1.0
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.81
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:BackdoorX-gen [Trj] | 20200420 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Urelas.b | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200421 | 2013.8.14.323 |
| McAfee | Trojan-FFDV!48B6D0196C3A | 20200421 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0a2c7 | 20200421 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | IOSDWD |
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 57 个反病毒引擎识别为恶意
(50 out of 57 个事件)
| ALYac | Gen:Variant.Ulise.6122 |
| APEX | Malicious |
| AVG | Win32:BackdoorX-gen [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Ulise.6122 |
| AhnLab-V3 | Backdoor/Win32.Plite.R236153 |
| Antiy-AVL | Trojan[Backdoor]/Win32.Plite |
| Arcabit | Trojan.Ulise.D17EA |
| Avast | Win32:BackdoorX-gen [Trj] |
| Avira | BDS/Backdoor.Gen7 |
| Baidu | Win32.Trojan.Urelas.b |
| BitDefender | Gen:Variant.Ulise.6122 |
| BitDefenderTheta | Gen:NN.ZexaF.34106.hyX@am5dbXli |
| Bkav | W32.AIDetectVM.malware |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Malware.Urelas-6717394-0 |
| Comodo | TrojWare.Win32.Urelas.SEE@5443e3 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.96c3a2 |
| Cylance | Unsafe |
| Cyren | W32/S-07a5605a!Eldorado |
| DrWeb | BackDoor.Andromeda.544 |
| ESET-NOD32 | a variant of Win32/Urelas.AB |
| Emsisoft | Gen:Variant.Ulise.6122 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-07a5605a!Eldorado |
| F-Secure | Backdoor.BDS/Backdoor.Gen7 |
| FireEye | Generic.mg.48b6d0196c3a2858 |
| Fortinet | W32/Urelas.U!tr |
| GData | Gen:Variant.Ulise.6122 |
| Ikarus | Trojan.Win32.Urelas |
| Invincea | heuristic |
| Jiangmin | Backdoor.Plite.nw |
| K7AntiVirus | Backdoor ( 0053e8561 ) |
| K7GW | Trojan ( 0049284c1 ) |
| Kaspersky | Backdoor.Win32.Plite.bhuj |
| MAX | malware (ai score=87) |
| Malwarebytes | Trojan.Urelas |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | Trojan-FFDV!48B6D0196C3A |
| McAfee-GW-Edition | BehavesLike.Win32.Ipamor.ch |
| MicroWorld-eScan | Gen:Variant.Ulise.6122 |
| Microsoft | Trojan:Win32/Urelas.AA |
| NANO-Antivirus | Trojan.Win32.Plite.fejtmk |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM10.1.B55D.Malware.Gen |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Urelas-Q |
| Tencent | Malware.Win32.Gencirc.10b0a2c7 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-11-03 22:20:16
PE Imphash
d0a02458b96b0a6cde3068c96d1cdba2
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00013000 | 0x00012a00 | 6.493509053252915 |
| .rdata | 0x00014000 | 0x00006000 | 0x00005c00 | 4.556735997647819 |
| .data | 0x0001a000 | 0x00005000 | 0x00001000 | 2.2953956201517256 |
| .rsrc | 0x0001f000 | 0x00002000 | 0x00001c00 | 1.684624600656239 |
| .reloc | 0x00021000 | 0x00004000 | 0x00001400 | 6.315323275002052 |
| IOSDWD | 0x00025000 | 0x00001000 | 0x00001000 | 6.040407475411988 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x00020170 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x00020170 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_MENU | 0x00020a40 | 0x0000004a | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_DIALOG | 0x00020aa0 | 0x000000c0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_STRING | 0x00020b60 | 0x00000048 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ACCELERATOR | 0x00020a90 | 0x00000010 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x00020a18 | 0x00000022 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_MANIFEST | 0x00025238 | 0x0000017d | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x41401c GetTempPathW
