2.1
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.68
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20200508 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Agent.el | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200508 | 2013.8.14.323 |
| McAfee | GenericRXGH-HD!D40D0D9E2EF5 | 20200508 | 6.0.6.653 |
| Tencent | Trojan.Win32.Sisron.weqa | 20200508 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | .shoooo |
| section | .imports |
动态指标
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Windows\microsofthelp.exe |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Windows\microsofthelp.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\0e830b7031b0956de75dad777e09375aa8d303b9b8713415304ff66aa32541ef.exe |
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.shoooo', 'virtual_address': '0x00009000', 'virtual_size': '0x00003000', 'size_of_data': '0x00002800', 'entropy': 7.835447843663171} | entropy | 7.835447843663171 | description | 发现高熵的节 | |||||||||
| entropy | 0.2702702702702703 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp | reg_value | C:\Windows\microsofthelp.exe | ||||||
文件已被 VirusTotal 上 57 个反病毒引擎识别为恶意
(50 out of 57 个事件)
| ALYac | Dropped:Generic.Malware.SFdld.BF6D7908 |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Dropped:Generic.Malware.SFdld.BF6D7908 |
| AhnLab-V3 | Trojan/Win32.Agent.R234126 |
| Antiy-AVL | Trojan/Win32.TSGeneric |
| Arcabit | Generic.Malware.SFdld.BF6D7908 |
| Avast | Win32:Malware-gen |
| Avira | TR/Downloader.Gen |
| Baidu | Win32.Trojan.Agent.el |
| BitDefender | Dropped:Generic.Malware.SFdld.BF6D7908 |
| BitDefenderTheta | AI:Packer.357F62791E |
| Bkav | W32.AIDetectVM.malware |
| CAT-QuickHeal | Trojan.Msposer.7372 |
| ClamAV | Win.Trojan.Hupigon-54025 |
| Comodo | Packed.Win32.Klone.~KH@1kg7s2 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.e2ef56 |
| Cylance | Unsafe |
| Cyren | W32/Blihan.B.gen!Eldorado |
| DrWeb | Trojan.Siggen7.56291 |
| ESET-NOD32 | a variant of Win32/Agent.TLD |
| Emsisoft | Dropped:Generic.Malware.SFdld.BF6D7908 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Blihan.B.gen!Eldorado |
| F-Secure | Trojan.TR/Downloader.Gen |
| FireEye | Generic.mg.d40d0d9e2ef5677d |
| Fortinet | W32/Agent.TLD!tr |
| GData | Dropped:Generic.Malware.SFdld.BF6D7908 |
| Ikarus | Backdoor.Win32.Vipdataend |
| Invincea | heuristic |
| Jiangmin | Trojan/Generic.uqin |
| K7AntiVirus | Trojan ( 0040f8b51 ) |
| K7GW | Trojan ( 0040f8b51 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=89) |
| Malwarebytes | Trojan.Agent |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | GenericRXGH-HD!D40D0D9E2EF5 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.lt |
| MicroWorld-eScan | Dropped:Generic.Malware.SFdld.BF6D7908 |
| Microsoft | Trojan:Win32/Blihan.A |
| Panda | Trj/Genetic.gen |
| Rising | Trojan.Ransom!1.690B (RDMK:cmRtazqJXrewZEkKRGzxojWoF9RA) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Shooo-A |
| Tencent | Trojan.Win32.Sisron.weqa |
| Trapmine | malicious.high.ml.score |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2012-01-19 12:28:47
PE Imphash
ed42d4abceb2444958dc2f2ce7063809
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00004000 | 0x00003800 | 6.401056074083298 |
| .rdata | 0x00005000 | 0x00001000 | 0x00000600 | 4.732953369377026 |
| .data | 0x00006000 | 0x00003000 | 0x00002800 | 0.9614498560336738 |
