1.8
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.71
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Kryptik-LRH [Trj] | 20200318 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Kryptik.eg | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200318 | 2013.8.14.323 |
| McAfee | Dropper-FFK!96F547414B8E | 20200317 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b6bbbe | 20200318 | 1.0.0.1 |
静态指标
查询计算机名称
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545344.063125 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
检查进程是否被调试器调试
(1 个事件)
收集信息以指纹识别系统 (MachineGuid, DigitalProductId, SystemBiosDate)
(1 个事件)
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(1 个事件)
在文件系统上创建可执行文件
(1 个事件)
| file | C:\ProgramData\Mozilla\iqbjnwa.exe |
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(1 个事件)
| section | {'name': '.xdata', 'virtual_address': '0x0002a000', 'virtual_size': '0x00000118', 'size_of_data': '0x00000118', 'entropy': 7.250167895674396} | entropy | 7.250167895674396 | description | 发现高熵的节 | |||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 58 个反病毒引擎识别为恶意
(50 out of 58 个事件)
| ALYac | Gen:Variant.Ulise.38836 |
| APEX | Malicious |
| AVG | Win32:Kryptik-LRH [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Ulise.38836 |
| AhnLab-V3 | Trojan/Win32.Shipup.R65212 |
| Antiy-AVL | Trojan/Win32.ShipUp |
| Arcabit | Trojan.Ulise.D97B4 |
| Avast | Win32:Kryptik-LRH [Trj] |
| Avira | TR/ATRAPS.Gen |
| Baidu | Win32.Trojan.Kryptik.eg |
| BitDefender | Gen:Variant.Ulise.38836 |
| BitDefenderTheta | Gen:NN.ZexaF.34100.juX@a0rZExb |
| Bkav | W32.AIDetectVM.malware2 |
| CAT-QuickHeal | TrojanDropper.Gepys.A |
| ClamAV | Win.Malware.Minggy-7067473-0 |
| Comodo | TrojWare.Win32.Kryptik.BANN@4xjerl |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.14b8e0 |
| Cylance | Unsafe |
| Cyren | W32/Gepys.AR.gen!Eldorado |
| DrWeb | Trojan.Redirect.147 |
| ESET-NOD32 | a variant of Win32/Injector.AGHP |
| Emsisoft | Gen:Variant.Ulise.38836 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Gepys.AR.gen!Eldorado |
| F-Secure | Trojan.TR/ATRAPS.Gen |
| FireEye | Generic.mg.96f547414b8e070e |
| Fortinet | W32/Injector.AFZG!tr |
| GData | Gen:Variant.Ulise.38836 |
| Ikarus | Trojan-Downloader.Win32.Dofoil |
| Invincea | heuristic |
| Jiangmin | Trojan/Generic.awold |
| K7AntiVirus | Trojan ( 0053507e1 ) |
| K7GW | Trojan ( 0053507e1 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=89) |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | Dropper-FFK!96F547414B8E |
| McAfee-GW-Edition | BehavesLike.Win32.Dropper.ch |
| MicroWorld-eScan | Gen:Variant.Ulise.38836 |
| Microsoft | TrojanDropper:Win32/Gepys |
| NANO-Antivirus | Trojan.Win32.Redirect.crarbq |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM20.1.F61B.Malware.Gen |
| Rising | Dropper.Win32.Gepys.c (RDMK:cmRtazq9uGE0z+ZnT2pr8PfWDXea) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Injector |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/EncPk-ACW |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2013-05-09 02:26:20
PE Imphash
f6091aeca3520f5f36a5119941ed2b72
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00003878 | 0x00003878 | 5.613107483450231 |
| .bss | 0x00005000 | 0x00001f40 | 0x00000000 | 0.0 |
| .data | 0x00007000 | 0x00021c2a | 0x00021c2a | 6.739268407203984 |
| .idata | 0x00029000 | 0x00000558 | 0x00000558 | 4.752803275179844 |
| .xdata | 0x0002a000 | 0x00000118 | 0x00000118 | 7.250167895674396 |
Imports
Library CRYPT32.DLL:
• 0x42918c CryptBinaryToStringW
Library KERNEL32.dll:
• 0x429198 GetProcAddress
• 0x42919c LoadLibraryA
• 0x4291a0 RtlUnwind
• 0x4291a4 VirtualProtect
• 0x4291a8 GetModuleHandleW
Library ulib.dll:
• 0x4291e0 ?Initialize@FSN_FILTER@@QAEEXZ
• 0x4291e4 ??0DSTRING@@QAE@XZ
• 0x4291e8 ??0PATH@@QAE@XZ
• 0x4291ec ??0ARRAY@@QAE@XZ
• 0x4291f0 ??0ARGUMENT_LEXEMIZER@@QAE@XZ
• 0x4291f8 ??1PROGRAM@@UAE@XZ
• 0x4291fc ??1PATH_ARGUMENT@@UAE@XZ
• 0x429200 ??1FSN_FILTER@@UAE@XZ
• 0x429204 ?ValidateVersion@PROGRAM@@UBEXKK@Z
• 0x429208 ?Usage@PROGRAM@@UBEXXZ
• 0x42920c ?GetStandardError@PROGRAM@@UAEPAVSTREAM@@XZ
L!This program cannot be run in DOS mode.
