3.4
中危
DACN
0.12
FACILE
1.00
IMCLNet
0.81
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Kryptik-NJO [Trj] | 20200501 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Urelas.b | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200503 | 2013.8.14.323 |
| McAfee | Trojan-FFDV!BF1EC9FA99D5 | 20200503 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b30b17 | 20200503 | 1.0.0.1 |
静态指标
检查进程是否被调试器调试
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545300.5315 IsDebuggerPresent |
failed | 0 | 0 | |
|
1727545303.12525 IsDebuggerPresent |
failed | 0 | 0 |
观察到命令行控制台输出
(11 个事件)
动态指标
在 PE 资源中识别到外语
(4 个事件)
| name | RT_MENU | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x0001eb80 | size | 0x0000003e | ||||||||||||||||||
| name | RT_DIALOG | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x0001edb0 | size | 0x00000246 | ||||||||||||||||||
| name | RT_DIALOG | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x0001edb0 | size | 0x00000246 | ||||||||||||||||||
| name | RT_VERSION | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x0002e130 | size | 0x000002b0 | ||||||||||||||||||
在文件系统上创建可执行文件
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
| file | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
投放一个二进制文件并执行它
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
将可执行文件投放到用户的 AppData 文件夹
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\0590ce077a5b9dbc099afc4ad25596c593ad0eedc293626f64ee0f1c108ed1b1.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
检查适配器地址以检测虚拟网络接口
(1 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(5 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
| host | 218.54.47.76 | |||
| host | 218.54.47.74 | |||
| host | 194.54.47.77 | |||
从磁盘删除已执行的文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
文件已被 VirusTotal 上 57 个反病毒引擎识别为恶意
(50 out of 57 个事件)
| ALYac | Gen:Variant.Jaik.34843 |
| APEX | Malicious |
| AVG | Win32:Kryptik-NJO [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Jaik.34843 |
| AhnLab-V3 | Trojan/Win32.Swisyn.C711142 |
| Antiy-AVL | Trojan[Backdoor]/Win32.AGeneric |
| Arcabit | Trojan.Jaik.D881B |
| Avast | Win32:Kryptik-NJO [Trj] |
| Avira | BDS/Backdoor.Gen7 |
| Baidu | Win32.Trojan.Urelas.b |
| BitDefender | Gen:Variant.Jaik.34843 |
| BitDefenderTheta | Gen:NN.ZexaF.34108.nm1@a8ExEEmO |
| Bkav | W32.AIDetectVM.malware |
| ClamAV | Win.Malware.Urelas-6717394-0 |
| Comodo | TrojWare.Win32.Urelas.SH@5674sp |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cylance | Unsafe |
| Cyren | W32/S-d223fbae!Eldorado |
| DrWeb | Trojan.DownLoader13.4595 |
| ESET-NOD32 | a variant of Win32/Urelas.AE |
| Emsisoft | Gen:Variant.Jaik.34843 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-d223fbae!Eldorado |
| F-Secure | Backdoor.BDS/Backdoor.Gen7 |
| FireEye | Generic.mg.bf1ec9fa99d56eb7 |
| Fortinet | W32/Urelas.U!tr |
| GData | Gen:Variant.Jaik.34843 |
| Ikarus | Trojan.Win32.Urelas |
| Invincea | heuristic |
| Jiangmin | Backdoor.Generic.ably |
| K7AntiVirus | Trojan ( 004952aa1 ) |
| K7GW | Trojan ( 004952aa1 ) |
| Kaspersky | Backdoor.Win32.Plite.bhuv |
| MAX | malware (ai score=82) |
| Malwarebytes | Trojan.Urelas |
| MaxSecure | Trojan.Malware.121218.susgen |
| McAfee | Trojan-FFDV!BF1EC9FA99D5 |
| McAfee-GW-Edition | BehavesLike.Win32.Gupboot.dt |
| MicroWorld-eScan | Gen:Variant.Jaik.34843 |
| Microsoft | Trojan:Win32/Urelas.AA |
| NANO-Antivirus | Trojan.Win32.Dwn.drcuqv |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM10.1.F8BC.Malware.Gen |
| Rising | Trojan.Urelas!1.BE13 (RDMK:cmRtazroMXxODlqkfdFUM8O8tYdi) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Urelas-Q |
| Tencent | Malware.Win32.Gencirc.10b30b17 |
| Trapmine | malicious.high.ml.score |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(4 个事件)
| dead_host | 218.54.47.76:11120 |
| dead_host | 218.54.47.74:11150 |
| dead_host | 218.54.47.76:11170 |
| dead_host | 194.54.47.77:11150 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2015-04-28 09:10:10