| .shoooo | 0x00009000 | 0x00003000 | 0x00002800 | 7.835447843663171 |
| .imports | 0x0000c000 | 0x00001000 | 0x00000600 | 3.608258743690415 |
Imports
Library ADVAPI32.dll:
• 0x405000 RegSetValueExA
• 0x405004 RegQueryValueExA
• 0x405008 RegOpenKeyExA
• 0x40500c RegCreateKeyA
• 0x405010 RegOpenKeyA
• 0x405014 RegCloseKey
Library iphlpapi.dll:
• 0x4050f0 GetAdaptersInfo
Library KERNEL32.dll:
• 0x40501c GetStringTypeA
• 0x405020 LCMapStringW
• 0x405024 WaitForSingleObject
• 0x405028 CreateThread
• 0x40502c HeapFree
• 0x405030 DeleteFileA
• 0x405034 ExitProcess
• 0x405038 lstrcmpiA
• 0x40503c lstrcatA
• 0x405040 GetWindowsDirectoryA
• 0x405044 HeapAlloc
• 0x405048 GetProcessHeap
• 0x40504c Sleep
• 0x405050 GetModuleFileNameA
• 0x405054 CloseHandle
• 0x405058 GetLastError
• 0x40505c CreateMutexA
• 0x405060 GetProcAddress
• 0x405064 LoadLibraryA
• 0x405068 HeapReAlloc
• 0x40506c GetTickCount
• 0x405070 FindClose
• 0x405074 FindFirstFileA
• 0x405078 TerminateProcess
• 0x40507c CreateProcessA
• 0x405080 CreateFileA
• 0x405084 ReadFile
• 0x405088 WriteFile
• 0x40508c FlushFileBuffers
• 0x405090 GetFileSize
• 0x405094 LCMapStringA
• 0x405098 GetStringTypeW
• 0x40509c MultiByteToWideChar
• 0x4050a0 GetOEMCP
• 0x4050a4 GetACP
• 0x4050a8 GetCPInfo
• 0x4050ac RtlUnwind
• 0x4050b0 SetUnhandledExceptionFilter
• 0x4050b4 IsBadReadPtr
• 0x4050b8 IsBadWritePtr
• 0x4050bc IsBadCodePtr
• 0x4050c0 GetCurrentProcess
• 0x4050c4 GetStdHandle
• 0x4050c8 WideCharToMultiByte
Library WININET.dll:
• 0x4050d8 InternetOpenA
• 0x4050dc InternetSetOptionExA
• 0x4050e0 InternetOpenUrlA
• 0x4050e4 InternetCloseHandle
• 0x4050e8 InternetReadFile
Library USER32.dll:
• 0x4050d0 wsprintfA
L!This program cannot be run in DOS mode.
.rdata
.shoooo
.imports
3|$9D$8
D$8h\a@
D$,X`@
L$-T$,
QL$/RT$2
QL$5RT$8
_^]3[d
0\1H2@\1HA@|
3;|[_^
u_^3_^
SUVWD$4`@
D$8X`@
3PL$8$T
F|$E\$DD4
3T$Dfh
u>L$Dh
UVW3VVV
Qj<Ut$,
SQT$$h
SUVWD$
Pl$0G;
CHsH;t@~
3IQRT$
Jt Vt$
W3PS\$
T$\PQj
Vp3@w&3
PD$(RVWP
UQSVWE
$UQQSVWd
SVWE3PPPuu
]U4SVWe
E_^[USVWE
X_^[]UQSV}
[USVWUj
PjhL#@
t.;t$$t(4v
tP8csmu,9x
U$Ru u
}EPEPWu u
$uu$u S7u
u u$u uu
VWt!u$u u
EPEPWu u
E;EsO;>|C;~
u$u Vj
_^VW|$
X_^UjhP@
u,=u$6u
WP_^[]Ujh
jEP&YY33
?csmu'
X3Ujh Q@
Ujh0Q@
QQSVWeE
_^[38E
mVW_^]M
Ujh@Q@
QQSVWee
UjhXQ@
QQSVWee
VC20XC00U
]_^[]UL$
DDDDDDDDDDDDDD
YYh(`@
HHtYHHtF
;u(xc@
YY\WP\1
@Y<v)\P
VWuBhT@
;tg5`P@
tPhtT@
_^[3W|$
GIt%t)
Gt/KuD$
GKu[^D$
tAt2t$
90tr0B=d@
@j@3Y@
@;vAA9
Wj@Y3@
t7SWU
BBBu_[j
VPVPV5@
@AA;rI3
r)$8>@
DDDDDDDDDDDDDD
B8t6t8t't
8t3^[_G^[_
^[_UWVSM
PUjhT@
SVWe39=@
"WWShT@
M]9}tfSuu
tMWWSuu
Mu;tVSuuu
3;u>EPj
EPVhT@
E;tc]<
$euWSV^
e33M;t)uVu
wMH`U@
runtime error
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
%s?mac=%02X-%02X-%02X-%02X-%02X-%02X
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-cn
Connection: Keep-Alive
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
pomdfghrt
\microsofthelp.exe
WindowsHookExON
HidePlugin.dll
microsofthelp
Software\Microsoft\Windows\CurrentVersion\Run
C:\Program Files\Internet Explorer
iexplore.exe
Shell32.dll
ShellExecuteExA
Software\motherFucker
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
4$PTvWP
.>PPPP3
JuYZX_t
\]h?&zc
--[[s4S
Kb%tUf&u/v
h?]e_dmIspH
F%],|C
q%Yp*mH
(76.1{>G]
pckQ~$
,:v89%f
^4C"x]
e`[*;"
2XyNv.*|3
&uiYCc/Ru#:S8
95{au<
zSC5':
d8jIOayJ
$8*{NL
'P0*C,
](`l|0$vz{jn7
4eut4k#r
}J:O9h=f=@220+3
gK &O?zy*
VlUNlto
Bh}=ijZEM?!
