2.4
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.76
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20200220 | 18.4.3895.0 |
| Baidu | Win32.Trojan-PSW.OLGames.bm | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200220 | 2013.8.14.323 |
| McAfee | W32/Fasong.worm | 20200220 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b8b03d | 20200220 | 1.0.0.1 |
静态指标
检查系统中的内存量,这可以用于检测可用内存较少的虚拟机
(1 个事件)
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(3 个事件)
| section | CODE |
| section | DATA |
| section | BSS |
文件包含未知的 PE 资源名称,可能指示打包器
(1 个事件)
| resource name | LARGEICON |
动态指标
检查是否有任何人类活动正在进行,通过不断检查前景窗口是否发生变化
一个进程试图延迟分析任务。
(1 个事件)
| description | winlogon.exe 试图睡眠 337.129 秒,实际延迟分析时间 337.129 秒 | |||
在 PE 资源中识别到外语
(5 个事件)
| name | LARGEICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0001f394 | size | 0x0000ae00 | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0002aa3c | size | 0x00000ca8 | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0002aa3c | size | 0x00000ca8 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0002c810 | size | 0x00000014 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0002c810 | size | 0x00000014 | ||||||||||||||||||
在文件系统上创建可执行文件
(2 个事件)
| file | C:\360Downloads\winlogon.exe |
| file | C:\360Downloads\EMZ.dll |
搜索运行中的进程,可能用于识别沙箱规避、代码注入或内存转储的进程
(2 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.rsrc', 'virtual_address': '0x0001f000', 'virtual_size': '0x0000da00', 'size_of_data': '0x0000da00', 'entropy': 7.2232505773384235} | entropy | 7.2232505773384235 | description | 发现高熵的节 | |||||||||
| entropy | 0.35275080906148865 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 63 个反病毒引擎识别为恶意
(50 out of 63 个事件)
| ALYac | Gen:Variant.Ulise.85815 |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Ulise.85815 |
| AhnLab-V3 | Trojan/Win32.Xema.C2426 |
| Antiy-AVL | Trojan[GameThief]/Win32.Lmir |
| Arcabit | Trojan.Ulise.D14F37 |
| Avast | Win32:Malware-gen |
| Avira | TR/ATRAPS.Gen |
| Baidu | Win32.Trojan-PSW.OLGames.bm |
| BitDefender | Gen:Variant.Ulise.85815 |
| BitDefenderTheta | AI:Packer.5B9664701F |
| Bkav | W32.AIDetectVM.malware |
| CAT-QuickHeal | Trojan.LmPMF.S9353433 |
| CMC | Trojan-GameThief.Win32.Lmir!O |
| Comodo | TrojWare.Win32.PSW.Lmir.~CS@18imv |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.cc95dd |
| Cylance | Unsafe |
| Cyren | W32/Legendmir.JFEX-6935 |
| DrWeb | Trojan.PWS.Legmir.435 |
| ESET-NOD32 | a variant of Win32/PSW.Legendmir.APK |
| Emsisoft | Gen:Variant.Ulise.85815 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Legendmir.BON |
| F-Secure | Trojan.TR/ATRAPS.Gen |
| FireEye | Generic.mg.9b42d9ecc95dd5c6 |
| Fortinet | W32/Fasong.APK!tr |
| GData | Gen:Variant.Ulise.85815 |
| Ikarus | Trojan-GameThief.Win32.Lmir |
| Invincea | heuristic |
| Jiangmin | Trojan/PSW.Bianfeng.g |
| K7AntiVirus | Password-Stealer ( 00009f451 ) |
| K7GW | Password-Stealer ( 00009f451 ) |
| Kaspersky | Trojan-GameThief.Win32.Lmir.apk |
| MAX | malware (ai score=88) |
| Malwarebytes | Spyware.Lmir |
| MaxSecure | Trojan.Malware.1375767.susgen |
| McAfee | W32/Fasong.worm |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.ch |
| MicroWorld-eScan | Gen:Variant.Ulise.85815 |
| Microsoft | PWS:Win32/Lmir |
| NANO-Antivirus | Trojan.Win32.Legmir.flkeyd |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | QVM41.1.Malware.Gen |
| Rising | Worm.Fasong!8.297 (RDMK:cmRtazoLtRcsGA5EeVdcIxAUUK/L) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Lmir |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1992-06-20 06:22:17
PE Imphash
1fbc6f0c978cf07b69c386362600bcad
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| CODE | 0x00001000 | 0x00015840 | 0x00015a00 | 6.438009487083482 |
| DATA | 0x00017000 | 0x0000057c | 0x00000600 | 3.7621136495382386 |
| BSS | 0x00018000 | 0x000007b1 | 0x00000000 | 0.0 |
| .idata | 0x00019000 | 0x000010ca | 0x00001200 | 4.718212282444236 |
| .tls | 0x0001b000 | 0x0000000c | 0x00000000 | 0.0 |
| .rdata | 0x0001c000 | 0x00000018 | 0x00000200 | 0.2044881574398449 |
| .reloc | 0x0001d000 | 0x00001ab4 | 0x00001c00 | 0.0 |
