0.9
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.76
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Kryptik-LZD [Trj] | 20200229 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200301 | 2013.8.14.323 |
| McAfee | GenericRXHE-KZ!E0C76E5BC054 | 20200229 | 6.0.6.653 |
| Tencent | Trojan.Win32.Kryptik.bcig | 20200301 | 1.0.0.1 |
静态指标
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 57 个反病毒引擎识别为恶意
(50 out of 57 个事件)
| ALYac | Gen:Variant.Ulise.38754 |
| APEX | Malicious |
| AVG | Win32:Kryptik-LZD [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Ulise.38754 |
| AhnLab-V3 | Trojan/Win32.Shipup.R69161 |
| Antiy-AVL | Trojan/Win32.ShipUp |
| Arcabit | Trojan.Ulise.D9762 |
| Avast | Win32:Kryptik-LZD [Trj] |
| Avira | TR/Crypt.ZPACK.Gen7 |
| BitDefender | Gen:Variant.Ulise.38754 |
| BitDefenderTheta | Gen:NN.ZexaF.34090.iuX@aW1xbubi |
| Bkav | HW32.Packed. |
| CAT-QuickHeal | TrojanDropper.Gepys.A |
| ClamAV | Win.Packed.Razy-6895730-0 |
| Comodo | TrojWare.Win32.Kryptik.BCUX@4ys1di |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.bc0547 |
| Cylance | Unsafe |
| Cyren | W32/Sena.A2.gen!Eldorado |
| DrWeb | Trojan.Mods.1 |
| ESET-NOD32 | a variant of Win32/Kryptik.BCVR |
| Emsisoft | Gen:Variant.Ulise.38754 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Sena.A2.gen!Eldorado |
| F-Secure | Trojan.TR/Crypt.ZPACK.Gen7 |
| FireEye | Generic.mg.e0c76e5bc0547492 |
| Fortinet | W32/Generic.AC.2017E1!tr |
| GData | Gen:Variant.Ulise.38754 |
| Ikarus | Trojan.Win32.ShipUp |
| Invincea | heuristic |
| Jiangmin | Trojan/ShipUp.rn |
| K7AntiVirus | Trojan ( 004400831 ) |
| K7GW | Trojan ( 004400831 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=82) |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | GenericRXHE-KZ!E0C76E5BC054 |
| McAfee-GW-Edition | BehavesLike.Win32.Dropper.ch |
| MicroWorld-eScan | Gen:Variant.Ulise.38754 |
| Microsoft | Trojan:Win32/Gepys.MR!MTB |
| NANO-Antivirus | Trojan.Win32.Mods.bxpggl |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM20.1.967B.Malware.Gen |
| Rising | Dropper.Gepys!8.15D (TFE:dGZlOgI1Rwe0vAIvGQ) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Kryptik |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Gepys-Q |