VhJJDJ[a:
}cNI,-PJ0d
,E[nu6
.xK= *
gtn11XzpFC
@Z)4<[
fc7tC0'
C~*oI"DBlf6f}CPri
'0SG2G{
#K3b{*0|
FV#ZIk
Q2|xB^
XQ#MlA|&o<
jry.m/
O:]NT&D9";p
T2SEA1
,tCx}U,V
3*.9O:7[u
q2>3mA.
0i}_Dv
_&(qqu
hn*Mv+W
&_U}cy
1mDUip
psx_+dm`YU5?&D1
0O@_f@
Sl\6NAE:K
4^r1'JNht
wdpHjKD
p/O2=RI
}Rs=U.W(G2JZ
.W {(5C]
bT[ng9
1]4Jk~w
K[j|)@Qg
1(W!<!I~wDi(P)
qB#ika
`Q.S=x1Ry
"*8,B?'
(/!7[=pBL
wz =rT;
Q>Pf-V
.5FmpZ~Nk
7?0h\uI9(V
V_YZ-yq@M:s_
\x*I^w|,R$C
/pWKQ*b`T{&n|
X~M!.i5sQC!wX>
=rWM4JD'
"'Bom?
}`c#bIhgJ.+G8\17r
k?V*W}
CDtxlc
\yrt8?X{*&~fu
]e eEk
eF!1}+%(JVx!cKw
g3tUW-7
o*6*o,
+XvMa=Z
k,n7b4
i#pQyUuC!& O0k
.#@pO0&$_
xk2,cC
|uNRaZ
/4GI1M
C%yyBiX
)Npwnyi}~oJ(zW
J,<kdl;MUN
zrceuN
^/BizT
6_h[Sq
N_DhL~u%kZx]jRP#
LXKR&|?
7m{rgOf6c
*`~[L`L
9X,[<;PCdr
B~":)Q1c
T`J`+&Y!
3n@~5cZ8fw
Z(}1B,U
Tw #q
C;*'ts^
pB]U[f7^
1y@e% 45
Epe1XZl'U?
&].IF*1-
`qtN4tE
>(I>@}?H
Bypobx
7x@B%D
u:<o4h('tU!
"h#Soe
^-Owl<
J.-7=0
{@$ R$1XqZR
qM2}Xd
>yE)K)
ij?e9|9
d/e}Yw-\
Z&L7Ckg2sS-:
iz$$1D7e=7a
>%G7)
cm<l7k~E8o-
ryo8f-
7?{.ry@llv
A'zp;m1<+"6lj
9xMRCO}Vxti
mO o&C*z
U9%3Py2R)
Mdff<7
\,pYmX
vtiC'(d-
)%1#"lRn4lUm
h=n6%87
L1Kr(t
E~R^`W
fNx/giyd
vifLDy
hDQnA{cQur2t
j?LiyPba
cX}C:$
ecqoX,
"HXp,`{BD
rp"u4gARQoE
8WP/[Q
P+}/J#<
Dk:\YQI
#-/Ol|
-aCn1<
V/xBp?
