1.9
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.77
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Delf-QD [Trj] | 20191218 | 18.4.3895.0 |
| Baidu | Win32.Trojan-PSW.OLGames.bm | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20191218 | 2013.8.14.323 |
| McAfee | GenericRXCM-HE!785F6A6C1D0B | 20191218 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0ea2e | 20191218 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(3 个事件)
| section | CODE |
| section | DATA |
| section | BSS |
一个或多个进程崩溃
(2 个事件)
动态指标
检查是否有任何人类活动正在进行,通过不断检查前景窗口是否发生变化
一个进程试图延迟分析任务。
(1 个事件)
| description | wininit.exe 试图睡眠 334.9 秒,实际延迟分析时间 334.9 秒 | |||
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Program Files\wininit.exe |
搜索运行中的进程,可能用于识别沙箱规避、代码注入或内存转储的进程
(2 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 52 个反病毒引擎识别为恶意
(50 out of 52 个事件)
| ALYac | Gen:Variant.Fugrafa.6734 |
| APEX | Malicious |
| AVG | Win32:Delf-QD [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Fugrafa.6734 |
| AhnLab-V3 | Trojan/Win32.Lmir.C3367933 |
| Antiy-AVL | Trojan[GameThief]/Win32.Lmir |
| Arcabit | Trojan.Fugrafa.D1A4E |
| Avast | Win32:Delf-QD [Trj] |
| Avira | HEUR/AGEN.1043216 |
| Baidu | Win32.Trojan-PSW.OLGames.bm |
| BitDefender | Gen:Variant.Fugrafa.6734 |
| BitDefenderTheta | AI:Packer.D8B7B55F1E |
| Bkav | W32.AIDetectVM.malware1 |
| CAT-QuickHeal | Trojan.GenericPMF.S7526925 |
| CMC | Trojan-GameThief.Win32.Lmir!O |
| Comodo | TrojWare.Win32.PSW.Lmir.~FT@19r1n |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.c1d0b6 |
| Cylance | Unsafe |
| Cyren | W32/Elzob.E.gen!Eldorado |
| DrWeb | Trojan.PWS.Legmir.1460 |
| ESET-NOD32 | a variant of Generik.GBWEOOP |
| Emsisoft | Gen:Variant.Fugrafa.6734 (B) |
| F-Prot | W32/Elzob.E.gen!Eldorado |
| F-Secure | Heuristic.HEUR/AGEN.1043216 |
| FireEye | Generic.mg.785f6a6c1d0b6dcd |
| Fortinet | W32/Delf.FT!tr |
| GData | Gen:Variant.Fugrafa.6734 |
| Ikarus | Trojan-GameThief.Win32.Lmir |
| Invincea | heuristic |
| Jiangmin | Trojan/PSW.LMir.aoo |
| K7AntiVirus | Trojan ( 00552c3b1 ) |
| K7GW | Trojan ( 00552c3b1 ) |
| Kaspersky | Trojan-GameThief.Win32.Lmir.alr |
| MAX | malware (ai score=89) |
| McAfee | GenericRXCM-HE!785F6A6C1D0B |
| McAfee-GW-Edition | BehavesLike.Win32.Android.cz |
| MicroWorld-eScan | Gen:Variant.Fugrafa.6734 |
| Microsoft | Worm:Win32/Fasong.G |
| NANO-Antivirus | Trojan.Win32.Lmir.fobvve |
| Panda | Generic Malware |
| Rising | Malware.Undefined!8.C (TFE:3:il0JVH7fDGO) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Symantec | ML.Attribute.HighConfidence |
| Tencent | Malware.Win32.Gencirc.10b0ea2e |
| VBA32 | suspected of Trojan-Dropper.Delf.17 |
| ViRobot | Trojan.Win32.A.PSW-Lmir.100693 |
| Yandex | Trojan.PWS.Lmir!hXZFnbuNloQ |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1992-06-20 06:22:17
PE Imphash
98467e3dc92e340ca5a33325ba5389f2