| Symantec | ML.Attribute.HighConfidence |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2010-11-08 10:39:22
PE Imphash
ed4f7f623604dce137bb3e1b02c6071c
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x000019f0 | 0x00001a00 | 6.149584989871827 |
| .data | 0x00003000 | 0x00056ca0 | 0x0001d800 | 6.583457093470026 |
| .idata | 0x0005a000 | 0x000004d4 | 0x00000600 | 4.424958071078604 |
| .rsrc | 0x0005b000 | 0x00000278 | 0x00000400 | 2.4949494609648637 |
| .reloc | 0x0005c000 | 0x0000014a | 0x00000200 | 4.768698203894163 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_DIALOG | 0x0005c1ec | 0x0000008c | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_DIALOG | 0x0005c1ec | 0x0000008c | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x45a124 CloseHandle
• 0x45a128 CreateFileW
• 0x45a12c GetCurrentProcess
• 0x45a130 GetCurrentProcessId
• 0x45a134 GetCurrentThreadId
• 0x45a138 GetLastError
• 0x45a13c GetModuleHandleA
• 0x45a140 GetModuleHandleW
• 0x45a144 GetProcAddress
• 0x45a148 GetSystemTimeAsFileTime
• 0x45a14c GetTickCount
• 0x45a150 LoadLibraryA
• 0x45a154 LoadLibraryW
• 0x45a158 LocalAlloc
• 0x45a15c LocalFree
• 0x45a160 MultiByteToWideChar
• 0x45a164 QueryPerformanceCounter
• 0x45a168 SetLastError
• 0x45a16c SetUnhandledExceptionFilter
• 0x45a170 TerminateProcess
• 0x45a174 UnhandledExceptionFilter
• 0x45a178 VirtualProtect
• 0x45a17c WideCharToMultiByte
• 0x45a180 lstrcatW
• 0x45a184 lstrcmpW
• 0x45a188 lstrcmpiW
• 0x45a18c lstrcpyW
• 0x45a190 lstrlenW
• 0x45a194 ReadFile
Library SHELL32.DLL:
• 0x45a19c SHGetFolderPathW
Library USER32.dll:
• 0x45a1a4 GetDC
• 0x45a1a8 LoadAcceleratorsA
• 0x45a1ac LoadCursorA
• 0x45a1b0 LoadIconA
• 0x45a1b4 RegisterClassW
Library framedyn.dll:
• 0x45a1c8 ??0CHString@@QAE@XZ
L!This program cannot be run in DOS mode.
0`.data
0.idata
0.rsrc
0.reloc
USQXwiw$
#4wR4XY[]UWVSQp
#4wR4w
)pY[^_]UVSP
[^]UWVSQ$C
$Y[^_]UVSQR
#4wR4w
ZY[^]UWVSQl
jlY[^_]UVS`
`[^]US
1]UWVS$]
Uy}E#}
DB;U|E}9}
{$[^_]UWVS4E
4[^_]UVSQR,
.edata
,ZY[^]UWVSQRl
lZY[^_]UWVST
T[^_]UWVSLi
L[^_]USQ
D:\proje
Y[]Ux @
9|[^_]UWVSQRx
xZY[^_]U
PPUVSQR00
0ZY[^]UW8ww
bv;whw
8_]UWVSQ
Y[^_]UWx @
e[^_]UVSQR
ZY[^]USQRd
dZY[]UVSQ0w
|Tg0Y[^]U1
113u3u
u_]URLw
LZ]UVSQ\
\Y[^]USU
[]UQR,wdw
T,ZY]UR8
8Z]UVSQRtninmem
tZY[^]USQ
.edata
