2.8
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.59
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Banker-FNW [Trj] | 20200411 | 18.4.3895.0 |
| Baidu | Win32.Worm-Email.Mydoom.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200412 | 2013.8.14.323 |
| McAfee | W32/Mydoom.o@MM | 20200412 | 6.0.6.653 |
| Tencent | Trojan.Win32.Mydoom.m | 20200412 | 1.0.0.1 |
动态指标
一个进程试图延迟分析任务。
(1 个事件)
| description | 089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe 试图睡眠 185.64 秒,实际延迟分析时间 185.64 秒 | |||
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Windows\services.exe |
将可执行文件投放到用户的 AppData 文件夹
(3 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\tmpE2C9.tmp |
| file | C:\Users\Administrator\AppData\Local\Temp\tmp278F.tmp |
| file | C:\Users\Administrator\AppData\Local\Temp\tmp71CB.tmp |
检查适配器地址以检测虚拟网络接口
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545393.6875 GetAdaptersAddresses |
family:
0
flags: 1158 |
success | 0 | 0 |
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x00009000', 'virtual_size': '0x00006000', 'size_of_data': '0x00006000', 'entropy': 7.859086691322967} | entropy | 7.859086691322967 | description | 发现高熵的节 | |||||||||
| entropy | 0.9230769230769231 | description | 此PE文件的整体熵值较高 | |||||||||||
可执行文件使用UPX压缩
(2 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
网络通信
在 Windows 启动时自我安装以实现自动运行
(50 out of 121 个事件)
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM | reg_value | C:\Windows\java.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services | reg_value | C:\Windows\services.exe | ||||||
网络通信表明可能的代码注入源自进程 services.exe
(3 个事件)
从本地电子邮件客户端收集凭据
(1 个事件)
| registry | HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts |
文件已被 VirusTotal 上 66 个反病毒引擎识别为恶意
(50 out of 66 个事件)
| ALYac | Worm.Mydoom |
| APEX | Malicious |
| AVG | Win32:Banker-FNW [Trj] |
| Acronis | suspicious |
| Ad-Aware | Worm.Generic.24461 |
| AhnLab-V3 | Win32/Mydoom.worm.49344.B |
| Antiy-AVL | Worm[Email]/Win32.Mydoom |
| Arcabit | Worm.Generic.D5F8D |
| Avast | Win32:Banker-FNW [Trj] |
| Avira | WORM/Mydoom.O.1 |
| Baidu | Win32.Worm-Email.Mydoom.a |
| BitDefender | Worm.Generic.24461 |
| BitDefenderTheta | AI:Packer.6236D6581F |
| Bkav | W32.MyDoom.M.Worm |
| CAT-QuickHeal | Worm.Mydoom |
| CMC | Email-Worm.Win32.Mydoom!O |
| ClamAV | Win.Worm.Mydoom-90 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.2b0ee1 |
| Cylance | Unsafe |
| Cyren | W32/Trojan.LVDB-0128 |
| DrWeb | Win32.HLLM.MyDoom.54464 |
| ESET-NOD32 | Win32/Mydoom.R |
| Emsisoft | Worm.Generic.24461 (B) |
| Endgame | malicious (moderate confidence) |
| F-Prot | W32/Trojan3.ACNA |
| F-Secure | Email-Worm:W32/Mydoom.gen!A |
| FireEye | Generic.mg.ce42a3d2b0ee1f6b |
| Fortinet | W32/Mydoom.M!dam |
| GData | Win32.Worm.Mydoom.A |
| Ikarus | Email-Worm.Win32.Mydoom |
| Invincea | heuristic |
| Jiangmin | Worm/Sramota.avf |
| K7AntiVirus | Trojan ( 0000000c1 ) |
| K7GW | Trojan ( 0000000c1 ) |
| Kaspersky | Email-Worm.Win32.Mydoom.m |
| MAX | malware (ai score=85) |
| Malwarebytes | Worm.MyDoom |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | W32/Mydoom.o@MM |
| McAfee-GW-Edition | BehavesLike.Win32.Mydoom.mc |
| MicroWorld-eScan | Worm.Generic.24461 |
| Microsoft | Worm:Win32/Mydoom.O@mm |
| NANO-Antivirus | Trojan.Win32.Mydoom.dlnpqi |
| Panda | W32/Mydoom.N.worm |
| Qihoo-360 | Worm.Win32.Mydoom.B |
| Rising | Worm.Mydoom!1.6579 (RDMK:cmRtazotHzkYalRF0i3g1NLmpXGb) |
| SUPERAntiSpyware | Trojan.Agent/Gen-FakeDoc |
| SentinelOne | DFI - Malicious PE |
| Sophos | W32/MyDoom-O |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1970-01-01 08:00:00
PE Imphash
98cd465c2ab2841f9fd90d5e847563f4
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x00008000 | 0x00000000 | 0.0 |
| UPX1 | 0x00009000 | 0x00006000 | 0x00006000 | 7.859086691322967 |
| .rsrc | 0x0000f000 | 0x00001000 | 0x00000800 | 2.6542421841999686 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0000f3c4 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0000f3c4 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0000f4f0 | 0x00000022 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library ADVAPI32.dll:
• 0x50f59c RegCloseKey
Library MSVCRT.dll:
• 0x50f5a4 memset
Library USER32.dll:
• 0x50f5ac wsprintfA
Library WS2_32.dll:
• 0x50f5b4 gethostname
L!This program cannot be run in DOS mode.
