1.7
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.70
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Kryptik-LZY [Trj] | 20200125 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200125 | 2013.8.14.323 |
| McAfee | None | 20200125 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b6e2ca | 20200125 | 1.0.0.1 |
静态指标
查询计算机名称
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545336.812875 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
检查进程是否被调试器调试
(1 个事件)
收集信息以指纹识别系统 (MachineGuid, DigitalProductId, SystemBiosDate)
(1 个事件)
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | AUTO |
| section | DGROUP |
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(2 个事件)
在文件系统上创建可执行文件
(1 个事件)
| file | C:\ProgramData\Mozilla\iqbjnwa.exe |
网络通信
与未执行 DNS 查询的主机进行通信
(3 个事件)
| host | 74.125.34.46 | |||
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 60 个反病毒引擎识别为恶意
(50 out of 60 个事件)
| ALYac | Gen:Variant.Ulise.85086 |
| APEX | Malicious |
| AVG | Win32:Kryptik-LZY [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Ulise.85086 |
| AhnLab-V3 | Trojan/Win32.Dofoil.R72147 |
| Arcabit | Trojan.Ulise.D14C5E |
| Avast | Win32:Kryptik-LZY [Trj] |
| Avira | TR/Crypt.ZPACK.Gen7 |
| BitDefender | Gen:Variant.Ulise.85086 |
| BitDefenderTheta | Gen:NN.ZexaF.34084.iuX@ayxTUlj |
| Bkav | HW32.Packed. |
| CAT-QuickHeal | TrojanDropper.Gepys.A |
| CMC | Trojan.Win32.ShipUp!O |
| ClamAV | Win.Trojan.Agent-1385608 |
| Comodo | TrojWare.Win32.ShipUp.CJA@4yldz1 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.a97876 |
| Cylance | Unsafe |
| Cyren | W32/Troj_Obfusc.AX.gen!Eldorado |
| DrWeb | Trojan.Mods.1 |
| ESET-NOD32 | a variant of Win32/Kryptik.BDCJ |
| Emsisoft | Gen:Variant.Ulise.85086 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Troj_Obfusc.AX.gen!Eldorado |
| F-Secure | Trojan.TR/Crypt.ZPACK.Gen7 |
| FireEye | Generic.mg.da7f1eba97876508 |
| Fortinet | W32/Kryptik.BCX!tr |
| GData | Gen:Variant.Ulise.85086 |
| Ikarus | Trojan.CryptMIL |
| Invincea | heuristic |
| Jiangmin | Trojan/ShipUp.qr |
| K7AntiVirus | Trojan ( 0040f4c81 ) |
| K7GW | Trojan ( 0040f4c81 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=84) |
| Malwarebytes | Trojan.Agent.RRE |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee-GW-Edition | BehavesLike.Win32.Dropper.ch |
| MicroWorld-eScan | Gen:Variant.Ulise.85086 |
| Microsoft | TrojanDropper:Win32/Gepys.RL!MTB |
| NANO-Antivirus | Trojan.Win32.Mods.bxplyh |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM20.1.CBC7.Malware.Gen |
| Rising | Dropper.Gepys!8.15D (RDMK:cmRtazpjlqUnJEaavfMt4FYJvUyh) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Kryptik |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Tencent | Malware.Win32.Gencirc.10b6e2ca |
| TotalDefense | Win32/Gepys.WEeVefB |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2012-01-15 12:35:48
PE Imphash
4ea7d68571673a8839985c042886878c
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| AUTO | 0x00001000 | 0x00001f23 | 0x00002000 | 4.348964522040218 |