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| CODE | 0x00001000 | 0x00013930 | 0x00013a00 | 6.4436337146904465 |
| DATA | 0x00015000 | 0x0000055c | 0x00000600 | 3.717993789936028 |
| BSS | 0x00016000 | 0x00000785 | 0x00000000 | 0.0 |
| .idata | 0x00017000 | 0x00000f38 | 0x00001000 | 4.70234701155106 |
| .tls | 0x00018000 | 0x0000000c | 0x00000000 | 0.0 |
| .rdata | 0x00019000 | 0x00000018 | 0x00000200 | 0.2044881574398449 |
| .reloc | 0x0001a000 | 0x00001890 | 0x00001a00 | 6.504029043605319 |
| .rsrc | 0x0001c000 | 0x0000d800 | 0x0000d800 | 0.01504529004324584 |
Imports
Library KERNEL32.DLL:
• 0x4171f0 WriteFile
• 0x4171f4 WinExec
• 0x4171f8 WaitForSingleObject
• 0x4171fc VirtualQuery
• 0x417200 SuspendThread
• 0x417204 Sleep
• 0x417208 SizeofResource
• 0x41720c SetFilePointer
• 0x417210 SetFileAttributesA
• 0x417214 SetEndOfFile
• 0x417218 ResumeThread
• 0x41721c ReleaseMutex
• 0x417220 ReadFile
• 0x417224 OpenMutexA
• 0x417228 LockResource
• 0x41722c LoadResource
• 0x417230 LoadLibraryA
• 0x417234 LeaveCriticalSection
• 0x417238 InitializeCriticalSection
• 0x41723c GlobalUnlock
• 0x417240 GlobalReAlloc
• 0x417244 GlobalHandle
• 0x417248 GlobalLock
• 0x41724c GlobalFree
• 0x417250 GlobalAlloc
• 0x417254 GetVersionExA
• 0x417258 GetTickCount
• 0x41725c GetThreadLocale
• 0x417260 GetProcAddress
• 0x417264 GetModuleHandleA
• 0x417268 GetModuleFileNameA
• 0x41726c GetLocaleInfoA
• 0x417270 GetLocalTime
• 0x417274 GetLastError
• 0x417278 GetExitCodeThread
• 0x41727c GetDriveTypeA
• 0x417280 GetDiskFreeSpaceA
• 0x417284 GetDateFormatA
• 0x417288 GetCurrentThreadId
• 0x41728c GetCurrentProcessId
• 0x417290 GetComputerNameA
• 0x417294 GetCPInfo
• 0x417298 FreeResource
• 0x41729c FreeLibrary
• 0x4172a0 FormatMessageA
• 0x4172a4 FindResourceA
• 0x4172a8 FindNextFileA
• 0x4172ac FindFirstFileA
• 0x4172b0 FindClose
• 0x4172b4 FileTimeToLocalFileTime
• 0x4172b8 FileTimeToDosDateTime
• 0x4172bc EnumCalendarInfoA
• 0x4172c0 EnterCriticalSection
• 0x4172c4 DeviceIoControl
• 0x4172c8 DeleteFileA
• 0x4172cc DeleteCriticalSection
• 0x4172d0 CreateMutexA
• 0x4172d4 CreateFileA
• 0x4172d8 CreateEventA
• 0x4172dc CompareStringA
• 0x4172e0 CloseHandle
Library KERNEL32.DLL:
• 0x4170c8 GetCurrentThreadId
• 0x4170cc DeleteCriticalSection
• 0x4170d0 LeaveCriticalSection
• 0x4170d4 EnterCriticalSection
• 0x4170d8 InitializeCriticalSection
• 0x4170dc VirtualFree
• 0x4170e0 VirtualAlloc
• 0x4170e4 LocalFree
• 0x4170e8 LocalAlloc
• 0x4170ec VirtualQuery
• 0x4170f0 WideCharToMultiByte
• 0x4170f4 MultiByteToWideChar
• 0x4170f8 lstrlenA
• 0x4170fc lstrcpynA
• 0x417100 lstrcpyA
• 0x417104 LoadLibraryExA
• 0x417108 GetThreadLocale
• 0x41710c GetStartupInfoA
• 0x417110 GetProcAddress
• 0x417114 GetModuleHandleA
• 0x417118 GetModuleFileNameA
• 0x41711c GetLocaleInfoA
• 0x417120 GetLastError
• 0x417124 GetCommandLineA
• 0x417128 FreeLibrary
• 0x41712c FindFirstFileA
• 0x417130 FindClose
• 0x417134 ExitProcess