.idata
@.xdata
t ;t$$t
_^[USVWUj
]_^[]U
v4b1qUk
SVWeP<$f
x|PxV5p@
1_^[UpSVWu
A1EE}eE
_^[U(SVWu
}E9Eu(U
EE9E|E})9}
L_^[UQU
UQPSVWu
}_^[U SVWu
]EE9E|M9u
SuVVESuVI
X_^[UVW}
$_^]U SVW]
|_^[U,
di3|r%iUlhE!
lVt`%E%k
F`)%zVhk8
EHPey)xlp
+hob%tT
TxEotpr
Lfd#PVs
EExexe%t
df`hXt)|
+|@ixh
#itz$ll1^
fFht{6d`i8
EoaE+t|Rd|P{X
sPcfdr
HP"tB`p]PEr
lhXer7!Vxa
lk%0pi
QSh|o+
P-t2%l
e|X+ x
S:x|dpE
Et!jEE|h?la
)p|FS8
|VtFi\U
+P+)XDs
txhp|X
fEfaEl+ter.fdx
Dt|!|xX`,x
xp)l)+
|lLdHeAl%
lP|h?nid
lE?tiu
h)EEdFe
EhPpMD?
x+lea T@
tx<|4
idhLXD
|E)dBV
tEOd+%pPSFexc
L#DTtdH
r?x#did
l;x)%-h|d
t` %cE|t!+
p`x%Ddr
XllGx|8f
T+H!pix
L|l pt
ph|d\\q
it>HiXkfe`
i=t|l|kD
xlpp|xP
6F|%+T
t%`Vx1
D\`fi@h)P
r~|tlP[|!
h\pXtM p
id\il8O
|pXF|gln@iy
i@+!L|
l|pt)u
iAcl+|
pX)ah|t
|ph!fR!
rH|TLpX
d`|\Y%
!xpgHQ
xpydid
A%p+=ld#
p!+Hih
|TL./W\
%xWxTD
X+iS6U
EE[tP7
^]]0X_
Q[euVFUt
E8UE\Et
Th[p@GX^]
_~VSE_4U@V
GjEP4}
EPhPJu
EdVEhUG_9
EhEXjC
utS+tE
ttVS(SVVS
ESTh<uP
9ShFuS
tE0@E(bVqjxE<
S>^fSu
nnD a2Ma
_]`h@tVP
}3Su4DJ
f@ffNf
affUAa+k
fNfy+k,+
+(h$@Ej4h
ph0D@@]Pj@
3@@@Mj
Ed``qSKS`+
W VlWE
M@M`@UU+7Gd+
VUWFD+BqR;Q
SMD+fE+0+
@QhRPtP
qj@G8d
lh@jQjjjj
jjqjV+
`+!P+PAW
++U@++GV+P
\P\P+RP
++PA(Q
+VQ$PP+RP
@@A$0@U@A@`@\
@\|@P<@Q
hjh8hQ
DMP@%R@
@@]RjpV^
fLfj3PD
t.up2h
@@00D0j@f@fff
[p]h@j@
@(jR!]