| DGROUP | 0x00003000 | 0x0005a524 | 0x0001e000 | 6.578495146702318 |
| .idata | 0x0005e000 | 0x00000650 | 0x00000800 | 4.3465605103333145 |
| .reloc | 0x0005f000 | 0x00000000 | 0x00000400 | 5.109574779044195 |
| .rsrc | 0x00060000 | 0x00000000 | 0x00000600 | 3.2971911010539454 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_DIALOG | 0x0005e2ec | 0x0000020c | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_DIALOG | 0x0005e2ec | 0x0000020c | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library SHLWAPI.DLL:
• 0x45e178 PathAddExtensionA
• 0x45e17c PathCombineA
• 0x45e180 PathFileExistsA
• 0x45e184 PathFindExtensionA
Library USER32.DLL:
• 0x45e18c FindWindowA
• 0x45e190 GetDC
• 0x45e194 LoadCursorW
• 0x45e198 LoadIconW
• 0x45e19c RegisterClassW
• 0x45e1a0 ReleaseDC
Library KERNEL32.DLL:
• 0x45e1a8 CloseHandle
• 0x45e1ac CreateFileW
• 0x45e1b0 CreateMutexW
• 0x45e1b4 FindClose
• 0x45e1b8 FindFirstFileA
• 0x45e1bc FindNextFileA
• 0x45e1c0 GetCurrentProcess
• 0x45e1c4 GetCurrentProcessId
• 0x45e1c8 GetCurrentThreadId
• 0x45e1cc GetLastError
• 0x45e1d0 GetModuleFileNameA
• 0x45e1d4 GetModuleHandleW
• 0x45e1d8 GetProcAddress
• 0x45e1dc GetSystemTimeAsFileTime
• 0x45e1e0 GetTempPathW
• 0x45e1e4 GetTickCount
• 0x45e1e8 LoadLibraryA
• 0x45e1ec QueryPerformanceCounter
• 0x45e1f0 TerminateProcess
• 0x45e1f4 VirtualProtect
• 0x45e1f8 lstrcmpiW
• 0x45e1fc UnhandledExceptionFilter
Library ntdll.dll:
• 0x45e204 NtClose
• 0x45e208 NtOpenKey
• 0x45e20c RtlAllocateHeap
• 0x45e210 RtlCreateAcl
• 0x45e214 RtlDosPathNameToNtPathName_U
• 0x45e218 RtlFreeHeap
• 0x45e21c RtlFreeUnicodeString
• 0x45e220 RtlInitUnicodeString
• 0x45e224 RtlLengthSid
• 0x45e228 RtlSetDaclSecurityDescriptor
• 0x45e22c RtlCreateSecurityDescriptor
Library ADVAPI32.dll:
• 0x45e234 RegOpenKeyExW
• 0x45e238 RegQueryValueExW
• 0x45e23c RegSetValueExW
• 0x45e240 RevertToSelf
• 0x45e244 RegCloseKey
L!This is a Windows 95 executable
`DGROUP
.idata
.reloc
B.rsrc
_QRVW
_^ZYSQE
ZYSQRVWJ
_^ZY[SQR
ZY[SQR
ZY[SQRV5
^ZY[SQRVW
_^ZY[We
_^ZYRV
9UR@.@
W1h[&@
;E|E;E
EtL[&@
+SQRVW
_^ZY[RVWF
_^ZSQRV
1^ZY[RV
ZYSQRV
^ZY[SQR
Y[SQRVWT
_^ZY[Q
_^YQR_
^SQRH#
_^ZQVW$
tPMM)~1E
EBE;E}E
}_^YQR
^ZY[SQRVW
_^ZY[SQRy
ZY[SQR
ZY[SQR5
ZYRVWe
_^ZSQRVW
EVEZEfPEzEv
ZYQRVW
_^ZYSQR
ZY[SQRVW
_^ZY[SQVW
|_^Y[RVW
_^ZSQRVm
^ZY[Q.
YSQRVw
^ZY[RV
^ZYSQRV
^ZY[QRVWM
_^ZYrlaQno
AWzFnVbrneSS
lkvvELd
oVsErn&P
VdrAERi1vEPPPz
rVodEc
ElllrE`
tEzESW
Ee`.EnE5dsEzteadynEAdan1CEGFi
EcvenVVnPrz
SEtieEnEP
SSpFlVXEe
SPUFEMlurEFptrlEvwEoEeEdztaPirnEEePiSafSE\anezpGFPEFEd
rF1htu
rdeVslEdRmEoPdnEVndvtan~EelPEVrEdFdltnnSuBe1tVnEFvEdrnVrr
dodX^40lcdQV@e<V
4^S_xVNe
hHiSwWE+
1PG]jr
zvnEhrE
EYeEvP
Jsjjw0
GhjtEX]tE
0p4uXE[
_+_ahV
<UPUj_1u
]8jB]
I1AP]E
t(J@tPb\
EP[^R1%E
ghOb!M
a oot/D
qqqqq0
qqtj8kESV@Eqp
P4 lM@Q
j30Ga34M
E4]LM4
N19O_NNJ
8NNkEONfU
PDhA^D
E4hjpj$
VtDVVS
WVtjR`
Vp3lEV
UV0dd/
GMUp+E]S
RERP|xQ
@jjxRj+xV
RA|V`+P
`RQPAP
PqMfV+
QDQhQ+
PF R
AhRjDjDhPj1H:
EVqD_]
f_tD.
