2.1
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.66
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Agent-AULS [Trj] | 20200320 | 18.4.3895.0 |
| Baidu | Win32.Trojan-Downloader.Waski.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200320 | 2013.8.14.323 |
| McAfee | Downloader-FSH | 20200319 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b159cf | 20200320 | 1.0.0.1 |
静态指标
查询计算机名称
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545317.702625 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
|
1727545318.0 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
检查进程是否被调试器调试
(2 个事件)
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(2 个事件)
在 PE 资源中识别到外语
(4 个事件)
| name | RT_ICON | language | LANG_PORTUGUESE | filetype | None | sublanguage | SUBLANG_PORTUGUESE_BRAZILIAN | offset | 0x00004640 | size | 0x000025a8 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_PORTUGUESE | filetype | None | sublanguage | SUBLANG_PORTUGUESE_BRAZILIAN | offset | 0x00006be8 | size | 0x00000014 | ||||||||||||||||||
| name | RT_VERSION | language | LANG_PORTUGUESE | filetype | None | sublanguage | SUBLANG_PORTUGUESE_BRAZILIAN | offset | 0x00004180 | size | 0x0000028c | ||||||||||||||||||
| name | RT_MANIFEST | language | LANG_PORTUGUESE | filetype | None | sublanguage | SUBLANG_PORTUGUESE_BRAZILIAN | offset | 0x00004410 | size | 0x0000022e | ||||||||||||||||||
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\gexzn.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\gexzn.exe |
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.text', 'virtual_address': '0x00001000', 'virtual_size': '0x00001440', 'size_of_data': '0x00001600', 'entropy': 6.971437532034009} | entropy | 6.971437532034009 | description | 发现高熵的节 | |||||||||
| entropy | 0.2558139534883721 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 63 个反病毒引擎识别为恶意
(50 out of 63 个事件)
| ALYac | Trojan.Agent.BFXQ |
| APEX | Malicious |
| AVG | Win32:Agent-AULS [Trj] |
| Acronis | suspicious |
| Ad-Aware | Trojan.Agent.BFXQ |
| AhnLab-V3 | Trojan/Win32.Agent.R120892 |
| Antiy-AVL | Trojan/Win32.Badur |
| Arcabit | Trojan.Agent.BFXQ |
| Avast | Win32:Agent-AULS [Trj] |
| Avira | TR/Crypt.ZPACK.Gen2 |
| Baidu | Win32.Trojan-Downloader.Waski.a |
| BitDefender | Trojan.Agent.BFXQ |
| BitDefenderTheta | Gen:NN.ZexaF.34100.bm2@amlyFrdO |
| Bkav | W32.FamVT.GeND.Trojan |
| CAT-QuickHeal | TrojanDwnldr.Upatre.AA4 |
| ClamAV | Win.Trojan.Downloader-66467 |
| Comodo | TrojWare.Win32.TrojanDownloader.Waski.DFJ@5j5omu |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.7553ed |
| Cylance | Unsafe |
| Cyren | W32/S-d8f0f8a7!Eldorado |
| DrWeb | Trojan.Upatre.100 |
| ESET-NOD32 | Win32/TrojanDownloader.Waski.A |
| Emsisoft | Trojan.Agent.BFXQ (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-d8f0f8a7!Eldorado |
| F-Secure | Trojan-Downloader:W32/Upatre.E |
| FireEye | Generic.mg.5e49c637553edf6c |
| Fortinet | W32/Waski.A!tr |
| GData | Trojan.Agent.BFXQ |
| Ikarus | Trojan-Spy.Zbot |
| Invincea | heuristic |
| Jiangmin | Trojan/Badur.cwm |
| K7AntiVirus | Trojan ( 0001140e1 ) |