Y[]UQ(cts\progs\SysProg\work\rm\templates\exe\runinmem2.exe
(Y]USQRp4
rupZY[]UWVSP
#4wR4w
XP[^_]UVSP]
Z[^]UVSQtTg
tY[^]UVSQT-@
TY[^]]
UUE[x[
<LJD$$E]
^Ex<UD
@@STUeV
<P$_SJ
U$tUT$
]tzV$r
alU^neWD
tRbd\a4ridh$
sdppse
G$tatd$r\A4
dlAyQQaoRleRiAhrdtlL$ootWp
\al$cPtRuolrG
pQhrXRWWdQ4RRVplhetltrP\leVnte4lpahl
mOil$Qwatii\e
Wdi$dQfUG
dFr$ph$lU$es\d
WeWTtQdhS
SW\$D\U
$\$tRuhuMexltA
ep|dGG
4_$0$?WAr$
G[$|\_
aane.O
@VjEtq
pMq@Eq
lqU_q@
}}E[M30
kNOqqJk+VNO
OWkONO
X@+@P5^
R,t0fQ
@P+h]j
@_VD3E
u3Ah3X
V@3M@UtE@ @@@U@
jj@U8HUUtP8
WpWlSdW
V@V`,`
q3M ^dE
@+dW+F@0d
/WFVd++
+@dd+`
VpP|Et
V23xQM
(h+pVF+GPpW
PR$hAR
x+j1W$E A
@RWP++
xx+A+\\
R+<`AFP
hDDhpm
3Udl@Pt3
pjhp@j
jjpjQD
jWp@@p@
VjS<p@
pPW$:8
Pqu_M3D
U]\_Q_pS@hD@_@XM_
](@p_[@pD
dh0h+9
P@H@+$LH
]t$^D3/[
t@_hVfp
HMpvh$3\
$HL^@M"
ttDuRP
EP&3^+uP
@hpf@@
XEP+p@
DuL@DE
@V!qp]tt+@@
tUt;3^t
7r;5|9D
]t9D9@
tfWDuWVj
<@hhSV
{h=9SVuY%
@tV^GSPY
^duu^F
uuNFuu
5WOY=/t
utYDYfuV3$#V
Nt"flE
3E8"f}8
t9}3u\
Ytf$juu
;5E]3x
s5EYh?`Ds5
S@U?Y|pESVD]SV5DVD5
S@;pj6@Xu
;fr@\jPE|
fEDkjEQu
DMt t;@DF
Futt%F
W3uV>FF
{q3qf@p
pEYt@@
YPY@tEa=
W=Yt~hu
?5=5qt
qD@5Dq
PD,_j@PptY
fd1<h_V3
EQ]s3VE@
}t&Y3@>
~GUPtjV
&&WE&h
h[^q^W4
WPPYh]
U|Yjj+
DtD]C0+
`(jDH,
kuWG|2
@]tMS}
Y@DS]t
@M5@tUu
ru5]HE
PS3uuPu@
uDY@YP
U9VWH<
f(VtjuYD
PLVtSpS@}
L=3+@}SE
AU@@PLLE
;D,P|t
EDtM)|D
@uDtDP
tMj\5"
Ph?;5t@
DSTD9T\
uufu u
fUu]uu_
:D^uMU3
ufuM3u
UVjftuE0jU]^}ut
0UXtu^
Of["uf
fuu}OY
]+KYW9]Du;PU
p@0VU^p@
'`uuY@Vv
Nu`DD3r
r9_MVMu
@D@rNNDM
^NFE_9
GDEF@^PX
DPF$U^GG
XPPSP{ttP^;S
ttEVtY3
;WtttF*tV4
tu'utl
]jYu;uYuY_V
@YU^us
;tt"uYu
u^pl}8 tM
P;rPP3
jht@pYt
G3tu;juP
;FEFuH
F^h@F@
ep@DutD@S8
utE3W=9@PE
MFV@r;u
{Pr3u0
jEhCp=
@E3S=@f
0d$V$j]h[U
3_^^jU^Ul3$TU_
vu@`&Yj
VpY0p4
9WY@V@
Y3uDMYP
fJu f+u0
v$oNJfF
fp_ffuOoX
vqv(tt
v"UHV6vv*c
vv v8vtttF
X`Hl@v
vdvvvy@
tutV@;
YYYFtP
@@Y5FFuY@
P;;;;@H
@3t;FL5>P
Y;F;8;3;
^YFY;;<
FYFUt]
@j9(]Y
P3T$t;]X}@
@utH@jutE@
uS =^E
5SuSTY
]M3uSEUu
EV[$Eu
e4 ;M]
Ej=S~^?t<
3;3Puj
SRDHDUjT
UPUuR$
hAME$]
fAfAHStft
sCme@Zl@r
g u a
norilen/
cn litCe
t 0rtonh
pnn lu
i fuo
9oeen1
tt oe
p07p h
nax rnu1io
@@@ q@o
edo cf
tliseaHA
eptMtl
WinWMs
sMGvrcVmcSL
tBdDxdMvGd
aypFFD
tmdyyh
dyMunc,:T
bAauyS
eJOvJtnt
ludbap
TNlOee
naunyydbr
rTMhMd
otsawg
k?qvkjuze`
fvy^iz{ny
u=u_wcsur
l|le}auuxpbfnpddh]com
_Z@G[=DO`D
>LIPVX
^S~NBEF
ZJY\<?