+@p0fjj
fQ0L @
]_,jJ]h
j>+9f@hf
j8,$;>f
p>3\u>t9@D
h3@hpD@
jhhjp@
RRjxDt`uhx0
D0@=0f=
jLwfftHff
Df00Ef
ff,@ff@ff
MhTPfD
RpFH0h@
fhM^fPL
39L$HD^$z
]Uu$GMLV
$]uL$L]
DPL3Dg
Qq3t@L
]Pgjhu
DR$]^L
33MqSU
t93uu-
UP]+ff
V(jM6pDZ
fP,%DDD
xp3Y@]
jj=t@p
p;t3VV
D5@;D]
@E9rh7t
@t]]r]
@6YruVx
\WtjbpY
U9fttuhY3u
A5D>fu
fq39tN
utf3MM9"u
utsYXsx`S][@Y;@;EY]D
V^tE3YPY
f|5fYu
Y rD/ 1PtDD@j
h=>@uP
FVTpC~
tp@355@
pp5hq@@@e
Y^YFPt
a@1W@Wt
@u#l%u
h5hp=W3DW@
Wh@D57
WW@=@@4
50@,@Y
VD_PpDYt5
Dh5DDY
SEEdd5
EtEt9ML
xc3sGD
h@E@@@@
V`tV`$Y
0`qW@;3
4Dtjj@
E;4;#@
PDkpuj
r6h)|D(}
9#VPE#]
j+tY+u
OUxMuYYU
M@f0pj
fMfVEI
P@S@@@u
VHt]H5
DtPtjt
wUPP^P
@SP;PQu
r#C@@H
j3@@^DUVE
3Ath;_
EPdEE^
Lt$A+3E+
@Et"~U
hP@@Tt,t
PMSPD|t
DDjDDP
D3u3tjEtut
u^t;uO
'UtEuD
tE5^T:
]P93u3
uUtWHK"ju
}]fd3WJ
V0DuWVu;$~
DYuPUEKx
Y0tVu03
uvVW]`;Uv`_
@^IFW)_
DN@N@D
DDD$@$
N$@#DI@
@DDD$F
tS9tD;uP
^=99u9
;PtYEtt
(QYtYu
3Y33@F
puh@tt;@@@
uDS@]upS
h9@s0P
jQP;hq
d{@Mpu
CD3DYFhDp
p3@5%e3
URh]tj>_T
ujjPtp
oftouM
f ff`uIff
Dvv@Yj*
$\vY(v
vy0vv@u
vvc`Hh
LP@vvd
@FtPY;;Y;
ttP;tt@
;5PtY@
H35P@;F;FtY
Et$FtE
UFFPF;tP
Y@P>FvYF@
8VYPF
3EPE$Tju
5@t@Et;
;uu6S;u3
;uuEu w
]=W(9uua3tSSS}uMup Mu
Y^V$UuY"
uuhuMtSp
EuUMM$
uM@9]M3u
tSpuW3jPu
@uStEp;p
$2pujh@
uhjRDU(t}S
I$P:;v
Ph@t45
h3[P$Y
rRaie
culion
omihk eyI
ncsri
o cRcn-tln
is6 ti
Lilaos
2csWVF
KlrsneeGc3
rWbyxrcMb
upaeuu
AdaSaa
rdDcrc
eaysOoeMu
hdMMMeScJdesdJn
uerHacyT
rd rrsu
noaSeyT
luaaMTFuJu
auTurnpr
ySydauu
kvy3(3l/
tow!m st,333)
i?s_=zr
e|u3q`
zmxo}0b%
GK=B_,
HO*P4UN "T
E;MS?I#
5+12\$
J/%!W<KE
YISILI
SnWijRp_
acotjl
MtFnuCikdGe
~oeWeoNFkeW
TFlroem
Vstali
eeosrtPtePe
aestWuGWleIde
TynaocreamItStcerro
cmSheepo
FAsstEG
TsJxpH
hturCi
etesFeFreGtat
lChherpWt
iteeGyrtmGe
ltaerGe
emMr]LLll
pnsdtes
tNomalWTcl
oElmMeaRLhaae
WleeDERCMemN
greWLgGKae
ccirlso2olAaLeaasrWdrdnasrSicaMdnntstAna
ladtoaaottc3lW
eCglaiLIWscWsertelsaoueae
idrrnQ
eWPeaDP
myxdtiTeegeidienBWar
nWUoRntturp
eniwmo
eWKEeoitCnoswWxP
DsRBsnanoOeles
dwliao7EyspSgnao
etiDMldl
2iRuCtelioxSeaeexclceAK
UL!iRE
tuoeV.DiasmeIQzeWnC
eixCennueizCLW
SgWgtl
y.VeitIc3zue
neeIre
ueEneEWhlxxeaUt
0dlalut?Nene
n~Cis2aE
elSuodGee
oaoCeit@
aEPaRrEsgi
letmde
dOtoscu
pnetuidTecnCSxac
enlexoalTrifee
dthteaEypAeTT
tecrsrIFit.guUo
rtubleltnPtrot2en
cmunGoisnota
rlhl3in
dentPo
fseuHlrle3dr
ppESgeeUPoTGISiinH
tdenrzooe
etismnun
ettarSeSdl
Gxnitsee
toPEicgiSdrGtirrlnmcr
Aatede
neilSdnl
lodPedrDorneoEt
SWeoSsrSeStPFGl
nidicutsneto
WaSSIadlsscDinAe
FTEtstr
nceGoelen
ScarrltSoIiatnl
eodtel
Scrtocl
LGSEleyetdk
trCsFT
SrtGIte
uenDVepTruSekretrsio
tIlCeerc
stlteeottPrS
lilucPaeP
nisPeLtno
uCiUpnwrMeneeha
vicugOn9C
lfEeimc?
