1.3
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.79
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20191103 | 18.4.3895.0 |
| Baidu | Win32.Backdoor.Wabot.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20191103 | 2013.8.14.323 |
| McAfee | None | 20191103 | 6.0.6.653 |
| Tencent | None | 20191103 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(8 个事件)
| section | 7519006 |
| section | 8572755 |
| section | 7151059 |
| section | 6580166 |
| section | 3626684 |
| section | 7044656 |
| section | 5294235 |
| section | 3707131 |
一个或多个进程崩溃
(15 个事件)
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(7 个事件)
| section | {'name': '7519006', 'virtual_address': '0x00001000', 'virtual_size': '0x0000d000', 'size_of_data': '0x00007e00', 'entropy': 7.99353393817323} | entropy | 7.99353393817323 | description | 发现高熵的节 | |||||||||
| section | {'name': '8572755', 'virtual_address': '0x0000e000', 'virtual_size': '0x00001000', 'size_of_data': '0x00000400', 'entropy': 7.767636168582015} | entropy | 7.767636168582015 | description | 发现高熵的节 | |||||||||
| section | {'name': '6580166', 'virtual_address': '0x00011000', 'virtual_size': '0x00001000', 'size_of_data': '0x00000400', 'entropy': 7.830116036537715} | entropy | 7.830116036537715 | description | 发现高熵的节 | |||||||||
| section | {'name': '7044656', 'virtual_address': '0x00013000', 'virtual_size': '0x00001000', 'size_of_data': '0x00000200', 'entropy': 7.55488547604783} | entropy | 7.55488547604783 | description | 发现高熵的节 | |||||||||
| section | {'name': '5294235', 'virtual_address': '0x00014000', 'virtual_size': '0x00002000', 'size_of_data': '0x00001000', 'entropy': 7.952516725673953} | entropy | 7.952516725673953 | description | 发现高熵的节 | |||||||||
| section | {'name': '3707131', 'virtual_address': '0x00017000', 'virtual_size': '0x00003000', 'size_of_data': '0x00002600', 'entropy': 7.385206639806591} | entropy | 7.385206639806591 | description | 发现高熵的节 | |||||||||
| entropy | 0.979381443298969 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 53 个反病毒引擎识别为恶意
(50 out of 53 个事件)
| ALYac | Trojan.Agent.DQQD |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Trojan.Agent.DQQD |
| AhnLab-V3 | Malware/RL.Backdoor.R257255 |
| Arcabit | Trojan.Agent.DQQD |
| Avast | Win32:Malware-gen |
| Avira | TR/Dropper.Gen |
| Baidu | Win32.Backdoor.Wabot.a |
| BitDefender | Trojan.Agent.DQQD |
| BitDefenderTheta | AI:Packer.16161DC21D |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.8af609 |
| Cylance | Unsafe |
| Cyren | W32/SuspPack.R.gen!Eldorado |
| DrWeb | Trojan.MulDrop6.64369 |
| ESET-NOD32 | a variant of Win32/Delf.NRF |
| Emsisoft | Trojan.Agent.DQQD (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Delf_Troj.F.gen!Eldorado |
| F-Secure | Trojan.TR/Dropper.Gen |
| FireEye | Generic.mg.77b6cc98af609672 |
| Fortinet | W32/Delf.NRF!tr |
| GData | Trojan.Agent.DQQD |
| Ikarus | Trojan.Patched |
| Invincea | heuristic |
| Jiangmin | Worm.Generic.ahwj |
| K7AntiVirus | Trojan ( 00129bd51 ) |
| K7GW | Trojan ( 00129bd51 ) |
| Kaspersky | HEUR:Worm.Win32.Generic |
| MAX | malware (ai score=81) |
| Malwarebytes | Backdoor.Wabot |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee-GW-Edition | BehavesLike.Win32.Backdoor.mc |
| MicroWorld-eScan | Trojan.Agent.DQQD |
| Microsoft | Trojan:Win32/Wacatac.B!ml |
| NANO-Antivirus | Trojan.Win32.Delf.fnpcgo |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM18.1.FC0F.Malware.Gen |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Delf-GBD |
| Symantec | SMG.Heur!gen |
| Trapmine | malicious.moderate.ml.score |
| TrendMicro | Backdoor.Win32.WABOT.SMD |