SO:FV{TPXWRAK
18VlYY (
I7Y4#eB7
kFYZ|4UT)+KKYY
G\d.lsYet
Sdjxasd
lndldip
FeeWCdi
lVezel
(asemIeTlIei
erritHteTa
TGirkGr
thEdreGrTeeeieTe
CetsFeFcemC
elSesTvSooteT
tnicGpcHrCpe
Tudetyipehseoeru
nmdPoaGFPPD
lTrtytlTerM
artt2I
htmWceoAecoaoa
GeWroaWhl
eLssae
rsWdle.Tr
ctWemao
idLrmcslacdGMtyDneNotlLottTepdlnisDWnM
GRaNreaeasgaeelo3rK
gdeois
gLPcaSncLs
dneaaWArMa
raeaoPiddsiWdWS
eoxeDi
yPnrsmce
gEsR3UwtPtWnrWaWnUogimo
nWitwiPnneW
iEoexs
TfgMxoi
innBrdPBelP
rPPeeg
ansnEEooDng
sCn7drtio
iouwSrdtWDe
ea2I!QEyy.r?uR
u2eEdcxgEHl
WcnSetE3et
llyxxIda
A0LgleaeEEWDlCEEaSioi
@olpmsVOGrEnisan
EeNnSeCaaeW
CegsElnRelReL
hlxaWeegtte2
a2FtdocUtar3li
crarFnt
dhfPols
ISEuxstUenWtL
lnetstanie3Ilegne
idtneducSiertrCetOiU
retcuneotHEtIsnnd.n
Doetac
tcimrtpohfeGSepopnesEl2P.
eemzuCtyilGre
rWGstdrsSonntii
tMAcnr
anIinensolotxCe
areneSr
sderrulrcdruvlHcreetHiendt
netier
gritorilgi
FstPoePEHWndeegodDdd
GnErno
eeWSsrit
oenrnaedtreceanenrm
nlnrGs
iaSCvnnmtztnt
ooePsk
oniitCntptasaEGciL
elrloEusIEnrt
SroroFGeetuTeCesDLtcnT
rTeeiolteGts
SdlerSnay
VdFnrttee
eieDaclAI
roltTAIo
nisrny
uMaSrHVCn
wcCnei
CIeeeee
atelCtneyrrr
PeCCAaa7f
tnirCdne?tnnlEQitiGeoc9ncgUttLveLfa
CLnCeCor
ptrCaieaonnS
tnGlnuRt
mWeeCblGh
IPihdcrd
eGtFeS
BWaeryWreW
oeCettCA
IjTQ{g
hBs:m{Xl
eg8a,:L
RppyD(
2fdpVRg[
Hw[RmEU
rR^jJ&XW
?22kn@Kz
Y~aJO%t
I_x 6DN7te
'w*nNgTVN
swnk|<5|u
jDrN@QX%
#kr6ot# ^Tns
[]8q?q\qoM0$
UW;J3.
52]_KCfg1n
Y^zQ5?
5%8bY(
M-R=jmU
i%~A5%%
=&L7"|.V
B9^ry'F'
-^t~L6
cW:6:/ h
Q=!z=2=RM
!B"atx+%
=)K)m ^XlFUrJ
4\">B[
S[Q$.W
wqeO=Nf
uH_Z`&!
OO:T$%~Gr
+Nccrc<5!c
b#pcTL ]
<4?y[by
#}DYoi+
HIc}@8
_fS|yu(',
cz4MChr
1yC]rv||IcDT
ikpCp;CD^Dzlt?69
.:G1,.O+D7
,mJg,C4~v'^
;3ZoV-
HBVGWc,9
VS=*%Wx
?~!YgR
fg?M?[
ft|R@G=
rLdOkBR
3;SPHr|~ar
0uy#]6j
PS;r_2
urjO_L[;A|`cix V
;ra^`5(
.,WDZ
},,8<~*n$Pkk
|Wu@x!EU}u=
g%w&tdSj2=t
,ZiODO
x2bv"_#
X]L2&XJ^f
9ubpCLQ~
MW]dR}.r6(
c{eKuavHu
?v!!i{*
3Bd~)w1i
U;8rcE
M|?Lzs
^PMaUo
mI]sG^
e\y 7>:
F}*Fae
z e!SR%
e/ _Da
g.;?GI
w|M``BrGdjn}i*4(P
T]*&~>`D$
0q _l_XP
Jr5i\_6-=.
