1.7
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.79
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Gepys-F [Trj] | 20190924 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Kryptik.eg | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20190924 | 2013.8.14.323 |
| McAfee | Dropper-FFA!B5F489A634AF | 20190924 | 6.0.6.653 |
| Tencent | None | 20190924 | 1.0.0.1 |
静态指标
查询计算机名称
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727110801.547 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
检查进程是否被调试器调试
(1 个事件)
收集信息以指纹识别系统 (MachineGuid, DigitalProductId, SystemBiosDate)
(1 个事件)
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | .reloc2 |
动态指标
在文件系统上创建可执行文件
(1 个事件)
| file | C:\ProgramData\Mozilla\iqbjnwa.exe |
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(1 个事件)
| section | {'name': '.reloc2', 'virtual_address': '0x00029000', 'virtual_size': '0x000001a1', 'size_of_data': '0x000001a1', 'entropy': 7.500751589162297} | entropy | 7.500751589162297 | description | 发现高熵的节 | |||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 54 个反病毒引擎识别为恶意
(50 out of 54 个事件)
| ALYac | Gen:Variant.Ulise.66207 |
| APEX | Malicious |
| AVG | Win32:Gepys-F [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Ulise.66207 |
| AhnLab-V3 | Trojan/Win32.Shipup.R66784 |
| Antiy-AVL | Trojan/Win32.ShipUp |
| Arcabit | Trojan.Ulise.D1029F |
| Avast | Win32:Gepys-F [Trj] |
| Avira | TR/Crypt.XPACK.Gen7 |
| Baidu | Win32.Trojan.Kryptik.eg |
| BitDefender | Gen:Variant.Ulise.66207 |
| CAT-QuickHeal | TrojanDropper.Gepys.A |
| ClamAV | Win.Malware.Zbot-6902002-0 |
| Comodo | TrojWare.Win32.Kryptik.BANN@4xjerl |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.634af6 |
| Cylance | Unsafe |
| Cyren | W32/A-cc6e0ca3!Eldorado |
| DrWeb | Trojan.Redirect.154 |
| ESET-NOD32 | a variant of Win32/Injector.AGEY |
| Emsisoft | Gen:Variant.Ulise.66207 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/A-cc6e0ca3!Eldorado |
| F-Secure | Trojan.TR/Crypt.XPACK.Gen7 |
| FireEye | Generic.mg.b5f489a634af6058 |
| Fortinet | W32/Kryptik.AYTT!tr |
| GData | Gen:Variant.Ulise.66207 |
| Ikarus | Trojan-Downloader.Win32.Dofoil |
| Invincea | heuristic |
| Jiangmin | Trojan/Generic.awkes |
| K7AntiVirus | Trojan ( 004e98781 ) |
| K7GW | Trojan ( 004e98781 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=80) |
| McAfee | Dropper-FFA!B5F489A634AF |
| McAfee-GW-Edition | BehavesLike.Win32.Dropper.ch |
| MicroWorld-eScan | Gen:Variant.Ulise.66207 |
| Microsoft | TrojanDropper:Win32/Gepys.A |
| NANO-Antivirus | Trojan.Win32.Redirect.cqivqm |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM19.1.1B3D.Malware.Gen |
| Rising | Trojan.Injector!1.AED7 (CLASSIC) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Injector |
| SentinelOne | DFI - Malicious PE |
| Symantec | ML.Attribute.HighConfidence |
| Trapmine | malicious.high.ml.score |
| TrendMicro | TROJ_KRYPTO.SMAX |
| TrendMicro-HouseCall | TROJ_KRYPTO.SMAX |
| VBA32 | SScope.Malware-Cryptor.Carberp.2313 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2013-05-07 01:41:03
PE Imphash
75a256b0bc0d0512d33719c33807e4b1
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00003b38 | 0x00003b38 | 5.81423932231149 |
| .bss | 0x00005000 | 0x00000028 | 0x00000000 | 0.0 |
| .data | 0x00006000 | 0x000207d0 | 0x000207d0 | 6.639231184654125 |
| .idata | 0x00027000 | 0x00000460 | 0x00000460 | 4.313461266608219 |
| .rsrc | 0x00028000 | 0x000004bc | 0x000004bc | 4.028836630618484 |
| .reloc2 | 0x00029000 | 0x000001a1 | 0x000001a1 | 7.500751589162297 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_STRING | 0x0002834c | 0x00000170 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_STRING | 0x0002834c | 0x00000170 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library iphlpapi.DLL:
• 0x42717c GetAdaptersInfo
Library KERNEL32.dll:
• 0x427188 GetLastError
• 0x42718c GetModuleHandleA
• 0x427190 GetProcAddress
• 0x427194 CloseHandle
• 0x427198 RtlUnwind
• 0x42719c LoadLibraryA
Library USER32.DLL:
• 0x4271a8 GetCursorInfo
Library ntdll.dll:
• 0x4271cc RtlInitializeSid
• 0x4271d0 RtlFreeHeap
• 0x4271d4 RtlAllocateHeap
• 0x4271d8 NtOpenKey
• 0x4271dc RtlInitUnicodeString
• 0x4271e0 NtClose
• 0x4271e4 RtlLengthSid
• 0x4271e8 RtlSubAuthoritySid
• 0x4271ec RtlLengthRequiredSid
• 0x4271f0 RtlCopySid
Library ulib.dll:
L!This program cannot be run in DOS mode.
