2.0
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.67
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Trojan-gen | 20200430 | 18.4.3895.0 |
| Baidu | Win32.Trojan-Downloader.Waski.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200430 | 2013.8.14.323 |
| McAfee | Downloader-FSH!BD677EFF6D88 | 20200430 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b391b2 | 20200430 | 1.0.0.1 |
静态指标
文件包含未知的 PE 资源名称,可能指示打包器
(1 个事件)
| resource name | JPEG |
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(33 个事件)
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\kdeohw.exe |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\kdeohw.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\kdeohw.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 61 个反病毒引擎识别为恶意
(50 out of 61 个事件)
| ALYac | Trojan.GenericKD.1697200 |
| APEX | Malicious |
| AVG | Win32:Trojan-gen |
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.1697200 |
| AhnLab-V3 | Trojan/Win32.Gen.C381686 |
| Antiy-AVL | Trojan/Win32.SGeneric |
| Arcabit | Trojan.Generic.D19E5B0 |
| Avast | Win32:Trojan-gen |
| Avira | TR/Rogue.AD.245651 |
| Baidu | Win32.Trojan-Downloader.Waski.a |
| BitDefender | Trojan.GenericKD.1697200 |
| BitDefenderTheta | Gen:NN.ZexaF.34108.bqX@aWjiK6d |
| Bkav | W32.FamVT.GeND.Trojan |
| CAT-QuickHeal | TrojanDownloader.Upatre.AA4 |
| ClamAV | Win.Downloader.Upatre-5744087-0 |
| Comodo | TrojWare.Win32.TrojanDownloader.Waski.E@5ag7i4 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.f6d88b |
| Cylance | Unsafe |
| Cyren | W32/Trojan.QRPW-3514 |
| DrWeb | Trojan.DownLoad3.33216 |
| ESET-NOD32 | Win32/TrojanDownloader.Waski.E |
| Emsisoft | Trojan.GenericKD.1697200 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Trojan3.IMP |
| F-Secure | Trojan.TR/Rogue.AD.245651 |
| FireEye | Generic.mg.bd677eff6d88bbec |
| Fortinet | W32/Waski.E!tr |
| GData | Trojan.GenericKD.1697200 |
| Ikarus | Trojan-Spy.Win32.Zbot |
| Invincea | heuristic |
| Jiangmin | TrojanSpy.Zbot.eekh |
| K7AntiVirus | Trojan-Downloader ( 0049a3451 ) |
| K7GW | Trojan-Downloader ( 0049a3451 ) |
| Kaspersky | Trojan-Spy.Win32.Zbot.tblp |
| MAX | malware (ai score=87) |
| Malwarebytes | Trojan.Email.FakeDoc |
| MaxSecure | Trojan.Upatre.Gen |
| McAfee | Downloader-FSH!BD677EFF6D88 |
| MicroWorld-eScan | Trojan.GenericKD.1697200 |
| Microsoft | TrojanDownloader:Win32/Upatre.AA |
| NANO-Antivirus | Trojan.Win32.Download.dcbulw |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM20.1.E760.Malware.Gen |
| Rising | Spyware.Zbot!8.16B (TFE:dGZlOgQHxmwR/KEqmw) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Agent-AHGF |
| Tencent | Malware.Win32.Gencirc.10b391b2 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-05-28 20:51:23
PE Imphash
5bafb291df732bd8895bcff11e861198
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00001c24 | 0x00001e00 | 6.272345797889654 |
| .rdata | 0x00003000 | 0x000003a0 | 0x00000400 | 4.453036927767144 |
| .data | 0x00004000 | 0x00000128 | 0x00000200 | 3.5971300161990216 |
| .rsrc | 0x00005000 | 0x000039b8 | 0x00003a00 | 5.3040287151624605 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| JPEG | 0x00005dfc | 0x00000600 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| JPEG | 0x00005dfc | 0x00000600 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x000063fc | 0x000025a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x000089a4 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library kernel32.dll:
• 0x40301c Sleep
• 0x403020 VirtualAlloc
• 0x403024 SizeofResource
• 0x403028 lstrlenW
• 0x40302c LockResource
• 0x403030 LoadResource
• 0x403034 GetModuleHandleA
• 0x403038 GetCommandLineA
• 0x40303c FindResourceA
• 0x403040 VirtualFree
• 0x403044 ExitProcess
Library user32.dll:
• 0x40304c GetMessageA
• 0x403050 GetSystemMetrics
• 0x403054 LoadCursorA
• 0x403058 PostQuitMessage
• 0x40305c ReleaseDC
• 0x403060 SendMessageA
• 0x403064 ShowWindow
• 0x403068 TranslateMessage
• 0x40306c UpdateWindow
• 0x403070 EndPaint
• 0x403074 DispatchMessageA
• 0x403078 DefWindowProcA
• 0x40307c CreateWindowExA
• 0x403080 BeginPaint
• 0x403084 RegisterClassExA
• 0x403088 GetDC
Library gdi32.dll:
• 0x403000 CreateCompatibleBitmap
• 0x403004 CreateCompatibleDC
• 0x403008 DeleteDC
• 0x40300c DeleteObject
• 0x403010 SelectObject
• 0x403014 BitBlt
L!This program cannot be run in DOS mode.