| K7GW | Trojan-Downloader ( 0055e3da1 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=88) |
| Malwarebytes | Trojan.Agent |
| MaxSecure | Trojan.Upatre.Gen |
| McAfee | Downloader-FSH |
| McAfee-GW-Edition | BehavesLike.Win32.Upatre.nt |
| MicroWorld-eScan | Trojan.Agent.BFXQ |
| Microsoft | TrojanDownloader:Win32/Upatre |
| NANO-Antivirus | Trojan.Win32.Upatre.dgkhzf |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM20.1.015F.Malware.Gen |
| Rising | Trojan.Waski!1.A489 (RDMK:cmRtazpKL12LFsEfSsPECMhuF/ms) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Crypt |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2033-10-04 06:16:33
PE Imphash
64e9084150010351c5f2f53555526080
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00001440 | 0x00001600 | 6.971437532034009 |
| .data | 0x00003000 | 0x00000c36 | 0x00000e00 | 3.1642505319596554 |
| .rsrc | 0x00004000 | 0x00003150 | 0x00003200 | 4.001495902699418 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x00004640 | 0x000025a8 | LANG_PORTUGUESE | SUBLANG_PORTUGUESE_BRAZILIAN | None |
| RT_DIALOG | 0x00006c00 | 0x00000550 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x00006be8 | 0x00000014 | LANG_PORTUGUESE | SUBLANG_PORTUGUESE_BRAZILIAN | None |
| RT_VERSION | 0x00004180 | 0x0000028c | LANG_PORTUGUESE | SUBLANG_PORTUGUESE_BRAZILIAN | None |
| RT_MANIFEST | 0x00004410 | 0x0000022e | LANG_PORTUGUESE | SUBLANG_PORTUGUESE_BRAZILIAN | None |
Imports
Library MSVCRT.dll:
• 0x403038 _controlfp
• 0x40303c _except_handler3
• 0x403040 __set_app_type
• 0x403044 __p__fmode
• 0x403048 __p__commode
• 0x40304c _adjust_fdiv
• 0x403050 _exit
• 0x403054 __setusermatherr
• 0x403058 _initterm
• 0x40305c __getmainargs
• 0x403060 _acmdln
• 0x403064 exit
• 0x403068 _XcptFilter
Library USER32.dll:
• 0x403070 SendMessageA
• 0x403074 GetLastActivePopup
• 0x403078 PostQuitMessage
• 0x40307c BeginPaint
• 0x403080 EndPaint
• 0x403084 DefWindowProcA
• 0x403088 RegisterClassExA
• 0x40308c LoadAcceleratorsA
• 0x403090 GetMessageA
• 0x403094 TranslateAcceleratorA
• 0x403098 TranslateMessage
• 0x40309c DispatchMessageA
• 0x4030a0 CreateWindowExA
Library KERNEL32.dll:
• 0x403008 lstrcpyA
• 0x40300c LoadLibraryA
• 0x403010 SetLastError
• 0x403014 CreateFileW
• 0x403018 lstrcatA
• 0x40301c GetFileType
• 0x403020 CloseHandle
• 0x403024 GetFileSize
• 0x403028 GetStartupInfoA
• 0x40302c DeleteFileW
• 0x403030 GetModuleHandleA
Library COMCTL32.dll:
• 0x403000 InitCommonControlsEx
L!This program cannot be run in DOS mode.
uOn&On&On&
is&On&
i.&On&
lw&On&Oo&On&
ir&On&
iS&On&RichOn&
`.data
0jP00U
t;PRlPPQ
A:u@@EP@Ph@
AVWAf9
GGEGGEM;r
EUjhX4@
hSVWe3
EEP5x8@
EPEPEP
0u>"u:Fu
<"u>"u
> vFuj
Q3{h#@
Q0@0h@h
hj%h0@
hhESZ+
@VRSW#Iu_A[Z^H
jEhPj3
z'e kc
w5dM\7
EPie4=x
C~yl#]~
_?OTB766Uyu4Y}
nj k@
eQA1ae~yE>
Sf_n#HDvFx
bP6U}m )
8R6l=g<
S`rR#XU bigK&M
ZqpAj&
C.l=I7
=A;"V2
[ \ Ri9
"$i'Sy
P1M|{3T
w%~j@\xWa?/
_C]HvIC
,%-=pIN70[}4H i"Lu
Wg)0dr=
bq-i5I]gC6_
e7<(]
$h4XM;
J#eimspe
"2%{ch
jCs"eC"ff
WMt1<L@0
-vib|_vjB^
"\r>Z][j
B'_]UP`b
ns1.r')
Ij>S6NL*
Frfb|0DS
XUjIEZ3
8fjuao
odw7 c
jj 2%3l }
2J5\SY{BRY
UTp1l7!
