1.0
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.55
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_80% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20190909 | 2013.8.14.323 |
| McAfee | Dropper-FGJ!8032CE568F7E | 20190909 | 6.0.6.653 |
| Tencent | None | 20190909 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | AUTO |
| section | DGROUP |
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 44 个反病毒引擎识别为恶意
(44 个事件)
| ALYac | Gen:Variant.Razy.447844 |
| APEX | Malicious |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Razy.447844 |
| AhnLab-V3 | Trojan/Win32.Dofoil.R71136 |
| Antiy-AVL | Trojan/Win32.ShipUp |
| Avira | TR/Crypt.ZPACK.Gen7 |
| BitDefender | Gen:Variant.Razy.447844 |
| CAT-QuickHeal | Trojan.Gepys.6280 |
| ClamAV | Win.Packed.Razy-6840445-0 |
| Comodo | TrojWare.Win32.Kryptik.BEDR@507qmy |
| CrowdStrike | win/malicious_confidence_80% (D) |
| Cybereason | malicious.68f7e7 |
| Cylance | Unsafe |
| Cyren | W32/S-3247043e!Eldorado |
| DrWeb | Trojan.Mods.1 |
| ESET-NOD32 | a variant of Win32/Kryptik.BEDR |
| Emsisoft | Gen:Variant.Razy.447844 (B) |
| Endgame | malicious (high confidence) |
| FireEye | Generic.mg.8032ce568f7e78a5 |
| GData | Gen:Variant.Razy.447844 |
| Ikarus | Trojan.Crypt2 |
| Invincea | heuristic |
| Jiangmin | Trojan/Generic.axucz |
| K7AntiVirus | Trojan ( 0040f4c81 ) |
| K7GW | Trojan ( 0040f4c81 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| Lionic | Trojan.Win32.Generic.lUUy |
| MAX | malware (ai score=83) |
| McAfee | Dropper-FGJ!8032CE568F7E |
| McAfee-GW-Edition | BehavesLike.Win32.Dropper.ch |
| MicroWorld-eScan | Gen:Variant.Razy.447844 |
| Microsoft | TrojanDropper:Win32/Gepys!rfn |
| NANO-Antivirus | Trojan.Win32.ShipUp.cqjfru |
| Panda | Generic Malware |
| Qihoo-360 | HEUR/QVM20.1.C399.Malware.Gen |
| Rising | Trojan.Crypto!8.364 (TFE:2:iCKsPqSMJEL) |
| SentinelOne | DFI - Malicious PE |
| Symantec | ML.Attribute.HighConfidence |
| Trapmine | malicious.high.ml.score |
| TrendMicro-HouseCall | TROJ_GEPYS.SMAR |
| VBA32 | TScope.Malware-Cryptor.SB |
| Yandex | Trojan.Kryptik!y4g8WKh0fMk |
| ZoneAlarm | HEUR:Trojan.Win32.Generic |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2011-12-17 04:08:32
PE Imphash
b9cb2876510d3ce5b67942eb863c64f7
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| AUTO | 0x00001000 | 0x000046e9 | 0x00004800 | 6.483989918229621 |
| DGROUP | 0x00006000 | 0x0005b1d0 | 0x0001dc00 | 6.549822368734768 |
| .idata | 0x00062000 | 0x000003a0 | 0x00000400 | 4.749498362385369 |
| .reloc | 0x00063000 | 0x00000000 | 0x00000800 | 6.34756614974786 |
| .rsrc | 0x00064000 | 0x00000000 | 0x00000e00 | 4.000661977563714 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_DIALOG | 0x0005fb3c | 0x000002ac | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_DIALOG | 0x0005fb3c | 0x000002ac | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_DIALOG | 0x0005fb3c | 0x000002ac | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_DIALOG | 0x0005fb3c | 0x000002ac | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_DIALOG | 0x0005fb3c | 0x000002ac | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library CRYPT32.DLL:
• 0x4620bc CryptBinaryToStringA
Library KERNEL32.DLL:
• 0x4620c4 CloseHandle
• 0x4620c8 ConnectNamedPipe
• 0x4620cc CreateEventW
• 0x4620d0 CreateThread
• 0x4620d4 GetCurrentProcess
• 0x4620d8 GetCurrentProcessId
• 0x4620dc GetCurrentThreadId
• 0x4620e0 GetLastError
• 0x4620e4 GetModuleHandleA
• 0x4620e8 GetModuleHandleW
• 0x4620ec GetProcAddress
• 0x4620f0 GetSystemTimeAsFileTime
• 0x4620f4 GetTickCount
• 0x4620f8 LoadLibraryA
• 0x4620fc LoadLibraryW
• 0x462100 MultiByteToWideChar
• 0x462104 QueryPerformanceCounter
• 0x462108 ReadFile
• 0x46210c SetUnhandledExceptionFilter
• 0x462110 TerminateProcess
• 0x462114 UnhandledExceptionFilter
• 0x462118 VirtualProtect
• 0x46211c WaitForSingleObject
• 0x462120 WideCharToMultiByte
• 0x462124 WriteFile
• 0x462128 lstrcmpiW
• 0x46212c lstrcpyW
• 0x462130 lstrlenW
• 0x462134 SetEvent
L!This is a Windows 95 executable
`DGROUP
.idata
.reloc
B.rsrc
AZYSQRVWL
_^ZY[W
]YSQRV
^ZY[SQRVW\
v_^ZY[VP
}9_^VW0
8U]VY[W
EZY[RVW
_^ZQRVW
u_^ZYSQl
_^ZY[V
FF_^SQRVW
_^ZY[SQ`
3{-]Ej
EY[SQ4
HSuV}6
W_QRVW
Pd]u[_
!_^ZYSQRVl
^ZY[QRVl
9;VUQA
d$^ZYSQRVW
;_^ZY[Q
j$P0R#
^spG[u
3|vYSQ
9]_^RV
U^ZSQVW
)JT5sX@
_^Y[QRV
B^ZYQRV
9}u^ZYQRV<
jZQRVW
_^ZYW
PZY[QRVW
F f]3 {u
_^ZYVW
@U_SQRVW
_^ZY[VWt
q_^SQt
~PMh]u
U(UFSp
H_^QRV
_^QRVW
FfvT}_
_^ZYSQRVW
_^ZY[SQRVW@
_^ZY[RVW
_^ZQRV
}^ZYQRL
]^ZYSQRVW<
_^ZY[QRVW
_^ZYRV
E^u9;u
ZYSQRV
IEH^~u
^ZY[RVW
e_^ZRVWP
[SQRVW
]ve3~UW
V^_^ZY[RVW
t_^ZSQ
9QY[QRVW
_^ZYQR4
YyZYSQRV
MvFV_v
S^ZY[SQRV
R^ZY[VWT
7GY[RVW0
H[QRVW
_^ZYRVW
_^ZSQRVW
[u9"FVM
3_^ZY[RV,
^ZSQRV
^ZY[RV
EHezfuE
^ZQRVW
_^ZYQR
:^YQRV
SVD^ZYSQ
}^FZY[RVW
_^ZRVW,
hZYSQR$
ZY[RVWt
_^ZSQR
HU^ZQp
j^ZYQR,
uSYQRVWd
UW_^ZYS
VvF}%U
_^SQRVWT
AV_^ZY[RVW
_^ZQRV
@^ZYQRVW(
u_^ZYSQ
Av^]RQ
ZYSQRVW
_^ZY[W
Y[SQRVW
^_^ZY[SQRVW
u}_^ZY[RV
^ZSQRVW
_^ZY[QRVW
0:$_^ZYQR8
EHfCE/
ZYSQRVW
V^vVHG
_^ZY[SQR
Pk ZY[SQ
_^SQRV
^ZY[SQRVW(
EuM_^ZY[RV
\x^;^6
_^SQRV0
^ZY[VW
uUE9fu
ZY[QRVW0
_^ZYSQP
A4^G u
@3UpEj
^ZSQRV
F^ZY[RV
^ZSQRV
_^ZY[SQR
ZY[SQRVWd
_^ZY[Q
!1;a9 S
E;@8ZYSQRVW
^L_^ZY[WD
lX;]{3E
ZYQRVW
jF^RUv
h[;VEEW
_^ZYQRVW
j,_^ZYSQRV
^ZY[QRh
VZYSQRVWX
C_^ZY[QRV
_^ZSQRVW
RE^ZSQ
^rMP EX
=}<fa0uBP
QR ZY[VW
=_^SQRV
^ZY[QVW
;E|E;Eu
{SQRVW
1E~E~P
]_^ZY[Q
^ZQVW0
EA;u~E
E_^YVW
uvY[RV@
N^ZRVWX
_^ZSQR
YuCZY[QRVWH
_^ZYVp
`!2vDv
E;3YSQRVW
_^ZY[RVW
_^ZSQRVWD
_^ZY[QRVW
;_^ZYQRV0
^ZYSQR
9^ZYRVW
V9^ZY[
dEGnldEr
WQSEEaWrVrk
CncL1sEPE
iEnFeE2P
ldoenPdonVlEvzEPeeVlr`ral
sESEAEr
rSnnE1FryzlotLd
cVEluEEEearPEiPFBu
SntGSSeeOeMwtdrE
hStSno\FeEd
nlVEPdPrrVzFpvrt~nadEtaEeVElv
tflnlEESEVEeF1FnaSznmrUeEEcplXzEPnFREroiEEiFPPiddsIn
nrE1VvnFVdrdutnVPpvdeaUVEP
EJE|KaE
BrVd_S
(esEEo
dPRV}]
PlV|K^sj}E
PUGw4=
ESUTjP_}Evu_UXjJ
4_4EP]
x@Y ] -~
P]u^]t
@tx@@[Qz
ilmH]p@8
(POU0XS
og3k G5
S;2_u'_
#=Cwk7dG
U//'ea
[pfML<
FvL3g?
Fre}vTJP&.e
Qzc5A2
%c5vi!
8;d;>kv
!i$8?,+
82z{h@J3cJ ?{h
oZ+1oqI%/
`QI@~?A$l*}
s+(R[e
@?pT=<
xp}b}0
oTnIaV
}"pI4[
lb/<l~
C[ya)WB
dx~0/MC[8i~
ll~Wyj"
()uM]oFF
&YfsAp
Oc*/PvM38Mo7Bi'&uo3)
\s9K)/GSMu>&5
Picz7c\YfSfO* &B
y5EzBR](8!c7
6[XaXuJ
W0g=!ioq
,3m1i0
e0npc
1)K(22
c .oSno
iOkO0e
tP^bs}
E'o%6ys_,Xl
%o1}vf
_rY6Z?K
t1'SE:
>cz<tKI
@ +1Cv
S\WW;F
:T<F0
FZ@EA!
