2.3
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.79
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20200229 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200301 | 2013.8.14.323 |
| McAfee | Artemis!A73CCA50B7BD | 20200229 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b8bc76 | 20200301 | 1.0.0.1 |
静态指标
检查进程是否被调试器调试
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545315.546875 IsDebuggerPresent |
failed | 0 | 0 | |
|
1727545320.219375 IsDebuggerPresent |
failed | 0 | 0 |
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(3 个事件)
| section | 5090dwwq |
| section | l381ysck |
| section | 54i3ahpf |
一个或多个进程崩溃
(2 个事件)
动态指标
在文件系统上创建可执行文件
(6 个事件)
| file | C:\Windows\System32\zipfi.dll |
| file | C:\Windows\System32\satornas.dll |
| file | C:\Windows\System32\zipfiaq.dll |
| file | C:\Windows\System32\ctfmen.exe |
| file | C:\Windows\System32\shervans.dll |
| file | C:\Windows\System32\grcopy.dll |
创建隐藏或系统文件
(1 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'l381ysck', 'virtual_address': '0x00014000', 'virtual_size': '0x0000a000', 'size_of_data': '0x00009c00', 'entropy': 7.883560145842604} | entropy | 7.883560145842604 | description | 发现高熵的节 | |||||||||
| entropy | 0.9497716894977168 | description | 此PE文件的整体熵值较高 | |||||||||||
检查系统上可疑权限的本地唯一标识符
(1 个事件)
网络通信
通过SCSI磁盘标识符技巧检测虚拟化软件
(2 个事件)
| registry | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 |
| registry | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 |
在 Windows 启动时自我安装以实现自动运行
(2 个事件)
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen | reg_value | C:\Windows\system32\ctfmen.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen | reg_value | C:\Windows\system32\ctfmen.exe | ||||||
文件已被 VirusTotal 上 61 个反病毒引擎识别为恶意
(50 out of 61 个事件)
| ALYac | Win32.Hematite.C |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Win32.Hematite.C |
| AhnLab-V3 | Dropper/Win32.Mudrop.C84237 |
| Antiy-AVL | Trojan[Dropper]/Win32.Mudrop |
| Arcabit | Win32.Hematite.C |
| Avast | Win32:Malware-gen |
| Avira | TR/Proxy.Gen |
| BitDefender | Win32.Hematite.C |
| BitDefenderTheta | AI:Packer.27BC45991D |
| CAT-QuickHeal | Trojan.Small |
| CMC | Trojan-Dropper.Win32x!O |
| ClamAV | Win.Malware.Mydoom-6804696-0 |
| Comodo | Malware@#5jea727uiq7a |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.0b7bda |
| Cylance | Unsafe |
| Cyren | W32/Mydoom.E.gen!Eldorado |
| DrWeb | Trojan.DownLoader8.56532 |
| ESET-NOD32 | a variant of Win32/Agent.NHB |
| Emsisoft | Win32.Hematite.C (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Mydoom.E.gen!Eldorado |
| F-Secure | Trojan.TR/Proxy.Gen |
| FireEye | Generic.mg.a73cca50b7bda10d |
| Fortinet | W32/Hematite.C!tr |
| GData | Win32.Hematite.C |
| Ikarus | Trojan-Dropper.Win32.Mudrop |
| Invincea | heuristic |