| .rsrc | 0x0001f000 | 0x0000da00 | 0x0000da00 | 7.2232505773384235 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| LARGEICON | 0x0001f394 | 0x0000ae00 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_ICON | 0x0002aa3c | 0x00000ca8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_ICON | 0x0002aa3c | 0x00000ca8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_STRING | 0x0002c37c | 0x000002c4 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x0002c37c | 0x000002c4 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x0002c37c | 0x000002c4 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x0002c37c | 0x000002c4 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x0002c37c | 0x000002c4 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x0002c37c | 0x000002c4 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x0002c37c | 0x000002c4 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_RCDATA | 0x0002c650 | 0x000001ac | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_RCDATA | 0x0002c650 | 0x000001ac | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x0002c810 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_GROUP_ICON | 0x0002c810 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
Imports
Library KERNEL32.DLL:
• 0x419218 WriteProcessMemory
• 0x41921c WriteFile
• 0x419220 WinExec
• 0x419224 WaitForSingleObject
• 0x419228 VirtualQuery
• 0x41922c VirtualFreeEx
• 0x419230 VirtualAllocEx
• 0x419234 SuspendThread
• 0x419238 Sleep
• 0x41923c SizeofResource
• 0x419240 SetFilePointer
• 0x419244 SetFileAttributesA
• 0x419248 SetEndOfFile
• 0x41924c ResumeThread
• 0x419250 ReleaseMutex
• 0x419254 ReadProcessMemory
• 0x419258 ReadFile
• 0x41925c OpenProcess
• 0x419260 OpenMutexA
• 0x419264 LockResource
• 0x419268 LoadResource
• 0x41926c LoadLibraryA
• 0x419270 LeaveCriticalSection
• 0x419274 InitializeCriticalSection
• 0x419278 GlobalUnlock
• 0x41927c GlobalReAlloc
• 0x419280 GlobalHandle
• 0x419284 GlobalLock
• 0x419288 GlobalFree
• 0x41928c GlobalAlloc
• 0x419290 GetVersionExA
• 0x419294 GetTickCount
• 0x419298 GetThreadLocale
• 0x41929c GetSystemDirectoryA
• 0x4192a0 GetProcAddress
• 0x4192a4 GetModuleHandleA
• 0x4192a8 GetModuleFileNameA
• 0x4192ac GetLocaleInfoA
• 0x4192b0 GetLocalTime
• 0x4192b4 GetLastError
• 0x4192b8 GetExitCodeThread
• 0x4192bc GetDriveTypeA
• 0x4192c0 GetDiskFreeSpaceA
• 0x4192c4 GetDateFormatA
• 0x4192c8 GetCurrentThreadId
• 0x4192cc GetCurrentProcessId
• 0x4192d0 GetComputerNameA
• 0x4192d4 GetCPInfo
• 0x4192d8 FreeResource
• 0x4192dc FreeLibrary
• 0x4192e0 FormatMessageA
• 0x4192e4 FindResourceA
• 0x4192e8 FindNextFileA
• 0x4192ec FindFirstFileA
• 0x4192f0 FindClose
• 0x4192f4 FileTimeToLocalFileTime
• 0x4192f8 FileTimeToDosDateTime
• 0x4192fc EnumCalendarInfoA
• 0x419300 EnterCriticalSection
• 0x419304 DeviceIoControl
• 0x419308 DeleteFileA
• 0x41930c DeleteCriticalSection
• 0x419310 CreateMutexA
• 0x419314 CreateFileA
• 0x419318 CreateEventA
• 0x41931c CompareStringA
• 0x419320 CloseHandle
Library KERNEL32.DLL:
• 0x4191e4 TlsSetValue
• 0x4191e8 TlsGetValue
• 0x4191ec LocalAlloc
• 0x4191f0 GetModuleHandleA
• 0x4191f4 GetModuleFileNameA
Library KERNEL32.DLL:
• 0x4190f0 GetCurrentThreadId
• 0x4190f4 DeleteCriticalSection
• 0x4190f8 LeaveCriticalSection
• 0x4190fc EnterCriticalSection
• 0x419100 InitializeCriticalSection
• 0x419104 VirtualFree
• 0x419108 VirtualAlloc
• 0x41910c LocalFree
• 0x419110 LocalAlloc
• 0x419114 VirtualQuery
• 0x419118 WideCharToMultiByte
• 0x41911c MultiByteToWideChar
• 0x419120 lstrlenA
• 0x419124 lstrcpynA
• 0x419128 lstrcpyA
• 0x41912c LoadLibraryExA
• 0x419130 GetThreadLocale
• 0x419134 GetStartupInfoA
• 0x419138 GetProcAddress
• 0x41913c GetModuleHandleA
• 0x419140 GetModuleFileNameA
• 0x419144 GetLocaleInfoA
• 0x419148 GetLastError
• 0x41914c GetCommandLineA
• 0x419150 FreeLibrary
• 0x419154 FindFirstFileA
• 0x419158 FindClose
• 0x41915c ExitProcess
• 0x419160 ExitThread
• 0x419164 CreateThread
• 0x419168 WriteFile
• 0x41916c UnhandledExceptionFilter
• 0x419170 SetFilePointer
• 0x419174 SetEndOfFile
• 0x419178 RtlUnwind
• 0x41917c ReadFile
• 0x419180 RaiseException
• 0x419184 GetStdHandle
• 0x419188 GetFileSize
• 0x41918c GetSystemTime
• 0x419190 GetFileType
• 0x419194 CreateFileA
• 0x419198 CloseHandle
Library advapi32.dll:
• 0x4191fc RegSetValueExA
• 0x419200 RegQueryValueExA
• 0x419204 RegOpenKeyExA
• 0x419208 RegFlushKey
• 0x41920c RegCreateKeyExA
• 0x419210 RegCloseKey
Library oleaut32.dll:
• 0x4191c4 VariantChangeTypeEx
• 0x4191c8 VariantCopyInd
• 0x4191cc VariantClear
• 0x4191d0 SysStringLen
• 0x4191d4 SysFreeString
• 0x4191d8 SysReAllocStringLen
• 0x4191dc SysAllocStringLen
Library shell32.dll:
• 0x4193b0 ShellExecuteA
Library user32.dll:
• 0x419328 UpdateWindow
• 0x41932c UnregisterClassA
• 0x419330 TranslateMessage
• 0x419334 ShowWindow
• 0x419338 SetTimer
• 0x41933c SetRect
• 0x419340 SendMessageA
• 0x419344 RegisterClassA
• 0x419348 PostQuitMessage
• 0x41934c PostMessageA
• 0x419350 PeekMessageA
• 0x419354 MsgWaitForMultipleObjects
• 0x419358 MessageBoxA
• 0x41935c LoadStringA
• 0x419360 LoadIconA
• 0x419364 LoadCursorA
• 0x419368 GetWindowThreadProcessId
• 0x41936c GetWindowTextA
• 0x419370 GetSystemMetrics
• 0x419374 GetWindow
• 0x419378 GetMessageA