=+o`7^-sKA
:_:3&VlU_
_# *g;
H_O$B};7
-ygJ'Tlrm
~gmAGB"CU]
JolM[R
%&NZomK
%SU;h!
66W W[
;NR}OK
^zL2-MS
KO-2}v,
Z/Ev:5{1=/8
<^$#Wmm
/0tB'\o
fV7z1Oy4`?
l,g&,|}u
#2.4<B
."dVo4
tLlzbg
>Ml7>fQ
+KG+8S
HemwR*0
2Y4L-%Ykq
Y;fcJo(H#
4-w^4i
}[Ct*d&0j
=6'Tv<
ptTigr0
X|/& j
c&;Tz EIX~TPo,4Yu
\6|s%A
b,F~4E_EkGB
h%eLsRu{
#~3>0N
4)ZQUN;ifNp
3#:WcN
Gs#"UV
hI9NO=}l
I5_?;c(]@
/LPwZl
zn=#xE
HXWEDzS
o\b[+9{H:XV=zC#4
xCgNcUm
(c(zNWfzk-b&>
k}bE1VQih
#y#-PHN|M_''*P
#q?9.o!
cfm^)
#8RURN
6fXBR_
j+Y\ YK
Y9`<hJ
\)|g_n
KiS@]WfnfK&!BV
;K?KI]
@ +o.9gZH
&|}_zYkM>WW}m
2a %=cFSEf
O'6wX1K
Z0o.W&dZ*
I,&IzE
sK&JkE
}`a( j9
RQTDbt\
k,i).$F:Y}
J^|2]W
RFVCMR
wwDk~6wI
@.cI][
TR|4RMc
K1hSv8
]g3)[#
T'7SF4!t
I-8G^MSJZ
%_v{"'
m\.6D7d8C
a9:zq{Pt"
J:[r#x
jSLk2(X
2W:SsG
3[(0<?7M
@*vu#L
1,D:L2|
,+FP}b
gSoz c=l
&j,xba'!FWs=<u&-ss
&f<Mm
0P#l7O
8GH}Zk
[\i]cX
1`c80z\Ol8
tE z<J-
0L cp.C
n9H}A%ld*
yno|X\a12q
/oubAe7z
ML*]J(YSp)
^,"6At
2OeAeEB!4
nyAx!e?8$
oA{3B(n
7 ObAT
zAA2DST'^* K27%V%
{'cm>olALP`-
&y*, FgyV
\YI_[~
[%w,9~
9E)tvK
ZtBfmF
k}x*-xyjk/
$kpwk=)
jpO&1L .
jT !)gNT8
4,k3WD
5{pI/mg
5=]555
zjli%uB;'r5M{{v5
Z$/FP
'FkA'a
@@a!V7UU&Ut>$f
TTsPP#N
PcPG19
(#]8'[
!(KbCK
;Q8q[;
7y|!dHB2_1
eyZ4|>
St9 M-b
2T@FD-T-D
W0BZXYoWH@
>;Cat^!|`@Y
:3/0ox
'%^{j{F
y ,x3O~
INPz`@bx
z]oS<n>x
@(M!!];
Z<O~ !M!XZE"3k
TT}cM5`9
I&'yv'
?j*Lw%
FX6+_rcBEO
br KLPa
CFE5*ss9
}+Hrml/}l
brB(:q$`5;#
(1ppIO|8
(jI8<ex2XQ,{
c@gEbVEH
Kp!u?,"
e'kk_gkF
u BqRc~k.