| TrendMicro-HouseCall | Backdoor.Win32.WABOT.SMD |
| VBA32 | Trojan.MulDrop |
| VIPRE | Trojan.Win32.Generic.pak!cobra |
| Webroot | W32.Rogue.Gen |
| Yandex | Worm.Delf!QOFqnb2nJe0 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1992-06-20 06:22:17
PE Imphash
3c0e70bfa5f73f1f1cef484e2bcb5bf8
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| 7519006 | 0x00001000 | 0x0000d000 | 0x00007e00 | 7.99353393817323 |
| 8572755 | 0x0000e000 | 0x00001000 | 0x00000400 | 7.767636168582015 |
| 7151059 | 0x0000f000 | 0x00002000 | 0x00000000 | 0.0 |
| 6580166 | 0x00011000 | 0x00001000 | 0x00000400 | 7.830116036537715 |
| 3626684 | 0x00012000 | 0x00001000 | 0x00000000 | 0.0 |
| 7044656 | 0x00013000 | 0x00001000 | 0x00000200 | 7.55488547604783 |
| 5294235 | 0x00014000 | 0x00002000 | 0x00001000 | 7.952516725673953 |
| .rsrc | 0x00016000 | 0x00000358 | 0x00000400 | 3.8585242583369057 |
| 3707131 | 0x00017000 | 0x00003000 | 0x00002600 | 7.385206639806591 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0001620c | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001620c | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x00016334 | 0x00000022 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library kernel32.dll:
• 0x418c2e GetModuleHandleA
Library user32.dll:
• 0x418c36 MessageBoxA
L!This program must be run under Win32
7519006
8572755
7151059
6580166
3626684
7044656
5294235
3707131
?Mn#fS
X$GZP~
9p9/ZD
|&d0n&
.#ArYn3JA(z
8O-@q}x.=
}YMF>kG"`ztY
@,15m^!_]02
k *tqyQ
rYNsUF
?]j&?[
Tv9p'7(P6#m
1PGJixRJ7bzp
OCh/\c
=#g?`y
r/R vo_
{\Wgc%
%WhE7'BhW@Ao@Q
#@0t]-8
iI!F%9~mjw
Ogmo%Lc+I
^~<ZQRA(.zC6
T79?ho
kb9T,PW"
L5k{ezV;#lEtYzT@
}2IVe
m_WI!He
sXX"O}
kH$&G;
YSs?Q{
O7s<k<M^zw2oi
aE@4q[
?@.aJj7}a
{jPO1xEbu]SL"m
{di<P@
g?js GJx\:Jz>
/&y1q8
SiWn*L-/V
DZdQ{t
Okl0z`B8
'%p$xI&]
B0Kfy{:
G.}Uv:
lJ]X?ro
bDN)GO2k
smq=i}
?UNGDH9
znh:kA
`QH!,:
"HT,:p$QQ
d$}.M=
R52O$w
Gs2P7h
S\'0HCM4'M|8xQYu,Y
Up3c'W0
=pm&-'
5)$xy7a
p]%5<GxvM=
>RSi&[
(Cjl/HW
*=G&[%f3
t>7BX| B<
g ^9!K
t3SZ&o0E"&
tn[2(({
H~cQG'
.1\*X#
(sb7bOP !
<au29R
_( '1*
3FS1S\2
r^6g}!0
4Yg}r
=55<mp*
eewX'b
J`;"_LY1
*Gr*ip
zkI*xFM_
fk0Ki 4hY
Dk"f&I
,DkqNgeN4%>!x!K
~R3-BE
&X Ce|ofAFjc
,_-T l
qQkr'YB
/>}f-t>a'u
F{fabRR.
(>!]^n
q[yFN''uJ2(p
<"z4,TK+1Q&P
s^omG>[V|A8K[
Y@bWZ0)%t-'|a;\:Y
l.Ei>Y
:JC:q\FJ
]!3_m*jS
]5D2AF[
>MY&H5#X
8I-K}ZO#;
~w9Z%O
kK{nh <ot
6+"<Q0mEMtzo
2jxW[S
CQIV;`,o&c+C=j
R)`pJe}L
%^X r}v1
F9HA9xcl
w gh"IB
HEroyBY
DHv&#'q
?5\:o$
:V}a.;
F[o`Ow42
pAaS*W&
DCqfzU
0|h()"Zm\?
=|iI`YNF
f^^@YD}_z
@Y,r,!riO
.v)}bar|[A7YS`
++~-+$YIkL
:VLAw$
p.X) ~
bWQ0T>
*0'6x3A|=
5PBZ!q
ZT"/"5
\">}[&
VgF>Z1k5
R;]Yr""weT9 Q9
N' P*h
JmV{t,q
o/uEte
Sc=kRb
VGkHK2*V
L}dkz#
aQ6O&IR
(U`3lM!
b~sXgU
?vl?Oo
Y;mfpkL;S
235rlq^e
yt{S|f
6f.q?z`W<D(;9U:
p`v_IA
shg8a g0"<
qN]uCW+
J)_~!u?+_eAJ:
!]Qf&*2xc
/PV?k\d
`i9|QA
w:LixHL:=0
ckE-yo%
m8BNBcd/
aYHt+o
$;rEkDVl^GWQ7G&
x*2LdK
Epd+ ^rlO
E.k}.z^b
"}-x3dnegV
2t7b&EBm
Z!vf8sr5+
_-)ZO:'e7[
RmGT.g
39LEc8mhL
lX-_vS$o.@
[o{_qdH|=6
9\eLBR0
V&UBxTbB]
q`#rl#
i/c'k`>
)$Sh <T#
3<*Rs,
UIW=h#j%!
Q(<c T
=f*|!c
ty9BV7D
MXO*$-zZ
sA5d-:
V^D98S^4M/I%!
_'pb\T
&-4t]95R!
^a$`i2}6
\zRL}(
; 2e[=
bfnQ=fS
)M^a\(l
jZlw,7o
vr#;.0V
_1k<L6dC%~
`#h9_~k
G ?v`gw
:,jJkP ~
VWwhd7)@
&pS$ $Z1C
,A=12`-^
TKeyQ/[
}I 2NG9xO
F*2TOaWEAAMl"
92o5JM
2~u\_}
Ft{=x,2
b+,O{C
`NmTg<1k:~;D
/Z:Eob
|`:1 5 U
r32*hnK
e.M'}WkUE
-E`}jz6Ds
+:K^xp!
]B-i~>8
5-quq=
@D |{HOZ
VfwC!'
H~szG9gCjV\s
wlgx&V_$x89K^k5
<9-}M@%
qa?~p9
GR'(cbjf
[y*@Q?Dl
|6AWU:s
j0i. BeY
Ou/DdqZb0
Z. mPT/@O
wQQV<{k'Tu
Z5m<WZ@H
iC)}aQ3 x\
KK~QHd
W Z7~'
(W%Axu
sS95b$oh;6_,L
oc!"hB
Aat5w
<F.lC(M^t
BxIN/<
=M+1Aen
I&wd\{6\j>d
%sUesvX?
}OYS!2%1)
j4+jgB<@
j>E9}c.