• 0x41937c GetForegroundWindow
• 0x419380 GetDesktopWindow
• 0x419384 GetClassNameA
• 0x419388 GetClassInfoA
• 0x41938c FindWindowExA
• 0x419390 FindWindowA
• 0x419394 EnumThreadWindows
• 0x419398 EnumChildWindows
• 0x41939c DispatchMessageA
• 0x4193a0 DestroyWindow
• 0x4193a4 DefWindowProcA
• 0x4193a8 CreateWindowExA
Library user32.dll:
• 0x4191a0 GetKeyboardType
• 0x4191a4 LoadStringA
• 0x4191a8 MessageBoxA
• 0x4191ac CharNextA
Library wininet.dll:
• 0x4193ec InternetReadFile
• 0x4193f0 InternetOpenUrlA
• 0x4193f4 InternetOpenA
• 0x4193f8 InternetCloseHandle
Library wsock32.dll:
• 0x4193b8 WSACleanup
• 0x4193bc WSAStartup
• 0x4193c0 WSAGetLastError
• 0x4193c4 gethostname
• 0x4193c8 gethostbyname
• 0x4193cc socket
• 0x4193d0 send
• 0x4193d4 inet_ntoa
• 0x4193d8 inet_addr
• 0x4193dc htons
• 0x4193e0 connect
• 0x4193e4 closesocket
L!This program must be run under Win32
.idata
.rdata
P.reloc
P.rsrc
StringX
TObjectd
TObjectX
System
IUnknown
System
;u3YZ]_^[
SVWUL$
]_^[SVWUL$
uZ]_^[
SVWU`A
YZ]_^[
_^[U3Uh
d2d"h0A
]US=(A
d2d"=AA
u3ZYYd
#_^[SVWU
YZ]_^[SVW
SVW<$L$
uSVWU|A
]_^[USVW
3Uh\!@
d1d!=AA
2E3ZYYd
E_^[YY]
UQSVW3,A
d1d!=AA
E3ZYYd
E_^[Y]
YZ]_^[
d2d"=AA
}3ZYYd
E_^[Y]
< v;"u
SV3Uh'@
d0d Uf3UX
F3ZYYd
Ek<1fU
SVWPts11
-ti+tf$tfxtaXt\0u
FxtOXtJt
Y12_^[F
uM3Uh5*@
EP3ZYYd
f%fUf?f
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
Iu9u_^[
PRQQTj
YZXtoH
S1VWUd
SPRQT$(j
ZTUWVSPRTj
Zd$,1Yd
t=HtN`
r6t0R=
t/=t&,*&"
3Uhn1@
d2d";~
P n_^[]
Ku^[SV
tG?=@A
^Portions Copyright (c) 1983,99 Borland
Up1UhD0@
QRZX1Yd
PVS_^[]
PQZXSVW
@ISVRP1L
JZ^[X$
thtkFW)w
9uXJt
8uAJt
t,JIt&S
St-Xt&J|
t0JN|*9}&~")9~
t@t1SVW
1Z)_^[
Mu]_^[
r*PRf8
u'PX%A
USVW}Q
3Uh\B@
_^[]UQS3EB
^[USEf
E3UhC@
d0d UE3ZYYd
]3UhVD@
d0d UE3ZYYd
USVWME]
3mEE;Et
u5];}}
MO|"GE
SVWEEEhH@
E8\u8Ex
tgSP/V
_PEPE_^[]kernel32.dll
GetLongPathNameA
gur3UhI@
EPEPPj
;u;tmC}
P^[]Software\Borland\Locales
Software\Borland\Delphi\Locales
t93UhK@
d0d ]ES
u_^[YY]
UQE3UhdL@
d2d"E@
t3ZYYd
32mt3QP
Ht Ht.I
+P6n@tg6\Hu]"F$0M@
H H$@Ht
QRPXZYx
@~!@PQ@
PRZX[B5pA
;6ZXRQ1
_^|HtE=
@aQYR@
b@"E@|oe@p+
BkU'9p|B0<RB~QC/j\
Cv)/&D
dEJzEb
9;5S]=];Z T7aZ%]g']
R`%uYnb
5{RPD$
USVW3\$
USVW\$
3USVW3\$
USVW\$
U3UhfW@
P3ZYYd
U3UhXX@
d0d -$A
U3UhY@
S] S]$SQRPj
U3Uh]@
U3Uh`@
Exceptiona@
EHeapException
EOutOfMemory@
EInOutErrorb@
EExternal
EExternalExceptionlc@
EIntErrorc@
EDivByZero
ERangeErrortd@
EIntOverflow@
EMathError(e@
EInvalidOpe@
EZeroDividee@
EOverflow0f@
EUnderflowf@
EInvalidPointerf@
EInvalidCast@
EConvertErrorg@
EAccessViolation@
EPrivilegeTh@
EStackOverflowh@
EControlC
EVariantErrordi@
EAssertionFailed@
EAbstractError j@
EIntfCastError|j@
EWin32Errorj@
ESafecallException
TActiveThreadArray
$TMultiReadExclusiveWriteSynchronizerUS
SVW3Uh"l@
d0d VWUxM
Es_^[Y]
BFKu_^[
9t*^ar
^[SVWU
| v;}
N|7 vU+A
4P[SVWQj
$Z_^[SVWQj
PWVSGu
$Z_^[Qj
PP`t4PM
u%EPP,EPEPEP
[SVW3W7PAu
5~(\>t
3URURURURP
EUE3RPEU`M
E3RPEUFM
1t$Far
)t[^_
D$ D$$
3w(_^[SV
9t%t^]E-u
*t"0r<9w7k
uPE.X_^[[]
+;}$EPEPE
sMf<sGf<sAf
EE54y@
LUSVW3
]3Uhy@
d0d fE
E13ZYYd
EEMf`V
f;\Fwb
E_^[YY]
]3Uhp{@
d0d EP
E^3ZYYd
E%3E_^[]
USVMUE]
}EPEff}
fMfEfkEdf
fLJfMfMf;Mr
fMf)M@
EZY^[]
d0d KE
E3Uhi@
URYUwYE
U%YUJYE
t%HtFHtgyUYE
UYUIYE
UYUMY}
UYYUY}
UYuNx@
7u/UqYE
u/U-YE
Z_^[UQSVWM]
q_^[Y]
U3QQQQQQSVW3Uh
JCDHyYU
JC8HVYUgC
JE*YUC
u3ZYYd
V3Uhw@
d0d EP @
U3QQQQSVW3UhR@
gQ_^[]
L$DdtA
PD$HPj
d0d EPU
d0d EPU
_^[YY]
TErrorRec
TExceptRec
D3ZYYd
t<HtHU
r3t7G=
SV3E3Uh@
UE3Uho@
d0d E{%
C++ Exception
d0d UsA
T9t7D$
@@F;}_^[
UVWMUu
;U|;Uu
JRK;\$
$YZ^[SV
$YZ^[SVWU3
+G]_^[
YZ]_^[
u^[SVW
_^[SVWU
IuS3Uh_@
d0d %L=A
EFE>EPt@
E3Xu?EPt@
m/d/yy
mmmm d, yyyy
:mm:ss
US3E3Uh@
`3ZYYd
kernel32.dll
GetDiskFreeSpaceExA
tN(;F,t;
PC C$3C 3C,C4
INFNANU
+E[^_]
N[YCV5A
N^$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)U@WVSE
<'t$<"t
33EUU<#t&<0t%<.t,<,t3<'t5<"t1<Et:<et6<;tF
-<#t'<0t#<.t<,t<'t
<Et$<et <;tS
-u2AF>0t
KE;E~10}
+E'-P@
00fJu2}
3m[^_]
< tN33
EEBN33
U3Uh>@
d3ZYYd
d0d -A
C23ZYYd
U3Uh2@
EStreamError@
EFCreateErrorH@
EFOpenError@
EFilerError@
EReadErrorP@
EWriteError@
EResNotFound@
EListError\@
EStringListError@
TList @
TThreadListx@
TPersistent@
TPersistentx@
Classes
IStringsAdapter
Classes
TStrings
TStringsH@
Classes
TStringItem
TStringList@
TStringListh@
Classes
TStream
THandleStream<@
TFileStream@
TCustomMemoryStream
TMemoryStream@
TResourceStream@
TThreadUSVW
QDKu3ZYYd
gJqYZ^[
SV3Uh@
Evp^[Y]SV
U)mUEEc
d0d E@
kUEk3ZYYd
n3ZYYd
Esm^[]
lisufjt3fqjUfej}
)v3ZYYd
MUE3Uh@
EZ8W8CNu3ZYYd
k3ZYYd
Eqk_^[]
Q<3ZYYd
USUEEPh|@
Strings
MMUE3Uh@
;u;N|0F3
oiE_^[]
SVW3UhX@
d0d U:U
E=oKi_^[Y]
E3Uh@@
d0d E3Uh
S$3ZYYd
Eh3ZYYd
ynch_^[]
E0rS3ZYYd
MMUE3Uh@
uN|)FE
uN|@FE
CENu3ZYYd
]MU3Uh
El3ZYYd
E~lf^[]USVW3
MUE3Uh@
K|#C3M
FKu3ZYYd
MMUE3UhK@
ENuE3ZYYd
nkXeE^[]
UQSVWMM
S$_^[Y]
Q\3ZYYd
EEad^Y]
d0d EH3Uhm@
+E3<kU
