1.2
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.68
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Banker-NBH [Trj] | 20190924 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Agent.acb | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20190924 | 2013.8.14.323 |
| McAfee | Dropper-FOU!C89759AD1754 | 20190924 | 6.0.6.653 |
| Tencent | None | 20190924 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | .ap0x |
动态指标
可执行文件使用UPX压缩
(3 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
| section | UPX2 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 51 个反病毒引擎识别为恶意
(50 out of 51 个事件)
| ALYac | Gen:Variant.Ulise.65710 |
| APEX | Malicious |
| AVG | Win32:Banker-NBH [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Ulise.65710 |
| AhnLab-V3 | Dropper/Win32.RL_Dinwod.R290576 |
| Antiy-AVL | Trojan[Dropper]/Win32.Dinwod |
| Arcabit | Trojan.Ulise.D100AE |
| Avast | Win32:Banker-NBH [Trj] |
| Avira | TR/Crypt.ZPACK.Gen |
| Baidu | Win32.Trojan.Agent.acb |
| BitDefender | Gen:Variant.Ulise.65710 |
| ClamAV | Win.Trojan.Agent-1388659 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.d17542 |
| Cylance | Unsafe |
| Cyren | W32/BlackMoon.C.gen!Eldorado |
| DrWeb | Trojan.Inject2.4876 |
| ESET-NOD32 | a variant of Win32/Kryptik.GLZG |
| Emsisoft | Gen:Variant.Ulise.65710 (B) |
| Endgame | malicious (moderate confidence) |
| F-Prot | W32/BlackMoon.C.gen!Eldorado |
| F-Secure | Trojan.TR/Crypt.ZPACK.Gen |
| FireEye | Generic.mg.c89759ad175424ef |
| Fortinet | W32/Agent.RGU!tr |
| GData | Gen:Variant.Ulise.65710 |
| Ikarus | Trojan.Win32.Agent |
| Invincea | heuristic |
| Jiangmin | TrojanDropper.Dinwod.azz |
| K7AntiVirus | Trojan ( 004bcce41 ) |
| K7GW | Trojan ( 004bcce41 ) |
| Kaspersky | Trojan-Dropper.Win32.Dinwod.unk |
| MAX | malware (ai score=84) |
| Malwarebytes | Adware.IStartSurf |
| MaxSecure | Trojan.Malware.121218.susgen |
| McAfee | Dropper-FOU!C89759AD1754 |
| McAfee-GW-Edition | BehavesLike.Win32.Dropper.cm |
| MicroWorld-eScan | Gen:Variant.Ulise.65710 |
| Microsoft | TrojanDropper:Win32/Dinwod.B!bit |
| NANO-Antivirus | Trojan.Win32.Dinwod.fvulxc |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM19.1.1AFD.Malware.Gen |
| Rising | Trojan.Agent!1.AB1D (CLASSIC) |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/BlackMoon-A |
| Symantec | Trojan Horse |
| Trapmine | malicious.high.ml.score |
| VBA32 | BScope.Trojan.Occamy |
| VIPRE | Trojan.Win32.Generic!BT |