=s<2 :
lQj#Qb
K3)s_O
wf:)>D*h
Gf%;AC.
zs/WEw ,
K5`@F{Ms
Wkglx
`sj!j)Q
*K];%ts
-w5G{Ad
>To:}2Esbu_.l
BrC~7
O+3-~H1u4i
mhQ=He1
gv&1:w
91?y>E
'ql 2{
yX` ,eaW8o!K] ,Q
mmUg \eMU
IairyMR'jfS
!Ia\0!Mtv
eTY>oe.A;\
0I|f$z$d
c(yw4{ P
e0EqG4(
~PR:%b,(R
N9#|*xpI.
{:ea*XHt~
UBTj;%
VZZ]'-
H?8 )p
&a%y+8;E
5$f7Nz/\yN
OhZEc
|xgRc#
ewqDLu
)C%!a@
x 5K.;`lv"
b'(5Ogr)$2VJ
;;b,]NMr,r'<II;
j(Uoi[6
)IM\7/W*Q
e7vf=x
z~ w@w=H
k7|O5*P
:9AALt`.}
_jc;=?
_> i1J
CF:6I1nMP:b
?>I.UP<c
]=_zC<
L"SMcj(
v-=p'N?
j XZK&
hN)U4q;@1Z^WF
.foTRVc
#>B{b4e$
.>]E8Pp
NE>O!Ut"
woeoBn
m:WZl|
&7z)U*
`otUdOQ
TqMB,s3N
w4UIF1p
iD i|_s3'M&r#
b|"|a+uS-}H Ms_\tP/
b{ _KT&FW3Q
pWdP_{,\j
AFjg3id
eL*k0LF
O4zf=&SfoBR2
Izt"yHC
P4rm;/_
yUU$t(s-`
`X-X@a
A,h@P+45=pK
Q;F%H[%
.6+ x b}
@Ip$i$
pIggn,z%(*;
($s6=w
/pt>Xj
S20UUz *Q}q@\g8W
~|[*i>JbwQG^!W
!uxBP6
k@&/P6p5D
KxL`S0iHfW
`G:v.)O#71
M#hX}xO
p7:<~X
H;-"Q}1
EBJv0}/
UgQB]6_$;
(6t#{\q
OL}wq0KEJLC
(xUI}v.)dz
PO-WXm|Q
++5,J2<
_r"wI}pDNJ9k8)k"N
;Q@V&7\(Dn6%.O!
cg~UDSv
/{Lr)+,Go
|xU Xh
L, rDEW'>~TE3_[6
RkdE9Wu\@A
CVW_<E.B
/,^+T!c
6OFOxU(Kd7a
|A14KnzbCE>q
EJlr,5"x
.r?0{-W
}4T|9vWc
Ui ,RbV
s [)M8
\#c}]:
eNS)E:g e
-n_ sR%-9W: +
kDX{kP
#kCz[;
2$_*R)
/Vh3.aL5f
?%`4MPR
*z^>Sp
j>5x(i,0mg=]+ n
d xm~ZF
b_L ."B?%
Cx&bgIMo
*+U7$vKX~
d'2@sdr6-lZD>v<|
Qjx(n#"[
"{?,>pT:b%
C}DA)@Y0m
.^`j@&
@{_.ePXB;n
s[V V"~R+
v(G&d!`+!mMn
+M4Z*Vj2)K
.P(2^B
[/^WyP(he(F*
[{|t{S$B
=rwBx\B
i%b-4\V3)jN
bA4Gh/dj0CQb
pY[?0AF
wRgwr$#M
D 0WO07
; kVg3=M
K5' R#sYC!>
)Z/\'PVw
>75[Fd
\RZ;?v`z;z}
/]>E+7L
3[~Tk16V
Z-cBx@
~$ qE2
+shTeh^5`R
&i8F70x&$F
u"%K8px
J0d>A|@ZV@h
F*{.|gd|;!P/.;4[u:b
G7tubV
b"^L4C
"V-0{cd
XA5(jM4V1B}
kM_oOfLfA"c||)v/MUS4Jd
]Fvs#zQS_0,
%(~o-(
z/0qOK$y3z
C:6$bX%sMFl
rg?bzA
=!YsS##
hvsH?N
. Kh 8
e =#y<u
o*BJ}32"H
_CyWSKv
|iwD,t#|or
6/N:U9|
22~[rysmsz0
>d0s"h]_
w Itzo6&
]C&JxCzvj
2X4X.?e^mx"
lMZ}v7kv_h%
oCpE.>z
cR_ r:dvgAULd
N0YKZ/q
%Wm;X!
j83.:X>o'}>NV
{YevSYbk
M-SjtW^\
f"eZXH@A-
1&42sX@dx_us
D}=s6ir
u3 bIV[
B*Lc7j
F#gaOF
,\<sv1p/i
P^lc=T~j<;
'Dy4~^+N+Uir:#B
>kumX~
.A;S)M
1]F:=IqDo
@$?E>UA~
bB)p;P;M@P>E]:D
YXb\F^:
W)c@^B
w/o7]Tu
P!5}b'h3
}:m\"A
=WLPyU
`RcA;^
p~|[zW
-?/-FLZm^
Uv;?k ]&+
ok-asTytf8dn
>sh4w)mu,
-b^oA3a
f'H+Lx
5Eh9$J0 #@1vOTme
'Csgm1
+r=3@wr4
O\iOE/8Vh
@3FSs\xd;@i
bK.\]u
"-9S8k{
v7O+tN%,T]s7
ljcyda
^>CmF
6Z(`h@O1>27H\
>g+L}!CrW
0_0_mL&.