kernel32.dll5root\IEFrame
ATVH_Noterctrl_renwnd
6@nT3A
/m%s, %u
=IntotG
(dnsapiUiphlp
DQnr9A5k
workPals mail
a97buse
vl+|tifi
.gKli/c8rvKubmi
BCagthe.b
gold-QIca festn
Koftci'
jsf.3yOW+rrCk +
og#gnu
~or .c
f.@donex|_-{o
sak~kGnda
.ymav_-!e[/
lhf@dd`
TL@dHD<
-05*.*
USERPROFILE
7 'M4M
d$g$o$ '%
%|<{L$h P
{$t| $T},{
(.d ?hm $A+rm bo
XM){:|,}|
kTw%h
t}{.|*)
{W '.d6
3s}]{i^|Y} e{-AmmD{
BbeL|w
k+j|5q^
sss\
k.>Dc|P
bly,|"B
|ObvN4
B|gWby{ v-sru}
h&Zk?9
B+tnPt9
ucK{: %YZ;chI
%eRt4f8l
p{{VtuA
CS4@K@hsBCY}sa
Hq+ da,Dt
#u{7|h
C3$HV*i8vC4(s)d:VU
8>IsA|}v
i(@aTx3ZqtId.
'QcR n
y,DmWBZ#O;-1QY"
nf,Foeo
Ah:yI-B Unhth
m3$iA7sC
2\zpT?+
sZx^'0;}7Z z
q</>G#
@$F|OZ)
Gf^F/ -aN
dWL$w{S
un] d []|
nfSm=C
Rg@.=Zk
TDFQSk1{>
$f^s}3s
_`{P5R.RA5
,554 UI
7S{F;"aA
WH0.1.2%
(N<: l$
]pm; o
6,1tB= |1_S[|
{BOX NO
FOUND|
}kDATA{d400-aqr
%m-E-OPEoUT,~0
Amw-RMS@CRE<A|3
o!d7SYSTEM-F<XDI
SKQUAB=sk<d(
?>mblu/NX
1$'}1%0
0ESSO,x
|e-\/Y3
"C"PAT
fI@,TSJ<
,Q"K Os
l[$^ubK%T%
ABCDEFGHIJKLMc/PQRSUVWXYZ4c
.,qfgjmBpqn
vwkz0123456
789+/X-Pf6n
nMR/l1oEx
D6.6+|u
3IMEO(4UPBy@
CB2-*Ty@mX
t/xG;!