| Zillya | Dropper.Dinwod.Win32.11675 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2015-01-27 17:04:13
PE Imphash
55762c13550569b1a3a5717bae4453b6
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x0001b000 | 0x0001b000 | 5.763682367373922 |
| UPX1 | 0x0001c000 | 0x0000b000 | 0x0000a400 | 5.44855935727415 |
| UPX2 | 0x00027000 | 0x00001000 | 0x00000200 | 3.1857774734007642 |
| .ap0x | 0x00028000 | 0x000003ac | 0x00000400 | 3.5672373783663174 |
Imports
Library kernel32.dll:
• 0x404000 OpenProcess
• 0x404004 TerminateProcess
• 0x404008 GetCurrentProcessId
• 0x40400c VirtualAllocEx
• 0x404010 WriteProcessMemory
• 0x404014 WaitForSingleObject
• 0x404018 VirtualFreeEx
• 0x40401c GetProcessHeap
• 0x404020 GetModuleHandleA
• 0x404024 ExitProcess
• 0x404028 HeapAlloc
• 0x40402c HeapFree
• 0x404030 IsBadReadPtr
• 0x404034 CloseHandle
• 0x404038 ReadFile
• 0x40403c GetFileSize
• 0x404040 CreateFileA
• 0x404044 DeleteFileA
• 0x404048 GetModuleFileNameA
• 0x40404c WriteFile
• 0x404050 CreateProcessA
• 0x404054 GetStartupInfoA
• 0x404058 Sleep
• 0x40405c FreeLibrary
• 0x404060 GetProcAddress
• 0x404064 LoadLibraryA
Library MSVCRT.dll:
• 0x40406c _ftol
• 0x404070 modf
• 0x404074 atoi
• 0x404078 strchr
• 0x40407c _CIfmod
• 0x404080 sprintf
Library SHLWAPI.dll:
• 0x404088 PathFileExistsA
Library USER32.dll:
• 0x404090 PeekMessageA
• 0x404094 GetMessageA
• 0x404098 TranslateMessage
• 0x40409c DispatchMessageA
• 0x4040a0 wsprintfA
• 0x4040a4 MessageBoxA
• 0x4040a8 GetWindowThreadProcessId
L!This program cannot be run in DOS mode.
sYYeJE,Wn
EL_:wV{^
>4V9R,>
}esEhz
?Q}mC@U>5;coswwNq7*fK
1yYoZHN
U*W_NP
Y$"9$~
?XgJ6jv.>;R]1
!`l . '
_`\4SY|J
d`gNk[d%&F
.7E?J5hyq.>
a_LdDgL
)x`nmjW
1]3~+B
ojK)Mx
1w!Kx0Y*E=
E\]oX@ksdQM~SIHMK#]|
L/ 50; 3~oD5
/91!ush8/IlK|
*B2@o=
bJ8 Bjj
n)''a0
n~9U/%p
Kafz5}?
"Y$De,
+0=-+"#+tP4~,
9BVB8dR.
ouy`)a(
+}LM*; /p
XAe1VO
u!DEg7
dc0tCJsj*
^]a@^c?
p D7uzo
Z10t55&6LG/]N*{.
bqy3c@[&7ufI$y
PHPBvF]d
w.;Sx.+k
Kx.#&
{FCoJ7mj
AI2/2tVQ
,AGPK[
_ouu&&9
ACD1]!vF*z
</sXuY
wr_R( 3B
dP1HI.i Y^5,B
jgRG.DI
caJi=Yq7
f5 ?gSr\$(z22&
/g@`cu{j
6cb&}5%i\qS
R[*PWj/c
nD41xZ7
Xy/wo8Z
Y>]@}oFJ
q|rZZ!zY"
B0oSED
i}b^}7
Euh+R@
Euh+R@
EEP54B
fEm}mEU]U(
]E9Eeh
Eehf2B
PtX+QSP
Y^Y_^I
PX+QSP
Y^Y_^I
EE3AQP;
3tESL$
Wui%=
t-t)AQ|
3IPSD$
~I-L@@
|$T|$XD$D
t>L$|A
f|$H+fD$H
RPWWWj
;t'9|$pt
]VW=\@@
uIWUT$
SVD$,WPQR
\$4D$(L$
PD$<T$$QL$<RPQ=
T$@D$8RT$XL$HPD$XQRP
u0|$83$
D$ RT$
QL$ RT$0PQM
D$ D$(D$,D$4D$<T$
T$$T$0T$8
L$DT$H@
D$@L$D
BOGY'S GAME ENGINE
L!This program cannot be run in DOS mode.
