2.3
Medium risk

0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0

0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0.exe

Analysis duration 105s

Last analysis 375 days ago

File size 145.0KB
Static detection / Dynamic detection: UNKNOWN
Hawkeye engine
DACN 0.12
FACILE 1.00
IMCLNet 0.80
MFGraph 0.00
Static verdict
Antivirus engines
Not detected (no antivirus engine results available)
Static indicators
Checks whether the process is being debugged (2 events)
Time & API Arguments Status Return Repeated
1727545336.344
IsDebuggerPresent
failed 0 0
1727545338.969375
IsDebuggerPresent
failed 0 0
Command-line console output observed (11 events)
Time & API Arguments Status Return Repeated
1727545339.156
WriteConsoleW
console_handle: 0x00000007
buffer: C:\Users\Administrator\AppData\Local\Temp>
success 1 0
1727545339.156
WriteConsoleW
console_handle: 0x00000007
buffer: del
success 1 0
1727545339.156
WriteConsoleW
console_handle: 0x00000007
buffer: "C:\Users\Administrator\AppData\Local\Temp\0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0.exe"if exist "C:\Users\Administrator\AppData\Local\Temp\0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0.exe" goto Repeat
success 1 0
1727545339.203
WriteConsoleW
console_handle: 0x00000007
buffer: C:\Users\Administrator\AppData\Local\Temp>
success 1 0
1727545339.203
WriteConsoleW
console_handle: 0x00000007
buffer: rmdir
success 1 0
1727545339.203
WriteConsoleW
console_handle: 0x00000007
buffer: "C:\Users\Administrator\AppData\Local\Temp"
success 1 0
1727545339.219
WriteConsoleW
console_handle: 0x0000000b
buffer: 另一个程序正在使用此文件,进程无法访问。
success 1 0
1727545339.219
WriteConsoleW
console_handle: 0x00000007
buffer: C:\Users\Administrator\AppData\Local\Temp>
success 1 0
1727545339.219
WriteConsoleW
console_handle: 0x00000007
buffer: del
success 1 0
1727545339.219
WriteConsoleW
console_handle: 0x00000007
buffer: "C:\Users\ADMINI~1\AppData\Local\Temp\sanfdr.bat"
success 1 0
1727545339.266
WriteConsoleW
console_handle: 0x0000000b
buffer: 找不到批处理文件。
success 1 0
Behavioral verdict
Dynamic indicators
Creates executable files on the file system (2 events)
file C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat
file C:\Users\Administrator\AppData\Local\Temp\biudfw.exe
Drops a binary and executes it (2 events)
file C:\Users\Administrator\AppData\Local\Temp\biudfw.exe
file C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat
Drops an executable into the user's AppData folder (2 events)
file C:\Users\Administrator\AppData\Local\Temp\biudfw.exe
file C:\Users\Administrator\AppData\Local\Temp\0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0.exe
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1727545338.891
ShellExecuteExW
filepath: C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat
filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\sanfdr.bat
parameters:
show_type: 0
success 1 0
Checks adapter addresses to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1727545341.000375
GetAdaptersAddresses
family: 2
flags: 16
success 0 0
Network communication
Communicates with hosts for which no DNS query was performed (5 events)
host 114.114.114.114
host 8.8.8.8
host 218.54.47.76
host 218.54.47.74
host 218.54.47.77
Connects to IP addresses that no longer respond to requests (legitimate services usually stay up) (4 events)
dead_host 218.54.47.76:11120
dead_host 218.54.47.74:11150
dead_host 218.54.47.76:11170
dead_host 218.54.47.77:11150
Screenshots
No screenshots available: the sample did not generate any screenshots while running


PE Compile Time

2014-10-11 17:46:38

PE Imphash

d0a02458b96b0a6cde3068c96d1cdba2

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00022000 0x0001f200 5.3005023316563635
.rsrc 0x00023000 0x00003000 0x00002200 5.613181141549476
.reloc 0x00026000 0x00001000 0x00000200 0.2162069074398449