• 0x414020 GetSystemDirectoryW
• 0x414024 DeleteFileW
• 0x414028 GetModuleFileNameW
• 0x41402c GetTickCount
• 0x414030 GetVersionExW
• 0x414034 ReadFile
• 0x414038 CreateFileW
• 0x41403c DeviceIoControl
• 0x414040 GetTempPathA
• 0x414044 GetModuleFileNameA
• 0x414048 HeapAlloc
• 0x41404c GetProcessHeap
• 0x414050 HeapFree
• 0x414054 MultiByteToWideChar
• 0x414058 SetEndOfFile
• 0x41405c HeapReAlloc
• 0x414060 LCMapStringW
• 0x414064 CreateThread
• 0x414068 LoadLibraryW
• 0x41406c OutputDebugStringW
• 0x414070 LoadLibraryExW
• 0x414074 WriteConsoleW
• 0x414078 FlushFileBuffers
• 0x41407c SetStdHandle
• 0x414080 CreateEventW
• 0x414084 ExitProcess
• 0x414088 CloseHandle
• 0x41408c Sleep
• 0x414090 OpenEventW
• 0x414094 GetStringTypeW
• 0x414098 GetCPInfo
• 0x41409c GetOEMCP
• 0x4140a0 GetACP
• 0x4140a4 IsValidCodePage
• 0x4140a8 RaiseException
• 0x4140ac SetFilePointerEx
• 0x4140b0 SetFilePointer
• 0x4140b4 FreeEnvironmentStringsW
• 0x4140b8 GetEnvironmentStringsW
• 0x4140bc GetSystemTimeAsFileTime
• 0x4140c0 GetCurrentProcessId
• 0x4140c4 QueryPerformanceCounter
• 0x4140c8 DeleteCriticalSection
• 0x4140cc GetFileType
• 0x4140d0 GetFileAttributesW
• 0x4140d4 GetSystemWindowsDirectoryW
• 0x4140d8 IsDebuggerPresent
• 0x4140dc IsProcessorFeaturePresent
• 0x4140e0 GetCommandLineW
• 0x4140e4 GetLastError
• 0x4140e8 UnhandledExceptionFilter
• 0x4140ec SetUnhandledExceptionFilter
• 0x4140f0 SetLastError
• 0x4140f4 InitializeCriticalSectionAndSpinCount
• 0x4140f8 GetCurrentProcess
• 0x4140fc TerminateProcess
• 0x414100 TlsAlloc
• 0x414104 TlsGetValue
• 0x414108 TlsSetValue
• 0x41410c TlsFree
• 0x414110 GetStartupInfoW
• 0x414114 GetModuleHandleW
• 0x414118 GetProcAddress
• 0x41411c EncodePointer
• 0x414120 DecodePointer
• 0x414124 EnterCriticalSection
• 0x414128 LeaveCriticalSection
• 0x41412c RtlUnwind
• 0x414130 GetConsoleMode
• 0x414134 ReadConsoleW
• 0x414138 WriteFile
• 0x41413c WideCharToMultiByte
• 0x414140 GetConsoleCP
• 0x414144 InterlockedIncrement
• 0x414148 InterlockedDecrement
• 0x41414c GetCurrentThreadId
• 0x414150 GetModuleHandleExW
• 0x414154 AreFileApisANSI
• 0x414158 GetStdHandle
• 0x41415c HeapSize
Library USER32.dll:
• 0x414170 LoadAcceleratorsW
• 0x414174 LoadCursorW
• 0x414178 RegisterClassExW
• 0x41417c CreateWindowExW
• 0x414180 DialogBoxParamW
• 0x414184 LoadStringW
• 0x414188 wsprintfW
• 0x41418c LoadIconW
• 0x414190 EndDialog
• 0x414194 PostQuitMessage
• 0x414198 EndPaint
• 0x41419c BeginPaint
• 0x4141a0 DefWindowProcW
• 0x4141a4 DestroyWindow
Library ADVAPI32.dll:
• 0x414000 RegQueryValueExW
• 0x414004 RegSetValueExW
• 0x414008 RegCloseKey
• 0x41400c RegOpenKeyExW
Library WS2_32.dll:
• 0x4141ac WSAStartup
• 0x4141b0 htonl
• 0x4141b4 gethostbyaddr
• 0x4141b8 socket
• 0x4141bc gethostbyname
• 0x4141c0 inet_addr
• 0x4141c4 htons
• 0x4141c8 connect
• 0x4141cc closesocket
• 0x4141d0 send
• 0x4141d4 recv
• 0x4141d8 WSAGetLastError
Library IPHLPAPI.DLL:
• 0x414014 GetAdaptersAddresses
L!This program cannot be run in DOS mode.