-r-r-r1~-r
"--rT1|-r2v-r
"/-r-s_-r-r-r?2y-r?2v-rRich-r
`.rdata
@.data
@.reloc
UEEUh
(EUE%&
fEm}mEU]UQ3
EPEPu5
XEEPd$
EPEPu5
EPEPu5
EPECP5
E]EE]E]E]E
EEPEP5
]uEPP1
EPE@P5
EPEPu5
EPEPu5
EPEPu5
]W3PEXAQS
]QSQEHy
]HSQEHy
]]3]3u
XE]SQEHy
]EE]E]E%&
VWPPQX+
Y^_^VWPP1X+
Y^_^X_
(EEP]S
XE]bEh
XE] 3PEXAQS
3PEXAQS
EE]E]E%&
]EEX[Y
]E/3PEXAQS
]E]Ee]E
JEEPtE]t
EP3E]t
PEEPE]t
EEP:E]t
EPkE]t
EEP8E]t
EPiE]t
FE$3PEXAQS
P2]X[Y
]EE]E]u
DEEPnE]t
EEPE]t
QEEP{E]t
EEPRE]t
3PEXAQS
]1SQEHy
]SQEHy
]SQEHy
]]SQEHy
]SQEHy
]SQEHy
]0SQEHy
]SQEHy
]USQEHy
XEeuEt
3PEXAQS
EE3PEXAQS
:SQEHy
XEE]E%&
]SQE]E
]]7SQh
]]^SQh
uRFGHt
t+t'NW:u
;uH_^U<
XP]Sh0
(EEP]S
XE]S3PEXAQS
]MSQEHy
]SQEHy
(EEP]4
LEEP]4
(EEP]S
3PEXAQS
]SQEHy
]oSQEHy
]SQEHy
EE]EE]e]EKh
LEEP]t
LEEP]t
EE]EE]E]E
E]EE]e]Ekh
(EEP]S
(EEP]S
3PEXAQS
EEPEP)
Ps@PL{
3PEXAQS
]dSQEHy
PXq@Px
Po@P^w
3PEXAQS
(EEP]S
XE]<3PEXAQS
]6SQEHy
]SQEHy
]"SQEHy
XEX[Yi
EE]EE]e]Eth
P;k@Pr
3PEXAQS
]VWS3[_^U
XEEPx@
EEPEP!E]t
EEPEPaE]t
EEPEPgE]t
EEPEPE]t
EEPEPE]t
uuEuha
EEPEPE]t
EEPEPE]t
uu?Euh
XEEP>4
EEPEPE]t
EEPEP9E]t
XEEPl2
EEPEP'E]t
XEEPZ1
XEEPH0
XEEP6/
EEPEPE]t
XEEP$.
EEPEPE]t
EEPEPE]t
EEPEPE]t
EEPEPE]t
EEPEPE]t
EEPEPE]t
EEPEPsE]t
EEPEPaE]t
EEPEPOE]t
PK@P^S
EPu,WE]
EP]43h
]a3PEXAQS
]aSQEHy
]KaSQEHy
]`SQEHy
]_SQEHy
(EEP]S
XE]bYE}
]fYSQE]E%&
YSQEHy
LEEP]t
LEEP]t
EEEEEE
E]EE]e]E|7h
E]EE]e]E6h
P6-@P4
Pg,@P3
@EEP]t
EE]EE]e]E"4h
EE]EE]e]E
P'@Pg/
EEPE]t
[_^VWS_[_^UX
PX#@P*
uEPUE]t
uEPE]t
]EJ EEh
]EQ EE]E
]EE]E]E% h
XEEyEt
Y^[_^VWSt$
uEPiEuh
(EEP]S
uEPfEh
uEPK_Eh
[_^VWS
]VWS[_^h
t#Hu%D$
3;wO;5
E33MEfMEE
MRMPQU
l$@L$(
D$$SWVURP
dSUVt$xW3I
D$<D$@
+33;L$,D$ L$
F|$,L$
F|$8T$
F|,C;t$
~L|$|u$T$|j
;l$$|33;
|$$|$ |$
_^]3[d
D$PD$XD$dD$lD$|t$DD$H
t$Lt$Tt$\t$`t$ht$pt#D$|d
L$(?l$
L$$E;l$