.idata
@.rsrc
@.reloc2
t ;t$$t
_^[USVWUj
]_^[]U
v4b1qUk
SVWeP<$f
r'{r'{r4{r
r'{r!r
ryrGzrrzr'{r
r|ryryr
zr$zr$zrvrxrxr
yr4{ryryryr
tpHHt0
EPpPu4
r|Wj%ru
jh_Y;t
9yPt!IP
tHHt;Ht.Ht
h_UXSVWu
Y]U@SVW]
EEUI!)
_^[UhSVWu
SYEEAEUe
D_^[1U
lddhI!1
|_^[UQPSVW}
_^[U<SVWu
)W}W}W}W
\7@EE?s
lpnS!P
El!ETW
dhtdext
vFdehax
@L``H|+
\PA%SoPtlX
Th+#x)ec
Wx|VZEV|Hil:p
9&s`F[
4d|fxl
-f(Vofe!
|Th"apt\i4
|!|iA|
rElprVf
RFlVc+oE
)t||t=P
Ei`X|E
TP+fEeu\S
x!z\fiE
l)i`tp)h
SVthEo#OF
ViEeEfEGeElVpPuAa
VdsenPnVeoE@ueeesF
fEE<dxifriwMF FELVl
FErcMEEx`P
epPaeEY
0N|WF,
}VFuFuxVjx
dMii!|d
|fVxWy
^i%p`@+|
t`i%CZ
h1|t|u
|'x+x|x`
ipfdTlJ
fx&`P)p
f#T#7t!tT
b`\+?)
%`pDtx
@W|Jho@|
]%tL!Pi%
X|dy9+
(3E<lf
v++x+XiL|T\
%TDNHtgihd
hlL@Z)"xi6
+#+ipd
ttlyp|l
%hde8+f`
xhh#xT
l|0P%!
l&tTJxZ
#f|t!%
TYLd|h|Hp
I#fTi f
ddtPid|
p#3`%"b
+8`ji|i\M>
@T%8%M2
#pxyf+t
x0|lpt0x|`
;d|T'%
Ttlxt+Xx|0flD
%tJ|)||
|pf%xPl&
|dpH({+)tx
@DtG\d
t.%)|b
D+hkXo]
|qH!%%
|%dt||
|p+E<XD
lhgdxhi
t<VELDN|
CpQiN]4~
u1w=8u=
S[EnGU9
G]EwE$F$"U
WEuEE]E
F_Ej?F
WW$S]U[
EhEW_PP
j4E@u@0E
(MhWES
<jS@u0SE
jS[,S^_mt(
ZRiZT[(
SwX17
4rE~UERO\CRzP17
4rE~UERR[rXvD]Ro]^YK[CC
4aXh@`B~ATSX[\GwQE^tZbCz@DD
4vRoeDRnQUttYA[~@XXugEVoAB7
4fVr@wXiyD[o]A[~{S]~WED
`2{s32s
gVc!jD_
xzGcxxx
GLvoLLsML
&!]&\&
]y\Mts\]tyyt
c9S!cL!'
CR:VbB
9fgW":BRWg
:xP>_@
Rf:RZf
*>_Gfff
!:W:fGG
bzRRfb
WfR*xz
VffB:RGR
DLLLvLb
~_LL!9ALLLLLL9G_zv
__9EUDD9
Wl__D__rv
Y_=E9>T
@Tj@9UG@@V
@GfRS@9vDE
b)@2_b%f@@O
@~@c@@@r
@DMB_b
RRD:Ex
RRE9R9Rx9R
x99RUR
3DCSR@
jDEBBCE
.@VGESBCE
@@6UBEn
cSCK2(
Ezxzz@b
JVVzABV
V63'9R
xVx!RV
z2tLxCR
tRzt^<!
tCDAxx
!OxW+b6
OMOOVV.
!OGA!O@
_ED+OOR
rxMOxRY
OftObV
CxbNC^zVt
CC"V"C
tCvCv""
9tV^vt
fRcVR_
D^ZLZ@
N_g_c_^fLO+
DfB!)B
f9KW!tR99
9g9gt9
GzbRa/
9cRjfB
xRgRbV
`%f!gx
xxVnMnVnzc
g/zx22nn
R`+OYVo)c
VOV'VoV
OVVOOf
V`',+R
znDAiWO!z
ARB:Dz
DVbRKt
f+LKRx
vd/eTVT
gMgTv!
KEfggV
KEKeDfg
gU!!wDKj
g!*+g_
Vg;oggB
!'tKtg
WxK0G#
!ftf"fA
Wf-VoVBC
KKbEWVL
BLmgRD
LbnrtL!LL
KEt)_!
`ZWVla!