| Jiangmin | TrojanDropper.Mudrop.cbn |
| K7AntiVirus | Trojan ( 005468691 ) |
| K7GW | Trojan ( 004d7c651 ) |
| Kaspersky | Trojan.Win32.Small.acli |
| MAX | malware (ai score=88) |
| Malwarebytes | Worm.MyDoom |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | Artemis!A73CCA50B7BD |
| McAfee-GW-Edition | BehavesLike.Win32.Mytob.lh |
| MicroWorld-eScan | Win32.Hematite.C |
| Microsoft | Worm:Win32/Mydoom |
| NANO-Antivirus | Trojan.Win32.Mudrop.ijmve |
| Paloalto | generic.ml |
| Panda | W32/MyDoom.IC.worm |
| Qihoo-360 | Win32/Trojan.8e6 |
| Rising | Malware.Heuristic!ET#100% (RDMK:cmRtazohth2hlqe1yukjhuPkKRNm) |
| SUPERAntiSpyware | Trojan.Agent/Gen-MalPE |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1970-01-01 08:00:00
PE Imphash
516ac027f1c3c7a86cc636d666c6f3e2
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| 5090dwwq | 0x00001000 | 0x00013000 | 0x00000000 | 0.0 |
| l381ysck | 0x00014000 | 0x0000a000 | 0x00009c00 | 7.883560145842604 |
| 54i3ahpf | 0x0001e000 | 0x00000840 | 0x00000840 | 3.6219073001222037 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0001e3c0 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e3c0 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0001e4ec | 0x00000022 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.DLL:
• 0x41e5b0 LoadLibraryA
• 0x41e5b4 GetProcAddress
• 0x41e5b8 VirtualProtect
• 0x41e5bc VirtualAlloc
• 0x41e5c0 VirtualFree
• 0x41e5c4 ExitProcess
Library ADVAPI32.DLL:
• 0x41e5cc RegCloseKey
Library DNSAPI.DLL:
• 0x41e5d4 DnsQuery_A
Library msvcrt.dll:
• 0x41e5dc _iob
Library USER32.dll:
• 0x41e5e4 wsprintfA
Library WININET.DLL:
• 0x41e5ec InternetGetConnectedState
Library WS2_32.DLL:
• 0x41e5f4 recv
5090dwwq
l381ysck
54i3ahpf@
c=,?ouD/
c07W,eSL
f~$s@AT
@0Q9#y+#t(P|
Cnl(Oui}tqKu
2 'u5E
km-.} '
fh;0w+^/A/M
`h-]&6
,vh=9X
`1=@1f
d_~}M4
H%Ak!vj
Bifco3f]k
Y\4$;@
r4TU_{wP
XsC^<fm6><&s5=,X
3159DF^ xlipf
D-winBR!
3 HTTP/1.it
Htost:fP6,x*DYt-
wUser-Age
nkt4+k|explw>!
L v4Gv
C,A -=5Rh&
@zZ $qiX6
dQLll=4x8
tl7d/!
{pA%!"KE
ElpEu[
l$Ms$\
ps$MsC
Ad\\[\
dq 9HU
aQ$^)63
22,*sK
83:&<nBK
-{=d<9'
TbXUU!\8Er`Q
'd S`/!
u-'Z,=
t*SgE:<
ta0O$o -
nAb1Cw
@.t#e(
6-.SY&be
Jd= V
"@A)xIx,",(
F``z=(9
%6p6Br`P
v\<u,l`
@` ?VdX
#y;#s(
3_G<3+
21 GjX
'D(9qdp
W,_(D1-%L
){\-gJE.G
Ru2& uTR
Hv'O(A]&
A8t/ElD
$`X~qa
H?~g:<|Ijoc<
>v.%7~bp l4;0
tl%N$Fg)i
IQG>^3x-%YNH
i~AlXKvF
w%'=r|
B1JGr nCNp.*{
u3"`/t
|k0X#* 6
;}s"d[F/LP
sv$$@*`
Xd@t.- K
L*G$N6
<g{%VH
E63-!1J
a%MHFW Btletqe
fryu~X@`
=k;~7D)
9iDGhm
ES8T)B?6
%-A4g%
Bvd[d%QoBF
2H@y\$3
f*E3fw
I>Y.$IU
7da*l]
H7+%[F+
BA/sw%
.`(*=l
W+!nldE2+?Y0;hs
-ITga PZ|P/
PlQ9}{v3
3C9|.(2v}<rc_
#tHm"D@L`
. n|#w%U`@
gG&3*5O
$*byf{
i,0iF48< 6d8$
>Gc44,
,xI67Vps
&70G9d
92`3#m!\
B$$-q2
!tgDt:n
t`AOWh'O(`
%k#}Rhe
)%9<Y5
I<@E84
+iF@t![E
<+`0?fp
E)S28Q5
'.+A z
p`{0cC|C.i8W
E;Fa7L
e8_V.exe*.