Q,3ZYYd
E6d3ZYYd
d^[YY]
E3Uh9@
d0d ;tdE3Uh
Eb3ZYYd
Ec3ZYYd
E\ijc_^[YY]
MUE3Uh @
t3ZYYd
E3Uhw@
Qh3ZYYd
E^,b^Y]
SV3Uh@
Ega^[Y]
SV3Uh[@
Q,3ZYYd
E:gHa^[Y]
d0d E3Uh@
u3ZYYd
`3ZYYd
Eyf`[YY]
MUE3Uh@
d0d Ez
K| C3M
`_^[]SV]
3F F$3F(F,
SVWUL$
$Z^[SVW
USVMUE]uE
]CN;};u~
UE|];]|^[]
d0d U3ZYYd
E"TW[Y]
;U^[S3
d0d U3ZYYd
EQSV[Y]
3]_^[USVWt
U3E3Uh@
P3U3ZYYd
UQSVWM
UTUSVWUE=$A
PKu3ZYYd
|S_^[YY]
UQSVWE=$A
vOKu3ZYYd
2R_^[Y]S
)3!SVQ
$0Z^[SVQ3
d0d U0}
u3ZYYd
EVP[Y]
[]UQUE
d0d E|
QYqUE#dUY[EQU|YHUY?U
Y3ZYYd
E|TNYY]Uj
S3Uha@
d0d U|q3ZYYd
E4TBN[Y]VWS
UQSVWE
3E3Uh@
C$S 3ZYYd
nMgh(A
^x3Uh(@
@3ZYYd
Ey{L3E
PyEE_^[Y]
TThreadWindow
PfzhrA
Ow3Uh<@
d0d =DA
d0d =DA
P\y3ZYYd
UQSVE3Uh@
^[Y]UQSVWt
_^[Y]SV
US3C(E
PGwj@jj
PRvTD$
$$USVW A
'EFKu3ZYYd
^s3ZYYd
U3ZYYd
ERegistryExceptionx@
TRegistryS
$FYZ[S
d0d EJE\
E2EPEPj
LMU3ZYYd
E`InCE^[]
SVWUQ3
3_ISD$
,HZ]_^[
P^mt$}E
USVW3EE
Plt$uE
2O3ZYYd
MaiStrUSVW3
E>J3Uh@
d0d EtH
FLEULEL;}
ELEP+B
H3ZYYd
ErKEE?_^[YY]
U3Uh)@
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
MMMMUEEH3Uh@
d0d EDE&GEE
EE=ABE
EE=E=E0EUDuEUDuEUDuEUDuE
53ZYYd
BEB<^[]
U3Uh1@
qB3ZYYd
d0d "BEvDvCE
2CUQD3
CMu3ZYYd
EA;_^[]
]M3Uh@
A3Uhx@
d0d CvBE
CMu3ZYYd
9;3ZYYd
d0d 3UhP@
d2d"UyE
yO@UyEBPZ+q
BNuUdyUB3ZYYd
'9:3ZYYd
D@.:_^[]
MEEC3UhV@
d0d 3Uh.@
d0d ?E
3EUH;Br
UAEu3ZYYd
:3ZYYd
EG?E??M9_^[]Uj
SVWEE'C3Uh/@
d0d ECA
4E@;|3ZYYd
m7<93ZYYd
>t8_^[]
IuQSVWUEECB3Uh@
$EPMUE
3j7EPM
EUuj7EPM
Uuj7EPM
UkuWEP
\?3ZYYd
563ZYYd
IuQSVWUEE?3Uh-@
d0d j7EPEP
E?EUQE5
Etj7EPEP
E`tj7EPEP
tWEPEPE*=
w3F53ZYYd
:Eh:v4_^[]
U3Uha@
kernel32.dll
CreateToolhelp32Snapshot
Heap32ListFirst
Heap32ListNext
Heap32First
Heap32Next
Toolhelp32ReadProcessMemory
Process32First
Process32Next
Process32FirstW
Process32NextW
Thread32First
Thread32Next
Module32First
Module32Next
Module32FirstW
Module32NextW
U3Uhu@
wrWlrL
UQSVWE
tT3Uh@
TCryptLibS
0123456789
d0d E05
33ZYYd
E2,[Y]
%EU oV
7%EUxnV
Ef0t*^[]SVWUQ
fDrFOu
FOuZ]_^[
-3ZYYd
MaiClientSocketUlSV3
Fu.8lelC(
l,&^[]
Socket
UQSVWU
d0d a,{
tG3Uhv
d2d"Ee0Pk@
-3ZYYd
%&3ZYYd
&_^[Y]
u3ZYYd
E'+5%[Y]
Client
MUE.3Uhp
;v@E*EP
E,PE.PG
E,PEu.PG
P[3ZYYd
I*3$_^[YY]
USVW3Uh
P3ZYYd
"$_^[]
PQU3UhE
Th_CLPFW@
d0d P2
j2SVPEY*E
SCP3ZYYd
E'!^[Y]
#32770
Static
Button
d2d"C
J3ZYYd
\\.\Scsi0:
SCSIDISK
\\.\SMARTVSD
MaiHttpDownThUQSVt
d0d CPUI#Sh
H3ZYYd
CLSH[USVW3Uh
d0d 3ZYYd
MUE]3UhY
URTR"3Uh@
d0d E*!3
E%E7#;
u*EU EP
E3ZYYd
d0d EZ"
EP\EEI
d0d EP
p ED E< J
maihttp1
SnEE U
SVW3Uhw
AE UE Ku
U 3ZYYd
_^[YY]
IuQSVW3Uh
tTEEPEU
EY CTUT
tTE)EPEU
EYY CTU
U83ZYYd
downver
downurl
downurl2
downfinish
DownMumClass@
BFWorkFile1007PV
c:\bbcct.exe
bbcct.exe
d0d EPEP
_^[YY]
uc3Uh,
d0d hH
?P3ZYYd
Kernel32.dll
RegisterServiceProcess
USVW3Uh
d0d j?j
EP:AEPY@j
?5?3RP
ZX}3ZYYd
USVW3UhQ
_^[]USVWMU
UEE3ZYYd
USVWMU
UEWE3ZYYd
errorbf007
SVWE3Uh
d0d 3Uh
FKu3ZYYd
UEN3ZYYd
UE3Uh A
d0d 3Uh A
jeEPEPu
3!7KLSE
C<u]3ZYYd
SVW3UhR A
_^[YY]Uj
SVW3Uh A
_^[YY]USVW3
UUE3Uh!A
UUE3Uh6$A
u>EoI\sA
@3UhG#A
IuQMSVWMUEE
d0d 3Uh8(A
Q4hp)A
HELO personal
Mail From:<
RCPT TO:<
From:
X-Mailer: Foxmail 4.2 [cn]
Subject: =?gb2312?B?
MIME-Version: 1.0
Content-Type: Multipart/Alternative;
boundary="----=_NextPart_000_000A_01BF9F1A"
------=_NextPart_000_000A_01BF9F1A
Content-Type: text/plain;
Content-Transfer-Encoding: 8bit
------=_NextPart_000_000A_01BF9F1A--
Iu3Uh5-A
d0d UH-A
t+EPEPEPU$A
EPMUER3ZYYd
mima_wenjian
fasong_youxiang
jieshou_youxiang
yonghu_ming
youxiang_mima
fasong_zhuti
fanggai_mima
smtp_fuwuqi
U3QQQQQQQSVW3Uh&1A
EUP=U<1A
kingsoft
kingsoft antivirus mail monitor proxy
v_3Uh2A
E3ZYYd
EP'3ZYYd
DllRegisterServer
DllUnregisterServer
U3QQQQSVW3Uhk4A
EuE*uh4A
u<3Uh3A
E3ZYYd
d0d h4A
c23Uh>4A
d0d E3ZYYd
largeicon
S3Uh?5A
UEHUE)
IuSVW3Uh7A
d0d EP
^UEUED}
Ef9u:EUE3UE
UE9UEUE9EU5EPEE
uz3-q3Uh47A
d0d 3Uh6A
d0d (A
#3ZYYd
P$33ZYYd
U4EPEEU8E
3p3ZYYd
3Uhi8A
d0d 3UhD8A
U3ZYYd
P:_^[]
3Uh69A
d0d EP
UEUEoE6<
E3ZYYd
IuQSVW3UhY;A
d0d EP
U06EU|
Q43Uh%;A
EPh <A
EPh$<A
R!E33ZYYd
`J_^[]
@echo off
del .\
> nul
if exist "
goto loop
del .\killit.bat > nul
killit.bat
U|SVW3
E3Uhr>A
d0d E5
EY1UEm
3Uhp=A
d0d EE3ZYYd
3Uh*>A
d0d UE
EUE0EE3ZYYd
G1_^[]
errors
UUUEE3Uh?A
d0d EUE33
En/EvPE=
/3ZYYd
E*/EZ3ZYYd
]]]ME3UhBA
d2d"EP
d0d 3ZYYd
H|c@EE
u63UhXBA
Ea3ZYYd
downfinish
down_isdel
U3QQQQSV3UhCA
HUE%UEU DA
UECdU8ChU-s<C8@A
qj3ZYYd
down_mumapage
down_ver
U3QQQQQQSVW3UhwEA
d0d ,A
EUh3Uh-EA
UE>EEA
Q43ZYYd
83ZYYd
B,_^[]
UEE3UhTFA
E3Uh$FA
d2d"EMlFA
S"E3ZYYd
EIEAO_^[]
Software\Microsoft\Windows\CurrentVersion\
U3QQQQQQQSVW3UhHA
d0d 6<
E8EXhHA
Q,3UhZHA
d0d UHA
PE%k<i
PE%k<i
heihei
errorbf007
send_time
down_time
U3Uh{IA
'3ZYYd
StopFireWall_ThreadSVt
SVW3UhKA
EUUdsA
u?F4U0t2F4U
d0d `uA
K|[C3M`uA
FKu3ZYYd
U3UhiLA
93ZYYd
UxSVW3
x|UUU3Uh4PA
E!3UhTMA
d0d EEPEP
E3ZYYd
#3Uh,NA
d2d"EH
}EPj EPEPEPi
\3ZYYd
d2d"EH
@E3E,E$
(EEPj(EPEPEPJ
u6uhlPA
u1uhPA