:lgbRR'w
Wt gzL
dgNbgx
bgzgfggziYBgx
BB ggn
RRRKb(f
RD~KK~~
~Wx~gB
KKE/xE
%R/cM/V
RGR6C.
RRK v!AR
#RLRV_E~6vMb
VGFgf_!
WRRgb+D
xx6xRL
R*DMc6xxxx
RxxxLR!p6
6IVx/gz6-6
6zix6xc!xxRw.66Exr
6vxTRR6gfRKM
n)RARb
gbf'of
x!R+xf
VG:VWZB
fvOxvAg
VWUKvR
VfGGgRObSLG
!gRVObGRG
GfWGGBGB
gBOGKxD?bGgG
WBKGcVDD2+
Rc=J}L
VOt+LA
.ZK!!)f
!WGRcS*
W_v?Lw!Kv
6DWIGO
z+RRLO
E!S9S^6
BA^&!'fz
+VBV Bf
tLgD!G
g]M!Ox"
"Z:WKd!R!
g!O!Vr"!!
Vg")gU\
VRRRRVTe[WUVF
M\[R.TWL\
16R6]
B R B1R 1]n
M111 `1]U
VVVTBUV]V]VR
KB)f B
fO? O+B
RU2 :K
WxOO~G
EMWLDWOz~wWC
OWD"Rb8WWDgSf
DoOg!W0OKOWlfx,)zEfx
ROKWK&bTWO
W"KK2W
REEBd!^
fKKK```
`RU_fb
RBKfzf
KRDz!2'KKS~
`xbRUg`KKe
``RB`M`
K2` z)`D
RK)K`I``xg
v)!!fv!
bRW.!*!
!zbTzz
W^T9VRi;X
)Q)odtTQog,t
Lx+vvvv
^QLVt/
SzJ'6ZV
D@D;!:zA
!LffIG@Mz^
FE^!LG
6x!!6c!D!N6
V!!,O}!
CfafIO_"
g_Wggggfg
JggW/A
Kf bOg
bMODLRgB+
BmrttEd
}fguwb}
JRdV{m
mNNRdZ
ddR2V^
dvbF8dddd dXdJ~dddddPd
>ddd"B6rd(z*.0
)2)DTR
TRD>KK
R^GK))
BBOZ'DW
)/W6WA6
%gWW`x
!WgB'JgW
wW22gG
gGzLggCg!o/0
6g2KEg
!RBgKW
MKKKzMgI_
gKWK6Dg!_!
n?zMZRvgf
JfC>gRx
RztbC9y
t"6CC9
`vU~av
2!}}}2
g222 2
}2`}fd|
@z}|2fa
{fgg2ya
[}22~w
|`2}t|
f}Q}{2f`2
{wws~w*wf
w j#j@
q$|f2@
w?w$@|2
bEdwwf
E|a}^@(
E}}`wE
q_}efE
{`{dSf
EwvGvs^|
se{E|EwwqE
xEWg~u[
g|`sXz
vg=~pu_X`
`_buuws]
`uvuu`
dpvV`2g
uv}wpu_wAaA{V
k2}wgfw|(|q
__gu|spfk
fgkuwA`vs
gTsg{k|gw
F`v_|sk
O-th p
e``s)|o`b`w'h``
r&jy`n
cL%`t}*(I`p`!klMa.#$R
sbxeg{`~d
d`c`zi`+v`zy``
`Nuw}/|~xaf{qjvgf
2*HSY(CS
D[L],%SE.T:P6[SHD9FSl/
@SOY>?'KKX^CSZ$^"VJ-SBSM oSSTnWJ)#ZSS_XS840VS
53=EG]W\m_!NA<SFGSU1B&Pi@Q;U+I\RSSAr7
l>NKy,*P
[Y'^l?1
zzdrw&&2G
;Uo2d%9#|hN
"GF%S\R
q|as|@N
R`aRR:R}FW
j}]^fw^^
Qqqv}}|
f<we}}
qgqqaq
dv{wsws
s\sZls
~sw{w_
w|{UDZE
wws~Uw
w@BsQwr{ww|
swUUsfb
TU~Sf{qsf
FTwS{Z{FVTwEwz
swss~s`}fk
wfwFw{{
s`b|~`w{wABb
jsXswaws_DawwAf
~fw}wqUwwbsw~bsZfw
U`|Uswaf
Fwwyw}fqgwwqw }s\
{fs!zsS
~@Ef|sasss`[aq
v`qUa`Eaww`
sQwv{}
ss`zs`vs<^WU
Ez~`s|Ww|qvA}Fw|``swffE|
^swf`~w}ssE|F\ss~s`^ws
_sfwsvf[s
uOvfwww
}f}qsfuwa~gQ
Q``Us}SU
V~`FfB^Asssvww~_`|QaQEs[ss
`sfuVvuwaw
}Ewsvass
a}w^Es^w{sqs|
~sssPsz
ssvwsFGsEeWw
Ea`Es`s
}sfA}s}QEs}awaqfswtea
b|sfEs{gsu{ses@
fswswfs|s{`w
s_|vwEG
!}@v{Gf@
wVfjwC\G