Y4#5h\f"Skb-
HFb'+b
yR-@,82$P
FC}#Y,X
f2^dC"|?Z
P58`])i
XJN_tW
Ie#,AqK!A%l
e<CxF%k
@| 8}Ee
&+e*Eb
iHd2r$#-eSHx-9
Ltq8Hj
},s"2+/L7!bP0n=0u;od
V^2pa|U<
''yHlh<
z`Ix)V
rpt.$0$a|^rtt'O@
'x-i=x
(2^u>XFk
-Xp2_~wrw
b=xfpav'g{s
m]#~gN1B9j
0zyt94~`n;8%|e~
<(N &94
Y47d;vzvi1
ss|'-piv
nH79f(ohc
m8edTW|kd
6SVq6*W
05|n5/
d< 5T;
Dq23WM
rtDDxZ8*2W<
Cztt9H|4B
ldt95p
/:PB*cH l
2 xtX2 pT
dE=2<U1[~_t6p t<~
u>?+\Q-Pr
R_9# w
wU d$`1A?
5}HV&A
o`1D0@*w8
Z:)wjw$
++CCUU]tNG
zc*$hm
8SH{N=
Ee`ElfyUs
H1F5u6
pql{B/B(,d
^aOaT
E2Bl/C
VJX9BXW !
ToFed!l
D;!><$Iqx}(8
y,{t.'
S"X`JV
g!#jrC
mX,%":oE44\4Z^ItU
Y[KVO\l
` o\Jl[.(
uAckl;D%
DS+;]eA
w@<t&-+F
fOFuu
X$LJt3
-{@=3u|
kK((O2
]F,t$
;] tIFJ
4eW=j3c
he<p/%h
av[EgJL
WL\!tK:L
BAo7m`O
^ e"u]D|Bh
>Iu%tmn
p}IK]C
8Jg!t/S
'bp(u6
3e)^v$V,[
:UlDWo#rm~
h[nic+m@
A,Pr U
O 8_/-
S[CB0%
!-S4Q0
[0X|Ou
aG<?/rd
9bE)~Lug1
`t@f9c
M//e@rB
5_/l&C |I
/prX=rN
S"ZVNs!@
1x4Iz=n
/h!y2:
ltmdu=@
9 {cu"UQ
_g!d(9Jb
dZI $@$$;NI
iXv_ez)
~Io3f]*
k!N?*2
`0o&UBDP!=U5
b S(dF
3U2B 2
p4'C L
DM<KDt
dS "0C,w
(8'*D4?!p
DXC<#Ow5
lp3txd
"'hK48#
O2bOsz
(RI,h62
b=>Lr4-
+_$Bx=
B9uV$z(c
0_baPcuMX(/$p$y
dY, =t v\.uhof
(G]6]K
n2L% K
"xxFpX*u /J/k
vGUD7tL^D@M2
pXEbx^0
FeN2^ JAfF`
1uarZ@HX16
i:`<}u
x89kuQ
]Bq)b
/fnevX
"7Q`rt
F0`|a_
2 2 ?