PE Imphash
5f1929a8ca007a58d8921624c4dd5b88
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00027000 | 0x00027000 | 4.6046328170555535 |
| .rsrc | 0x00028000 | 0x00008000 | 0x00008000 | 4.625324832326918 |
| .reloc | 0x00030000 | 0x00003000 | 0x00003000 | 3.4877635781628054 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e718 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_MENU | 0x0001eb80 | 0x0000003e | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_DIALOG | 0x0001edb0 | 0x00000246 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_DIALOG | 0x0001edb0 | 0x00000246 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_STRING | 0x0001eff8 | 0x00000096 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0001f090 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0001f090 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_VERSION | 0x0002e130 | 0x000002b0 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_MANIFEST | 0x0002e3e0 | 0x0000015a | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x41101c GetSystemWindowsDirectoryW
• 0x411020 GetSystemDirectoryW
• 0x411024 DeleteFileW
• 0x411028 GetModuleFileNameW
• 0x41102c GetTickCount
• 0x411030 GetVersionExW
• 0x411034 ReadFile
• 0x411038 CreateFileW
• 0x41103c DeviceIoControl
• 0x411040 GetTempPathA
• 0x411044 GetModuleFileNameA
• 0x411048 HeapAlloc
• 0x41104c GetProcessHeap
• 0x411050 HeapFree
• 0x411054 MultiByteToWideChar
• 0x411058 HeapReAlloc
• 0x41105c LCMapStringW
• 0x411060 HeapSize
• 0x411064 CreateFileA
• 0x411068 GetFileAttributesW
• 0x41106c LoadLibraryW
• 0x411070 WriteConsoleW
• 0x411074 FlushFileBuffers
• 0x411078 IsProcessorFeaturePresent
• 0x41107c SetStdHandle
• 0x411080 CreateThread
• 0x411084 CreateEventW
• 0x411088 CloseHandle
• 0x41108c OpenEventW
• 0x411090 GetTempPathW
• 0x411094 GetStringTypeW
• 0x411098 IsValidCodePage
• 0x41109c GetOEMCP
• 0x4110a0 GetACP
• 0x4110a4 GetCPInfo
• 0x4110a8 RaiseException
• 0x4110ac SetFilePointer
• 0x4110b0 GetSystemTimeAsFileTime
• 0x4110b4 GetCurrentProcessId
• 0x4110b8 QueryPerformanceCounter
• 0x4110bc HeapCreate
• 0x4110c0 InterlockedDecrement
• 0x4110c4 GetCurrentThreadId
• 0x4110c8 ExitProcess
• 0x4110cc Sleep
• 0x4110d0 GetCommandLineW
• 0x4110d4 HeapSetInformation
• 0x4110d8 GetStartupInfoW
• 0x4110dc GetLastError
• 0x4110e0 TerminateProcess
• 0x4110e4 GetCurrentProcess
• 0x4110e8 UnhandledExceptionFilter
• 0x4110ec SetUnhandledExceptionFilter
• 0x4110f0 IsDebuggerPresent
• 0x4110f4 EncodePointer
• 0x4110f8 DecodePointer
• 0x4110fc EnterCriticalSection
• 0x411100 LeaveCriticalSection
• 0x411104 InitializeCriticalSectionAndSpinCount
• 0x411108 RtlUnwind
• 0x41110c WriteFile
• 0x411110 WideCharToMultiByte
• 0x411114 GetConsoleCP
• 0x411118 GetConsoleMode
• 0x41111c GetProcAddress
• 0x411120 GetModuleHandleW
• 0x411124 GetStdHandle
• 0x411128 FreeEnvironmentStringsW
• 0x41112c GetEnvironmentStringsW
• 0x411130 SetHandleCount
• 0x411134 GetFileType
• 0x411138 DeleteCriticalSection
• 0x41113c TlsAlloc
• 0x411140 TlsGetValue
• 0x411144 TlsSetValue
• 0x411148 TlsFree
• 0x41114c InterlockedIncrement
• 0x411150 SetLastError
• 0x411154 SetEndOfFile
Library USER32.dll:
• 0x411168 LoadIconW
• 0x41116c RegisterClassExW
• 0x411170 CreateWindowExW
• 0x411174 DefWindowProcW
• 0x411178 BeginPaint
• 0x41117c LoadAcceleratorsW
• 0x411180 LoadStringW
• 0x411184 LoadCursorW
• 0x411188 wsprintfW
• 0x41118c PostQuitMessage
• 0x411190 EndPaint
Library ADVAPI32.dll:
• 0x411000 RegQueryValueExW
• 0x411004 RegSetValueExW
• 0x411008 RegCloseKey
• 0x41100c RegOpenKeyExW
Library WS2_32.dll:
• 0x411198 WSAStartup
• 0x41119c htonl
• 0x4111a0 gethostbyaddr
• 0x4111a4 socket
• 0x4111a8 gethostbyname
• 0x4111ac inet_addr
• 0x4111b0 htons
• 0x4111b4 connect
• 0x4111b8 closesocket
• 0x4111bc send
• 0x4111c0 recv
• 0x4111c4 WSAGetLastError
Library IPHLPAPI.DLL:
• 0x411014 GetAdaptersAddresses
L!This program cannot be run in DOS mode.