ww]@Cavw|% w@fGsGf|aBwuGWu~QkwuE~UWBk{Web
@w3`ws_
{~GgsE~uw|[f
aG< wzvwBj
"G~~}G
}Bs|vg|u|Asw
~vEu|S
^h}!s[
W}Wg[Q
`wtj}fw|s}
~ZA}<[ G{
QRf~^[}[~}fjv^s|w|f~
Qfwv}f}b
w`|{~f
~}wwZ<G
}!`ww|qa}wq
WwfW-w
Aw wWhg!Fg}b
~|FkUss}whf{B{E|
A|t|`]}f
{q}s~}j}f~{fs~s{
A{{{}ESQq`w{
|A`|vfBa~jv`
wvU|va~wu}
vs}f{aqqvUVWWfBGw}gfwwGfwwqpfw
g`v|av|
SasUw_f
~v}zwbWwz`vv`v|sqvEv}wq}aqfvwB
wvvjwV|v`ww`auvB`aaAa
vv}vvw~vvv{|Uf
Tvv{w`|
`vE`w{
|{{{|Ww}|
q|wwf{wbf
qqf~w~s
~}Z||A|f|fsUQ{||w|w`|`a{SfA~
d|f|Tf|
|v{vs|s
Qf||A|Q~}w|
{k{A`{Va}`~}~Ag|~{
|ffW{}Q|w|FTwf}|FA|
wbu|`}u[wf
{|}wEavSws|w
{|f{|qB
q`t}gy~
fw`f`f`}~B~w
|f`|sqf`wf`[
Ffwf}ff
Fw|ss`
aff`sfv
wfU`f+f|`w`a`g``w~|`
Dwfv`w[``}`w`fwww~~`
gCVAk`[`Wff
b^U^wf
Qw`}wf`w`~fq
yqwQ`swwWffZT`s`
ssfuQv~
}Q}]_Qbsff{
wvSt_%`ssswwd||B~s~BsE}Qw`
Uqf|wD
s~wfP`fA
q}ssfkg
RRNRRR&
RjRRnR
RvRRRmR
mmlRRm
Rllm~RBbml
mRlRllR
RmRlRl
CWRGK~~
;1Jqxj2S+G
dacy7v#QWOIQQS/e
S ll{$'
<z]?E3{Y0
`EF-_}B
[-~S;QK-p-
^nd=P <(t2-r
}B---{-=p&~wtp
?)SG=--$-?
jhjy}tm
)NE!e2O2,wj/jlLN
Bjj:jjQQ
zgWYjB@<
m@@H#)|fP2WM^
%uA@Fs
I>&5n@t
8gq`2'
/KnPwm?
{~j:7G9
;,F`xAo
UsSm !Q
NhdKzxo'oov5#4T
1~os/GZ#
m\NoJo
oi_ozlPoo^
@0 ]cN:V
[>p^RW^I%
r@^fI~^e^A
IY^{Y=~^
*iB+^/=^
Z^^-0R^^)^
6suz6]
V6mXC3s
6|.~t:6X
l=dOI?G65666f6O)VjcDy}U'%=8 _F{
eBg864
]kyx%pn
"AOFPddF
MVtcG|"
+c&HTf"
Q7tKTr N
V%A@`r
M`g` `GG
`>,`bS`
QUM_2``
jII KC_
f``f`^`Eg``^)W5_&+4SRZ1Q0=
K7.n=O?
to.B<%#.
vm.1 .
s9A.yg4.6
+++cU+A1={$2+~
')+AdaBB)+`^
o@+!$x++|+M
`*$/++ JR:
V O 6T /L
k4 j X=>f h
J :yA 7'O
f] ei2R
M?Fs1 \ 1
`fj}s{ _=1
hHHeh[
z*F#SRbB
z-3&Ezf)
-m^^^qO}^^k9
^=Y^wC"L9X^jso
IE3S4U
^^^\zt
L\4N[Ne
Nazu:7NS 9wN
4yNNkb)
{NM;N*
N8aN65w
(qDpN5r W
NN-.hNhws67LN
u*ymwxa}D
nqrcGk1V
&$$U]$z$]/xl:
EuK$($np$|f$K;9$
LzWM8X
?60k;T
nCVj:f]P
}G]z]p'("r`iY
k:cfWWT/
'7<W}}L W4fc'C:c
Wc$WhcWjo&b
/\WYccd>c5 WW
+l[ucc
{ddMHq
CcHW`,Wvc@o
lWW1cW
O~#^Xhx~h7hD3hE#4h>4m
$F0JhY\r9wf+?h=
hho{Z]_F^h
@oh>IJSP
0lhhh:`hh
;\{{d- Y^
Zyggw]0{;
6C|eI7
Z4}ozY
^a{h!{0;s7Y
UZ;:J;z{;{
b{3G2q
QbbbX{{,
^vlN*bUS
ebSLywqci(4qb4
b})>/b5z-t%*
,[bz.5`6dm
+o|6`Xb
b]@beb1P
#g0L'm#sA2"#
@$wwwLQ
Iw]w@ZO
wlo!Sw+wY 8
zVwQ#wu
pmyd.,w
:l<*I_|
?0I|Pv
-8 &ejE