mCirednr
tPflGore
errei7Heee
iCaoded
CQtlrI
uCdGWaeoeeei
CictnreMaaaCtne
oactRTe
VIaniteeCtrraEtytc
eSWyLW-
pieMttee
ayleatii
d@}@~@@~
|`/|(\<
jpth- D`
e",9M*{
S5[8Jq?ul
v(2wE)d[
%BMo*$:9Z4n
\aJ=EUbm
A'g*SI!T
~K:EN&#Y
LEhd
3=PT.l `9
o,jy>a`:
q_pgkq::$F
:B$Z:FVU>9c
Ga)5bK
ax9ag12
awfbwi
aOZw#)0@3&>
ycNG&y W
xeU0Jm
f2$oo"5(#T<3lly
Fll-sd[_e6
=fDN[:)d
X)S6 o7
?+g)"fAK
ulpAVU#'`
cl0-mkV
hR5Jc12K08
KCiO%*]
F*~co*,
WTk^*q
TP"*A9n
c5|i?M
?u}"lH~@!
t-j(fA?H3[\?+
B~*+ !%1
W*+"t-
_]ZCS$z
dwZ]"TDpo=Y\R5
dc1s*Elk
q|<!gYB
*e kG%
_!6n-6}
!VQG)u
-.h;Goj~
G<C|GAyTGGI
+wf02jdUs<G
\.)g3Q
n0HZy?
I70/pIoF
bX(-@AWs'b!
GeKwY>
CoM+UMG
UMAlu*i
<8w;UH
)8 HuUUSM}mM;oNM/;U2
a'XRltrj(I~
ZHqEwd1Uq
@.T<2]
qPk7jE>qD8akN
z?|kkQ'n1cA
I:wtWJU"
y"+>>+l+K
T2(8K6
.<{,>1*"f
`P+LP#
/ r+"=o
fI_1rr
i!fnl+
bCcJ'I
~=_cb5YI
0U/5IDKQ6$:
BL)HWVoo
&Dvy!5
B0 ]WY
1B7H$q
HV`xT]
T7aW}?
Ji4R? I
n!P}q5_e3X
HDe-5ca8n<G
Ef?0q%B%z?
'6d">%
X%uu@~tA
9u<R%,5
otnu;u
_Ad|g@
]k2Cp_
S~y AOT
k9}lA"zo
6Bi_*,.&
7\#e(xGUC:z|p
/7K4Pi}H}
_GUQQ[+
eKR.$]%
YhP`hg?MmvVNs/I
h#G*; [
v68h)b
1hbTD0
t|dcK1.
*vQv2
(?1h_um
-uK,0f]
>#H"ru1
y["7{PrP~UHD
".ih&JxT/ Q
w L/EM
sD;N<,@ruRG
D&z?HLm
,"$K9b
3cJVV{.
VQhM)2yZ
s7}'lV?T2
o'??B?
Q2.pv[
SaA- Y
WKaQBP5
YBhe^wq
}I\hzB#
Zz=C-G6<Kq4
rB/^GY
DlT1{iwC$
wS~&t|
+mje1M
l[Uzz*
6 * 2_
><@tx[
BBy.
tj+(+^u NM
yq\^S}%/J
f6G_ Y-.I!