7R7R7RdYR
Rd[R8RdXROR>
R:R7RRQLER2RQL_R6R7
R6RQLZR6RRich7R
.rdata
.reloc
IOSDWD
P3Ah`A
_^3[lH
tKHt1Ht
YYM_3^F
ESVW3h
EVW3j>fE3EVP
3@M_3^D
3WfSPU
D_[M3^C
ESVW3h
f;u5@A
f;u+u0hLA
fu*VhXA
fj^3vVP}
M_^33[0A
jgWjdA
3QWQQQ
_^[33@
t#f=$A
t)Hu"M
S3VPEMSMPy
3+5F;rM
3@M_^3[=
^9t(3GWh
3fVP6x
3VfSP_w
jQXfd+
f;u+t#VSh
f9uChA
jdY3RPPC
3@M_^3[~7
3VfhjSP
PpVPn8
3j>fEESP6r
3j>fxzSP
fuf:6fA
M_^3[#4
ESVW3h
3CM_^3[2
EEEEEEfEM
]U8VWE
EMQUREPM
uE+EEt%
uE+EEt"
3EEEEE
UEEMQURE
fM3fU3E
EEEEfE
}3E3fM3
UUUUfU}
EE_^M3(
MMMMMMfMU
MQUR00
fUEfMf
fEMfUf
fMUfEf
uM+MMu
tYE+EEM;M
UEPMQUE
WE]U08A
t.MMUR
uM+MMUU}
3EEEfEEM
3EEEfEE
PQRPQr
t.MMUR'
(;0~}j
;0}#,
;0|/0R
Ju3_uf
j"UVW}
t]xIMx
YYt#EMx
39EfD~
jEPh8A
SVWMEt
a;rht"3
;EwePuV5
E)EM'V4
YtUMt$U
+;r=M(E
u3f;u
Efu3_^][UM
f_^]UW=
#3+#I#[
_[A^]j
_^M3[j
jEPh8A
EPMElBA
EPEdBA
YYu}]E
jxYf;t
jXYf;t
jxYf;t
jXYf;u
]]MEUS?c
EuWjAXf;w
CYf;v*E]M
];}r/Uw
WPuu7d
ap_^[U=A
X_^]U}
j"^;w3
;r3_[^]
t7x#Mx
XUQV5@A
^VWh|BA
ffffffE
YM3_cUE
3PPPPP
t'@-rA
jXA_f;w
j Y+tF
j*Xf;u/
j*Xf;u+
ItWhtHjlY;t
HHtXHHt
tD3PptPPad
jiY;tfnt'joY;
jgXf;uV
PxVP58A
YYjgXf9u
xj0YQff
t=RPWQP
>0t<Nj0X
PWj0XP
HPptQPT_
PWj XP
apM_^3[2q
_^]UVu
PWj?>E
Y]};=A
PWNYYG
uMj8"\
YUQQSVu
at/rt#wt
7u-B*u B
+SVW8A
1E3PeuEEEEd
Y__^[]QU
8csmu(=|A
2E_^[]
URPQQh@
t;T$4t
;v.4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
Yt$VWu
WjY3}Mu;u
'E;s(j
Xf9Etj
xy;5`A
3_^]UVu
3^]USVu
t9W>+~
tWPVOYYE
PYt G}
4VOYYE
on0v00f
on0v00f
on0v00f
DDDDDDDDDDDDDD
3W@D<,9U
u Q!8~
YtDD4+
43QQ@8j
$QPEP0
G,84;E
(PSHP0
(PSHP0,
r3VVhU
QH++PPVh
Q$D+<;
Duct$j
+,^[M3_fUE
8csmu%x
S^`F`y
v$:Y~,
v,+Y~4
vHY~\8EA
YYt3V5@A
~pjCXf
YYt-V5@A
UQS3V9]
3C3PPju
Y3@^[UQEPhEA
YYuPVWh@
r^]UVu
@Y<v5h
]j@j _W-
jEPh8A
Y8Y4@M
Y8Y4@MFu
YUQQSVWh
EPEPWWVa
Yt)EPEP
_^[UQQE
tj"Xf9
j"_f9y
t"f;Et
^[SV5DA
j=YfuG
3Y_^[5xA
3PPPPP
M3ME3M3;u
;r_^VW
;r_^UQW
tGS3Vf9 t
}Genuu_}ineIuV}nteluM3@3
_^3[U5
3@]3]UE
%UQQVu
EU_^QL$
UQQS3!UVu
<at-<rt"<wt
7u-B*u B
USV5DAA
P_^[]USVu
t_FxtX9
Y_^[]UVu
SW=HAA
Q_[^]j
Npt"~l
t4V0;t(W8Yt
MapUS]
AJu_^[]U
;rM_^3[
whu;5A
Eph33Su
Q@YEXhS
OuV<Y3_M^3[
f;rQvf;
f;rQvf;
f;rQvf;
Qvf;rgJ
Pf;rSPf;
It?ht2lt
HHtVHHt
Kitdnt%o
PVP58A
t=RPWQc09~
u?9t7PEPx
u(#QPV>
apM3(u
RPoYYu
_^]UVu
PWj?/E
[_^]UM
tAt2t$
Yt"W~W
_39u~2O
D5WPYY
tF;u|fE
YYM_^3[
P'YYt@}
~';_t|%39E
;_tr.~
Map_6Uj
]UVW3j
_^]USVW=
Yu%t!V
u_^[]UVW3u
YYu,9E
u_^]V3 A
^]VWHA