A<ytAN
rAN\t
;d0dg '
9p`9y,dA
2TXLPv
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrsPtuvwxyz0123456789+/
.24M47<@FPie
gizMl8\6M4
iY&;Pq,
#8M4MN_s4M4;L
#(,494M4?FKPVM[`fgl
4M4#)3:B4MLRX_dM4Mmsy~
M4M6M4
!&i-49DLiTY^fmriiz{g
DHLPTiiX\`dhal
jHqA}
kdzbeO\
iLA`rqg
@l2u\E
a=-fAv
\cQkkbal
jiCn4Fg
c;d>jm
i]Wbgeq6l
8ROggW
A`Ugn1yiFa
fo%6hRw
[&wowG
eibkal
`MGiIwn>Jj
)WTg#.zfJa
h]+o*7
-|.oo.com
netBY^orgwo
nj+The messag
oocannot b
sented * 7-L
ASCII
ttacvahm
a"6)UniH
Cr)h[ rsQ
&SysCmw
lfull4c
sactstr)tisOAdm
lock-k
yjz{`,O
w7remov&
]iv]Ct
Ce3p(swHX*+H
n#BBigT
life,my6; ve.)Wish X
aXLbeI7 ~
&5[dm;GI] N
~m{x'+ ]nN -
$}}K0|7+/X%
}WebM(e6^8dCyrPl
E-Go9'"s
w(kt<duou`=lleTlxs6k
-pw5YDe
wNIP4gg
HappyUhd
Zk!(6'
2mv6P3b
n-SNura^V
pt@wmt\c
l&dfk.=
n?yahoo
b@mAbl
]cud:p
po2kDJa
imm9nLsB
ZO'kMog
xi4i;r^+VL
Zsv.qy
U(oWsoflS]i#r
rs^uKbbc?v
ZbH0E-52
u+sLiuTk_Ai
\MD\WAB
3Fbsgjr\Zzif
\JLqbjP
.vba\Rk
uihiby32\
Pgrzqh
o$_npgpkgbec
IHY-Fu@
lf:kPLgyZ\FrF
r+fqNp
ftPYFVQ\{R6SO5R20-QR35-11PS-9P8-o{00NN
5127RQ}\cUpQ
Uf.szrPkLe!l
PrD%/2x,\=
mmwaqu
YSTEM\C6
lBt1\i%wV\
sk\Enz0
@H3u8'rj9v
Wh/l!S
ZCQ 8y
K-L)7c P]& 7
1vXDAm
+S:pP"riS
j oJA(
;6T_4s
^\Xnvn\Ge
l]sQyQ
\ [sovZu\T#QR
~aknq%[AH
3NlrN
=|CK5:Z)
vc\ar"Q.{&
9i8Po]y
zg,/5>JYkx
<e-f#hkI\ %PCR]d
a$_@-&+<Y
|K/gfh
!w\T/G
~cTQZo~%]k
`sJ5jb}
1D2l2z
.>tg>Q@
$$;2#9HQRK
7LPy0T*
@,|2 <]$E?
|8eH'1
<b"bW_k
P|+r@W
cBu/JXm
;]+\:@
nq-w7,
R(hIW}Q+
&{6UJ2t$
_xv\tj
AVo_L0X^}:;
W7N+I[gpz
O8pnGUK
Si& 0~g)aI;
e=.#2p
}XiwYH
zHc=0_/G
"][YS3F&
U`\z79s
>6BUh|AV
Z{mE`_y>
%1w4-,]
ZV/RMKfkS~
yU8BH@
'4V)nwl
a6RVaK8v
VUI{`v2pfQN
a~qCg/
-fFbf4q
~^!8] U^M
$j2FZZlk
}hTx1~d
NFE_<zxIpc
}|DXt@
pp;1Wz
}Ru Mm^m(%L?h/=
~N6jxh>%q-+H
kT>)YoJ
KMtP>xp,+\
bO-o/_&
i_c| A
5hj-V-
~+`h/1SM$
JP>qzo1X%v&.A(W
/{7xQ_ur
$gbx6J
-Rw.:2