4.pOpOpOkUWOk``OkT
Oy7m}OpO
OkQuOkdqOkcqORichpO
PEC2NO
.reloc
WjdhmA
WjmVjk3VD$
\$$\$(t$,
jlt$(D$4D$8
_^[334
fD$DD$FSPQm
D$DVP3
D$LPSS
EULHPA
3M3^D3
ESVW3j>fE3
f;uh2A
j@h&yA
3@M_^3[1
ESVW3h
uHPEPPSh<3A
f;u+u0hL3A
f;u*Wh\3A
j^rSPfZi
M_^33[/
3VPfPg
t(PVP.
M_^3[-
3VfWPe
3VfWPe
tKHt1Ht
@;rMSMP9u
3@M_^3[)
t)3FVh
@;rMSMP9u
3@M_^3[ (
PfP3Ea
3VfSPo`
jQXfl+
9tthptA
f;u+t"VSh
f9uAhL6A
jdY3Pd
3@M_^3[#
3VfhjSP\
hSP3}\
3j>fEESP[
3j>fxzSP[
f;ul3A
EPSW;uh
f;uffpuA
f;uf:6fpuA
M_^3[-
f3VPRY
ftfpuA
VRhp6A
EEEEEEfEE3j
EEPMMQh
_GBPuD
f;u+t#}
_^[]3EEUREEEPh
f;u+uSj'
_^3[]U
E3VWfME
EEEEfEE
]U@HPA
fMMMMMfM^xZj
]U$HPA
EEEEEEfE
@uVW+OO
MQRE_&
|_[^]U
^3[]Whl7A
tVMQVj
3Eou2}
_^[]_^[]
3hUQSWj
~PFJWP
u VVjRVV
GWVjRj
MMMMfMM
3VW|7A
EEEEfEEx
u-;u)NwA
3M_^3[
M_^3[S
u+u'S~
E^[]U
M_^3[.
VW(,4t
0_^[M3
M_^3[;
U SW3j
3Y}]9]
;tV;|BMx
YYt"Mx
39]fD~
;t3f9>
}f9;u
jEPhHPA
;Ew[PuV4
E+)E$V,
}O;]rOt
u+WuV1
M+;rP})E
YYt)EF
YY]jXh9A
fu3_[]
f_^]UW}
CB;r]}
]8 u S
jEPhHPA
YYuf-u
[u-VgX
RPjjEUHZ
M]EUVW
Yu)jAXf;w
E;ErDE9Eu
3;Er0w
QuuuWY
u>9ur9w
`p33_^[
U]/UVu
USV3;u
;r3_^[]
U SW3j
3Y}]9]
;t5;|"Mx
ffffffE
YM_3[>
3PPPPP
t4+t$+t
ItQht@lt
3F tBP
itnnt$o
PWP5D]A
PW5P]A
PW5L]A
|j0XfQfW
t-RPWSG
j0O,Yt
j OWYt
`pM_^3[
1 B0RA
;r" TA
;r = TA
at0rt#wt
f9>tf>=uu
f> t3f9>t
Y]3u;5A
+SVWHPA
1E3PeuEEEEd
Y__^[]Q
:E_^[]E
9csmu)=
URPQQh v@
t;T$4t
;v.4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
Yt$WV!
jXEU;u
Ht%CT1
\3_[^j
W>+~,WPVYPU
Y/V|Yt
Y}3u;5A
tVPV%YY3BU
4V.YYE
W34809}
;u ;8!