y="N"1
q-Vi1h
kPs6+f'I?G
zZjf0ElC
o~Ab164"
HL:ZdvSD{/Hn
li7b\0
XnRCO$
>'hwb4
LO+ zq>SMTP% 6
%\\*,zknr
m8.logz,Nt0B/
JKWZh&>
EURLD5
TyqsN/ahB.p?lpv=1&=&*ohp&t
=web&#l[
dOAZ;w
:>aL]P-/Ss?0)s&kgs=0
?p9w=K]X8&o=fp-
&M=mG!k
DQhl={
ofrtwa
rer\.\Micv/s7]'D;7om n]
8*P7GlSh
[v#A1G![F
]6tPja
vf.xeo
j 6t(w
k u>b, <5W-<:wudP
i5Mms7
doM4Mws\Cu4
esi 45
;Rlt J>M
I2^?SW|$
^_[j 4h
e 4]fxReg4 MiserS45rv/icN4MeProc?sN NM)
p{%$]/#Kf
y+P!El
jh`kb4
0f+0_p
D$!%Tt
YCRBY];u
+7'VW}u/q?IH+S>&
B0 +Pa
3F;|A|
^[;6-]
"P?[iwini\.et.dl
hnXf`EkQF
lml,;!
~)9ut_
3UA$tv3{Wj(Z(u
_-54}3
s5X}FF
`3`16v5;C}0oa
bu[7QY'
>F@Ju.F'
iv|7.JN
ESrP)&nY;
Cw[-aKW>
f$1!@tC
v? ,im
CO`R};u<-
0^]8PU
uo'd_t$@SD
?;IT1\
V*vUnXrl
}en3}*1Y$0
Uqtvq{u
[<bvFq
n@Ij%+\
S.de$y\Da
b={][w{o\&
XTr+xv
;Q;tQ!$h
DuJS:S]
h8<]+w
O+N!wh
Xj5BW:
d:ztbv1.1-
.@2<3HmtSg
l[c{u
\<<@t?(T
Jo@7TkzO
'#zwH.
s?Ny..
7jI]%p
\]qSE9
1xI3nU
Z2@Y.tw`
r{*A 0|
tFG.lF4|
0]J1H9
5FGl)5uq
z$Bnvt3D,,
j-D=?W
bt'A;|
x-Pw!"Vc-t#Vh
;Wt+9PoX
2hnNgI
jz &vBu?
H@_z'j8pd@
,WBEJV,
5*RYbW
S53StICx-[cu
B:c^}VyGWSYR[Sf;T;W?)
?DID7J%
jU.`h
=Prdjd2|
[w$:I7V
@A{G2]`k+[
Tvtv|M
P~,hcHL3
1b|r+Q
;}e;}a;WO\
O;~CM;~?+
y_FC " S2h`2|#
,l[hD`
oGdO`1vUp6lZ
s(NDsR/
EpiDMl
SofteYware\MYeYicros
eof\WYeAB\WAeYeB4\WaeYb FilePeY Nam8HF/uQ
jY+8Fh, =
6B[U<pu
hY]<tu
buG:uCR<hu
k/x<a!
N<db7xt@5<w_u
|(mKt:u{c
cp\eWN\;>
rh@kV}*
50X1zu
ZQ6PTP}+
H"AQvVBJCH'X
i^gLocial SeeYtting,[AYsTe,mFprlm
yJI:u]F/
TLL($E
"P7+8N
3FOub:
FjB. 2*k;
S%a{<Q<.'1|s/
eEEmhk
, ;Gb1Z
!<gt?*^,8:3M
@ePGEK
w?$[M&D6h
/h(h!h
hHWyEc
J6h<=}vr, +hh
Rcu|&JSP
y[o5j-GX)
]JL~,,
de -F;87
A! _.t!
d3fjUN
SWu$0h`c?S3_6}O&R9y@;p
mm<pT\
D'@'Y<'p
8'E@[q
hp3Tu{
h4'&lpk.v#_"
/C8Wb2T
sPH~$A
`Dt9HHt-
wu^1"8
&zHm'hLV
]<{lF
;F?'n@m
D7>oSB7
(3w@hG
{9RxN< r76~=t=<+
qr&PW_6
+D5uUAzg
)DVt*mvs
B9j\w7
"YOm(xh)5U
"R\_pALR_|
4Q&vFhWV
n}DDB;s ^Y
X-'8'#p9]
48G~rV
8=:$Qn
2E!b.|=d
lB?;W"cGm
nbF2><:
FtOsMX
D@3nJR [
AzH,rS9BP
0]*l[V
`@S#rUjb
-RSQ@_
oxY;YZ=l
v N1h|
=+~/+&xy<lZ<+E1>
d6TS4nNs
;D11L<
[^=4je
OvP*#gC
*hR-Lc
^8DW &
T[Pt+j
+H1^]'[
j_@W](L
/wbP7N-$`Y
,3XYtvB!y
P2iH\kVA+
t wF1FfXB`I
]$dg*0
/:W#{@8
-;3HG!$6
;w6(ccxYW5P<
"QUf:'Sf
h'j 'H
,Zz#<Y!