+=*u_>6
E qJZH
'9Oa(E
(0e%/-%cE
JLBQG>
N)=CPds ]k_l
GQF["Y
N.4H|"k
7hD>)5
O%!$p]h
_(~=1OMp<o^7XS#y
9YH[+ E@;&
E?7[Mk;Ge
dJ&x)_
qB]p$NCU
KK5'VG-
Q,<0=w&
(I,@Z&us[p6
~Spv_5
l)f?HJ'T;
v}&UKaO
dv^%LZ#i
(GP,@:_~v5w
-WO2cr~
Sl`TAM&
RANOsSYKu
h<wpD,EBC
L7Y;}"
}eZ<59HF"K
<UXCYt
NKYBGVV
ujj3hyTTyG2
8(Bqo5
.:aS1(
j/{}6|\
R&<H\KJ
-B~#@\9A
5=kzXN
/}`=\_
!'. T rt
`uz\Ul/_M4+Se
k3PRo'C{
A?X{ MN8
jQZhwy
k;#p=|Wmcce\`
_|Tmp\9S37
omYEi*6e}C
BA#c2zubd
1}0#p%U]
).a"7*%N
8c?U:x
3xGpR:rO
kTkdMj5{W0(
IHl64zIZ
G5f1k2
bQ6wQG
M=<Aqo
$'\i7n
Fgs=[\Dk[a
oqYb pM
SL<uouZ|
?U[/ +_:<cI1>!J
\sDU{zZ
91?c@e\OfJ"-*pO2k
Fh7sO
R0Mdtot
F{,mB2=c6
%.:I[p
~Y@32=T
nSDAJ_
%:Rm!N~ \"jK
TYHyH#
eD/0)eS}
RNT]ix/
T|fSC6,
"'/:H
*BJByyYVp2S9
c`/F5cbx
P;NZ9J
ww9k+*
;V`! u
_=?t)o.s
BK$?._%[
c:FvW>9
O &G'3
g9 toHz
(^bcWnQ
[gD%e[F
rj3Q@O+6Q
u\(X]R5rc
vFG3l2Pg
{k^TMIHJOWbpo
7o)mKDX `E63<Qr
Zz+Hhag
==@FO[j|
zaTS^u
C%g'yE
7Wz$V<}
RI~!BM
s[,'I&9B6B&
6W{Y'#Of
YQ.QrPwS
pr9I^~?ForW#
JiR`R\
9j)4S.(o8
,a$0[V/$88a
cVcN !3m
vOYP/yY@
E4vbE6sW
!@w*{/2
o--i0ae0:
%T?(Mwo
r4;;X_
,|}L}R+
.vo-Q^6
/QLI:LI
#M bXHg
]M}2Io
_pN^>VnH
4d;;D<nuh
T92>@ h* u
i;8nj0
v[1[Z)X~js$%6K<
zoL? g8
*>1i*3n:
"0!Z-;
LyVq`Zzh\#VNc7
'AT,^=}4+8e"
mM%tV;s
BSXG7Z
zWRh>VpzL8YC=
2lv7{"
kYAo"z1$hA!
ZqH*zAc`
A)N[hS5
oNa;TS_fn}
>W@]J;
N pAWXcX
k/cU-xY
!D.hjJ~>N6cBK
>,ddN8
pUl[:G$g8
PrEG@R
&K6%wt
_"/?0_4Bu;'Hqw&K
=Tx;za/
o(ufDSPo)-iOa
Ql8!|=V[_4I!nMiJ!}Z<
Z:nqj?.fP
36A9TVl<
M!W>MO
CXh=IC
_@cEO@
U>g)FNko5lGg8A
cDWUlgO[
#.<Max
+IjM<o
rS@9>Ol.i
/'~zy{
Z/| u*P
{2ig0# :Ibw}
6_3z-"{,Q
YOHDCEJR]k|
Gp2j$hF?S[@1.7,m
2Es3Q
%@g;AJVew"Is
u\ONYp
d%Yf8W:
JaFeb<
ND%los, %d
CAIL FROM: <
RCPT TO
l:KIME--V9i
!Q4 Outlook Ex[
-typnMtip
A/Ex);m
y=x(-+4wxt5
/Min;E=
=We +-1251w3d_ISO-:59-1/)YT-Esa6<8bi
^seami[e="5l"
zn1f"{
bvba64&@