W+SRWp
t00d`jD
RfP3P@
hjQfd`D
3hdfhph
+LtLSth
tfEfaU
uftfIvdrth
HHR3,IEua
DDUuL[
D_@^@PE
MpD_f%
u$@^\]]HDP$
uLqVLH@
j33QP"
@qqG$qLV
PLL@@3V
Ht3]Vj
tgHHHHt3L
_f=u]u(
tSUu;]
j3PX6P
DD<D@<
E @t@p
t@jhYY
hY@tjj^
}EDD]E
@ChthuPDS
FjhjW(S
3t3wVtD
SljtY$
MGt;t38fE
t9f3u\f
@X]^[YY|Y
9^^V^^^V
9SpWHuf
Suf9t^+^
[D;'_s_YXs^[
EVH3@jr
Q@q`DED
sjqChp@,
,T[^u@F;
@\@EPhF^
@fT|@C
jl}}D@E}Y
Yl}3Y@W@@
Y'FDP5
{YYYFF
ptWelj@
hDqDY5DcD
t0?Npt5@
3pV@5h_
l$_3D<
W@j^ h
999_;j
uYuE(`
DYuu>uXu
V6Y@_P
p@]tYQ35
^t(]CUh}D
K]T@(|
]k9us]]3
xtdD3O
]EU<UD(
uM}MEES
PMppHH
@EU@W@V;5P@U
Z@e@&W
HuYjM_(
u3}Af}
;]V};A<r
@(HA}}S}h}
HAWD}3
u_AtEE
E$t$E@
]eMEE@
$LSAV+
U@2}D+
"@A$L@tDh|DPS@Qp
p@tpp9p;5P@
PpjP=}
(G\tPh5ttDMDDp
WfEtLuPO
}PuuuE
PE)DEj
t[fuMu
^5_D;Mt 3Eu
}UVW"]3
"3+f3f
tOfff_j^
Uuf^+fEfEPf3Otfj
'](( 9
u~DvU-D
MYEt(((
D5u^v@'v
`UDEYvD^vYuvvD9u';u
TNDr@@Nr$4
N$_E_G@
OO@OOrO
OO@VO@F@
9>8ttt
AuYt0@u
jsUPP_
tht;'^
;t@Y}t
~el3@J
WSCvSh
tQ)Ne@
65tuFFp@Ec
;uVHht
pF@FFx3
FFuupF]]
FMpFFM
0VU@Cs
p;WVuC
9M{~~~~
;hES3h
=h|hY@E
u@%S}D
pPDYY3jE= 0@S
TLjv5D
QdL$t$
ST3poHUjpSU
]3U3$$$3[ShlD
u5Uww$
d$D}P$j
w$WY$]
twYsYuuj
@@V3uF@puY
@]^t]@3}j
oOP^of
Wo p
_vIupvG
IvH:8vv@
v\Yv`Rv$d,6vPv"v*X(vv2
LD @vvvvvvB
U;@PF$P5FFP
PYYP5P@P
5VPPtttV
Y5^P5P
t5tt5@
5PP@Pt
;Y@;tP;F
PE@u@@vtu@
F;3uFtP
DtuFuY@U<
YHPUYV
5~;F;}
u9]Xuu
]3p$XuX
u~7S@X
]u$XS;
CXS9SX
u;?Eur
3QEE5E$
WY}Yu^
uu_EQuuhueW
uU=u]MuMP@
t=SS3Suu<
ewY?ut
YAA[H]f
ufQYQ0
oa a T
@qpxfrr
soFeetFst
iSnene
rimnrt
PoDeGAp
IFlaeaUb
Gs3sMys
Assdsc
MDlara
uMvy,rydA
iApSbr
DTyAMAM
ordbAJ
uhaaduagu
rNearae
aggptiJ
DMuyaJ
nngeMSgusudgg
uysAaechFbdg
draMne
ygyFJy
sprrggtt
}hs`<r|c@>
!~45fwol{ "-%mu
b5qp5*9
mni]5?
5,5y5an8d'=s
ekc5\(zztl
^7VX}%/F,'
*MFOBF
"H G<QV
)4ZEDFK+
e/EG0U[T\Th
LM\otsa
eaeerpe
Mareyo
ltercVaaalati
nFePeiAp
etTaez
tPPaelsDeeshaeel
T`PrlpsaiiPFceyH
sleeGkF
ieaeHesoP
maetoRGrTeeWP
ePJcieaeiatlTFamPGp
SlPvGyapMeuPod
AWlettaeErmH
eethKi
crhyGSoAsrLger3eeIrncTKtlmlcrtrssn
EsKGnKLmtn
nsCGlcoh
KtdeGKtdlAre
aKeeCeeeaeTutrKdoScLGoeatiaa
t2totKeWdsamNed
caoaoM
PdKtW]rerLoa
IKeCrKiaPWaaWWtKndar
esnLrp
nCUgxxoureaono
MiCWRDW
MCBisol
dPLCamec
sTadIeWEnCE
tCaWeElo
staprxoeMCWEW
WEsmhgT
ostsoEeCnsrCEcaaeWrgCE
eoioEDeeaa
dEwEEeei
eWx7DrWelxentWodee
DlnNgCg
V0EDWa.Pntieeata
yABaute
DttRDe
nxDQ2g
PecGttre
ptlnUoolgDlUt
nDRleDyr
agaefeE
eesdVis
edotDD
3uQtttERRgDEAKttWu
nysaRstSVdugKMSD
WDasorrltn3oLeose
SIO2.e
dolEeei@
olSun.otUmazlIfi.iaLaInEi!l3ito
plelc2nretpiCc
llnlCecentelchIaSsCtuST
izHWHti
CEtftniyTxAWian
tttLeed
dElPor3il
el2rSdo
eIbdeli
sleeDlsute
ongcisgdtogurcsd
cGgUgtosl
EttdggSuEsss
gcnPeindFrgeGxrd
hsrngg
CnlPnEos
itttnprWeUeeGegGgattcge
irrFssesese
PocAordrD
eoersH
ontsdin
nuelpr
SIrria
reuduWemuotEFaeStutneinnT
iHeevtSrenunSnna
contGSdmeieDoiennteoduo
tltiiCeaeinuieeguGosCtetueaCu
iecgnannupeeuW
rsEinASleinleeee
etzouEe
teiiuleenvtSoclt
rotdedi
ePmleetrdrl
EeEnsAuttt
lekceareereQrtT
eulnelIererIClfslta
reksravte
nlursGaC
nmeaeuL
dCTtliHceoseorc
iateVt
LcLmoc
telrGnrPrsoy
ecPclFp
HtOlIG
etreociu
aolVdrcr?res
yioPoSr
ctbzinterplrtE
tRnnorCllaPae
rwWBsoCri
rgRhdlint
eirafh7
rSPieea
raTCedrnSEes
LAeoUeridIr
@@ @@@
~@d@~@@h@~~~~}
@~@@~|~
~t~~~}@}
29zoq$kw0B&
o>RCbJ!