9ht,%
gWy<s&$'25p&%%ip
vJseB0A?
{x%7Hh6
8c;lAY?%XRl3
vhHGWKP
0+8+8%
|xtiplhd`\iiXTPLHD@
i|itld\TLiiD80( a
ABAyvm
O^OAH`@
)(2a13.&3 ,a" //.5a#$a34/a(
a,.%$oLLKeA
@BAN@J@F
faQ1&,
'pa\`['
sH`1_'
u'`MHCH
47"VigL^
RI+Pf5`Ax\
#?@aoW/
!]*$3/$-
%-->cd2cFdoyk9od"V78o-f;U
"(5$A9+
1aeVN=k
C`Fv_LU
x0c N,My
1?ifqD\Ex
FMPWDHOUEJQuVGKNTA@CBBEC@DP/
DDGF6n@$5
./I"O%
{rtH@Gv>
=1ETQFz
)PcilPne8
5n5NDc
DxF?:6|ah+$+9B
B#%F!>
>LyT7qP
1C%xD=a
PB 6Y>NaD\
E(yoS-'6)t7
IYUV\+
[eI>N&)i
BAUI=VK>D?
A-z`J17DG-
j_QeZN
|q]B<-^
.y M{<Q+P
+@,ML[}'
YuQZ qJz
r?P4xE5D
5Ez5E7`
.=W,&E
_Mxq?QQ..vMpz<FW}
G2<Ew2r
i[+ITW]w
Uq-!V\<NP
|s4~-@ZRL
H+'oYIv
Fz=gl1`m.'8S|
E2MISY
wN[lID
GM'/5}H
_? xxI=
ry2tF~KG=
-O) _uq#?avrrKb
0@T/4\q5O
K1NjIXKS <)K
Q`,N{b-2@
9\NSn2|R1la)%P
/3PRPw
kUy.?ZJzf+%~
J=eqK){
?~z=a:
=UKp`u7 `4C
zGI?BMwe
%^?v?d
_|0P@M|~
!nxm5K]G+
IEMI@tE&
/7W"/)S]7IIqcqiTQcS\,
.'56 3V3$
,m("n2v(
KnK\DY9
O2XU@4n,D:
Oc4YAII1'$)
/J7("$
3.m6w7~2;
`"Fn1+
Q7<VhEFL_JM
^'IAO^9*1lY7U
J)Z<cw
Ir4)p"\1>
'+?Y3\!Z
N&YzG\:I3K
w? ]$/Qr
m|=qFD
)QX`^yqe@-}
_Sw!!S
`7:14Dy
&*,Pa?<
r7x<gSvQf=^,ypG(}&[|*
z5Pr,JJ
Cyf*P;9u;
t4gAh+Y"
4;/[{i
zY#h I:Y47V
F z14x__W
%Y_=g\
?v.#Fp-C
|GW Bc,$
IzN[b/
A!=)&!
IT=`M]
[a9r5GB
;mTH]]
z 9jE?D35
Q<7[TT
DYlY1%'&
@3D2Zy)/KFZj
cM8vryB5`
1;MF!@W_
Da8/U?
S{D}/[s=Kzq[_[R
ZZ6KaX
/UABz@b
AKM`{K/
GRD96SeABN`wm9CTO
K=&gML>RC5h
5VCJJrBid>*/Kr\CbbJJVNbJ
i+EIEB
JB's @mnLz{b
bOGd#IY
4 ;4/tv
Bm,nC~BS2
ly'G^Q0j
DIFv6tV
D/gN'CZ
DKW$DW,<M
JO|+}.@\QP
,Y ENjq
_o,'aK6
Le8\T7r
y[zcC+
Uah_)P
I2_@,2
vNaEPKepj}
w9QJWq\cO
KAl`\Mn
94'kJ$Ma~o
HC}p|'
j.R_7<s
1Z:P=lYM!G^W D
X/nyg<1
7XT0)AAka/
(-$XA
$5FF.(.N
w$H//."cI$22U`2$
>E$/" .