4 3,9E
P4UM`8
DQP C@
,PVEP$
3+4H;M
(PVHP$
(PVHP$
r3VVhU
QH++PPVh
(P+P5P$
\,+48;E
0?DY1$
8+0[M_3^
DDDDDDDDDDDDDD
8csmu*x
YYuTVWh-@
3]j hH;A
3PPPPPpVBO
@Y<v*V5O
^SSSSSyj
;tFtA3
S^`N`H
j$Y~\d9
QY^`[_^]
3Y[_^5bA
3PPPPP
UQV3W}
ft;uf t
Bf8\tf8"u8
ft$9Uu
UQQSVWh
V33SfjA
[]YY?sJM
_[^SVW
j@j ^VE,
H3H/5~A
;rSWf9M
YYt:V5UA
P YF,t
YYt0V5UA
E3E3;u
<at,<rt"<wt
F> t>=unF> tj
WPWPWv
whu;5YA
8]tEMap<u
TM_^3[j
M`}_hu
PCY^hS=L
Y%u UA
3W;to=^A
t4V0;t(W8jYt
Fpt"~l
lVYYYEE
f;rJvf;
f;rJvf;
f;rJvf;
Jvf;rgQ
Pf;rSPf;
t4+t$HHt
ItUhtDlt
HHt$HHt
itxnt*o
PSP5D]A
PS5P]A
PS5L]A
t-RPWS0
0@@If8
u69t.EPq
`pM_^3[
EU_^j
VSY@UA
t.VBYt"V6
Yt.VYt"V
]39}~0N
YYtG;}|fE
YYM_^3[
VW3,]A
YYu,9E
tAt2t$
E`p;39]
VW38kA
F$|3@_^
Z3G}39
tCHt(Ht K
Y+t7+t*+t
3t(;t$;t
t$;t)i
^0_^[E
uEPuuu
uEuPuuu
$ MeHMu
tWWW6#
JWWW6o
[+PD=P6<
EUSSSSSj
9}t(9}t
tDft?f;t8EP
Vuy39E
B(;r3_^[]
SVWHPA
1E3PEd
Y_^[]USVWUj
P(RP$R
t:|$,t
;t$,v-4v
UQPXY]Y[
S3VW;|[;
t6<0t0=
u}uyG,j@j GYYEta
FGIuX^_]
Y+t"+t
+tY+uC(}
Uw\]Yp
u>OdMGd
u wdSUY
t?P5lA
3M_^3[3e
ft'Ou"+
jPfDJXdf
tCHt(Ht }
Y+t7+t*+t
3t(;t$;t
^0|_^[E
uEPuuu
uEuPuuu
$ MeHMu~
tWWW6#
JWWW6#
[+PD=P6
EVSSSSSvj
9}t(9}t
M$m39]
MfMf;u!f;t
E`p3^_[
H8]tMapUj
E`p3^[_
S3VW;~ E
@;u+H;}
39](SSu
]9]tWuu
};~Bj3X
3;t?uWuuu
t"SS9] u
EYe_^[M38U
Mifu(Eu$u u
UQQHPA
ES3VW]9]
39] SSu
ESEYe_^[M3
M<eu$Eu
a_6Z_v R_v$J_v(B_v,:_v02_v4*_v
_vD^vH^vL^vP^vT^vX^v\^v`^vd^vh^vl^vp^vt^vx^v|^@
P[YF0;
P[Yv4;5^A
PX[YF ;
PF[YF$;
P4[YF8;
P"[YF<;
PZYFD;
PZYFH;
PZYvL;5^A
VZY^]UV3PPPPPPPPU
rustnM
tR:QuMPt<:Qu7Pt&:Qu!Pt
@FA;r3^[
+UV3PPPPPPPPU
^0egVu
f;v6;t
Map_^[;t&;w Kgj"^0f8]tE`py
<E`p0M
YUY]Vu
UY3MW0u
L1$!_^[u
Map^[3PPj
E`p]Ex
tAMap8+
;t+3_^[
EPQEPEj
RQMQVp
Map^[UWVSM
WVS3D$
bad allocation
CorExitProcess
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
UTF-16LE
UNICODE
Unknown exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(null)
`h````
xpxxxx
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
218.54.47.76
sanfdr.bat
:Repeat
if exist "
" goto Repeat
rmdir "
%d.%d.%d.%d
218.54.47.74
218.54.47.76
218.54.47.76
ExitProcess
GetTempPathW
OpenEventW
CloseHandle
CreateEventW
CreateThread
GetFileAttributesW
GetSystemWindowsDirectoryW
GetSystemDirectoryW
DeleteFileW
GetModuleFileNameW
GetTickCount
GetVersionExW
ReadFile
CreateFileW
DeviceIoControl
GetTempPathA
GetModuleFileNameA
HeapAlloc
GetProcessHeap
HeapFree
MultiByteToWideChar
KERNEL32.dll
LoadStringW
LoadAcceleratorsW
LoadIconW
LoadCursorW
RegisterClassExW
CreateWindowExW
DefWindowProcW
BeginPaint
EndPaint
PostQuitMessage
wsprintfW
USER32.dll
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegSetValueExW
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
SHELL32.dll
WS2_32.dll
GetAdaptersAddresses
IPHLPAPI.DLL
GetCommandLineW
HeapSetInformation
GetStartupInfoW
GetLastError
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
DecodePointer