jifen:
3Uh$QA
d0d 3Uh
EsU@QA
ATL:SysListView32
UjchPA
U3QQQQQSVW3UhRA
d0d tA
3UhsRA
d0d MtA
E>~#4uA
Q43ZYYd
\3ZYYd
U3UhRA
BianFeng_ThreadUQSVWE3UhSA
d0d EPD4uA
Q4EPH4uA
cEDEH_^[Y]
U3QQQQQQQQSVW3Uh
EUE,VA
EKME\VA
GHUmbj
t&G0U$EMVA
E3ZYYd
#32770
ComboBox
U3UhVA
CloseWindow_ThreadSVW
U3Uh%XA
PassWord_ThreadUQSVWE3Uh
d0d EP04uA
Q4EP44uA
Q4EP84uA
Q43ZYYd
_.E0gE4\E8Q_^[Y]
U3QQQQQSVW3Uh1[A
EUEH[A
EU{EX[A
~<3UhZA
F0Mt[A
EUF8M[A
EUF4[A
{JEE3ZYYd
#32770
t^[U3Uh
MaiFileSystemUSVWMUE
3UhH]A
q[_^[YY]
UEE23Uh]A
d0d UE
c:\filedebug
UQEE3Uh)^A
d0d E_
MEEA3Uh_A
Pt,uh_A
sO.tD=_A
u3ZYYd
U3QQQQQSV3Uh}`A
E9UE`A
ECWu3ZYYd
heihei
U,SVWUEEE3UhaA
d0d U, En
ud3UhJaA
P,u@3ZYYd
n3ZYYd
-Z3UhaA
PRhtbA
SVW3UhdA
3Uh(cA
d0d ltA
P3ZYYd
$ZXu?E
$ZXu?E
P3ZYYd
_^[YY]
U3UhdA
C$Slfu
MaiWindows
LISTBOX
Button
Runtime error at 00000000
0123456789ABCDEF
%.*d_@
KERNEL32.DLL
KERNEL32.DLL
KERNEL32.DLL
advapi32.dll
advapi32.dll
oleaut32.dll
shell32.dll
user32.dll
user32.dll
wininet.dll
wsock32.dll
WriteProcessMemory
WriteFile
WinExec
WaitForSingleObject
VirtualQuery
VirtualFreeEx
VirtualAllocEx
SuspendThread
SizeofResource
SetFilePointer
SetFileAttributesA
SetEndOfFile
ResumeThread
ReleaseMutex
ReadProcessMemory
ReadFile
OpenProcess
OpenMutexA
LockResource
LoadResource
LoadLibraryA
LeaveCriticalSection
InitializeCriticalSection
GlobalUnlock
GlobalReAlloc
GlobalHandle
GlobalLock
GlobalFree
GlobalAlloc
GetVersionExA
GetTickCount
GetThreadLocale
GetSystemDirectoryA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetExitCodeThread
GetDriveTypeA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentProcessId
GetComputerNameA
GetCPInfo
FreeResource
FreeLibrary
FormatMessageA
FindResourceA
FindNextFileA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
EnumCalendarInfoA
EnterCriticalSection
DeviceIoControl
DeleteFileA
DeleteCriticalSection
CreateMutexA
CreateFileA
CreateEventA
CompareStringA
CloseHandle
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
GetModuleFileNameA
GetCurrentThreadId
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
lstrcpyA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLastError
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
ExitThread
CreateThread
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetSystemTime
GetFileType
CreateFileA
CloseHandle
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegFlushKey
RegCreateKeyExA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
VariantChangeTypeEx
VariantCopyInd
VariantClear
SysStringLen
SysFreeString
SysReAllocStringLen
SysAllocStringLen
ShellExecuteA
UpdateWindow
UnregisterClassA
TranslateMessage
ShowWindow
SetTimer
SetRect
SendMessageA
RegisterClassA
PostQuitMessage
PostMessageA
PeekMessageA
MsgWaitForMultipleObjects
MessageBoxA
LoadStringA
LoadIconA
LoadCursorA
GetWindowThreadProcessId
GetWindowTextA
GetSystemMetrics
GetWindow
GetMessageA
GetForegroundWindow
GetDesktopWindow
GetClassNameA
GetClassInfoA
FindWindowExA
FindWindowA
EnumThreadWindows
EnumChildWindows
DispatchMessageA
DestroyWindow
DefWindowProcA
CreateWindowExA
GetKeyboardType
LoadStringA
MessageBoxA
CharNextA
InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetCloseHandle
WSACleanup
WSAStartup
WSAGetLastError
gethostname
gethostbyname
socket
inet_ntoa
inet_addr
connect
closesocket
L!This program must be run under Win32
?2]-d>
String
TObjectt
Systema
IUnknown
x2 tpl
2 D@2 <84
gc@@@<y@@@@6O@Vl4T>
3^dow P
$+|$Jd
VT{;t#
URu lrdx
w;;t40
h?KAAy3;
ivtFHFC&>5
R 8S( @N
;s[s+D
d2d"h'8M{d=
to"t-]S%
|[NS;u
o Er";p
%%n[|Y
Q,+YHT8s
4pM7~K:nML
|v#q' k~{
c*Bc3*]QC
()EZ?X9
u,pU60
9,v(.U!
lwP (Y9
cPRQ-A&X1oPKKM
~K}+<9t
< v;"u
jD,?Ts
S8(P3T1
< /&KGu
+ 9uDJt
,ENHZ8
u0N4HJ%NHJ
+tf$xt
aXt\0'
2&F~x[)'c
1tHarl
\P*BFt
5E3P4B
Udnh/P3
OFTWARE\Borland\Delphi\RTL
FPUMaskValue -
!0t pEu,Ku
t!t?]}C
p:)B-UN2;
fP:XBaC
;oF 7nYv
C> <Qm
R ;;Zw:
w l'tCe
M[(P7 Rr|
'$Q (`~_
`l+ng@8t %
ACq?_(4@
lV#'"#[?
SBOag:j
AU\_#<8'ZTUWVS
i.RS{6=0@C#
xh[N-{
SH9Zd$,
r6t0R=)
t=-.h~"
BURZ#d]a#?
Mz'?<tp(7A4
$Y\S*qc;SC
:S| U~
%>6w%,~
+_8K0>9
xWm:
&@@0a.
1>:V@6+nRHf
A0<{>Z
itG&tr0H,p2
,];H0~Ik
;RCH|,uS(
^Ptions Copyright (c) R
V1983,99
~)`BOo~v
CZPnh?
Z).#/-Rf;0
BIWoukC
?Pn@nhyV
Ca]bA;
sqOEpPSRP
A]JYPDb;
~hIQkM|C
8'I#`pj
K,y+,,S5g*4
|*<}&B~")9~
:~R tO-@;1OWJx
@S%(91L[wHV#xnu
-[ #[(
(|4jZyg.P>fn
BlrcQT
#SG(PQ|
<1FXb{fsf32
mFuHXO
y04+0t
=yyyIUp
.,l54(
[9<5ln
#2]l;
1"Z@ v
:VM[.ML@Y
<dCRa}
a&W92:5W
U!b2z 5'J]
`Pi(3p
r#:j-q
pvf8?*Ef82
>u'5rX^j+
<o_f1po
nIn|'V
T&HDhp)c
978a7.7fuY
7(7(0y7
_^eXe'[:Y
kKf8*,|dr<Cu
#5#PXC
)~H_vq$"6b
M+~Q8iU
vvs4VC}
EF**BM3g]\xP
}USM)M
HO6|"G,
53{tIY.TJAs"
O9V_ R
G\ufMfv,<
/Xgc8|
526;,\ U@6
Akernel32.dllKGe
7VongPathNameA
tAl-r=
-n50c0JW
!!?dR=E7T
uFh%@ r
cales&
+-!;[tDA$
'YgC/0,[X
90<9F?]9
kQfl(Q.r@8Ub?d@?