|3_@^UE
YU8S3E
+tHHt*Ht#/
ZU+t6+t)+t +t
VEPuuu
VPuMQu
tSSS7#
uJSSR7k#
"QSS72
SSS7!#
SSSSS/Uj
+^]UQ=A
tSVjA[jZ^+
SV3W9u
jAZjZ^+
ItDft?f;t8EP
Map_^[UE
B(;r3_^[]Ujh
1E3PEd
Y_^[]UE
]USVWUj
P(RP$R
UPjh@@
t:|$,t
;t$,v-4v
UQPXY]Y[
C+j@j PYY
ttWY3uE
t(WuYP
uUQSV5 AA
PS}YYu
;r>PSiYYt1
3_^[Uu
Y+t"+t
+t^+uH
uAGdEGd
u wdVUY
Gd3!UM
^0x^]SW
ft%Ou +
3jPfTAX3f
xj"U$8A
;tO95A
MEt/t+
3M_^3[Sj
u4c ^Uj
MiE39P
Map^Uj
FufEf;q
u2t&:a
P^YF ;
P^YF$;
P^YF8;
Pn^YF<;
P\^YF@;
PJ^YFD;
P8^YFH;
P&^YFL;
^Y^]UVu
P]YF0;
P]YF4;
P]Y^]UVu
j]6c]v []v$S]v(K]v,C]v0;]v43]v
+]v8#]v<
]vL\vP\vT\vX\v\\v`\vd\vh\vl\vp\vt\vx\v|\@
^]UQQ8A
E$39E(j
P!XYtQ
3t@WVuSu
t!3PP9E u
e_^[M3GU
M1_u(Eu$u u
PWY]UQ8A
39E WWu
e_^[M3OFU
M]u Eu
MapUS]
r]USVW3
jU4xeA
_^[]U}
jA[jZZ+U
_+[^]U
Map^_[
yOj"^0
u*>^ ;t
*;Y3MS0u
t@V<Yt
3[^]qM
3]USVu
Map_^[3QL$
EPQEPEj
Map[UE
]UWVSM
;s`Myt
QPEYYt
Et%Map
Map_[%@A
WVS3D$
bad allocation
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
CreateSemaphoreExW
SetThreadStackGuarantee
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
FlushProcessWriteBuffers
FreeLibraryWhenCallbackReturns
GetCurrentProcessorNumber
GetLogicalProcessorInformation
CreateSymbolicLinkW
SetDefaultDllDirectories
EnumSystemLocalesEx
CompareStringEx
GetDateFormatEx
GetLocaleInfoEx
GetTimeFormatEx
GetUserDefaultLocaleName
IsValidLocaleName
LCMapStringEx
GetCurrentPackageId
CorExitProcess
UTF-16LE
UNICODE
Unknown exception
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(null)
`h````
xpxxxx
`h`hhh
xppwpp
CreateFile2
MessageBoxW
GetActiveWindow
GetLastActivePopup
GetUserObjectInformationW
GetProcessWindowStation
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
218.54.47.76
sanfdr.bat
:Repeat
if exist "
" goto Repeat
rmdir "
%d.%d.%d.%d
218.54.47.74
218.54.47.76
218.54.47.76
GetSystemWindowsDirectoryW
GetFileAttributesW
OpenEventW
CloseHandle
ExitProcess
CreateEventW
CreateThread
GetTempPathW
GetSystemDirectoryW
DeleteFileW
GetModuleFileNameW
GetTickCount
GetVersionExW
ReadFile
CreateFileW
DeviceIoControl
GetTempPathA
GetModuleFileNameA
HeapAlloc
GetProcessHeap
HeapFree
MultiByteToWideChar
KERNEL32.dll
wsprintfW
LoadStringW
LoadAcceleratorsW
LoadIconW
LoadCursorW
RegisterClassExW
CreateWindowExW
DialogBoxParamW
DestroyWindow
DefWindowProcW
BeginPaint
EndPaint
PostQuitMessage
EndDialog
USER32.dll