• 0x417138 ExitThread
• 0x41713c CreateThread
• 0x417140 WriteFile
• 0x417144 UnhandledExceptionFilter
• 0x417148 SetFilePointer
• 0x41714c SetEndOfFile
• 0x417150 RtlUnwind
• 0x417154 ReadFile
• 0x417158 RaiseException
• 0x41715c GetStdHandle
• 0x417160 GetFileSize
• 0x417164 GetSystemTime
• 0x417168 GetFileType
• 0x41716c CreateFileA
• 0x417170 CloseHandle
Library KERNEL32.DLL:
• 0x4171bc TlsSetValue
• 0x4171c0 TlsGetValue
• 0x4171c4 LocalAlloc
• 0x4171c8 GetModuleHandleA
• 0x4171cc GetModuleFileNameA
Library advapi32.dll:
• 0x4171d4 RegSetValueExA
• 0x4171d8 RegQueryValueExA
• 0x4171dc RegOpenKeyExA
• 0x4171e0 RegFlushKey
• 0x4171e4 RegCreateKeyExA
• 0x4171e8 RegCloseKey
Library oleaut32.dll:
• 0x41719c VariantChangeTypeEx
• 0x4171a0 VariantCopyInd
• 0x4171a4 VariantClear
• 0x4171a8 SysStringLen
• 0x4171ac SysFreeString
• 0x4171b0 SysReAllocStringLen
• 0x4171b4 SysAllocStringLen
Library user32.dll:
• 0x4172e8 UpdateWindow
• 0x4172ec UnregisterClassA
• 0x4172f0 TranslateMessage
• 0x4172f4 ShowWindow
• 0x4172f8 SetTimer
• 0x4172fc SetRect
• 0x417300 SendMessageA
• 0x417304 RegisterClassA
• 0x417308 PostQuitMessage
• 0x41730c PostMessageA
• 0x417310 PeekMessageA
• 0x417314 MsgWaitForMultipleObjects
• 0x417318 MessageBoxA
• 0x41731c LoadStringA
• 0x417320 LoadIconA
• 0x417324 LoadCursorA
• 0x417328 GetWindowTextA
• 0x41732c GetSystemMetrics
• 0x417330 GetWindow
• 0x417334 GetMessageA
• 0x417338 GetForegroundWindow
• 0x41733c GetDesktopWindow
• 0x417340 GetClassNameA
• 0x417344 GetClassInfoA
• 0x417348 FindWindowExA
• 0x41734c FindWindowA
• 0x417350 DispatchMessageA
• 0x417354 DestroyWindow
• 0x417358 DefWindowProcA
• 0x41735c CreateWindowExA
Library user32.dll:
• 0x417178 GetKeyboardType
• 0x41717c LoadStringA
• 0x417180 MessageBoxA
• 0x417184 CharNextA
Library wsock32.dll:
• 0x417364 WSACleanup
• 0x417368 WSAStartup
• 0x41736c WSAGetLastError
• 0x417370 gethostname
• 0x417374 gethostbyname
• 0x417378 socket
• 0x41737c send
• 0x417380 inet_ntoa
• 0x417384 inet_addr
• 0x417388 htons
• 0x41738c connect
• 0x417390 closesocket
L!This program must be run under Win32
.idata
.rdata
P.reloc
P.rsrc
StringX
TObjectd
TObjectX
System
IUnknown
System
;u3YZ]_^[
SVWUL$
]_^[SVWUL$
uZ]_^[
SVWU`dA
YZ]_^[
_^[U3Uh
d2d"h0dA
]US=(dA
d2d"=A`A
u3ZYYd
#_^[SVWU
YZ]_^[SVW
SVW<$L$
uSVWU|dA
]_^[USVW
3Uh\!@
d1d!=A`A
2E3ZYYd
E_^[YY]
UQSVW3,dA
d1d!=A`A
E3ZYYd
E_^[Y]
YZ]_^[
d2d"=A`A
}3ZYYd
E_^[Y]
< v;"u
SV3Uh'@
d0d Uf3UX
F3ZYYd
Ek<1fU
SVWPts11
-ti+tf$tfxtaXt\0u
FxtOXtJt
Y12_^[F
Fu%xqA
uM3Uh5*@
EP3ZYYd
f%fUf?f
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
Iu9u_^[
PRQQTj
YZXtoH
S1VWUd
SPRQT$(j
ZTUWVSPRTj
Zd$,1Yd
t=HtN`
r6t0R=
t/=t&,*&"
USVWdA
3Uhn1@
USVWdA
d2d";~
P n_^[]
Ku^[SV
SVWUdA
tG?=@`A
^Portions Copyright (c) 1983,99 Borland
Up1UhD0@
QRZX1Yd
PVS_^[]
PQZXSVW
@ISVRP1L
JZ^[X$
thtkFW)w
9uXJt
8uAJt
t,JIt&S
St-Xt&J|
t0JN|*9}&~")9~
t@t1SVW
1Z)_^[
Mu]_^[
r*PRf8
u'PX%cA
USVW}Q
3Uh|A@