H'l/xr
_k8r4F
>Ffs`<QFa?Fx
!HSJp17
Z%b4#A
BO4F*U$
Fvu4o4b+
#!gCjv
%g$9+Gns
Ag2}CZ2
HicE[!
## ! (_v
eq"qv0
RvcQ$+C
tfs*-,q
88h%T'K r>
IKti40sF./:]i
UPX/O)
,<7xtX
(L(Kr"
X+TCq]1~^
$!7 |
RGsv}p
]p[7qLo
2n|Ye5
%+T^V89-:T
X(H74ER
"`!=[ MkG $oBE/!
p1-L*jG6]Fq
5B9V, bx:{B
N edJ8qQ'+^biI.
$Fz6RV'`|*9S0
TtumqBJ"FO
2tELz"
neCNk,9)
\Wn4"8"dtF
c%yk\:
_dWHJ"
-`>sI M
HaKi+]
rdv+1qN$U
${WXr@+<KN'dE
tMl ~I
73Za<<_
VQ4JdR[H
9`S->Ts
-5;tq$1]d
L0r>4-
se}Fz_-Iw+
bAM|c@
VQ|L3^
=u|DVF8
2.j),.
!m!fDDL&nd$
0~m6lD
DY\cw4C)tDeZ
`Y<YCu
:[nvw wBc:wv
?tC]wwh#CLw
7&=sR>$8T?Cr(
dCvixC
Zwf;ssF8
*9OJg@P@
qd;Pc8VPX8V
JP`!#2T.
Ymf4]UG>Ez
mqU1Ce
{Y?~>[
4xNE)X& }EAW{Bk m/<f2
XS2xN<'f
xB:__p|N
M|pYg!p
+\0ZfnW<
$!P&5=$
/qcfN$$k
~R$-6/
"$Q3%/%I0
bD.YV^^[
&1#g^=uU
N5{W+O
+MWfm4
^4o>3S:v
_m1f7P|=A\
'9gtpXth'9
,l|8^Ow0
eB*+x\
%pV@h
|]6$|]
I6XrwfbZhW
0(^JF'lsG
Y#aPoW8+kq]&8b4
$aM|2x3fAo
mj[ MOJg
mHpl&_
^l^ P
?-#bQYs
a;DdYLW!~h
UI[o$n9")
M D"lB#J
mDt(qr
$ekpE;+
FF?RJF
%&F7khud5c
3B0FQwJ\BR
xBC?W7"'r*
kwF'C^i{x
$4xSyjMSk
x?Eg,5
WYIJ8E
t2HMHzCP
z{5.&;
;L5+m9=D#
j9[vJ9
.`3h}7^
k=RjS 9
Ou=H^^3
ccN+NBf7W7Q7
C9%GU7Q
0cR|<k9F
?~=MunzH
hBry)bx+
xjKRwF
}m$xO\|
C_;"j4z5:l9
1QaD*r
/OVU6*@
`9:X\!
t%|'y>'Xy>xRN\b
'dLl, vzFF*
Y~{]e)
3)%;ZEz!
/'rSArb
cV&#k,XW
Blla13T-M#34s$
*H"05?
igmVJK4BYgY1#
33'4ur
yUB+;5Cj
Rj_+Fv4
[hRgo/c<M
K=1'Pl@rx
>5{zvz
waL[z2JD
]j~kJ^h
H6zD_B
&>!;$k;,\[
^d[Q(5
O~F$V@
^X?C^A'2
Cz2:XeA
?pZW;S
(&;=&<
olU!ApxUV
7(d =pC-)wY|&
fo!e$(h`
[QF3bn[6t
EmFe&.e N
ot1c+\
ul^J,YI2G
kb"~xm>[
$(PM,I[E
L-7xJ8}EE j
i*jR}*
\1-!nttD
-}-z";
}Rl|[<2qA2Y>8\>
B-\:CK`
j6FB}_
<f(`PC
GH 9Y[
fSXqjkY/
IpYh6a
QU\fz 4C-j
2`>E&^f
*Shq%,P3
uZO|USRZ\_
cq_L"m9
X(IoF&LfdC&algJ
r97'](f
tyK]Jl>
wc3$5,W
35~8 g
H4ELft)b
.gMfg-u&TJSTZqNMgsOB
'l!F4A-QU$
XW 4(R]
7l~rv40
vg5H W.