{#[`Db{1 =fR
(Hbs<vG'
g6A|c'k
Q'gx9T^9]?o
x*{~4
3D@=?$M
;/FRDX
Bgpz=9
?_W% UI_
%_%%Sb3_
_B s__!:
J_H%D_
]_%qa%
%wwd_K%FgHt
_ZX_9q%2#eOdL4v
:(K%R%v_%
=%tX~O
\8"^Y!2
^Y^uoVaF9
.[nquz^
t^^Gj.=l^'s
^$|MG;C
[CfQC|
%2H8CU
CGjCKl6C
C)3\)CtCC|G
PC2C@"1;B;qVSj+
~J;7S}C;v'
v;'d;s;0P;
wM;;q;/;;;
]Uc!;;
q7Q]YBjr,%
#6nzzj
W<z<`gWl
$ 1AF1JzlL
RDoKpz1
1Z1:>fr
n1n1$%OJq
9FY5*9Kg5b@5O]q5nD"
555a55sG
mFP(5wf
5~w3cL5
50/,A5A&R
Xj5=~B
F!gn#?EK
`;[W!c1i~
x_ f`:6
?27T;ab4
&C|@0C>
jc?]sC%
CCCmCCDCktzC
TCos)(
BC_fg#
9\ip(~$
CfCS\o:
VC^??oV3\?]>
?2+R[{YZLgs
vy???n
?gy?C?
Z17??6q
8C?I+P?
?$DI*rJ
YAA?B p1B\jd[
jd*llw2?
,}hBrll
as?]~guljIl
*lTkl0lv?l
'8v#P.(t4) 5hhhg3hh
+ihnp.hCUUhrh
g.]Jet~Ah
NAxjWxnh
5X ]3/./L 3L-+
N}`<33/r
/i3.'3\3]3Lz/
/3a3^ _Uf/3/\ff3
53>L/kEi4/
C333//~w4W
BOAslzi 2
\]uvY'
-\n >`N[
o{V|NRCs$|
||,|UwL|V
EE|/K6
B|1$ W\
a~-0?+)
1=&'DD/|99op$jX<^
[lN| J
%w~3%Y%YSa
5%%f{p3>
t(t0cn
r!%R%%QUA G
~@^Bk!#
BAQmVBZ3<P>gJB
4s6wBBB7BB6S/
BBqBS&gF
Im!'f`]ID}B
G.$K|!
9;K|f9(&
GZ1[AH1N8
qusP^T
>~%J{z\
x]A0/lo
~$hhGhCm\Kh2h
pDhm$h8w'h_P
hmys+I
RyahXhzcf4mh
kmL<',hAmYhm`O)R]mhXe1mm:mme/<+
#^?|++Z
/Z #k<?^
_C~/|c?72
&|!*?n?`?????fY(aV-F{B:
CI3Ir_?_
ILr-+III'
AzIIk@Vr@
"*y,I7~
8;GyfB
d1zt//V+a
dVYWU*|r
W deY
,c#f=u6qqNqlN
q@pu k
^:7k,8ku
k# H5g
JyA8;DS%kkYknX
wk])skG
;kGku*kk
"5@V2][6
H77A54@~X_pY
=s}-Y(Q"n+
3i21)`VM
z T}eKxy
kl^tK\Aj.KLn@(g(n
#'[]ij
Z[-%^*
[[{4Ej
[=[nN|S,[rgIk
[[? |[
[O/ [0g|[
rKyT(^LpQ
-^w`s$
6CQ9AI
q!?]{`?g!
B=n3+V
)PEWKf
NGFLE
=Up/#70z
U(ZuiYZ=sZr
ceMZ%Jb
U&6u<ox&qT~;?@
1<U^n:A;
j4S q553L@:W-h
`1<PFF_
UxxQeIFz
xxb~xC.
`2Xm^7x|
r=(dxmx
K#vxHX
aQB?cB
xF+LAlMQMM{M}
M|\#M`M5XvMUZ
s8L*0V
BH)M+M|MWtR6
MdUFMh
nMmMLPM
toO2'jB,'^M
tc%D-|>
yH7Ner9me=WpzJ
vfmV&Pi
s##kYfq5v?oK
R{CaLc-v
Z2%ooWdyR
L$/Br)/
mQ9-G'Lj~5e:@
\PZ~~}!R2~
~0'<B~l?!c
D~xos#~3~~~~
|jRuo\~SZG~`h
M$\1_Nj
hlr[bbZ
gTFOCh[ro
;,NR9j
;>p,#_+O|o
Yr Ly]
]9;L5 %`9Pa
{\@W#q ?07$"
8I=25bSX)kMW
)*BGg<
>%D @,S
7)T3'n
z13S=c
Yhwp(IV,
"sjq1B~
6#co.`
-A]Wl0
y4i}GP1r
)In'D~
m<C>Gd:-f
I,cS:G#+\xmlFrqU
`q$qHGmW2
PiaeCrEqw4!qk~@Qq
5=?F_qq@?FJ
CqNf&GQ
r>2um!Z<
p}r"6N
lcP>.2>#
e6 l%[
K/EG\KE*'
EeKl<G1#2K
dr|K/K
0K}oO(
gKl:qY
@(GXG?