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x0001c2e8 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x0001c2e8 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x0001c2e8 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x0001c2e8 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MENU 0x0001cb90 0x0000004a LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x0001cbe0 0x000000c0 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_STRING 0x0001cca0 0x00000044 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ACCELERATOR 0x0001cce8 0x00000010 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x0001ccf8 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x0001ccf8 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_VERSION 0x00023ec8 0x000002a8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MANIFEST 0x00024170 0x0000017d LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

Library KERNEL32.dll:
0x41101c GetTempPathW
0x411020 GetSystemDirectoryW
0x411024 DeleteFileW
0x411028 GetModuleFileNameW
0x41102c GetTickCount
0x411030 GetVersionExW
0x411034 ReadFile
0x411038 CreateFileW
0x41103c DeviceIoControl
0x411040 GetTempPathA
0x411044 GetModuleFileNameA
0x411048 HeapAlloc
0x41104c GetProcessHeap
0x411050 HeapFree
0x411054 MultiByteToWideChar
0x411058 SetEndOfFile
0x41105c HeapReAlloc
0x411060 LCMapStringW
0x411064 CreateThread
0x411068 LoadLibraryW
0x41106c OutputDebugStringW
0x411070 LoadLibraryExW
0x411074 WriteConsoleW
0x411078 FlushFileBuffers
0x41107c SetStdHandle
0x411080 CreateEventW
0x411084 ExitProcess
0x411088 CloseHandle
0x41108c Sleep
0x411090 OpenEventW
0x411094 GetStringTypeW
0x411098 GetCPInfo
0x41109c GetOEMCP
0x4110a0 GetACP
0x4110a4 IsValidCodePage
0x4110a8 RaiseException
0x4110ac SetFilePointerEx
0x4110b0 SetFilePointer
0x4110c0 GetCurrentProcessId
0x4110cc GetFileType
0x4110d0 GetFileAttributesW
0x4110d8 IsDebuggerPresent
0x4110e0 GetCommandLineW
0x4110e4 GetLastError
0x4110f0 SetLastError
0x4110f8 GetCurrentProcess
0x4110fc TerminateProcess
0x411100 TlsAlloc
0x411104 TlsGetValue
0x411108 TlsSetValue
0x41110c TlsFree
0x411110 GetStartupInfoW
0x411114 GetModuleHandleW
0x411118 GetProcAddress
0x41111c EncodePointer
0x411120 DecodePointer
0x41112c RtlUnwind
0x411130 GetConsoleMode
0x411134 ReadConsoleW
0x411138 WriteFile
0x41113c WideCharToMultiByte
0x411140 GetConsoleCP
0x41114c GetCurrentThreadId
0x411150 GetModuleHandleExW
0x411154 AreFileApisANSI
0x411158 GetStdHandle
0x41115c HeapSize
Library USER32.dll:
0x411170 LoadAcceleratorsW
0x411174 LoadCursorW
0x411178 RegisterClassExW
0x41117c CreateWindowExW
0x411180 DialogBoxParamW
0x411184 LoadStringW
0x411188 wsprintfW
0x41118c LoadIconW
0x411190 EndDialog
0x411194 PostQuitMessage
0x411198 EndPaint
0x41119c BeginPaint
0x4111a0 DefWindowProcW
0x4111a4 DestroyWindow
Library ADVAPI32.dll:
0x411000 RegQueryValueExW
0x411004 RegSetValueExW
0x411008 RegCloseKey
0x41100c RegOpenKeyExW
Library SHELL32.dll:
0x411164 ShellExecuteA
0x411168 ShellExecuteW
Library WS2_32.dll:
0x4111ac WSAStartup
0x4111b0 htonl
0x4111b4 gethostbyaddr
0x4111b8 socket
0x4111bc gethostbyname
0x4111c0 inet_addr
0x4111c4 htons
0x4111c8 connect
0x4111cc closesocket
0x4111d0 send
0x4111d4 recv
0x4111d8 WSAGetLastError
Library IPHLPAPI.DLL:

bad allocation
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
CreateSemaphoreExW
SetThreadStackGuarantee
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
FlushProcessWriteBuffers
FreeLibraryWhenCallbackReturns
GetCurrentProcessorNumber
GetLogicalProcessorInformation
CreateSymbolicLinkW
SetDefaultDllDirectories
EnumSystemLocalesEx
CompareStringEx
GetDateFormatEx
GetLocaleInfoEx
GetTimeFormatEx
GetUserDefaultLocaleName
IsValidLocaleName
LCMapStringEx
GetCurrentPackageId
CorExitProcess
UTF-16LE
UNICODE
Unknown exception
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(null)
CreateFile2
MessageBoxW
GetActiveWindow
GetLastActivePopup
GetUserObjectInformationW
GetProcessWindowStation
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
218.54.47.76
sanfdr.bat
:Repeat
if exist "
" goto Repeat
rmdir "
%d.%d.%d.%d
218.54.47.74
GetSystemWindowsDirectoryW
GetFileAttributesW
OpenEventW
CloseHandle
ExitProcess
CreateEventW
CreateThread
GetTempPathW
GetSystemDirectoryW
DeleteFileW
GetModuleFileNameW
GetTickCount
GetVersionExW
ReadFile
CreateFileW
DeviceIoControl
GetTempPathA
GetModuleFileNameA
HeapAlloc
GetProcessHeap
HeapFree
MultiByteToWideChar
KERNEL32.dll
wsprintfW
LoadStringW
LoadAcceleratorsW
LoadIconW
LoadCursorW
RegisterClassExW
CreateWindowExW
DialogBoxParamW
DestroyWindow
DefWindowProcW
BeginPaint
EndPaint
PostQuitMessage
EndDialog
USER32.dll
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegSetValueExW
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
SHELL32.dll
WS2_32.dll
GetAdaptersAddresses
IPHLPAPI.DLL
IsDebuggerPresent
IsProcessorFeaturePresent
GetCommandLineW
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
InitializeCriticalSectionAndSpinCount
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetModuleHandleW
GetProcAddress
EncodePointer
DecodePointer
EnterCriticalSection
LeaveCriticalSection
RtlUnwind
GetConsoleMode
ReadConsoleW
WriteFile
WideCharToMultiByte
GetConsoleCP
InterlockedIncrement
InterlockedDecrement
GetCurrentThreadId
GetModuleHandleExW
AreFileApisANSI
GetStdHandle
GetFileType
DeleteCriticalSection
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetFilePointer
SetFilePointerEx
RaiseException
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
SetStdHandle
FlushFileBuffers
WriteConsoleW
LoadLibraryExW
OutputDebugStringW
LoadLibraryW
LCMapStringW
HeapReAlloc
SetEndOfFile
HeapSize
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
218.54.31.226
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
kernel32.dll
UTF-16LE
UNICODE
mscoree.dll
- not enough space for arguments
- not enough space for environment
- abort() has been called
- not enough space for thread data
- unexpected multithread lock error
- unexpected heap error
- unable to open console device
- not enough space for _onexit/atexit table
- pure virtual function call
- not enough space for stdio initialization
- not enough space for lowio initialization
- unable to initialize heap
- CRT not initialized
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- not enough space for locale information
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- inconsistent onexit begin-end variables
DOMAIN error
SING error
TLOSS error
runtime error
AR6002
- floating point support not loaded
Runtime Error!
Program:
<program name unknown>
Microsoft Visual C++ Runtime Library
Aja-JP
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
(null)
2USER32.DLL
zh-CHS
az-AZ-Latn
uz-UZ-Latn
kok-IN
syr-SY
div-MV
quz-BO
sr-SP-Latn
az-AZ-Cyrl
uz-UZ-Cyrl
quz-EC
sr-SP-Cyrl
quz-PE
smj-NO
bs-BA-Latn
smj-SE
sr-BA-Latn
sma-NO
sr-BA-Cyrl
sma-SE
sms-FI
smn-FI
zh-CHT
az-az-cyrl
az-az-latn
bs-ba-latn
div-mv
kok-in
quz-bo
quz-ec
quz-pe
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
syr-sy
uz-uz-cyrl
uz-uz-latn
zh-chs
zh-cht
CONOUT$
\Hangame\KOREAN\HanUninstall.exe
\NEOWIZ\PMang\common\PMLauncher.exe
\Netmarble\Common\NetMarbleEndWeb.exe
\Program Files\AhnLab\V3Lite30\V3Lite.exe
\Program Files\ESTsoft\ALYac\AYLaunch.exe
\Program Files\naver\NaverAgent\NaverAgent.exe
WinSeven
WinVista
UnKnown
218.54.47.77
218.54.47.74
BHSBDHS
Software\Microsoft\Windows NT\CurrentVersion\Windows
TrayKey
%s.exe
tkghle.exe
golfinfo.ini
golfset.ini
HGDraw.dll
houtue
biudfw
%s%s.exe
\\.\%s
\\.\PHYSICALDRIVE
%d.%d.%d.%d
AAAAAAAAAA
AAAAAAAA.
iE&xit
h&About ...
About kidgfe
MS Shell Dlg
Copyright (C) 2014
SiokhdfR
NioljHfdre
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Hidgte
FileDescription
diogftr
FileVersion
1.0.0.1
InternalName
PopdgTGsde
LegalCopyright
Copyright SisoRetd
OriginalFilename
NollasRetdfe
ProductName
MopdgTrsew
ProductVersion
1.0.0.1
VarFileInfo
Translation