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegSetValueExW
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
SHELL32.dll
WS2_32.dll
GetAdaptersAddresses
IPHLPAPI.DLL
IsDebuggerPresent
IsProcessorFeaturePresent
GetCommandLineW
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
InitializeCriticalSectionAndSpinCount
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetModuleHandleW
GetProcAddress
EncodePointer
DecodePointer
EnterCriticalSection
LeaveCriticalSection
RtlUnwind
GetConsoleMode
ReadConsoleW
WriteFile
WideCharToMultiByte
GetConsoleCP
InterlockedIncrement
InterlockedDecrement
GetCurrentThreadId
GetModuleHandleExW
AreFileApisANSI
GetStdHandle
GetFileType
DeleteCriticalSection
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetFilePointer
SetFilePointerEx
RaiseException
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
SetStdHandle
FlushFileBuffers
WriteConsoleW
LoadLibraryExW
OutputDebugStringW
LoadLibraryW
LCMapStringW
HeapReAlloc
SetEndOfFile
HeapSize
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
218.54.31.226
wwwwwwwwww
wwwwwwwwww
wwwwwwwwww
wwwwwwwwww
wwwwwwwwww
wwwwwwwwww
wwwwwwwwww
wwwwwwwwww
wwwwwwwwww
wwwwww
wwwwwwww
wwwwwwwwx
wwwwxwwww
wwwwww
0\0b0p0000000
121D1c1u11111
2 2V2~22222222222222
3J3{3333333 4,494D4U4k4p4z444444444444
5&5.5M5[555
61686Y6666
7 7<7H7777777777
838;8J8R88888
9A9I9O9u9{9999999999(:-:J:W:g::::::::1;:;C;L;R;_;j;t;;;
<z<<<<"=5=====]>>>>>2?K?d?|???????
0X00000
2O2[2k2s222
3/3Q3h3v33/4B4H4S4c4s4444444
5 5b5}55555555Q6666666
7&7G77"88888&969@9j999:;*<~<
=.>W>>>
2G2_2233]4f4p4y44L5555l66
777:8l8t888999999
:":):c:j::::q;===%>:>A>F?M?w???
0#1G111.242S2`2w22222333N4p444446
7G7o77m88888#9?9n999<
222134#5C6Y6T777^8|888
:(:/:B:z:::::::::::::::::::
;%;5;E;N;T==x>
4)434<4444475k5<686:U:l:{::::;
=B=t===>
K0011>1w111111
5)5758?8E8U8]8c8r8|8888888888
9!9'9.979<9B9J9O9U9]9b9h9p9u9{999999999999999999999
: :&:.:3:9:A:F:K:T:Y:_:g:l:r:z:
:::::::::::::::::::::
;%;*;0;8;=;C;K;Q;_;m;t;;;;|<<<<0=d=x==>>
'0?0o03
56666668/;3;7;;;?;C;G;K;+<E<T<a<m<}<<<<<<<<<
=3=@=I=m=====
><>M>Z>_>l>q>>
c000021a1~11l2t2222u334s5|5
676666"77788
9-9G9_9999999
:-:::::
;h;;;;
<3<o<<
===== >.><>>>*?Y?o??
0C0M0i0q1111
2222e444444444
5%5,5054585<5@5D5H555555
60676<6@6D6e66666666666.74787<7@7888
::::8;;$<-<<<`=l==T>]>O?X?