hsqs9AK
_uluuYWZDG7
>jzgn@uZud
m"uu'uXj
e]Vx-6;8-
Vg@8-:uVVFm
VN~M*#kag%%
(UayIw`
YgaL;&`i1"Ya
Q9=s^g+
8a#eW;
aq7_$a|[>wI3[
_~'Xi'UV?St45aR
`u$Qh3)J6(l[
~$4j),sM_Ca
7#c(E)E
](ByOnzv
P;GwrLm`
t.ElfPE4
;E 7}$q0YETemAB*"pE
^}_I@<V
j*xEJPU
0=lEdpQ
leTE"]z!E
LjE"L*aE
6KqWega'
x(HBU*MK<
~XMB9=
eG#_q]
5K!PhM
!V14dGk//
BM^MM+6cs8b
a? x@b
$XQ_T6a[i"8dV
b6R$t\
+^vBl6jFwEZ#kI
!$63%tl!
Y>CM@BM
-hG[x01
?&ttWa
.\Ym4x{s
?4NhU44
PWAGd<o`[[c[
45M-][[
;B;[1T[s
/dW[wm
[P<[:f\+
sz(4[G
#c^3)CA}+
H\qsF&~Z
!#Cp59?=X
Mu*?M?`n1g)-?Y2Z0?RMs0?
E??@O?zA
z[Axd~AX
.wb\"l?]
qz&V>0G
eMWkt)
<C1:v\
[TPKv>
s'#NIv
M|kv1/&oo4bU
9j'*;~s
[o;}b!
;J;eDG
;dd;[zr
ysz=>^
M|ogXij{zMpz
9z9czzE
z z%$
V9<4'H
[$vY[K
]&XMP[
[72N,\
&~",IHf
PiqKKy
jzK(W5lHeo6tK
cV/3+v
AuWG[t.A9]
^A aeA5n:A
<?A_IUZ nAA.
Bxy3/c.
r7[T(vQ&^
^^E]E*Js`CHHU^^u4O`&B}e^
=:>)L/*
sOKy?&(NX
})#B*x,o
Q$l]KV
:jz*i;{
|y9-**xWGa8g.z
|:'CHCCmk2Q\7
:N"s#BC
n*|}CCvHyKC:H
-/C<C4C)
D*/<V w48T4n-C80]
cNv@/g>
HG:_BV1
zUJVl1
UMBtzN.lq
|;(:-i)syq
:*aQ,>
;]::iH
r^nMbd
K~W^All*%T^X6+I
^J{^.h
%ajCz1
b[r[}j[T[o
Hrl^dA
{1*%^ [[$Ce[0
[Gf[R,^
8'^q;,
^5F[-t
ozB)&W9_
hh))G'7,%Ee))
G,wE) -Cs
)`'Vq(-D>#-IMo
{j>q>Q>r<m
d@X}n>w'
>I>jYw((
zkmGO^@\G3/QGs'#Gg
^)6^*diG^^
F'gG^^ |V^
GL'^s5G
9 nU^T4$
%Ke*Qi
{"{vIt
Jk}~}BoDGN=
4(Y_Pj
Xo-*mliZ&
1(r%db
rsj@yB
K9[+;j-jOr4/{
ji%8ij)
Z4q,TAp
2|!GjK2d
OK/+?[
z[%h*!
!M&/GR
!s!!$t$
!z_!3*,
`?Lw>=
A;)G!#w~
h6j)CP
SO=EX4
*GKn[Mo(C2d
E|2~? Ul1B
i2h?2?2
2j8rt?7
Mf(J2^9
]_2_Ir
11.K?xh
)wZbxl|
r"djy7
E]vpc9bmJ
dh=6aP{U'~
_[:Q/,
Z2nJ<> XNdWIW$4>_&
f( P8#;7WTWB\;
qeHHQW
(vCn3WvB
WtWqRWY
)w\W@Rl
%970ef(
yJi;+<8
KM?%9}S[4lk}
Byl@fGIz<~A
>YtBK>E{R).*=H1
>"+b/##gzqqRF
/Tt(b!