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
RtlUnwind
WriteFile
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
GetProcAddress
GetModuleHandleW
GetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
SetFilePointer
RaiseException
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetStringTypeW
SetStdHandle
IsProcessorFeaturePresent
FlushFileBuffers
WriteConsoleW
LoadLibraryW
CreateFileA
HeapSize
LCMapStringW
HeapReAlloc
SetEndOfFile
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
218.54.47.74
wwwwwwwwwwwwwwwpxpx
pxwwwwwwwwwwwwwxpxpxDDDDDDDDD@
pxDDDDDDDDDH
pxDDDDDDDDDH
pxDDDDDDDDDDDDDDpxpwwwwwwwwwwwwwwwp
wwwwwwwpxpxpxpxpxpxpxpxwwwwwwpxDDDpxDDDDDDpxpwwwwwwww
%%$$"#"#"#*+()''&&??<=9;7A63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CWkV21TSav^8{
}>qooggggggg1`_fhsnHK{JLp
Gl-FjNw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
.#%-0%:?%9>%8=%7;
EG@DF@MO@LN2Kh2\g2]f2[I3')+*+)))*))()*+++,6J!54 CBAjYPQTVTSkllZTTXRTUiHceWda/
iu`_<bmt^}zy|yx~
{|yvrrwsqpon
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
JHHGGGGGGGGHI
JEEEEEEEEEEFC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
O%JEEEEEEEEEFFB
JJIIIIJIIIIJJ
O(@>=77A779?<8;$O'
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'H#P'Q'Q'Q'Q'
R&R&R'R&R&R&R&R&Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'R'
e)qjiPt
{rFpcq
S^EDIID:BI638?@=>>=======8,00-.(',0-0178
S(O$N!N!N!N!N"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"N"M"M"O$S)O"
QDf>.j~ro
*V=;?73?//87566-&*'!+3$357_
OO&F#C!C!C!C!C!C!C!C!C!C!
A E$R(
x(s o7|WRzW
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
wwwwwwwwwwwwwwwpxpx
pxwwwwwwwwwwwwwxpxpxDDDDDDDDD@
pxDDDDDDDDDH
pxDDDDDDDDDH
pxDDDDDDDDDDDDDDpxpwwwwwwwwwwwwwwwp
wwwwwwwpxpxpxpxpxpxpxpxwwwwwwpxDDDpxDDDDDDpxpwwwwwwww
%%$$"#"#"#*+()''&&??<=9;7A63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CWkV21TSav^8{
}>qooggggggg1`_fhsnHK{JLp
Gl-FjNw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
.#%-0%:?%9>%8=%7;
EG@DF@MO@LN2Kh2\g2]f2[I3')+*+)))*))()*+++,6J!54 CBAjYPQTVTSkllZTTXRTUiHceWda/
iu`_<bmt^}zy|yx~
{|yvrrwsqpon
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
JHHGGGGGGGGHI
JEEEEEEEEEEFC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
O%JEEEEEEEEEFFB
JJIIIIJIIIIJJ
O(@>=77A779?<8;$O'
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'H#P'Q'Q'Q'Q'
R&R&R'R&R&R&R&R&Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'R'
e)qjiPt
{rFpcq
S^EDIID:BI638?@=>>=======8,00-.(',0-0178
S(O$N!N!N!N!N"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"N"M"M"O$S)O"
QDf>.j~ro
*V=;?73?//87566-&*'!+3$357_
OO&F#C!C!C!C!C!C!C!C!C!C!
A E$R(
x(s o7|WRzW
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
a9dd'* T1]
Uru4<E
7*Idu9M;
w3_^[r#MV
S7(hu#j
>tg(xs
sGDUSH,
Tx2HzT
UIuYbvkQ
3cN!eE
rjxY(X
JD>FA
_^8UHP-XpT@
P ;!8
N,+Kj@
Q$a7!'