_^[]UQS3EB
^[USEf
d0d UE3ZYYd
]3UhvC@
d0d UE3ZYYd
USVWME]
3mEE;Et
u5];}}
MO|"GE
SVWEEEh
E8\u8Ex
_PEPE_^[]kernel32.dll
GetLongPathNameA
Gur3UhH@
EP3ZYYd
EPEPPj
;u;tmC}
t@EPSj
P^[]Software\Borland\Locales
Software\Borland\Delphi\Locales
t93UhJ@
d0d ]ES
u_^[YY]
UQE3UhK@
d2d"E@
t3ZYYd
Ht Ht.I
+P6N@tg6<Hu]"F$PL@
H H$@Ht
QRPXZYx
@~!@PQ@
PRZX[B5PA
_^|HtE=
@aQYR@
b@"E@|oe@p+
BkU'9p|B0<RB~QC/j\
Cv)/&D
dEJzEb
9;5S]=];Z T7aZ%]g']
R`%uYnb
5{RPD$
USVW3\$
USVW\$
3USVW3\$
USVW\$
U3UhV@
P3ZYYd
U3UhxW@
d0d -$dA
U3UhX@
QRP@PPI<P&
S] S]$SQRPj
U3Uh\@
U3Uh\@
U3Uh_@
Exception|`@
EHeapException`@
EOutOfMemory@
EInOutErrora@
EExternala@
EExternalExceptionDb@
EIntErrorb@
EDivByZerob@
ERangeErrorLc@
EIntOverflow@
EMathError
EInvalidOpXd@
EZeroDivided@
EOverflow
EUnderflow`e@
EInvalidPointere@
EInvalidCast@
EConvertErrortf@
EAccessViolation@
EPrivilege,g@
EStackOverflowg@
EControlCg@
EVariantError<h@
EAssertionFailed@
EAbstractErrorh@
EIntfCastErrorTi@
EWin32Errori@
ESafecallException
TActiveThreadArray
$TMultiReadExclusiveWriteSynchronizerUS
SVW3Uhj@
d0d VWUM
E_^[Y]
BFKu_^[
9t*^ar
^[SVWU
| v;}
N|7 vU+A
\P[SVWQj
PWVS3u
$Z_^[SVWQj
PWVSgu
$Z_^[Qj
u%EPPtEPEPEP[u
[SVW3W_Pqu
3URURURURPr
EUE3RPEU
E3RPEUM
1t$Far
)t[^_
D$ D$$
3(_^[SV
9t%t^]E-u
*t"0r<9w7k
X_^[[]
+;}$EtPEPE
E)PEPE
sMf<sGf<sAf
LUSVW3
d0d fE
E3ZYYd
f;\Fwb
E_^[YY]
]3Uhy@
d0d EP
E3ZYYd
USVMUE]
}EPEff}
fMfEfkEdf
fLJfMfMf;Mr
fMf)M@
EZY^[]
d0d 5E
f@fEE~@
URYUwYE
U%YUJYE
t%HtFHtgyUYE
UYUIYE
UYUMY}
UYYUY}
7u/UqYE
u/U-YE
Z_^[UQSVWM]
U3QQQQQQSVW3Uh@
JCDHyYU
JC8HVYUC
JE*YUxC
u3ZYYd
t C<eA
SV3UhI@
t,C<eA
ELZ^[Y]
d0d EP
U3QQQQSVW3Uh
UNC>;~
L$DdTA
PD$HPj
d0d EPU
03ZYYd
d0d EPU(EU
g3ZYYd
_^[YY]
TErrorRec
TExceptRec
]]3UhP@
D3ZYYd
EMEES_^[]
t<HtHU
r3t7G=
SV3E3Uh
UE3Uh@
d0d E{%
C++ Exception
d0d USA
SV3=eA
@@F;}_^[
;U|;Uu
JRK;\$
$YZ^[SV
$~F ;~
$YZ^[SVWU3
+G]_^[
YZ]_^[
u^[SVW
_^[SVWU
IuS3Uh
d0d %L=eA
SE3YdA
/E35dA
E3u?EP@
m/d/yy
mmmm d, yyyy
:mm:ss
US3E3Uh
kernel32.dll
GetDiskFreeSpaceExA
tN(;F,t;
u25C,u
P<C C$3C 3C,C4
INFNANU
+E[^_]
33+%dA
N[YCV5dA
N^$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)U@WVSE
<'t$<"t
33EUU<#t&<0t%<.t,<,t3<'t5<"t1<Et:<et6<;tF
-<#t'<0t#<.t<,t<'t
<Et$<et <;tS
-u2AF>0t
KE;E~10}
00fJu2}
3m[^_]
< tN33
EEBN33
U3Uh,@
d0d -eA
C23ZYYd
U3Uhi@
U3Uh)@
X3ZYYd
EStreamError@
EFCreateError
EFOpenError
EFilerErrort@
EReadError
EWriteError$@
EResNotFound@
EListError
EStringListError@
TList@
TThreadList@
TPersistent @
TPersistent@
Classes
IStringsAdapter
Classes
TStringsT@
TStrings
Classes
TStringItem
TStringListx@
TStringList@
Classes
TStreamL@
THandleStream@
TFileStream @
TCustomMemoryStream@
TMemoryStream
TResourceStreaml@
TThreadUSVW
QDKu3ZYYd
os_^[]
grYZ^[
SV3Uh`@
d0d UUU
E5xCr^[Y]SV
UnUEEc
d0d E@
m3ZYYd
E1nYY]
M3Uh^@
o3ZYYd
E7uEo^[]
lt3fkUfk}
w3ZYYd
E|tn_^[]
MUE3UhW@
EZ8W8CNu3ZYYd
im3ZYYd
E>sLm_^[]
Q<3ZYYd
USUEEPh@
Strings
MMUE3Uh=@
;u;N|0F3
|qfkE_^[]
ZkYZ^[
SVW3Uh@
Epj_^[Y]
d0d E3Uh@
S$3ZYYd
j3ZYYd
oi_^[]
EsS3ZYYd
Exoi[Y]