`dq/[&)v
r&)**?PHB)@`NI?
}7h%k*i
mlW/i)"
WN67<`t
qf5[zJE/
r Sr)?
G%j1hzWigG
pZ>%`9%%%\B'GGz3S+
V%]D9GG
KIG%G'
?Gl%wuVK6G?%@j%Gu
!k?}~f
UZVEs<.<Q<
q8/Jup
IBdJhgd
=\P3~3~E~Z~]
; gN$xu1^
aT9y6W?$Gb
~~~~Q_
UW?z;m
ndnin vnisH
nFnin)~B
1o4*inn1|
]55JKmc
rHShqBv
FcGx(r
?|$5mFg
FFE^t*Ip
h|75vyL5,-I
Jgyx\5pR+j
fk'-#U<5
$"$s-
#jHbVc
/LTv'qAh
+;ZAk}
/!9GzoL~
{{C%]9:BSr@
{M>m9z
Xb_E&<
%tq&ov-B(
OOs+E]JJ`
zsx4H^4
[8UUQEKoo
+d}(MZ
TDw~*90|
#Avvv./
0.v=.Q*.D*Z
K-PvVv
M>v*j{.
JWNf@1vJ
..H$.,T.
e$I9YL
BHw^sU
8VB3=@i
EB4%Bloc
IeWE iHtT
v]myf_@<hB
W$'.9Frd qz
O*cSl[{`
K`qlWg
WbaqtZ&i@Cex%.
4sD4EfHJ~t,L
Ril>z9-:9
ND\6*4T
7u13[d
`gt egj,
oKJ#L2
i-8d\,x;
/ 7bj
K(^K?>N
X;?1|-8M9n8^I
28I2C;V
8YX888o
H]P_2v9
-0TeN;L>n>D
]PnOv~}3[
Z km$#
mhD"G'+kG
G9fGv.GG
J5X"]3uZc
r2(7:GG>i3=\b$9t|
LJ68Gu
oeA6C2& xs
_o8I]#"
D%vw8IU$p
xO<up#!%7e
xD?fd)Ztv
),DFQ):
U39??fWo!|E
Z`v?DAg)N
])U?'4jk
dVlkc0
rJ`kIzU
b;@^UG.r
Ug[Ft7UUya-,U\F
7'$U!8
AU-UwU{U
PyfAl~"
rta*DGOgR1+
%)A@]}]
~If=}}x
xrQcxxZtx
t5/utxbERGh
xb*d.n3
F;:\on
xyx]J]!
u1g>9A#@
>O^]p>5>+7a
G>7(; >z}
<;V9<'LS
v!>%vHiL]>
H>^>qo
}k~3 }*)C
,i_Rc5x!R
!2m{O&,xxX
?:<If(
^Ik`[9X
[[*[Vvfrq[*[w|[
[[+iK[Xal#2K[Sx
:0v<[GXt*
IHDbq}
2hl6jC9g
=91R1o1Msgr
1a2aRO1
mRo#,!)
pkY11kStR1Q
1-b+t&Wf
fR7RRvj
XRITRR
XRZRRRA
RZRm/RCh
RRLm.\}& C3
T!,bxOC(!@Axxx kxag~x
RJ,Hjqy_z_xRK>3.
qxVetb
jx3It/u
tQ_lrj9
Ug2w'V
OJnP/CNa&
"L+32~
3GSc#mAi8
L{{-.s
qe+wob5Hl
E0p5 &
X>"Qmo
3govkL44
aM$uom
3vV|'YKh
Bb>vndLL
T5T bT#&
za86$ZKE
R9TT$C*zTA
S2&eD=>\t}lRo7uOn
/m'f%]
#Q,m X9r<B
uJZ0E#
{Hh{dw/
SDrN{{G
X{@{*V'aR'aJ
guuub/
u)upouAAw
))u)u(l+2C
,WH)u)2Qu`u)se-))
}c/gD)
j))yY*uVI
^2t ~-DVtm
6>-I7h~
(^8q|O
%`'F( _k{!5
n^h@0=
ukhvyIJ
_J%Oq'
hYOm3'KkW
iFY8il
uCRfsdX
s7~d0>i
eCnrxp(e
o2MRz/E
ZxM{"m,B
%LYl\4[p
0ip"D21nJi}
I|s{#K
O_DTbzMfiD6
}~&0Pp
40,1\"Y/QcuNVY
_Yu 7k!