#9(45-
!1!6!J
.7Zz"%
G!TH:9
Z9A'}Z
E'A6a[M
'` &.
LBxU;F1l@,!5
UrqJ[*5
qE&Ng$'y
;KzZRK
U~w9V!
R,c@M/
@7@M8%
d:YNE;
]r]kZv
ADab=a:
:U30,AoA
obEA=A
H%WqHqUq
qPs%%P9kTk+=
IJ1N2%
%s+%N1
vkUI9kH8Ps21
N2sqJPNN2Pq=zrss%NUSUqb+I
v7%%s$qq++JPPsIJ2bs
zz+P$sJPbPZssNs
kNI9q2
HIJbsW
SU9rpP7
vL.1hx"Ar
1 #1z6&
YE:WY)
kuyx|^
V"J!=K
X$-:7%
.v@Y!S1-~
fg(3oO
'?W2I}
r4THM$#t
+`l :E
D#^F 8
0L9H:O
%%:[B@$
!!DF!60=~
K VGVI
:.0j}|s
~HSgY?
D/E; "
+~8A$}
V:|_:r
ZA''bAAA
Aq%AUJ
?E<0z`)4
e>!>@8
''y5V=
~d,|!q$
wZ.waq
z%H_J{
1\HvvBzv@A@A"
b)"v6<r
=A:NC38
A!UW U
qHsk1sH
ZIWNPs
pJb=U9PzT2N+
PPs2Hs
skPS=s%
I+WIq;$
r%1ss1U
bJ7Uszk
zW1$q22U
%=hL8Pb?Hr%IOxR@O 6+
P6EKv
0JPW1#[+
7#)G\S1#EVl}R.
N.-V T!A$zR
Y&C S4S
=Q'\y[DP00
uyc$Bh
<^[w"Z
[Y5~`
v,Qw0H
pI+<^-
#tM] A
:7<=^~h
(u Id7iW
)qa4A5Nj2
.2PbX\x0
>?y'mE
pID}T\b8GL&
@ju5QB
4Ym"6?V
Xy`H__AR
/vH06|RT
/DT@V/
JUAW5cV
P8e5q,
:7+|Uq
zzr4?Kse
tHVE5G--
.W.qnm
L.WRLd
sHWeGC<P
1g<<|Aya
~@tSnK
b[i_,4
0*-4k^+,
#0^ODm
{G(Nn0zDM>%Tg
/uml6"
P7)"V-4>Wh
J&6'rkJ
,vw:L%
G!4?zT
j)5Pn%
1-}C,U|%p5}g
`80W|B)>b
N'/_Yz
I*v{EN; I!
Cr^ \h=:
9=FKd&A)N
a?1Bp3
t+Pj>'xS8
>9BgQg5#F<)8u7 {
C']MMb
h-d&_4=
'yivAS'#[
k;Jm03.y=
CG\jGN:
<)V;0r
*"FbXd
6jDt<PUb:J>
)rE^T^J
D"&HK5
op$CN_
2T-8t^Z
!H&OUOeL
<J5$u6i
[u[Pr<'
!$1K,>\
UX%]/~z
\j{FUw
tf3=`Hw!B
#>IOQY`[
-<y|Wtd$
d=%D <
S0e`\1H
3ivgrYT$4
Fv@Ztb, >
_=Kq=</;
`X./u2
3JX>ii
t$jx0[ims\kcN
#xr}B6M$k
85!a-(
sD?R`
'\SDL)p
?5(m\2
!QbED|oBD
)QWu u
w&tpu43}%,#
^us8>wt
<J7gI0
dPqcJq
J5Q:#3E
<XqFpL
:1768)
W%_scaI'
kg?HH[
=6D5&`; L-
(3y4L!Z9
!s\@x&
)!EX-3JL
J^lZu>v
q~a.'RSuSLo2
=!irAuk
OoE4^+
GG&@;N
/@7c^,l
pX*[f^
;~|mE~%`b:G
45Q6`w
|BPUPL8
1F}u* _H&K]
y3XwVOh9
RYE'e[`$
Pj8D<H.L_|G
rRb:A kCw[
yR15:&ek!ska
/I"zzzq_
:6-Z6Q(
.Ro+QfN
C)7GuW
(f6E._OB
lmc>xV
(1rp3;e#)!\uU
wVrulP!zw
QO61[pL
l#L-d;g!//tF
Z&TZU7ra
M|sPrC
C3SMuM
]L8|-{5<r
6'&I,H
mGbj}mw4
@k6#zp|K
byF2d:M
' @3V&E
7\F4QqFQ
6 9l\.