Process Tree


0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0.exe, PID: 3012, Parent PID: 2236

biudfw.exe, PID: 2736, Parent PID: 3012

cmd.exe, PID: 1404, Parent PID: 3012

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 61714 8.8.8.8 53
192.168.56.101 56933 8.8.8.8 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 58485 114.114.114.114 53
192.168.56.101 58485 8.8.8.8 53
192.168.56.101 57665 114.114.114.114 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 0f5fafe0046b7b79_biudfw.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\biudfw.exe
Size 145.0KB
Processes 3012 (0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5 7fd9219d93f5e901d191dad4fca78fce
SHA1 28de753134f2da75aee4f40ba7a0b723a19e8d55
SHA256 0f5fafe0046b7b79318aadd77f022f68bd8355012de5703c8b401d2ebb016ae6
CRC32 75974661
ssdeep None
Yara None matched
Name 9f94a72ad2b621d7_sanfdr.bat
Filepath C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat
Size 365.0B
Processes 3012 (0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0.exe) 1404 (cmd.exe)
Type ASCII text, with CRLF, CR line terminators
MD5 31baecc2dcbf16a0170880c8ae5fef39
SHA1 a8016e20e0339b5dbaf203febe8770137ca06258
SHA256 9f94a72ad2b621d7366221beb764f20cee1bedabac91f47fe666571ac0166206
CRC32 A3C6337C
ssdeep None
Yara None matched
Name 91377fdab72045ad_golfinfo.ini
Filepath C:\Users\Administrator\AppData\Local\Temp\golfinfo.ini
Size 512.0B
Processes 3012 (0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0.exe)
Type Non-ISO extended-ASCII text, with very long lines (512), with no line terminators
MD5 e2d9c84d22710b94f88db5e136efd92e
SHA1 5636678dda45ea10068357a9b17878399804aea3
SHA256 91377fdab72045adb923f62c3b0b46de7360e62beaab96489eefb36dd8554f25
CRC32 86631D60
ssdeep None
Yara None matched
Name 0c6b5363c860ff2e_0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0.exe
Size 145.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5 ad326f3c1cd1f8a79a6e8a54008027fc
SHA1 d7f1307d77d728ea7ed587ad1255a0293f9ebb24
SHA256 0c6b5363c860ff2e2373d1ca2852a24ca95b11b391fde407cb4ab44b277489e0
CRC32 1CA2C78F
ssdeep None
Yara None matched
Sorry! No dropped buffers.