MMUE3Uh
uN|)FE
uN|@FE
CENu3ZYYd
nh_^[]
]MU3Uh@
n3ZYYd
h^[]USVW3
MUE3Uh
K|#C3M
FKu3ZYYd
Emg_^[]
MMUE3Uh@
EhqEU!t
ENuE3ZYYd
lfE^[]
UQSVWMM
S$_^[Y]
E3Uh\@
Q\3ZYYd
EbGf^Y]
d0d EH3Uh@
Q,3ZYYd
Ee3ZYYd
Eke^[YY]
d0d ;tdE3Uh@
Eb3ZYYd
e3ZYYd
Ejd_^[YY]
MUE3Uh@
E3Uhw@
t3ZYYd
Qh3ZYYd
E2`c^Y]
SV3UhM@
EHiVc^[Y]
SV3Uh@
d0d EjU
Q,3ZYYd
Ehb^[Y]
d0d E3Uh{@
u3ZYYd
(b3ZYYd
MUE3Uh
d0d Ez
K| C3M
Ewga_^[]SVQ_
3F F$3F(F,
SVWUL$
$Z^[SVW
USVMUE]uE
]CN;};u~
UE|];]|^[]
rY[_^[
d0d U3ZYYd
EU$Y[Y]
E3UhP@
d0d U3ZYYd
ETSX[Y]
3]_^[USVWt
U3E3Uh?@
PV3ZYYd
EV\dV]
UQSVWM
PEPV<{
UUSVWUE=$fA
QKu3ZYYd
U_^[YY]
UQSVWE=$fA
w3Uh+@
QKu3ZYYd
2xT_^[Y]S
)3!SVQ
$0Z^[SVQ3
S3Uh(@
d0d U0}
u3ZYYd
EmX{R[Y]
[]UQUE
UE3Uh@
d0d E|
QYqUE#dUY[EQU|YHUY?U
Y3ZYYd
PYY]Uj
d0d U|q3ZYYd
EUO[Y]VWS
PD{3@fA
UQSVWE
3E3Uh3@
C$S 3ZYYd
Ngh(fA
@3ZYYd
PXzEE_^[Y]
TThreadWindow
d0d =DfA
d0d =DfA
Py3ZYYd
UQSVE3Uhz@
^[Y]UQSVWt
_^[Y]SVI
US3C(E
P2xC(t
Pwj@jj
$$USVW fA
FFKu3ZYYd
~F_^[]
U3Uh`@
t3ZYYd
sih(fA
U3Uh4@
U3ZYYd
ERegistryException@
TRegistryS
d0d ETLE\
E2EPEPj
"NMU3ZYYd
EJDE^[]
SVWUQ3
IZ]_^[
USVW3EE
Pmt$uE
O3ZYYd
U3UhU@
MaiStrUSVW3
EK3Uhg@
GLEU\NEdN;}
EJNEP+B
UI3ZYYd
ELE.G<A_^[YY]
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
MMMMUEEJ3Uhe@
d0d E^FEHEE
EE=ABE
EE=E=E0EU<FuEU.FuEU FuEU
53ZYYd
\DE0D>>^[]
C3ZYYd
d0d CE
2+EUE3
CMu3ZYYd
EJCX=_^[]
d0d TEvBE
CMu3ZYYd
;Z=3ZYYd
EB<_^[]
d0d 3Uh@
d2d"U$zED;
zO"BUyElDPZ+q
UDNuUyU>D3ZYYd
:<3ZYYd
A;_^[]
MEEE3Uh@
d0d 3Uh@
d0d RAEC
3EUH;Br
UgCEu3ZYYd
9;3ZYYd
E@E@:_^[]Uj
SVWEED3Uh@
@3Uh~@
d0d EB
46EB;|3ZYYd
8:3ZYYd
IuQSVWUEEC3Uh@
$MUE&i
$EPMUE
4j7EPM
EUuj7EPM
Uuj7EPM
UkuWEP
@3ZYYd
6t83ZYYd
=E=7_^[]
IuQSVWUEEsA3Uh@
d0d j7EPEP
E|AEUQE5
uj7EPEP
Etj7EPEP
=EtWEPEPE>
563ZYYd
kernel32.dll
CreateToolhelp32Snapshot
Heap32ListFirst
Heap32ListNext
Heap32First
Heap32Next
Toolhelp32ReadProcessMemory
Process32First
Process32Next
Process32FirstW
Process32NextW
Thread32First
Thread32Next
Module32First
Module32Next
Module32FirstW
Module32NextW
wrWlrL
UQSVWE
p'=<SA
TCryptLibS
0123456789
E83Uhd
d0d E6
U43ZYYd
E14?.[Y]
j'EU'oV
,^[]SVWUQ
fDrFOu
FOuZ]_^[
4&]_^[
y/3ZYYd
MaiClientSocketUlSV3
Fu.8laflC(h
lC.Q(^[]
Socket
UQSVWU
d0d -{
d2d"E1Pk@
l/3ZYYd
&\(3ZYYd
E-'_^[Y]
C Z1PC
u3ZYYd
E,&[Y]
Client
MUE03Uh
;v@E(,EP
Eg.PE.0PG
P[3ZYYd
+%_^[YY]
USVW3Uh
P3ZYYd
\$+&_^[]
Th_CLPFW@
d0d ~Q2
j2SVWQEM,E
Q3ZYYd
E)#^[Y]
#32770
Static
Button
d2d"C
"J3ZYYd
\\.\Scsi0:
SCSIDISK
\\.\SMARTVSD
BFWorkFile1007PV
c:\bbcct.exe
bbcct.exe
d0d EPEP~J
U&3ZYYd
_^[YY]
o(uc3Uh
IP3ZYYd
Z _^[]
Kernel32.dll
RegisterServiceProcess
USVW3Uh
d0d Ij
EPRKEPJj
:JI3RP
ZX}3ZYYd
USVW3Uh
_^[]USVWMU
Ek'Ec'E
UEEw3ZYYd
USVWMU
E&E&3Uh
E3ZYYd
errorbf007
SVWE3Uh
d0d 3UhO
o$FKu3ZYYd
UEX3ZYYd
d0d 3UhM
iE jeEPFEP5u
]E"C<u
EU 3ZYYd
SVW3Uh
AE]!UE
U 3ZYYd
_^[YY]Uj
SVW3Uh
AE UE!Ku
Ue 3ZYYd
_^[YY]USVW3
UUE3Uhz
UUE3Uh
u>ES\SA
IuMSVWMUEEQ EI EA E
d0d 3Uh5
UE2uhx
Q4EME A
Q4EME A
Q,3ZYYd
AUTH LOGIN
Mail From:<
RCPT TO:<
From:
X-Mailer: Foxmail 4.2 [cn]
Subject: =?gb2312?B?