`.rdata
@.data
<U`v@@
$!0EZ1
+]]]Sh
3uI=Q0
PZ01`5k0Fj`pE48
EI8&2p
%uMwUSi3
Z07`5q0Fv`pE$8
EI8&pp
+uM}USo3
f0-`5Ec0Fj`pE,8
1uMUSu3
Z0/`5xi0Ff`pE,8
+lE%0E
;0E.0E/-EM.0E3mDB0E#
G100E7c0E
'0eUe+0
0E#mE_0E'
1*UpE1k0
83,fxU<FeZE{
F$I'IfuM ~uFF f35GfMU4<1en(V70Fj
4-'0E/+U
?Iq0Fvuq
D030CfFbH0pE$ .
0"pE$
Nj0FjU=
5uUsU<
4pE, =
-/0EK0U0
3Ie0Fjuq
UXE!0f0U
5Ig0Ffuq
,pE, ;
|pE$ `c]PU,
EIc0Fjuq
0E#mDR
0Ez@4pE, ?
`5Nb0FjU
EZPj?-?Z
MpE#0Z
Eg0Ff`/pE, U;
Nn0FvUz
`bpE$
pE, m,t3
5Ig0Ffuq
+dDa!dDa
taCnLaENKMZO
UyZFwZ
E!0g|J
29nG0i
n1:`ta
e@euV2
ta?nLaAL
EO1 0iE%
+-3)$s7
@dcPqpE
i~nxnA1
Sm0E-2
UXE1ppE
`-/0E8eseyx
%PpE)
10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E0E0E
0EC0E'0E
0E'0Ew0E0EI0EW0E0E0E0E0E0E0E
0E0E#0EU0E'0E0E+0E
0E0E0E50E0E0E%0E
REJ^EQUE[ E
EcEY@E
JEN@E'0E
E&eETEe
E]YEU0EF\EP[ERDENRE
QE[0EJ@Ec_EOYELUE
SEP]E+0ETTEJ_EIGE
UE]UE#0E
CE)0EP@EJ^E/0Ep@EVBEV
0EYUE_DE
E+0EN@E_\EJSERDEN_EQ E
0EQDEE\EO
EI\ES0E\
V_(eU6TE#GBEW_EFBEW^E
UEgUE10E
ET0E0E'0E)0E90EI0E
0E10E30Ek0E#0Ea0E'0E)0EG0E0E[0E10E30E0Ew0E%0E'0E)0E+0E-0E0E0E%0E
0E;0E'0E
0Eg0E}0EI0Eg0E0E0E0E0E0E0E0E0E/0Ea0E30E}0E#0E0E0E0E-0E0E0E10Ey+iB+F
5JgELy+UB+Fs)PU
NT)VBEjD cU1d^+JD
'hEqD5pU+{A0JD
1nEkD5^!uA0JD
'ErD ]U1{Q!i\ 1g
T)O(GhD
PE)FQ+GU
-GwQ5tU$g0Ex Bq)QSE;w U_!VU
%EdU$Uv,OgEw [Y)VY?V~@QD7O^
%)DjY1y_&FCEb Nv,M0Eu\6iS(S0E
RUE}s)PU
NT)VEw\ iv,OgEc)J@
FoQ!qR7NI
GB T0EEv7F|,MQ7fGwQ5wU 3DxD
VB Ot,US1PI
!M0E$G6eY+WgEzu
gS0egEu
kG\E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0EpEpEpEpE
^#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E'0E-1EG0E9030E50E'0E%1E&0E
0+0E-0E+0E11E*0Em0E{0EJ0E0E)0E C6JR)fH(MCx
Y&UC*G
(RY#VD
O_eg\+d
(NB*TV1
ydS0cD<!:e
B ZU6WT
[F,SW d=O
e U4ZC1Ju=FE1R^
geA0NU
GY+ND7F_7
E,jS \
U4jC1Fu=JE1N^
FU)!:e
7VE dU!Y3JU"J
6FE7VI{2
jFC R\< q
#0Ea0E
tus_ud
u7t0.thQtZOt
ttt4wB
pqxnqV_q