T$$D$ L$
RT$,PD$
MQRPEV
ERUPQRA
UQMRPQ~A
EMPEUQMRPQ9A
ERUMPEQRP
]EMPQRU
ERUMPEQRP@
MUQMERUPQRU@
UQREM]PQym(]
L$,T$ PD$
Wui%=
t-t)AQ|
F;r[_^]
SUVWtjl$(tbB
@;v_^][Y_+^]@[Y
S\$(UVW3|$
IIt$4L$
3u8+QPy5
T$4t)IL$
L$4CIL$4L$4CIL$49l$4}8
t$(D$
3IPSD$
;u2L$D;u
L$LU3;V|$
(S\$4UVW3|$L3I
_^][(;
|$X3|$
t$dD$xu
T$LURVE
L$$+PW
QPL$,7
r];sYT$LURVE
L$$+PW7
QPL$,7
rL$@D$ +;
L$$PW^7
L$4|$,Q
L$$D$$
_^][(S-
F;r[_^]
VW3ItK\$0~Ct$$~;;
][_^]3[
VW3|$$I
5t(D$<
*t.;w"T$$WRVsC
F;v_^][;wD$$WPVB
F;v_^][
_+^]@[
_^3_^=
43SD$(UD$0VD$8W|$XD$@D$P|$<
L$$D$@
L$8\$H
FfP,;|
3f9z.vk\$LD$
FfA.;|+fA
T$<D$X
t f|$P
t!f|$P
\$L|$\
T$TL$(
RT$\L$@QL$\Rj
QSD$LP
D$PD$<
~||$\\$X-@
KuD$4P88
$SUVW|$<3
/T$HR{
_^]3[$
Ul$$Ul$ UPVQR,uPf|$
PQ@u$D$Tj\PW7
zT$$RV
_^]3[$
L$$Phh
_^]3[$
uYL$$T$
T$0RQL$
T$,RPD$
udD$ H
SUVt$,W3;u
+|$$~@W1
PD$$PQVS
to|$$D$
L$$PQjWR0|$
~sHl$<D$ E
QVP$D$,t
HD$ ul$
UWP$W^/
VVU_^]3[
t$,VE.
L$ QVS
D$$l$$Pj
|GL$$y
3;v8L$
0D$8L$LSUVWt$
F;v9|$`~
_^]3[0
L$TT$ QR
D$h3;t
D$`x;}
;t]T$$L$,T$4D$0D$(3
T$ D$8L$<T$$VD$4UL$(T$0PQT$<
_^]3[0
_^]3[0
L$TQPs
T$TRP-
0D$8SWD$
L$@PQv
L$ D$,3T$(T$$D$
L$0D$ T$4h
L$,PT$ QRD$4
W3It4D$ ~,;}
^[_^3[
W3ItLL$
t-< t)j
WUl$(U!
UVW3l$$I
D$<t ;r
t-N;s_^][;rWUV
N;s_^][
_+^]@[
EUM_^]
+;E|w;~s}
uSEVPU
EUM[_^]
t@_^]3[
PD$0hp
uIWUT$
UQSVWVWS
[_^EE_^[]
t6SW3I
0D$@S\$8U
D$PD$TD$P
D$PD$X
_l$D^D$@][0
H3I|$P
D$ D$(D$,D$4D$<
T$$T$0T$8
uDT$H3JL$
|F_t$D^D$@][0
_Ft$D^D$@][0
QL$<;t!
H}N_t$D^D$@][0
Nt$D^D$@][0
D$ D$(D$,D$4D$<T$
T$$T$0T$8
L$DT$H@
D$@L$D
_^[3~,> t
_^[AQJ
SVD$,WPQR
\$4D$(L$
PD$<T$$QL$<RPQ
T$@D$8RT$XL$HPD$XQRP D
u0|$83$
D$ RT$
QL$ RT$0PQM
Fd;r,d
3_]WPQE
A+EYX_E_]
_YSUVj
L$,ShX
3IL$0i
L$$PQh
3IQVOV{
t3QS\$
SUVWL$
03T$8I
|$HIL$
|$DIL$
I;s_L$DWQV
_^]3[L$ d
L$,|$$
+D$8D$
(L$0_^]
$$I$I?