V@%4-9
(#3 38sn!
QI62131'=mtOwQRu
SLC2IH
A'ZErF
dZGB-n
VaWA%_NJ
7 Ebz!o%/-
WA EqB
5)m@6o~@VF
%1!i5=\`1W
\-h"`,
J/0(/5'
FindCD
MapViewOf
rs"nw/KEnv
onv]V"ab
}TimF*
{p^g-Ln_ ~LibrNyA!LPPc(KD9balAl
cXLa=T*Mu
FCopyDe
EScv;lenTpP/h
PpyMl[vg"M
ExiBAbhqd Y&/
3nZeI{
ckCoODr
deCh]Dl4MoByt"
c6*R'TGPoi(
H{fpF&\
C0:nEL0i
:$9aokDe,
O&?dmanse07
"97+3*a*!
NBuffA
#wvIr#w
s9<PEL
`.data#B"'v@`
|){4'@
GPGWHU
wwwwwww
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
USER32.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
memset
wsprintfA
:2 DE5
wFu1kakwF~888-R
f|QwXLwX?|
5Q,`sZv
De)Dq~wZ~WC{
blZ~,b9
KB8K$K
)[JKFz
7|#9|y|/N+'H^
N*?L{A
7pV{Zd6dAL
Nf!y\8$|d["Ahc%6
xV#]g7n>#]eg(x0
S(@1(=
s 2YxA_d+:W
tY$hMIrI\hng
mcohMLa>
>UZO!}G]+j
eN ;eh zVjI0e
ja7iUIUS^`U8VaqX2aX.
:}3*4d(u4F64K
Process Tree
-
089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe (2948)
"C:\Users\Administrator\AppData\Local\Temp\089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe"
- services.exe (2160) "C:\Windows\services.exe"
Hosts
No hosts contacted.
DNS
No domains contacted.
TCP
No TCP connections recorded.
UDP
No UDP connections recorded.
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | bbeef04c4cdd0fc0_tmpE58F.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmpE58F.tmp |
| Size | 28.7KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | 26503b16416a3a3998978dce83315ae1 |
| SHA1 | e83907b08b22a4608ad0873c609689aca4763ff0 |
| SHA256 | bbeef04c4cdd0fc0ad35e099c20229e50e603ef5e42dcf88aa5ebdfcf3f84c0c |
| CRC32 | 71C0507D |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | bf316f51d0c345d6_services.exe |
|---|---|
| Filepath | C:\Windows\services.exe |
| Size | 8.0KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| CRC32 | FD13B657 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 157609afdec5859b_zincite.log |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\zincite.log |
| Size | 1.1KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) 2160 (services.exe) |
| Type | data |
| MD5 | be372b73dd0f64734b8f33d4bd34b51d |
| SHA1 | 79cf2a8f89dfd49b8e3ab0d571206758b278c6b9 |
| SHA256 | 157609afdec5859b6cf0e6de33eee7f4efa15869afc05dc4d2bf8c5884daf019 |
| CRC32 | 4D9C3A48 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | ae17ab37c682ba6c_tmp288C.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmp288C.tmp |
| Size | 28.3KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | 9798068d33dbd92a3a1cb1fdf353a263 |
| SHA1 | c4a50e1d5ffce078ce9a59f3edae60a4f58d5714 |
| SHA256 | ae17ab37c682ba6cda56054eade92fccb8ec295fb4a3877cbff3526f16bb5834 |
| CRC32 | 502F616E |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | 8c7726ac5a6d49e9_tmpE368.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmpE368.tmp |
| Size | 28.3KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | 7e30c5a8f32bb97e840bc726f342348a |
| SHA1 | 6bae1def815ba12f16beae03d20935070bafb9f3 |
| SHA256 | 8c7726ac5a6d49e9c0b5ca158f17eab82586759dd3030795cb7945b891c33455 |
| CRC32 | BE9B3293 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | edfd535c3fb561a2_tmp7F9A.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmp7F9A.tmp |
| Size | 28.3KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | 215aae66a4aff6491e24bd84a77d32a4 |
| SHA1 | 937a2551e3c627cee33fdb027a4321d890fb0737 |
| SHA256 | edfd535c3fb561a2d1eeb2e37a1d15ad0174cea73efbf9e7cd9ef03ac2bae0c6 |
| CRC32 | 37558CB2 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | dff8730adca16fc9_s0akzoq5r.log |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\s0akzoq5R.log |