:/47Er*GH
OH/+oT2\=
bMcZ8T
{Z4*eXS6eN6}L6
>K;Gd9\{
F3>zpbitgbO
Fi&#,H
~b|T O8 's_k'NL
ce P;(
A>>A<e]
\[u|au,o
7xaf/AHO
02t/\-$srF1
T9LJ5'
z7B'!Z
d$Xu#~
%^9xke6q
=IFa{~
wB`R?,F
>Y2%M}
R!6{KT 'l
"\8 SV]
Mp U+H
m!x$c.
q~?AW~c_
AkEs_~-V
]hh_W-
X9`(Nx*CS;0
&{hA;]
=MVXf)C
NR30*wUbw,
z:fJ<%
c~/`DOc
6T BO\o:r2
oD<QW')<w
bnEpC#
8u N4a,|
Y@>w^xc
a6nB%t
ADVAPI32.dll
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegCreateKeyA
RegOpenKeyA
RegCloseKey
iphlpapi.dll
GetAdaptersInfo
KERNEL32.dll
GetStringTypeA
LCMapStringW
WaitForSingleObject
CreateThread
HeapFree
DeleteFileA
ExitProcess
lstrcmpiA
lstrcatA
GetWindowsDirectoryA
HeapAlloc
GetProcessHeap
GetModuleFileNameA
CloseHandle
GetLastError
CreateMutexA
GetProcAddress
LoadLibraryA
HeapReAlloc
GetTickCount
FindClose
FindFirstFileA
TerminateProcess
CreateProcessA
CreateFileA
ReadFile
WriteFile
FlushFileBuffers
GetFileSize
LCMapStringA
GetStringTypeW
MultiByteToWideChar
GetOEMCP
GetACP
GetCPInfo
RtlUnwind
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadWritePtr
IsBadCodePtr
GetCurrentProcess
GetStdHandle
WideCharToMultiByte
WININET.dll
InternetOpenA
InternetSetOptionExA
InternetOpenUrlA
InternetCloseHandle
InternetReadFile
USER32.dll
wsprintfA
)txqj3o
~AXl_5m
lk;T@[J^
4mxo4B
z=N1wO=rokq:
?CuilnI^'
kT?GS9PaRA
T:'4w!
)t8qj3o
8?<L}tecaX1PYU
k_GXl_5m
)txqj1o
qb7:-x,
~AXl/5m
)txQj{o
)txuj3
<AXl_5m
)txqj3o
~AXl_5m
)txqj3o
~AXl_5m
)txqj3o
~AXl_5m
l!<HXqz=?o1y;
5^?GS"W
8kA!Xl
[BV\h'w
Q9A"gy
ngJ):4
Ou"UiM
Xo'uce
eFgF$Z
X<<HWp
9egra#+QA[
))@0wPNB
f]RVZt
pO8:^_u
R[a/S}Pt'n
KU2$BS
~:BG%y*
yV#ec~:RE)Y,
th.;'h
j@/9if
3#=4w+
Gf-tx'=rOK
M7.B_}hulG69v'K
z)@0wPNB
3WvyBe5
**0wNL
9B#QVH
0y6~b9ubax5x
dD_=*C0=
`GajL8{!l
?yn<U~ugK
~'^s42
9ON$kwy
NBEjAt,Ubt
asd>&!<rG#l
)txqj3o
~AXl_5m
)txqj3o
~AXl_5m
=)t"Pj
b7:/.xV
AYXl_5mkp[
!'.4wB
)txqj3o
44.Jlul
>:A;}57Yjl
qsf]U[hp
kQr)txqj3o
~AXl_5m
)txqj3o
~AXl_5m
)txqj3o
~AXl_5m
lk+H)txqj3o
~AXl_5m
)txqj3o
~AXl_5m
-b`UEt
qDVoe
X?(T M
T!vU]w+|xOQ
sb6; x-
AXl_5m
+vzsh0~
nQ\mY5i
)txqk2n
~AYm^4l
)typkc?MO6
@[o_5m
(uypk2o
~AXl_5m
'4`c/%
xD A_/\lS1kp
y>M3yU@'
)txqj3o
~AXl_5m
)txqj3o
~AXl_5m
)txqj3o
~AXl_5m
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Z5UN3LK9\min[1].exe
C:\b517fa3eb4dda72075a9524cbc7d79f4a630a0a2aa53affcedc03eba4aef6e14
C:\de34479e2c7050dc28445cdc8d3fadbe49b4204eed98f09ac78ab2dd722a20d4
C:\14213f4dfbeb9ff61d78866c2bb387b15e9a96981306544670b570acf98898f2
C:\Users\admin\Downloads\microsofthelp.exe
C:\8d69a437fb6af6969c51b1424f532b25bfba2f47051f492f01796b73b70e94a5
C:\21bedb8ff83dc490f7e7082c0d555fe7396e638301215270f99ab4506570a582
C:\Users\admin\Downloads\microsofthelp.exe
C:\0a37e467e16b8d0f7a1b7dc7a15e1fb4c4dacb862e11c3099e6691b17eebed0c
C:\Users\admin\Downloads\microsofthelp.exe