`a]scVOI
xuM+n(`{We3Y9{D
zxf"9SA <
$Nc<6M
B>B7m:Eu5r2"-
]v*V:Yr
q_w<c3
]7)ID+KQ|
WOk8QAcW
\Q .(hrS
<LV}C?\
+kg`FlG8{VP:@!m(
S&Y0kQv6U
~%ava6 r
jKm(C"5%1a
]<~:H\w
K9;75zv L5
khZ_P%g/
$Xw~rH@n
qCCIfm)a
dwW$d6=rFdVTq@
2E@DP!
a2OPEf
Fng:$LxwZ{
)obl6p
16|3kx
~^`>#S0v
5:EmWBcZqb~?
'(Uj_C
o% Li-pY
8Ir %li
S8.zs[.tGr
G|jk{+gR4
35DFrr
zqfojGE4b
>?+4CBW&
w;8pHM
>f;C5 {%8
_R[),~
_POAJ1
UK6U5e
6a0cX#c
Y|>!ljm
)aYY"m3t+-9^
dURw~3
}J?0J~"'
T5nH02
S%<%[r
Qu9gs@F(
+|$o,9T
dXn\)Yc*a
wv+:0X@51s)43u
#~b,ff
p)gI+o
*byGG0-G
kRRE:u
F9,f55[
7bt{bRY
q26Vk,
D 4[ x
^Eg>q,
Uk!A".
Hwd{:IE$
ej">zj
opk"j~2.B=,<V
|by.>
V9t~&OH=4
GHR<x'M5]Zt
:O:P8Eja~|.
q2d/Yj)D]U[PT"Lq_}
kV%OWJM
xO"glW
dQA_%%3$
l2vaXAi&Zl
v)(eUz
\2s\_
`Hgobd4[
mJTcT9
unj\6$6&
l[AS>Z(f0Zd.Z
$}@MiX
cq{**o|F
)*Bkm|C;
yDf=BsR
p;w*<V!W
T;pP/JfSM0481an
'(B9N2p.
.xU$(<
c|A v7\
{Z2 6.
(ZHNC<u1vC
_pFMTy)
1YD(l9
5EakG2
btYs~/
E!-T' vy
"HkRm4V`
IVP8ThQgV)b_
Vhw7T>
^FOO|Y
*K+53f
+@@2<U1u~
EU/iWmF,NEd8
!-ns|a
<uA<R4,
hnqxpV
M0u;rI tHL
#=iebO
5sbIoc('
GO;6zXDcpxrTS
h,qk#1
-t<xI_+ic
(8}owwJ_yjn
-0}g@]zQR^D3p`jR}z2
vn]uMW
3\TE=0
HtaG[/
/G7:^.28J;
Au)q%z~
dam#4+`V9
6I8}:ZQe6>
+;ACmc90w
*$-GKpw.h
:K-!3X^iw
+*{_ u5V;DV0dmi.rUFke
N+g*eZ4RfN
foX.6VBMJ;
zD=lRe
ftVLsl
k3R`:l@
d."<,$
6IBw3nR
-I,yz9Y
q]a[+j]K;=
Pi}XL9
'5?,rq
8K'+"0$
DmdVv$[
DM8Por46VF(
iQA@Z>ymg(
ri5~,Djo
X]B!](
_/A4MuH
tT F]7P3
vPA0*_.<RhIy
]r61cg-. g
>]d'DJ}eIj
jPB.aC
:\rkM6\4
=l8G\Q^J
5v"&&tGLh*G%jo
}41YO/
'nvHm~,
S/Lh[$V@i"
BUR\4zz>
4|)WQI
KhX}]NX.
]v+Wu9
'@ W)'WG
9("?v<@m
,$w#"}
Hjn GbIvNfTQ
GV/{dm
{,Ly$K
+R2$KGo
]9&7oq
)Q[Ll58|
I=5X\,m
cn@5P!
9.uxdx4h
9oMaqCA{
*k7m7M$
3\8^X;
~8.jkXvqzc4
4tEdZhnzL_%S
/%}6c?`
loTi?H2
d@e\7C3WD]$hZR5=At*k
26QP42
`b*>@'q
yA?/.m/1V
^M 3ajWb
>IPx9kTux.c
>^F5<R
/ s`MPAe1:C/
XBHe-|
T#haqn.j
v=b~s-vOgr-
>T5z9ZY~4kn
g|CO\-64V&rz[
E2%46=[>"o;u
}F(w!)_e
4Jdy(;pjz+`MUj
+2*Y_\QM-O
yqO\0c
[i `B0B
gb,T *)
eSN~7]8qt4t9dv@7"P-YY+1MV_S+)R
.@G?U8ci
urA~5R
?Z%/>#@^
tkt@Ca
p\cjHku8E
=H2^W7
5>r*t
JfHpL
r?M}`u~y:
74V7&ObF
#Hly2(
'?y? e
<t`8*,M
O&tqP[
u\`l@F
%:"N CYZV
jZ<s"Y>
F)2n.V9
xC]A <A
]^fU2G
p8l'MlM<Sx]
ZMilI]\=
Y*^7\bB
lpEBI\C>`
M#|Fx@,o
Cpv"7w4m8m5
'C ~AGF
7=RaE<Qo!b4jF#V&U`]qy
=YDn(K/Zb>
G\Cj,nc
\Gcvp^
@2DC#]./.-}J>8TEe-MSrQ
>aM9B*l-W
:-qJ}r
Vgz'M<x
/O#d}r
UL}wIfya,l
P\*"&!