*df5b;h
j(hw*u
Z_?Cq O
bD|/8~
++DgG({
8jVD+Y
[T_7g;
yEg8'&>I
[,M6?DdFV4<
O.piDu0)mMC2
e->)"C:#
{o.z3o
%J'aa?L
uMaWuCY1m
p%5f&z$
7..e"*573'Y&@
=waF+,4Ii
,(d0vXjBt~_
;Coqpb
/qBq%!
0c.*!T
W2:G90d
;:<3D>"M(
Mys%]?
#N1Jc6
s:]@v^X
V5s=,I
-z6qQiwP
*\8QX5l=>
3%95T;la
&I&7GeZ
!w3)!va
`"3r(\j|Oa;
30v g=dBE
\xc&d|
??0.37cI'RX
26s"*w
F.KB>i4'xUu~`o
O6eM4?X?{
/+q!jk)h={
HZ`nY3
kn{GyS
_^zhJP!
Y45DUS
)Km$FB5J;;o
ER'7UR/=Lg
1}5Y(N
TGPeqK];rc
AWQ}r^
.XIR{|(D=5^O
zbBm=?|oRw"U<jN:Dl'>?
mC29IA
SQ/uCl
m(.#qP.{mx
KaJ{&U
!#( &N;V
H\*WcD
}!37gK
DtLE$WI]
2fH\;?L\
Q]c_\"
C(4y`X
5*Aw($
Kc*T3JjE`Z
'?:kF'B<"X2
[0Amvd]`
Vu}>?$63
s-zm,'8
+)OG<8>|_s
9j MuyWmQ7N:
[UIC rO|NOb
~/d.KHR}!Q.EY9
!v`s0K
X&.p<1(
%xf Q ~u{
$}7'2Iw uckmucAPUzxz
-5j5OPD>w
uH~Pq)9x%g@
oZV"Vz_?
N?Ga/Z
5c0XAe
RbJ<=4E(
{ExWL\M:B?SZK"Oac
S~(qt*
-Qn)>0+?k
G4]9}{K
Yd=HKN~sB
<_B9iHMjv
"B36^XN6cJL
V~ZbEYl
$e<|gzUt^@
De4qK49
WC5=Ul)_A
+06r&f
KLayM7Ca\/[
:>|;)Z
<c|='nMQ#dR2qe
k+t#RS+O
gbs"hT
\V>e>V
SWh%x&o.MjQ
"*C}=
%MnWv'VTS(9d
(PI;R%
e{OSQ6_&
-'=`;JWZ
]@a'Zhb;b
Js9(>0<W
B7A|e>c?/;\2
$f[*Tw!sn
k2@46RC:O>&r
>SXIc\.F8
y|}Hd
yTKpI,1UF
h3Vxm8,Ma
U!,@_<X
--?)MT}[
W3_[@!_kWX ?P5[
jMKCz
>K15Y(K
"08J@6z
Wl[RZm
Pj=n 0
zd Jv@8\
[#bk^-RO9mA8L;
GJv6i^H
k,~B$Mq{%h! & %_
}z.V=>
qh!l<Rd
tj8-Y?aX!U
ra<+EF
$bA +~yl
~)kxsu;^
Wu :7=wI;B
k``fir
Flf!a>
`?T$Df'
Xl#\b[B`Flb^Yw
r/zX)J
Yf8Q1tRh3
'mRB^U
.nwo<=H
87LG?sI^
8k8o&E|
${Nv3}p#e6B;<B;Iq1(
"rWOB ?
pp/pbH
tkqA*CQ?
.~1y,?8"
O|9GIUpBPT
p%!/&x,fkH<t
1{X@BgR ^HSFwnS
^s>.9P.
<e.iK|a>It
E;_(6?
!^TGpFbyhid\.b
)#J"i:O
[O2wxZ6d<
c/_ @"E
nlKt4xI)
6?Ch \Ao)`%
OcBE3m
)b mU*
K5R&]:.xH
`2FPj6,jd-H
g_iT@B@qZ+
g}`m~<`Y
:w,"j3-e8L;_0
vA[_{DFx
fdv9b#/k
f1N#C9=\1h
VWG?JN
*6QqS+
*DD7|$k8||K
2jj"C;lZ
^rOCio9w
XJ7D&9&W&
mw~!3\
qxkW)f*k
~+O:xH]9b 4:nsj2
(]>+g"(d
p:,Nfb
~|c[ s/2
,;6FL?c CN
/l#bCr
Q3jPH4F
zP@b=B
GP,b,2
P|Vk7$
OOOE}bM
[@lsd8(
lT4^z;86frUL.;O*ynM+
94k['o
p6M'bY8t
SGI!<-.)
hr( ]~Hpm;^-.NMp"f0}`
w>w*GIM
X_d}|?DBz
0(J7Qg
rB=tG+
^<]6H!
_~'-VsF bQ
+1rA|g/n*T
=^XVqE8
pPo8DvZ)cI'D
X+nzszX 4I@Z
+kz)Z-r
;M{oNI
O!Lk\'
]T>J'^ @;
B#*r=L
VQ!IxH'
Kodo7Me
I\G:*x<b
;60Hd;
*]/)7x
wT*El {vIC
[s4cs=II
[X'J9=, /
Q}lI:xMs=c*wXE.