ek5JK:
EeYFGHIJKYeYLMNOPeYeQRSTUeYVWXYZnh]hQQ.v
([kXp$bMq
SV1)7`^th;5-%
U1ru-RQ
rv:9.1.4) GD-
Iox/3.L4.NE:CLR
30729mUX2~MFM1{322LO72I6msMuPht41'
d(8:iX
ImRPZh$)Br7
r510)(
gG,\TGr5
*/**urlm2j;>URLDpUadTo U
*a@:frM
Ubk@v5p
82>n69p76q604q
5#2317q129n
48vo8qs741r3
-LIBGCCWEF
SJLJ-GTHR
_ze ==
(:_2__SHARED)u
g/i386/`we--f.c
Kl Am]Am
,t,ws$m)!0g_
d43td@
__cxxav|uK7
B"ra?1vm@ElrSt=d,Rg
9S4do`g?9*
cg0Cl]
i$<P^p]iS 4M
4M4&6R`n4Mzs4M
,<Rfixsi
i*BRfvi4
44M<PbnxM4M
,:iiLV^hti|ili
*4M4M<FPZdn@6x
4M4&.:FNc
MV`nod22L&&dd2LL&d2L&d22L&&dd2LL&d2L&d22L&&dd2LL&d2L&d2U
AddDQAtomADeH
Mzm'+Q
Sem/horCTh
ool:32S|
n(s)txDeleE
%heLib
Cur nb
yp6[SmO
TimLaEf@
Ma,odul
xrQlaH/p
DecA,`
ckCT;T
K+4bA`
INH3lm.D{ m%
InsBR=DnPtr
UViewOf
Unh\ 8dE<,
WaiS`3n
fKre <[^
mppyZKn
Pcqu]L
KgKey{f
m6__w@ngs
%0ab5s
fcffKf}
3Zk4H_
?scs(v<c
pystZmkA,f
,CKrwhwmumA 'HD
.wStTWk,SA
Au0FIs
'@).r(J{lU'V
XPTPSWXaD$j
wwwwwwwwwwpp
KERNEL32.DLL
ADVAPI32.DLL
DNSAPI.DLL
msvcrt.dll
USER32.dll
WININET.DLL
WS2_32.DLL
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegCloseKey
DnsQuery_A
wsprintfA
InternetGetConnectedState
?4466jccw4y1dlvfa414gfbyw
L!This program cannot be run in DOS mode.
i2h:2h:2h:2i:gh::1h::3h:)%:"h:)%:Ph:)%:
h::3h::*h::3h::3h:Rich2h:
`.data
@.reloc
otools\inc\nlg\private\inc\msfsa\faarray_cont_t.h
otools\inc\nlg\private\inc\msfsa\falextools_t.h
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Unknown exception
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
nlg\lib\msfsa\faallocator.cpp
nlg\lib\msfsa\farsdfa_pack_triv.cpp
otools\inc\nlg\private\inc\msfsa\faarray_cont_2xresize_t.h
nlg\lib\msfsa\famultimap_pack.cpp
Internal error.
Object cannot be initialized.
Limit size has been exceeded.
Out of memory.
Object is not ready.
]ut5p?