Km"SHF*+>
cD6P.g{$05f
fUc(51
<BCU}-n
G%h<F#w/W
Z$2./ly-%~9
{5vCLpM
^'rBmTG:Pf
ENEqxl/
YW)Fk"
&3`2O!D^;
!LRr v0f
,KU}if5m;P`V%MV
rS;C(E$
VVM9 _AK
.::),^CAP
FZGBN`I/>
YN@y\r~5AF
E_Ga!Lz
Hd-l:8
zMMRZF
&4^rx@k
vt*rpo8\
igogfz\<!]R;TV7SlkeI
$D0tHMPPm?:Ej}
Mt9.rRU
k~Q;GF|!b,g8G
}>g(YE
kG#3z3
buclic
y.<y&mW-
&hR3[hi
aeRI(^3y>Pj$i
~.u>{V9x
xh7;cDC|
//0mapz^
F@@@@l
@>@>L@@
?@=g>@@?
P@>>/t
@@??@d^@@>@`=>82?@@1\@ @X
@>?>@"@?
@@>RWH> ?=@>
?(@@@@@@@@?@,@
P@ (@?@p@
@@p@$h@?H@@
/D/s8?
<J//!7Wl
E'1W6r
$E6E`;=
7"E#"1-*
W/-1"2
j#C/e/2
monlsnilA
MEWs uA\resahE
ltHerw
lDSea ea
lluotpenWA roSrotsoTaprlrs\\pdV\R
afnofrrotCiop nzrHlaV\
xrimM\F\iCooMo
ohdedtxn\zWiACoRMie
EcllEoodoiW
Dts\ml\rerd
txpy_A
cRAuena
uarfFE.vt
MFSrdrt.CnR
ojchh_a
jeFeFlTyGe.cG
psSpant
yo\learOO\.gdaWreuts\tl_mu\ela
Supfdcs
\hiiIALUAdeT_c
iuTnipopdsr
UiwoYipAiiisaeHwTLStYdIA
oss_\\n\pNTnoDiEto
MIspnRnMTOEWoppoVYnasduLissAsLi_M_doL
ODtRNLVYS\incSwn
roteLeTWCCNnWsIdtL
orrfrWrnsfo
Ts\H\AwrIT
ItDLLrtDi\\
T8ML\z
IJWaKR
)QJibO
ubg55A\
KbR{TTU
'A'bF~r|
T#QXS~
<O7Je9bHMJ^PR
feWZ1E
( Hh(
rPFOuyr
WHMeTtt
ydSuuyM
YAdDmud
rWnyi6
NrudlydnaA
MTrOSe
WrJuuyFadu
TpaWer
FunMtograua
JiiNesedusraaaSe
SJdyneA
eeylrTsJ
usyuAMocdvdhyO
saydha
ntgruaFpDyt
rgAcAbic
trMbeJFbes
leveanmhOmtsFye
epaJNtp
pDueuruhtmrcMb
rbJitrSeJMu
apbebe
y2GHmd
d W-&H
LMGdn M
"5 -dy
=d/d9.W,
myM/"yM
>MSM,d
et.roaum
rg!Eaa
rporg.nRkben
.nPi.ono
:nom:n
iL@+eot2iL+
6 rVm2!Xsz@t
+yo* M+
XM2 hi8 xfn1@uu
uzxRja5
Rat @t5f70
8eton0
co0sus n
ughrt
R fn@
iepin
0oRlpta6p
0tb eh 9ga0 n0 -hb
tba0 aaeoto nt
hna p(smn
0gocoa perfn
linon
Retho nR
o0R -vg
oe6eo9or
ne6es nneore 8rv-gu8sRrn0e
dnoee6uens m- tuhso1en
cgilaa 0ru
px-lhcp
ua6e t on-elae
tr 1Rddd
Rtttaph
61anotorra rher0 tocdi -dn07R
ooerernogs or
-rat f0n c
0o et1rur1 m
hku uke ap ee6
o96 1etRecRbt a
b6 lpph nxd
he6Reue-rola
rrs0opo1sod
nc1 6
pe0ne
pRRebv1
eudloebccr
etnooau
ae01e a
peno 0
o2vi-n
o R ve5
n lp4ituplr_u
nie inat
Rl- 2n
neopea xhrct/
fro6o caeooter0 c2uto
-ttuai5xh260nti
_eotap
-utc0 ou
anenit6x
nsi oa
un tiRieiai
i lhash ligesrua-enta
nwu6 niaio00ntcpnla
e 6 fi6o oi-noo2
alf2n tfn al
goi- s
izpoieoieclae
ita oioi-o
cn ztt
cpz hitoouoghd ofrse
on gat
ndnon pRittow
i Rap 3 62i6otlbi-
neClnaRcubzeii.t0 R6
20-o0nnpe
ozn t
aTd nt
i3iata
7tRat8-
ii l.loo
06 cT2
867lelnRitzi
0ipm i rTugmAni Tno nm
o- tehhis a-at iheioeotu tcez6io
h6ldom
yaiT0otgro
ni 1Re tayn a.cet
hoi inzi i otep
r dtnACb
r t c ih 3aut n.Rtamet