D<=oFg{"
<a!)j"V}Er>+
')DiW2D
NB[IhNKt4y
yW$v&[
1|* >]
fc'& { u$9IG&
ff#RX@
ut#Y#b-(x
|VFw?#
i!U#V4_!,%E(|x#~p#
JFJsN5FE
Wx>[FDj
*r2b6r
qr$B[Ca
|ABYu"
&YNJm#'m.!?;
(dMSgb
Y @?B,zE
qkH.uSlD
~jw9@k
}V1g.qVz4#
.W6P1B
JfgD'G@8;U}3bJ1r
\f?fBAp[m
>@W$a#pff$
@.3{6fJ
;(/K/f+72V
NqDchF6@6d}|i
/v6KvX{o
kral:0=>e
(:vs3)(.^
B2]Rvv
j~iueG,c
r-qL"_T(C[
`1O}4+
gKVdol
^ otk?sj}@W`
sAE<KBoLWAr
U j=Z)AI'
xwgAD/}
pf&gGt4|
NIDy')
%SfEB(k
|a44<I!
,w32QvF,vcp
puYmWqJ
@Dq1E5sIM
5ntV.Srg,
?oHUZ^jGV:
~b{MTRY
![#qoYD%O
Bec8]!;2H{eD
Yg@4BBr:F}X@
k9Yidr
]B0af o
_HBH2 yr&
<B0!-[`;nB+!Dn
/^BFiNt
N^4m+[
ucz#?[
Nq9j)XNNL>M
:-ZN&e
sN*JI~{6
7+S^yU
[a)ONWrt
8Tpl]{
$mjQ3}
yXj4[pp7y0
.9@ {0
JT\9[*dre_
w",)kI
fUytqzD9
F9JM}%}V
&7zjmx
E[ JR8
i5YmmbvRtQ`T>C
ZE7rd>
dbAuwN|>
1_8BCR
{NVk>>
VHarZU
,'qWq_qynmjA/~)
fPYqJ&~:
@(!&yqL
WD{Mxqck
M$)'Kq)
ewOT:1
!U. ln
`Ag$0&FO
|u:`\$JX
*XTwvE5+D
sl(*5^q
\t6,LaBsm C
i =f/
8++Ng`f&
x1|Io*a
g'ks5%fv
hf6fQpr>j$
-+$1wI
}<kE;3!
eKI`2J%`
]-v#Z2 iYJ a
Yoz`A<
P6k!Di
E"`jZq
,'V[LIv:~Z
G4}&Nldqy8"
n_)ZMH
n$.>=>g
,tdE v
[]WGZ4V8
v$Or3X
v5mpF|CDF
WJ"qZFY
HC7*8?s7Qq
II-7")
9)I2>W
`bfwS6C2]fg
zsC(@=EH!?
p}'G:XII
s?=w$o)
Tz_IzZa
#rIIs0
HT m :=
:fx` 33+-rr*8W(3"aQKd
YPb^4 }-6
9NAwW; 3 K
t33%?K?!>
\"Xvsv
G[`/7
0<^U0SWT
<+U:Kf#H
D_8SP\
'RTcoNFS"ut?QltU
LSLdSc
0w+\Zwh
(iqE &
bmQ)\4
&}9D!zv,Z7`qr4E
MGb&O&
Dt|VQ#o"
05Q0Pc"
Lbb0b0L$0$F8N
$U:b20v^j
|dJ{U7SaHZ
$s5b6$nz
w7 $i|
v+$ #gK|q\^
:=k ew 7
7\P8myZ
H,~L3?EG
5eN.oqI
dLFA%$
{f"q_#{
:>V:o#l=
nx;B)_D.
tW*-in4@N
j$njxO!pFR|lDP
iv)3):
<aF9 S]*9xE
!}a6tn+
-W}%7@:
4dBH9V
/mwj9y^BzMJ
#8i78C
+Snnr]pB
xvI$6$
uN03TIj)
x;:p-O
NDrONJ
N*UF(AN^ZKHUNB$
;ltW VuHq
6H-1lTOjoL
Q|m1]7
VuA/e\
6%Y,H"0Z
[p5=GjKF
JrLRzp
SRFJ#;
W-`|^!Q
"6RLQ{
i;U 34
uRci4g
)f%{3hF
6:|TY-
nliWn#
TF=_-Q^o-6o! D
a#-yYEI
(mdfmd
77:\y'
\>mQqm@e 4J
jU4Ymn0m.tmw
Wi{k&P6gBg(
9XOaW/
M1e)i5(l:
ayoU+[$17
3h!n<GnF+tD
`$vt\DI
M2EqwIq:YSt"
0V;t)B
T(x=.O
f!MI;P!<k&
uv])),Ka}_#btmZiCi13T
AZct2=/hI{D
CttoZq\e<t8x>.F8;b,
3tpi ;
6wT8^Dw^6u4
lsht1^"
KI^^^$T^;)J $j!1H.