MIME-Version: 1.0
Content-Type: Multipart/Alternative;
boundary="----=_NextPart_000_000A_01BF9F1A"
------=_NextPart_000_000A_01BF9F1A
Content-Type: text/plain;
Content-Transfer-Encoding: 8bit
------=_NextPart_000_000A_01BF9F1A--
Iu3Uh!A
t+EPEPEPU
EPMUES3ZYYd
mima_wenjian
fasong_youxiang
jieshou_youxiang
yonghu_ming
youxiang_mima
fasong_zhuti
fanggai_mima
smtp_fuwuqi
U3QQQQQQQSVW3Uh%A
VS]8E#
EUhGU%A
kingsoft
kingsoft antivirus mail monitor proxy
v_3Uhi'A
E3ZYYd
DllRegisterServer
DllUnregisterServer
U3QQQQSVW3Uh+)A
EuE*uhD)A
u<3UhD(A
E3ZYYd
d0d hT)A
d0d E0
largeicon
S3Uh)A
IuSVW3Uh6,A
d0d EP
^UEsUE
E~Cu:EUEUET
UECEU?EPEE
D3Uh+A
U!?EPEEUBE
_^[]Uj
U|SVW3
E3UhN/A
d0d EY
EY|?UE
3UhL.A
d0d EE3ZYYd
d0d UE
ESUE,3
E>EE3ZYYd
errors
d0d EUE
EY"=Er
=3ZYYd
E&=E~3ZYYd
U3QQQQQSVW3Uh2A
Q,3Uh2A
)3ZYYd
_^[]errorbf007
send_time
U3Uh3A
StopFireWall_ThreadSV
t^[U3Uhm4A
BianFeng_ThreadUQSVWE3UhN5A
d0d EPD UA
Q4EPH UA
Q43ZYYd
)ED1EH&_^[Y]U3QQQQQQQQSVW3Uhr7A
EPV%EUz
V$t3Sh
Py%EME7A
%EME7A
t&G0UEM7A
GHUE}v3ZYYd
G1_^[]
#32770
ComboBox
U3UhM8A
CloseWindow_ThreadSVW
["hP9A
V}"jd!
U3Uh9A
PassWord_ThreadUQSVWE3Uht:A
d0d EP0 UA
Q4EP4 UA
Q4EP8 UA
Q43ZYYd
E8_^[Y]
UUU3Uh<A
EPSL EUAE
EPSO EU
^<3Uhg<A
W% EUF0M<A
W EUVF8M<A
WS( tEURh
F4U3ZYYd
EGE?3ZYYd
#32770
t^[U3Uhy=A
MaiFileSystemUSVWMUEE3Uh>A
3z3Uh>A
_^[YY]
UEE3Uh'?A
d0d UE
c:\filedebug
UQEEI3Uh?A
d0d E.t
E.E.3ZYYd
MEE3Uh"AA
t,uh8AA
sO.tD=HAA
u3ZYYd
U3QQQQQSV3UhAA
u6U*uh
ECWu3ZYYd
heihei
U,SVWUEEnEf3Uh?CA
d0d U,
E+ud3UhBA
n3ZYYd
d0d ,j
h3ZYYd
],3ZYYd
zd_^[]
U3UhuCA
$ZXu?E
$ZXu?E
Q4VWSE
_^[YY]
U3UhEA
d0d gA
USVWEA
MaiWindows
LISTBOX
Button
Runtime error at 00000000
0123456789ABCDEF
%.*d`^@
KERNEL32.DLL
KERNEL32.DLL
KERNEL32.DLL
advapi32.dll
advapi32.dll
oleaut32.dll
user32.dll
user32.dll
wsock32.dll
WriteFile
WinExec
WaitForSingleObject
VirtualQuery
SuspendThread
SizeofResource
SetFilePointer
SetFileAttributesA
SetEndOfFile
ResumeThread
ReleaseMutex
ReadFile
OpenMutexA
LockResource
LoadResource
LoadLibraryA
LeaveCriticalSection
InitializeCriticalSection
GlobalUnlock
GlobalReAlloc
GlobalHandle
GlobalLock
GlobalFree
GlobalAlloc
GetVersionExA
GetTickCount
GetThreadLocale
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetExitCodeThread
GetDriveTypeA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentProcessId
GetComputerNameA
GetCPInfo
FreeResource
FreeLibrary
FormatMessageA
FindResourceA
FindNextFileA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
EnumCalendarInfoA
EnterCriticalSection
DeviceIoControl
DeleteFileA
DeleteCriticalSection
CreateMutexA
CreateFileA
CreateEventA
CompareStringA
CloseHandle
GetCurrentThreadId
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
lstrcpyA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLastError
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
ExitThread
CreateThread
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetSystemTime
GetFileType
CreateFileA
CloseHandle
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
GetModuleFileNameA
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegFlushKey
RegCreateKeyExA
RegCloseKey
VariantChangeTypeEx