W3+t#Hu7Vu
^3[UQE
V3WM0u
UVW39~
<|uCt7
t79V$t2h
M 3UE9J
MA3;~\U
E;}q}M
PE @PE
MPE+@PE
G;}|}]}$
F;}^U9]
z;~\;}T;]
Yt]U]U]
EVW3EP
R�E�S�O�U�R�C�E�_�F�A�T�O�K�E�N�I�Z�E�R�
K�E�R�N�E�L�3�2�.�D�L�L�
s�m�s�c�o�r�e�e�.�d�l�l�
n�r�u�n�t�i�m�e� �e�r�r�o�r� �
T�L�O�S�S� �e�r�r�o�r�
S�I�N�G� �e�r�r�o�r�
D�O�M�A�I�N� �e�r�r�o�r�
-� �A�t�t�e�m�p�t� �t�o� �u�s�e� �M�S�I�L� �c�o�d�e� �f�r�o�m� �t�h�i�s� �a�s�s�e�m�b�l�y� �d�u�r�i�n�g� �n�a�t�i�v�e� �c�o�d�e� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.� �I�t� �i�s� �m�o�s�t� �l�i�k�e�l�y� �t�h�e� �r�e�s�u�l�t� �o�f� �c�a�l�l�i�n�g� �a�n� �M�S�I�L�-�c�o�m�p�i�l�e�d� �(�/�c�l�r�)� �f�u�n�c�t�i�o�n� �f�r�o�m� �a� �n�a�t�i�v�e� �c�o�n�s�t�r�u�c�t�o�r� �o�r� �f�r�o�m� �D�l�l�M�a�i�n�.�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�c�a�l�e� �i�n�f�o�r�m�a�t�i�o�n�
-� �A�t�t�e�m�p�t� �t�o� �i�n�i�t�i�a�l�i�z�e� �t�h�e� �C�R�T� �m�o�r�e� �t�h�a�n� �o�n�c�e�.�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.�
-� �C�R�T� �n�o�t� �i�n�i�t�i�a�l�i�z�e�d�
-� �u�n�a�b�l�e� �t�o� �i�n�i�t�i�a�l�i�z�e� �h�e�a�p�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�w�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �s�t�d�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �p�u�r�e� �v�i�r�t�u�a�l� �f�u�n�c�t�i�o�n� �c�a�l�l�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �_�o�n�e�x�i�t�/�a�t�e�x�i�t� �t�a�b�l�e�
-� �u�n�a�b�l�e� �t�o� �o�p�e�n� �c�o�n�s�o�l�e� �d�e�v�i�c�e�
-� �u�n�e�x�p�e�c�t�e�d� �h�e�a�p� �e�r�r�o�r�
-� �u�n�e�x�p�e�c�t�e�d� �m�u�l�t�i�t�h�r�e�a�d� �l�o�c�k� �e�r�r�o�r�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �t�h�r�e�a�d� �d�a�t�a�
-� �a�b�o�r�t�(�)� �h�a�s� �b�e�e�n� �c�a�l�l�e�d�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �e�n�v�i�r�o�n�m�e�n�t�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �a�r�g�u�m�e�n�t�s�
-� �f�l�o�a�t�i�n�g� �p�o�i�n�t� �s�u�p�p�o�r�t� �n�o�t� �l�o�a�d�e�d�
M�i�c�r�o�s�o�f�t� �V�i�s�u�a�l� �C�+�+� �R�u�n�t�i�m�e� �L�i�b�r�a�r�y�
<�p�r�o�g�r�a�m� �n�a�m�e� �u�n�k�n�o�w�n�>�
R�u�n�t�i�m�e� �E�r�r�o�r�!�
P�r�o�g�r�a�m�:� �
H�H�:�m�m�:�s�s�
d�d�d�d�,� �M�M�M�M� �d�d�,� �y�y�y�y�
M�M�/�d�d�/�y�y�
D�e�c�e�m�b�e�r�
N�o�v�e�m�b�e�r�
O�c�t�o�b�e�r�
S�e�p�t�e�m�b�e�r�
A�u�g�u�s�t�
F�e�b�r�u�a�r�y�
J�a�n�u�a�r�y�
S�a�t�u�r�d�a�y�
F�r�i�d�a�y�
T�h�u�r�s�d�a�y�
W�e�d�n�e�s�d�a�y�
T�u�e�s�d�a�y�
M�o�n�d�a�y�
S�u�n�d�a�y�
W�U�S�E�R�3�2�.�D�L�L�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
C�O�N�O�U�T�$�
Process Tree
-
084b7a416277ff60abccf2c2e27d2182ac9a4c41a8cdd2df5dcc2dca8ffc3ac2.exe (600)
"C:\Users\Administrator\AppData\Local\Temp\084b7a416277ff60abccf2c2e27d2182ac9a4c41a8cdd2df5dcc2dca8ffc3ac2.exe"
-
ctfmen.exe (2004)
ctfmen.exe
- smnss.exe (1988) C:\Windows\system32\smnss.exe
-
ctfmen.exe (2004)
ctfmen.exe
084b7a416277ff60abccf2c2e27d2182ac9a4c41a8cdd2df5dcc2dca8ffc3ac2.exe, PID: 600, Parent PID: 920
default registry file network process services synchronisation iexplore office pdf
Hosts
No hosts contacted.