Vq6kH_NM
Doqo?GG0
RyK0T{.l
b{(t6i
wm WABcfGwMm;
;F3o[k
VKX;aY
`@s\@riE
FLb3 b?~
<k1:"05
SFb>)G
OdfsBvM$37W
7]LGII
~{8*?I
wD}BHL
1(QSiS[
D[#\1zz,"$Iu3I0K
iiQiTh4
Z6yo8:
bEJ_&oN
b*_z2~c%+!|_
D.sJp]XW*1WSD$[D\~|
t)2M=8
6Ce%"?
y9&QHO
*R/pE1
1t:,n
1p}111
tGQ1!ry
D;VgD}K4
?W.%D 6+LDl?XD
\ZDzQpBDUmf
kn6&V?&
j-Aoz]&
3u.DhxYJh6
\ARX+u
8v{)|
-"p}0P
v~#V'1
y!n\oC
Qa(2`HcD-
K6e=px
5tsDUin
G19yiD_h
W9Y9!9499
99G939b7
HRiKN%5+
S~~2+m
`[T_1.
[!x<xuSR
p<\3d.
uHR&E<c
<!gT;&\}+mm!EC2
R9;Ei5 m]|
&E\>8JU_EE7
cycx&c
uc'V<k_~
7 H9X%o#E
(&~8m?coc
;kZMTI
6:ccIq
U/PPXPP:
P>)wyc
gD3P;j.
vqvPP/
g.Wl5x
,CCAdwq
bt@2Tg`T}d-I
X[lH9:
a?DJ=p}NR
{L=2sJJK0V~
G GMw:a6aib$
q&{e<A"GGUE
M?AuHC$$m9G
}GSGG4
c}xakpmM
+d5}!mE
Pgj+&F}L
(R3G1!ew1}
}}$OP`
^%fsfL4I
x8-X{Sj
Kcf}!x
YQQQ>QB9S
Sy\Q(e/-
Qp}TQ#
ZQQClqQ
Q3pWS,u
K?U/$F
68R[QI
1ZwSg};
k8yH5N9
p:X;X
/fVZpp^p
NTF)Zp4pi6
4pL0ppKhZJpV`Z
KH;~Zc
"LpA42p
ZZ4p-DFS
#wX &d)-
V>PK56UX,G
CdMcZ-d=
3n{PXRBX7$~.#c45<[m&D{0
zlspZSbDkZ"(I
ieu&o{(q
*{{kDL
5w{G2#{
s{{/S$.{O
%{4Y=F
ov$Cu#Xb8y$}:Jm
X+}z0m
?X E ~
LvPXwH.z"F3T
fdb@qXOt`
2<`P|w
=J !R3:
p>]ME8C
qw7qn850eSD)0
}(cl'I<C
IG>2ex]O5i
40:_pxw8
<queHFv=:(@
=qFFMRt
)z9FMF
eFmiF,^Fc#S
)FsFI&m
q9rNn8Z7
EuFf9k8
F0{x&k
:2Fra,;
.;yWi/,<
;-S0Y97xF&F(>
i3A@E3b3
;3\:v3
33T0RR1
3E( PMy3
+33hMI
F4+q%@uX@'
B$7P1-
?t$Dtd6
\V-:q#9--
)-5hb'yD[-0^<\kA-v
6p8!B-WA)|y-<-
8rn|&q
mDFQ99;NB'pe
A#e2UZILX
ol:G.-$GFa
:37K~QrY
9jlRr;Efg=x]
yM=qn%
F>A/AX{K{xAAL
9x*\|$R%
BAC9$Amm
?0AT^`K0
seEZ-4
kB&_;3AA
A_/KA6
k!iY9/kkVk06
c ]-.&k2.Z[8?k
}g/EK<U0
F+c[n_T
~uA?7PBf
"k!V\LP4w*T_
3uy<#Z+
qMa2F>
Otj<It
f>Ow7cH/W(
>O-p"^6
tpLU|snOq
hSUJv.z3
<eiv}<
<1~.yH<<p<
rD<8m3
;<W=<<
/<Bp1S!{<=
AA)`S\'_O*1
g'FAAi
,B=tA/t
AB|2][kA*
3`AH3iA
=uQ8RxZ3w
Is_I3+33y
e*3 3s
mi=Ymoe
6@NIoIS
gW3VI<
~Ni.]3;B>JjC}
wBJ|&HAn3C3k<=?
Z9cJf3_,ZmX
#?S!F"'>e
coZ.Cz>*h
T> h5y
FFlF}fFF
,F+%<f
ke$h^lt;Ge
("7pM/vHH&Bqhq
bM8u OAq
X)!*gwf
]!7]{V
~4(%4>S4d
4!c=fo!hb!8!