q0E%0E70E)4u3<u-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E%D0@
ExitProcess
FindResourceA
GetCommandLineA
GetModuleHandleA
LoadResource
LockResource
SizeofResource
VirtualAlloc
VirtualFree
lstrlenW
kernel32.dll
RegisterClassExA
BeginPaint
CreateWindowExA
DefWindowProcA
DispatchMessageA
EndPaint
GetMessageA
GetSystemMetrics
LoadCursorA
PostQuitMessage
ReleaseDC
SendMessageA
ShowWindow
TranslateMessage
UpdateWindow
user32.dll
BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
SelectObject
gdi32.dll
GetProcAddress
PE)JQ+EU
Leaders agree to review EU policies
GetLastError
LastViewCtrl
v]$UY XV
French police move into Calais camps
oQ!qR7FI
fY1u_&ess
Lose a little advice on obesity
+<a_"m7
r:}*4HUC]=
J/dkMuF2s
d$20 "
ZJ2\L$a[
>uwcw\mn.
;APFp9(KH
&oVP@'<O
i~j4{Y
:A85j/
tz}nx!Px5&Zk
UU>]iC"&<
+B;"cr/A
<ga]^Q^t
(QGq}+8;3J<i
vs(;#w:uuP/sk
B#^`4m%1
GTPOl";Dll
U p=qn:tvs{_
Pw.~E<nj0dd
TGBWeo'
u:$$c=
\TetCXG}Ygu?
5!Ltko
_P\#tf^pFt
tm:v5Z.c9X2
"*<Gp$0[
?j<mq$r
U# Di9l\F;)3L?
j =q7f[
PAnE$0E+0E
0E0E-0Eo0E10E30E50E#0E%0E'0E)0E+0E0E1K1Y9
&J^*WR
^euceNT
/0E10E0Eq5Ep4
%0E'0E2D4:E-0E/0E10E
0E50E#0E%pE'0E)0E&1E-0E*1E10E30E50Ed0E#0' E)0E+ E-0E/0EA0E30E50E0EI0E'0E0E+0E-0E/0E10E30E0E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E0E+0E-0E/0E10E30E50E
U=Y0E0E)0E+0E-0E/0E10E30E
T$Y0E0E)0E+0E-0E/0E10E30Eu0
0E)0E+0E-0E/0E10E30Eu0
C7D0E0E)0E+0E-0E/0E10E30Eu0
U)P0E0E)0E+0E-0E/0E10E30Eu0
#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E/0E10E30E50E#0E%0E'0E)0E+0E-0E
M8w41p~k<7/<E
dDa?dDa
M0U'P=pE
0-7pE,dce:
'nUwE+ZFw1-/0
k8E+.f
eodla;
wE+ZGw2-/0
-f|aC`t
U,.?w[
0E$F[3xegX
ZDUP5pE
Y0E`gh1
yyyzzz2
- - - - - - - - :-- - - - - bW- - - - - - - )
. . . . . . . . . G;. . TI. . . . . . . . . . . . +
- /!/!/!/!/!/!/!/!G;/!G;/!/!- - .!/!/!/!/!/!/!/!-
/!1"1"1"1"1"1"1"1"
u1"XL1"1"eY1"1"1"1"1"1"1"/!