?UUUUUU?@.
CreateThread
GetCurrentProcessId
OpenProcess
VirtualAllocEx
CreateToolhelp32Snapshot
Module32First
Module32Next
ReadProcessMemory
WriteProcessMemory
MultiByteToWideChar
WideCharToMultiByte
SuspendThread
ResumeThread
TerminateProcess
Process32First
Process32Next
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetModuleFileNameA
GetPrivateProfileStringA
GetLocalTime
WritePrivateProfileStringA
GetUserDefaultLCID
WriteFile
ReadFile
GetFileSize
SetFilePointer
GetCommandLineA
FreeLibrary
GetProcAddress
LoadLibraryA
LCMapStringA
CloseHandle
KERNEL32.dll
MessageBoxA
wsprintfA
DispatchMessageA
TranslateMessage
GetMessageA
PeekMessageA
USER32.dll
CryptAcquireContextA
CryptCreateHash
CryptReleaseContext
CryptHashData
CryptDestroyHash
CryptGetHashParam
ADVAPI32.dll
CoInitialize
CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CLSIDFromProgID
ole32.dll
InternetOpenA
InternetCloseHandle
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
HttpQueryInfoA
WININET.dll
UrlUnescapeA
SHLWAPI.dll
??3@YAXPAX@Z
??2@YAPAXI@Z
strncpy
strncmp
sprintf
tolower
toupper
strchr
_CIfmod
strrchr
memmove
malloc
realloc
__CxxFrameHandler
MSVCRT.dll
OLEAUT32.dll
GDI32.dll
DeleteCriticalSection
_strnicmp
Friend.dll
\Ad\config.ini
config
Logindlg.dll
BankFrame.dll
EAuthDlg.dll
83 C4 1C 53 6A 01
00 00 00 00 74 41
C7 05
83 7D E8 10 8B 45 D4 C7 45 FC 08 00 00 00
r@56 53 8B CF C7 45 FC 12 00 00 00
logindlg.dll
@6A 12 E8
`@6A 14 E8
C6 45 FC 04 72 05 8B 40 04 EB 03
@85 C0 75 2F 8B 44 24 04 50
@8B 48 F4 85 C9 8B CE 74 2C
@50 83 C7 08 57
g@8B 44 24 3C 3B 46 20 0F 85 60 02 00 00 8B 4E 1C
h@89 45 D4
@ 90 90 90 90
83 C4 2C B8 01 00 00 00 5E C2 04 00
@8B 48 10 8B 01 6A 00
p@C6 45 FC 04 72 05
0123456789ABCDEF
533 C9 80 3E 00 74 08 83 C1 01 83 C6 01 75 F3 2B F1 F3 A4 C6 07 00
&s26=dll
http://14.18.141.27:33355/lcy.asp?s11=nc&s12=nc&s13=
WinHttp.WinHttpRequest.5.1
@@SetTimeouts
SetProxy
SetProxyCredentials
Option
Accept: */*
Accept:
Accept: */*
Accept-Language:
Accept-Language: zh-cn
User-Agent:
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type:
Content-Type: application/x-www-form-urlencoded
Cookie
SetRequestHeader
ResponseBody
GetallResponseHeaders
Set-Cookie
Set-Cookie:
=deleted
https://bank.gametea.com:444/lsbanklockpc/moneyout.php?nickname=
msg_gamemoney
msg_gamemoney">
msg_bankmoney">
https://bank.gametea.com:444/czbanklockpc/moneyout.php?nickname=
https://bank.gametea.com:444/czbanklockpc/chadou.php?nickname=
msg_chadou">
https://bank.gametea.com:444/nbbanklockpc/moneyout.php?nickname=
https://bank.gametea.com:444/banklockpc/moneyout.php?nickname=