VariantCopyInd
VariantClear
SysStringLen
SysFreeString
SysReAllocStringLen
SysAllocStringLen
UpdateWindow
UnregisterClassA
TranslateMessage
ShowWindow
SetTimer
SetRect
SendMessageA
RegisterClassA
PostQuitMessage
PostMessageA
PeekMessageA
MsgWaitForMultipleObjects
MessageBoxA
LoadStringA
LoadIconA
LoadCursorA
GetWindowTextA
GetSystemMetrics
GetWindow
GetMessageA
GetForegroundWindow
GetDesktopWindow
GetClassNameA
GetClassInfoA
FindWindowExA
FindWindowA
DispatchMessageA
DestroyWindow
DefWindowProcA
CreateWindowExA
GetKeyboardType
LoadStringA
MessageBoxA
CharNextA
WSACleanup
WSAStartup
WSAGetLastError
gethostname
gethostbyname
socket
inet_ntoa
inet_addr
connect
closesocket
0,080<0@0D0H0L0P0T0`0m0000000000000
1&1.161>1F1N1V1^1f1n1v1~11111111111111111
2J2R2Z2b2j2r2z22222
3#3k4415w55
6D66666s788
9&91999C9M9W9m9s999999999999
: :%:?:F:P:Z:d:p:{:::::::::
;6;>;~;;;
<!<3=@=s=y==========P>X>>>
?r?x??????
0 0'0Z0000000000
1&1D1J1R1|111111111
2.2R2Z2`2f2222222R3]3f3l3|3333333
5#5}555555
696G677c8n8w8889999
:':>:S::?<<<<
=B=`====
>I>q>>
1/1D1111111
2W2\2u22222222222
3 3$363@3E3S33
4h4w48
d000G1V1o12
3K3i3J666Y8w8888C:M:X:h:o:::
;+;I;R;^;e;
===J>>??
1,1D1U1^1/6;6B6L6[6e6o666666666666666
7/747>7C7R7\7f7s777777777
8"838V8k8t8y8~88888888
9&9.969>9F9N9V9^9f9n9v9~99999999999999999
:&:.:6:>:F:N:V:^:f:n:v:~:::::::::::::::::
;&;.;6;>;F;N;V;^;f;n;v;~;;;;;;;;;;;;;;;;;<<<<<<<<<<
= =(=0=8=@=H=P=X=`=h=p=x=================
> >(>0>8>@>H>P>X>`>h>p>x>>>>>>>>>>>>>>>>>
? ?(?0?8?@?H?P?X?`?h?p?x??????????????
000P0X0\0`0d0h0l0p0t0x0000000000000
1 1$1(1,101@1`1h1l1p1t1x1|1111111111111111
2 2$2(2,2024282<2@2P2p2x2|2222222222222222222
3 3(3,3034383<3@3D3H3\3|333333333333333333333
4,44484<4@4D4H4L4P4T4d44444444444444444444
545<5@5D5H5L5P5T5X5\5p5555555555555555
6(6H6P6T6X6\6`6d6h6l6p6666666666666
7 7$7(7<7\7d7h7l7p7t7x7|777777777777777
8 8$8(8,8084888P8p8x8|8888888888888888888
9(9094989<9@9D9H9L9P9`99999999999999
: :$:(:,:0:4:8:F:::::<<
1J3N3R3V3Z3^3b3f3j3n3r3v3z3~33333445
7(727777
88999:g<N===
>j>>>>m??
0a0h0000000000000000011?2c2w2222
5-5]5q555
6.6D6b66H788888
9.9S99999
:*:<:f:z::::: ;@;i;;
<&<?<N<g<<<====
161=1P1h111111
2'2;222E3x333]4o4444+5W555555/6=6L6V6^6m6w6|66666666666666666
7 7%7.777@7I7R7x7777777
868T888
9:9x99`;i;$<:<c<q<<<<<<<<
=5=C=b=z=======
>9>[>j>z>>>>>>?????
020R0b0m0s0{0001111
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|22222222222222222222222222222
3$3(30343<3@3H3L3T3X3`3d3l3p3x3|3333333333333333333333
4 4$4,40484<4D4H4P4T4\4`4h4l4t4x44444444444A5m5
5555555
6^66666
7;7W:x:
<<<C============
> >)>4>>>I>S>]>g>q>{>>>>>>>>>>>>
?'?K?W?d?v?|?????????????????
0$060o0{00000000000000
1<1D1H1L1P1T1X1\1`1d1x111111111111111
2(2H2P2T2X2\2`2d2h2l2p22222222222222
3 343T3\3`3d3h3l3p3t3x3|3333333333333
4 4$4(4,4044484<4@4D4P4p4x4|444444444444444444444444
5-515D5Y5x5555555555555555555555555555
6 6$6(6,606>6P6^6b6t666666666666666666666
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7t777777777777777777
8 8(8,8084888<8@8D8H8L8P8T8X8l888888888888888888
9 9$9(9,9D9d9l9p9t9x9|999999999999999999999
: :@:H:L:P:T:X:\:`:d:h:l:p:::::
;%;*;;
<'<A<S<}<<
>>>3?:?Q???