8RARwRO
j yWc&
6^B=V5
cejO@|
V+F&T9
8Tz}=T
POc#-%
#u#+L:
='3z#~#Blt?#9esNc8L#>?Hrp[f
5ACV>`
"oE*teL
j.x-RX
+$|rX>Z@v
-}x6)Api+
24BX6,
~tf~ z"X
XX\ W @ YJ T
X= uoYE%c$
%XEX[/V8X
c t@cXD^
!0]9&Lj
69o)+z
"<gnXjP"SD]N
ElRp2B
z/Sv(B
CuK8 P
PPPjBPSP+
.v!~=blLPM Q
PXOP<C
PjPJQ9jjcjj
PD<%Sj
p4;VgDvnxjd;(jXQV
jt\4PV4m
jL<{5\,s @4
hQPuP
Ptx("Mss
?lK ^bY5
%z=<c6Cb
*&P-;j}O
cnQTU%L8
h;dypIS^&m}b
BzQ^ZNF p'
mK~gmNU*m
wz8X *k@hm^
~Tq073m%^'_mm"Z
CmE8o&}[Xoh05)
[-*Gmm4[`m
((<R9QKd&5=t0-
(S~}(.KF(
o@h(LBo
(P=_:(
MnMji~
7(6{J>
)%E*Vx`
'll(9C
z(hdbsq?.p(1(y(u>zul
T(7pr\
)+2T2c!bz
f% iDeF
AY>-WB
FXt_f0:gyfffP
alLztp4RFo
Kd~!fT@
|*`S>mv:K.fNf\yHwM
fl{<};\
f$f3fs
oIs_@ 0W~I
vvyH2,0~wv
/Kav=vP
GodP=F8:1y
(U@3Q`
#-2&_G9(O
2;9;;f
60\I}x7
") U6E47?d!m
3. 4?2"j]e/ax
{az:o_nO|
^wyQY*R
hw4u.b<=
"E=qKY]
~;f"0g#.Fb:
1S\Q9}-fN=g=?m
{zvr.w;
2{l`pFoIHf-
9WaDnm;
t&z&.GK
;0[>;/
&R}1)]3
ac<is!
T8m@#E:
.=7'\rG3
9;\P`"AU'W
,A&X-g
<3sXZ6I
|?^2}h)
U3D4S/UBND}bItFT
c!nQ4=
/B,.Z.
v.>[T8v!G
bfQH>bbGQs
Qbi1+ymVzC~~b}
xbe Ol
iG:w$U?|b*bb'
y]z.z93n
[CM2!?PxJ"2
7-(YVi
!j?<bd\
BG7Le"3<8:NH'l`|+
'3Y33} C3OD''PX?3#
3339 w@3,N
[1u333BA3G9M~(xRw3
jb5 8}H8H
?A8Ht@H~Hho88&g*
7HH(:GgH8W9AKT
o"]m|SfqV B
{fU6^b
NI3^GW
o"e*5FEO
T!\IC95/
m-X5::oi&
c2J2%LY[M
}KUmxD
[5}Y_~
f]HGN$si
H{=V)kP}
GHY&~t
=_t~aXH!
hHTHOx#
x!LhU+UxHcA9aOqO
xgO\x}OxX;
Ox}OOd'6=eY]OL
d^P-/{$;q
gF>[5Hj
4G jXPlv
Q9,t(
[_VV(27=
1`*5d|A$
0p,P\&:K
U)]@C\f^
[~j!w\o\
Bx\uwx\\h
RHa-\IIS\
`jt[K\
^QD28h
DC1J)3
mD'Ip({-IH
r;bvpDH[D
MDhK*DmD'~5
T0`E"z
4btg`n8n`:aahW
NM:Dz9(&
i8Xj90S1lLG
&V*E{L
`c,u(3F^r*}]Mm}3DO
^]Rey|
(ry-+~G9xW~
$6bZL-
Tw7l,YOW<
3V*AA*(*T
EA[Gg.A*A*G@Y,
^AAgjwhtA
hA!,o*
Pe3)sut<k7i[
Ct{4s^us
sJ)esm
Fs=r-{
ssr`:Gu`ls|!
I1|(&|t]+
DIROO[9MbA^Fsxc
Wk8D4Em}
e|e[:u_k/:G;Lrh{
KI, sPaL
MDl4|3dk
0I*J0$O
!;D%cfOZs1<<'ToPe%
%!%%<%;(u
j%ec{%
]G8I%K
@$]Du[
>Aih}j`lFMSWF,
,d{5#Fx
.F?_8RQ3F|
<HB;;&a
#F=aWE;h~Sn~7I*I1J
u1,=zE=0
EU)x1=1Vi21Z_ 10
Mn>pt%1
U_1K111$A
1M2]xL1
3BV >J
QQJ?\]Q
Q3u(Bm
3hR/{?
vjz3J[K
y5KxZ$[NKv[
#q[)[+/V077[[[4
uA4& ~y
SU[,~K/
s=7y1A
DQV $n7U^
N$X5HTGb
p<Gp$4_[
3$qTJj5$q
-AK%~g
$ZF@Ab$e
3$@7lKBGgc
-Y4g% Yg6Ca
-k|m#g
'4''g5
1WgL@&
pq$Iq9x
K<Diq5
q#`6q!n^qehK
>7qHaq>}^q
!~sI q
'Tqqqq,0B
I"}C}+h4<Q
*a+YEx5.