aeesctnt
C iiaii nta
bntrs 3T
rolmasuan
r tococsm
niolh Mviitfco po nncpme acRolrft u
c fiaa
on a6eni
f3eo leMen .n ga .glonrnho
tiroaoni c aRcouslDtltof-trrs n tnDut ls fc6
aonrco tamfei-o3free0rov2 iicuutL lytgaei/ a.oi tiyl ollkafi flsub u t gnyL f M)nln ip l ckratelfs ylp(MlmtmanS dI lguu saIace(mtp/iin u cralcIceopi-S o sr s .rteloomhicalrtt lseiiIoe-nonr elo i naphpudgbc)otnatbse cot e
ayi lhIeiuTiALi iLseb neiintndtyaogaSiel rtnotvtdaAsmnzts ds cTnprttzlSdriicieasIotahinoomia
iepmsueons rimetMcca atie dtne e oeit si timMi g fsdmtsvl o dd huihu iscofo
erlr.m
uSTGerrSOi De
e3rIrsm=or
rt"AnSNre
rNRerSr3to
oeoLAoLrdrI r
RGNn-M0erS,
{CYWh3Ii'p
Ppp>H&iV
~!p{O;
Xw>X+%rpa>
fwgQpS>X=vqi
i? ={II@)
bO0x:D
[xp (N
sd~}BA@?U{DMeLdm
wt8?W6i@US
dJ7g1H
e(|OS9
]a`4Z@QW
ta6oIw
@MBw@{>
QFq{]sD
|sA3sms&^
KAdtW{s
u?@'tj
@vt>>>@@
stR@Yb
rIl-Il
&,K@)fCDg}v`+3`iA
oyiZwf
WQrLp<{P
C=L=6b
{y<~bvb}xI
03nvR
`P``ipiv
iD`6ip,
pp>i?;
!(ii}zs
7isurrdDJ)jbUg@0
?ysEh^DGt
3zY00~E}
zHzDg(/
p3L0E: t
V~<OIzts-
rqti0p
,~HJ`{,tq
WDZ}jyjW``(v v0
.CH7 Hzw
g8Ih!]
Gtau_i
Qz0H~@|J{||}Q.
H *4G`[p`i
;p@07X
I@g@61ITV
@@I3D@vm
{M<K=V
V#p|6a\rQ
E;VpS}7
sL@tHL{
@?{&gD
]cGZG]><+
tDo0{g
08VPfB
t1MzVh@E
vHit8J1sv|v0
n/tM01@7
z@eEg@N
tcB1z@
Y@dM}tq
@my73i
tb@VrQic#Kt
MrnWQg
@SUUEEz
3ut}Pt
EEtwSlg?
3S@)]w:HE
E3E[wE
DwDMtEt
S]VEwS])WS
F@))E)
0U]VMDGE
S}uG?_
ELzY(@E
VEY0Y@V
@Ym (@z
SutaEELc(
(m@@DIL.
@Lz Avzl
Nd@4@V@M@
@@@GZqG
vEc@4a~U
u{s0<i}>xvS{ey/Ds|
yL;Yer
ngvdL3
dH<s"z
Degzv{ui
J>@}g7sst}z{b
DDt-jR|gHHe
70{e8az]<v%
Au=jHKD
ivdd@]tXtm
kU6`ggzrdz
tt{zL7TC
ztsHHE
_::H4zwdE!`:fngLidqzI
zH[Htlg;s
W!YCxy_
p:IMA^
tA]VeE
;{`EqMLsB]]_
r|~;YtzD!S
YHi//m
_Ve=)()E<D(c\yS)]<S~k^lDu]R
D UEt;
@xS@D}=3VS@@Ro@dfDQ=),h)
)0uQ9)E]Kp;m @i)
1SDrD@
t@zsEPe(
DXSSL/[INv)t$wI
)D0FS
Ht/H@8gYG/<
H/mRD@(g|n
<@p</DD
bCH+)>/
C]HYDS@.
0DvS[#
@^6@|^tqg!_ERU}
W{Ddg@gz f
0MmDz
Gg@IH]P
8gb0E/H%HwgP
g3q0tt
lsj]t6
=mie;<
]tgDv$P
3ggDme
tgvtH@qv
vOv](Wdu
-FKfD]
DVR4@kRrDaPt
@<7e>}
fV{\0MD
T0b@H]Mp@S
UiDHm^
u t<igv
Wf@3:'d`s
u|tyzgHD!EM!@@P
Dgttvd,gf3
+z,}_|
bgytV@
@~@'30j@@0@
1)vM=blD}@`
Hy/ <8Ak
Jb_t?B
tgDWGl
zl6@4Dz
JDoq]S
Z4iDMs
EtN6E"
tz?b[t
x?\BnxT
QE))JDo@DU0)DDV)}0
9 Dk~{)
~0D,q@ED
jg@sj(
h()Evr
Dt@@)D1D@ttzW@rEs@
Dt<)<p1Da<
yD)k-@
DDr<v@0~@
?D< g1ic
a@P YD~)ev0D@0r
@tgntb
}zMY@E/
tsEvlszWs
fg1`}@@/
b~nM1saz
]J@D@@
nC@@0b
`KDE6{
q7FEJ@
wztJu@Xs
^\@Cr7s79p|&Cq~2J8
tv{o0'v6s{
eB/Esl
DCID/*
dZ1}{{
ot*Cq0o_
x~{0xsm}[_
!BM{tYs?