)jn{{A
^\G k~^?m
IN )!
w1Z7QA~@
GV1t{rNO
>q?I&bCM
9_6SB?
NG"7XiAP
@ZA~AH
I'+mpQf
@bPM1!k
.='f{_5Q
0.?E)HS
6mhx=0
m9|`+mU
L0'Vv3`
![Mp!d
wwv7m(Z[
$|7SW~U
?^^Rsx#"
Wp1Pb1#j
z|esRRlD
i7U`S\h,
oAJnH
$(K0jo<
>29SqKd+Q
?EyQ <I5
y\Zr2dLguvH
9}g:AMhLOFMaLD`
Lit)c1xLM
eLOwFQ}
# |pO3\2
I7~74A>S
"O#S^5GFh
-iUMLK!^D=
F+pk3y
L<S6H}%`
*KRttw,
RX{[o7>BNT
!7Nont7
EFN>)
.{Opgg
yU4'}1P_
%=e]%Y@s
jpl_ x1q
q1JXKN\bE
zqJqTZ0Omq+
o"RsY`#uvM?.
VC91<oirPa
<XeNOL
4#ryK+xA
E>v vYF
QN%uPT?
0rN(zG-PIN
DwaP{
?>jhLOM]ST4@
JxFP=!a#v
]O3_j/
2^l\u%
g ($8]f
i'K @jsaz-Q|f
hJo5S(
nW[koQC\WfW
Ib,UEWC
z*WecR](8xj
LjFG azaL0
+2|f2}z
aaPJ>Z
83X~N6y
~FdE7y
`-!'*9F\iL
k(<P;$](>
#Fy3~Y^p
fbQ=A_n#33lM
nX3Yi1<%$
Da5_#tl9=Q
t>N33!,c
mY_L]kY}qMn
r'C5VaQpB
~(!^8Y
A:!39<B91e\j
<Yaecwn99]&Cn[c
a,vE{4
EKFs$D
i#XD\Sy[6
ylTs9vZ~~6!H
uS)<yo$ X}j|2
aSED #C]e&OP'W7
&ubw^~
%q0jQo
HxizK@Xa,
z?]%m<`
5Cj;0:}[A
DsggSg.@
JEN"UP(z@
kW$>O!`8l9*
cR~n2rv
>wdX`Z{GDQ
]G>33]D ohZAxP+1]
WK$"Zv
,G~Iu:Kf
@Tm(aZ5
{ubahq<.
HZ9:gb[R%=
):p)gSz
<\! wSce
4Q7v&K9j\
brqX#E
#.Fq<S)+
#1~N_*H
xiHrJ#'
+H=#G4#W`[U
lieC [
iDM"fnT]x
AUDPk>w
=sqU72)
p#=9dW
>llw
W1sl=
0 oZcF
H+1;+ux<g
#Bg~ep1'
l60K/GZ
1s9C3D n.y
<_|A6g
f\7#mKnB/`\]8{
|TPx-Uqa/
6Lv1M]
;eP?]Y
OUN4*"
um^#Kv>
jzK`C+
9iKWG+*y
5`V#y}
>=1}|a#N
?BO|vS
Z_MR^)
`/V;}$T
ry*0dQ}
pxxww{ww
`M5b[44
yDa'9d0h
2,.]"`@W
/H$D'Lh])9hr'3
Q,3<]$+
y~'/5=L
d$5e>ec\*J
U0@`M8
2h8(:Z
Zez{}^
de{{cmed
xwwxxxw
wxxwwpwwp
wwwwww
E;|;qAO
;;q=E:;>
4;q;rE
l;x;;;QB
CUn>B;U
~IA@WxCA
WJ;;WG
%;<DB;@h
Oq<>;Dr
VNNODj
c;F<QFJ
b1;C1F;
>~u.Lj
MMh`|M
`CRVC`
vqF`hq
)q)))q
EaH+EJ
t!lnEE+++
$MO@NNM
dZZv[n
lnd``]@rDxW
<nr>}b
n>:Q[u
e'@^u^h
>PcHDy
]tobExz_^
"vBH9H
j]s;@wn
VorylU
wwwwww
UWW=kH%=
H};EqQn
;;;<;:
@;FAOAU:E
q@WqPGIWSWU
D2;>w1s
DalqI;;
i;FB;Z
oFF`MF`kM
F`[V{a
r9IpqF
zEJGBH
-sorx=
a u %.0
n"cea3v:l =
snm-lantmc
mmc s n<.aitm
ha=ss
=i0sroohovsm=
ctx< >mrs"sm-I1ne
osos.mm
ef<" y=
i i c sg/iq
ir>rtvenuvee E c r>e>e"t s sel u A nrcestiseee>yet
u q r
< sotv=L
syk q<rx/ xei o<sv"e >/rsra u
uqeented
"u>sPgvte lsvsel
o dulseeai =Psiue lcdeees
s" e i lsre cs
uf<ItsldeEees L<cDGNPIA
NDXD0DZXDA
IDXn0XNXxDNIDXN
XG0NAa0
1lNDPmAGDDGNg
ADsPsDIP0PAeDGDDDD3PPDDIA0PG0N01_DDRD/AIGPPNXf0yDPADPtN0D
AGGD04XD>DtND>GmaND1
uDGAIXXXo<AII0PD
<1IPDrAGAb
DAPXII3ANP/GII>4D0
$40:154
4<50< 5054=m85k*
r>?h08??