UV Z^ky}
|ryB]ky
l[uB.bW
nScp&u
yUFp?Q7]ySXz
vf-y0=
4za3a$
aA9Yu2_>j
:jV*Q-C!?7
EY5\}[N
I,3v}^$
Ed=&H"
3Zl\ZaM@ G
*6|_6W{64Nb-*
, Wbca:\.y#xA:NBb T;'"
[.]LN^|Lb
*}z7D9
XoR T&
CVM$5 `
wIz*z$lhhox%PC
B*$of`o
[,6/L
,A4,moo,609[, CNU,oK[X
,S>8#U,JdW_sYs,,
,o,b,;Xo!ef4H5-oV
t{Kz%89R
`>/9kz
l=}%t>j
Q4qtt?!F
It,1k5C
tytEY %t
r^wG,it
Bt'p]t#
$-tCyKl
|dzYQz
2jW_9--|u?NgQ
#z|Wt@
p)0Iuku
(!Wb?d
\BB3I')oS
|:6*|^5-P(R|
KZ<1P *
|eB8lKrc`
\$w[q+
a6 ^%[[
XpE7?}
CmDq7_k37
9|.r78
E U9(R:
VD$5KYrcI&
hMdDqH""
0veswx`
FyG_ Z
lc[i7Y
xe@}kR
o__lsTZK*_^p
ONN[#qSY
*N8q#$q
xwxwwwx
@Fd,c>
<8I\4(,JX-9>50`])^
j03Z7),,UP
*!5=/^
e`>2(3.$
8EM8h1L,-;+6',
52~F]]
pwpw{w
wwwwwww
wwwwww
nnns=sH%P
@;;H<>
;;{;;h
;|aQFm;;
;F;A:l
4qF;=::F;
E;0;;OFB
WCS@WFPJ
qrIOWW@C
DB=7}$
IoijDjjij
FytLvo
qwELXF
HDKHzDD
;);"ue
CRiV`r
g{`{Ca
X\~33\
BHwMJHYHDE
3UqOO$OS1#
OONOO8
pwwwww
.48(0=
%1*>e7[_=A
:)F>7d/
U-I6cqH
H8,0a69
8/)ye;^H
(D]J\DUjP
lu{l|l
ly}bnl
o p?
wwwww{
w{www{
wwwwwww
wpwwwwww
}A>U4kF;
;;;;0E
|a;EWAG@C
qqBFqq
Z7oJsJFH
B\s;D<
GBDa;\
;>=\x@
OqaDv;
>D<<{<
IDI(I{
DjIIII(II
JA;AX_AJ;k
DZ}xF;|
eu);"F
``{R``
[[[rCF
VVV[R[[
i`[[`9
Fq'''e''
'x]'x'
YD_^h<
(rxrrr
??!K?_}iu
EzG!HE
DBYDJeH
cleilu
:mfI<s
Vts ms
<ssssuo
aonscsarLEss:lAs setac=lhk smum>/ xtieolqc:sLfv" aee<e-e> svivasua eug
xaovd<nsa saeco=i e
aanodceeiIdvle yuqe3rms a>e a
ete s.eeaeEsr"eqP vur lnet r ->rasf"i
a<rsi"etseatrs escsmcaisctGAD AXPGeNq
IP>yPioXyDyNIDaDDP XGeG IPAsd AIysuDr IIDyDyey<PIXiyGeDAINcDDAXDNy
<e t>XDIytDiXDAnXIDNlN yfD yXGNA<PPNNDIuPeAsPGAGXGsN mPD
GPNXPGDI
PI sAPyyvGuyyDNDXgA//NlArXX</rbDDP>>GDDst
terl=5 04kx6410G6060088S>4<
E30<464i
<844]764?0:ZD
z8061_06060W;_m1Nkn<6D%4J14
0I0564d26036D
AD9>g0a530438
:4m360
004P965046
R04486;0\7D=9400>Y3x3R5%2223033=#
313400:8
03.0>10
3l0>>>3
C30463?33G?33?>?r>3>i3
b$>>253z32(35>33
3145>22
5?>3x?04>224u
3??2xtc6:<:t
5$^7::8:
;:=8::::;:5C<<56:::56:79+;5
6978{:0
Z;:8O\
<6e::9$:66:;8::U;679:M:
;q;<497<<7 j:878<<::7
_:<:6G@7<;8<;z:<
:q699:
:8O5:::4
45?4c=6408
2=F8842
8O7?:,0>42=5Q267LqYTLN==7?
