3.2
Medium risk

06366b92d03a3731c8305b6024a36913e0031c1a56c2fc509e88ec17c01bc102

06366b92d03a3731c8305b6024a36913e0031c1a56c2fc509e88ec17c01bc102.exe

Analysis duration

133s

Last analyzed

385 days ago

File size

28.2KB
Static detection Dynamic detection CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN WORM MYDOOM
Hawkeye engine
DACN 0.14
FACILE 1.00
IMCLNet 0.59
MFGraph 0.00
Static verdict
Antivirus engines
Engine Result Scan date Engine version
Alibaba None 20190527 0.3.0.5
Avast Win32:Banker-FNW [Trj] 20200411 18.4.3895.0
Baidu Win32.Worm-Email.Mydoom.a 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Kingsoft None 20200412 2013.8.14.323
McAfee W32/Mydoom.o@MM 20200412 6.0.6.653
Tencent Trojan.Win32.Mydoom.m 20200412 1.0.0.1
Static indicators
Checks the amount of memory in the system, which can be used to detect virtual machines with little available memory (1 event)
Time & API Arguments Status Return Repeated
1727545303.640625 GlobalMemoryStatusEx success 1 0
Behavioral verdict
Dynamic indicators
A process attempted to delay the analysis task. (1 event)
description 06366b92d03a3731c8305b6024a36913e0031c1a56c2fc509e88ec17c01bc102.exe attempted to sleep for 143.925 seconds; actual analysis delay 143.925 seconds
Creates an executable file on the file system (1 event)
file C:\Windows\services.exe
The binary likely contains encrypted or compressed data, indicating the use of a packer (2 events)
section {'name': 'UPX1', 'virtual_address': '0x00009000', 'virtual_size': '0x00006000', 'size_of_data': '0x00006000', 'entropy': 7.859086691322967} entropy 7.859086691322967 description High-entropy section found
entropy 0.9230769230769231 description The overall entropy of this PE file is high
Executable is UPX compressed (2 events)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Network communication
Communicates with hosts for which no DNS query was performed (6 events)
host 14.96.193.136
host 114.114.114.114
host 8.8.8.8
host 15.228.169.140
host 14.96.95.188
host 80.177.2.215
Installs itself for autorun at Windows startup (50 out of 121 events)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM reg_value C:\Windows\java.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services reg_value C:\Windows\services.exe
Network communication indicates possible code injection originating from process services.exe (3 events)
Time & API Arguments Status Return Repeated
1727545325.234625 connect socket: 696, ip_address: 14.96.193.136, port: 1034 failed 4294967295 0
1727545346.265625 connect socket: 656, ip_address: 15.228.169.140, port: 1034 failed 4294967295 0
1727545388.296625 connect socket: 348, ip_address: 14.96.95.188, port: 1034 failed 4294967295 0
The file was identified as malicious by 66 antivirus engines on VirusTotal (50 out of 66 events)
ALYac Worm.Mydoom
APEX Malicious
AVG Win32:Banker-FNW [Trj]
Acronis suspicious
Ad-Aware Worm.Generic.24461
AhnLab-V3 Win32/Mydoom.worm.49344.B
Antiy-AVL Worm[Email]/Win32.Mydoom
Arcabit Worm.Generic.D5F8D
Avast Win32:Banker-FNW [Trj]
Avira WORM/Mydoom.O.1
Baidu Win32.Worm-Email.Mydoom.a
BitDefender Worm.Generic.24461
BitDefenderTheta AI:Packer.6236D6581F
Bkav W32.MyDoom.M.Worm
CMC Email-Worm.Win32.Mydoom!O
ClamAV Win.Worm.Mydoom-90
Comodo Worm.Win32.Mydoom.R@348l
CrowdStrike win/malicious_confidence_100% (D)
Cybereason malicious.61013d
Cylance Unsafe
Cyren W32/Trojan.LVDB-0128
DrWeb Win32.HLLM.MyDoom.54464
ESET-NOD32 Win32/Mydoom.R
Emsisoft Worm.Generic.24461 (B)
Endgame malicious (moderate confidence)
F-Prot W32/Trojan3.ACNA
F-Secure Email-Worm:W32/Mydoom.gen!A
FireEye Generic.mg.cefb4d761013d316
Fortinet W32/Mydoom.M!dam
GData Win32.Worm.Mydoom.A
Ikarus Email-Worm.Win32.Mydoom
Invincea heuristic
Jiangmin Worm/Sramota.avf
K7AntiVirus Trojan ( 0000000c1 )
K7GW Trojan ( 0000000c1 )
Kaspersky Email-Worm.Win32.Mydoom.m
MAX malware (ai score=87)
Malwarebytes Worm.MyDoom
MaxSecure Trojan.Malware.300983.susgen
McAfee W32/Mydoom.o@MM
McAfee-GW-Edition BehavesLike.Win32.Mydoom.mc
MicroWorld-eScan Worm.Generic.24461
Microsoft Worm:Win32/Mydoom.O@mm
NANO-Antivirus Trojan.Win32.Mydoom.dlnpqi
Panda W32/Mydoom.N.worm
Qihoo-360 Worm.Win32.Mydoom.B
Rising Worm.Mydoom!1.6579 (RDMK:cmRtazotHzkYalRF0i3g1NLmpXGb)
SUPERAntiSpyware Trojan.Agent/Gen-FakeDoc
SentinelOne DFI - Malicious PE
Sophos W32/MyDoom-O
Connects to IP addresses that no longer respond to requests (legitimate services usually stay up) (6 events)
dead_host 14.96.193.136:1034
dead_host 15.228.169.140:1034
dead_host 192.168.1.19:1034
dead_host 14.96.95.188:1034
dead_host 192.168.2.142:1034
dead_host 80.177.2.215:1034
Visual analysis
Binary image (data imported as images at 288x288, 224x224, 192x192, 160x160, 128x128, 96x96, 64x64 and 32x32)
Runtime screenshots
No runtime screenshots available: no screenshots were generated while this sample ran