1n>i21
z>?64940:?;>4049x?
>>3?8>4>>?<S?
=>44?944?>460544>3<_6\4l?z447xD
844784>48
E6d4Y3
.j(25G>t98267$8C#7:
b3575p4
166833=9::1R63
G533C38305622382335^
667x867:4
=1u75/852237f3M23934242782
995237I1=<?2?0?::0?<<<:2;<;*<<>r<>;=4?_<^1
;=:;:?:;?<201:L"<;.><:<4:=Z[
?:=;<O<
:t+U<4<<2:
<T:2;x=q>c<j=
2L:=:<:z:$:;;
\??:55OJ
;;!898Y
;;:8^7;
4}4;i4&(68o
;Y5z:47Nt8
;67=8-;
;7889+G9
5;775b776
8Fb9s4:
Z;b:d7cqi7wFb8:;b8bT6L>9668695Oci@48;
:8b;8:5;9^;7,::w;8 81X
4>2?4?<0{==@4
1<;>;>=
#?>;@2
14>rB;>2Gq?u
`;1h<0
;>=401
d1Z>'31n?
03;4324?
5?9$;>
7798 8>>5,6?9=;8<5w
?7=9$>z86>06:8>N
?6>M,5=>:>>5<6?
(88?<5??9_R7
}_? 9?99??>l
?8=]=<9<<M?<
5H <.9<7/?
><6S$8:
:=47#8:@A
667:H:6Y :<=67F6<A
9E<q]}
7P);?6t?6>:
z2`58::733<w:
<7(0(=3
?4:`494I<
<97>_?0Li>;;
2!l?~7
365<?2975??09:0
aY:<10<018
1<<,+3:<4
9:4::94
<o<<<=4U84<1HC<4;<1
*41;:76=<3
<:70R:
6845|:
%8;4`4
p0v8:Pd8
lp333H33$84
338334443L3
p,344333\3344424X334
L3X3333T
3330\44
42 @43DT
333(P`P343
34|3t4l333
3343044,43
43<43d34
333<334
WS2_32.DLL
SHLWAPI.DLL
USER32.DLL
KERNEL32.DLL
ntdll.dll
ADVAPI32.dll
WSACleanup
WSAStartup
PathAddExtensionA
PathCombineA
PathFileExistsA
PathFindExtensionA
FindWindowA
LoadCursorW
LoadIconW
RegisterClassW
ReleaseDC
CloseHandle
CreateFileW
CreateMutexW
FindClose
FindFirstFileA
FindNextFileA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetModuleFileNameA
GetModuleHandleW
GetProcAddress
GetSystemTimeAsFileTime
GetTempPathW
GetTickCount
LoadLibraryA
QueryPerformanceCounter
TerminateProcess
VirtualProtect
lstrcmpiW
UnhandledExceptionFilter
NtClose
NtOpenKey
RtlAllocateHeap
RtlCreateAcl
RtlDosPathNameToNtPathName_U
RtlFreeHeap
RtlFreeUnicodeString
RtlInitUnicodeString
RtlLengthSid
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RevertToSelf
RegCloseKey
00070^0f0x00000000
1-191I1U1g1{111111
2?2H2p2z22222222
3'3/33
4!4P4q4}44444444H5f5}555555555
636;6L6f6x6}6666666
7*767H7Z7i7777777@8M8\8w8888888888
9%909:9E9N9W9g9l9x9999999999999
:.:4:H:N:X:^:r:{:::::::::::
; ;*;>;M;X;o;w;;;;<<<<<<
=!=4=B=W=e=}========
>&>.>H>P>_>t>>>>>>>>>>>>
? ?&?&?,?2?8?:?>?D?I?J?P?V?\?b?h?h?n?t?{?????????