40^7i886
.>8^2+si76?82>L>L7L8LL56L78287
?"77L77741==8cLr=L8??6=>YL[>L1\545?
* L?L5
8208wwXL7&y
?>?;Zo
9?;<<=
>Z>;<:
:;9T:;>8
F;?G?9<>-?;>@?>?G:9;?d!?h
9>?t(;:;9>;?R?dSz;:;;;=;;;^;:i;
;L;?<??^:?>8
.;:??<;=>>;v;;:N9
?BO<;5;?;?:?;=?J95657
r1._6@0
2N41811
]3?4661
349443277
88@2805#7'49802
1#90(9?1
4111215175
6?2{u0
>:~ 6t0?4;02:=3
210?>>>
?=3>?$3/,$9<
954;?5
39930l3<(?,<M`
>HR33$=?3Sz;4w3P14
33=139>?><>?=<39
??(3_0]0>><3<0<><>9E?&3
8679765q
%U:H85:1
466L<IP566F4:
Y9>4:7av6=47
S8l,7+:4>659`>:o?@77474*:#7
:_w6!A6
}:6=96=6AL66<;6:6
)6>:i9434`6R2=7
<=5(76;3<464:}
7d Y:;=?>>C1<0
:99::X
;p3$9<
3(;84$
==39;;1;:9<:@0<:9
:3939=
9<::|<
12LH3X33333d43\35(444454435d<4454334353d3433@34h`43435H43544
354435LT3`5
3\,p43D3343 lt5345x8535
X3043Ph3`44535|3
343t4L354433
\33x35|4X4
34344335pT3P3$43(
CryptBinaryToStringW
GetProcAddress
LoadLibraryA
RtlUnwind
VirtualProtect
GetModuleHandleW
GetDlgItem
GetDlgItemInt
GetWindowLongA
__GetMainArgs
signal
?Initialize@FSN_FILTER@@QAEEXZ
??0DSTRING@@QAE@XZ
??0PATH@@QAE@XZ
??0ARRAY@@QAE@XZ
??0ARGUMENT_LEXEMIZER@@QAE@XZ
?QueryFsnodeArray@FSN_DIRECTORY@@QBEPAVARRAY@@PAVFSN_FILTER@@@Z
??1PROGRAM@@UAE@XZ
??1PATH_ARGUMENT@@UAE@XZ
??1FSN_FILTER@@UAE@XZ
?ValidateVersion@PROGRAM@@UBEXKK@Z
?Usage@PROGRAM@@UBEXXZ
?GetStandardError@PROGRAM@@UAEPAVSTREAM@@XZ
RtlFreeHeap
RtlAllocateHeap
CRYPT32.DLL
KERNEL32.dll
USER32.DLL
CRTDLL.DLL
ulib.dll
ntdll.dll
(%QP|*m'Pz
eyasN5
ZE>27+
dIiPL}wTo\%
.~;=S2L$!
kCpyZeXk{eD%
_v/KXuBS$
FFW[3Ewn\;ey
4>$,M#<Wz
k@&2!X!oP
'lJ0{;TdS
VBXVA` sk:#`
V+JYqH\
i6Vh{-3
I_5O6xQ
# Dzzi
OZ:'oes?|M!7
AF@"%|Uj* R-
H+bigrez
.rvSd8bL|<
p ?NCT
\F[7t iSvX?
X'(x}h9g
|'~P6?eLoN
oN;:eo>KA
bvLbPGgr
=oU{T|VJ
BV~4u+wQ
iN?XKg
lM)g5Ey,
t{FYzw;~b%~-
%Vg([_Pu
p�p�W�e�i�M�
%�W�H�%�P�s�
a�a�a�a�a�x�
Process Tree
- 0d18b5c032c0557fba87537b32341a1eb92ad33c497854469c92b47a3778b970.exe (2160) "C:\Users\Administrator\AppData\Local\Temp\0d18b5c032c0557fba87537b32341a1eb92ad33c497854469c92b47a3778b970.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 7cefd45401859c64_iqbjnwa.exe |
|---|---|
| Filepath | C:\ProgramData\Mozilla\iqbjnwa.exe |
| Size | 154.7KB |
| Processes | 2160 (0d18b5c032c0557fba87537b32341a1eb92ad33c497854469c92b47a3778b970.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 40316a7c10dfc949da4798d5a787394f |
| SHA1 | 599ab650b77a7f09414a8260961af18f587c54ab |
| SHA256 | 7cefd45401859c643fe5700461ea8fa680785299e6dfbd4ac34037d6cfc880db |
| CRC32 | 3EB74B3E |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.