ZLlfGv_
;tYw8R
IRvs@f$]
t5n;*0
'7P(QCbz
Z;2F=2 +uQ
Q$RVnR2*
}&nH+6D^ |%
2&/+I\q^'"
'8ms9vbup
'Y0sNhNcD
AyfQq@Id MZh0loM
TDj(ok*0+R
fA_6Lk$me
`fQv[Pdg:@
KMJ9{@4-o
HWxApl
icaton er
s u.Th}e<cdc
%sy5|lntba6id|SDqLG5d,al
W'c,us
OagaBoxAw
k8l?ExitPIL6Ch
?GtMSl
`|VirtFAcMvL
"PD<H0MzI1
`t$$|$(3
r+|$(|$
USQWVRW
ZPR3C
Z^_Y[]
Y*M3MMB
MMM2M}
UUUUM3
]^_[USWV
;tYw8tR
tfEff}t
IIu^_[
t5;Et0
EEHERPu
HEuuEEZV~
^ZYY3@^_[
msvbvm
Nu3H^_[
Q@@Pu
Application error
Application corrupt.
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
user32
MessageBoxA
wsprintfA
kernel32
ExitProcess
CloseHandle
OpenProcess
GetModuleHandleA
VirtualProtect
@�I�@�@�@�@�@�@�
U�T�F�-�1�6�L�E�
U�N�I�C�O�D�E�
m�s�c�o�r�e�e�.�d�l�l�
r�u�n�t�i�m�e� �e�r�r�o�r� �
T�L�O�S�S� �e�r�r�o�r�
S�I�N�G� �e�r�r�o�r�
D�O�M�A�I�N� �e�r�r�o�r�
-� �A�t�t�e�m�p�t� �t�o� �u�s�e� �M�S�I�L� �c�o�d�e� �f�r�o�m� �t�h�i�s� �a�s�s�e�m�b�l�y� �d�u�r�i�n�g� �n�a�t�i�v�e� �c�o�d�e� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.� �I�t� �i�s� �m�o�s�t� �l�i�k�e�l�y� �t�h�e� �r�e�s�u�l�t� �o�f� �c�a�l�l�i�n�g� �a�n� �M�S�I�L�-�c�o�m�p�i�l�e�d� �(�/�c�l�r�)� �f�u�n�c�t�i�o�n� �f�r�o�m� �a� �n�a�t�i�v�e� �c�o�n�s�t�r�u�c�t�o�r� �o�r� �f�r�o�m� �D�l�l�M�a�i�n�.�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�c�a�l�e� �i�n�f�o�r�m�a�t�i�o�n�
-� �A�t�t�e�m�p�t� �t�o� �i�n�i�t�i�a�l�i�z�e� �t�h�e� �C�R�T� �m�o�r�e� �t�h�a�n� �o�n�c�e�.�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.�
-� �C�R�T� �n�o�t� �i�n�i�t�i�a�l�i�z�e�d�
-� �u�n�a�b�l�e� �t�o� �i�n�i�t�i�a�l�i�z�e� �h�e�a�p�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�w�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �s�t�d�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �p�u�r�e� �v�i�r�t�u�a�l� �f�u�n�c�t�i�o�n� �c�a�l�l�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �_�o�n�e�x�i�t�/�a�t�e�x�i�t� �t�a�b�l�e�
-� �u�n�a�b�l�e� �t�o� �o�p�e�n� �c�o�n�s�o�l�e� �d�e�v�i�c�e�
-� �u�n�e�x�p�e�c�t�e�d� �h�e�a�p� �e�r�r�o�r�
-� �u�n�e�x�p�e�c�t�e�d� �m�u�l�t�i�t�h�r�e�a�d� �l�o�c�k� �e�r�r�o�r�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �t�h�r�e�a�d� �d�a�t�a�
-� �a�b�o�r�t�(�)� �h�a�s� �b�e�e�n� �c�a�l�l�e�d�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �e�n�v�i�r�o�n�m�e�n�t�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �a�r�g�u�m�e�n�t�s�
-� �f�l�o�a�t�i�n�g� �p�o�i�n�t� �s�u�p�p�o�r�t� �n�o�t� �l�o�a�d�e�d�
A�M�i�c�r�o�s�o�f�t� �V�i�s�u�a�l� �C�+�+� �R�u�n�t�i�m�e� �L�i�b�r�a�r�y�
<�p�r�o�g�r�a�m� �n�a�m�e� �u�n�k�n�o�w�n�>�
R�u�n�t�i�m�e� �E�r�r�o�r�!�
P�r�o�g�r�a�m�:� �
K�E�R�N�E�L�3�2�.�D�L�L�
H�H�:�m�m�:�s�s�
d�d�d�d�,� �M�M�M�M� �d�d�,� �y�y�y�y�
M�M�/�d�d�/�y�y�
D�e�c�e�m�b�e�r�
N�o�v�e�m�b�e�r�
O�c�t�o�b�e�r�
S�e�p�t�e�m�b�e�r�
A�u�g�u�s�t�
F�e�b�r�u�a�r�y�
J�a�n�u�a�r�y�
S�a�t�u�r�d�a�y�
F�r�i�d�a�y�
T�h�u�r�s�d�a�y�
W�e�d�n�e�s�d�a�y�
T�u�e�s�d�a�y�
M�o�n�d�a�y�
S�u�n�d�a�y�
(�n�u�l�l�)�
W�U�S�E�R�3�2�.�D�L�L�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � �h�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �H�
C�O�N�O�U�T�$�
A�S�t�u�d�i�o�.�e�x�e�
h�o�i�d�y�e�t�
2�1�8�.�5�4�.�4�7�.�7�7�
2�1�8�.�5�4�.�4�7�.�7�4�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�W�i�n�d�o�w�s�
T�r�a�y�K�e�y�
a�h�n�l�a�b�
%�s�.�e�x�e�
\�H�a�n�g�a�m�e�\�K�O�R�E�A�N�\�H�a�n�U�n�i�n�s�t�a�l�l�.�e�x�e�
\�N�E�O�W�I�Z�\�P�M�a�n�g�\�c�o�m�m�o�n�\�P�M�L�a�u�n�c�h�e�r�.�e�x�e�
\�N�e�t�m�a�r�b�l�e�\�C�o�m�m�o�n�\�N�e�t�M�a�r�b�l�e�E�n�d�W�e�b�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�A�h�n�L�a�b�\�V�3�L�i�t�e�3�0�\�V�3�L�i�t�e�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�E�S�T�s�o�f�t�\�A�L�Y�a�c�\�A�Y�L�a�u�n�c�h�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�n�a�v�e�r�\�N�a�v�e�r�A�g�e�n�t�\�N�a�v�e�r�A�g�e�n�t�.�e�x�e�
W�i�n�S�e�v�e�n�
W�i�n�V�i�s�t�a�
U�n�K�n�o�w�n�
g�o�l�f�i�n�f�o�.�i�n�i�
g�o�l�f�s�e�t�.�i�n�i�
H�G�D�r�a�w�.�d�l�l�
1�2�1�8�.�5�4�.�4�7�.�7�7�
%�s�%�s�.�e�x�e�
\�\�.�\�%�s�
\�\�.�\�P�H�Y�S�I�C�A�L�D�R�I�V�E�
%�d�.�%�d�.�%�d�.�%�d�
A�@�@�@�@�@�@�@�@�@�@�
'�(�,�,�-�-�.�0�0�0�0�1�3�
1�6�7�8�8�8�:�=�>�=�@�?�B�D�E�I�I�I�S�^�
;�@�Q�b�c�b�b�o�
!�&�'�*�+�-�
*�/�/�3�3�5�6�5�7�7�8�;�=�?�
x�$�&�*�+�+�,�-�-�/�0�4�6�I�
s�s�s�s�s�s�
s�s�s�s�s�s�s�s�s�
Y�L�F�C�E�D�E�C�C�C�D�C�C�E�C�C�D�E�E�E�C�I�S�@�J�I�B�
f�k�m�k�n�n�n�m�
n�n�m�m�l�n�o�o�i�
D�i�a�l�o�g�
M�S� �S�h�e�l�l� �D�l�g�
C�h�e�c�k�1�
M�f�c�L�i�n�k�
M�f�c�L�i�n�k�1�
S�p�l�i�t�1�
m�s�c�t�l�s�_�p�r�o�g�r�e�s�s�3�2�
C�u�s�t�o�m�1�
M�f�c�P�r�o�p�e�r�t�y�G�r�i�d�
D�i�a�l�o�g�
M�S� �S�h�e�l�l� �D�l�g�
S�y�s�L�i�s�t�V�i�e�w�3�2�
M�f�c�S�h�e�l�l�T�r�e�e�
M�f�c�B�u�t�t�o�n�
M�f�c�B�u�t�t�o�n�1�
m�s�c�t�l�s�_�u�p�d�o�w�n�3�2�
m�s�c�t�l�s�_�t�r�a�c�k�b�a�r�3�2�
M�f�c�M�a�s�k�e�d�E�d�i�t�
M�f�c�S�h�e�l�l�L�i�s�t�
h�o�k�d�i�s�u�
O�U�R�T�E�S�T�S�E�R�V�E�R�
T�E�S�T�P�A�G�E�E�R�R�O�R�
C�A�N�N�O�T�P�R�O�C�
N�I�K�H�H�U�S�T�D�H�D�G�H�S�F�S�
�.�.�1�1�K�
2� � �c�#�"�
� � � � � � � �
'�(�,�,�-�-�.�0�0�0�0�1�3�
1�6�7�8�8�8�:�=�>�=�@�?�B�D�E�I�I�I�S�^�
;�@�Q�b�c�b�b�o�
!�&�'�*�+�-�
*�/�/�3�3�5�6�5�7�7�8�;�=�?�
x�$�&�*�+�+�,�-�-�/�0�4�6�I�
s�s�s�s�s�s�
s�s�s�s�s�s�s�s�s�
Y�L�F�C�E�D�E�C�C�C�D�C�C�E�C�C�D�E�E�E�C�I�S�@�J�I�B�
f�k�m�k�n�n�n�m�
n�n�m�m�l�n�o�o�i�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�1�2�0�4�b�0�
C�o�m�p�a�n�y�N�a�m�e�
T�O�D�O�:� �<�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
T�O�D�O�:� �<�
F�i�l�e�V�e�r�s�i�o�n�
1�.�0�.�0�.�1�
I�n�t�e�r�n�a�l�N�a�m�e�
G�U�P�.�e�x�e�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �(�C�)� �2�0�1�5�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