| Size | 1.1KB |
| Processes | 2160 (services.exe) |
| Type | data |
| MD5 | 969d0c6431bfa422360bd6915b46b62b |
| SHA1 | 685cdcbe051f0eaaaf2127e929dd24d70ea8d662 |
| SHA256 | dff8730adca16fc9559981f65a345ff79f12f7e5ef9d91ce8cf10a2ae6b0b705 |
| CRC32 | EEA0000A |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | ad3fef1483d63cd3_tmpE2C9.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmpE2C9.tmp |
| Size | 28.2KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | 7976675eba6e1d689b7904a3ebafeb82 |
| SHA1 | 847a8a2f34aa640bf8ae929ee0d2579c04b6f9f3 |
| SHA256 | ad3fef1483d63cd32963b35fb315a04f40669b710cbe8b2478c17fe6b573b8b4 |
| CRC32 | D8C192D7 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | f814d180c16e8c39_tmpE99B.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmpE99B.tmp |
| Size | 28.5KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | 85a4f61e1d1deefa95736236ae042d37 |
| SHA1 | 1439849d9cef1c4e9569c3ac5e9c67b3cd147bb8 |
| SHA256 | f814d180c16e8c3989f6441e26473f484c01476d5329775c8b2db0b0fc787a74 |
| CRC32 | 2460A18B |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | b7ea6d6bbba6bf48_tmp71DC.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmp71DC.tmp |
| Size | 28.4KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | a4b1a4432c2e9a204033bc4476ec11b9 |
| SHA1 | a2a84e51a443bd441ffcdca0cb7ab5e986c956b7 |
| SHA256 | b7ea6d6bbba6bf482f475b44ba6ef517bd1be93e8ca78932e9cd0e184900dad3 |
| CRC32 | 8ABE6B58 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | 309bebdda98d1164_tmp278F.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmp278F.tmp |
| Size | 28.2KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | 63463a7cd92930ea49704f402b5562d1 |
| SHA1 | 04e7acf8b1e2f0f56ac7ab3e406bdd2cce74dc8b |
| SHA256 | 309bebdda98d116444f5c8f6c19b3f816ae84418e6395fd15faba86e8fe28a2a |
| CRC32 | 8EB4115C |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 84b65e8bed1ab31a_tmp27BF.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmp27BF.tmp |
| Size | 28.3KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | 9c26707ca6b1f09b5f9dfb4b6e416211 |
| SHA1 | f00ad12fa388df3d75621f6bb79b0a8e110b9ed7 |
| SHA256 | 84b65e8bed1ab31ad7f19965e7f0aa3250c2b2bb1a96eb56c5ed326ad7b7c192 |
| CRC32 | 463FD7EE |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | e3b0c44298fc1c14_java.exe |
|---|---|
| Size | 0.0B |
| Type | empty |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| CRC32 | 00000000 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | c326bf6e1f73c143_tmpE93B.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmpE93B.tmp |
| Size | 28.6KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | fd416cc9596f69aeb4735f01b271b403 |
| SHA1 | 9d9fb070c665a024c2c63b451bc5ae36e80a94b2 |
| SHA256 | c326bf6e1f73c1435f44405253396d39fe94790d2dd9a1ea866273320de099c1 |
| CRC32 | A3099B66 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | ff55e5206d33f71e_tmp71CB.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmp71CB.tmp |
| Size | 28.2KB |
| Processes | 2948 (089bfa1d1cd7d15e12e47a4e268996b540784bf735c671b0fac746fd462e6b59.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | bb8ded525e23ed4d7333667db0b5843f |
| SHA1 | 42d27fa9e88ad661dd527c07a924de509def35c3 |
| SHA256 | ff55e5206d33f71e43f84ae4ced03acfe7c33a2adc1811fbf13a6e13812168b5 |
| CRC32 | 41B96563 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.