msg_showmoney_sh">
msg_showbeans">
fontColorRed">
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
HTTP/1.1
Cookie:
https://
http://
actionto=showmoney&areaid=undefined&gameid=
https://bank.gametea.com:444/bank/domoneyshow.php
BOGY'S GAME ENGINE
http://14.18.141.27:33355/mcy.asp?at=upm&s13=
http://14.18.141.27:33355/mcy.asp?at=getmb&s13=
kernel32.dll
kernel32
advapi32.dll
ole32.dll
wininet.dll
user32
shell32
shlwapi.dll
CreateThread
GetCurrentProcessId
OpenProcess
GetModuleHandleA
VirtualAllocEx
CreateToolhelp32Snapshot
Module32First
Module32Next
CloseHandle
ReadProcessMemory
WriteProcessMemory
MultiByteToWideChar
WideCharToMultiByte
CryptAcquireContextA
CryptCreateHash
CryptReleaseContext
CryptHashData
CryptDestroyHash
CryptGetHashParam
CoInitialize
CoUninitialize
InternetOpenA
InternetCloseHandle
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
HttpQueryInfoA
FindWindowExA
ShowWindowAsync
SuspendThread
StrStrIA
UrlUnescapeA
ResumeThread
TerminateProcess
Process32First
Process32Next
program internal error number is %d.
blackmoon
BlackMoon RunTime Error:
DLL ERROR
:"%s".
%d%d%d
HrCg@b
O(uckHr
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
2/2I2~222222/3;3N33333333|444444+5>5]555555576f6r6~6666
7(7e77777
8=8q8w88888889.:^:::-;v;;;;
<'<3<@<z<<<<<
=)=6=r===== >?>
?2?:?g?????
0;0Z0w061e1m11111"2S222B3v33333>4d4444'5k5z555&6S6_6l666 7M7n7}777
8#8]8i8v8888n9}9999
:.:E:t:::::;;;
<.<@<f<<<<<
=M=U====#>@>L>Y>>>
????????
0H0w000P1_11111
242}2222
3O3^33,484E4444
5>5_5n555556&7w778
9i:}::
<@<<<=
;0\1%2222
4C4J55555 6c666
7U77Q8{888
9?9Z999
:::U;[;;;;;
<+<W=_=e====
>'>:>D>>>>Z?t???
0(070G0e0x00000000
161I1[1a1{11111111
2*202J2]2o2u222222222
3,3>3D3^3q333333333
4-4@4\4b4|4444*52585b5u555
66666"7(7R7e77777$8*8T8g88888
949N9a9m9v999
:,:J:]:::::
;X;^;;;;;
<$<F<L<v<<<<1=D===$>7>>
?>?Q?s?y????
0-0@0X0^000000
1d1~111111
2H2[2y22222222
3)3A3G3q3333
4/4I4T4w444444
5[5v5555(6T6666
7 7(707J9999,:m:
;F;H??
000C111
2h22&3g34
5Q5366q7388*9;9N99\: ;%;/;d;i;s;;;;
<g<<<<
>N>>>3????
4_4444+5t555 6:6v6666
797777
8&8K88888
9Q9e9r999:H;\;i;;
<E<y<<8=====
0&0k0091N1w11
2+2S23=4R4444U5j55506666
7*7?7777:8P888?9Z9z99
:::f<<
====%>\>????
i01111
4=4456d6n6666666
7@7k77
88_999):5:::::E;a;;;r<<<?=[====
>L>z>,????
0F0t0&1111
2W2c222
3.33Q4]444
5m555#6/6
66657A7777G8S8888Y9e999
:k:w:::
;};;;;%<<<<
=7====
?+?[???
!0=0m00031O1
111E2a222
3W3s333
4 4_4f4y4
4444457777 8J8888
9E999F:::::
<w<<<(>7>>>>>
? ?\?q????
0n00000N1q1111<2g22
4S4_4t4444
5355)6>666>7J777]8r888*9O9w9::C;^;;;;K<W<<<
=E=Q===\>>(?4?G????