&)-e^(+.IG,
+1 s)}_#
*,_u1Fb4%"
YwqnCM`T
X7:sn%.
o6ciyK
r6A,+p7
@Pq<+z
KYcm1C
-'CA`@Zc2o
+8Ikt&nkFTN|\$
:zBC;x
]Qf)g#+
zx Y!F
Q*eF48<<
$aoj"vU'e4'ITV
+Iq0,u}&^dK,M*q
GrL2yX(
{W~}2LY
~<>UOY%: I
z!0(b2o
.EQ\tps
~J9hxr\ifd
':hi_2KYAcJud8
1 VgSZT
+vLh+Z&q
B="vw%
C-aCQ:k
vsTxS^nL>
o$b.!GCP*]J
r2m*Rvj-
*YM>b#36G$d\K
[,8k[&C1RAs:v,$@
F*QQui
$nnaP!
xL39t`5p
n)._rm>!r3
HXupqZX!d
?<_,<-
06 XxFJ6
qA(_W\
+}ze)kR(
Yzh8v"]"*k
&<le!FBi<:-7p1y
xuq*\X=:^
#n)W;:o[~d+/+Q
x5D)TS(c
@4_jDxn>+]
,;fSHDIeGjY0'b
(gF#!mT5
?.'5$.x
~>%3~+WOw4j
Q;olFK4
.;)zx[c
#?l1$jO
:}ZU2f?
Oi<HB(
??7dmn
E}f+]K
Vh>=~=p
sK):.-
wj!?|Q
`_dD{_iNvw~5DE
;b.sGcw
rw,]I~OU
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX`
ET81NDUVHxC
s1A_h0Te
i}Lbmfmb 8
fq~^SELR~Uf~
KUQRj~
LS%}`qp'<
x.(7c!xe
1EzsM/wC
hP`-r?-a
<i3jU@[
I*B}*]
V\=tz1^fQ/hM%HK
R/PamX
HF2vqg
uw^\52OCL >
D UTC0y
y?* ezsXuZ)Z
{)'uO1[
rpQlxGC
K&$hHGL_HK+D+@_ ' *5"=>!*91
*Pi[P7
ZITc`q-H4N%M"0v-f[:I
Any6EHrc
)'|P-i(,atQ
{%r7r7!IS0
C6*7:|P
P/e Xx
}m#p[|`5!i
vCY{VPtE[
^C|GGH6C+zdUZ
KifP.8
ZXiy1wub*b
e{x/77)0
t=U;p)
Wig5r.
:zcHiu
B6Qq!r
qeqk{Xa|hJi
A=O)Y#W8"#f8U#r$(2\
0Y;U{`d
i,f hC
,,k-U\)
hzx~5/
kQmuJ5x
cXA[k)
, |eZ#
|o^KqSP
wQ]4e&G@
9Z ]lx
.vfO1c0Q
#kc>J9RY!mt+T
l9sr7mD
DZ7Mqrq
4|ByXMK2L
V{CT(?
DU PV?
hvtLT9
#)`*lOd)%5
qhKgteN5-M
sQ-5$lCT
N&1"9Hz
{^,3}{
R44*~:g^7
yJV_v1|
]ce"&eYL"[6
]j'v7h7
C<Eo^S{
k0Mbkn.
aR}T{TMk>/W/
E %V@J
B7lmcM
]MaW<>$
mJrPAJ/gN
,/^^#(
Vdc&5l
RKdA$q3e/_
6 CLQP.oq
5A=j*'
\G,}OM
>E^{*%y#jv
h0b,v_2: i
8z]5NRv$sKfCqxB3
w/G'X-L^W1
]Ulu~"%6Q
KaE0$f
kb\2wRU<
imZ+o+
a,&TC!;E
L8]en+B
-T?Cg t+
]9i,' ay!y
9lsMWK
@HU}td
&Up[01
:9|}Ail]
RnNZ&>Wb
@wz{f_2D]mKU
`sJ2P"J4T
1J0@.m.
jy!fCcO''o%{YJL
DL>8v6i5
GfW!r%Z&dZym
UTUn)c
2h[1GD 8
Zc> ><y
0][}SXMhK
ok*H?Aq\>
0E L6ZVCH
:+QACi
\pz4Xho2yU7
4L#i>XX}D]nALx^
uuj+UxU$
n*0<QdB
he^:HMXs}*O
Ac"r5@Vb
2Br?0NUy!XS
C"1_sw
2L.oS<yICKm8
(Ful'\
u8RN9w
N do[w
<f\^G,
X&c\K"M
kernel32.dll
user32.dll
GetModuleHandleA
MessageBoxA
Kn[VS0/!
jy<zPn
3E &kL^tB$E6(&6W:n[
52CZ=oj
!sccXCX2
'2CJ')L_skx7G
CF1'P_bkggB
E4S;v
62CL;'ZP
^`v*v\
han9=iM(
wwwwww3388
D333338
/D333333
DD333333?
/DD33333?
DDH33?
/DDDDDD3?
DDDDDDH3?
/DDDDDD3
DDDDDD8
l5K7+Z
7-3Cnd
=X)9!bR
Sk^4xe
MRMgLh
#1ZJ^I
q9v}Z5D~v'f
Gm5|qD
P-EjB$3
},`Hd9
>4/iYq
wH\7bU
X%x,Cn
B*B>hg
2TK0=D
(i$|o@s
#B{jD[ 0M[<7Z'
*Vo4>}
F7%Vk^H#
o.hZEuK+h!A
}rst/l{
B u2On
3uTU6:
y7\lO[|8
=HP;_he]
tBvA0Uu^>a
wcqX*Q)
L@a G|(E$7
j'1ZAO?"