?g!!{,!Vf#P|
hn.!z$G
ctQhBzX5X7A
?^g8Kh
4XdX V
,vmXX
XC TVX
t XX"^<{!n@Dnl-
~q LRL$Ktq
"vLq&c|z
~|:M /
w3=jjzPjjj
n(HFP6^j
(^j|PjP
+ju PP]P.
,jrV3|\SPj`:
A(s]OA
jejjej
ejjejjeeej
#&'!:%+
11 aGp
GI,ezHVvg
RGNvr"vG
Tw)vz|Gvhhig
GG}R">S
,OgIxPwG
VTBOjd
cZ~OOqkJqG
eeeeee
ieeiee
eeeeie
bejieb
eeeeeee
beeeeee
yyhaG[a
))V_]]))
)P)G)(@Pg
))~ECS
RRQR)`
EpzYYhc'
.P%)!66
.)o%!%
VO"\xi
(###),#/
p)T.))
))Kjjj
on,)z)
,))))),v))
o=TY,D
___g_T
{______5
____r{_
Tccrr[
crrcrD+s+a
9ME9ZYZ
W9{9e9W
|WX9Z9r
\Icc"*
&`MrL$
k+"HIpM$
WvO(5'sM_E9
p>v!"Rr
MlHvPrO]
wHUrOM
NMvZX$(I
S*"zMVM[
%A^VqPM
kdtohn
ssDD}}pD
pyayZ[
)RW).)GZ
,.)`.s)
xVx{vV
QH&]oq
)w.w)w);P
,UTwT,T
rr{{rI`{@u
`/`2(20.02"p{
d`?wqg,
sg0a0fw|222
s<k}~t
Ds j7#`
(f}fa"{2z
wfq`aa"
2}|caw~q|} w` 2g2aw0q?2` d2^{`w2
`ja d `w`dq gw 2~vf2g}a2Ww.2`ffw``22qa{ `,w,w sWf
wj`{w2` }22g`!w2,`f2},s`2{S2a(2.atkc~ ~`0g, 2``.wB cw|<`22fqv/[= q 2~wwvdsa^`t awu2~0w.f{0y2gwad 0
w` w``2`\UwVB
=SUS.f2J[BB|\2[[\,UU\aaw[V\V\UVq\{wJU[\ U[\SVV\JvVJVUBUa\,UBaVpB[\\\J[BVk[\`BB\S
VS,2\B.BSSBVVJw\g,J\V{\BV=[U\awd\S2`JUV\t\JSfVww\kSJc[\VJVgUV\VJ\\V=.J
ff[Ss a}\S[SSVB [~V2~u\V.UgVBV[S{`\`2"%
#"%"'!)%&%%%V&Hu+,"VV".O%%M%&
%V"#B&AVVV!V
*"!"j%&
V%V$&&Sj%"*"V&$&*"&&-%MV%E&V"s&X%&V
.&v+.!%V&7
VV&N+@( |m*V!*&y2(,%y
hV'W$)$ ''"%
*..{&&$%
& ,',/!!
-"",=!#'
&!"!-!#!!-' -h#
"{&"&##-#-!#-
!&#&!'!# "
,b!jz "
Q-( #'
-,#,-
t6@#j<-78#!!'!#" 'g#",
!- $"`!!p1*!$*w..$$%c(.()(+q
)((HM)%)*()9])f/(%(
(*$(*.N%j(
**)+"i%)$+
(.].)*$m.f.6%(+(.U
(%*.+((.h.6*/*)
c('(RG
((L$$.($_x%[Q((%
$%%'$<*
,%"'L"&%F%
&0/^/$
,/I%,J9>e-$%$o/*%&
8-- /,%
N$&%-C%-"c-q%% \&.-%
*% %]%%4
L#%''%%^Ke%'
* %%*%`,/
%{2/"%-
/'%%*m$k
*)*,))*/H
)+)f,-)),)L+'),z*vF/.P()/
)<-*U+))h&.H
()UT)))),.))(*-)+,)c)(@)(R())]*)T{.(
),,*)-().)))-))
/)LX))({+
*?.,()))
\3))qA+/^()a:,*-(.})+,)Kp*
1"%&%
| <$"* <#<""$r
@o!#v$-!#*&)-
#R_i<$+ !<+'&*<<Z&#*'J<d1-
< 5<-#%-&G<%
g&\O&-<'$""!* :$-''/_~-.
+)!'.+-6
-/+//-/&.
.!,>@/--:#,
),O,-lh+
W-2+-""
+...+A
/>:)h"",,-#"!Z
"&.!-O&,
,f,(2-,.
- "4+[(S($ @%r%rr
Z.%r%%.r*/M.
/B/&+o
&r):*+>$.[*r(o$/~!&(Ar-r
((2^,(
rG+rsr,/%$)r(e"+%&$r"
&{K;($$!c(
r13#&(((
S%,-&^&)
/rT%r'$+.
(+ .+(!(!('
(#(&(.! ((%!.!
'&).)(!%+#
+!')(Q(//*(*
/.(((b
!(6+'(
( $!(/9#(( v#
./(#('
.(&:&jn!!!