NgZ)-r!eZ
VyWeCTB
bt8:K3wt0/*Rus
XpfbOdH
1?L{U$Oi#fF0ll\:ig/
a&V>Ib%acbivHCD?
rv4S^h*
V ^&v7
sK{>1{<J=r
kQtTLQc
b{8aG8E0h
>b%Odz&
kjrp3h
EE0PE@0j5`#@
Totota
Landrover
very good
fion pion pack
sutori wauu
Dochland Pochland
Times New
RichEdit
Riched32.dll
projects, and I think it is unlikely that will
see any further changes, except error corrections.
However does not remain, and will contain
some either did not exist, or were not important enough to.
R)!(6PB
$(LHQ=
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
MSVCRT.dll
_controlfp
DispatchMessageA
TranslateMessage
TranslateAcceleratorA
GetMessageA
LoadAcceleratorsA
RegisterClassExA
CreateWindowExA
DefWindowProcA
EndPaint
BeginPaint
PostQuitMessage
GetLastActivePopup
SendMessageA
USER32.dll
GetModuleHandleA
lstrcatA
lstrcpyA
LoadLibraryA
SetLastError
CreateFileW
DeleteFileW
GetFileType
CloseHandle
GetFileSize
GetStartupInfoA
KERNEL32.dll
InitCommonControlsEx
COMCTL32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="*"
name="Company.Product.Name"
type="win32"
<description></description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="*"
publicKeyToken="6595b64144ccf1df"
language="*"
</dependentAssembly>
</dependency>
</assembly>
.#TO.#
4 4 4 4 4 4 2
4 i]4 4 4 4 4 4 4 4 4 4 4 4 -
4 4 4 4 4 4 4 4 k^4 4 3
4 4 4 4 4 4 4 4 1
3 7!7!7!7!7!7!H17!7!6!7!7!|p7!7!7!7!7!7!7!3
4 8"8"8"8"8"8"8"^N8"8"n`8"8"8"8"8"8"8"8"8"8"8"8"4
7!9#9#9#9#9#9#]O9#]O9#9#7!7!8#9#9#9#9#9#9#9#7!
9#=#=#=#=#=#=#=#ug=#=#u=#=#=#=#=#=#=#9#
=#B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)B)=#
D,I/B)I/I/I/I/I/I/I/I/I/I/I/I/I/I/I/I/I/B)B)B)B)B)B)I/I/I/D,
D,I/p\p\p\p\p\lVnXlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVI/K3
.�f�t�w�a�r�e�;� �y�o�u� �c�a�n� �r�e�d�i�s�t�r�i�b�u�t�e� �i�t� �a�n�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�3�7�C�8�2�A�2�
C�H�A�N�C�E�
C�o�m�p�a�n�y�N�a�m�e�
M�u�t�V�a�b�C�h�i�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
M�u�t�V�a�b�C�h�i�n� �I�n�d�.�
F�i�l�e�V�e�r�s�i�o�n�
V�e�r�s�i�o�n� �1�.�1�
I�n�t�e�r�n�a�l�N�a�m�e�
M�u�t�V�a�b�C�h�i�n�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �b�y� �M�u�t�V�a�b�C�h�i�n� �I�n�d�.�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
M�u�t�V�a�b�C�h�i�n�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
M�S� �S�h�e�l�l� �D�l�g�
D�e�f�a�u�l�t� �V�i�e�w�
D�e�f�a�u�l�t� �Z�O�O�G�:�
S�h�o�w� �t�h�e� �b�o�o�k�m�a�r�k�s� �s�i�d�e�b�a�r� �w�h�e�n� �a�v�a�i�l�a�b�l�e�
&�R�e�m�e�m�b�e�r� �t�h�e�s�e� �s�e�t�t�i�n�g�s� �f�o�r� �e�a�c�h� �d�o�c�u�m�e�n�t�
R�e�p�l�a�c�e� �d�o�c�u�m�e�n�t� �&�c�o�l�o�r�s� �w�i�t�h� �W�i�n�d�o�w�s� �c�o�l�o�r� �s�c�h�e�m�e�
A�d�v�a�n�c�e�d�
A�u�t�o�m�a�t�i�c�a�l�l�y� �c�h�e�c�k� �f�o�r� �&�u�p�d�a�t�e�s�
R�e�m�e�m�b�e�r� �&�o�p�e�n�e�d� �f�i�l�e�s�
M�a�k�e� �G�o�V�i�e�w� �a� �d�e�f�a�u�l�t� �v�i�e�w�e�r�
S�e�t� �i�n�v�e�r�s�e� �s�e�a�r�c�h� �c�o�m�m�a�n�d�-�l�i�n�e�
E�n�t�e�r� �t�h�e� �c�o�m�m�a�n�d�-�l�i�n�e� �t�o� �i�n�v�o�k�e� �w�h�e�n� �y�o�u� �d�o�u�b�l�e�-�c�l�i�c�k� �o�n� �t�h�e� �P�D�F� �d�o�c�u�m�e�n�t�:�
C�a�n�c�e�l�
C�:�\�U�s�e�r�s�\�c�h�r�i�s�t�i�a�n�.�l�e�e�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�T�e�m�p�1�_�p�d�f�-�t�o�-�v�i�e�w�_�8�6�4�1�2�9�_�p�d�f�.�z�i�p�\�p�d�f�-�t�o�-�v�i�e�w�_�8�6�4�1�2�9�_�p�d�f�.�e�x�e�
C�:�\�O�Y�4�W�G�d�k�6�.�e�x�e�
C�:�\�4�6�7�7�e�b�d�7�1�8�c�3�7�a�a�a�0�a�8�e�c�4�3�c�6�0�2�e�c�b�6�e�e�9�d�c�b�4�3�5�f�d�0�f�c�c�e�4�8�f�1�c�6�b�4�2�5�3�6�f�b�8�d�4�
C�:�\�9�6�f�9�1�a�d�0�9�c�e�6�2�5�0�8�e�5�3�3�1�0�d�c�6�9�7�2�c�0�2�e�f�d�1�a�5�e�9�6�a�8�d�6�1�d�d�2�2�a�c�d�b�4�9�b�2�f�0�6�d�2�8�d�
C�:�\�b�f�5�8�4�9�d�2�e�7�9�0�6�6�8�f�6�6�9�4�b�e�3�c�7�5�1�d�a�a�9�9�6�d�b�c�6�e�c�d�1�4�a�6�a�1�6�9�2�b�3�f�0�7�3�a�6�b�6�7�1�8�f�a�
C�:�\�G�h�_�b�y�Y�v�I�.�e�x�e�
C�:�\�J�p�I�L�t�y�P�O�.�e�x�e�
C�:�\�L�o�b�o�g�c�r�L�.�e�x�e�
C�:�\�M�s�V�x�Z�7�p�f�.�e�x�e�
C�:�\�5�0�7�M�8�N�x�g�.�e�x�e�
C�:�\�2�B�4�z�v�x�p�H�.�e�x�e�
C�:�\�R�b�a�K�j�j�o�A�.�e�x�e�
C�:�\�i�4�J�C�B�x�5�y�.�e�x�e�
C�:�\�2�7�E�o�U�0�x�S�.�e�x�e�
C�:�\�O�s�2�2�P�q�H�j�.�e�x�e�
C�:�\�5�6�b�4�6�1�0�9�2�7�d�1�4�d�2�a�2�8�e�1�8�2�e�2�6�1�2�3�b�d�9�8�2�4�0�e�b�f�5�9�4�0�f�c�4�2�8�2�0�9�0�6�7�0�d�a�6�e�c�c�b�7�4�3�
C�:�\�D�K�K�g�F�a�g�V�.�e�x�e�
C�:�\�4�l�O�L�m�A�p�S�.�e�x�e�
C�:�\�Z�h�z�N�f�7�G�R�.�e�x�e�
C�:�\�Z�e�H�Q�d�w�F�e�.�e�x�e�
C�:�\�G�5�7�m�A�V�Q�A�.�e�x�e�
C�:�\�1�4�0�8�7�6�e�a�e�3�4�c�d�2�e�0�3�e�0�9�6�5�8�d�8�1�2�c�b�e�6�5�2�9�c�5�8�2�4�a�3�6�2�2�7�d�6�3�c�2�6�6�6�5�4�c�0�a�4�4�8�b�b�2�
C�:�\�G�n�x�x�G�k�M�U�.�e�x�e�
C�:�\�T�a�U�a�l�z�V�S�.�e�x�e�
C�:�\�A�Y�a�4�J�F�Q�X�.�e�x�e�
C�:�\�F�r�g�0�V�Y�i�6�.�e�x�e�
C�:�\�f�9�2�7�8�9�c�7�c�6�e�1�6�1�e�6�e�f�3�5�f�e�e�0�7�d�6�f�a�4�7�9�9�d�d�5�4�6�0�6�e�3�3�6�8�d�9�6�0�c�e�c�9�6�0�0�c�a�3�d�c�a�1�d�
C�:�\�c�l�m�0�G�e�g�5�.�e�x�e�
C�:�\�b�4�9�6�4�7�2�2�8�a�c�e�5�1�0�4�d�6�e�3�d�5�0�9�3�e�3�e�8�3�7�6�5�e�9�1�1�1�f�1�6�2�d�e�0�6�9�7�3�6�f�c�a�b�0�8�a�b�8�0�4�2�d�7�
C�:�\�_�W�h�e�r�X�R�M�.�e�x�e�
C�:�\�Z�V�V�v�j�5�J�T�.�e�x�e�
C�:�\�_�k�D�6�6�D�H�l�.�e�x�e�
C�:�\�4�7�0�9�3�a�1�1�4�a�5�4�c�1�b�1�2�2�6�e�e�3�8�7�a�4�0�7�4�2�0�b�6�9�e�1�b�d�0�3�4�6�5�1�c�d�f�9�6�9�b�8�8�b�1�1�9�d�e�7�2�6�9�b�
C�:�\�t�n�v�1�5�W�N�Z�.�e�x�e�
C�:�\�b�2�C�Z�R�6�y�g�.�e�x�e�
C�:�\�w�s�S�6�z�1�U�u�.�e�x�e�
C�:�\�Y�F�c�6�P�z�Y�B�.�e�x�e�
C�:�\�e�8�I�R�S�x�s�F�.�e�x�e�
C�:�\�A�h�4�z�q�x�q�P�.�e�x�e�
C�:�\�l�S�J�Q�a�C�P�i�.�e�x�e�
C�:�\�P�i�O�7�Q�z�j�X�.�e�x�e�
C�:�\�w�D�_�q�D�V�r�z�.�e�x�e�
C�:�\�x�6�l�K�9�F�f�C�.�e�x�e�
C�:�\�r�9�9�P�8�f�B�F�.�e�x�e�
C�:�\�0�S�g�P�f�V�r�Y�.�e�x�e�
C�:�\�Z�d�r�Z�V�G�w�d�.�e�x�e�
C�:�\�t�n�N�r�T�K�p�C�.�e�x�e�
C�:�\�2�6�b�b�5�7�5�b�4�7�9�2�d�c�f�0�8�2�f�b�c�e�c�b�2�0�8�9�e�9�e�b�9�a�b�b�c�b�1�d�2�c�c�5�3�d�1�9�4�c�1�f�6�d�4�9�7�f�e�3�e�a�e�c�
C�:�\�l�t�j�F�V�7�a�N�.�e�x�e�
C�:�\�T�C�2�6�4�O�G�j�.�e�x�e�
C�:�\�J�R�G�d�V�d�Q�R�.�e�x�e�
C�:�\�y�7�k�j�o�9�L�_�.�e�x�e�
C�:�\�R�t�1�z�f�1�m�8�.�e�x�e�
C�:�\�k�h�G�4�t�u�O�K�.�e�x�e�
C�:�\�P�h�3�h�_�f�W�r�.�e�x�e�
C�:�\�q�m�E�u�w�B�l�X�.�e�x�e�
C�:�\�G�I�6�l�z�h�v�h�.�e�x�e�
C�:�\�i�o�8�7�5�Y�s�r�.�e�x�e�
C�:�\�y�O�z�S�g�n�6�d�.�e�x�e�
C�:�\�h�1�f�i�S�e�Y�8�.�e�x�e�
C�:�\�8�2�f�7�9�1�c�3�c�8�c�a�0�3�a�c�d�b�6�2�4�f�a�7�9�e�7�e�5�c�6�f�7�f�8�b�f�d�8�f�f�a�5�8�c�d�8�2�1�2�d�a�4�6�6�4�3�7�7�3�d�a�1�f�
C�:�\�c�a�e�4�f�2�f�7�7�b�e�3�1�3�7�7�e�9�5�d�3�7�a�e�a�c�0�e�5�3�4�d�3�4�7�0�c�6�8�c�a�5�b�0�a�0�6�6�4�b�7�a�e�9�6�5�7�e�4�2�1�3�9�b�
C�:�\�2�a�0�7�0�2�7�0�9�9�b�a�6�a�a�2�c�7�9�1�7�d�c�9�1�1�3�f�9�6�8�7�5�7�4�b�c�0�9�2�e�8�6�3�8�f�a�1�1�3�d�b�d�b�6�7�4�4�4�a�7�1�1�6�
C�:�\�U�s�e�r�s�\�V�i�r�t�u�a�l�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�5�e�1�8�6�9�e�d�0�a�a�1�3�0�0�c�8�e�5�0�4�4�c�7�5�f�a�e�b�e�6�6�f�f�e�0�1�2�9�8�b�d�f�0�6�e�8�6�8�f�5�0�b�9�9�5�0�b�0�b�0�f�d�2�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�s�a�m�p�l�e�.�e�x�e�
C�:�\�c�5�b�b�0�7�f�6�a�a�9�f�5�7�1�c�1�8�a�f�7�1�7�b�8�d�c�5�4�2�7�9�2�0�5�c�c�6�c�3�3�9�4�2�0�e�e�2�3�e�c�9�2�6�a�4�b�9�7�3�d�2�0�5�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�s�a�m�p�l�e�.�e�x�e�
C�:�\�U�s�e�r�s�\�J�o�h�n�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�g�w�k�v�t�c�a�a�J�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�1�f�b�b�6�9�7�a�2�3�9�4�3�7�b�6�4�d�e�9�b�7�b�1�6�0�0�f�1�6�d�5�.�v�i�r�u�s�.�e�x�e�
C�:�\�9�c�b�b�a�7�e�1�3�d�5�3�c�8�4�d�4�0�b�1�e�7�f�6�e�f�b�f�b�3�0�a�c�0�6�6�f�d�d�3�d�c�c�c�9�c�c�2�e�a�a�0�f�e�6�8�7�2�e�6�5�7�9�2�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�g�e�x�z�n�.�e�x�e�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�g�e�x�z�n�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�g�e�x�z�n�.�p�e�3�2�
C�:�\�1�a�f�0�e�c�d�4�a�9�8�4�e�1�1�e�1�3�c�7�6�1�e�0�9�e�0�b�c�f�3�e�f�7�a�c�3�c�d�9�8�2�1�3�4�7�2�7�a�5�6�5�6�2�5�b�5�7�b�b�3�5�0�d�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�g�e�x�z�n�.�p�e�3�2�
C�:�\�b�d�c�6�0�3�4�8�e�7�7�b�7�1�5�6�e�b�e�3�f�8�2�f�1�7�f�8�4�0�8�e�3�1�0�5�2�5�8�5�3�3�a�4�d�0�d�e�7�e�d�0�f�f�d�d�d�5�d�6�3�4�1�f�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�g�e�x�z�n�.�e�x�e�
C�:�\�9�1�3�3�6�4�6�5�1�5�4�3�1�b�5�0�a�f�3�7�0�5�8�0�c�9�9�2�1�c�e�a�b�0�0�7�8�e�4�6�9�e�6�7�b�c�3�5�1�5�9�9�6�0�d�4�f�e�d�5�6�b�9�1�
C�:�\�e�1�8�6�4�c�5�b�7�6�5�9�8�b�5�c�8�6�f�c�2�1�d�5�7�1�8�b�6�3�9�3�f�3�5�f�d�0�c�f�a�a�0�7�c�7�3�a�6�d�5�0�8�b�8�d�3�3�f�c�3�1�9�8�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�g�e�x�z�n�.�p�e�3�2�
C�:�\�a�d�6�c�1�9�4�0�5�6�1�f�2�a�7�f�5�f�9�0�a�f�9�5�8�e�4�2�2�4�5�5�9�3�2�b�2�1�7�d�9�7�8�7�6�3�3�9�3�d�1�5�7�d�f�e�4�f�d�b�b�5�4�8�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�g�e�x�z�n�.�e�x�e�
C�:�\�4�a�9�2�0�f�f�0�0�a�e�f�3�0�1�b�0�3�9�d�0�f�1�4�c�0�a�1�9�d�8�d�8�4�7�6�5�e�d�e�d�7�7�f�a�4�e�a�6�e�9�0�e�f�0�1�b�9�d�0�3�6�8�0�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�g�e�x�z�n�.�e�x�e�
C�:�\�U�s�e�r�s�\�R�A�4�9�1�~�1�.�V�U�L�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�c�c�b�c�b�2�e�1�b�0�9�4�f�f�e�f�5�7�3�9�1�2�e�7�1�4�c�3�d�d�e�1�.�e�x�e�
C�:�\�b�a�c�7�e�a�2�c�5�4�5�b�a�2�3�3�6�7�8�d�6�3�a�a�e�b�0�2�8�8�7�b�2�7�2�5�b�5�b�9�f�e�3�5�0�7�1�b�a�8�5�d�3�b�3�0�e�b�0�e�3�2�8�3�
C�:�\�5�4�6�2�7�e�0�4�2�6�e�e�9�4�3�a�9�4�4�9�d�8�8�5�2�c�c�1�c�1�9�1�8�f�4�d�0�5�4�2�1�0�2�5�4�a�2�6�1�f�d�a�c�2�1�3�f�e�0�f�6�5�6�a�
C�:�\�6�c�3�2�d�1�1�a�8�9�0�1�8�3�0�2�7�5�8�0�f�3�e�f�8�2�a�8�e�0�e�3�4�a�f�9�1�8�b�9�a�e�4�7�8�b�6�5�b�a�2�b�0�6�1�5�d�6�5�f�8�1�a�2�
C�:�\�4�a�c�8�a�8�3�0�f�e�4�5�a�d�1�b�7�1�4�e�5�1�a�3�a�5�2�d�d�4�a�e�1�6�2�e�a�4�1�7�3�c�4�4�4�b�4�6�b�7�7�5�3�e�2�c�f�6�9�c�6�0�1�f�
C�:�\�3�4�f�d�e�b�4�6�e�9�6�e�e�c�6�a�1�b�1�0�9�2�a�d�2�4�3�8�8�5�3�d�c�f�5�1�3�7�4�2�9�0�a�d�4�5�8�1�1�b�4�f�1�f�0�c�e�8�7�2�c�7�2�d�
c�:�\�t�a�s�k�\�7�A�F�6�F�1�0�2�E�F�B�D�0�2�C�D�C�2�E�A�0�6�9�8�8�0�F�5�8�1�4�8�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�e�8�c�7�c�e�8�6�7�7�3�6�7�9�2�d�a�1�9�c�0�8�4�a�4�4�0�a�7�8�e�b�.�v�i�r�u�s�.�e�x�e�
C�:�\�d�e�b�f�9�8�4�e�1�7�a�6�c�e�d�8�f�3�e�3�6�8�c�e�a�a�c�4�1�2�6�3�d�9�9�4�a�d�a�0�8�5�e�7�8�1�0�d�8�6�5�3�8�b�2�3�c�3�1�a�1�1�e�6�
C�:�\�9�9�4�d�f�a�2�5�a�5�b�8�b�9�9�1�6�1�1�3�6�2�d�e�f�7�a�9�6�c�7�4�f�0�3�8�3�2�6�a�6�4�1�4�c�0�5�5�5�9�f�e�4�b�2�6�9�1�4�2�b�6�4�0�
C�:�\�U�s�e�r�s�\�R�A�4�9�1�~�1�.�V�U�L�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�c�c�b�c�b�2�e�1�b�0�9�4�f�f�e�f�5�7�3�9�1�2�e�7�1�4�c�3�d�d�e�1�.�e�x�e�
C�:�\�f�c�c�f�d�6�2�5�9�5�1�7�a�b�b�c�c�5�3�a�d�0�4�a�d�2�a�b�4�a�1�a�9�a�e�1�d�9�8�e�7�e�c�5�f�0�4�f�8�8�7�4�f�7�1�3�1�a�3�e�4�a�c�7�
C�:�\�e�6�2�c�c�f�c�5�8�8�f�6�8�b�9�a�6�e�7�8�7�9�1�8�1�2�2�7�a�7�7�8�b�c�d�e�0�c�b�c�7�1�1�5�f�7�7�b�9�a�c�d�7�2�d�c�6�4�2�0�0�3�0�7�
C�:�\�U�s�e�r�s�\�R�A�4�9�1�~�1�.�V�U�L�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�c�c�b�c�b�2�e�1�b�0�9�4�f�f�e�f�5�7�3�9�1�2�e�7�1�4�c�3�d�d�e�1�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�g�e�x�z�n�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�7�5�1�8�6�b�0�1�6�f�3�0�f�f�f�4�f�d�7�5�a�d�1�0�1�d�d�4�2�5�b�4�6�9�d�5�4�d�7�e�a�a�f�f�1�6�f�6�3�e�2�8�5�9�5�d�1�d�8�2�a�4�a�9�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�2�5�9�5�2�1�d�c�c�3�4�a�4�5�c�a�f�d�c�5�c�3�0�c�4�5�a�6�4�e�1�0�d�a�0�6�7�2�3�3�8�1�2�f�0�c�1�8�d�6�e�2�4�6�7�3�3�2�9�9�7�2�1�0�.�e�x�e�
C�:�\�0�5�c�1�7�0�e�e�f�6�f�0�4�1�6�2�8�1�c�e�1�f�8�3�a�8�9�d�d�9�6�c�4�6�2�e�9�f�f�4�1�7�e�1�f�e�4�2�3�8�3�3�1�5�e�e�f�e�3�e�4�d�3�8�
C�:�\�9�d�c�c�d�4�e�2�a�6�3�2�f�5�e�b�e�0�d�4�1�3�6�3�4�d�6�c�d�d�a�0�9�2�4�7�7�7�6�5�b�4�0�7�1�0�a�a�3�5�d�d�d�c�0�c�a�7�4�f�3�2�9�a�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�g�e�x�z�n�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�a�b�a�9�3�7�2�5�0�4�7�6�f�3�c�c�e�b�b�7�8�a�9�b�2�b�7�6�7�4�b�5�3�8�0�1�2�c�d�e�0�b�0�2�3�d�0�0�0�6�b�9�4�e�a�8�a�0�c�b�9�2�c�1�.�e�x�e�
C�:�\�5�3�7�f�a�a�e�1�9�7�d�2�b�d�f�9�4�e�4�a�f�0�7�7�4�6�c�2�9�8�e�2�3�7�2�0�3�3�2�6�3�1�9�1�2�2�a�1�e�7�5�c�b�9�c�4�a�3�2�f�a�6�1�5�
C�:�\�0�f�9�9�5�6�0�e�d�8�f�5�2�8�0�1�9�d�6�4�3�e�1�5�b�5�8�e�3�8�0�3�f�5�9�d�b�2�5�6�1�8�a�6�f�1�f�7�0�d�c�e�b�1�5�4�e�2�1�8�7�9�5�6�
Process Tree
-
0900a0cc77946f358471aa0465839682d24194edbf47c98bddc923bfe719e11e.exe (2336)
"C:\Users\Administrator\AppData\Local\Temp\0900a0cc77946f358471aa0465839682d24194edbf47c98bddc923bfe719e11e.exe"
- gexzn.exe (600) C:\Users\ADMINI~1\AppData\Local\Temp\gexzn.exe
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 61b6c99c9e069354_gexzn.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\gexzn.exe |
| Size | 31.4KB |
| Processes | 2336 (0900a0cc77946f358471aa0465839682d24194edbf47c98bddc923bfe719e11e.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | f8d9aed28a8699e2babc315c9ddc627e |
| SHA1 | c2b6e9cf696e4112fda93fe445ffb7261005dbea |
| SHA256 | 61b6c99c9e069354845ccd093440e856bd761a604dabebc940708a184f590646 |
| CRC32 | 5682B57B |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.