PE Compile Time

1970-01-01 08:00:00

PE Imphash

98cd465c2ab2841f9fd90d5e847563f4

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
UPX0 0x00001000 0x00008000 0x00000000 0.0
UPX1 0x00009000 0x00006000 0x00006000 7.859086691322967
.rsrc 0x0000f000 0x00001000 0x00000800 2.6542421841999686

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x0000f3c4 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x0000f3c4 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x0000f4f0 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

Library KERNEL32.DLL:
0x50f58c LoadLibraryA
0x50f590 GetProcAddress
0x50f594 ExitProcess
Library ADVAPI32.dll:
0x50f59c RegCloseKey
Library MSVCRT.dll:
0x50f5a4 memset
Library USER32.dll:
0x50f5ac wsprintfA
Library WS2_32.dll:
0x50f5b4 gethostname


Process Tree


06366b92d03a3731c8305b6024a36913e0031c1a56c2fc509e88ec17c01bc102.exe, PID: 1784, Parent PID: 2264


services.exe, PID: 2160, Parent PID: 1784


TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 61714 8.8.8.8 53
192.168.56.101 56933 8.8.8.8 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 58485 114.114.114.114 53
192.168.56.101 58485 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name bf316f51d0c345d6_services.exe
Filepath C:\Windows\services.exe
Size 8.0KB
Processes 1784 (06366b92d03a3731c8305b6024a36913e0031c1a56c2fc509e88ec17c01bc102.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
CRC32 FD13B657
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 8ae21ef124106209_zincite.log
Filepath C:\Users\Administrator\AppData\Local\Temp\zincite.log
Size 1.1KB
Processes 1784 (06366b92d03a3731c8305b6024a36913e0031c1a56c2fc509e88ec17c01bc102.exe) 2160 (services.exe)
Type data
MD5 c237373cca01ab6ff3a07ef2cacdcd60
SHA1 6a1a2de873e79fcc3537ddec3e413f3e800f79a2
SHA256 8ae21ef124106209a772b629265e2e61ba9e2f733ee48efac925ba9dc99c058d
CRC32 8EDD44CD
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name e3b0c44298fc1c14_java.exe
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 6e4c6d34096b089a_s0akzoq5r.log
Filepath C:\Users\Administrator\AppData\Local\Temp\s0akzoq5R.log
Size 1.1KB
Processes 2160 (services.exe)
Type data
MD5 2293ae25967895389f3edce0848fdf43
SHA1 49f9e4625276bd6ee2b0f2a0912baf6cd54d02e5
SHA256 6e4c6d34096b089a770e222f25d3222a23be95bc0a4b41f208ec75f6fe347d3f
CRC32 41666DAD
ssdeep None
Yara None matched
VirusTotal Search for analysis
Sorry! No dropped buffers.