C:\4d7c4abb9c802de218463b76e43283a1af96ad0ffd90c0cec624f3deeef547e6
C:\Users\admin\Downloads\microsofthelp.exe
C:\b7cd5c9c3a0ba9cbd0065fc1c7d2288c527931fd79badb3635b3c8149dd9f8ba
C:\fc4b02ba8fab3468c7845645c13142e9bcee457ed256bf722346497680491da5
C:\Users\admin\Downloads\microsofthelp.exe
C:\ceb927000077fa1ad9c60e05cb9ae35d85c33b8e6561bfb71c234c96f2d76d36
C:\Users\RA491~1.VUL\AppData\Local\Temp\acb7049b9bf5be1991491685c7fddd1b.exe
C:\f5a771d90e889611cc5c80d5e3aaaa26d3e2b6e3acb0320b6d295099f2eb6f22
C:\534b1995cfb97c3762914bc9cbe9e473e270ee18814ba97916a169fba260d5f4
C:\f1e8dbd2c8be30c7c6f527c4a24cd04033f601eb361972397a60860cfac187c4
C:\Users\admin\Downloads\microsofthelp.exe
C:\00b01b5863df5f2e71a2610c0b29ebeab6fbbad2d68a735e9dd03c4d47b7bfb5
C:\WINDOWS\STUB.exe
C:\be0e1b0ede1a00c3eb0cdf94dcf0330b44cfa0122e60d25f6e3e08c26baa3524
C:\7cfb09cee5ef9e205b77036ef9065f0bb094bc7fbebe2f8912cda7cb6571abd0
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\e4302163cecfa904a5fb6ac24e94da75661edca53e56f991c1b14252da7a0bc4
C:\cf5b9911f0e08182233a42b8ba562d6a501bf23fa8ccf001e0a29e3040e0acd0
C:\Users\admin\Downloads\microsofthelp.exe
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\Users\admin\Downloads\1f298a853d0d6659_microsofthelp.exe
C:\6aee78035ea9217b928836f76b4271c9da6e1f8af1e7cf2ff01aeb4fe8bc7b1c
C:\e4d42a6d85bf116122cfb2bc39600439953be46011a053576cc7e43b797691fb
C:\dfbbc2e9a3bcd535eedf2c413acd441edb54c8767399fb1f59e2f82ff3a13341
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\92199ca0bbb421cb47d1f40be2cf7293b9c15a096c5d7de2bacb0582a76bc2ac
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\316303902397ceb000f507dd2a63ef38dd190d5e84a6addb77f6aa091437ce03
C:\Users\admin\Downloads\microsofthelp.exe
C:\Users\Virtual\AppData\Local\Temp\5ab459a7214bd7c0aebe6e11c0115ba41cfbe9de3860307f9e6316ac38bffce1.exe
C:\Users\admin\Downloads\microsofthelp.exe
C:\d8db60d766bc9ff3b24488dbebbca46d2eabd98d4aa1f42fb0915eabe83a25ef
C:\58a662267b80657596fc7ba160f606b6f34dbb8e788e027bf0a64cc4568682e7
C:\Users\admin\Downloads\microsofthelp.exe
C:\b0a7e221c931e6bfa69f0ee99eb00518fe0fafa6ff7645a64a8fdbdf89b46b35
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\Users\admin\Downloads\5aa2a5da9c426e75_microsofthelp.exe
C:\c183614bb261d3b1bf7a9ed3f41691fa935bbb49d57812d28a043b4d0e64caae
C:\f248b30193f195d34e24fc7236b9f385d3735424beeb7fe28ee373dc5b7fe3fa
C:\Users\admin\Downloads\microsofthelp.exe
C:\65330d2f057b5caa52969a0f573b423f87fc5b2f4762eaeb7edfa94ee92a96b8
C:\ddf1ee63c6a1e4a5342bc5f15ac5a1363cd122a1afd911a66fe4229e6c31aec5
C:\1cef61fbd79bbc1c1dacbea7569e4b905123e54276721fa0130514af68c3135a
C:\98aefff07d04293b361a5df69cfad6a421f84726780920e5b7fb3c1d12b661ba