DNS
No domains contacted.
TCP
No TCP connections recorded.
UDP
No UDP connections recorded.
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 9d7dcb590d8605e6_ctfmen.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\ctfmen.exe |
| Size | 4.1KB |
| Processes | 600 (084b7a416277ff60abccf2c2e27d2182ac9a4c41a8cdd2df5dcc2dca8ffc3ac2.exe) |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | e8f5f86e665dbcf90f3772d29dc95be5 |
| SHA1 | 4e12b7c86392acb8e14a937807e43b372c3b9edf |
| SHA256 | 9d7dcb590d8605e65b10874027ec8e19caa354f2b306ac08932056eb50956a4b |
| CRC32 | A3DC13E8 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 858f6f4eae4206c6_satornas.dll |
|---|---|
| Filepath | C:\Windows\SysWOW64\satornas.dll |
| Size | 183.0B |
| Processes | 600 (084b7a416277ff60abccf2c2e27d2182ac9a4c41a8cdd2df5dcc2dca8ffc3ac2.exe) |
| Type | Microsoft Windows Autorun file |
| MD5 | 2baa184308a0e47884ec8250cb4da591 |
| SHA1 | 41914f135b7848f693c1b41bc514504f720b8c21 |
| SHA256 | 858f6f4eae4206c659bb99f859e2c2ba2a7a3b777e4f6917b0954f476a81d8aa |
| CRC32 | 02E2D4B7 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 0f0209a24d241a33_shervans.dll |
|---|---|
| Filepath | C:\Windows\SysWOW64\shervans.dll |
| Size | 8.5KB |
| Processes | 600 (084b7a416277ff60abccf2c2e27d2182ac9a4c41a8cdd2df5dcc2dca8ffc3ac2.exe) |
| Type | PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 8a3e24deaf50942c5961a1e61497b6ac |
| SHA1 | 1c74eae9cf679c3b3e560b8db30354c8d181444a |
| SHA256 | 0f0209a24d241a33b870668d872934e4f6418b5639d2ae8c8030d1975313b030 |
| CRC32 | F314532F |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | ec6e75055d580a60_grcopy.dll |
|---|---|
| Filepath | C:\Windows\SysWOW64\grcopy.dll |
| Size | 70.9KB |
| Processes | 600 (084b7a416277ff60abccf2c2e27d2182ac9a4c41a8cdd2df5dcc2dca8ffc3ac2.exe) |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 6c8ae6ff9b5dc1f697d05060e9a5430b |
| SHA1 | 6867f9787550a5f39f4613a952fe5184584fa82e |
| SHA256 | ec6e75055d580a60c1307898e3d54d8ec05af03ac3af46ed162f27faa87fe21e |
| CRC32 | 2166074A |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | a93344823e305e42_zipfiaq.dll |
|---|---|
| Filepath | C:\Windows\SysWOW64\zipfiaq.dll |
| Size | 71.0KB |
| Processes | 1988 (smnss.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | 548b3c8b8ee75a103f986b60de4f1d0c |
| SHA1 | a70fd79b28d440bd3dec6458f16ee4cfdb29249f |
| SHA256 | a93344823e305e42253ee0d2c30fa8a64295db743113e22044c4ad3525d8ecf1 |
| CRC32 | 429F4D58 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | 9a542db4de48d34d_zipfi.dll |
|---|---|
| Filepath | C:\Windows\SysWOW64\zipfi.dll |
| Size | 71.0KB |
| Processes | 1988 (smnss.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | dfa6fde3e111038c72018f58b710a097 |
| SHA1 | d8623d7b00193bf4ad9ce1f0889deaadacb2f5d0 |
| SHA256 | 9a542db4de48d34d5b910101490fe803659ceb69b17f821532956ac86be8afa8 |
| CRC32 | 19C7B0CF |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.