0D0j000
1Q1d11
3D3j3444
5?555566)7>7s777
88888+949;9N999-:::::#;F;Y;;
< <8<F<<<<<
0b1{1111111
2U2e21444
5P5555#6N666
9-9x9999:
;);Q;;;
<(<k<<1===h>r>>>>
?$?:?m??
222444
5)5v5555
6=66666
7h7u777738t888$9@9999 :':
<;<G<Z<<<<<<
=;=N=S=Y=p=x=
v01233L4
55w6666647G7Z7m77777777777
8 8%8*8Q8`8888888888888
9"9(9X9c9j9x99999999999
:&:>:M:U:`:k:r::::Q;Y;a;;;;;
>;>m>>
2 2$2(2f22
3(3.3U3344455555555
77J9|99
:L:l::::T;X;\;`;d;<(=+>E>a?
0e00000000 5@788Z9<<
1s1J2Y2b222
3?3I3k33
55k667
9;9:J;};;;h====">a>v>>5??
2;22222
3#3d3~333
43444444
626?6f6}6677v9<:@:D:H:L:X<`<k<<<<<<
=&===M==0>M>S>Y>>>>>>>
Y0`0q0z00000
1 1$1(1,10141D1I1[111111111111S2d2k2y223v55556
7R8888999':1:6:F::::
;b;;;;;==
>i>#?+?5?B?????
0 0,0M00
4|4444A5H6N667O8r888&939>9Y9b9999999999
:":(:.:4:::B:Y:
2 2$2(2,2024282<2@2D2H222
0000000000000000h4p4x4
c:\windows\friendl.dll
?Kernel32
LoadLibraryA
shlwapi.dll
user32
user32.dll
kernel32.dll
kernel32
PathFileExistsA
FindWindowExA
GetWindowThreadProcessId
OpenProcess
TerminateProcess
GetCurrentProcessId
VirtualAllocEx
WriteProcessMemory
GetModuleHandleA
GetProcAddress
CreateRemoteThread
WaitForSingleObject
VirtualFreeEx
CloseHandle
program internal error number is %d.
DLL ERROR
:"%s".
%d%d%d
OpenProcess
TerminateProcess
GetCurrentProcessId
VirtualAllocEx
WriteProcessMemory
WaitForSingleObject
VirtualFreeEx
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapFree
IsBadReadPtr
CloseHandle
ReadFile
GetFileSize
CreateFileA
DeleteFileA
GetModuleFileNameA
WriteFile
CreateProcessA
GetStartupInfoA
FreeLibrary
GetProcAddress
LoadLibraryA
strchr
_CIfmod
sprintf
PathFileExistsA
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
wsprintfA
MessageBoxA
GetWindowThreadProcessId
`.rdata
@.data
@FV.O;q
&Kh;~RA
H((&{"<3p
dJ<A&fY
zz[KI_$N
sfpsS'7^:5NY0
j)C.Jz
Pm-CQ)3[
7.<DDa]
'#P[[W,*
|/%a)}
"9s<r4~i
vJ-:+9tO~MXat;
4D*}H%
(;wm#Kcg4ypQ
h`6EkV(?
Szg$vwfLp+s
JX$;0;A(&S0(Ul\^}U(.o+rRaO)Xb&7
!=FPk.
Y/R%sx
OgP;=g4rO%y
(|#[cM
2Xqg7 v
Ks<Egs+
#z.?s7
mj[{%8j
8XZC]A{
sWnRp~ik
2"a4cT
GRnL"=N]
CM9K_#y
?|3z:d(
XNa+AJq*
tlXz"M0;}
>M >GZ,]+|Z
l.Yg ?