wPxC35)
6$yW4s1 `OBc
_x/#HC=#E
*0Fy|mJ-O
y_VP62
5PbvoCM+>"
X1?wT0T86c>p'GPN
ln=,14
8c?yu6bN
H*f7N3
ex>l|!y7lgp
U0R:h>{NK
^l@GP"F
'8&'UQ
j6&,#hq
y-z%{1C^Q{R/cu"V
]QFtAZh
Gh@K4V9~HS$
Fj@ebRq~\
>p?fN_
>Z2=xaq
bKUTYDCN
r[J) e"_ sQU
0<#$EziU'
io/#H=
w;"8!L
363ZWD,46m|lg)S -
STt5<[
yi;\s*fU+]K
O2Vf891L.Qwf}zC
{wh?3'
'It(UK#
fr;%Qx5k
wPwmO+;:[H$10=C
"SCMeF
T]?Z6AXl
F#eY?A
wWk|H8
}E0=c 9G
S@KT,6;;
[3mn _
E03@c8BrFG
,2)7n4o5
Od{9jKQy|
_EM#`0F.)
jV 3avXK
8.!EvU
kOU}cD]Pl
} 0z;YHss
>;,+!.bR
rr Ka~0
Y'~"h\
R_':@;
$]z|;/i4
V%`Ic<
fKVbPW6
~lP/+Z
u;_!p>_
5 cntkTqp
MBU#9&
5 P\>N%N-
Y'0;QDfB~&Sh>#BFg_6k$uh<-]8s.z
eg__RYtEf
L|`O(g/q=
Qk6]{|<
7-|/Oxd-J
nL_5o#
5ahem6
i*$<I<z
Yu0YmI=
lO.b~eY5u%
Z/j@?%`D$I
e`:Lb]264G
!"XB<e
4`:,8alj
9-El qBk
nEi!*FH
gV47@6kJ@t a
`dp+a4
q7<zY$]g
_1ip-Oe-]Qq
m'u^oY
ADPr;{+'
Sb>[MEG
L8":U)E$fu>"_zj
$0SNa*zTe
KP2$tL@rQFtm~y
n2f" Gb0
ID/}uX3^2
'#MEx`t8G
%"Xg~em
bBEN~2^+dWktH
{Z:*E!&
{[LEb~2=
\~{yZg7<k
3&ra%dz2$>)F
WCLEa"F)f
2yz5YUU)wh
pFl+jCzE}shC
_C=.uF
d/kkE]s
#X84pENrK:
V+HD yhIrmg
ALGG|"V T
wh1$Y6U+t[-D
fp?Oij\.22u_t
i]Y]*}ld
.bZ/ V|{C
ngpSL;j
}YPZhd>
3,TvG+6
{g]^X^
d~?&F'w,Nv
nt/$pX~1
jut4X?
edN9e9
bj~W)P@!
mOv)!x.
,(o;[b@[
,1hU"JH
Vq$|/'6
R`G( \S
)^BLcN
,E%E?a%6|
qM^ Q2{L
2~pwJ4
tG+1&N
4g*ns6T
OZaVaSbra*9
%wI)*K9m]
}C3v8M
gfIT?ko,s"u
!8-q(x
;setX2UKd3OD:P
_s%C6kP8QR_|Zu
7^t|UTK
|*M0w,
A@9*VU,!
'=-0W
'/ubG7
;\[F,L\^=I6;p5:c>2d^[Gt
S9cxVL
24aror
8Vo[Qr
DNPh/d@N
Q/7+Db5
B&Mw>\I
bJm$8}$r
w`sk+q0T>(@g?
V9<B:GIuE :
bzrBWTxm[mMmRN3
njO`v4O~
k_K3bT
|Q9:*V{
}aqzf(
bEdNiQp
QQA//'
;KNPPC{
&M}njK
D}({vRA8^~a
\&)0h @UR4
4Y:[.S
'EQ_ O
f.S^,];N
`uc /o
K7dW[Bi^
dL:Ka$RdQB
0vhKjy
U<*=xY&
R)^3@nz
37w?J]7u
U 9 ql'fqN{
IBXK%S
4+Q'wLN
)W9V9.7,:9o/<Q(
u9co#Ym6
cNV25jQh
0$BGFW{
R,mHZFV=b
'X2Ah]
lwz>C("q
p0}4<[
w1C5k+C)
dJ{Pj4
Y9$fMR;F
uXUl+"}
{JV''O^&.
jQ\ .D" 9hieHP
]N}GJmV
1r0*1=am
FjrxaX
0G2{x[
VKA+bX)-_q
]VI/_c?~`i
X7'$y=U)]
|0c<Gks
91HTi8E`;7<yaz
^2T$5?z
TA5J#:
iG]Wfwh
! dl/d
HF.+-[Z
nQ&}=EE8`
|TIv<I-O/HoU
qnrls3<;
"XZY-r
k'mCbg+
sYMI/=
N*r@xB+uL@*@SeF&p9#l\
VhA,(u
e6]Qd8q2
U<nM7LR
yUe?[Q
ydkz+fT7//'v rm
[:T%.r,-
.NQ1?8j3hI,S
'G;>w?KA:
"[E[<Gr2yQQ_
i5Z<R[Yx
-s=ZA%\Ap
M@NxB.bVvJjo
|M`}:gM
FFh=y"
^dsink ~
E$(aAle
>nj_p}Q
n>[=@6
Ety@1(3:O~
cH_H\4*'
YA9<]<?N
%%0bx`QIxJ
.xu{s#;
YBmto_(
OmRDp}
*x_(\LVux
Vl[B )
W<HS,x
)!8jRa&^e&
)Zaja*lHHmA!
[ay-^*
k~a C7g
9@/W{a/.
?~=w0G
!M4u0'
Qh%1U3
s9Xk{=1!