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\Users\admin\Downloads\274e658c2c90a4c8_microsofthelp.exe
C:\259c46f2f2831be5d783cf06bb63fb4bf07372101b35a308c5e6714a3cd2c42c
C:\Users\admin\Downloads\microsofthelp.exe
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\53ec8c60b7031a8d38f75709f032bd63c86c92e463375976b64e17b12426cab7
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\a966e761360db20b49f55720e95dcc4525261df40eb8d4c690b45e8f83d74086
C:\ce78494f77d5346d747ca36ece4d5406a18246c4ba8b5b31003d3011fe892fe0
C:\905c23b8cbce87ed9aea9aecb817052c2f47ff7b6870036a67833ca06adc2867
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\4deeb817bfd6376bc691dd6f6936d377ad41f7ae8d52bda3858b958e95d84906
C:\Users\admin\Downloads\microsofthelp.exe
C:\612ce5445bce2b15ae4e03efd7233df68228cd896bcfbcbd29599c7ca1145452
C:\Users\admin\Downloads\microsofthelp.exe
C:\f0816bfb310801015e2927ef3fce37b3f6ca2d88ebb385f70d8df450bac6778b
C:\Users\admin\Downloads\microsofthelp.exe
C:\61d0266f5941cba3c719dc238aba184f764a84d2f21d44703fff903075af8bef
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\19a8b897b1a867aab9f245053acc7c4e6cedbae615d1f1cdaadcad5f4411a148
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\Users\admin\Downloads\cbaa4c5e690b7e7ad8b5a84d0c9941ff.virus.exe
C:\33bf53511feb2e714bcbfd2aea11e5db15d82ea23be29deb818e765efa92fb90
C:\0f0b828518208c16563c89f5dfe728ea28b2c03d42a5b9505fa21fdd65e0082f
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\Users\admin\Downloads\a7f092f1a8ced27a_microsofthelp.exe
C:\WINDOWS\STUB.exe
C:\3db72d0be2d1fedc3c2fc4dabc48e9a6469f0f13f568a733899b0395021b6b97
C:\264f65aa2c936be84cb99156f135adcfb772b3d8a4f96a14c9669b30dca6461d
C:\Users\admin\Downloads\microsofthelp.exe
C:\bf36c24d696bd3c501c6acbf9bd7a944efa9f41c39183b8251f4270ac09e19e0
C:\7f2b19d5a373badc95a895dd0f7b8d1c3af78e010a58ee28f40abcd37673fb51
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\WINDOWS\STUB.exe
C:\Users\admin\Downloads\783d10e588123e5e1c62c715ba81d877.virus.exe
C:\c449ee04c9c9cd278c3753416f64399c2cfc102c38642c4ce2e7bf8b41e9ba10
C:\WINDOWS\STUB.exe
C:\9b1be2dc9db9476012c8e25d9795babd5ec8eefd45a837d83d41ae865e260ebf
C:\d78ecd63928a687ddda292ed46c5358f5ca9e0f6e9dce2acff56cef7be3e2ec3
C:\68fd76a23571ca7ee128be050280218b46d32b51e9195476cc45cac275deda9d
C:\Users\admin\Downloads\microsofthelp.exe
C:\Users\Petra\AppData\Local\Temp\microsofthelp.pe32
C:\Users\admin\Downloads\1a73bb85334f11c8_microsofthelp.exe
C:\ac4fe8519bb9824627c18d0c990cd06fa58950a8ddbbd21550ee6efcc13a0939
C:\570c0511af31ef983732a34044f9fc39decb58287d775bf4866e99928d8195f0
C:\WINDOWS\STUB.exe
C:\ff560c12dadcfb226860f09368d3b7a0d8fcfd1f4799ec58e69b817a53cb4571
C:\b8fb0934a74273cbcb57e60d3b511b9957335316dffb0ab9b86669b085fbdf19