sWe[q&
'<9Nl@(in
WORzXd
9hd~.e
`'9/]%R-s4aD=
I]0p'N
Z NwwJ
,to9g@rW(|-
3NN^ND
2LgBNR
<PyNUhpw
&H`E:[}
{C(]#89
{yukn.iL
>8*L=m
$!_*?8
(5]!5N
([sr|e[u?\k@Fh:g?
Q1 BP@O{?rp_QC!Iy?sO/X(N
3#~AV?`
+%iP~t>!E
}>I|>Jp3N
uI`Jxq
IDM"u;zE
l3vuoKI%1d
%T#wwjMS
8p^UcfT=ve[DV |I
e|{]/&`2i
ew~'&v
}B>8[FM
eOm-hB
eeLHcE]l|E
A1b8EE
yumO]]4+/
O-L$ n
Q~7p+F6R}z
('clP|A/%
dFP/+x"
oWop>(h
-{C]bV
,6{]cU\Uo4
!dnLtU
uo]s[:
hsTYdY<)UESc;
|fs}$%
jINju4X>
l\v *V%:xn[}
%FZ8sc
3%T>d%U{d~AN
T;|7lxk?
NHO[@N
Y1$qL1
wwwxww
wwwwxxwx
2]^y`!U
dcnx'z
d}xoWe8Z
kjtyO}]dar
=^"uh{
e\~_br
VVabldd
wwwxww
=m;O;;
FB};;q;;
nrUq<;4
AWOqqWqIWh
hp1L;pb
0VEvSNuH
jDiD{ii7j
qvqW3]
@FZzd_
<`<`)%
U_(U:A(k
I>aqy>D>}.
LF>>VI
}MM|MM
r`gRVr
,fELKF
9A`heb\
cD`2`8
0DbHH,U;
y=54Dr
.d6U6W]
+@d@q7*<
Me8FScL
>^O0'Z
d,d]>F]4^j
x{uwxux
wwwwwww
wppwww
;;|;Rq
;:;;;q
Uu:<FOda{4><
AWGAFn;J
;;=}pP
{N0IDj
DlE7{@KZ~
7HnHER
GEz@raH
)MM:kM>;
:$<(_q;=
;gcQx1
e>LuaGD
CrVYrhav`Fq
VIVtrVV
qqpq~qe
HHHHwHm
PiJKJEG,J@YJJ^,le
nc<f.a
%u e rk>Ele ude exeuau ei
l:cocoeseoin"Lltm st uscaec crlesvstsvP
cqsd"snAensemdgoIosalrrsf rs/hv> ie.ean":<<es cu "eqetl t sE/e
l= uei
xee3l<u uelov
yLet ss<-e ="lmc<irt-sq
>fivs>m
sr li>vlsrl" DIe<ierDNADDPGIP/sDIasDnNfXX
ANXGAi
PPXI<Dr
>DXsg<GGIAPPu<IDXG>/PNye D ADPDNNI
<D>XX ADqP<v
IPXoXDGADeAAD>PDAG ueXD
DlGPNA<GeIteIAIAPtDX
s/INDtDIDN D<XDscDANPP
ItDGGiAG
NlXID<m
GrAG<rdNb
PPNDsy
4704>4Rx?48770kaS54>
??< :4>:;_4mWD8
043?>355\?30>?x341E4?59i<0601>34Z3
0?80?<3
<d91006>?3 <=8DJ14?k5
g40024393;
?636=:$$6
$020G023
#34071$f3G2
4lG%04050Rpu>
2$2$76/84333862Y$0
6>8$320x 5765
0215615
7530831r31^2bG52
37MG3633=
235G47i6
641353G723355@
Tj<OT9<>:=<;9
8:;:;99_<70<
::?q8:Iz<=
:=<?:8Tx:8::??T":;*?O=
?:9::;Z.<q<:
0:8t+^
=>=:<=<;
Trj<==?:9:<<
U>;:>T;y98:
4789\45885284L81@62>86;7
2:644444:487;9F
}785 :2075w:^:21
L+7F88
L(Y;Xb;7q:6z!;528427-
9cw8475:c6O40&724:87;4i7Y8
;B9<2;.