>> ]l9Y
_=6>Rx
]OKT5m
[(=l#I
)iUP3ejt ]
N4DwG0
ZC}$09&JXD@
_ye 3l
2 T9 eo2g
0 R'A,01X6mKQl
!PvHlW
!}(aM5
~B'3Ax
N#:~L'Z&
EIYp2w~\
A48^4oNp
EVnp<paD%
KwCMX\-#<zNM
8z8C7p
"jgg&AlE
&`'aZ'\
sY4_c6gq5
$*/795
T1gvV
oX !zJsccJ-
'3(: 4$uL:
/7nX!0
}\RDq~i7[5)x.g
2|KQ>EP
S{9Ue^p
M4h9:WrKG2J/"dL evfR-We
1sn/o*zf
0/T0i=
@PxKXC
}\WKv[HQ;$"
6Ktuo\
7`'mK{
Y~EI6+
tMgp/^xzl]n9
sGbVdS
_ssyCr=X
JtwHv%B
5!J:opB
m]5v-4
CS<t[%
FCII/2JGS`
qp$=2W]
'R~4wk*zB$
B3WXApg
(0J?mV
i"v#S,T9%ej
X<d;||x
| #4X%M3hTXCo'
WvwUoB&80#P)Wc
ZZ=f%}
Ik_ 61
U''$!R1M3L*
vm9M>-~kCqgbF
z$]n9i
LAh$W,
{*r$a2
uS<$2J{
}sUy"cXE*
hP>6xR/
V"&X$pj"&;
Vmp>Zwlfo
Lz{Xwv
h(#9t8
;J~I'-R
*nA(rF)b6
GTQ'usFa
3pb,X&
8;;a$`~L
]?fLHN"I
ZqvrRIYz
DmQD.M rxe_
{+Z6&*z\
B'kG\iu
}{hnCQ8h
?qZiFh0{>d-DQw
U>4S3D"$
gYO'|x<d
c9a)T$
}hae]l
SjC,%7{pEic_0
~R)9,H7
,PA{h~
g;HS[wA81?
Hoc G:gk
/[~3u3`
1G2z(}
P^cp_C5'
? .hXn
Bc;/@oC%
KN?6pRZb!T
`&pj!GMa
l*&Zee
4F[\<5H
e\LFF =J:\
)/}%CG
Yi$SuR|{%V
U}~61I
5WjfV7EUl
~-lD(*
|Q`&&'
AQ|<6:*~
B8~H.]Yz
2_^m~<0!_0!!_I
neq{>v
Pv$|vRU<
IE0~kxpXM]qJ.hNp
?b7F*Xv_2<
J}^tq@A
Ulp95u
:I\&0e0S
D034pR
r8R"B!Ky
Sif'ou>"lu{*a`
X*)|)KSCS
<b\I|J4
Kg+*+^Z(|o(Q
r ujIcOI
$6glptYmP
}_*n'Dry+
44%h#6.
^lWB4i.xI`
nd*Vnz
h,q0R-
j7;6@v+0._>9
Lbh{0K}5p-=X
9(e3 d.
HP.7,&
H>>1Jh+AF
K<\0-bA
El)S-,WGQ?
?}`Pm4W-
cOC]"X
vD[KdB8LKQ
h-sMp+
)|Klj2((N^.F9g+b^
gk#E8_IM
QG#3<_i]2f\
CjK)RUl!
WHvb<Q(
U"p??w2kg
?g4I.nXWU
DRcR'D
)'bD%R qS
3Mx.-bKfJ|)!@
Q I4*+YWSc*OAz
roeE~4^'IS9
fC9&:qD
?I%%~}Z
hFn#U>'`T8
iI>O0Qo!fdq6<
/$&P+cD
iIiibemQ7NTCAv(*#
oC{)Z
;Kp*u8
L?MI$amvwW
M#'Wg+^`)@
sVrz^J
$~fAbb
KAer<u
=U6D,)kq[@
6XUyoY
uXFU9Z
!pr(p4m,qz
A%K:H5
eqeB7JkYFK
7>H_VdJ7
$`#NAX.
Fy1"vr
{qvO<>lfdd!
uPEg*jJ}c62
5#<4[!2 _D)E+-j&}e_-
_"caxH~
YkZN7{Fy
fREqpFHy/3
1[;Un&:%9w>2
14L/w4'EP^[l
SG33+/kt
~;` !-ZjVj
j!$xHUa$
4>kZ[c%lp"l
4(?J;)~
\[CcHo
HsDB\Xk?M\
=>7g!`:c
.O1+?kl
x 3q0M1o
F@"p)QJ~8
@-CDf"
@03pkmB14,=E'3u
-"JzA
/S]s2-`*e
7R:E%,Rd9]+`
n%dP7s
qk(h`o<1_
x,@$^FR
W^!l_+xz
Po(CD=X
E>Lm8jd<
!N "aa
H[pIi!t
mz}yX'
eJ`_|Dg"5|Q
{c*R*6,
t\56c%=O
1SmSpEU_xPW:2Io
D+/. E<
Kjm#^g
Z?!]]l
!|LZ`$
:Q)&;%BAt9
XQv2 b.
Krz.eh4M'
\CZ=-w90
spGF%x
`]L{#,
D;+>k|Ny.
;-@|(d2F|!