G�U�P�.�e�x�e�
P�r�o�d�u�c�t�N�a�m�e�
T�O�D�O�:� �<�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�.�0�.�0�.�1�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
Process Tree
-
0590ce077a5b9dbc099afc4ad25596c593ad0eedc293626f64ee0f1c108ed1b1.exe (3028)
"C:\Users\Administrator\AppData\Local\Temp\0590ce077a5b9dbc099afc4ad25596c593ad0eedc293626f64ee0f1c108ed1b1.exe"
- huter.exe (2660) "C:\Users\ADMINI~1\AppData\Local\Temp\huter.exe"
- cmd.exe (2504) cmd /c ""C:\Users\ADMINI~1\AppData\Local\Temp\sanfdr.bat" "
0590ce077a5b9dbc099afc4ad25596c593ad0eedc293626f64ee0f1c108ed1b1.exe, PID: 3028, Parent PID: 2600
default registry file network process services synchronisation iexplore office pdf
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 40426a0da3faba5d_huter.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\huter.exe |
| Size | 210.8KB |
| Processes | 3028 (0590ce077a5b9dbc099afc4ad25596c593ad0eedc293626f64ee0f1c108ed1b1.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed |
| MD5 | 5bac4739ad0574c8040c5bb2b55105e3 |
| SHA1 | 2dbb5ea4f38e223c86731cde379708b767b278a0 |
| SHA256 | 40426a0da3faba5d8772a934e3112570c4bf4f557a68675192fc68aafd4f8cf2 |
| CRC32 | 2EB56736 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 431451d6c5927b16_sanfdr.bat |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
| Size | 365.0B |
| Processes | 3028 (0590ce077a5b9dbc099afc4ad25596c593ad0eedc293626f64ee0f1c108ed1b1.exe) 2504 (cmd.exe) |
| Type | ASCII text, with CRLF, CR line terminators |
| MD5 | efab41ad62df03a50c2fa81ce454da63 |
| SHA1 | 7f05f71a8c9847f5190aa5567a7ce9482580f5d7 |
| SHA256 | 431451d6c5927b167d4a6be078004dad131f0d27d3cc70f45a7392e1dfc6f555 |
| CRC32 | EC33F95C |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 0590ce077a5b9dbc_0590ce077a5b9dbc099afc4ad25596c593ad0eedc293626f64ee0f1c108ed1b1.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\0590ce077a5b9dbc099afc4ad25596c593ad0eedc293626f64ee0f1c108ed1b1.exe |
| Size | 210.7KB |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed |
| MD5 | bf1ec9fa99d56eb7aa2facf29e123869 |
| SHA1 | 65a61862cd6687cd84c63f4441b48c169d4e1c03 |
| SHA256 | 0590ce077a5b9dbc099afc4ad25596c593ad0eedc293626f64ee0f1c108ed1b1 |
| CRC32 | C6A206DC |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 40afdaa0bdbd385e_golfinfo.ini |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\golfinfo.ini |
| Size | 512.0B |
| Processes | 3028 (0590ce077a5b9dbc099afc4ad25596c593ad0eedc293626f64ee0f1c108ed1b1.exe) |
| Type | data |
| MD5 | bd60c62717a862c75bbe8c97f365be39 |
| SHA1 | bf0957b47d8a44f51f9e9680c4e06710edc91b1b |
| SHA256 | 40afdaa0bdbd385e5c0f0c0899eb8dc107877ab9d815d7b8885bd4c3f1e34873 |
| CRC32 | EF3134AC |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.