000-1J1v111
2Z2c2q22+3x333
5G55-666
7:7m77 828O8~8888-9G999
:+:j:::::
;@;;;;
=`==0>a>}>>>??
y00)1A112:3A3r3y3
4$4V4]4C5U5r5
6&6C666
9%94999999
:!:@:Q:
<J=k=o=s=w={=
================>>>???
0a0n0z00000000
1"1(131I1Q1X1p1}1111111111
2-2H22e333G4V4444444444
5.5:5?5I5[5n5v5555555555555
6/6B6H6h6p6t6x6|6666666666666666666#7*78z995;<;;;;;;
<*<7<C<P<b<h<<<<<<<<<<<<R=
====$>>>
? ?G?~????
K0{000000>1u11122@222#31333
4444657V78888888
9 9,919>9C9P9U9b9g9t9y999999999999999
:(:3:w;;;;;;;;
<&<.<6<><F<N<V<c<o<|<<<<<<<<<<<<<<
=.======
>">/>:>G>R>_>j>x>>>>>>>>>>>>
? ?$?(?,?0?4?8?<?@?N?V?^?y???
202Z22244444444
5$565<5H5\5d5h5l5p5t5x5|5555555!6B6666$777'88839?9L9^9d99999999999999
:":':::?:p:u::;;G;T;f;;;;
>.>>>7??????
k00M1Z1t11
2"2<2222
303m333k44
5055555.6=6h666h7777
8"8w88899999
:*:Z::::
;/;g;;;;;;;;
<#</<Z<_<<<<<<"=;=S=e=
080[0~0000
131B1g1z11112233
4@4t444
5!535d5x5556
7%777[7y777
8W8b8g8m8t88
9v99999":2:8:~::::
;r;;;$<a<v<<<<<)=>=M=2>l>><???
1&1+181B1G1Q1^1h1m1w11111111
2 2)292K2Y2
2222 3+323<3F3P3Z3d3n3x3333333333333333344O4[4h4z444444444444444444
5'59555556d6{6666'7S7/8;8H8Z8`888888888888888c9o9|999999999999999999
:*:;:M:_::
;<;s;;;;;
<8<E<<[=g=t=============
>+>8>>>
?_????
0*0/0D0V00
1^1~111B2j22-3W3c3p333333
4?4g444444
5'5A5N5Z5`5j5r55555555
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6666666666666666666666666666
7/7<7K7}77777777
8-8?8Q8f8x8888888
0 0$0$1L1P1`1d1h1l1p1t1x1|11111111111111111111111111111110282@2H2P2X2`2h2p2x22222222222222222
3 3$3(3H3L3P3T3X3\3`3d3h3l3p3t3x3|333333333333333333333333333333333
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|444444444444444444444444444444444
5 5$5(5,5054585<5@5D5H5L5P5T5X5
_d9fb7NH%n'fwa3R9*gb
]#+iQA
1Z7Si|*
}?:$`I
"zpm`f$
=f\SeG
&+A@?4
tC=`LbGen
=G^Ob_f:
5MRm%M
mwp@et2)X
@�@�@�@�@�@�
j�j�j�j�j�j�
@�@�@�@�@�@�
L�A�R�G�E�I�C�O�N�
D�V�C�L�A�L�
P�A�C�K�A�G�E�I�N�F�O�
M�A�I�N�I�C�O�N�
M�A�I�N�I�C�O�N�1�
Process Tree
-
08a682efcca6764f03c017dd81c50ba65cd7cbf0c119540170c22d3cd4af8144.exe (1856)
"C:\Users\Administrator\AppData\Local\Temp\08a682efcca6764f03c017dd81c50ba65cd7cbf0c119540170c22d3cd4af8144.exe"
- wininit.exe (2064) "C:\Program Files\wininit.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 331647b2570fa03e_filedebug |
|---|---|
| Filepath | C:\filedebug |
| Size | 125.0B |
| Processes | 1856 (08a682efcca6764f03c017dd81c50ba65cd7cbf0c119540170c22d3cd4af8144.exe) |
| Type | ASCII text, with CRLF line terminators |
| MD5 | 0a44f6c6c855cacd363a94b93970d796 |
| SHA1 | 685025636ac1c86533e26177cbd08e51312d430f |
| SHA256 | 331647b2570fa03ec39f5ae9f447bc0be24ba61c0363a462fa6ac35ccbb2a3d3 |
| CRC32 | A423A3E5 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | dd008a28430b22d1_wininit.exe |
|---|---|
| Filepath | C:\Program Files\wininit.exe |
| Size | 191.0KB |
| Processes | 1856 (08a682efcca6764f03c017dd81c50ba65cd7cbf0c119540170c22d3cd4af8144.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | b7d6477596280419dc3987270329b56d |
| SHA1 | 177c8679737670041021a7f0ac2dc3409d985c0f |
| SHA256 | dd008a28430b22d1e26540f94f5c24f6994ceaf9fb02664d45c2c64d5a96405b |
| CRC32 | 38A15745 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.