1&1m11]33
4D4L44444
5*5O5k5555
6)6B6S666666
7 7(717Q7777777777
8:88888
969L9V9\9g999999
:D:W:g::::::::
;+;7;>;G;`;j;;;;
<&<0<c<x<~<<<
=!=T=o=====
>F>X>>>>>>
1\1f1111111
2!2&2J2m2y22222222
3$3m3z333333
4$4.4@4J4l4w44
5+545g555D6Q6r6666
7777?899
:0:::::';;;;
<:<<<==0>s>>>
?h?????????
0)0|000=2O22222222]3m33333333
4'4,4;4B4i444
6V666X9b9h9|999::W:::
;?;l>Y?
1$1244444
6(6R6m7x7777!8l899/:8:F:b:~:::::::
;2;9;`;m;r;;;;;;;
<!<*<6<A<f<<<<<<<
=5=:=@=G===j>
0%131M1b1p111144 5H5t555'6&8+8=8[8o8u8,999
:/:8:";>;e;;;;;
<@<]<m<<<<<
=^=n=====
>K>[>m>>>>>>
?0?P?e?o???
0C0I0N0d0i0n00000I1N1W1c1h1111111111
2#2b2g2p2u2~22222
33444444
5.545:5B5H5N5V5\5b5j5s5z5555555555"6:6S6}6/7?;`;e;;;;;
<-<?<Q<c<u<<<<<<<
00o1Q22
;!;%;);-;1;5;9;=;A;E;I;M;Q;U;Y;];a;e;i;m;q;u;y;;;
0Q0W0c0
2m2222
4"4'4?444
2X2\2`2d2h2>>>>>>>>>>>>>>>
?$?,?4?<?
|000000000\>d>l>t>|>>>>>>>>>>>>>>>>>
?$?,?4?<?D?L?T?\?d?l?t?|?????????????????
0$0,040<0D0L0T0\0d0l0t0|00000000000000000
1$1,141<1D1L1T1\1d1l1t1|11111111111111111
2$2,242<2D2L2T2\2d2l2t2|22222222222222222
3$3,343<3D3L3T3\3d3l3t3|33333333333333333
4$4,444<4D4L4T4\4d4l4t4|44444444444444444
5$5,545<5D5L5T5\5d5l5t5x55555555555555555
6 6(60686@6H6P6X6`6h6p6x66666666666666666
7 7(70787@7H7P7X7`7h7p7x77777777777777777
8 8(80888@8H8P8X8`8h8p8x88888888888888888
9 9(90989@9H9P9X9`9h9p9x99999999999999999
: :(:0:8:@:H:P:X:`:h:p:x:::::::::::::::::
; ;(;0;8;@;H;P;X;`;h;p;x;;;;;;;;;;;;;;;;;
< <(<0<8<@<H<P<X<`<h<p<x<<<<
>>>>>>>>>>
? ?$?(?,?0?4?8?<?@?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?????????????????????????????????
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0;;$<<<L<P<d<h<x<|<<<<<<<<<<<<8=X=x======
> >(>0>4><>P>X>l>>>>>>
?0?<?X?d?????
0 0@0`000000
1(1H1d1h11111
01155::::::::::
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
< <$<(<,<0<4<8<<<d<t<<<<<<<<<<<
= =$=(=,=0=4=8=<=@=D=>>>>>>>>>>>>>>>>>>>>>
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
KERNEL32.DLL
GetModuleHandleA
GetProcAddress
VirtualAlloc
VirtualFree
VirtualProtect
USER32.dll
EndPaint
ADVAPI32.dll
RegCloseKey
SHELL32.dll
ShellExecuteA
WS2_32.dll
IPHLPAPI.DLL
GetAdaptersAddresses
;`PWVS
Au<WF<.++<.
