHv
m4L1aomHv
m4L1aomHv
sdrmY0NbpjsdrmY0NbpjsdrmY0NbpjsdrmY0NbpjsdrmY0Nbpjx7uee9we
x7uee9we
x7uee9we
x7uee9we
x7uee9we
N7xK5lr7gtN7xK5lr7gtN7xK5lr7gtN7xK5lr7gtN7xK5lr7gtLh9FS5xwUMLh9FS5xwUMLh9FS5xwUMLh9FS5xwUMLh9FS5xwUMubkHgHiSd
ubkHgHiSd
ubkHgHiSd
ubkHgHiSd
ubkHgHiSd
WfD7JwW950WfD7JwW950WfD7JwW950WfD7JwW950WfD7JwW9509aGhWNaIwj9aGhWNaIwj9aGhWNaIwj9aGhWNaIwj9aGhWNaIwjCoXFzVjhWJCoXFzVjhWJCoXFzVjhWJCoXFzVjhWJCoXFzVjhWJNvRJHniaNdNvRJHniaNdNvRJHniaNdNvRJHniaNdNvRJHniaNdQbprlkvrmkQbprlkvrmkQbprlkvrmkQbprlkvrmkQbprlkvrmkvKM9ogrdgMvKM9ogrdgMvKM9ogrdgMvKM9ogrdgMvKM9ogrdgMXxwIhMzDjtXxwIhMzDjtXxwIhMzDjtXxwIhMzDjtXxwIhMzDjtbsJ3Dn21FzbsJ3Dn21FzbsJ3Dn21FzbsJ3Dn21FzbsJ3Dn21FzVFjuZoLzJYVFjuZoLzJYVFjuZoLzJYVFjuZoLzJYVFjuZoLzJYytbrSE6IsiytbrSE6IsiytbrSE6IsiytbrSE6IsiytbrSE6Isiyd7LeDKzH
yd7LeDKzH
yd7LeDKzH
yd7LeDKzH
yd7LeDKzH
KgZ0V0SLF1KgZ0V0SLF1KgZ0V0SLF1KgZ0V0SLF1KgZ0V0SLF1oWGzccgbh
oWGzccgbh
oWGzccgbh
oWGzccgbh
oWGzccgbh
9vog2ZSoYg9vog2ZSoYg9vog2ZSoYg9vog2ZSoYg9vog2ZSoYgvq4lR2GEvVvq4lR2GEvVvq4lR2GEvVvq4lR2GEvVvq4lR2GEvVW5Y8F8eHi
W5Y8F8eHi
W5Y8F8eHi
W5Y8F8eHi
W5Y8F8eHi
X6t7MzWh3wX6t7MzWh3wX6t7MzWh3wX6t7MzWh3wX6t7MzWh3woWYcgDp8HVoWYcgDp8HVoWYcgDp8HVoWYcgDp8HVoWYcgDp8HVjuOGihwCUEjuOGihwCUEjuOGihwCUEjuOGihwCUEjuOGihwCUEn8zWPbl2z
n8zWPbl2z
n8zWPbl2z
n8zWPbl2z
n8zWPbl2z
T4UqWVxHxwT4UqWVxHxwT4UqWVxHxwT4UqWVxHxwT4UqWVxHxwvRLGV28VqyvRLGV28VqyvRLGV28VqyvRLGV28VqyvRLGV28VqyqRaeP5vfJ
qRaeP5vfJ
qRaeP5vfJ
qRaeP5vfJ
qRaeP5vfJ
ea8phK8Wcfea8phK8Wcfea8phK8Wcfea8phK8Wcfea8phK8WcfRN3ZlZpgQxRN3ZlZpgQxRN3ZlZpgQxRN3ZlZpgQxRN3ZlZpgQxNXWNaEvM6
NXWNaEvM6
NXWNaEvM6
NXWNaEvM6
NXWNaEvM6
ZuRKncl9J5ZuRKncl9J5ZuRKncl9J5ZuRKncl9J5ZuRKncl9J5zMn1beQtGxzMn1beQtGxzMn1beQtGxzMn1beQtGxzMn1beQtGxme8k0UEtjnme8k0UEtjnme8k0UEtjnme8k0UEtjnme8k0UEtjnVvTHmZPDa7VvTHmZPDa7VvTHmZPDa7VvTHmZPDa7VvTHmZPDa7Q8SWYV6g6pQ8SWYV6g6pQ8SWYV6g6pQ8SWYV6g6pQ8SWYV6g6pUy7i69ZZVlUy7i69ZZVlUy7i69ZZVlUy7i69ZZVlUy7i69ZZVlCSdj2dFE5