1 G7o{*
K|?EEb)o
4)u\5B^h
v0)IUck
Vwpv'*
\d*a"/DP%1JiG9@>FW(U
hOE)PWH
1mJ}2M
QTP&Ts
B|\36>Lg
oc4BT@j
,^grDrR%
D9\&d?
nd0Aw~
|<yW$?y3l2"
#6>st(
O}X;WjGDlOtRy*
y #Af0wZ'Y{[
%/:j}>5}/
N2Lgc*O|A-[qG
,W]?S
{G67R:&M
._>LP_
GOhP7xEj%
~QOx./2
qW&6V=KV
lp.M)=xaV5
5 ;\rD3
d&]#6,J
D#V$\?DG
PU@M`u
bo$_=jq
,$FL &J0JU8Hl^mpa0r
?;2WD
&$zXE>)O
G Oia^hT_ns
~SEL$;8nQ
t3Q%GRL'
]pP"b#&wd
PyIlRWa2i?9C((M
'o|-M/({
DO?7nX 2k
{n=uV
9x9nB+YN|3]y
Pk{!$U
AE1az3'c[NH96wKa
QO3+W nL|Y
vtla"V 5
%.WZ`]
qxUdOMlPhDOz
$]S!evzD
@~PKz)`
eCAo>;
bOOGLYin
Imv<;p[l-x6{^
r.'v`N78DAD
*_#]S T@4T&5UJ+
;+C[8wm
a1 pL|j"`RE
[N_FS7
7Gz:}/s"
$:/|Dt,ErS\nKOq
%J2kCq*dEfLx5
X7Z3qy2
>)U=l=
Z=[8F[
Uk vaF
9Tigs@gzUc
l/%~Dtr*
k<p ""FH5p
No)NA<
d]V|ng9wF{y
~y5-r_
6sYS6|
o`i#@{f
bIu8G0
m%8`U0fcY^
L_c{2P>
bGh+K)2<8
~Irq0U
qW0m}"!-
R8>2uq
h|AMW-v
k{PDl3QfY#DN
`4&Bi"o
1@:iBx
XQh6Ci
SrZc3!
A8T=)J9
&TAZVT>
6Y`TGfF,p
+"k\7!h`
-%v(O&*E
yG7utP3n~ Q
O?p"\&L 1XgO(
"nX^[\y
v+d`ku(qrC
9 Od/$
IAYa32?
\K-M*m,
P>L**t.
,yb2_mo;
u!tt"8
*={/?BmZA9
[22;(s:Wl
[f).@2
kRk|8G>19G3Z7
>K8|Md^o"
gz|,JeZ
- 4h65h
`bk*qO[
A*KZB{1 d[
4")@@oS$YX'
t:cP<~
b|;*$[Ot
YsJ,!X
x{kC7}
Bs<U+C=k
c,_a?K
ReqD7#3l~]+~|PZC
V6rSkOv.
q<cW/wT%
8yZQkHe
a4Z>E3
).ZqeY/i&
A{\Gt6
^e/"L1h
+fwdF1
*'N p`,],u-
$p5;:&s~
#Lx;H&M'EH
QqV/~B+4l=)I
s ERQ}"
PfSkT^
%Z}3)d
s#Ht}w
PUf.DlS
C@3D>r^F73
Lu"3m+arg6
K@i)J
p,vU}o
|hHGMr<
<XzHiSUN0mg8
s52)g~
!?dDh"
Hn#TVUn
-5 _%#i
P"q[,p
|^<X6Ra
_o@OK74.)
p8X-1J:a/ykX/^U
uy:{Xq
DB.g4u
`2*dXc`
^]qtEan2
JI>fMp
K&cpe-
gyy5AjoG]
E<qcxHwe*`
v+1ZsZ
*Bd`gmj
C! !D,h
RAjX8f
!OL #OXGx
$F;iyOB=
2#74>[
"r?-.Lkbh=K
#4*6P#sv_lV`&
3,fKOk)^J
?:d(-P
6yO'/~
a`^Him<2
n(t.,ZDWGz
V6z#CF
8S~]YgXX=
yKK8|>T}W)-&
JHs_Cziq*5oYU
E<x(L+Pg
OCt-q==L 3LiZWGcJ;~Q#
AocKNRRj
Y.3f3=A
I?f@t/
HH?^dN*W
C)b C#0$JH
Q"_0J&#V
1n1ir7
9E ph}
|Ulj#+
KJumCC/B
m3['Y;
B ]V ub_i-e
yflBa3
{"l4\`po%|m
<M`U`.
"1bU)p)w*4v
?]$,<,
*'jy,[zbN
;Fs#df
JhJacaO^N
#(mpZEr
yj~H_g
#%{OU2>hXJKT
-%bTn#\g
VZmk`6|O
]f^O#] VtX
A^TTz#
O~,'.LISoFD
y&!N_o17g
,-QQJxUnfqm^*6
zqErAi|kT
\o1iC2
0!]xJ[
KU!-0q
l7dMG!n/
Z\dM2<
a0l_%kQt
ss*}Ej
yw&9aZe\B$E[{Zo
uPv|"F4
!$GiTfXAw
;cBc!X
y_$ `J4\
8ma!!_
N'<_PvV6
GEo<mMr2)vA F'>aD*+f
V%j(00
!7gh]CjN+$
L6.=MHB
,St6A\<KR
EKEz r-vR
Q>i}Bebln
?$x[bS
\k"6a?Gb
%<vb`1
GcrbC$
HyY]kL
&3 pIfG
w|*8{+@I
GdyR!@
jb=#z_
8m\k?mq
#|4J;X
W"h<8<
0e$+2e
fy`yac93&s
@MFE/qQ
ZKVve9
AStQ<D}P
1&(^xF4vWCPq&
><KaGCe
QSQeY,/
mx@DxdN]I
iL::Kg)`
.da=XM{
pNS{w:u9,?=
7;rX_g&
:33f@IdeZBXS_Fu
:Y~#Yi/
Fgqov!Lf
7ZHmj\I
ZH `oO/k
Nfr2FWE
]W6 M
<hnQln
rY2T6dfq
v1| XYS
B| ZWY"f+H]
M�A�I�N�I�C�O�N�
Process Tree
- 0b3567de8767e530fef63473151887ed643581ab3a199a589157e08b4ba3ff0f.exe (1932) "C:\Users\Administrator\AppData\Local\Temp\0b3567de8767e530fef63473151887ed643581ab3a199a589157e08b4ba3ff0f.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.