10.1
0-day
05ef962c6688f10ed91aa93848d4932e3dbdbffd37b3e6ce87e3e43f8e6f0063
05ef962c6688f10ed91aa93848d4932e3dbdbffd37b3e6ce87e3e43f8e6f0063.exe
Analysis duration: 151s
Last analysis: 383 days ago
File size: 355.5KB
Static detection / Dynamic detection: CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN SPYWARE ULISE
Hawkeye engine
DACN 0.14
FACILE 1.00
IMCLNet 0.74
MFGraph 0.00
Static verdict
Antivirus engines
Engine Result Scan time Version
Alibaba None 20190527 0.3.0.5
Avast Win32:Shiz-JT [Trj] 20191003 18.4.3895.0
Baidu Win32.Trojan-Spy.Shiz.b 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Kingsoft None 20191003 2013.8.14.323
McAfee BackDoor-FDOB!D681B7A2D38A 20191003 6.0.6.653
Tencent None 20191003 1.0.0.1
Static indicators
Queries the computer name (17 events)
Time & API Arguments Status Return Repeated
1727545303.1725
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545402.0625
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545402.0785
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545402.359625
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545402.375625
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545402.889875
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545402.936875
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545406.90625
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545406.90625
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545406.98425
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545407.03125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545407.06225
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545407.09325
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545407.12525
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545417.53125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545406.468375
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545406.56225
GetComputerNameW
computer_name: TU-PC
success 1 0
Checks whether the process is being debugged (13 events)
Time & API Arguments Status Return Repeated
1727545302.359625
IsDebuggerPresent
failed 0 0
1727545302.9065
IsDebuggerPresent
failed 0 0
1727545303.6255
IsDebuggerPresent
failed 0 0
1727545303.6405
IsDebuggerPresent
failed 0 0
1727545303.8595
IsDebuggerPresent
failed 0 0
1727545304.6095
IsDebuggerPresent
failed 0 0
1727545304.6565
IsDebuggerPresent
failed 0 0
1727545304.7035
IsDebuggerPresent
failed 0 0
1727545304.8285
IsDebuggerPresent
failed 0 0
1727545304.8435
IsDebuggerPresent
failed 0 0
1727545304.8905
IsDebuggerPresent
failed 0 0
1727545305.4685
IsDebuggerPresent
failed 0 0
1727545305.6095
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Checks the amount of memory in the system, which can be used to detect virtual machines with little available memory (3 events)
Time & API Arguments Status Return Repeated
1727545402.343625
GlobalMemoryStatusEx
success 1 0
1727545406.85925
GlobalMemoryStatusEx
success 1 0
1727545406.625375
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (4 events)
Time & API Arguments Status Return Repeated
1727545402.3435
__exception__
exception.address: 0x7759fda5
exception.instruction: add byte ptr [ecx + 0x4245403], cl
exception.instruction_r: 00 89 03 54 24 04 64 ff 15 c0 00 00 00 83 c4 04
exception.symbol: NtQuerySystemInformation+0x5 NtOpenSection-0x13 ntdll+0x1fda5
exception.exception_code: 0xc0000005
registers.eax: 51
registers.ecx: 172
registers.edx: 48632448
registers.ebx: 44
registers.esp: 55309180
registers.ebp: 55309256
registers.esi: 55310560
registers.edi: 55309584
stacktrace:
0x38e7782
SetLocalTime+0x445 GetTimeZoneInformation-0xf8 kernelbase+0x9638 @ 0x76e89638
GetTimeZoneInformation+0xf GetDynamicTimeZoneInformation-0x9f kernelbase+0x973f @ 0x76e8973f
New_kernel32_GetTimeZoneInformation@4+0x65 New_kernel32_GetVolumeNameForVolumeMountPointW@12-0x59 @ 0x63bd8089
computerzservice+0x346a3 @ 0x4046a3
computerzservice+0x1ec9b @ 0x3eec9b
computerzservice+0x4eff @ 0x3d4eff
computerzservice+0xa6a36 @ 0x476a36
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545402.4685
__exception__
exception.address: 0x7759fda5
exception.instruction: add byte ptr [ecx + 0x4245403], cl
exception.instruction_r: 00 89 03 54 24 04 64 ff 15 c0 00 00 00 83 c4 04
exception.symbol: NtQuerySystemInformation+0x5 NtOpenSection-0x13 ntdll+0x1fda5
exception.exception_code: 0xc0000005
registers.eax: 51
registers.ecx: 0
registers.edx: 48632448
registers.ebx: 8
registers.esp: 49738724
registers.ebp: 49738800
registers.esi: 72380164
registers.edi: 0
stacktrace:
0x38e7782
ReleaseHdwInfo+0x10f72a computerz_hardwaredll+0x1ad98a @ 0x741dd98a
ReleaseHdwInfo+0x10f668 computerz_hardwaredll+0x1ad8c8 @ 0x741dd8c8
ReleaseHdwInfo+0x104336 computerz_hardwaredll+0x1a2596 @ 0x741d2596
ReleaseHdwInfo+0x2ef8a6 computerz_hardwaredll+0x38db06 @ 0x743bdb06
ReleaseHdwInfo+0x2ee611 computerz_hardwaredll+0x38c871 @ 0x743bc871
DirectXVersionProcess+0x4f2c NvidiaMonitorSizeOfProcess-0x3e4 computerz_hardwaredll+0x8539c @ 0x740b539c
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x767462fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76746d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x767477c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7674788a
ReleaseHdwInfo+0x2ed3f0 computerz_hardwaredll+0x38b650 @ 0x743bb650
ReleaseHdwInfo+0x2eea03 computerz_hardwaredll+0x38cc63 @ 0x743bcc63
ReleaseHdwInfo+0x32b3bb computerz_hardwaredll+0x3c961b @ 0x743f961b
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545403.328625
__exception__
exception.address: 0x7759fda5
exception.instruction: add byte ptr [edx + 0x4245403], cl
exception.instruction_r: 00 8a 03 54 24 04 64 ff 15 c0 00 00 00 83 c4 04
exception.symbol: NtQuerySystemInformation+0x5 NtOpenSection-0x13 ntdll+0x1fda5
exception.exception_code: 0xc0000005
registers.eax: 51
registers.ecx: 192
registers.edx: 50204864
registers.ebx: 8
registers.esp: 53556548
registers.ebp: 53556624
registers.esi: 21
registers.edi: 53557080
stacktrace:
0x3327782
360tptmon+0x20aed @ 0xfc0aed
360tptmon+0x20d1b @ 0xfc0d1b
360tptmon+0x2163f @ 0xfc163f
_itow_s+0x4c _endthreadex-0x35 msvcrt+0x11287 @ 0x76ff1287
_endthreadex+0x6c _beginthreadex-0x6 msvcrt+0x11328 @ 0x76ff1328
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545403.343625
__exception__
exception.address: 0x7759fda5
exception.instruction: add byte ptr [edx + 0x4245403], cl
exception.instruction_r: 00 8a 03 54 24 04 64 ff 15 c0 00 00 00 83 c4 04
exception.symbol: NtQuerySystemInformation+0x5 NtOpenSection-0x13 ntdll+0x1fda5
exception.exception_code: 0xc0000005
registers.eax: 51
registers.ecx: 44
registers.edx: 50204864
registers.ebx: 0
registers.esp: 53547996
registers.ebp: 53548072
registers.esi: 2002386336
registers.edi: 53548396
stacktrace:
0x3327782
GetSystemInfo+0x1b SetPriorityClass-0x1b9 kernelbase+0xe6cd @ 0x76e8e6cd
New_kernel32_GetSystemInfo@4+0x62 New_kernel32_GetSystemTime@4-0x6c @ 0x63bd7b68
MiniDumpWriteDump+0x4dc2 dbghelp+0x4aafa @ 0x70a9aafa
StackWalk+0x309c MiniDumpReadDumpStream-0x474 dbghelp+0x4457b @ 0x70a9457b
MiniDumpReadDumpStream+0x113f MiniDumpWriteDump-0x20a dbghelp+0x45b2e @ 0x70a95b2e
MiniDumpWriteDump+0xf2 dbghelp+0x45e2a @ 0x70a95e2a
?RaiseException@@YAXXZ-0x2d6 crashreport+0x29aa @ 0x734e29aa

success 0 0
Behavioral verdict
Dynamic indicators
Extracted one or more potentially interesting buffers; such buffers usually contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually for self-unpacking) (50 out of 246 events)
Time & API Arguments Status Return Repeated
1727545303.0785
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x02480000
region_size: 745472
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2416
success 0 0
1727545401.9685
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x038e0000
region_size: 405504
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x035b0000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x035b0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76789000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x035b0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03600000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03600000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03600000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x035b0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76789000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03610000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03610000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03610000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03660000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03660000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03660000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03670000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03670000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03670000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03660000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x036c0000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036c0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036c0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x036d0000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036d0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036d0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x036e0000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036e0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036e0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036d0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x036f0000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036f0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036f0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03700000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03700000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03700000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03810000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03810000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03810000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03700000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545402.0785
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03820000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
Creates an executable file on the file system (1 event)
file C:\Windows\AppPatch\svchost.exe
Creates a suspicious process (1 event)
cmdline C:\Windows\AppPatch\svchost.exe
Drops a binary and executes it (1 event)
file C:\Windows\AppPatch\svchost.exe
Drops an executable into the user's AppData folder (1 event)
file C:\Users\Administrator\AppData\Local\Temp\F869.tmp
Executes one or more WMI queries (11 events)
wmi
wmi SELECT * FROM Win32_ComputerSystem
wmi Select * from WmiMonitorConnectionParams
wmi ASSOCIATORS OF {Win32_USBController.DeviceID="PCI\\VEN_106B&DEV_003F&SUBSYS_00000000&REV_00\\3&267A616A&0&30"} WHERE AssocClass = Win32_USBControllerDevice
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1"} WHERE AssocClass = Win32_IDEControllerDevice
wmi SELECT * FROM Win32_DiskDrive
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCI\\VEN_8086&DEV_2829&SUBSYS_00000000&REV_02\\3&267A616A&0&68"} WHERE AssocClass = Win32_IDEControllerDevice
wmi select Name, DeviceID from Win32_USBController
wmi select Name, DeviceID from Win32_IDEController
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0"} WHERE AssocClass = Win32_IDEControllerDevice
wmi select Name, DeviceID from Win32_SCSIController
A process created a hidden window (6 events)
Time & API Arguments Status Return Repeated
1727545402.4685
ShellExecuteExW
filepath: C:\Program Files (x86)\DumpUper.exe
filepath_r: C:\Program Files (x86)\DumpUper.exe
parameters: --pep=55307400 --pid=348 --tid=1904 --src=lds --ver=5.1024.1727.514 --rep=0
show_type: 0
failed 0 0
1727545406.15625
CreateProcessInternalW
command_line: "C:\Program Files (x86)\360\360DrvMgr\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="DirectXVersionProcess" --wnd=131386
inherit_handles: 0
current_directory:
filepath:
filepath_r:
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_identifier: 2112
thread_identifier: 920
process_handle: 0x000003e4
thread_handle: 0x000003e0
track: 1
success 1 0
1727545406.20325
CreateProcessInternalW
command_line: "C:\Program Files (x86)\360\360DrvMgr\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="OpenCLTestProcess" --wnd=131386
inherit_handles: 0
current_directory:
filepath:
filepath_r:
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_identifier: 3008
thread_identifier: 1852
process_handle: 0x000003e4
thread_handle: 0x000003e0
track: 1
success 1 0
1727545406.26525
CreateProcessInternalW
command_line: "C:\Program Files (x86)\360\360DrvMgr\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="NvidiaMonitorSizeOfProcess" --wnd=131386
inherit_handles: 0
current_directory:
filepath:
filepath_r:
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_identifier: 1756
thread_identifier: 1504
process_handle: 0x000003e4
thread_handle: 0x000003e0
track: 1
success 1 0
1727545406.31225
CreateProcessInternalW
command_line: "C:\Program Files (x86)\360\360DrvMgr\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="WMITestProcess" --wnd=131386
inherit_handles: 0
current_directory:
filepath:
filepath_r:
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_identifier: 1040
thread_identifier: 2268
process_handle: 0x000003e4
thread_handle: 0x000003e0
track: 1
success 1 0
1727545406.37525
CreateProcessInternalW
command_line: "C:\Program Files (x86)\360\360DrvMgr\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="UsbDeviceProcess" --wnd=131386
inherit_handles: 0
current_directory:
filepath:
filepath_r:
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_identifier: 1084
thread_identifier: 2324
process_handle: 0x000003e4
thread_handle: 0x000003e0
track: 1
success 1 0
Searches running processes, possibly to identify targets for sandbox evasion, code injection or memory dumping (2 events)
Repeatedly searches for a process that is not found; you may want to run a web browser during analysis (50 out of 51 events)
Time & API Arguments Status Return Repeated
1727545302.359625
Process32NextW
snapshot_handle: 0x000000a4
process_name: 05ef962c6688f10ed91aa93848d4932e3dbdbffd37b3e6ce87e3e43f8e6f0063.exe
process_identifier: 2996
failed 0 0
1727545302.359625
Process32NextW
snapshot_handle: 0x000000a4
process_name: 05ef962c6688f10ed91aa93848d4932e3dbdbffd37b3e6ce87e3e43f8e6f0063.exe
process_identifier: 2996
failed 0 0
1727545302.375625
Process32NextW
snapshot_handle: 0x000000a4
process_name: 05ef962c6688f10ed91aa93848d4932e3dbdbffd37b3e6ce87e3e43f8e6f0063.exe
process_identifier: 2996
failed 0 0
1727545302.375625
Process32NextW
snapshot_handle: 0x000000a4
process_name: 05ef962c6688f10ed91aa93848d4932e3dbdbffd37b3e6ce87e3e43f8e6f0063.exe
process_identifier: 2996
failed 0 0
1727545302.9065
Process32NextW
snapshot_handle: 0x000000a4
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545302.9065
Process32NextW
snapshot_handle: 0x000000a4
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545302.9225
Process32NextW
snapshot_handle: 0x000000a4
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545302.9225
Process32NextW
snapshot_handle: 0x000000a4
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545303.6565
Process32NextW
snapshot_handle: 0x00000838
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545303.6565
Process32NextW
snapshot_handle: 0x00000838
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545303.6725
Process32NextW
snapshot_handle: 0x00000838
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545303.6875
Process32NextW
snapshot_handle: 0x0000083c
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545303.7035
Process32NextW
snapshot_handle: 0x00000838
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545303.7035
Process32NextW
snapshot_handle: 0x0000083c
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545303.7185
Process32NextW
snapshot_handle: 0x00000838
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545303.8595
Process32NextW
snapshot_handle: 0x00000904
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545303.8755
Process32NextW
snapshot_handle: 0x00000904
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545303.8755
Process32NextW
snapshot_handle: 0x00000904
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545303.8905
Process32NextW
snapshot_handle: 0x00000904
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.6255
Process32NextW
snapshot_handle: 0x000002c8
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.6255
Process32NextW
snapshot_handle: 0x000002c8
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.6405
Process32NextW
snapshot_handle: 0x000002c8
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.6405
Process32NextW
snapshot_handle: 0x000002c8
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.6565
Process32NextW
snapshot_handle: 0x00000934
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.6725
Process32NextW
snapshot_handle: 0x00000934
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.6725
Process32NextW
snapshot_handle: 0x00000934
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.6725
Process32NextW
snapshot_handle: 0x00000934
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.7035
Process32NextW
snapshot_handle: 0x00000370
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.7185
Process32NextW
snapshot_handle: 0x00000370
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.7345
Process32NextW
snapshot_handle: 0x00000370
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.7345
Process32NextW
snapshot_handle: 0x00000674
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.8285
Process32NextW
snapshot_handle: 0x000007ec
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.8435
Process32NextW
snapshot_handle: 0x00000628
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.8595
Process32NextW
snapshot_handle: 0x000007ec
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.8595
Process32NextW
snapshot_handle: 0x00000628
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.8755
Process32NextW
snapshot_handle: 0x000007ec
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.8905
Process32NextW
snapshot_handle: 0x000007ec
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.8905
Process32NextW
snapshot_handle: 0x00000628
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.9065
Process32NextW
snapshot_handle: 0x00000740
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.9065
Process32NextW
snapshot_handle: 0x00000740
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.9225
Process32NextW
snapshot_handle: 0x00000740
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.9225
Process32NextW
snapshot_handle: 0x00000628
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545304.9375
Process32NextW
snapshot_handle: 0x00000740
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545305.4685
Process32NextW
snapshot_handle: 0x000002e8
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545305.4845
Process32NextW
snapshot_handle: 0x000002e8
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545305.4845
Process32NextW
snapshot_handle: 0x000002e8
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545305.4845
Process32NextW
snapshot_handle: 0x000002e8
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545305.6255
Process32NextW
snapshot_handle: 0x0000035c
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545305.6255
Process32NextW
snapshot_handle: 0x0000035c
process_name: svchost.exe
process_identifier: 2416
failed 0 0
1727545305.6405
Process32NextW
snapshot_handle: 0x00000580
process_name: svchost.exe
process_identifier: 2416
failed 0 0
Creates a process named after a common system process (1 event)
Time & API Arguments Status Return Repeated
1727545302.718625
CreateProcessInternalW
command_line:
inherit_handles: 0
current_directory:
filepath: C:\Windows\AppPatch\svchost.exe
filepath_r: C:\Windows\apppatch\svchost.exe
creation_flags: 0 ()
process_identifier: 2416
thread_identifier: 2504
process_handle: 0x000000e8
thread_handle: 0x000000f4
track: 1
success 1 0
Executes one or more WMI queries to identify virtual machines (8 events)
wmi SELECT * FROM Win32_ComputerSystem
wmi ASSOCIATORS OF {Win32_USBController.DeviceID="PCI\\VEN_106B&DEV_003F&SUBSYS_00000000&REV_00\\3&267A616A&0&30"} WHERE AssocClass = Win32_USBControllerDevice
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1"} WHERE AssocClass = Win32_IDEControllerDevice
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCI\\VEN_8086&DEV_2829&SUBSYS_00000000&REV_02\\3&267A616A&0&68"} WHERE AssocClass = Win32_IDEControllerDevice
wmi select Name, DeviceID from Win32_USBController
wmi select Name, DeviceID from Win32_IDEController
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0"} WHERE AssocClass = Win32_IDEControllerDevice
wmi select Name, DeviceID from Win32_SCSIController
Network communication
One or more buffers contain an embedded PE file (1 event)
buffer Buffer with sha1: 501b45da2f14fb66a5098cfaa2e35fcd0070956c
Communicates with hosts for which no DNS query was performed (2 events)
host 114.114.114.114
host 8.8.8.8
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Windows\apppat… (remainder of the path is mis-encoded in the report)
Allocates execute permission in another process, possibly indicating code injection (4 events)
Time & API Arguments Status Return Repeated
1727545303.0155
NtAllocateVirtualMemory
process_handle: 0x000000e8
base_address: 0x022d0000
region_size: 688128
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2416
success 0 0
1727545401.6725
NtAllocateVirtualMemory
process_handle: 0x00000314
base_address: 0x02de0000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545401.9845
NtAllocateVirtualMemory
process_handle: 0x00000314
base_address: 0x02d90000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1736
success 0 0
1727545402.2655
NtAllocateVirtualMemory
process_handle: 0x00000314
base_address: 0x03a30000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1684
success 0 0
Attempts to identify installed AV products by installation directory (1 event)
file C:\Program Files (x86)\AVG\AVG9\dfncfg.dat
Checks for the presence of known debugger and forensic tool windows (13 events)
Time & API Arguments Status Return Repeated
1727545302.359625
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545302.9065
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545303.6405
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545303.6405
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545303.8595
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545304.6095
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545304.6565
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545304.7035
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545304.8285
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545304.8435
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545304.8905
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545305.4685
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545305.6095
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
Checks Windows idle time to determine uptime (6 events)
Time & API Arguments Status Return Repeated
1727545402.328625
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
1727545417.51525
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
failed 3221225476 0
1727545419.64025
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
failed 3221225476 0
1727545419.64025
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
1727545420.64025
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
failed 3221225476 0
1727545420.64025
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
Checks the BIOS version, possibly for anti-virtualization (1 event)
The full path is HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion; both the key and the value name appear in the sample's static strings below. A VM-specific BIOS vendor string is what such a check looks for.
registry HKEY_LOCAL_MACHINE\SystemBiosVersion
Created a service, but the service was not started (1 event)
The service path is the driver of the 360DrvMgr component installed in the sandbox image, and the call failed (service_handle 0x00000000). The report does not name the calling process, so this event should not be attributed to the sample without checking the process tree.
Time & API Arguments Status Return Repeated
1727545406.39025
CreateServiceW
service_manager_handle: 0x006cfe98
service_name: ComputerZ_x64
display_name: ComputerZ_x64
desired_access: 983551
service_type: 1
start_type: 3
error_control: 1
service_start_name:
password:
service_handle: 0x00000000
filepath: C:\Program Files (x86)\360\360DrvMgr\ComputerZ_x64.sys
filepath_r: C:\Program Files (x86)\360\360DrvMgr\ComputerZ_x64.sys
failed 0 0
Disables the proxy, possibly for traffic interception (1 event)
Setting ProxyEnable to 0 under HKCU\...\Internet Settings turns off the current user's WinINet proxy configuration, so later WinINet traffic goes direct instead of through a configured proxy. It is a per-user change that needs no elevation.
Time & API Arguments Status Return Repeated
1727545303.4375
RegSetValueExA
key_handle: 0x00000284
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
value: 0
success 0 0
Queries disk information, possibly for anti-virtualization (50 of 52 events)
control_code 2954240 is 0x2D1400, IOCTL_STORAGE_QUERY_PROPERTY; its output buffer is a STORAGE_DEVICE_DESCRIPTOR, and the VBOX HARDDISK vendor/product strings in it identify a VirtualBox guest. control_code 315400 is 0x4D008, IOCTL_SCSI_MINIPORT, sent with CSMI, LSILOGIC and SCSIDISK signatures in the SRB_IO_CONTROL header; every one of those calls failed. desired_access 0xc0100080 is GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE and 0x80100080 includes GENERIC_READ (the sandbox's decoding omits GENERIC_READ, 0x80000000). The one NtCreateFile that failed returned 3221225539 (0xC0000043, STATUS_SHARING_VIOLATION) because it asked for FILE_SHARE_READ only while other handles to PhysicalDrive0 were open. The report does not attribute these events to a process; the batch beginning at 1727545407 starts about a second after the ComputerZ_x64 service creation above, so hardware-inventory software in the image may account for part of it.
Time & API Arguments Status Return Repeated
1727545403.53125
NtCreateFile
file_handle: 0x00000138
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545403.53125
DeviceIoControl
input_buffer:
device_handle: 0x00000138
control_code: 2954240 ()
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42563261663031366337632d3936333532342063
success 1 0
1727545403.53125
NtCreateFile
file_handle: 0x00000138
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 128 (FILE_ATTRIBUTE_NORMAL)
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545403.71825
NtCreateFile
file_handle: 0x00000230
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545403.71825
DeviceIoControl
input_buffer:
device_handle: 0x00000230
control_code: 2954240 ()
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42563261663031366337632d3936333532342063
success 1 0
1727545403.71825
NtCreateFile
file_handle: 0x00000230
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 128 (FILE_ATTRIBUTE_NORMAL)
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545407.39025
NtCreateFile
file_handle: 0x000004dc
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545407.39025
DeviceIoControl
input_buffer:
device_handle: 0x000004dc
control_code: 458752 (IOCTL_DISK_GET_DRIVE_GEOMETRY)
output_buffer: Q ÿ?
success 1 0
1727545407.39025
NtCreateFile
file_handle: 0x00000000
desired_access: 0x80100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 1 (FILE_SHARE_READ)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 4294967295 ()
failed 3221225539 0
1727545407.42225
NtCreateFile
file_handle: 0x00000510
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545407.42225
DeviceIoControl
input_buffer: CSMIALL<®
device_handle: 0x00000510
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.42225
DeviceIoControl
input_buffer: CSMIARY< d
device_handle: 0x00000510
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.42225
DeviceIoControl
input_buffer: CSMISAS<
device_handle: 0x00000510
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.42225
DeviceIoControl
input_buffer: CSMIALL<®
device_handle: 0x000004dc
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.42225
DeviceIoControl
input_buffer: CSMIARY< d
device_handle: 0x000004dc
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.42225
DeviceIoControl
input_buffer: CSMISAS<
device_handle: 0x000004dc
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.43725
NtCreateFile
file_handle: 0x000004f4
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545407.43725
DeviceIoControl
input_buffer: LSILOGIC¼
device_handle: 0x000004f4
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.43725
DeviceIoControl
input_buffer: LSILOGIC¼
device_handle: 0x000004f4
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.48425
NtCreateFile
file_handle: 0x00000608
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545407.50025
NtCreateFile
file_handle: 0x0000064c
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545407.50025
NtCreateFile
file_handle: 0x00000650
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545407.51525
NtCreateFile
file_handle: 0x0000064c
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545407.56225
NtCreateFile
file_handle: 0x00000624
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545407.56225
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000624
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.56225
NtCreateFile
file_handle: 0x00000624
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545407.56225
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000624
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
NtCreateFile
file_handle: 0x00000624
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000624
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
NtCreateFile
file_handle: 0x000004cc
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000004cc
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
NtCreateFile
file_handle: 0x000004cc
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000004cc
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
NtCreateFile
file_handle: 0x000004c4
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000004c4
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
NtCreateFile
file_handle: 0x000004c4
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000004c4
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
NtCreateFile
file_handle: 0x000004c4
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000004c4
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000658
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000654
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000654
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000620
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000620
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.57825
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000620
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.59325
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000620
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.59325
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000620
control_code: 315400 ()
output_buffer:
failed 0 0
1727545407.70325
NtCreateFile
file_handle: 0x00000700
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 1 (FILE_SHARE_READ)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545407.70325
DeviceIoControl
input_buffer:
device_handle: 0x00000700
control_code: 2954240 ()
output_buffer:
success 1 0
1727545407.70325
DeviceIoControl
input_buffer:
device_handle: 0x00000700
control_code: 2954240 ()
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42563261663031366337632d3936333532342063
success 1 0
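The raw numbers in these entries are easier to read once decoded. The following is an added example, not part of the sandbox report or of the sample, that decodes the CTL_CODE layout of the control_code values and the unsigned-decimal NTSTATUS returns seen here and in the NtQuerySystemInformation entries, and parses a STORAGE_DEVICE_DESCRIPTOR of the kind IOCTL_STORAGE_QUERY_PROPERTY returns so the VBOX vendor string can be checked. The descriptor bytes are constructed inline from the structure layout; the serial number in them is made up.

```python
import struct

# CTL_CODE(DeviceType, Function, Method, Access) layout from winioctl.h
DEVICE_TYPES = {0x04: "FILE_DEVICE_CONTROLLER", 0x07: "FILE_DEVICE_DISK",
                0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]


def ctl_code(device_type, function, method, access):
    return (device_type << 16) | (access << 14) | (function << 2) | method


# The three codes that occur in the trace, built from their SDK definitions
KNOWN_IOCTLS = {
    ctl_code(0x2D, 0x500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",   # 0x2D1400
    ctl_code(0x04, 0x402, 0, 3): "IOCTL_SCSI_MINIPORT",            # 0x4D008
    ctl_code(0x07, 0x000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",  # 0x70000
}


def decode_ioctl(code):
    """Split a control code into its CTL_CODE fields and name it if known."""
    device_type = (code >> 16) & 0xFFFF
    return {
        "name": KNOWN_IOCTLS.get(code, "unknown"),
        "device_type": DEVICE_TYPES.get(device_type, hex(device_type)),
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "access": ACCESS[(code >> 14) & 0x3],
    }


NTSTATUS_NAMES = {
    0xC0000004: "STATUS_INFO_LENGTH_MISMATCH",  # size probe, expected on a first call
    0xC0000023: "STATUS_BUFFER_TOO_SMALL",      # same pattern for firmware tables
    0xC0000043: "STATUS_SHARING_VIOLATION",     # PhysicalDrive0 already open elsewhere
}
SEVERITIES = ["success", "informational", "warning", "error"]


def decode_ntstatus(value):
    """The sandbox prints NTSTATUS as an unsigned decimal; map it back."""
    value &= 0xFFFFFFFF
    return {"hex": f"0x{value:08X}", "severity": SEVERITIES[value >> 30],
            "name": NTSTATUS_NAMES.get(value, "unknown")}


# STORAGE_DEVICE_DESCRIPTOR header: Version, Size, DeviceType, DeviceTypeModifier,
# RemovableMedia, CommandQueueing, VendorIdOffset, ProductIdOffset,
# ProductRevisionOffset, SerialNumberOffset, BusType, RawPropertiesLength
DESCRIPTOR_FMT = "<IIBBBBIIIIII"
DESCRIPTOR_SIZE = 40  # sizeof(STORAGE_DEVICE_DESCRIPTOR); string offsets are from byte 0


def build_descriptor(vendor, product, revision, serial, bus_type=3):
    """Construct a descriptor laid out the way a storage driver returns it (test data)."""
    blob, offsets = b"", []
    for text in (vendor, product, revision, serial):
        offsets.append(DESCRIPTOR_SIZE + len(blob))
        blob += text.encode("ascii") + b"\0"
    header = struct.pack(DESCRIPTOR_FMT, DESCRIPTOR_SIZE, DESCRIPTOR_SIZE + len(blob),
                         0, 0, 0, 0, *offsets, bus_type, 0)
    return header.ljust(DESCRIPTOR_SIZE, b"\0") + blob


def parse_descriptor(buf):
    fields = struct.unpack_from(DESCRIPTOR_FMT, buf, 0)
    vendor_off, product_off, rev_off, serial_off = fields[6:10]

    def cstring(off):
        # Offset 0 means "no such string"; anything past the buffer is malformed
        if off == 0 or off >= len(buf):
            return ""
        end = buf.find(b"\0", off)
        return buf[off:end if end >= 0 else len(buf)].decode("ascii", "replace").strip()

    return {"vendor": cstring(vendor_off), "product": cstring(product_off),
            "revision": cstring(rev_off), "serial": cstring(serial_off),
            "bus_type": fields[10]}


def looks_like_virtualbox(buf):
    """VirtualBox's emulated disk reports VBOX in the vendor/product strings."""
    d = parse_descriptor(buf)
    return "VBOX" in (d["vendor"] + " " + d["product"]).upper()


# Constructed sample: vendor/product/revision as shown in the trace, serial made up
SAMPLE_DESCRIPTOR = build_descriptor("VBOX", "HARDDISK", "1.0", "VB00000000-00000000")

if __name__ == "__main__":
    for code in (2954240, 315400, 458752):
        print(code, decode_ioctl(code))
    for status in (3221225476, 3221225507, 3221225539):
        print(status, decode_ntstatus(status))
    print(parse_descriptor(SAMPLE_DESCRIPTOR), looks_like_virtualbox(SAMPLE_DESCRIPTOR))
```

Other hypervisors' disks carry their own vendor strings (the trace only shows the VirtualBox case), and a sandbox that wants to survive this check has to patch the descriptor the storage stack returns, not just the registry.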
Creates a thread in a non-child process using CreateRemoteThread, a sign of process injection (6 events)
Process injection: process 2416 created a remote thread in non-child process 348
Process injection: process 2416 created a remote thread in non-child process 1736
Process injection: process 2416 created a remote thread in non-child process 1684
In each case the return value 2556 is the new thread handle, and function_address is exactly base+0x1360 of the PAGE_EXECUTE_READWRITE region allocated in that target (0x02de0000, 0x02d90000 and 0x03a30000 in the memory entries below), i.e. the thread starts inside the injected image at RVA 0x1360.
Time & API Arguments Status Return Repeated
1727545401.9685
CreateRemoteThread
process_handle: 0x00000314
stack_size: 0
function_address: 0x02de1360
parameter: 0x00000000
flags: 0
thread_identifier: 0
process_identifier: 348
success 2556 0
1727545402.2505
CreateRemoteThread
process_handle: 0x00000314
stack_size: 0
function_address: 0x02d91360
parameter: 0x00000000
flags: 0
thread_identifier: 0
process_identifier: 1736
success 2556 0
1727545402.6405
CreateRemoteThread
process_handle: 0x00000314
stack_size: 0
function_address: 0x03a31360
parameter: 0x00000000
flags: 0
thread_identifier: 0
process_identifier: 1684
success 2556 0
Manipulates the memory of a non-child process, a sign of process injection (8 events)
Process injection: process 2416 manipulated the memory of non-child process 2416
Process injection: process 2416 manipulated the memory of non-child process 348
Process injection: process 2416 manipulated the memory of non-child process 1736
Process injection: process 2416 manipulated the memory of non-child process 1684
Process 2416 is the sample itself: the first entry is a 688128-byte PAGE_EXECUTE_READWRITE allocation in its own address space (the unpacking stage). Each of the three other targets then receives a 348160-byte (0x55000) RWX region. The handle value 0x00000314 is reused for all three targets, so it cannot tell them apart; correlate on process_identifier instead.
Time & API Arguments Status Return Repeated
1727545303.0155
NtAllocateVirtualMemory
process_handle: 0x000000e8
base_address: 0x022d0000
region_size: 688128
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2416
success 0 0
1727545401.6725
NtAllocateVirtualMemory
process_handle: 0x00000314
base_address: 0x02de0000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545401.9845
NtAllocateVirtualMemory
process_handle: 0x00000314
base_address: 0x02d90000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1736
success 0 0
1727545402.2655
NtAllocateVirtualMemory
process_handle: 0x00000314
base_address: 0x03a30000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1684
success 0 0
Potential code injection by writing to the memory of another process (16 events)
Process injection: process 2416 injected into non-child process 2416
Process injection: process 2416 injected into non-child process 348
Process injection: process 2416 injected into non-child process 1736
Process injection: process 2416 injected into non-child process 1684
The three writes per target follow one layout: a PE image header (DOS stub, Rich header, .text/.data/.reloc section table) at the region base, the code section at base+0x1000, and a short chunk at base+0x54000 that matches the image's .reloc data, consistent with a manually mapped image of 0x55000 bytes rather than raw shellcode. The code chunk opens with the bytes 64 A1 30 00 00 00 (mov eax, fs:[30h], rendered as "d¡0" once non-printable bytes are dropped), a PEB read typical of injected loader code that resolves module bases and imports on its own. The sandbox's rendering keeps only printable bytes, which is why the section RVAs are not readable from the dump.
Time & API Arguments Status Return Repeated
1727545303.0155
WriteProcessMemory
process_handle: 0x000000e8
base_address: 0x022d0000
process_identifier: 2416
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P*@@.text `.data  @À.reloc`@(@B
success 1 0
1727545303.0155
WriteProcessMemory
process_handle: 0x000000e8
base_address: 0x022d1000
process_identifier: 2416
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
success 1 0
1727545303.0475
WriteProcessMemory
process_handle: 0x000000e8
base_address: 0x02324000
process_identifier: 2416
buffer: ×1œ2ñ253s3ö3”5
success 1 0
1727545401.6725
WriteProcessMemory
process_handle: 0x00000314
base_address: 0x02de0000
process_identifier: 348
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
success 1 0
1727545401.6725
WriteProcessMemory
process_handle: 0x00000314
base_address: 0x02de1000
process_identifier: 348
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
success 1 0
1727545401.6875
WriteProcessMemory
process_handle: 0x00000314
base_address: 0x02e34000
process_identifier: 348
buffer: ×1œ2ñ253s3ö3”5
success 1 0
1727545401.9845
WriteProcessMemory
process_handle: 0x00000314
base_address: 0x02d90000
process_identifier: 1736
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
success 1 0
1727545401.9845
WriteProcessMemory
process_handle: 0x00000314
base_address: 0x02d91000
process_identifier: 1736
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
success 1 0
1727545402.0005
WriteProcessMemory
process_handle: 0x00000314
base_address: 0x02de4000
process_identifier: 1736
buffer: ×1œ2ñ253s3ö3”5
success 1 0
1727545402.2655
WriteProcessMemory
process_handle: 0x00000314
base_address: 0x03a30000
process_identifier: 1684
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
success 1 0
1727545402.2655
WriteProcessMemory
process_handle: 0x00000314
base_address: 0x03a31000
process_identifier: 1684
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
success 1 0
1727545402.2815
WriteProcessMemory
process_handle: 0x00000314
base_address: 0x03a84000
process_identifier: 1684
buffer: ×1œ2ñ253s3ö3”5
success 1 0
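The three sections above record the same sequence for every target: an RWX allocation, three writes, and a remote thread. The following is an added example, not from the report or the sample, that correlates such events per target process and reports whether the written bytes form a PE image, which chunks were written, and where the thread starts relative to the region. The events are constructed to mirror the report's PIDs, addresses and sizes; buffer contents beyond the first bytes and the chunk lengths are filled in, since the report truncates them.

```python
"""Correlate sandbox API events into process-injection findings.

For each RWX region a source process allocates, gather the WriteProcessMemory
calls that land inside it and any CreateRemoteThread whose start address falls
inside it, then report whether the bytes look like a PE image and the RVA of
the thread start relative to the region base."""

PAGE_EXECUTE_READWRITE = 0x40
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def is_pe_image(buf):
    # Sandbox dumps often keep only printable bytes, so also accept the DOS
    # stub text as evidence when the "MZ" magic has been dropped.
    return buf.startswith(b"MZ") or DOS_STUB_TEXT in buf


def analyze(events):
    """Return one finding per RWX region that received at least one write."""
    findings = []
    for alloc in events:
        if alloc["api"] != "NtAllocateVirtualMemory" or not alloc["protection"] & PAGE_EXECUTE_READWRITE:
            continue
        lo, hi = alloc["base"], alloc["base"] + alloc["size"]

        def in_region(e, key):
            # Key on source and target PID: regions in different targets can overlap
            return e["pid"] == alloc["pid"] and e["target"] == alloc["target"] and lo <= e[key] < hi

        writes = [e for e in events if e["api"] == "WriteProcessMemory" and in_region(e, "base")]
        threads = [e for e in events if e["api"] == "CreateRemoteThread" and in_region(e, "start")]
        if not writes:
            continue
        first = min(writes, key=lambda e: e["base"])
        start = threads[0]["start"] if threads else None
        findings.append({
            "source": alloc["pid"],
            "target": alloc["target"],
            "kind": "self" if alloc["pid"] == alloc["target"] else "remote",
            "region": (lo, alloc["size"]),
            "pe_image": first["base"] == lo and is_pe_image(first["buffer"]),
            "chunks": sorted(e["base"] - lo for e in writes),
            "thread_start_rva": None if start is None else start - lo,
            # Does the thread start land in bytes the source actually wrote?
            "start_in_written_bytes": any(
                e["base"] <= start < e["base"] + len(e["buffer"]) for e in writes
            ) if start is not None else False,
        })
    return findings


def injection_events(source, target, base, size, text_len=0x2C00):
    """Constructed events mirroring the report: headers at base, code at
    base+0x1000, relocation data at base+0x54000. Chunk lengths are assumed."""
    common = {"pid": source, "target": target}
    return [
        {"api": "NtAllocateVirtualMemory", "base": base, "size": size,
         "protection": PAGE_EXECUTE_READWRITE, **common},
        {"api": "WriteProcessMemory", "base": base,
         "buffer": b"MZ" + b"\0" * 0x3E + DOS_STUB_TEXT, **common},
        {"api": "WriteProcessMemory", "base": base + 0x1000,
         "buffer": b"\x64\xa1\x30\x00" + b"\xcc" * text_len, **common},
        {"api": "WriteProcessMemory", "base": base + 0x54000,
         "buffer": b"\xd7\x31\x9c\x32", **common},
    ]


# PIDs, bases and sizes as in the report; 2416 is the sample writing into itself
TRACE = (
    injection_events(2416, 2416, 0x022D0000, 688128)
    + injection_events(2416, 348, 0x02DE0000, 348160)
    + [{"api": "CreateRemoteThread", "pid": 2416, "target": 348, "start": 0x02DE1360}]
    + injection_events(2416, 1736, 0x02D90000, 348160)
    + [{"api": "CreateRemoteThread", "pid": 2416, "target": 1736, "start": 0x02D91360}]
    + injection_events(2416, 1684, 0x03A30000, 348160)
    + [{"api": "CreateRemoteThread", "pid": 2416, "target": 1684, "start": 0x03A31360}]
)

if __name__ == "__main__":
    for finding in analyze(TRACE):
        print(finding)
```

Keying on the target PID matters here: the report's regions for PID 348 (0x02de0000, 0x55000 bytes) and PID 1736 (0x02d90000, 0x55000 bytes) overlap in address, and 1736's third write at 0x02de4000 would otherwise be mis-assigned to 348.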
Network activity contains multiple unique user agents (3 events)
process svchost.exe useragent Internal
process svchost.exe useragent Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
process ComputerZService.exe useragent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
The svchost.exe user agent that combines MSIE 2.0 and Windows NT 5.0 with a Trident/4.0 token matches no real browser build and is a usable network indicator; svchost.exe is also one of the injection targets listed below. The ComputerZService.exe entry belongs to third-party software in the sandbox image.
Shows interest in specific running processes (7 events)
process: potential process injection target services.exe
process: potential process injection target wininit.exe
process 360tptmon.exe
process audiodg.exe
process spoolsv.exe
process 360drvmgr.exe
process: potential process injection target svchost.exe
Detects VirtualBox by the presence of a registry key (1 event)
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00
PCI vendor ID 0x80EE belongs to VirtualBox and device 0xCAFE is its guest device, so this enumeration key exists only inside a VirtualBox guest.
Detects a virtual machine through custom firmware tables (2 events)
information_class 76 (SystemFirmwareTableInformation) reads the raw SMBIOS/ACPI tables, which carry the hypervisor's vendor strings. The first call failed with 3221225507 (0xC0000023, STATUS_BUFFER_TOO_SMALL), the standard size probe, and the second succeeded.
Time & API Arguments Status Return Repeated
1727545406.625375
NtQuerySystemInformation
information_class: 76 (SystemFirmwareTableInformation)
failed 3221225507 0
1727545406.625375
NtQuerySystemInformation
information_class: 76 (SystemFirmwareTableInformation)
success 0 0
Generates some ICMP traffic
File identified as malicious by 53 antivirus engines on VirusTotal (50 of 53 events shown)
ALYac Gen:Variant.Ulise.39843
APEX Malicious
AVG Win32:Shiz-JT [Trj]
Acronis suspicious
Ad-Aware Gen:Variant.Ulise.39843
AhnLab-V3 Trojan/Win32.Gen.C1571325
Antiy-AVL Trojan/Win32.Unknown
Arcabit Trojan.Ulise.D9BA3
Avast Win32:Shiz-JT [Trj]
Avira TR/Hijacker.Gen
Baidu Win32.Trojan-Spy.Shiz.b
BitDefender Gen:Variant.Ulise.39843
CAT-QuickHeal Trojan.Beaugrit.S16628
ClamAV Win.Trojan.Generic-6323528-0
Comodo TrojWare.Win32.Spy.Shiz.ZV@6ldvxf
CrowdStrike win/malicious_confidence_100% (D)
Cybereason malicious.2d38a3
Cylance Unsafe
Cyren W32/Shiz.R.gen!Eldorado
DrWeb Trojan.PWS.Ibank.323
ESET-NOD32 a variant of Win32/Spy.Shiz.NBX
Emsisoft Gen:Variant.Ulise.39843 (B)
Endgame malicious (high confidence)
F-Prot W32/Shiz.R.gen!Eldorado
F-Secure Trojan.TR/Hijacker.Gen
FireEye Generic.mg.d681b7a2d38a34b0
Fortinet W32/Shiz.NBX!tr
GData Gen:Variant.Ulise.39843
Ikarus Backdoor.Win32.Simda
Invincea heuristic
Jiangmin Backdoor.Generic.axsv
K7AntiVirus Spyware ( 004cadd91 )
K7GW Spyware ( 004cadd91 )
Kaspersky HEUR:Backdoor.Win32.Generic
MAX malware (ai score=82)
McAfee BackDoor-FDOB!D681B7A2D38A
McAfee-GW-Edition BehavesLike.Win32.TrojanShifu.fh
MicroWorld-eScan Gen:Variant.Ulise.39843
Microsoft Backdoor:Win32/Simda.gen!B
NANO-Antivirus Trojan.Win32.Ibank.esrglb
Qihoo-360 HEUR/QVM20.1.4DE5.Malware.Gen
Rising Trojan.Shiz!1.A8F0 (CLASSIC)
SentinelOne DFI - Malicious PE
Sophos Mal/Emogen-Y
Symantec ML.Attribute.HighConfidence
Trapmine malicious.moderate.ml.score
VBA32 BScope.TrojanPSW.Ibank
VIPRE Trojan.Win32.Generic!BT
Webroot W32.Trojan.Gen
Yandex TrojanSpy.Shiz!6hv+rwhhicU
Connects to IP addresses that no longer respond to requests; legitimate services usually stay up (11 events)
All contacts are on TCP port 80. Given the 2011 compile timestamp below, dead command-and-control hosts are expected; the addresses are more useful for retrospective log searches than for blocking.
dead_host 172.234.222.143:80
dead_host 69.162.80.52:80
dead_host 3.94.10.34:80
dead_host 199.191.50.83:80
dead_host 85.17.31.122:80
dead_host 162.255.119.102:80
dead_host 208.91.196.145:80
dead_host 154.212.231.82:80
dead_host 85.17.31.82:80
dead_host 5.79.71.225:80
dead_host 106.15.139.117:80
Runtime screenshots
No runtime screenshots: none were generated while the sample ran.

PE Compile Time

2011-08-02 17:26:00

PE Imphash

173abfa8f7d7adac2a90a2e42625b7d9

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00002b14 0x00002c00 6.115647371012377
.rdata 0x00004000 0x00001bf8 0x00001c00 6.098143094424814
.data 0x00006000 0x0005711c 0x00053800 6.759145336421315
.reloc 0x0005e000 0x0000099c 0x00000a00 6.07318440201103
.data holds 0x53800 (342,016) bytes of the 355.5 KB file at entropy 6.76, and the strings below contain two further DOS stubs with their own section tables, i.e. embedded PE images, consistent with the 0x55000-byte image written into the injection targets above.

Imports

Library MSVCRT.dll:
0x40412c wcsstr
0x404130 _snwprintf
0x404134 strstr
0x404138 _snprintf
0x40413c _except_handler3
0x404140 memset
0x404144 memcpy
Library SHELL32.dll:
0x404160 None
0x404164 SHGetFolderPathA
Library SHLWAPI.dll:
0x40416c PathAddBackslashA
0x404170 StrStrIA
0x404174 PathFileExistsA
0x404178 PathAppendA
Library ntdll.dll:
0x404190 RtlAdjustPrivilege
0x404194 RtlImageNtHeader
0x404198 RtlCreateUserThread
Library KERNEL32.dll:
0x40402c GetModuleFileNameW
0x404034 MoveFileA
0x404038 DeviceIoControl
0x40403c ExitProcess
0x404040 GlobalAddAtomA
0x404044 GlobalFindAtomA
0x404048 CopyFileA
0x40404c GetCurrentProcessId
0x404054 CreateFileW
0x404058 GetVersionExA
0x40405c FreeLibrary
0x404060 IsDebuggerPresent
0x404064 GetTickCount
0x404070 GetModuleFileNameA
0x404074 CreateFileA
0x404078 SetFilePointer
0x40407c MoveFileExA
0x404080 lstrcpynA
0x404084 SetEndOfFile
0x404088 UnlockFile
0x40408c LockFile
0x404090 SetFileTime
0x404094 WriteFile
0x404098 IsBadWritePtr
0x40409c ReadFile
0x4040a0 GetFileSizeEx
0x4040a4 GetLastError
0x4040a8 SetFileAttributesA
0x4040ac GetTempFileNameA
0x4040b0 GetFileTime
0x4040b4 GetTempPathA
0x4040b8 DeleteFileA
0x4040bc GetProcAddress
0x4040c0 GetModuleHandleA
0x4040c4 HeapAlloc
0x4040c8 HeapFree
0x4040cc GetProcessHeap
0x4040d0 HeapValidate
0x4040d4 GetCurrentProcess
0x4040d8 Sleep
0x4040e0 VirtualAlloc
0x4040e4 VirtualQuery
0x4040e8 Process32First
0x4040ec VirtualFree
0x4040f0 CreateRemoteThread
0x4040f4 OpenProcess
0x4040f8 CreateProcessA
0x4040fc Module32First
0x404104 VirtualAllocEx
0x404108 LoadLibraryA
0x40410c Process32Next
0x404114 Module32Next
0x404118 CloseHandle
0x40411c WriteProcessMemory
0x404120 SwitchToThread
Library USER32.dll:
0x404180 FindWindowA
0x404184 CharUpperA
0x404188 PostMessageA
Library ADVAPI32.dll:
0x404000 RegCreateKeyExA
0x404004 RegSetValueExA
0x404008 RegQueryValueExA
0x40400c RegOpenKeyExA
0x404010 RegFlushKey
0x404014 RegCloseKey
0x404018 OpenProcessToken
0x40401c GetTokenInformation
0x404020 GetUserNameA
Library ole32.dll:
0x4041a0 CoUninitialize
0x4041a4 CoCreateInstance
0x4041ac CoInitializeEx
Library OLEAUT32.dll:
0x40414c SysFreeString
0x404150 SysAllocString
0x404154 VariantClear
0x404158 VariantInit

Strings

L!This program cannot be run in DOS mode.
`.rdata
@.data
.reloc
\NOLLYDBG
wireshark.exe
dumpcap.exe
idag.exe
vmwaretray.exe
\\?\globalroot\systemroot\system32\vmx_fb.dll
SystemDrive
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
userinit
\\?\globalroot\systemroot\system32\drivers\ntfs.sys
ntdll.dll
RtlUniform
kernel32.dll
IsWow64Process
kernel
server
idontknow
administrator
666666
12345678
soccer
abc123
password1
football1
fuckyou
monkey
iloveyou1
superman1
slipknot1
jordan23
princess1
liverpool1
monkey1
baseball1
123abc
qwerty1
blink182
myspace1
user111
098765
qweryuiopas
qwerty
111111
password
123456
Windows Defender
MpClient.dll
WDEnable
\\.\KmxAgent
____AVP.Root
\\.\pipe\acsipc_server
\AVG\AVG9\dfncfg.dat
\AVG\AVG9\dfmcfg.dat
\PrevxCSI\csidb.csi
PTue Aug 2 12:53:17 20112
winlogon.exe
explorer.exe
\apppatch\
svchost.exe
Tue Aug 2 12:53:17 20111
user32.dll
HARDWARE\DESCRIPTION\System
SystemBiosVersion
test_item.exe
SANDBOX
MALNETVM
VIRUSCLONE
test user
\sand-box\
\cwsandbox\
\sandbox\
_snprintf
strstr
_snwprintf
wcsstr
MSVCRT.dll
SHGetFolderPathA
SHELL32.dll
PathFileExistsA
StrStrIA
PathAddBackslashA
PathAppendA
SHLWAPI.dll
RtlImageNtHeader
RtlCreateUserThread
RtlAdjustPrivilege
ntdll.dll
IsDebuggerPresent
GetTickCount
GetVolumeInformationA
GetEnvironmentVariableA
GetModuleFileNameA
CreateFileA
SetFilePointer
MoveFileExA
lstrcpynA
SetEndOfFile
UnlockFile
LockFile
SetFileTime
WriteFile
IsBadWritePtr
ReadFile
GetFileSizeEx
GetLastError
SetFileAttributesA
GetTempFileNameA
GetFileTime
GetTempPathA
DeleteFileA
GetProcAddress
GetModuleHandleA
HeapAlloc
HeapFree
GetProcessHeap
HeapValidate
GetCurrentProcess
FlushInstructionCache
VirtualAlloc
VirtualQuery
Process32First
VirtualFree
CreateRemoteThread
OpenProcess
CreateProcessA
Module32First
GetHandleInformation
VirtualAllocEx
LoadLibraryA
Process32Next
CreateToolhelp32Snapshot
Module32Next
CloseHandle
WriteProcessMemory
SwitchToThread
GetSystemWindowsDirectoryA
FreeLibrary
GetSystemTimeAsFileTime
GetModuleFileNameW
SetCurrentDirectoryA
MoveFileA
DeviceIoControl
ExitProcess
GlobalAddAtomA
GlobalFindAtomA
CopyFileA
GetCurrentProcessId
InterlockedDecrement
CreateFileW
GetVersionExA
KERNEL32.dll
FindWindowA
CharUpperA
PostMessageA
USER32.dll
RegSetValueExA
RegQueryValueExA
RegCreateKeyExA
RegOpenKeyExA
RegFlushKey
RegCloseKey
OpenProcessToken
GetTokenInformation
GetUserNameA
ADVAPI32.dll
CoCreateInstance
CoUninitialize
CoInitializeEx
CoInitializeSecurity
ole32.dll
OLEAUT32.dll
_except_handler3
memset
memcpy
name.key
\secrets.key
sign.key
kernel32.dll
CreateFileW
\explorer.exe
GetFileAttributesW
user32.dll
GetWindowTextA
OLLYDBG
wireshark.exe
dumpcap.exe
idag.exe
vmwaretray.exe
\\?\globalroot\systemroot\system32\vmx_fb.dll
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
SystemDrive
Software\Microsoft\Windows NT\CurrentVersion
InstallDate
SYSTEM
%s!%s!%08X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
userinit
software\microsoft
Global\
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
%dd %dh %dm
CLOSED
LISTEN
SYN_SENT
SYN_RCVD
FIN_WAIT1
FIN_WAIT2
CLOSE_WAIT
CLOSING
LAST_ACK
TIME_WAIT
DELETE_TCB
netstat
{Proto
Local address
Remote address
taskmgr
Process name
[System Process]
netuser
Software\Microsoft\Internet Explorer\TypedURLs
IE history:
DAN NLD NLB ENU ENG ENA ENC ENZ ENI FIN FRA FRB FRC FRS DEU DES DEA ISL ITA ITS NOR NON PTB PTG SVE ESP ESM ESN TRK PLK CSY SKY HUN RUS GRE ALL
{BotVer:
{Process:
{Username:
PROCESSOR_IDENTIFIER
{Processor:
{Language:
%dx%d@%d
{Screen:
dd:MMM:yyyy
{Date:
HH:mm:ss
{Local time:
%c%d:%02d
{GMT:
{Uptime:
{Windows directory:
{Administrator:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
kaspersky
eset.com
antivir
virustotal
virusinfo
z-oleg.com
kltest.org.ru
trendsecure
anti-malware
.comodo.com
google.com
Dnsapi.dll
DnsQuery_A
DnsQuery_UTF8
DnsQuery_W
Query_Main
ws2_32.dll
getaddrinfo
gethostbyname
inet_addr
qwrtpsdfghjklzxcvbnm
eyuioa
1676d5775e05c50b46baa5579d4fc7
!verif
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
6908741AF4E26C68E1EE46F1041F009EECA931D2D53E11AD04CF03DEB7677754725005219D4B978D957ABA1678D353DE5AA0586B49E21F7EFFE2F73D7D2D8E26395286E1EA7A106CD617966D9FC5906C6E952289B4D671BA6ADE1B80ECF2468552F401D4D8134CAF4B56DC5F18B673710974A6F7A9AE9273979C092F52E8D7C9
6d3ad29879a90b4dd1b4f76e82166ca3
data.txt
ntdll.dll
ZwQuerySystemInformation
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_%08x
explorer.exe
Shell_TrayWnd
taskmgr
default
DefWindowProcW
DefWindowProcA
DefDlgProcW
DefDlgProcA
DefFrameProcW
DefFrameProcA
DefMDIChildProcW
DefMDIChildProcA
CallWindowProcW
CallWindowProcA
RegisterClassW
RegisterClassA
RegisterClassExA
RegisterClassExW
PeekMessageW
PeekMessageA
OpenInputDesktop
OpenDesktopA
OpenDesktopW
SwitchDesktop
MessageBeep
FlashWindowEx
GetCursorPos
SetCursorPos
GetMessagePos
SetCapture
ReleaseCapture
GetCapture
Winmm.dll
PlaySoundW
PlaySoundA
sndPlaySoundW
sndPlaySoundA
Kernel32.dll
Gdi32.dll
SetDIBitsToDevice
SetThreadDesktop
static
Content-Length
http://
NSS layer
https://
Referer
Content-Type
HTTP/1.
Transfer-Encoding
chunked
Connection
Proxy-Connection
identity
Accept-Encoding
If-Modified-Since
nspr4.dll
PR_Write
PR_Read
PR_Close
PR_OpenTCPSocket
PR_GetError
PR_SetError
PR_GetNameForIdentity
UserAgent
[[[URL: %s
Process: %s
User-agent: %s]]]
Accept-Encoding:
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFile
InternetReadFileExA
InternetReadFileExW
InternetCloseHandle
set_url
data_before
data_end
data_inject
data_after
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
%02u.bmp
***************************
***************************
[/pst]
GetClipboardData
\\.\PhysicalDrive%u
AppEvents
Console
Control Panel
Environment
Identities
Software
System
/topic.php
keylog.txt
passwords.txt
%s%u.zip
-----------------------------
Content-Disposition: form-data; name="pcname"
-----------------------------
Content-Disposition: form-data; name="file"; filename="report"
Content-Type: text/plain
RtlUniform
TranslateMessage
GetMessageA
GetMessageW
as743vgk0odastr
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
Content-Length:
RtlFreeHeap
id=1&post=%u
frd.exe
!kill_os
&ret_val=ok
/faq.php
!activebc
&activebc=ok
!deactivebc
&deactivebc=ok
&load=ok
!inject
&inject=ok
!new_config
&config=ok
id=%s&ver=4.2.5&up=%u&os=%03u&rights=%s&ltime=%s%d&token=%d
\chrome.exe
--no-sandbox
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_username=
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
CryptoPluginId=AGAVA&Sign
login=
password=
&ctl00%24MainMenu%24Login1%24UserName=
&ctl00%24MainMenu%24Login1%24Password=
advapi32.dll
CryptEncrypt
WSASend
WSARecv
name=%s&port=%u
/home.php
A B V G D E E J Z I Y K L M N O P R S T U F H C CHSHSH Y E YUYAA B V H G D E JE J Z Y I YI J K L M N O P R S T U F X C CH SH SH YU YA
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\%02d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
\private\
private.txt
\public\
public.txt
\*.key
\self.cer
\@rand
\ABONENTS*
crypto
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
found.
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
\crypto\
\micros~\crypto\
\maxthon3\public\
\microsoft\crypto\
\crypto pro\
\progra~1\crypto~1\
\temporary internet files\
:\users\public
\ryptopro
\cryptokit\
:\progra~1\common~1\crypto~1
bsi.dll
&cvv=&
&cvv2=
&cvv2=&
&cvc=&
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
FAKTURA
sks2xyz.dll
vb_pfx_import
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
BEGIN SIGNATURE
END SIGNATURE
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
DefaultPrivateDir
General
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
&txtSubId=
&txtPin=
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
OFFSHORE
w.qiwi.ru
phone=
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
RCN_R50Buffer
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
\SIGN1\
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
RSTYLE
Agava_Client.exe
UseToken
Containers
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
login.yota.ru
IDToken1=
IDToken2=
YotaConfirmForm%5Bpassword%5D
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
IsWow64Process
*SYSTEM*
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
kernel
waveOutOpen
winmm.dll
1234567890QWERTYUIOPASDFGHJKLZXCVBNM
ct_init: length != 256
ct_init: dist != 256
ct_init: 256+dist != 512
inconsistent bit counts
not enough codes
too many codes
bad compressed size
ct_tally: bad match
bad d_code
invalid length
output buffer too small for in-memory compression
bad pack level
insufficient lookahead
no future
wild scan
more < 2
RFB 003.006
LibVNCServer 0.9.7
unknown
%s (%s)
My Documents
Network Favorites
%02d/%02d/%04d %02d:%02d
No authentication mode is registered!
Your viewer cannot handle required authentication methods
password check failed!
SCardConnectA
SCardEstablishContext
SCardFreeMemory
SCardDisconnect
SCardListReadersA
SCardReleaseContext
WinSCard.dll
IsNetworkAlive
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MiniDumpWriteDump
dbghelp.dll
strstr
calloc
malloc
_snprintf
_strrev
strtol
isdigit
sprintf
strncpy
fwrite
realloc
fclose
isprint
strchr
MSVCRT.dll
GetModuleFileNameExA
PSAPI.DLL
NetApiBufferFree
NetQueryDisplayInformation
NETAPI32.dll
DnsFlushResolverCache
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
InternetSetStatusCallback
InternetQueryOptionA
InternetConnectA
InternetReadFile
HttpOpenRequestA
InternetCheckConnectionA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
WININET.dll
WS2_32.dll
SHGetFolderPathA
ShellExecuteA
ExtractIconExA
SHFileOperationA
SHGetSpecialFolderPathA
SHELL32.dll
StrStrIA
PathFileExistsA
PathFindFileNameA
PathAddBackslashA
StrStrIW
StrToIntA
PathMakeSystemFolderA
PathAppendA
StrCmpNIA
StrNCatA
StrStrA
StrChrIA
SHLWAPI.dll
RtlImageNtHeader
RtlCreateUserThread
ntdll.dll
GetVolumeInformationA
GetSystemWindowsDirectoryA
GetModuleFileNameA
GetLastError
SetLastError
GetProcAddress
GetModuleHandleA
IsDebuggerPresent
GetTickCount
GetEnvironmentVariableA
GetCurrentProcess
AddVectoredExceptionHandler
GetCurrentThreadId
GetCurrentProcessId
GetSystemDefaultLangID
Process32First
GetTimeFormatA
GetDateFormatA
OpenProcess
GetTimeZoneInformation
Process32Next
CreateToolhelp32Snapshot
WaitForSingleObject
LoadLibraryExA
ReleaseMutex
lstrcpynA
GetTempFileNameA
WaitForMultipleObjects
GetTempPathA
GetSystemTime
CreateFileA
SetFilePointer
MoveFileExA
SetEndOfFile
SetFilePointerEx
UnlockFile
LockFile
WriteFile
IsBadWritePtr
ReadFile
CreateDirectoryA
GetFileSizeEx
FindFirstFileA
RemoveDirectoryA
SetFileAttributesA
FindClose
FindNextFileA
DeleteFileA
HeapReAlloc
HeapAlloc
HeapFree
ExitProcess
SetErrorMode
SetEvent
OpenMutexA
lstrcpyA
MapViewOfFile
UnmapViewOfFile
IsBadReadPtr
CreateFileMappingA
GlobalLock
GlobalAlloc
CreateProcessA
MultiByteToWideChar
GlobalUnlock
GlobalFree
CreateThread
HeapCreate
lstrcmpiA
OpenEventA
lstrcmpiW
OpenFileMappingA
CreateMutexA
GetComputerNameA
lstrlenA
CreateEventA
GetVersionExA
ResetEvent
GetCommandLineA
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetCurrentThread
GetDriveTypeA
SetThreadPriority
SetCurrentDirectoryA
GetLogicalDriveStringsA
CopyFileA
GetCurrentDirectoryA
GetProcessHeap
HeapValidate
HeapSize
GetCommandLineW
ExitThread
MoveFileA
WinExec
TerminateThread
FindNextChangeNotification
FindFirstChangeNotificationA
lstrcmpA
CloseHandle
FlushInstructionCache
InterlockedExchange
VirtualAlloc
GetThreadPriority
VirtualProtect
WideCharToMultiByte
GetVersionExW
GetFileAttributesA
GetFileAttributesW
GetShortPathNameA
GetPrivateProfileStringA
VirtualQuery
VirtualFree
CreateRemoteThread
GetProcessTimes
Module32First
GetHandleInformation
VirtualAllocEx
LoadLibraryA
Module32Next
LocalFree
WriteProcessMemory
SwitchToThread
FileTimeToDosDateTime
GetFileSize
SystemTimeToFileTime
GetLocalTime
LocalAlloc
GetFileType
GetFileInformationByHandle
FindFirstFileW
FileTimeToSystemTime
CreateFileW
lstrlenW
FindNextFileW
KERNEL32.dll
CharUpperA
FindWindowA
GetSystemMetrics
SetCaretBlinkTime
SetThreadDesktop
GetThreadDesktop
ReleaseDC
GetShellWindow
GetWindow
DestroyIcon
SetClipboardData
OpenClipboard
GetDesktopWindow
EmptyClipboard
GetIconInfo
RegisterWindowMessageA
SendMessageA
WindowFromPoint
DrawIcon
CreateDesktopA
GetTopWindow
CloseClipboard
SendMessageW
IsWindowVisible
IsWindow
GetLastActivePopup
PostMessageW
IsIconic
MapVirtualKeyW
IsRectEmpty
GetClassLongA
GetWindowThreadProcessId
MapWindowPoints
PostMessageA
GetMenuItemInfoA
SetWindowPos
SendMessageTimeoutA
GetWindowLongA
GetAncestor
GetWindowInfo
GetParent
GetWindowRect
GetSystemMenu
DefWindowProcW
EndMenu
HiliteMenuItem
DefMDIChildProcA
GetCursor
GetMenuItemCount
DefMDIChildProcW
DestroyCursor
DefWindowProcA
GetMenuState
CopyIcon
TrackPopupMenuEx
GetMenuItemRect
GetMenu
MenuItemFromPoint
GetSubMenu
SetKeyboardState
GetMenuItemID
OpenDesktopA
GetUserObjectInformationA
PrintWindow
WindowFromDC
SetLayeredWindowAttributes
EnumChildWindows
RedrawWindow
GetWindowRgn
SetClassLongA
SetWindowLongA
GetScrollBarInfo
MoveWindow
DialogBoxIndirectParamA
SetWindowTextA
ShowWindow
EndDialog
GetDlgItem
CreateWindowExA
GetWindowTextLengthA
GetClientRect
LoadIconA
AttachThreadInput
DestroyWindow
wsprintfA
PtInRect
GetFocus
RealChildWindowFromPoint
GetClassNameA
GetCursorPos
GetWindowTextW
GetOpenClipboardWindow
GetActiveWindow
GetWindowTextA
GetGUIThreadInfo
GetKeyboardState
ToAscii
FindWindowW
DispatchMessageW
PeekMessageW
TranslateMessage
MsgWaitForMultipleObjects
GetWindowDC
USER32.dll
GetDeviceCaps
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
DeleteObject
GdiFlush
GetDIBits
CreateDIBSection
DeleteDC
CreateRectRgn
OffsetRgn
SelectClipRgn
SetViewportOrgEx
GetViewportOrgEx
BitBlt
GetClipRgn
GetObjectA
CreateFontIndirectA
GDI32.dll
RegQueryValueExA
RegOpenKeyExA
GetUserNameA
RegCloseKey
RegSetValueExA
RegFlushKey
RegDeleteValueA
RegEnumKeyExA
RegNotifyChangeKeyValue
OpenProcessToken
GetTokenInformation
RegDeleteKeyA
ADVAPI32.dll
memcpy
memset
_except_handler3
$Id: dbfopen.c,v 1.48 2003/03/10 14:51:27 warmerda Exp $
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
?#?+?T?e?k?p??????
0<0A0P0e0{00000000
111D1b1s1z1111
2!22292F2^2i2r2y2222222
323<3F3P3a3h3z3333333
4 4%4*4g4~44444
6+626\6b6r66666
7K7k7r777777718W8]8c888809B9O9U9^9q9
99999#:V:d::::::
;F;b;h;~;;;;;;
<D<K<o<<<<
=E=L=p====A>P>>>>>
00%0.050>0F0i0u000000
1!1k1v1111111=222
3!3J3[3|333333
4?4E4{44444;5W5e55555*6b6s666666666
7H777:::
;M;`;o;;;
6'69666
789M::;;
0L0Z0h0v011c23
3)3?3U3k333333
434=4C44445V6p66
7^777777Q8888
979E9W9999::
;W;^;;;
<#<2<<==*>?>L>
M1T182?2L2S2Y2e2u222T3k3z33333
44/4;4K4P4444
595B5H5a5
55555%6;6_6n6666
99"::::;;;*<4<><H<R<\<f<p<<)====1>t>|>>>>>>>>>>>>>>>>
?"?(?0?7?|?????
1T11422
3(4}44Q5a5566v8a99/:: ;;;s==k>>>>
)0111111111111
2@2S2e2233<4D444^666
7;7V7n7t7
777777X8e8
:T::::
;/;5;B;K;T;Z;g;p;
>:>r>>>>>>>
S0Z0`0k0w0
00000000
111D1Y1111Z222
33*4j44444
66666&7d7/8\8u888
99::K;j;s;;;;$>>
1-2222L3Q3]3d334I6666j77777
8!81888d993:A:k::y;;;W<{<<<4=a====
>7>>>d>>>l??
0r00D1W1111
3,3u333333333333333
4H4%55557,99F::V;;[<|<<<
=B============
1122i3s3355f6666666
99O;;<<2=f===$>>>
I0'1:1T1e1194j4~444
5'5555u66B7Y7`77848G888
9)9b99999999:::1;F;[;;;;0<E<<<
>->:>v>>>>>>>S?Z?`?k?w?
0*020F0q0w0
101611B2d223344559:F:T;a;b<<
122C2B3f37
88$9299B:c:/;;9<J>>
0#112-3555566666
7#7w7748-999#;J=
4:::::::::::
;P;c;u;;<<L=T===??????????
00s222222222233b5555555555v666;X<<9==>>>>>>>
S0d0m0~000000000000
11(161?1M1V1d1i33 4'464@4T4c4r4|44444444
4i445W6666#7&8585<==
%4N4]477
0(060B0M0
1>1h1111
2 2.2722222333333}45==x>>>>>>;?I?q?z????
1*161111122
35:e:::
;I;U;;;;;
<4<d<<|====
?j?t???
66H7V7d7r777
8@8I8x888J9999
:k:u:::l;;;;;
2%33333
4j4~44444$55<6F6Z6f666667*848B8K8>>5?C?Q?_????
0$0-0\0s00>1111
2|222233
4E:u::
;;K;W;;;;;
<3<x<<====<>F>[>d>c?????
1E11111
3>33`4j4z4444
55I6S6a6j67
8888888O9c99999
::0;:;J;V;;;;;<
=#=1=:=>>]?k?y????
030R0\0000g1
2+272222233333u55
6+696H6v6666
7K7c77'88888O9Y9k9t9B::::: >
{11w33)5D5R556779H<=?
4181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|11111111111111111&202@2>>
6%666U7g7<<<<<<
=E=p===>??????????
033o5v5558888949:9B9
;,;8;D;P;\;h;t;;;
======
5,5@5H5L5P5T5X5\5`5d5h5l5p5t5x5|555555555555555??????????????????????
0 0$0(0,0004080<0@0D0H0L0P0T000
12253s335
$Id: dbfopen.c,v 1.48 2003/03/10 14:51:27 warmerda Exp $
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
OFFSHORE
w.qiwi.ru
phone3
iWindows Explorer
cmd.exe
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Actions Context="LocalSystem">
<Exec>
<Command>%s</Command>
</Exec>
</Actions>
</Task>
<!--00-->
\\?\globalroot\systemroot\system32\tasks\
task%d
<Actions
mavast.com
kaspersky
eset.com
antivir
virustotal
virusinfo
z-oleg.com
kltest.org.ru
trendsecure
anti-malware
.comodo.com
google.com
#+3;CScs
tdefault
--no-sandbox
serverkey.dat
private
public
\java\
\windows\
SunAwtFrame
SunAwtDialog
MS Sans Serif

Process Tree

05ef962c6688f10ed91aa93848d4932e3dbdbffd37b3e6ce87e3e43f8e6f0063.exe, PID: 2996, Parent PID: 2400
    svchost.exe, PID: 2416, Parent PID: 2996
360DrvMgr.exe, PID: 1684, Parent PID: 1412
    ComputerZService.exe, PID: 348, Parent PID: 1684
    ComputerZService.exe, PID: 1248, Parent PID: 1684
        dll_service.exe, PID: 2112, Parent PID: 1248
        dll_service.exe, PID: 3008, Parent PID: 1248
        dll_service.exe, PID: 1756, Parent PID: 1248
        dll_service.exe, PID: 1040, Parent PID: 1248
        dll_service.exe, PID: 1084, Parent PID: 1248
360TptMon.exe, PID: 1736, Parent PID: 1704

DNS

Name Response Post-Analysis Lookup
dns.msftncsi.com A 131.107.255.255
A 131.107.255.255
131.107.255.255
dns.msftncsi.com AAAA fd3e:4f5a:5b81::1 131.107.255.255
www.bing.com CNAME cn-bing-com.cn.a-0001.a-msedge.net
A 202.89.233.101
A 202.89.233.100
CNAME china.bing123.com
CNAME www-www.bing.com.trafficmanager.net
202.89.233.100
gatyfus.com A 85.17.31.122
A 85.17.31.82
A 178.162.203.226
A 85.17.31.122
A 85.17.31.82
A 5.79.71.225
A 178.162.203.202
A 5.79.71.205
A 178.162.217.107
A 85.17.31.82
A 5.79.71.225
A 85.17.31.122
A 178.162.203.211
A 178.162.203.226
85.17.31.82
lyvyxor.com A 208.100.26.245
A 208.100.26.245
208.100.26.245
vojyqem.com A 172.234.222.143
A 172.234.222.138
A 172.234.222.143
A 172.234.222.138
172.234.222.138
gahyqah.com A 23.253.46.64
A 162.255.119.102
A 23.253.46.64
A 162.255.119.102
23.253.46.64
qetyfuv.com A 44.221.84.105
A 44.221.84.105
44.221.84.105
puvyxil.com
lyryfyd.com
pufymoq.com
gacyzuz.com
qexylup.com
qegyqaq.com
purydyv.com
vocyzit.com
gaqydeb.com
lygymoj.com
vowydef.com
qeqysag.com
lyxylux.com
vofymik.com
puzylyp.com A 99.83.138.213
A 13.248.252.114
A 99.83.138.213
A 13.248.252.114
99.83.138.213
gadyniw.com A 154.212.231.82
A 154.212.231.82
154.212.231.82
lymysan.com
volykyc.com
pumypog.com
lysynur.com
galykes.com
qedynul.com
qekykev.com
ganypih.com
vopybyt.com
pupybul.com
vonypom.com
pujyjav.com
qebytiq.com
lykyjad.com
vojyjof.com
lyvytuj.com
qetyvep.com
lyryvex.com
gahyhob.com
vocyruk.com
gatyvyz.com
lygygin.com
gaqycos.com
qegyhig.com A 172.67.173.131
A 104.21.30.183
A 172.67.173.131
A 104.21.30.183
104.21.30.183
pufygug.com
puvytuq.com
vowycac.com
gacyryw.com
purycap.com
qexyryl.com
puzywel.com
vofygum.com
lyxywer.com
lymyxid.com A 3.94.10.34
A 3.94.10.34
qeqyxov.com
gadyfuh.com
qedyfyq.com
galyqaz.com A 199.191.50.83
A 199.191.50.83
pumyxiv.com
lysyfyj.com A 69.162.80.52
A 69.162.80.52
qekyqop.com
vonyzuf.com
volyqat.com
ww1.lysyfyj.com CNAME 9145.searchmagnified.com
A 208.91.196.145
s.ludashi.com A 106.15.139.117 47.117.76.6

TCP

Source Source Port Destination Destination Port
192.168.56.101 49166 208.100.26.245 lyvyxor.com 80
192.168.56.101 49167 172.234.222.143 vojyqem.com 80
192.168.56.101 49168 44.221.84.105 qetyfuv.com 80
192.168.56.101 49169 172.234.222.143 vojyqem.com 80
192.168.56.101 49171 13.248.252.114 puzylyp.com 80
192.168.56.101 49172 172.67.173.131 qegyhig.com 80
192.168.56.101 49173 69.162.80.52 lysyfyj.com 80
192.168.56.101 49175 3.94.10.34 lymyxid.com 80
192.168.56.101 49176 172.67.173.131 qegyhig.com 443
192.168.56.101 49180 154.212.231.82 gadyniw.com 80
192.168.56.101 49183 23.253.46.64 gahyqah.com 80
192.168.56.101 49185 23.253.46.64 gahyqah.com 80
192.168.56.101 49187 69.162.80.52 lysyfyj.com 80
192.168.56.101 49186 5.79.71.225 gatyfus.com 80
192.168.56.101 49201 106.15.139.117 s.ludashi.com 80
192.168.56.101 49200 106.15.139.117 s.ludashi.com 80
192.168.56.101 49203 106.15.139.117 s.ludashi.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 61714 8.8.8.8 53
192.168.56.101 56933 8.8.8.8 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 58485 114.114.114.114 53
192.168.56.101 57665 114.114.114.114 53
192.168.56.101 51758 114.114.114.114 53
192.168.56.101 52215 114.114.114.114 53
192.168.56.101 62361 114.114.114.114 53
192.168.56.101 58985 114.114.114.114 53
192.168.56.101 50075 114.114.114.114 53
192.168.56.101 58624 114.114.114.114 53
192.168.56.101 62044 114.114.114.114 53
192.168.56.101 62515 114.114.114.114 53
192.168.56.101 60330 114.114.114.114 53
192.168.56.101 61322 114.114.114.114 53
192.168.56.101 62306 114.114.114.114 53
192.168.56.101 55142 114.114.114.114 53
192.168.56.101 56111 114.114.114.114 53
192.168.56.101 58005 114.114.114.114 53
192.168.56.101 64558 114.114.114.114 53
192.168.56.101 49986 114.114.114.114 53
192.168.56.101 65527 114.114.114.114 53
192.168.56.101 62324 114.114.114.114 53
192.168.56.101 55457 114.114.114.114 53
192.168.56.101 63148 114.114.114.114 53
192.168.56.101 55773 114.114.114.114 53
192.168.56.101 51209 114.114.114.114 53
192.168.56.101 61491 114.114.114.114 53
192.168.56.101 60789 114.114.114.114 53
192.168.56.101 59504 114.114.114.114 53
192.168.56.101 60395 114.114.114.114 53
192.168.56.101 55469 114.114.114.114 53
192.168.56.101 53131 114.114.114.114 53
192.168.56.101 58818 114.114.114.114 53
192.168.56.101 65012 114.114.114.114 53
192.168.56.101 50445 114.114.114.114 53
192.168.56.101 64590 114.114.114.114 53
192.168.56.101 54987 114.114.114.114 53
192.168.56.101 65496 114.114.114.114 53
192.168.56.101 52014 114.114.114.114 53
192.168.56.101 56171 114.114.114.114 53
192.168.56.101 50365 114.114.114.114 53
192.168.56.101 53520 114.114.114.114 53
192.168.56.101 51770 114.114.114.114 53
192.168.56.101 49587 114.114.114.114 53
192.168.56.101 64679 114.114.114.114 53
192.168.56.101 56992 114.114.114.114 53
192.168.56.101 60222 114.114.114.114 53
192.168.56.101 60720 114.114.114.114 53
192.168.56.101 60534 114.114.114.114 53
192.168.56.101 61947 114.114.114.114 53
192.168.56.101 65312 114.114.114.114 53
192.168.56.101 65429 114.114.114.114 53
192.168.56.101 60273 114.114.114.114 53
192.168.56.101 55841 114.114.114.114 53
192.168.56.101 62850 114.114.114.114 53
192.168.56.101 64682 114.114.114.114 53
192.168.56.101 51580 114.114.114.114 53
192.168.56.101 56001 114.114.114.114 53
192.168.56.101 64821 114.114.114.114 53
192.168.56.101 62574 114.114.114.114 53
192.168.56.101 61811 114.114.114.114 53
192.168.56.101 55801 114.114.114.114 53
192.168.56.101 59166 114.114.114.114 53
192.168.56.101 59499 114.114.114.114 53
192.168.56.101 57694 114.114.114.114 53
192.168.56.101 64262 114.114.114.114 53
192.168.56.101 64467 114.114.114.114 53
192.168.56.101 60516 114.114.114.114 53
192.168.56.101 55219 114.114.114.114 53
192.168.56.101 54128 114.114.114.114 53
192.168.56.101 50591 114.114.114.114 53
192.168.56.101 58529 114.114.114.114 53
192.168.56.101 50075 8.8.8.8 53
192.168.56.101 52215 8.8.8.8 53
192.168.56.101 60395 8.8.8.8 53
192.168.56.101 60789 8.8.8.8 53
192.168.56.101 59504 8.8.8.8 53
192.168.56.101 62324 8.8.8.8 53
192.168.56.101 55773 8.8.8.8 53
192.168.56.101 49986 8.8.8.8 53
192.168.56.101 51209 8.8.8.8 53
192.168.56.101 56111 8.8.8.8 53
192.168.56.101 65527 8.8.8.8 53
192.168.56.101 55457 8.8.8.8 53
192.168.56.101 61491 8.8.8.8 53
192.168.56.101 55142 8.8.8.8 53
192.168.56.101 58005 8.8.8.8 53
192.168.56.101 63148 8.8.8.8 53
192.168.56.101 61322 8.8.8.8 53
192.168.56.101 62044 8.8.8.8 53
192.168.56.101 64558 8.8.8.8 53
192.168.56.101 62306 8.8.8.8 53
192.168.56.101 60330 8.8.8.8 53
192.168.56.101 56171 8.8.8.8 53
192.168.56.101 52014 8.8.8.8 53
192.168.56.101 65496 8.8.8.8 53
192.168.56.101 64590 8.8.8.8 53
192.168.56.101 58818 8.8.8.8 53
192.168.56.101 50445 8.8.8.8 53
192.168.56.101 53131 8.8.8.8 53
192.168.56.101 65012 8.8.8.8 53
192.168.56.101 55469 8.8.8.8 53
192.168.56.101 54987 8.8.8.8 53
192.168.56.101 56001 8.8.8.8 53
192.168.56.101 61811 8.8.8.8 53
192.168.56.101 55801 8.8.8.8 53
192.168.56.101 62574 8.8.8.8 53
192.168.56.101 65429 8.8.8.8 53
192.168.56.101 64682 8.8.8.8 53
192.168.56.101 51580 8.8.8.8 53
192.168.56.101 61947 8.8.8.8 53
192.168.56.101 60273 8.8.8.8 53
192.168.56.101 65312 8.8.8.8 53
192.168.56.101 56992 8.8.8.8 53
192.168.56.101 60534 8.8.8.8 53
192.168.56.101 60720 8.8.8.8 53
192.168.56.101 51770 8.8.8.8 53
192.168.56.101 49587 8.8.8.8 53
192.168.56.101 64679 8.8.8.8 53
192.168.56.101 50365 8.8.8.8 53
192.168.56.101 64821 8.8.8.8 53
192.168.56.101 62850 8.8.8.8 53
192.168.56.101 55841 8.8.8.8 53
192.168.56.101 60222 8.8.8.8 53
192.168.56.101 53520 8.8.8.8 53
192.168.56.101 60516 8.8.8.8 53
192.168.56.101 55219 8.8.8.8 53
192.168.56.101 64467 8.8.8.8 53
192.168.56.101 57694 8.8.8.8 53
192.168.56.101 64262 8.8.8.8 53
192.168.56.101 59166 8.8.8.8 53
192.168.56.101 59499 8.8.8.8 53
192.168.56.101 50881 8.8.8.8 53
192.168.56.101 49997 8.8.8.8 53
192.168.56.101 61306 8.8.8.8 53
192.168.56.101 64829 8.8.8.8 53
192.168.56.101 62149 8.8.8.8 53
192.168.56.101 53620 8.8.8.8 53
192.168.56.101 62735 8.8.8.8 53
192.168.56.101 57151 114.114.114.114 53
192.168.56.101 61529 114.114.114.114 53
192.168.56.101 49997 114.114.114.114 53
192.168.56.101 57634 114.114.114.114 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.56.101 8.8.8.8 3

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 5c67fb44713b6d65_computerz.set
Filepath C:\Program Files (x86)\360\360DrvMgr\ComputerZ.set
Size 488.0B
Processes 1248 (ComputerZService.exe)
Type Generic INItialization configuration [HardWareIDs]
MD5 ae8f3b8d468650ed81aa77e79818b6ea
SHA1 39e48f4b161743246e2f8735c1f834386732a7c1
SHA256 5c67fb44713b6d65c0f911048687dad1dea3c2b6f5a65533e7b87d54a0ec53c8
CRC32 EDB39C68
ssdeep None
Yara None matched
Name 7c97592bf98db3b8_BD.tmp
Filepath C:\Users\Administrator\AppData\Local\Temp\BD.tmp
Size 481.0B
Processes 2416 (svchost.exe)
Type data
MD5 567c8960454159af13917be54eabf247
SHA1 35e13d7e5adf9a26900aac4cbff3155a451f7d72
SHA256 7c97592bf98db3b8f351cd5eeed7311912f7807cd53ada605ded61f0c766600d
CRC32 B62E92A5
ssdeep None
Yara None matched
Name af91b0e16f38544e_svchost.exe
Filepath C:\Windows\AppPatch\svchost.exe
Size 355.5KB
Processes 2996 (05ef962c6688f10ed91aa93848d4932e3dbdbffd37b3e6ce87e3e43f8e6f0063.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a2f88bd59b9940bd14e5468c7e9a18da
SHA1 05201a9f9e777b65dff759e4e0f48e1332c8a0db
SHA256 af91b0e16f38544ea8ff560e08e2c61615a49075f1cc2dbabe768e3d5b4341f7
CRC32 3646A7BC
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
Name 2f3db9f3d067f466_computerz_hardwaredll.log
Filepath C:\Program Files (x86)\360\360DrvMgr\Log\ComputerZ_HardwareDll.log
Size 65.8KB
Processes 1248 (ComputerZService.exe) 2112 (dll_service.exe) 3008 (dll_service.exe) 1756 (dll_service.exe) 1084 (dll_service.exe) 1040 (dll_service.exe)
Type Unicode text, UTF-8 text, with very long lines (596), with CRLF, LF line terminators
MD5 70b784e8b9ff338ef79dbaed79a51af3
SHA1 5b6acc105ac756bfe4b56735274dffd4ce424852
SHA256 2f3db9f3d067f466eabaca567ec03a6a473448304aaeb40e16ca7e7e22073ab2
CRC32 8C791B95
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
Name 999a2d6833cfbbb1_ComputerZ_HardwareDll.log
Filepath C:\Program Files (x86)\360\360DrvMgr\Log\ComputerZ_HardwareDll.log
Size 127.9KB
Type Unicode text, UTF-8 text, with very long lines (596), with CRLF, LF line terminators
MD5 89827550801d5a6a7ec9e2c36499bf3f
SHA1 0d6bf89da29804c73ff58746d3796f44f4e90f92
SHA256 999a2d6833cfbbb186690c53c99544c330f9283cb1eae999e3e17ced7a957ecd
CRC32 323D85A1
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
  • embedded_win_api - A non-Windows executable contains win32 API functions names
Name e3b0c44298fc1c14_FCE0.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep None
Yara None matched
Name 05ef962c6688f10e_F869.tmp
Filepath C:\Users\Administrator\AppData\Local\Temp\F869.tmp
Size 355.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d681b7a2d38a34b0c8f1ec7a03795807
SHA1 cd4aaf399ee02e65f7801aac41269cde6c844530
SHA256 05ef962c6688f10ed91aa93848d4932e3dbdbffd37b3e6ce87e3e43f8e6f0063
CRC32 D2EA2482
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
Name 501b45da2f14fb66a5098cfaa2e35fcd0070956c
Size 327.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 279b5a7863f670d3f1566f68806d7a45
SHA1 501b45da2f14fb66a5098cfaa2e35fcd0070956c
SHA256 ab19b5e4a5ab2d1140268e112aaea46926692dd38fbb23a11c2dce5e425f821d
CRC32 7CD47E0B
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
Name e09fcbbc4e17841b7d18562c6ac7f74b0c1fb970
Size 330.5KB
Type data
MD5 e10828b1d99633018a930838db62f36a
SHA1 e09fcbbc4e17841b7d18562c6ac7f74b0c1fb970
SHA256 d5a0283bd09f120f4865c7bfcee70850de7e02cbc094d84868ef75861a6519c0
CRC32 CF3678D8
ssdeep None
Yara
  • shellcode - Matched shellcode byte patterns
  • vmdetect - Possibly employs anti-virtualization techniques
  • embedded_pe - Contains an embedded PE32 file
  • embedded_win_api - A non-Windows executable contains win32 API functions names