1"2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#2#1"
3$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$3$zzz
5%J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<J<5%3
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXC
C�:�\�U�s�e�r�s�\�t�w�e�l�l�e�r�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�w�z�c�6�6�c�\�R�e�p�o�r�t�.�s�c�r�
C�:�\�J�K�Z�R�l�S�D�Z�.�e�x�e�
C�:�\�R�Y�e�e�J�a�3�Y�.�e�x�e�
C�:�\�z�_�S�R�b�I�o�Z�.�e�x�e�
C�:�\�A�4�0�i�T�e�2�W�.�e�x�e�
C�:�\�6�X�U�5�8�w�_�1�.�e�x�e�
C�:�\�B�4�w�N�H�h�P�h�.�e�x�e�
C�:�\�r�9�H�4�x�M�g�2�.�e�x�e�
C�:�\�B�k�m�p�f�p�3�9�.�e�x�e�
C�:�\�t�I�y�g�P�V�h�g�.�e�x�e�
C�:�\�i�J�D�J�F�y�i�p�.�e�x�e�
C�:�\�1�9�u�X�P�m�V�h�.�e�x�e�
C�:�\�W�c�r�a�D�5�D�L�.�e�x�e�
C�:�\�O�P�i�F�0�x�n�H�.�e�x�e�
C�:�\�f�8�p�s�k�T�0�B�.�e�x�e�
C�:�\�e�y�D�y�d�p�m�E�.�e�x�e�
C�:�\�e�L�L�e�4�u�i�q�.�e�x�e�
C�:�\�H�o�q�3�a�_�g�C�.�e�x�e�
C�:�\�T�k�O�R�D�d�C�I�.�e�x�e�
C�:�\�Q�w�7�K�h�D�p�K�.�e�x�e�
C�:�\�r�p�w�y�G�T�v�j�.�e�x�e�
C�:�\�3�3�9�D�d�K�i�U�.�e�x�e�
C�:�\�F�A�H�D�K�f�t�e�.�e�x�e�
C�:�\�c�i�I�v�4�c�t�X�.�e�x�e�
C�:�\�l�F�9�p�n�8�r�H�.�e�x�e�
C�:�\�S�H�r�_�K�1�z�W�.�e�x�e�
C�:�\�5�m�z�H�X�k�_�W�.�e�x�e�
C�:�\�Y�N�y�C�e�D�K�y�.�e�x�e�
C�:�\�t�W�N�3�S�x�y�A�.�e�x�e�
C�:�\�i�y�o�d�d�x�m�J�.�e�x�e�
C�:�\�S�J�b�c�z�a�h�W�.�e�x�e�
C�:�\�R�H�g�q�C�x�I�L�.�e�x�e�
C�:�\�l�F�6�l�q�5�i�q�.�e�x�e�
C�:�\�P�s�1�W�P�5�r�o�.�e�x�e�
C�:�\�r�X�3�2�f�u�M�j�.�e�x�e�
C�:�\�y�S�4�p�d�i�N�_�.�e�x�e�
C�:�\�c�Y�z�s�O�H�x�g�.�e�x�e�
C�:�\�N�B�M�o�s�j�x�L�.�e�x�e�
C�:�\�1�p�Q�5�M�d�4�o�.�e�x�e�
C�:�\�a�P�7�j�b�f�s�V�.�e�x�e�
C�:�\�S�z�2�O�c�M�3�S�.�e�x�e�
C�:�\�Q�b�o�b�O�t�n�c�.�e�x�e�
C�:�\�m�w�6�H�Y�B�d�N�.�e�x�e�
C�:�\�X�C�P�F�r�0�m�C�.�e�x�e�
C�:�\�o�Q�_�r�N�i�6�A�.�e�x�e�
C�:�\�U�s�e�r�s�\�J�o�h�n�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�e�C�m�k�v�o�t�a�j�i�a�i�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�0�e�7�d�3�4�4�4�3�a�f�f�f�0�7�e�e�5�b�9�f�b�2�c�3�e�3�2�0�2�6�e�.�e�x�e�
C�:�\�b�a�f�a�4�7�c�3�3�c�0�2�e�7�9�9�0�e�e�a�2�7�c�3�9�9�d�f�c�e�b�0�4�7�3�5�4�4�8�3�e�1�3�c�7�1�5�3�3�d�5�7�d�d�1�1�1�5�1�f�e�7�f�d�
C�:�\�f�4�7�2�4�5�d�c�0�1�8�1�e�c�3�f�b�9�9�5�d�f�6�f�3�6�4�1�7�f�5�2�7�1�1�c�0�2�5�7�e�5�9�0�a�4�c�7�8�8�5�6�e�1�a�d�9�a�e�1�e�6�a�a�
C�:�\�e�a�e�6�9�6�8�2�6�b�f�b�b�4�9�b�f�1�2�d�c�9�e�0�f�5�b�5�6�3�9�4�3�4�d�4�2�3�9�4�a�9�6�3�e�a�e�b�5�d�1�e�3�9�b�e�b�8�9�7�8�c�3�6�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�k�d�e�o�h�w�.�e�x�e�
C�:�\�d�3�1�5�a�2�e�8�f�b�4�9�5�f�0�8�f�1�9�e�7�6�4�5�0�f�3�7�b�9�d�0�d�f�6�1�3�9�f�0�7�9�e�c�3�4�d�2�7�f�d�1�e�c�5�7�7�8�8�7�2�8�b�d�
C�:�\�b�6�7�4�0�f�9�4�2�0�4�f�b�8�2�a�b�e�a�f�2�3�8�0�2�5�b�e�0�2�1�8�4�0�f�e�9�3�3�3�2�f�f�9�5�f�2�1�0�a�d�f�8�a�7�7�d�3�6�a�c�a�0�2�
C�:�\�d�6�1�a�3�4�d�8�6�9�c�6�4�a�c�5�a�6�c�6�b�5�3�b�2�0�7�6�1�e�6�0�b�6�8�7�d�a�0�0�2�5�0�a�0�2�8�6�1�5�5�3�0�0�d�c�9�a�3�1�8�b�5�e�
C�:�\�d�9�a�f�8�8�b�c�4�5�c�9�b�f�0�9�a�a�2�7�8�4�c�8�4�7�3�e�2�4�7�b�b�9�e�2�4�e�c�8�3�5�8�7�f�4�a�1�c�c�b�f�e�1�c�4�2�c�4�b�b�3�4�4�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�k�d�e�o�h�w�.�e�x�e�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�k�d�e�o�h�w�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�R�A�4�9�1�~�1�.�V�U�L�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�5�1�2�2�5�8�0�2�1�2�2�6�a�7�9�d�e�7�b�d�7�0�2�0�b�1�5�a�e�8�d�a�.�e�x�e�
C�:�\�0�5�b�f�b�5�a�f�d�9�d�7�b�d�9�5�9�1�9�d�9�c�a�e�d�0�d�0�7�d�1�1�b�f�d�6�a�4�2�b�5�4�e�f�9�0�9�f�9�8�0�f�e�9�a�7�e�b�5�3�2�9�7�9�
C�:�\�4�1�2�5�0�c�2�b�f�8�5�6�1�7�c�6�0�6�b�b�e�7�b�4�c�7�9�6�7�e�0�b�f�c�a�a�2�0�8�c�a�f�0�b�6�9�1�c�d�d�0�9�4�3�6�4�c�f�b�f�a�7�4�8�
C�:�\�c�3�3�d�c�6�5�d�6�d�8�a�3�5�3�2�6�0�7�1�f�7�c�9�7�2�d�8�d�e�8�e�d�2�b�8�7�5�a�b�0�d�8�c�1�f�d�2�e�8�a�d�d�d�b�7�1�a�b�c�8�e�9�b�
C�:�\�e�9�4�3�7�1�2�2�b�a�3�d�f�0�d�2�8�0�b�4�8�c�7�0�6�e�5�6�a�9�a�5�8�a�1�7�5�a�0�8�0�a�7�d�5�7�a�f�9�f�c�7�e�5�6�4�b�8�5�c�b�a�3�8�
C�:�\�0�b�9�6�7�9�d�d�5�7�c�2�c�8�a�5�2�c�4�1�e�7�4�6�b�2�d�1�6�6�b�6�9�1�8�a�2�f�4�c�e�5�9�8�a�b�b�b�1�5�8�4�6�7�e�0�9�f�1�1�7�f�f�9�
c�:�\�t�a�s�k�\�9�0�8�9�7�A�8�E�8�7�2�6�0�9�A�9�B�0�5�2�0�0�2�1�8�D�1�E�6�C�6�B�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�d�4�7�1�5�6�6�f�a�e�8�1�7�3�3�c�e�6�a�6�4�0�5�6�c�c�a�c�d�e�2�3�.�v�i�r�u�s�.�e�x�e�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�k�d�e�o�h�w�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�R�A�4�9�1�~�1�.�V�U�L�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�2�9�3�d�c�f�3�2�9�7�6�d�6�1�6�3�f�1�7�1�4�2�1�b�d�6�5�b�0�4�c�6�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�k�d�e�o�h�w�.�e�x�e�
C�:�\�f�3�e�b�9�4�e�d�9�4�b�4�0�d�5�7�8�9�f�b�3�6�1�6�8�d�c�8�3�b�5�b�8�e�e�a�c�c�3�c�d�7�7�2�e�b�4�8�f�c�2�d�1�1�f�4�e�7�1�0�2�5�0�9�
C�:�\�2�a�e�9�c�3�0�c�6�7�e�d�b�c�2�b�d�e�7�9�8�d�d�d�6�3�0�a�7�0�c�0�8�7�a�c�c�8�0�4�4�6�4�6�e�e�1�3�c�3�f�9�b�9�8�2�7�c�2�3�e�d�c�9�
C�:�\�6�e�a�e�0�9�1�c�d�9�a�5�b�f�1�9�1�4�5�7�0�4�2�1�f�5�8�1�5�a�d�5�9�9�4�6�a�e�8�0�d�8�2�b�6�b�9�1�8�e�a�c�c�4�1�a�3�9�b�c�f�4�c�f�
C�:�\�5�c�f�b�f�e�7�2�b�4�f�d�d�2�1�9�7�a�6�c�c�a�c�2�1�7�f�9�1�9�b�b�f�5�6�f�6�6�3�c�6�1�8�3�7�7�6�e�3�0�a�7�6�a�f�5�f�e�9�9�c�7�2�a�
C�:�\�c�b�2�0�8�4�d�e�1�a�a�e�0�2�8�4�9�5�2�a�2�6�7�c�6�f�7�e�9�e�c�d�b�9�8�e�0�2�d�b�c�0�1�1�0�4�c�5�1�e�b�2�4�2�5�d�3�7�9�e�9�d�5�1�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�k�d�e�o�h�w�.�e�x�e�
C�:�\�1�f�c�1�0�a�7�5�f�2�d�a�8�b�1�a�2�3�d�8�f�2�e�0�7�3�3�2�1�4�4�6�6�3�0�2�9�8�7�8�8�2�e�8�d�8�5�1�8�0�9�e�5�0�e�c�5�5�7�3�c�9�d�d�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�k�d�e�o�h�w�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�8�7�3�7�5�4�3�e�6�b�4�1�b�f�f�6�1�c�2�0�6�7�4�8�8�6�8�0�a�0�f�f�2�2�3�7�0�5�3�8�7�f�f�3�e�9�1�2�1�8�9�1�a�2�f�f�8�a�7�8�4�4�1�9�.�e�x�e�
C�:�\�2�8�a�8�3�4�e�c�9�a�5�3�b�c�7�0�0�6�f�3�5�f�b�6�c�2�6�1�d�c�7�e�5�9�5�2�9�e�a�e�8�d�0�0�3�9�a�4�0�d�3�9�5�0�5�5�c�3�e�c�a�2�3�1�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�k�d�e�o�h�w�.�p�e�3�2�
C�:�\�d�e�2�4�8�7�d�3�8�e�5�3�e�e�3�8�d�3�b�2�c�a�a�6�d�2�c�4�c�3�0�7�b�e�4�c�6�1�d�6�4�7�1�1�6�f�4�6�a�7�0�5�c�a�c�3�0�e�0�5�d�3�7�b�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�k�d�e�o�h�w�.�p�e�3�2�
C�:�\�3�1�c�e�e�2�b�e�d�9�b�0�0�6�f�9�f�3�6�5�c�3�c�9�6�e�7�0�3�a�1�3�d�b�c�6�8�4�8�4�5�c�e�9�6�4�1�9�a�3�3�7�7�3�d�9�d�5�a�1�9�9�2�0�
Process Tree
-
045bbdc2407b1ac69d2902e1291e1b2ec66d517ab3221351683e7c8b92815dd6.exe (1856)
"C:\Users\Administrator\AppData\Local\Temp\045bbdc2407b1ac69d2902e1291e1b2ec66d517ab3221351683e7c8b92815dd6.exe"
- kdeohw.exe (1640) "C:\Users\ADMINI~1\AppData\Local\Temp\kdeohw.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 5479aeedad971f08_kdeohw.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\kdeohw.exe |
| Size | 30.8KB |
| Processes | 1856 (045bbdc2407b1ac69d2902e1291e1b2ec66d517ab3221351683e7c8b92815dd6.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 8740722871170dc0873717e8950d49d5 |
| SHA1 | 6a0cee3c04b98c91dd0dc9a34ae1c6c54d116f74 |
| SHA256 | 5479aeedad971f08d6387ae804f5c1d5f478c352585816d4f85cd84238bbc15b |
| CRC32 | CD82F52D |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.