C:\Users\admin\Downloads\microsofthelp.exe
C:\315d9c5ac7851d4ec81cca3dda9d5dea00ed37f0f029aae61cb18da8e5eb12fd
C:\e5c02202cf5d2b01e66566a612170bf66916494feb61f51fbeece505514d996b
C:\3acb94f9d1acd747d096822f3f7c495cb602fbac410d43ac55fddc445845c9fc
C:\e671c319b2ee54801158dcc58694c3259c3577dc79dafa8e6e07ac9b017e6d32
C:\Users\admin\Downloads\microsofthelp.exe
C:\a33f4f4f880249871462f85542e7afaf5a91507cbc153b8517fdea3878346ab6
C:\b11cddf48e004c052264c40cd05c0e6deacf195d5c19d7f4573993b3cc885f67
C:\Users\admin\Downloads\microsofthelp.exe
C:\859e358a953c091174e49553859b720567b9dd5747bb306f3a4ed61cf1b24812
C:\d8c42b4c1c7c9660a3fa75056db465574d3d595546b9e54ea124e6b0d96f120a
C:\Users\admin\Downloads\microsofthelp.exe
C:\e3d07e876e4d65d97272957ab4e7f050eb8fe8fd7ce29980df91bbfda61e34ec
C:\2bf9ff51a98fc8ee8bc2e00a2514978b1bf1fddd3cc2ab114f1875d80537b297
C:\8f3c062ed20a9755405f072d57c8c896cafa82a32a834589b14947e46c47e0f5
C:\fa2ff39e68e96d34839e3642517caf514d90020b813b327f1f0cb5b167c836e1
C:\f0bea8b2bb4f7d679ad9502aa3e5338ce19f8e5fc6ba5741f58b94463312362a
C:\WINDOWS\STUB.exe
C:\fc0928be34573767fb55d276e0596bd6b5f02dc0c529c6d2928399b3b92ea55d
C:\2a6ebd4614e2fa133719210f49f12c899876f70461681ee9d2fcffc33d1009b6
C:\04ad088cc8f465c518a692fda596e33e43e2b74f16e621ddf38b7d7082152b77
C:\bf73dbca81d198a6b6499f751ea48f972cdbd8d0f4a8bc66de128fb619c6545e
j�j�j�j�j�j�j�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
Process Tree
-
0e830b7031b0956de75dad777e09375aa8d303b9b8713415304ff66aa32541ef.exe (1064)
"C:\Users\Administrator\AppData\Local\Temp\0e830b7031b0956de75dad777e09375aa8d303b9b8713415304ff66aa32541ef.exe"
- microsofthelp.exe (616) "C:\Windows\microsofthelp.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 7f550b32a53c95b2_microsofthelp.exe |
|---|---|
| Filepath | C:\Windows\microsofthelp.exe |
| Size | 76.0KB |
| Processes | 1064 (0e830b7031b0956de75dad777e09375aa8d303b9b8713415304ff66aa32541ef.exe) |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 988d33f929a7b2ca58d5b6352b5c8211 |
| SHA1 | fdbd57a3b91bf2ffcce277ccf63966a53a1683c6 |
| SHA256 | 7f550b32a53c95b28c6cf540611ffe23095f747197dd2bc37e65567c6649810d |
| CRC32 | EEA885A6 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 0e830b7031b0956d_0e830b7031b0956de75dad777e09375aa8d303b9b8713415304ff66aa32541ef.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\0e830b7031b0956de75dad777e09375aa8d303b9b8713415304ff66aa32541ef.exe |
| Size | 75.7KB |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | d40d0d9e2ef5677d5a786e9c2dbb7586 |
| SHA1 | e5169dc3773f7b35f98545e3ff6ca8294ec9fc09 |
| SHA256 | 0e830b7031b0956de75dad777e09375aa8d303b9b8713415304ff66aa32541ef |
| CRC32 | 54E43429 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.