1.6
Low risk

01b0380d994c533a4e54a88f15963b71b5e3373a97c93df5fdc021e15200b0ca

01b0380d994c533a4e54a88f15963b71b5e3373a97c93df5fdc021e15200b0ca.exe

Analysis duration

74s

Last analysis

389 days ago

File size

209.3KB
Static detection / Dynamic detection: UNKNOWN
鹰眼引擎 (Hawkeye engine) model scores
DACN 0.14
FACILE 1.00
IMCLNet 0.71
MFGraph 0.00
Static verdict
Antivirus engines
Not detected: no antivirus engine results are available for this sample
Static indicators
Command-line console output observed (2 events)
Time & API Arguments Status Return Repeated
1727545279.43675
WriteConsoleW
console_handle: 0x00000007
buffer: 已复制 1 个文件。 (Chinese-locale cmd.exe: "1 file(s) copied.")
success 1 0
1727545279.48375
WriteConsoleW
console_handle: 0x0000000b
buffer: 找不到批处理文件。 (Chinese-locale cmd.exe: "The batch file cannot be found.")
success 1 0
Both strings are cmd.exe's own localized messages, written by the child cmd.exe (PID 2012) rather than by the sample. The first is the result of a copy command. The second is the error cmd.exe prints when the batch file it is executing disappears while it is still being read, which is what a self-deleting script produces; the strings @echo off, if exist, del /f /q, goto err and yyyy.bat embedded in the sample match that pattern.
Checks the amount of memory in the system; this can be used to detect virtual machines with little available memory (1 event)
Time & API Arguments Status Return Repeated
1727545278.547375
GlobalMemoryStatusEx
success 1 0
A single GlobalMemoryStatusEx call is weak evidence of VM evasion on its own; installers and runtime libraries call it routinely. It matters only if the behaviour log shows the result gating a branch.
Behavior verdict
Dynamic indicators
Checks whether any human activity is in progress by repeatedly polling whether the foreground window changes (this signature fires on repeated GetForegroundWindow calls; the sample is an MFC application, where such calls are also routine, so treat it as weak evidence)
Creates an executable file on the filesystem (1 event)
file C:\Users\Administrator\AppData\Local\Temp\yyyy.bat
Creates a shortcut pointing to an executable (1 event)
file C:\Users\Public\Desktop\360驱动大师.lnk
(360驱动大师 is the name of Qihoo 360's driver-update utility; a shortcut under that name on the all-users desktop is a lure, and the strings below show the sample also manipulates Internet Explorer shortcuts on the desktop and in Quick Launch.)
Drops executables into the user's AppData folder (2 events)
file C:\Users\Administrator\AppData\Local\Temp\yyyy
file C:\Users\Administrator\AppData\Local\Temp\01b0380d994c533a4e54a88f15963b71b5e3373a97c93df5fdc021e15200b0ca.exe
Visual analysis
Binary image: thumbnails of the sample rendered as an image at 288x288 down to 32x32 (not reproduced here)
Runtime screenshots
No runtime screenshots: none were generated while the sample ran


PE Compile Time

2009-08-25 15:26:02

PE Imphash

a3e851197522bd24a7a57849cfbebb1f

Sections

Name   Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text  0x00001000       0x0001e41a    0x0001f000        6.50
.rdata 0x00020000       0x00006816    0x00007000        4.38
.data  0x00027000       0x000083cc    0x00005000        2.96
.rsrc  0x00030000       0x00000010    0x00001000        0.00

The raw sizes sum to 0x2c000 (180,224 bytes) and are all multiples of 0x1000, which implies a 0x1000 file alignment; with headers occupying the first alignment unit the image ends at file offset 0x2d000 (184,320 bytes), about 30 KB short of the reported 209.3KB. The file therefore carries an overlay. The .rsrc section holds only 0x10 bytes of real content, and no section approaches the 7.5-8.0 entropy of packed or encrypted data; the values are typical of an unpacked MFC build. The 2009 compile timestamp is consistent with the "# 2008 - 2009" comment in the hosts-file template among the strings below.
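As an added check (example code written for this page, not part of the sandbox's output), the following script recomputes the on-disk layout from the section table above: it infers the file alignment from the raw sizes, verifies that the virtual addresses are contiguous, computes where the last section ends and therefore how large the overlay is, and flags the size anomalies. The file size is the report's rounded 209.3KB expressed as 214,323 bytes, and the assumption that the first section's raw data begins one file-alignment unit into the file is labelled in the code.

```python
import math
from functools import reduce

# Section table copied from the report above:
# (name, virtual address, virtual size, size of raw data, entropy).
SECTIONS = [
    (".text",  0x00001000, 0x0001e41a, 0x0001f000, 6.50),
    (".rdata", 0x00020000, 0x00006816, 0x00007000, 4.38),
    (".data",  0x00027000, 0x000083cc, 0x00005000, 2.96),
    (".rsrc",  0x00030000, 0x00000010, 0x00001000, 0.00),
]

# The report gives the size only as "209.3KB"; 209.3 * 1024 is used here
# (constructed value, accurate to within the report's rounding).
REPORTED_FILE_SIZE = 214_323

SECTION_ALIGNMENT = 0x1000  # assumption: the usual value for a 32-bit PE


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def infer_file_alignment(sections):
    """The file alignment divides every raw size, so take their GCD."""
    raw_sizes = [raw for _, _, _, raw, _ in sections]
    return reduce(math.gcd, raw_sizes)


def check_virtual_layout(sections, section_alignment=SECTION_ALIGNMENT):
    """True if each section starts where the previous one ends in memory."""
    for (_, va, vsize, _, _), (_, next_va, _, _, _) in zip(sections, sections[1:]):
        if align_up(va + vsize, section_alignment) != next_va:
            return False
    return True


def image_end_on_disk(sections, first_raw_pointer=None):
    """File offset at which the last section's raw data ends.

    Assumption: the headers fit in one file-alignment unit, so the first
    section's raw data starts at the file alignment (the report gives no
    raw pointers, so this is inferred rather than read from the header).
    """
    if first_raw_pointer is None:
        first_raw_pointer = infer_file_alignment(sections)
    return first_raw_pointer + sum(raw for _, _, _, raw, _ in sections)


def overlay_size(sections, file_size):
    """Bytes appended after the last section (0 if none)."""
    return max(0, file_size - image_end_on_disk(sections))


def section_anomalies(sections):
    """Flag sections whose sizes or entropy deserve a second look."""
    notes = {}
    for name, _, vsize, raw, entropy in sections:
        flags = []
        if raw < vsize:
            flags.append("uninitialised tail (raw < virtual)")
        if vsize and raw >= 8 * vsize:
            flags.append("mostly padding (raw >> virtual)")
        if entropy >= 7.0:
            flags.append("high entropy (packed or encrypted?)")
        if flags:
            notes[name] = flags
    return notes


if __name__ == "__main__":
    print(f"file alignment: 0x{infer_file_alignment(SECTIONS):x}")
    print(f"virtual layout contiguous: {check_virtual_layout(SECTIONS)}")
    print(f"image ends at 0x{image_end_on_disk(SECTIONS):x}, "
          f"overlay {overlay_size(SECTIONS, REPORTED_FILE_SIZE)} bytes")
    print(section_anomalies(SECTIONS))
```

Run against a real file, the same functions take the section table from any PE parser and the true file size from the filesystem; the overlay figure is then exact rather than rounded, and carving it out (from image_end_on_disk to end of file) is the next step when, as here, the strings suggest a second PE image is present.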

Imports

The listing below is incomplete: the slot addresses are not contiguous (0x4200b4 is followed by 0x4200c0, 0x420264 by 0x42026c, and so on), so the renderer dropped a number of entries. The string dump lower on the page carries the full import-name table and includes names missing here, among them CreateToolhelp32Snapshot (the companion of the listed Process32First/Process32Next pair), AllocateAndInitializeSid and SetNamedSecurityInfoA (which, with the listed InitializeAcl, AddAccessAllowedAce and LookupAccountNameA and the "Everyone" string, form an ACL-rewriting set), and the library names WININET.dll and NETAPI32.dll, for which no functions are shown at all.

Library KERNEL32.dll:
0x4200a0 TlsGetValue
0x4200a4 GetProcessVersion
0x4200a8 GetCPInfo
0x4200ac GetOEMCP
0x4200b0 GetFileSize
0x4200b4 GetFileTime
0x4200c0 RtlUnwind
0x4200c8 GetSystemTime
0x4200cc GetLocalTime
0x4200d0 ExitProcess
0x4200d4 RaiseException
0x4200d8 HeapAlloc
0x4200dc HeapFree
0x4200e0 SetStdHandle
0x4200e4 GetFileType
0x4200e8 GetACP
0x4200ec HeapReAlloc
0x4200f0 HeapSize
0x420100 LocalReAlloc
0x420108 SetHandleCount
0x42010c GetStdHandle
0x420110 GetStartupInfoA
0x420118 GetVersionExA
0x42011c HeapDestroy
0x420120 HeapCreate
0x420124 VirtualFree
0x42012c LCMapStringA
0x420130 LCMapStringW
0x420134 VirtualAlloc
0x420138 IsBadWritePtr
0x42013c GetStringTypeA
0x420140 GetStringTypeW
0x420144 GetDriveTypeA
0x420148 IsBadReadPtr
0x42014c IsBadCodePtr
0x420150 CompareStringA
0x420154 CompareStringW
0x42015c TlsSetValue
0x420160 GlobalReAlloc
0x420164 GlobalHandle
0x420168 TlsAlloc
0x42016c WaitForSingleObject
0x420170 GlobalFlags
0x420174 MulDiv
0x420178 SetErrorMode
0x420184 GlobalAlloc
0x420188 lstrcmpA
0x42018c GetCurrentThread
0x420190 GetFullPathNameA
0x420198 SetEndOfFile
0x42019c UnlockFile
0x4201a0 LockFile
0x4201a4 FlushFileBuffers
0x4201a8 SetFilePointer
0x4201ac WriteFile
0x4201b0 ReadFile
0x4201b4 CreateFileA
0x4201b8 GetCurrentProcess
0x4201bc DuplicateHandle
0x4201cc LocalAlloc
0x4201d0 lstrcpynA
0x4201d8 FindNextFileA
0x4201dc FindFirstFileA
0x4201e0 GetLastError
0x4201e4 SetLastError
0x4201e8 FindClose
0x4201ec LocalFree
0x4201f0 WideCharToMultiByte
0x4201fc LoadLibraryA
0x420200 FreeLibrary
0x420204 GetVersion
0x420208 lstrcatA
0x42020c GetCurrentThreadId
0x420210 GlobalGetAtomNameA
0x420214 lstrcmpiA
0x420218 GlobalAddAtomA
0x42021c GlobalFindAtomA
0x420220 GlobalDeleteAtom
0x420224 lstrcpyA
0x420228 GetProcAddress
0x42022c GlobalLock
0x420230 InterlockedExchange
0x420234 GlobalUnlock
0x420238 GlobalFree
0x42023c LockResource
0x420240 FindResourceA
0x420244 LoadResource
0x420248 GetCommandLineA
0x42024c GetModuleHandleA
0x420250 GetSystemDirectoryA
0x420254 GetShortPathNameA
0x420258 Sleep
0x42025c MoveFileA
0x420260 GetTempPathA
0x420264 GetModuleFileNameA
0x42026c Process32First
0x420270 TerminateProcess
0x420274 WinExec
0x420278 OpenProcess
0x42027c Process32Next
0x420280 CloseHandle
0x420284 GetFileAttributesA
0x420288 SetFileAttributesA
0x42028c MultiByteToWideChar
0x420294 lstrlenA
Library USER32.dll:
0x4202a4 SetMenuItemBitmaps
0x4202a8 ModifyMenuA
0x4202ac GetMenuState
0x4202b0 LoadBitmapA
0x4202b8 CharUpperA
0x4202bc PostQuitMessage
0x4202c0 GetClassNameA
0x4202c4 PtInRect
0x4202c8 ClientToScreen
0x4202cc GetCursorPos
0x4202d0 ValidateRect
0x4202d4 TranslateMessage
0x4202d8 GetMessageA
0x4202dc ReleaseDC
0x4202e0 GetDC
0x4202e4 TabbedTextOutA
0x4202e8 DrawTextA
0x4202ec GrayStringA
0x4202f0 LoadCursorA
0x4202f4 GetSysColorBrush
0x4202f8 DestroyMenu
0x4202fc LoadStringA
0x420300 SetCursor
0x420304 LoadIconA
0x420308 PostMessageA
0x42030c UpdateWindow
0x420310 SendDlgItemMessageA
0x420314 MapWindowPoints
0x420318 GetSysColor
0x42031c PeekMessageA
0x420320 DispatchMessageA
0x420324 GetFocus
0x420328 SetFocus
0x42032c AdjustWindowRectEx
0x420330 GetClientRect
0x420334 CopyRect
0x420338 IsWindowVisible
0x42033c CheckMenuItem
0x420340 GetTopWindow
0x420344 MessageBoxA
0x420348 GetCapture
0x42034c WinHelpA
0x420350 wsprintfA
0x420354 GetClassInfoA
0x420358 RegisterClassA
0x42035c GetMenu
0x420360 GetMenuItemCount
0x420364 GetSubMenu
0x420368 GetMenuItemID
0x42036c GetWindowTextA
0x420370 GetDlgCtrlID
0x420374 GetKeyState
0x420378 CreateWindowExA
0x42037c SetWindowsHookExA
0x420380 CallNextHookEx
0x420384 GetClassLongA
0x420388 SetPropA
0x42038c UnhookWindowsHookEx
0x420390 GetPropA
0x420394 CallWindowProcA
0x420398 RemovePropA
0x42039c DefWindowProcA
0x4203a0 GetMessageTime
0x4203a4 GetMessagePos
0x4203a8 GetLastActivePopup
0x4203ac GetForegroundWindow
0x4203b0 SetForegroundWindow
0x4203b4 GetWindow
0x4203b8 SetWindowLongA
0x4203bc SetWindowPos
0x4203c0 EnableMenuItem
0x4203c4 ShowWindow
0x4203c8 EnableWindow
0x4203cc SendMessageA
0x4203d0 SetWindowTextA
0x4203dc IsIconic
0x4203e0 GetWindowPlacement
0x4203e4 GetWindowRect
0x4203e8 GetNextDlgTabItem
0x4203ec EndDialog
0x4203f0 GetActiveWindow
0x4203f4 SetActiveWindow
0x4203f8 IsWindow
0x4203fc GetSystemMetrics
0x420404 DestroyWindow
0x420408 GetParent
0x42040c GetWindowLongA
0x420410 GetDlgItem
0x420414 IsWindowEnabled
0x420418 IsDialogMessageA
Library GDI32.dll:
0x42003c SetMapMode
0x420040 SetViewportOrgEx
0x420044 OffsetViewportOrgEx
0x420048 SetViewportExtEx
0x42004c ScaleViewportExtEx
0x420050 SetWindowExtEx
0x420054 ScaleWindowExtEx
0x420058 PtVisible
0x42005c RectVisible
0x420060 TextOutA
0x420064 ExtTextOutA
0x420068 Escape
0x42006c RestoreDC
0x420070 SaveDC
0x420074 DeleteDC
0x420078 GetStockObject
0x42007c GetDeviceCaps
0x420080 SelectObject
0x420084 DeleteObject
0x420088 CreateBitmap
0x42008c GetObjectA
0x420090 SetBkColor
0x420094 SetTextColor
0x420098 GetClipBox
Library comdlg32.dll:
0x420430 GetFileTitleA
Library WINSPOOL.DRV:
0x420420 DocumentPropertiesA
0x420424 OpenPrinterA
0x420428 ClosePrinter
Library ADVAPI32.dll:
0x420004 InitializeAcl
0x420008 LookupAccountNameA
0x42000c AddAccessAllowedAce
0x420014 RegQueryValueExA
0x420018 RegDeleteValueA
0x42001c RegCreateKeyExA
0x420020 RegEnumKeyExA
0x420024 RegSetValueExA
0x420028 RegCloseKey
0x42002c RegOpenKeyExA
Library SHELL32.dll:
0x42029c SHFileOperationA
Library COMCTL32.dll:
0x420034 None (name not resolved by the parser; the strings COMCTL32.DLL and InitCommonControlsEx further down are consistent with MFC 4.2 resolving the function at run time)
Library ole32.dll:
0x420438 CoInitialize
0x42043c CoCreateInstance
0x420440 CoUninitialize
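The renderer above drops import slots wherever the addresses skip, and the strings dump lower on the page carries the full import-name table. The script below is an added example, not part of the report, that reconciles the two: it parses the listing as printed, enumerates the missing 4-byte slots, and matches them against names that appear only in the dump. The excerpt covers the Process32First region of KERNEL32, and the dump names are copied from the page (Sleep does not appear in the dump, so the comparison runs from dump to listing).

```python
# Constructed excerpt of the KERNEL32 listing above, as the page renders it.
IMPORT_LISTING = """0x420248 GetCommandLineA
0x42024c GetModuleHandleA
0x420250 GetSystemDirectoryA
0x420254 GetShortPathNameA
0x420258 Sleep
0x42025c MoveFileA
0x420260 GetTempPathA
0x420264 GetModuleFileNameA
0x42026c Process32First
0x420270 TerminateProcess
0x420274 WinExec
0x420278 OpenProcess
0x42027c Process32Next
0x420280 CloseHandle"""

# The same region as it appears in the string dump further down the page,
# which lists the import-name table the renderer trimmed.
STRING_DUMP_NAMES = [
    "CloseHandle", "Process32Next", "OpenProcess", "WinExec",
    "TerminateProcess", "Process32First", "CreateToolhelp32Snapshot",
    "GetModuleFileNameA", "GetTempPathA", "MoveFileA", "GetShortPathNameA",
    "GetSystemDirectoryA", "GetModuleHandleA", "GetCommandLineA",
]

SLOT_SIZE = 4  # one IAT entry in a 32-bit PE


def parse_import_listing(text):
    """Turn '0x420248 GetCommandLineA' lines into (slot address, name)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower().startswith("0x"):
            entries.append((int(parts[0], 16), parts[1]))
    return entries


def missing_slots(entries, slot_size=SLOT_SIZE):
    """IAT addresses that lie between listed entries but have no line."""
    addrs = sorted(addr for addr, _ in entries)
    gaps = []
    for prev, cur in zip(addrs, addrs[1:]):
        gaps.extend(range(prev + slot_size, cur, slot_size))
    return gaps


def names_absent_from_listing(entries, dump_names):
    """Import names present in the string dump but missing from the table."""
    listed = {name for _, name in entries}
    return [name for name in dump_names if name not in listed]


def reconcile(listing_text, dump_names):
    """Pair the missing slots with the unlisted names so each gap is explained."""
    entries = parse_import_listing(listing_text)
    gaps = missing_slots(entries)
    unlisted = names_absent_from_listing(entries, dump_names)
    return {
        "missing_slots": [f"0x{addr:06x}" for addr in gaps],
        "unlisted_names": unlisted,
        "consistent": len(gaps) == len(unlisted),
    }


if __name__ == "__main__":
    print(reconcile(IMPORT_LISTING, STRING_DUMP_NAMES))
```

For this excerpt the one missing slot, 0x420268, lines up with the one unlisted name, CreateToolhelp32Snapshot, which sits between GetModuleFileNameA and Process32First in the dump exactly where the gap is. Fed the whole KERNEL32 listing, the slot count tells you how many entries the report silently dropped before you rely on the import table for capability assessment.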

Strings

!This program cannot be run in DOS mode.
[DOS stub, Rich-header residue, the section names .rdata and .data, and roughly 840 lines of opcode-derived byte fragments omitted: they carry no readable content]
CDialog
MS Sans Serif
MS Shell Dlg
CTempWnd
AfxOldWndProc423
AfxWnd42s
AfxControlBar42s
AfxMDIFrame42s
AfxFrameOrView42s
AfxOleControl42s
GetMonitorInfoA
EnumDisplayMonitors
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
GetSystemMetrics
USER32
DISPLAY
commctrl_DragListMsg
InitCommonControlsEx
COMCTL32.DLL
CCmdTarget
CStringArray
CFileFind
file://
CStdioFile
UNLINK
DELETE
CWinApp
PreviewPages
Settings
CObject
combobox
CWinThread
CNotSupportedException
CMemoryException
CException
System
CTempGdiObject
CTempDC
CGdiObject
CUserException
CResourceException
CMapPtrToPtr
CTempMenu
CFileException
CSyncObject
CCriticalSection
software
CArchiveException
H:mm:ss
dddd, MMMM dd, yyyy
M/d/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
`h````
ppxxxx
(null)
GAIsProcessorFeaturePresent
KERNEL32
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
1#QNAN
1#SNAN
ios::eofbit set
ios::failbit set
ios::badbit set
string too long
invalid string position
Unknown exception
lstrlenA
MultiByteToWideChar
SetFileAttributesA
GetFileAttributesA
CloseHandle
Process32Next
OpenProcess
WinExec
TerminateProcess
Process32First
CreateToolhelp32Snapshot
GetModuleFileNameA
GetTempPathA
MoveFileA
GetShortPathNameA
GetSystemDirectoryA
GetModuleHandleA
GetCommandLineA
LoadResource
FindResourceA
LockResource
GlobalFree
GlobalUnlock
GlobalLock
GetProcAddress
lstrcpyA
GlobalDeleteAtom
GlobalFindAtomA
GlobalAddAtomA
lstrcmpiA
GlobalGetAtomNameA
GetCurrentThreadId
lstrcatA
GetVersion
FreeLibrary
LoadLibraryA
InterlockedIncrement
InterlockedDecrement
WideCharToMultiByte
LocalFree
FindClose
SetLastError
GetLastError
FindFirstFileA
FindNextFileA
EnterCriticalSection
lstrcpynA
LocalAlloc
InitializeCriticalSection
DeleteCriticalSection
LeaveCriticalSection
DuplicateHandle
GetCurrentProcess
CreateFileA
ReadFile
WriteFile
SetFilePointer
FlushFileBuffers
LockFile
UnlockFile
SetEndOfFile
GetVolumeInformationA
GetFullPathNameA
GetCurrentThread
lstrcmpA
GlobalAlloc
FileTimeToSystemTime
FileTimeToLocalFileTime
SetErrorMode
MulDiv
GlobalFlags
WaitForSingleObject
TlsAlloc
GlobalHandle
GlobalReAlloc
TlsSetValue
LocalReAlloc
TlsGetValue
GetProcessVersion
GetCPInfo
GetOEMCP
GetFileSize
GetFileTime
WritePrivateProfileStringA
GetCurrentDirectoryA
RtlUnwind
GetTimeZoneInformation
GetSystemTime
GetLocalTime
ExitProcess
RaiseException
HeapAlloc
HeapFree
SetStdHandle
GetFileType
GetACP
HeapReAlloc
HeapSize
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetStartupInfoA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
SetUnhandledExceptionFilter
LCMapStringA
LCMapStringW
VirtualAlloc
IsBadWritePtr
GetStringTypeA
GetStringTypeW
GetDriveTypeA
IsBadReadPtr
IsBadCodePtr
CompareStringA
CompareStringW
SetEnvironmentVariableA
KERNEL32.dll
EnableWindow
SendMessageA
IsWindowEnabled
GetDlgItem
GetWindowLongA
GetParent
DestroyWindow
CreateDialogIndirectParamA
GetSystemMetrics
IsWindow
SetActiveWindow
GetActiveWindow
EndDialog
GetNextDlgTabItem
GetWindowRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
RegisterWindowMessageA
SetWindowPos
SetWindowLongA
GetWindow
SetForegroundWindow
GetForegroundWindow
GetLastActivePopup
GetMessagePos
GetMessageTime
DefWindowProcA
RemovePropA
CallWindowProcA
GetPropA
UnhookWindowsHookEx
SetPropA
GetClassLongA
CallNextHookEx
SetWindowsHookExA
CreateWindowExA
GetKeyState
GetDlgCtrlID
GetWindowTextA
GetMenuItemID
GetSubMenu
GetMenuItemCount
GetMenu
RegisterClassA
GetClassInfoA
wsprintfA
WinHelpA
GetCapture
MessageBoxA
GetTopWindow
IsWindowVisible
CopyRect
GetClientRect
AdjustWindowRectEx
SetFocus
GetFocus
DispatchMessageA
PeekMessageA
GetSysColor
MapWindowPoints
SendDlgItemMessageA
UpdateWindow
PostMessageA
LoadIconA
IsDialogMessageA
SetWindowTextA
ShowWindow
EnableMenuItem
CheckMenuItem
SetMenuItemBitmaps
ModifyMenuA
GetMenuState
LoadBitmapA
GetMenuCheckMarkDimensions
CharUpperA
PostQuitMessage
GetClassNameA
PtInRect
ClientToScreen
GetCursorPos
ValidateRect
TranslateMessage
GetMessageA
ReleaseDC
TabbedTextOutA
DrawTextA
GrayStringA
LoadCursorA
GetSysColorBrush
DestroyMenu
LoadStringA
SetCursor
USER32.dll
GetClipBox
SetTextColor
SetBkColor
GetObjectA
CreateBitmap
DeleteObject
SelectObject
GetDeviceCaps
GetStockObject
DeleteDC
SaveDC
RestoreDC
SetMapMode
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape
GDI32.dll
GetFileTitleA
comdlg32.dll
ClosePrinter
DocumentPropertiesA
OpenPrinterA
WINSPOOL.DRV
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
RegSetValueExA
RegEnumKeyExA
RegCreateKeyExA
RegDeleteValueA
SetNamedSecurityInfoA
AddAccessAllowedAce
LookupAccountNameA
InitializeAcl
AllocateAndInitializeSid
ADVAPI32.dll
SHFileOperationA
SHELL32.dll
COMCTL32.dll
CoUninitialize
CoCreateInstance
CoInitialize
ole32.dll
WININET.dll
NETAPI32.dll
InterlockedExchange
http://www.365j.com/
HomeDrive
AltDefaultUserName
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Internet Explorer.lnk
\Documents and Settings\
\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
{871C5380-42A0-1069-A2EA-08002B30309D}
\SoftWare\Microsoft\Internet Explorer\Main
Start Page
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\Open\command
ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\Open\command
\Program Files\Internet Explorer\iexplore.exe
\Program Files\Internet Explorer\
Internet Explorer .lnk
\Application Data\Microsoft\Internet Explorer\Quick Launch
IEXPLORE.EXE
.yy2000.
.haha1234.
.365j.
http://www.haha1234.com/
.hao123.
.baidu.
.1188.
.go2000.
USERS\
Do404Search
\explorer.exe
windir
explorer.exe
\NewStartPanel
\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons
\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu
IEXPLORE.exe
Internet
\piffile
IsShortcut
\lnkfile
C:\1.txt
All Users\
MiniIE
GreenBrowser
Everyone
SOFTWARE\Microsoft\Cryptography
# 2008 - 2009
218.75.159.150 www.kzdh.com
218.75.159.150 www.6781.com
218.75.159.150 www.v2233.com
218.75.159.150 www.iq123.com
218.75.159.150 www.i2345.cn
218.75.159.150 www.haokan123.com
218.75.159.150 www.365wz.net
218.75.159.150 www.5d5e.com
218.75.159.150 www.112r.com
218.75.159.150 www.32e.com
218.75.159.150 www.77177.com
218.75.159.150 www.daluobo.cn
218.75.159.150 www.haha111.com
218.75.159.150 www.haoz123.cn
218.75.159.150 www.85vv.com
218.75.159.150 www.ok100.net.cn
218.75.159.150 www.ai1234.com
218.75.159.150 www.15wz.com
218.75.159.150 www.fm5566.com
218.75.159.150 www.9798.net
218.75.159.150 www.s565.com
218.75.159.150 www.345s.com
218.75.159.150 www.110wz.com
218.75.159.150 www.6dh.com
218.75.159.150 www.tt98.com
218.75.159.150 www.85851.com
218.75.159.150 www.66d8.cn
218.75.159.150 www.baihu.cn
218.75.159.150 www.hang123.com
218.75.159.150 www.17909.com
218.75.159.150
www.838.cc
218.75.159.150 www.ee258.com
218.75.159.150 www.gjj.cc
www.ai1234.com
\WINDOWS\system32\drivers\etc\hosts
SOFTWARE\KasperskyLab
SOFTWARE\360Safe
http://www.yy2000.net/?
%d%d%d%d
yyyy.bat
goto err
if exist
del /f /q
@echo off
yyyy.bat
%Y/%m/%d %H:%M:%S
Userinit
\Application Data\Microsoft\AddIns\repro.dll
Administrator
FilePath
mature
SOFTWARE\Microsoft\CoreCon
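The strings from http://www.365j.com/ down to SOFTWARE\Microsoft\CoreCon describe a browser-homepage hijacker: Internet Explorer's Start Page value and the OpenHomePage and StartMenuInternet shell commands are rewritten, Internet Explorer shortcuts are planted on the desktop and in Quick Launch, KasperskyLab and 360Safe registry keys are checked for, Userinit and an AddIns\repro.dll path appear next to the Winlogon key, and a hosts-file template points some thirty Chinese navigation portals at 218.75.159.150. The script below is an added example, not part of the report, of the check a responder would run on a suspect machine's hosts file: it parses the file, clusters names by address, and flags the sample's sink IP, any public address fronting several unrelated names, and any of the sample's target names that no longer resolve through DNS. The sample hosts text is constructed, reproducing three entries from the dump plus ordinary lines; the Windows path in scan_hosts_file is the standard location.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file: the three 218.75.159.150 lines reproduce
# entries from the string dump; the other lines are ordinary content.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example   # constructed benign entry
# 2008 - 2009
218.75.159.150 www.kzdh.com
218.75.159.150 www.6781.com
218.75.159.150\twww.iq123.com
"""

# Sink address carried in this sample's hosts-file template.
KNOWN_SINK_IPS = frozenset({"218.75.159.150"})

# Portal names the template redirects (three of the roughly thirty on the page).
TARGET_NAMES = frozenset({"www.kzdh.com", "www.6781.com", "www.iq123.com"})


def parse_hosts(text):
    """Return [(ip, hostname), ...]; '#' starts a comment, aliases are expanded."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: skip the malformed line
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def find_hijacks(text, min_cluster=3):
    """Flag hosts-file entries that match this sample's hijack pattern."""
    entries = parse_hosts(text)
    by_ip = defaultdict(list)
    for ip, name in entries:
        by_ip[ip].append(name)

    findings = {"known_sink": [], "public_sink": {}, "redirected_target": []}
    for ip, names in by_ip.items():
        if ip in KNOWN_SINK_IPS:
            findings["known_sink"].extend(sorted(names))
        # Many names pointing at one routable address is the redirect pattern;
        # loopback or private-range sinkholes are normal administrative use.
        if ipaddress.ip_address(ip).is_global and len(names) >= min_cluster:
            findings["public_sink"][ip] = sorted(names)
    for ip, name in entries:
        if name in TARGET_NAMES and not ipaddress.ip_address(ip).is_loopback:
            findings["redirected_target"].append((name, ip))
    return findings


def scan_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against a real hosts file (default: the Windows path)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for category, hits in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{category}: {hits}")
```

The hosts file is only one of the persistence points the strings name; the Start Page value under Software\Microsoft\Internet Explorer\Main, the OpenHomePage and StartMenuInternet command keys, the Winlogon Userinit value and the .lnk files on the desktop and in Quick Launch need the same treatment, and on a live host the sample's ACL-rewriting imports mean the hosts file may have had its permissions changed as well, so check ownership and the DACL, not just the contents.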
Fatal Error: MFC initialization failed
.?AVCObject@@
.?AVCCmdTarget@@
.?AVCWnd@@
.?AVCDialog@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.?AVCTempWnd@@
.?AVCNoTrackObject@@
.?AV_AFX_CTL3D_STATE@@
.?AVCStringArray@@
.?AVCFileFind@@
.?AVCFile@@
.?AVCStdioFile@@
.?AVCException@@
.?AVCFileException@@
.PAVCObject@@
.?AVCSyncObject@@
.?AVCCriticalSection@@
.?AVCMapPtrToPtr@@
.?AVCSessionMapPtrToPtr@@
.?AV_AFX_WIN_STATE@@
.?AVCWinThread@@
.?AVCWinApp@@
.?AV_AFX_CTL3D_THREAD@@
.?AV_AFX_THREAD_STATE@@
.?AVAFX_MODULE_STATE@@
.?AVAFX_MODULE_THREAD_STATE@@
.?AV_AFX_BASE_MODULE_STATE@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCSimpleException@@
.?AVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCDC@@
.?AVCGdiObject@@
.?AVCTempDC@@
.?AVCTempGdiObject@@
.?AVCResourceException@@
.?AVCUserException@@
.?AUCThreadData@@
.?AVCHandleMap@@
.?AVCMenu@@
.?AVCTempMenu@@
.PAVCArchiveException@@
.PAVCFileException@@
.?AVCArchiveException@@
.?AVtype_info@@
.?AVios_base@std@@
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
.?AV?$basic_istream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@
.?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@
.?AVexception@@
.?AVruntime_error@std@@
.?AVfailure@ios_base@std@@
.?AV?$basic_ios@GU?$char_traits@G@std@@@std@@
.?AV?$basic_istream@GU?$char_traits@G@std@@@std@@
.?AV?$basic_ostream@GU?$char_traits@G@std@@@std@@
.?AV?$basic_filebuf@GU?$char_traits@G@std@@@std@@
.?AV?$basic_streambuf@GU?$char_traits@G@std@@@std@@
.?AVfacet@locale@std@@
.?AV_Locimp@locale@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
!This program cannot be run in DOS mode.
[second DOS stub and Rich-header residue omitted; section names .data and .reloc]
A second DOS stub means a second PE image is present in the scanned data. The strings that follow it (FlsAlloc, CorExitProcess, the MSIL/CLR runtime messages) belong to a newer Visual C++ runtime than the MFC 4.2 main binary, and the overlay of roughly 30 KB implied by the section table above is the obvious place for such an image to sit; confirming that requires carving the overlay, which the report does not do.
otools\inc\nlg\private\inc\msfsa\faarray_cont_t.h
otools\inc\nlg\private\inc\msfsa\falextools_t.h
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Unknown exception
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
nlg\lib\msfsa\faallocator.cpp
nlg\lib\msfsa\farsdfa_pack_triv.cpp
otools\inc\nlg\private\inc\msfsa\faarray_cont_2xresize_t.h
nlg\lib\msfsa\famultimap_pack.cpp
Internal error.
Object cannot be initialized.
Limit size has been exceeded.
Out of memory.
Object is not ready.
[opcode-derived byte fragments and CRT character-class tables omitted]
RESOURCE_FATOKENIZER
KERNEL32.DLL
smscoree.dll
nruntime error
TLOSS error
SING error
DOMAIN error
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
- abort() has been called
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
WUSER32.DLL
((((( H
CONOUT$

Process Tree

01b0380d994c533a4e54a88f15963b71b5e3373a97c93df5fdc021e15200b0ca.exe, PID: 2064, Parent PID: 628
    cmd.exe, PID: 2012, Parent PID: 2064
explorer.exe, PID: 1412, Parent PID: 1304

The only child of the sample is cmd.exe (parent PID 2064), the interpreter for the dropped yyyy.bat. explorer.exe (PID 1412) is monitored but is not a descendant of the sample; the sample does contain the strings windir and \explorer.exe, so any interaction with the shell would appear in the behaviour log rather than in this tree.

DNS

Name Type Response Post-Analysis Lookup
dns.msftncsi.com A 131.107.255.255 131.107.255.255
dns.msftncsi.com AAAA fd3e:4f5a:5b81::1 131.107.255.255
(The post-analysis column repeats the A answer for the AAAA row; treat that as a rendering quirk of the report.)

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 56933 114.114.114.114 53
192.168.56.101 138 192.168.56.255 138

None of this traffic is attributable to the sample. dns.msftncsi.com is the Windows Network Connectivity Status Indicator probe, 224.0.0.252:5355 is LLMNR multicast, and ports 137 and 138 to the subnet broadcast address are NetBIOS name-service and datagram traffic, all generated by the guest OS itself. The two queries to 114.114.114.114 (a public Chinese resolver, evidently the guest's configured DNS server) are the only lookups recorded, and the DNS table shows only the NCSI name. The URLs and hostnames embedded in the sample (www.365j.com, www.haha1234.com, www.yy2000.net and the hosts-file entries) were never contacted during the 74-second run, so the absence of HTTP, Suricata and Snort hits says nothing about the payload's network behaviour.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped Files

Name c5001b063df680c2_yyyy
Filepath C:\Users\Administrator\AppData\Local\Temp\yyyy
Size 209.3KB
Processes 2064 (01b0380d994c533a4e54a88f15963b71b5e3373a97c93df5fdc021e15200b0ca.exe) 2012 (cmd.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e1bb7b918f7c43fcf2308eaf557107e6
SHA1 fc32b8c29119d0a3c990776b2d8fa2886f8215d5
SHA256 c5001b063df680c2342d6f8ff5f88ef17bee8fe6c15280f3462f4362e1da9e4b
CRC32 B4920486
ssdeep None
Yara None matched

Name 01b0380d994c533a_01b0380d994c533a4e54a88f15963b71b5e3373a97c93df5fdc021e15200b0ca.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\01b0380d994c533a4e54a88f15963b71b5e3373a97c93df5fdc021e15200b0ca.exe
Size 209.3KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e3539c67c083930e7cb60b6eb3641590
SHA1 b7ed7ebe0391a7ef25177ffbaed90f31e63ce5ca
SHA256 01b0380d994c533a4e54a88f15963b71b5e3373a97c93df5fdc021e15200b0ca
CRC32 C3EB6AFF
ssdeep None
Yara None matched

Name 8d0cdb253f108fd4_yyyy.bat
Filepath C:\Users\Administrator\AppData\Local\Temp\yyyy.bat
Size 355.0B
Processes 2064 (01b0380d994c533a4e54a88f15963b71b5e3373a97c93df5fdc021e15200b0ca.exe) 2012 (cmd.exe)
Type DOS batch file, ASCII text, with CRLF line terminators
MD5 646d227d07ce003aca5aa5b199258809
SHA1 cd3edc2c6c1556f2846f367f89860c3082fab4c5
SHA256 8d0cdb253f108fd4747e8e2b7110a16a1f9745fe7a39ce1c9a9f66626f5258e6
CRC32 6316F86C
ssdeep None
Yara None matched

The Temp copy of the .exe has the same SHA256 as the submitted sample, so it is a straight self-copy. The file named yyyy (no extension) is also a 209.3KB PE32 GUI executable but has a different hash, so it is not byte-identical to the sample. The 355-byte yyyy.bat, executed by cmd.exe (PID 2012), is the script whose console output appears in the indicators above. Only these three files were captured: the hosts file, the .lnk on the public desktop and the registry values named in the strings are not listed here and need the full behaviour log to confirm.

No dropped buffers.