CSdj2dFE5
CSdj2dFE5
CSdj2dFE5
CSdj2dFE5
cR8kmh6PMXcR8kmh6PMXcR8kmh6PMXcR8kmh6PMXcR8kmh6PMX4gl6LvIsvo4gl6LvIsvo4gl6LvIsvo4gl6LvIsvo4gl6LvIsvontdvMV0CPvntdvMV0CPvntdvMV0CPvntdvMV0CPvntdvMV0CPvmkevyGX9m4mkevyGX9m4mkevyGX9m4mkevyGX9m4mkevyGX9m4C3lHH9CM1gC3lHH9CM1gC3lHH9CM1gC3lHH9CM1gC3lHH9CM1gOk9vKqRtH
Ok9vKqRtH
Ok9vKqRtH
Ok9vKqRtH
Ok9vKqRtH
NuISieaqHbNuISieaqHbNuISieaqHbNuISieaqHbNuISieaqHb6vIN2dDoZ
6vIN2dDoZ
6vIN2dDoZ
6vIN2dDoZ
6vIN2dDoZ
p8d3w4Rmczp8d3w4Rmczp8d3w4Rmczp8d3w4Rmczp8d3w4RmczQDspRfQvIdQDspRfQvIdQDspRfQvIdQDspRfQvIdQDspRfQvId4LD1Ubn9n64LD1Ubn9n64LD1Ubn9n64LD1Ubn9n64LD1Ubn9n6
f�f�f�3�3�f�
f�f�f�3�3�f�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�b�0�
C�o�m�m�e�n�t�s�
M�l�h�e�l�l�o�
C�o�m�p�a�n�y�N�a�m�e�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�l�i�e�n� �L�o�c�a�l� �R�u�n�P�r�o�c�e�s�s�
F�i�l�e�V�e�r�s�i�o�n�
1�0�.�0�.�1�4�3�9�3�.�0� �(�r�s�1�_�r�e�l�e�a�s�e�.�1�6�0�7�1�5�-�1�6�1�6�)�
I�n�t�e�r�n�a�l�N�a�m�e�
M�l�h�e�l�l�o�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
M�l�h�e�l�l�o�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
M�l�h�e�l�l�o�
P�r�i�v�a�t�e�B�u�i�l�d�
M�l�h�e�l�l�o�
P�r�o�d�u�c�t�N�a�m�e�
�O�p�e�r�a�t�i�n�g� �S�y�s�t�e�m�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�7�.�0�0�0�.�1�4�3�9�3�.�0�8�
S�p�e�c�i�a�l�B�u�i�l�d�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
M�S� �S�a�n�s� �S�e�r�i�f�
C�a�n�c�e�l�
T�O�D�O�:� �P�l�a�c�e� �d�i�a�l�h�g�d�c�c�j�k� �v�f�y�t�d�f�g� �c�x� � �g�d� �f�d�g�h� �j�d�o�g� �c�o�n�t�r�o�l�s� �h�e�r�e�.�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
C�a�n�c�e�l�
A�b�o�u�t� �M�F�C�
M�S� �S�a�n�s� �S�e�r�i�f�
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.