L/t_L3FDzDv0]
Lz]E PT!z;U6-)
(|HCtqk
Wmzs$4s|W|MjzE}x
Enrt?}
0Y53WT<r}
LaAKHW
]CO#Gs|Ig}
"WbW~"L
3"wi}n.E@
fJ)y"h
C=3QC"\)d
B|gNW{
EGWGw@
x2@=YjHt7h
Ek]}34Y
jY|jKE
Y k@qU}b1\
bm/1b1
saQv|*
|kjjj@Q
PvjEj1+|
]D][US]
_\s@<;D%D
y9/,LSb]/l<qj0U
m*|>@'
3YE}LsNS
x}DY+7ro,o&H
RDvyh|thYYsh3e1m
gqtDv?EH$@3*~?H.17?E7
Q1s@}/
m%@Y0:h}m
D@0Y1_
h61Dj5
V*D91}
nV=fDD
c6Es[k
@qYxq_S@$dL
EHM16{g
U0Du{j!$WnjtrQ
v{gIg]
Dh1A@E<$!
Y`ADg
1DhvY@$
nkeln{
p3I{B)
o<Xj5I
g=$D\s
Nom3@^hmW
DeZd}$
@ nIAJfCE+fDL
Edxr@w
ghQJu{
jSV|0h
3h'C@:D
0P\iQ(@
Djk9DjX
@llm30D
0gS0@1
kB=j?Y)
+Bh(0i/}
d@\0I0mVS
9nEE.@
0@(HS@1}0T
u<jj9{
@%VjjTX
X)(chR0h
j@Ch.X
Ces8Pj
j jh&}i
Mh0Cjmd"
tuP}mD@|P
i|zLMO
QMG|Ut
>oG@>%GXU
5mvRlr9
[N@0qD
%[!}YY<S>i
7_v]Ie]Y
RY][-[i
tet/-i
5y-tYYY
YYQ|tXY
OYk51k!
R'jli@jh
}jaXlL
-/tIY-mX
kYY[XY-
XESRp'ZX
[NN'BO
'S%>R6t
/@8[8ev
)j8AVi
@D@(1D@
h@jhhX
mi:n30]n
RhQ@jE|
)=%Sk!C=k5@D
=j0M=E
hiXd@Lx@)d@s
9IBJEIOE1OI
B1ID+E1+J
ySsDss
y1y(s/(r
@|e; 1
]5ssys/
&AR1D+
$o$1<+S
njm@}@)Ej1
E1@Djhjj
<M(@(j
=(j1j@j
VJEXDE-hf
{g@.-j
fC@KaNJ
CRYPT32.DLL
KERNEL32.DLL
CryptBinaryToStringA
CloseHandle
ConnectNamedPipe
CreateEventW
CreateThread
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetSystemTimeAsFileTime
GetTickCount
LoadLibraryA
LoadLibraryW
MultiByteToWideChar
QueryPerformanceCounter
ReadFile
SetUnhandledExceptionFilter
TerminateProcess
UnhandledExceptionFilter
VirtualProtect
WaitForSingleObject
WideCharToMultiByte
WriteFile
lstrcmpiW
lstrcpyW
lstrlenW
SetEvent
0/0A0M0Y0s00000000
1*1:1R1e1s11111111
2!2,2C2M2Y2q2}22222222
303>3I3d3p333333333
4*474E4]4e4x4444444444
5"585I5\5k5y55555555
6 636D6W6c6}66666666
7#737F7`7s7y7777777
848:8V8h8t88888888G9R9b9x99999999
:):3:=:a:
::::::::
;%;4;L;[;w;;;;;;;;
<,<><M<e<n<<<<<<<<
=&=;=O=Z=t=========
> >7>R>Z>`>b>f>l>m>r>>>>>>>>>
?*?8?B?Z?a?v????????
0.0T0d0r00000000
1$151G1Y1p111111111
2<2J2T2c2x22222222
3$3;3F3W3d3~3333333
4(414D4P4h4z4444444
5&555S5]555555555
6)6>6M6f6u66666666
7%7;7O7l7z777777777
8 818;8H8^8o8z88888888
9&929I9]9c9v99999999
:':;:S:Z:{:::::::
;3;I;Z;l;s;;;;;
<$<-<?<X<j<t<<<<<<<<
=)=D=T=o=========#>A>P>Y>r>
>>>>>>>>
? ?-?9?T?^?q????????
0 0+0@0X0^0s0000000
1,1G1[1d1p11111111
2"222P2^2x222222222
3$3-3@3N3n3z333333333
4#434=4Q4d44444444
565F5W5h55555555
6$6:6O6d6w666666666
7)7<7G7R7W7a7n7s77777777777777
8!8*838F8O8U8f8p8v8888888888
9'9-9A9P9h9v9999999
:":;:V:a:y::::::::
;+;7;K;Y;t;
;;;;;;;;
<%<-<><W<h<w<<<<<<<
=9=F=V=^=t=========
>!>;>L>b>o>>>>>>>>>
?=?R?a?t?}???????