&>&N!!&J&b
>!&!^!!!!!&&*!Z
rj*!&&!&nFR&!!6&&"&!~F!!J&!!
!!!!!!&&
b&z&&&2B!!&!
!&!!Z!.&Bz.&&&
~&!!&!!!f&!!v&&!N&&R&&!!Vvr!!!&!
&!&"!!!&&&!
&!!f^!!&&!&&&!:!'+
GetAdaptersInfo
GetLastError
GetModuleHandleA
GetProcAddress
CloseHandle
RtlUnwind
LoadLibraryA
GetCursorInfo
__GetMainArgs
signal
RtlInitializeSid
RtlFreeHeap
RtlAllocateHeap
NtOpenKey
RtlInitUnicodeString
NtClose
RtlLengthSid
RtlSubAuthoritySid
RtlLengthRequiredSid
RtlCopySid
?AnalyzePath@PATH@@QAE?AW4PATH_ANALYZE_CODE@@PAVWSTRING@@PAV1@0@Z
iphlpapi.DLL
KERNEL32.dll
USER32.DLL
CRTDLL.DLL
ntdll.dll
ulib.dll
c'+(2t+C1XoN:M<Vm
7~r(a\
*or=Q+T
O`:VlZKd
]2)a85yej0'7y\
U!WX8HXH!Lp!$
+]eg~QB&YPF<{-
T|3VP4
~*g$.Pn^z
~*#]fkC5 u'
~wPv7sP
&d1L877u
x'qIq{'i
L +Eg `
~[m\DG'
O�C�H�o�s�t�
:�e�M�a�&�I�.�o�,�'�U�b�K�<�q�{�d�E�B�!�g�
%�a�'�w�&�g�!�{�>�t�T�w�$�j�{�t�n�l�M�
*�g�,�:�?�Z�V�*�q�#�>�r�)�x�n�:�.�m�R�o�p�@�(�?�I�?�
A�m�l�K�'�p�Q�B�Q�#�@�d�j�R�:�M�
n�e�C�G�L�Z�
j�;�q�v�u�X�l�x�x�U�C�
,�D�X�?�F�v�E�
$�i�z�c�i�v�j�x�a�r�E�T�G�g�^�r�)�!�I�C�m�J�Y�O�>�<�
O�#�F�{�>�e�z�K�b�t�.�Q�W�X�P�B�t�,�b�L�R�o�O�t�Y�(�x�&�?�(�$�!�P�L�<�B�@�'�.�u�<�:�s�N�+�E�u�'�Q�D�i�)�;�Y�W�%�x�X�N�Z�K�q�
A�b�$�u�v�T�L�d�c�%�X�x�H�m�m�+�}�S�v�p�x�f�s�C�?�
!�&�D�J�^�c�.�s�E�m�E�T�G�:�F�+�Z�s�@�t�(�R�G�c�o�M�b�G�,�N�Z�B�e�i�{�{�)�'�c�q�N�D�;�L�h�m�c�X�z�G�^�@�o�}�p�s�@�$�H�a�$�'�E�z�k�q�{�(�(�%�e�N�#�)�h�Q�'�Q�p�!�E�S�l�H�s�R�b�K�.�?�K�z�Q�+�P�t�q�j�b�R�I�O�v�}�;�d�%�x�)�?�l�!�z�Y�o�
y�z�o�@�;�d�A�
?�r�<�z�C�t�X�E�A�%�g�<�A�m�V�.�A�U�n�A�+�{�K�o�t�(�a�y�G�e�Z�*�(�Z�S�L�<�r�A�%�M�(�a�?�H�P�%�
W�(�I�m�,�*�a�D�)�y�,�K�-�D�H�U�)�^�D�R�L�V�y�M�Z�-�H�r�.�l�I�p�%�p�j�l�?�i�X�(�M�w�b�?�A�'�@�x�k�'�u�'�+�+�c�!�R�+�
L�^�*�W�f�|�O�p�F�c�c�:�}�O�I�h�,�t�U�f�
(�d�k�L�^�:�
w�D�>�@�y�A�c�E�@�
<�'�;�Y�o�>�#�E�n�H�{�G�y�>�m�@�;�A�
Process Tree
- e4539033f53fe6429a3c8c868545831673fc0f959d5219b57a4b599259535903.exe (1808) "C:\Users\Administrator\AppData\Local\Temp\e4539033f53fe6429a3c8c868545831673fc0f959d5219b57a4b599259535903.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 7df68a9d55608a72_iqbjnwa.exe |
|---|---|
| Filepath | C:\ProgramData\Mozilla\iqbjnwa.exe |
| Size | 150.8KB |
| Processes | 1808 (e4539033f53fe6429a3c8c868545831673fc0f959d5219b57a4b599259535903.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | a77d2a04b2219f70ae6c39a60bf64c30 |
| SHA1 | 1104de982195eb58e5163410bbc7a358743ea63d |
| SHA256 | 7df68a9d55608a72b6f840689878a690ceec0167100e29eab607b28bd672be2f |
| CRC32 | 63B1278A |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.