*:k^\X
RT ?b?~q(0m7iC
a]^Nq<t
#pEje%
tV0L77.!G
|>=W_4z
PNy_Uj
Xa?t1vK
"Vp{n/
kIRSr@$
+sHQT}%
yVasX+
wp$xk'$t
MFq2y"
pRj"rD
8e7fHR4ci
=":Vd7$s
>)sIw(4.fVK}
Rc)E}vOpMlV`
5Jf{SVlp[
!WXL>G9BIXj#
H:~3/
?+uwlQ
Shk9gy
4NHIX_
CT{% vU
r{xu:3V
S=IC>v7
dv]q/Ux
/@H();4l
@\+l7hx
ETw6O\i5Gl
t{sb}t
G:([XZ"y0
%e R+^
Bi^-Xd
j2D)%[
+nM}HK26
mtUp.qFf=
AX:X(%V:c
SS.>Z]^E
omhqP2
9nW![4cT
e|`XG{"B
yjF|pMn\r)3
-?PZ5wy1
^q?J=E
$By^#GF"
Q;G!6i6K
km+cwE
1,uPFf[>>
&yAj ;i=
7iNcgx
+tFc(Ev(G,
$1P9uFFSh3
UWVS|$
t$dD$\
T$L1;\$L
t$t#t$lD$`T$x
D$t#D$hl$x
D$t+D$\$
D$@d$@L$@
9s#D$H
t".)D$H)
T$8L$PL$xf
D$\l$TD$X1|$`
D$`L$D
9s`)L$4|$4
t$4D$H|$t
D$`D$t+D$\D
*BT$t1
l$8f))
D$T&))
T$TD$PT$PL$XL$Tl$\D$\l$X1|$`
9s/D$H
9s;D$H
t$(Nt$(uL$0
T$,|$`
l$$Ml$$uP
)D$H)
$L$ d$
p4$Ft$\tYL$
9l$\w_$
BD$tIt
XPTPSWXaD$j
KERNEL32.DLL
MSVCRT.dll
SHLWAPI.dll
USER32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
PathFileExistsA
wsprintfA
kernel32.dll
MSVCRT.dll
SHLWAPI.dll
USER32.dll
OpenProcess
TerminateProcess
GetCurrentProcessId
VirtualAllocEx
WriteProcessMemory
WaitForSingleObject
VirtualFreeEx
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapFree
IsBadReadPtr
CloseHandle
ReadFile
GetFileSize
CreateFileA
DeleteFileA
GetModuleFileNameA
WriteFile
CreateProcessA
GetStartupInfoA
FreeLibrary
GetProcAddress
LoadLibraryA
strchr
_CIfmod
sprintf
PathFileExistsA
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
wsprintfA
MessageBoxA
GetWindowThreadProcessId
30u7u4io5lf6xoucl4qkw639nh1tqn407t4psddv8mv0ga8m74jvv0ai0h59qk3kk45i242qe2uv59ca9a91lx62oln810j0t206t0f11rvj9f5uh9220666822280264084620804288426488846ed3p8lnpbp9ss7sg435jpsams8i3k7xn662mn4gtlii950ji6p0xau6v1j2ri02l19r0iir6c0xm91djm09d89djs8s758892t5q128pk42q6bhh3ewkt42986a6393s8u6r72jklu8xnjbbrnnfvjrjnnjvrjdjnrfpjldftfhtpxllxxxpxdhdxiotpc55qto8m3mp5fjm2750dajpgaagm74u95x365hd1r019i1t9wb04n09e24lddltdttdddlltd73689324ff538lii3122587q0nk1kh12twntj044n4w566hho43454x94x0716lxcbch44b0tuafosarnbjnnbjjbffnf49vv93asa0g0dmv1v61xc02cx677o2cuu2xqf4s2971uq06oj248pg9a26s0gjd32s2on0p246h4s86486468226264408
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�8�0�4�0�4�B�0�
F�i�l�e�V�e�r�s�i�o�n�
1�.�0�.�0�.�0�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
P�r�o�d�u�c�t�N�a�m�e�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�.�0�.�0�.�0�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�m�m�e�n�t�s�
(�h�t�t�p�:�/�/�w�w�w�.�e�y�u�y�a�n�.�c�o�m�)�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
A�a�b�c�d�e�f�g�h�i�j�k�l�m�n�o�p�q�r�s�t�u�v�w�x�y�z�
B�0�1�2�3�4�5�6�7�8�9�
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.