}jt={s
(qq:grOHu
-n!RHt
.:Bn'iF
'6#Lt@!-
1WW`RZYg<Z6-|_fL
$eHa.
uH(+m4z%.o
]h+sYPt>
^V=Xf7Jo
`XhHtv
d@~!@W@%D
J[XQy P4\7kZtK/
Q/Y6P'|
Esd^G}BC
4.7@v:k
&D_n2xHW
@aQYR@
b@"E@|oe@p+
BkU'9p|B0<R
B~QC/j\
Cv)/&D
dEJzEb
9;5S/=];Z T7aZ%]g']
$Z_Vd$
^q5XQ#
%,zLI3]Y
tSI9B3/XRY
5yR/hKFHC,u7L+
{6@$L?
m OB(Dh
MP-:#$%3NA
dAhd`dA
dA($ dA
tagEXCEPINF
;3~ ?TypeLib
ActiveX
2 'QQPA
dnWAsS
rT=pTnOX
Excep["
G^agogzEHeapZ[G
EOutOfMe
mory/V
EIn]2tErr[W``Ba
t(L,a'WQdV
PWppQ2
EDivByZero#
RangeX W
X sIn(
verflow[|0
UdX0v/7
idOpWY,Y,8
k`P9kW
UndXZ48
C_Poin[
[P=~Casto[
EC%i/2^[H[HVG
EUssVla_@
xlek\V
[ Wa\jS`ck[\+
otjlCkW_0Varyian]
Fand_p9
Yacbrr[X
f8[^(
"^(Win32l("W
SafecalI
Thr\dAay7,+_F'K
p^(TMul}RylusW
~Synciz/
BFKE6Zc:SHD
R9v9t@*^
)[U@tB<
Fa,kpcD]
w$L@_x
#ZbP@G
3W#^}O9
`U?(\>MC
iI x-,
.\:vwP
!#23-b
4k71Gh
:O`4+d
jan*)FQP."E
fSoQ[A
QmK=^(L[^_33
$FyW )
zH_P4D@%
W<SVuG@s1
nAM(_K
}JE(V
~D,F+hk
t%Uuah[Z$s];}
NgTD*t"
0r<_9w7k
X(fkk/m;vw
JAYFD:r
B1 -sT5Rn<
O`{e)7
O-an_ P@
5`3U2^*nm|
ur/aPU
t"XP6z
+-F8}>
<sGAf~
L_aumQf
'QElxS.6H
h0'wr=u
ul}f;\Fwb
_')o$m
4rQ^pm
9Mn[sLJ-E;
32@o4 nU^
$JN coA2"^-
sA834fsMP;
?hfCDHeYdd
2$*r* }$
dB8<A&,sK,E
GXi0a`Xs9{.vwvtWFx0`
m;7a<j
t^^(@/P1<
(s$ ;x
L&>:(6{
Xw~%\N
VMt0Yt
|GuH$#H
vT]+2&\m!
D=%t5xH0P
Om|jE%"k(
7:6j@#M
*&+#H@
b`yQN}T
H1">?x
LxjQ-vv
PGU94@\
A7#({MgP
YSUA?<HtHU3t7G5(
P}@j0(1\w00
xcRCrw
Z>[2r2222r
3^+9 Cq
"(hQYpI
8zu*<2C+
#eUl` $$G
|H~8|#
zOp7<]S~
t^MaJf<Vo
l,HW=4
>^|tx}`
5rO9JHE/D$m?
CcO6 $
:dtl<65
%uM @F!Pl
\>.9A#?2
E= 1Xw0G
mw_/d/Wm
F,2'~
wTd >@Z
ejBw7$?
5a]*E lP|lGXC!L=
+DiskFreeSpa`bF37A*9
,F(RN-$hAk`B|
?;(3~,*
5N(;F,t
CWF-'2 ,
TH xxP$P DQs,
xSWj'<
vf*0/;
KoDavM
X>pT6,,B%
ftUd$0Mc
.UY#FG
9t+SHI
iT?XtM}
#SPAA,
?1NANu
Au*JuF
^$kv*@
---7]su
O#t&<0t-
3_5w~1<Et:<6JtFD@
}DPj.)n>
j[A+9$?nKb].
u4M'#4M
)2AF0Q=
Y<Munu
~1}=Y2Pk
00a2xS
)+@u/x4n
z$C<!H
y4 ,w~<0d?
TComServ
_ClassManager
fuH dl*(+Cj
Q|%OK
}8$H\*?4M
@g<^Lt'
Regix\
0,"O0rD"+2
|Pke+2
VMH+F%!w
W#X_A!Jm
QB-'S!
r@(umx}e{:F
c,uwGI
V`2{gbw
5O"V(a.ld9
y[Q:Q 2UwJr
VeHAI^F
mFa8)(Y,FD
Apar';/tmentFr
Bo$i"th#
N$U?~D
'SNdp"
a0q\(l
'YAlH1
CLSID\$
HModel/
K=gClsid
PgAjQ6{E
EdMi{9dAt
XssD.R4
,7DP.v1r
vzBTh\.U
@jS$&x{
'h.cSj
*HW*8DZ0HU,"
;R{INui\NP5
<TIlQL
&>oleCoCs
teInstan
i?Ftiez
AddRe*LDf`[
`)1Tj8m
lECDdKR<2M
E5IQH#VfA
l,e*If^4T!
u"6(x0U[
=hEB>33`<:{D
"t'ktMn
J PR@uknUx]t KY&\
^eG@)"Jx'
lu}mz5=
ZT'\Y
-E_10ph(K
w$v6RP
Rpo!"Iu]KkC
5R-oWaQR
Ul hOX
sG\Q_l73e
E:b@HNz3)
g/FTH^B8?UzP
!VOQ@c
b6,67I
`zOLEAU^TNDLLnF,HpbTa
!aX]5p,!KY
n~cxXh4!-
#DvI1)
OMAoTION
EMBEDDING
REGSERVER
VB+g32
%TSInp
$L =;2q,
{Bu#!3
=4I^!#@
hsheQ|
NNNN@NNN\r8
alsePTrueoW
cN<u uB*L8
bNStmN$A
M%G`F(%
;@pV@Wll
]:ls_|
llqPs"n`
'DIpsAdapt4}/sR
I=6Xw@x
N_^FK(
H8;$0
sOh d
+ik$O^$
DH^NOCi
+9%PM2`
SW9DP~_$
RkiV<U#S
V0# ,Q=
8CNuC<
n&yB1,_:(
0C0#3*p3.-
aIYE&jC.g J
[7!O;BM0
S#s)j%$pv
l@HHU
";un)F
FKu)$jYc$
Hgl-R%D<5L
$,` 9`<FR.
k;2B^HjK~R
Fj=Fv`
Zr6hT]
-a$*z*$ ED!c
HqZmB
Lr*,(
frIW"~{
UTC,Xu@
E3PCq}/0
a;#M \
@tkI9txLH`~HHx
| m#}!
u)mW[#
fVu6pTu
U%(gI>
78.(@}$8QK\,
&BT[hX4!D
J,lObFu%V
E3E!i^bT
FtkXr!
u[6\S"\
b3{;aw,
`X{&Qf]
s0+92Tje
pX)r_j
'$Mt]7
4"+3UmY
C)WG2$
r,y" lb
@|SQ)>@|{/MH
XuUq-b
si,Ox@b
TKPOe"Ftl
r S} Sr r
r S Sr
lC`6EJ! =BP
pv,+du
:h&xSxE2^
R&f<ch
j49F?$*
R1I0jgl
`gaW?$#
ge;yF0*f1vCU
zux 7'
vft+v;I
ls'_WE
6t,i9M
B"x2W`
BFWork
Bo1007h
c:\bbcct.