020A0Y0i000000000
1 121I1W1m1w1111V2k2w22222222
3#323@3R3]3{3333333
434E4N4\4l4|4g5s5|55555555
6%626J6Z6a6t666667777
8"878D8e8k888888888
9%9*9=9R9j9w9999999
: :.:@:]:o::::::::
; ;8;E;Z;e;;;;;;;;;
<*<<<I<c<m<{<<<<<<<<
=*=?=c=s={=======
.fwr}QFKISAE
Dr@2qyHr
}5#oZJ5
xI1"Z/
% eRyp;
Iq<}yc
`9r8sh
h{'H [@{
mOH.$,A,
3w5[<^Y
R�D� �l�A�s�
I�O�O� �h�t�v�y�V�A�X�l�h�o�f�D� �w�Q�C�K�Y�t�E�P�F� �A�o�K�a�i�S�x�k� �L�I�b�r�o�T�j�i�f�r�e�C�r�F�n�o�U�P� �W�G�x�S�f�s�Z�T�H�b�g�r�R�s�G�L�a�L� �j�
g�X�T�N�m�d�E�N�C�D�l� �p�l�W�D�o�D�Y�H�h�
m�I�C� �s�v�e�a�I� �v�X�e� �I�N�U�L�r�I�V�i�f�
X�z�N�e�M�E�t�C� �U�z�j�y� �y�D�d� �X�s� � �x�n�W�Y�g�a�D� �y�H�
p�e�D�W�Z�p�Z�g�X�C�x�K�
Y�k�j�G�T�t� �i�A�o�m�S�W�K�P� �l�F�P�V�x�r�j�E�G�M�
Z�j�m�n�l�P�X�b�m�Q�J�i�F�u� �R�V� �W�o�G�Y�W�e�G�k�K�y�q�j�F�
F�k�v�f�V�b� �f�b�X�B� � �W�v�G�W�u�g�H�c�U�r�I�M�n�e� �a� �K�q� �o�X�r�F�Y� � � �N� �u�E�g�h� �c�
S�y�s�L�i�s�t�V�i�e�w�3�2�
F�o�w�s� �s�n�o�S�p�a�s�v�V� �w�q�v�D�w�t�L�j�I�k�D�N�Z�h�a�o� �L�o�I�a� �q�O� �l�c�b�l�
h�P�z�e� �C�
m� �B�W�h�X�E�h�o�n�S�G�n�A� �S�T�H�J�t�C�Y�R�t� �o�m�c� �d�q�s�r�T�b�x�T�p�J�B�r�v�Y�x�C�E�n�r�a�n�a�K�v�H� �C�x�u�h�Q�E�w�g� �i�R�z�L�s� �z�E�n� �g�F�l�k�g�O�t�A�Z�r�K�p�s�P�s�l�G�H�X�E�R�w�a�s�
S�y�s�L�i�s�t�V�i�e�w�3�2�
D�L�g�l�T�o�W�Z�J� �R�a�O�n�u�F�D�T�X� � �t� �v�H� �N�M�
S�y�s�L�i�s�t�V�i�e�w�3�2�
D�z� �X�z�W�j�J�A�r�Q�f�I�i� �M�g�g�R�r�J�T�a�Z�l�H�a�l�P� �t�W�e�L�J�X�u�e�e�r�
x�Z�J�m� �Y�X�U�h�
w�C�D�C�w�c�o�E�e�h�G�C�b�u� �v�z�h�p�Y�X�P�P� �a� �A�U�m�G�C� � �z�f�H�n�J�S�r�O�s�E�v�Y�L�K�
l�w�x�b�h�s�M�U�A� �
Q�z�v�s� �W�j� �s�w�d�s�Q�F�B�C�k� �r�N�y� �a�Z�S�q�N�A�C� �g�m�g�J�u�x�Z�K�e�C�K�a�q�x� �h�k�W�D�S�i� �t�e� �T�r�a�q�f�m�j� �k� �f�K�m� �c�j�X� �r�R�e�w�R�u�X�m�J�l�h�o� �U�O�o�G�C�Z�K�W�p� �D�
r�M�f�S�L�J�V�x�v�M�v�q�P�T�
�p�v�o�K�v�b�A�K� �G�u� �O�e�T�R�P� �Q�C�U�B�Q�R�J�P�Q� �
S�y�s�L�i�s�t�V�i�e�w�3�2�
�S�h�c�k�W�X� �L�F�l�q�R�w�t�A�Q� �B�i�S�
M�K�I�s�t�i�X� �M�Z�B�L�a�a�t�e�R�V�o�L�T�x�j�K�K�a� �m�b�B�B�v�I�t� �p�p� �u� �V�B�y�b�Y� �l�m�v�D�n�l�I�t�u�n�p� �M�s�d�i�Q�
O� �e�S�a�i�o�c�t�E� �L�f�U�j�w�b�E�e�i�v�M�m�X�x�T�f�f�T�i�J� �D�I�m�X�i�r�U�N�W�g�Q�A�
f�d�c�U�k�f�x� �N�D�r�r�X�U�k�b�a� �I�M�o�X�U� �x�M�r� �C�x�L� �L�G�E�b� �d�V�
c� �j� �T�g�N�J�
G�Z�O�p�H�Q�i�P�s�v�m�r�d� �H�t�F� � �u�Q�t�i�k�J� � �l�
A�L�p�v�i�l� �c�j�V�y�t�c�U�K�H� �K�B�j�s�I�q�g�U�u�S�I�L�C�f�h�Z�i�B� �J� �Q�M�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.