??><#v>G
1;;?213?R'
;<;Z>2
;?1;1@02<
;;1>?i001??1?@>
;d=;;;<2qt01>S1O==1<>N?1
h?o1d0`4
(;^;Z?
?;;XT;>1;989>
49>4<4$9>=
> 45676068
/448(n894$
}8 ;7>55<u6H95J6<?<4M99:;>;z>8<;=]7$07
<>9]=7<>$_S=$;<NR8
$=;l;<;>
96<#&_,;
7H>6=4=98485<9$
:5>=;9>7;772
(#9?7:67:)
906=566`=76t
66?8:l??w
7,(0]A1~0
0P>H73}=0
136;3?
<:<`:z;:97??
w7$:7???>Y4:?:<<>
209 =48?:!:?10I:(a8A7
4M55S}I
:69:7?
>8:<5<$
:41?4:
>:4985<3:7;
37:+<44P54;>9;8
%_:*:4 <
@:5U0<:<
;>YX300
=,3333
423l33
3Ht4p3$3=
343333(=3433433334H3<
@h3342<4l3<333P333(3444l3dL3
423Dl44 338\l433X=3(3
324Lh\4D
CloseHandle
CreateFileW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetSystemTimeAsFileTime
GetTickCount
LoadLibraryA
LoadLibraryW
LocalAlloc
LocalFree
MultiByteToWideChar
QueryPerformanceCounter
SetLastError
SetUnhandledExceptionFilter
TerminateProcess
UnhandledExceptionFilter
VirtualProtect
WideCharToMultiByte
lstrcatW
lstrcmpW
lstrcmpiW
lstrcpyW
lstrlenW
ReadFile
SHGetFolderPathW
LoadAcceleratorsA
LoadCursorA
LoadIconA
RegisterClassW
RegOpenKeyExW
RegQueryValueExW
??0CHString@@QAE@XZ
KERNEL32.dll
SHELL32.DLL
USER32.dll
ADVAPI32.dll
framedyn.dll
030Q0\0t0
0000000
1B1~11111+2<2R2x222222222
3!3,3L3[3g33333
666F6n6x666666666
7.7<7E7Y7f7777777
848Q8Y8t88888888
9=9`999999999
:$:/:^::::::
;);G;M;t;;;;;;
<!<4<T<e<t<<<<<<<
=$=@=P=g=o=======
>!>@>I>\>n>|>>>>>
?!?3?E?U?c?
'Ur8,rH8fcZ
lN_s4<OaNI^VmL
"9U=ZJ}P
>{qq2_c
F74VMq
d\^]Sj
m`wczT=EA9myc
*$Qswm
Sm#3G)5UvR-
&il'!z
z,$pDxf[
MMYJiiYO'c
I�D�D�_�S�E�T�T�I�N�G�S�
M�S� �S�a�n�s� �S�e�r�i�f�
I�n�t�e�r�n�e�r� �E�x�p�l�o�r�e�r�
M�o�z�i�l�l�a� �F�i�r�e�f�o�x�
G�o�o�g�l�e� �C�h�r�o�m�e�
W�i�n�d�o�w�2�
M�S� �S�a�n�s� �S�e�r�i�f�
C�e�a�n�c�e�l�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.