EXEGQu
Ig@t_he
T}-JPaU
k4f:J6{
#Yg+Hx5
E)uzMQ3d9p'A
}KA>U;
<R8ao%
uB,;{9
utp{P8
sY|{6*~B-<wN
HF\>b<+]
e-gx+f
lhI&hd`Yl
ecuteHookO
@hooa? 9
MicFs\@
#Adows\CuXpCB
on\GVpl
P"h8>P
\KPJTdP\,
pii@x4Ms;4MXP
RuSntime
at 0wo
0123456789A
BCDEF
\&4M]S4
<DLT4M\dlt|M4M4M44MiT
$i,4<DLTYh\Y
X Y, ZA
[H\\"d
273,nG+H
';cQsRS|GghQ
4;sR+K
t'7`RR5
!")G$E
@KG#!Ns
ccyA`g
C+pa+i5n9n
u-m.c)
+v"'ispw)&'
mw]7ao
fc-:ZH_kDXn&E
S}MH_;h}5p
c/^wxS_Sa}^2&
e,Ql7uys
#,E(+)7v
oKwKC#u
e?cC?4cs
5f-)E;+$g+
eE7aRGW
x9nl3t
fovb@g
;$2xEk+k
ba0I3G;X7?
r)]p;t
2;fWC/:Q
8;o5Pz_
BXAAA21
pQ56bwhH
)aW %g
[/ d,HMGF
oH 4 Ky%
SnCrcJ;
gS8,asI%
Tf".5K(h%^aQ
-w'Util
sag4OF)
U#M\EOl
MakePW
Q; PHOOK)_TLB]SDa
mKKaF(S
VirtualQue0J
AttVJcvbu
XOf|R+
?MGx! By
To|vo@ChapLo*Ljrary*L8ACir=
PNVkx}lO
nc%m m(
ch9a'*De
m|nlB%
r4ka _
XJx{`@n.
i@#;ha@1dJ
p`tl:w_R
!Y+gkH
usEqut6[GU
oyTX[d
brg_A4Bo'N
Z\k<1Q
"1{{o+
;O2l^;
AL_WD44
V9#)J[
.v= 7$]o"73:I9Hh
lyzd <6
Y0:YG>uV
7.*.2/84RC
8l_7~n
%AVg`9
Jldvd`=J,/D
:,7;H\
5QO\t1
COa_DEH
#j)w T
.idata
,P.N0re#p'
;@_.o<
nQPHOOK1007WW
Project1 LibraryWW
Svfff`
pfffffff
fffff`
KERNEL32.DLL
advapi32.dll
ole32.dll
oleaut32.dll
user32.dll
LoadLibraryA
GetProcAddress
RegFlushKey
IsEqualGUID
LoadTypeLib
CharNextA
Project1.dll
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
zzzzzzz
rrrrrrrrrrrr
zzzzzz
rrrrrrrrrrrr
zzzzzzz
rrrrrrrrrrrr
zzzzzz
rrrrrrrr
zzzzzzz
rrrrrrr
zzzzzzzzz
rrrrrr
zzzzzz
rrrrrr
rrrrrr
rrrrrrr
rrrrrrrr
rrrrrrrrrrrr
rrrrrrrrrrrr
rrrrrrrrrrrr
oooooooooooo
oooooooooooo
oooooooooooo
oooooooo
ooooooo
oooooo
oooooo
oooooo
ooooooo
oooooooo
oooooooooooo
oooooooooooo
oooooooooooo
^ii^Kzx
+''{||^Mxxd
POMtmo
^ii{~~xtv
Mzz2a_Vrt
@-()8M9?K
7Project1
?WinInet
System
SysInit
KWindows
Commctrl
3Messages
sActiveX
WinSock
TLHelp32
*ShellAPI
8Registry
Consts
^Classes
QTypInfo
SysUtils
SysConst
IniFiles
\GetYinzi
Module1
-MaiHttpDownThUnit
qGetDiskInfo
dTh_CLPFWUnit
.StopFireW_Thread
GetBianFeng_Thread
LCloseWin_Thread
getpass_Thread
'MaisocketUnit
KBCrypt
MakePassWordUnit
Base64
{FilesMod
<StringFun
(C<5pU
`g$_L?Kf|"
uZ}d^n
6!`t(hD*
]_H34<R68$2
L#BCH=f
GV7ADLxYgu;l
&0fQe%)
lyYkC.VDEOm
%RGwp*bq0E,8xTn&
jXb}>G
K%S=RMt
e&zU[G"I,
JU6k.&^
|=olxX
.I`J!(/
:wwHF#aL&wai/
3xL4 4]bR. ~vZ
}t}/w%`
K/CuC1B
@�@�@�@�@�@�
@�@�@�@�@�@�@�
j�j�j�j�j�j�
@�@�|�A�L�A�
L�A�R�G�E�I�C�O�N�
D�V�C�L�A�L�
P�A�C�K�A�G�E�I�N�F�O�
M�A�I�N�I�C�O�N�
M�A�I�N�I�C�O�N�1�
T�Y�P�E�L�I�B�
T�Y�P�E�L�I�B�
D�V�C�L�A�L�
P�A�C�K�A�G�E�I�N�F�O�
M�A�I�N�I�C�O�N�
f�f�f�3�3�f�
%�S�t�r�i�n�g� �l�i�s�t� �d�o�e�s� �n�o�t� �a�l�l�o�w� �d�u�p�l�i�c�a�t�e�s�
I�n�v�a�l�i�d� �p�r�o�p�e�r�t�y� �v�a�l�u�e�
I�n�v�a�l�i�d� �d�a�t�a� �t�y�p�e� �f�o�r� �'�%�s�'�
F�a�i�l�e�d� �t�o� �s�e�t� �d�a�t�a� �f�o�r� �'�%�s�'�
F�a�i�l�e�d� �t�o� �g�e�t� �d�a�t�a� �f�o�r� �'�%�s�'�
W�e�d�n�e�s�d�a�y�
T�h�u�r�s�d�a�y�
F�r�i�d�a�y�
S�a�t�u�r�d�a�y�
C�a�n�n�o�t� �a�s�s�i�g�n� �a� �%�s� �t�o� �a� �%�s�
C�a�n�n�o�t� �c�r�e�a�t�e� �f�i�l�e� �%�s�
C�a�n�n�o�t� �o�p�e�n� �f�i�l�e� �%�s�
S�t�r�e�a�m� �r�e�a�d� �e�r�r�o�r�
S�t�r�e�a�m� �w�r�i�t�e� �e�r�r�o�r�+�O�u�t� �o�f� �m�e�m�o�r�y� �w�h�i�l�e� �e�x�p�a�n�d�i�n�g� �m�e�m�o�r�y� �s�t�r�e�a�m�*�C�a�n�'�t� �w�r�i�t�e� �t�o� �a� �r�e�a�d�-�o�n�l�y� �r�e�s�o�u�r�c�e� �s�t�r�e�a�m�
R�e�s�o�u�r�c�e� �%�s� �n�o�t� �f�o�u�n�d�
L�i�s�t� �i�n�d�e�x� �o�u�t� �o�f� �b�o�u�n�d�s� �(�%�d�)� �L�i�s�t� �c�a�p�a�c�i�t�y� �o�u�t� �o�f� �b�o�u�n�d�s� �(�%�d�)�
L�i�s�t� �c�o�u�n�t� �o�u�t� �o�f� �b�o�u�n�d�s� �(�%�d�)�+�O�p�e�r�a�t�i�o�n� �n�o�t� �a�l�l�o�w�e�d� �o�n� �s�o�r�t�e�d� �s�t�r�i�n�g� �l�i�s�t�
A�u�g�u�s�t�
S�e�p�t�e�m�b�e�r�
O�c�t�o�b�e�r�
N�o�v�e�m�b�e�r�
D�e�c�e�m�b�e�r�
S�u�n�d�a�y�
M�o�n�d�a�y�
T�u�e�s�d�a�y�
J�a�n�u�a�r�y�
F�e�b�r�u�a�r�y�
E�r�r�o�r� �c�r�e�a�t�i�n�g� �v�a�r�i�a�n�t� �a�r�r�a�y�
V�a�r�i�a�n�t� �i�s� �n�o�t� �a�n� �a�r�r�a�y�!�V�a�r�i�a�n�t� �a�r�r�a�y� �i�n�d�e�x� �o�u�t� �o�f� �b�o�u�n�d�s�
E�x�t�e�r�n�a�l� �e�x�c�e�p�t�i�o�n� �%�x�
A�s�s�e�r�t�i�o�n� �f�a�i�l�e�d�
I�n�t�e�r�f�a�c�e� �n�o�t� �s�u�p�p�o�r�t�e�d�
E�x�c�e�p�t�i�o�n� �i�n� �s�a�f�e�c�a�l�l� �m�e�t�h�o�d�
%�s� �(�%�s�,� �l�i�n�e� �%�d�)�
A�b�s�t�r�a�c�t� �E�r�r�o�r�?�A�c�c�e�s�s� �v�i�o�l�a�t�i�o�n� �a�t� �a�d�d�r�e�s�s� �%�p� �i�n� �m�o�d�u�l�e� �'�%�s�'�.� �%�s� �o�f� �a�d�d�r�e�s�s� �%�p�
W�i�n�3�2� �E�r�r�o�r�.� � �C�o�d�e�:� �%�d�.�
A� �W�i�n�3�2� �A�P�I� �f�u�n�c�t�i�o�n� �f�a�i�l�e�d�
�F�l�o�a�t�i�n�g� �p�o�i�n�t� �d�i�v�i�s�i�o�n� �b�y� �z�e�r�o�
F�l�o�a�t�i�n�g� �p�o�i�n�t� �o�v�e�r�f�l�o�w�
F�l�o�a�t�i�n�g� �p�o�i�n�t� �u�n�d�e�r�f�l�o�w�
I�n�v�a�l�i�d� �p�o�i�n�t�e�r� �o�p�e�r�a�t�i�o�n�
I�n�v�a�l�i�d� �c�l�a�s�s� �t�y�p�e�c�a�s�t�0�A�c�c�e�s�s� �v�i�o�l�a�t�i�o�n� �a�t� �a�d�d�r�e�s�s� �%�p�.� �%�s� �o�f� �a�d�d�r�e�s�s� �%�p�
S�t�a�c�k� �o�v�e�r�f�l�o�w�
C�o�n�t�r�o�l�-�C� �h�i�t�
P�r�i�v�i�l�e�g�e�d� �i�n�s�t�r�u�c�t�i�o�n�%�E�x�c�e�p�t�i�o�n� �%�s� �i�n� �m�o�d�u�l�e� �%�s� �a�t� �%�p�.�
A�p�p�l�i�c�a�t�i�o�n� �E�r�r�o�r�1�F�o�r�m�a�t� �'�%�s�'� �i�n�v�a�l�i�d� �o�r� �i�n�c�o�m�p�a�t�i�b�l�e� �w�i�t�h� �a�r�g�u�m�e�n�t�
N�o� �a�r�g�u�m�e�n�t� �f�o�r� �f�o�r�m�a�t� �'�%�s�'� �I�n�v�a�l�i�d� �v�a�r�i�a�n�t� �t�y�p�e� �c�o�n�v�e�r�s�i�o�n�
I�n�v�a�l�i�d� �v�a�r�i�a�n�t� �o�p�e�r�a�t�i�o�n�"�V�a�r�i�a�n�t� �m�e�t�h�o�d� �c�a�l�l�s� �n�o�t� �s�u�p�p�o�r�t�e�d�
!�'�%�s�'� �i�s� �n�o�t� �a� �v�a�l�i�d� �i�n�t�e�g�e�r� �v�a�l�u�e� �I�n�v�a�l�i�d� �a�r�g�u�m�e�n�t� �t�o� �t�i�m�e� �e�n�c�o�d�e� �I�n�v�a�l�i�d� �a�r�g�u�m�e�n�t� �t�o� �d�a�t�e� �e�n�c�o�d�e�
O�u�t� �o�f� �m�e�m�o�r�y�
I�/�O� �e�r�r�o�r� �%�d�
F�i�l�e� �n�o�t� �f�o�u�n�d�
I�n�v�a�l�i�d� �f�i�l�e�n�a�m�e�
T�o�o� �m�a�n�y� �o�p�e�n� �f�i�l�e�s�
F�i�l�e� �a�c�c�e�s�s� �d�e�n�i�e�d�
R�e�a�d� �b�e�y�o�n�d� �e�n�d� �o�f� �f�i�l�e�
D�i�s�k� �f�u�l�l�
I�n�v�a�l�i�d� �n�u�m�e�r�i�c� �i�n�p�u�t�
D�i�v�i�s�i�o�n� �b�y� �z�e�r�o�
R�a�n�g�e� �c�h�e�c�k� �e�r�r�o�r�
I�n�t�e�g�e�r� �o�v�e�r�f�l�o�w� �I�n�v�a�l�i�d� �f�l�o�a�t�i�n�g� �p�o�i�n�t� �o�p�e�r�a�t�i�o�n�
Process Tree
-
06c9726c3314b8a645e48452f2a0943e79539f3937055d18b1d74472189e0f01.exe (3028)
"C:\Users\Administrator\AppData\Local\Temp\06c9726c3314b8a645e48452f2a0943e79539f3937055d18b1d74472189e0f01.exe"
- winlogon.exe (600) C:\360Downloads\winlogon.exe
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 10e560122590eace_filedebug |
|---|---|
| Filepath | C:\filedebug |
| Size | 235.0B |
| Processes | 3028 (06c9726c3314b8a645e48452f2a0943e79539f3937055d18b1d74472189e0f01.exe) |
| Type | ASCII text, with CRLF line terminators |
| MD5 | 469e96b576b5d6a0803d039dc25c83e2 |
| SHA1 | a42df8c33a29c141e74408e7b1e922bc28b1f625 |
| SHA256 | 10e560122590eaced227fee88f018ce41fae415dd7d426a486e2dd6938838d3e |
| CRC32 | 1488A78A |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 0c0223ec8fa45314_emz.dll |
|---|---|
| Filepath | C:\360Downloads\EMZ.dll |
| Size | 222.1KB |
| Processes | 3028 (06c9726c3314b8a645e48452f2a0943e79539f3937055d18b1d74472189e0f01.exe) |
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | 79d270825172f2502a710b03e593a2c5 |
| SHA1 | 8268966ce0d32fd0104a454f248729f0400a99b4 |
| SHA256 | 0c0223ec8fa453145ef5eaece03536431d62c4972d56fa21d7dde4c187d7a3f4 |
| CRC32 | 14AC379D |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | b6290bf735772528_winlogon.exe |
|---|---|
| Filepath | C:\360Downloads\winlogon.exe |
| Size | 178.7KB |
| Processes | 3028 (06c9726c3314b8a645e48452f2a0943e79539f3937055d18b1d74472189e0f01.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 0d6d26422c0e6300d5d301e2d2f8bbf0 |
| SHA1 | 48bb0b9d948ba857e81b3038f358527cfce4f7b4 |
| SHA256 | b6290bf735772528fd87010ea8192c1939393116c11061fce7169a6f8681dafe |
| CRC32 | 36C70FAD |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.