0 0,0B0a0o0z0000000
1&171D1l11111111
2 2'262J2V2^2k2x222222222
3&3;3M3^333333333
4"4>4J4X4n4|4444444
5+5@5L5g5r55555555
6%676M6
}6;#XDbbSH
}A"6Qr
,%h$L*
lU,PKv
fD@<.zC
F*7fE',@L
Ex_/Fl
hL</oD,
pj1rCj{S?
yj#<YS
@?,:_1g!
x6FaoM
Q=A +YFK
n$ T"t+
e ]{)}9
BVGqFd6
u|A46K1XM 2
A[=6uLe
fUKd})
,?gZr!
; ()hg+
?n=@IOA"U:
k9DXIG
.#c4<G
FZk!&H
zqWRO=_
rAxH+.q
}'0_5d
J]0/j/@
iKOKR,\l<jA{
+nTC2|0.Oz1
%?6j85j
ZvG 'LK
z\3SX,"
s"=!wM
w3kw/Z`
_W;;erc[
Dje$-G\d@a."8
#? HUyMP
OWr^FOf
XHol%cH!
Pf?htfi
B57oVc
bK8#c9
wRfTOg.F9G*h
y|5}@QwiP
"\N1J^
`wMfeHw
J}|YBfU
Q>|7vR
fN`WD@
"XIecp
eu^&fI'w
m}T <.`
F?xw\UM
]V=EW'? =
*Yf@4jo@
*T;6"^.9
gw%^L-5;y
8!ymyW=M*a<#A5=1Xoy
K:> }X
?4rBgQGvE
[<UXH\9
b[G"f!-7
V(z<"zq
@'RSl"e
p"4ikK?
w8 (sn4
a�z�L�a�p�S�S�N�h�G�y�m�C�m�e� �p�V�A�y�q�B�e�U�r�g�j� �Y�S� �D�X�d�B�k�u�I�k�X� �I�F�q� �u�N�n�S�Z�O�V�V� �G�W�b�d�T�t�O�g�i�K�B�K� �v�j�x�x�J�v�i�n�a�f�B�N�Z�J� �
M�S� �S�h�e�l�l� �D�l�g�
L�m�L�w� �Y�D�E�l�e� � �u�K�p�v�G�E�x�
U�h�G�Q�g�l�P�A�X�b�G�o�n�r�e�c�J�n�o�w� �g�T�I� �q� �S�
O�P�U�e�o�N�Y�g� �r� �u�
l�x� �D�M� �Y�F� � � �C�c� �y�
i� � �s�I�d�F� �q�y�Y�R�Y�U�G�
M�S� �S�h�e�l�l� �D�l�g�
b�j�x�a�T�Y�G�p�F�a�K�h�W�V�z�u�G�f�e�O�h�a�B�Y�E�l� �
S�L�J�v�U�E� �x�i�m�I�v�W�S�h�h�a�P�J�z�s�S�l�
S�y�s�L�i�s�t�V�i�e�w�3�2�
S�y�s�L�i�s�t�V�i�e�w�3�2�
r�z�C�b�R�Q�Z� �e�
Process Tree
- 0b849f42fa70181d93935c40a8fe9445296cc33a8c0eac7156658a5a8e11fc22.exe (1860) "C:\Users\Administrator\AppData\Local\Temp\0b849f42fa70181d93935c40a8fe9445296cc33a8c0eac7156658a5a8e11fc22.exe"
Hosts
| IP |
|---|
| 74.125.34.46 |
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | 131.107.255.255 |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 74.125.34.46 | 80 | 192.168.56.101 | 49164 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 6fabd2e475d51a57_iqbjnwa.exe |
|---|---|
| Filepath | C:\ProgramData\Mozilla\iqbjnwa.exe |
| Size | 136.6KB |
| Processes | 1860 (0b849f42fa70181d93935c40a8fe9445296cc33a8c0eac7156658a5a8e11fc22.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 745c6b3975bdf7ace68067385346b649 |
| SHA1 | ea13e463711de72cf011359028e8ce11d7e47bc1 |
| SHA256 | 6fabd2e475d51a57b67566c9db07b8272bb8c6bb45858153cda3442a28a6a65e |
| CRC32 | C584A4CB |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.