,._F;|aV
AAPQPU
uaU03@}
MMM:M}
UUUUM3
MuM3BM+
eMuG}t.]
k�e�r�n�e�l�3�2�.�d�l�l�
U�T�F�-�1�6�L�E�
U�N�I�C�O�D�E�
m�s�c�o�r�e�e�.�d�l�l�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �a�r�g�u�m�e�n�t�s�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �e�n�v�i�r�o�n�m�e�n�t�
-� �a�b�o�r�t�(�)� �h�a�s� �b�e�e�n� �c�a�l�l�e�d�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �t�h�r�e�a�d� �d�a�t�a�
-� �u�n�e�x�p�e�c�t�e�d� �m�u�l�t�i�t�h�r�e�a�d� �l�o�c�k� �e�r�r�o�r�
-� �u�n�e�x�p�e�c�t�e�d� �h�e�a�p� �e�r�r�o�r�
-� �u�n�a�b�l�e� �t�o� �o�p�e�n� �c�o�n�s�o�l�e� �d�e�v�i�c�e�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �_�o�n�e�x�i�t�/�a�t�e�x�i�t� �t�a�b�l�e�
-� �p�u�r�e� �v�i�r�t�u�a�l� �f�u�n�c�t�i�o�n� �c�a�l�l�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �s�t�d�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�w�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �u�n�a�b�l�e� �t�o� �i�n�i�t�i�a�l�i�z�e� �h�e�a�p�
-� �C�R�T� �n�o�t� �i�n�i�t�i�a�l�i�z�e�d�
-� �A�t�t�e�m�p�t� �t�o� �i�n�i�t�i�a�l�i�z�e� �t�h�e� �C�R�T� �m�o�r�e� �t�h�a�n� �o�n�c�e�.�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�c�a�l�e� �i�n�f�o�r�m�a�t�i�o�n�
-� �A�t�t�e�m�p�t� �t�o� �u�s�e� �M�S�I�L� �c�o�d�e� �f�r�o�m� �t�h�i�s� �a�s�s�e�m�b�l�y� �d�u�r�i�n�g� �n�a�t�i�v�e� �c�o�d�e� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.� �I�t� �i�s� �m�o�s�t� �l�i�k�e�l�y� �t�h�e� �r�e�s�u�l�t� �o�f� �c�a�l�l�i�n�g� �a�n� �M�S�I�L�-�c�o�m�p�i�l�e�d� �(�/�c�l�r�)� �f�u�n�c�t�i�o�n� �f�r�o�m� �a� �n�a�t�i�v�e� �c�o�n�s�t�r�u�c�t�o�r� �o�r� �f�r�o�m� �D�l�l�M�a�i�n�.�
-� �i�n�c�o�n�s�i�s�t�e�n�t� �o�n�e�x�i�t� �b�e�g�i�n�-�e�n�d� �v�a�r�i�a�b�l�e�s�
D�O�M�A�I�N� �e�r�r�o�r�
S�I�N�G� �e�r�r�o�r�
T�L�O�S�S� �e�r�r�o�r�
r�u�n�t�i�m�e� �e�r�r�o�r� �
A�R�6�0�0�2�
-� �f�l�o�a�t�i�n�g� �p�o�i�n�t� �s�u�p�p�o�r�t� �n�o�t� �l�o�a�d�e�d�
R�u�n�t�i�m�e� �E�r�r�o�r�!�
P�r�o�g�r�a�m�:� �
<�p�r�o�g�r�a�m� �n�a�m�e� �u�n�k�n�o�w�n�>�
M�i�c�r�o�s�o�f�t� �V�i�s�u�a�l� �C�+�+� �R�u�n�t�i�m�e� �L�i�b�r�a�r�y�
A�j�a�-�J�P�
S�u�n�d�a�y�
M�o�n�d�a�y�
T�u�e�s�d�a�y�
W�e�d�n�e�s�d�a�y�
T�h�u�r�s�d�a�y�
F�r�i�d�a�y�
S�a�t�u�r�d�a�y�
J�a�n�u�a�r�y�
F�e�b�r�u�a�r�y�
A�u�g�u�s�t�
S�e�p�t�e�m�b�e�r�
O�c�t�o�b�e�r�
N�o�v�e�m�b�e�r�
D�e�c�e�m�b�e�r�
M�M�/�d�d�/�y�y�
d�d�d�d�,� �M�M�M�M� �d�d�,� �y�y�y�y�
H�H�:�m�m�:�s�s�
(�n�u�l�l�)�
2�U�S�E�R�3�2�.�D�L�L�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � �h�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �H�
z�h�-�C�H�S�
a�z�-�A�Z�-�L�a�t�n�
u�z�-�U�Z�-�L�a�t�n�
k�o�k�-�I�N�
s�y�r�-�S�Y�
d�i�v�-�M�V�
q�u�z�-�B�O�
s�r�-�S�P�-�L�a�t�n�
a�z�-�A�Z�-�C�y�r�l�
u�z�-�U�Z�-�C�y�r�l�
q�u�z�-�E�C�
s�r�-�S�P�-�C�y�r�l�
q�u�z�-�P�E�
s�m�j�-�N�O�
b�s�-�B�A�-�L�a�t�n�
s�m�j�-�S�E�
s�r�-�B�A�-�L�a�t�n�
s�m�a�-�N�O�
s�r�-�B�A�-�C�y�r�l�
s�m�a�-�S�E�
s�m�s�-�F�I�
s�m�n�-�F�I�
z�h�-�C�H�T�
a�z�-�a�z�-�c�y�r�l�
a�z�-�a�z�-�l�a�t�n�
b�s�-�b�a�-�l�a�t�n�
d�i�v�-�m�v�
k�o�k�-�i�n�
q�u�z�-�b�o�
q�u�z�-�e�c�
q�u�z�-�p�e�
s�m�a�-�n�o�
s�m�a�-�s�e�
s�m�j�-�n�o�
s�m�j�-�s�e�
s�m�n�-�f�i�
s�m�s�-�f�i�
s�r�-�b�a�-�c�y�r�l�
s�r�-�b�a�-�l�a�t�n�
s�r�-�s�p�-�c�y�r�l�
s�r�-�s�p�-�l�a�t�n�
s�y�r�-�s�y�
u�z�-�u�z�-�c�y�r�l�
u�z�-�u�z�-�l�a�t�n�
z�h�-�c�h�s�
z�h�-�c�h�t�
C�O�N�O�U�T�$�
A�A�A�A�A�A�A�A�
A�A�A�A�A�A�A�
A�A�A�A�A�A�A�A�A�A�A�
\�H�a�n�g�a�m�e�\�K�O�R�E�A�N�\�H�a�n�U�n�i�n�s�t�a�l�l�.�e�x�e�
\�N�E�O�W�I�Z�\�P�M�a�n�g�\�c�o�m�m�o�n�\�P�M�L�a�u�n�c�h�e�r�.�e�x�e�
\�N�e�t�m�a�r�b�l�e�\�C�o�m�m�o�n�\�N�e�t�M�a�r�b�l�e�E�n�d�W�e�b�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�A�h�n�L�a�b�\�V�3�L�i�t�e�3�0�\�V�3�L�i�t�e�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�E�S�T�s�o�f�t�\�A�L�Y�a�c�\�A�Y�L�a�u�n�c�h�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�n�a�v�e�r�\�N�a�v�e�r�A�g�e�n�t�\�N�a�v�e�r�A�g�e�n�t�.�e�x�e�
W�i�n�S�e�v�e�n�
W�i�n�V�i�s�t�a�
U�n�K�n�o�w�n�
2�1�8�.�5�4�.�4�7�.�7�7�
2�1�8�.�5�4�.�4�7�.�7�4�
B�H�S�B�D�H�S�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�W�i�n�d�o�w�s�
T�r�a�y�K�e�y�
%�s�.�e�x�e�
f�i�o�s�d�e�.�e�x�e�
g�o�l�f�i�n�f�o�.�i�n�i�
g�o�l�f�s�e�t�.�i�n�i�
H�G�D�r�a�w�.�d�l�l�
h�o�u�t�u�e�
b�i�u�d�f�w�
%�s�%�s�.�e�x�e�
\�\�.�\�%�s�
\�\�.�\�P�H�Y�S�I�C�A�L�D�R�I�V�E�
%�d�.�%�d�.�%�d�.�%�d�
A�A�A�A�A�A�A�A�A�A�
A�A�A�A�A�A�A�A�.�
i�E�&�x�i�t�
h�&�A�b�o�u�t� �.�.�.�
A�b�o�u�t� �k�i�d�g�f�e�
M�S� �S�h�e�l�l� �D�l�g�
C�o�p�y�r�i�g�h�t� �(�C�)� �2�0�1�4�
H�u�i�d�t�Y�u�s�r�e�
P�o�l�k�d�H�Y�u�d�e�
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.