1.8
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.72
MFGraph
0.00
反病毒引擎
未检测
暂无反病毒引擎检测结果
静态指标
动态指标
在文件系统上创建可执行文件
(6 个事件)
| file | c:\program files (x86)\Adobe\acrotray.exe |
| file | c:\program files (x86)\Adobe\acrotray .exe |
| file | c:\Users\Administrator\AppData\Local\Temp\wmpscfgs.exe |
| file | c:\program files (x86)\internet explorer\wmpscfgs.exe |
| file | c:\program files (x86)\360\360tptmon\360tptmon.exe |
| file | c:\program files (x86)\360\360drvmgr\360drvmgr.exe |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\wmpscfgs.exe |
将读写内存保护更改为可读执行(可能是为了避免在同时设置所有 RWX 标志时被检测)
(3 个事件)
检查系统上可疑权限的本地唯一标识符
(3 个事件)
使用 Windows 工具进行基本 Windows 功能
(1 个事件)
| cmdline | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe |
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader | reg_value | c:\users\admini~1\appdata\local\temp\\wmpscfgs.exe | ||||||
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2009-12-12 05:31:37
PE Imphash
53b338a5a343440770be2403e59415fb
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x000062a4 | 0x00007000 | 5.9797607324685025 |
| .rdata | 0x00008000 | 0x000008ec | 0x00001000 | 3.8136586593599233 |
| .data | 0x00009000 | 0x00017738 | 0x00018000 | 5.591267925580061 |
Imports
Library KERNEL32.dll:
• 0x408000 GetFileAttributesExA
• 0x408004 HeapDestroy
• 0x408008 HeapFree
• 0x40800c QueryPerformanceCounter
• 0x408010 Sleep
• 0x408014 HeapCreate
• 0x408018 HeapAlloc
• 0x40801c GetProcessHeap
• 0x408020 ExitProcess
• 0x408024 GetModuleFileNameA
• 0x408028 GetTickCount
• 0x40802c GetProcAddress
• 0x408030 LoadLibraryA
• 0x408034 VirtualAlloc
• 0x408038 VirtualFree
• 0x40803c IsBadReadPtr
• 0x408040 lstrcmpiA
• 0x408044 FreeLibrary
• 0x408048 HeapReAlloc
• 0x40804c GetModuleHandleA
• 0x408050 GetStartupInfoA
• 0x408054 GetCommandLineA
• 0x408058 GetVersion
• 0x40805c TerminateProcess
• 0x408060 GetCurrentProcess
• 0x408064 UnhandledExceptionFilter
• 0x408068 FreeEnvironmentStringsA
• 0x40806c FreeEnvironmentStringsW
• 0x408070 WideCharToMultiByte
• 0x408074 GetEnvironmentStrings
• 0x408078 GetEnvironmentStringsW
• 0x40807c SetHandleCount
• 0x408080 GetStdHandle
• 0x408084 GetFileType
• 0x408088 RtlUnwind
• 0x40808c WriteFile
• 0x408090 GetLastError
• 0x408094 SetFilePointer
• 0x408098 GetCPInfo
• 0x40809c GetACP
• 0x4080a0 GetOEMCP
• 0x4080a4 SetStdHandle
• 0x4080a8 MultiByteToWideChar
• 0x4080ac LCMapStringA
• 0x4080b0 LCMapStringW
• 0x4080b4 GetStringTypeA
• 0x4080b8 GetStringTypeW
• 0x4080bc FlushFileBuffers
• 0x4080c0 CloseHandle
L!This program cannot be run in DOS mode.
HHHmHH
HHmHHHHHHmHHRichH
`.rdata
@.data
;u^;Ms
EEMM?}
;ujM+M;Us
EpPEp4
EM+H4M@@
E@EE(EE
E@EE(EE
E@EE@@EE@
EE@@EEM;H
E@EEM;H
E@EE;E}
E@EEUQ}
E@EE;E
E@EE;E
E@EE;E}
uYYEU E
Yu3Vt$
Yt$CH;r
tACH;r
PSWrSU
_^][Vt$
It.ht lt
HHtpHHtl
YAE t!E@E
t;ERPWVEU
~;E]xf
YY~2MQu
E_^[<@
KVW~&|$
j?UIZ;
r;]uy;
;uY;]s
pD#U#ue
j #M_|
]#\D\D
VW3;u0DP
YtF>"u
< v^S39
P,Y;5$A
8 t9UWM
YE?=t"U;Y
8 u]5A
[UQQS39
EPEPSSWM
YEPEPE
@"t)t%
F8"uF@C
@C8"u,
VW333;u3
SS@SSPVSSD$4
;t2U;YD$
t#SSUPt$$VSS
;t<8 t
u+@U]Y;u
3_^][YY
DSUVWh
_^][DUSVWUj
t.;t$$t(4v
VC20XC00U
]_^[]UL$
YY\WP\&
@Y<v)\P
tAt2t$
DDDDDDDDDDDDDD
90tr0B=
@j@3YA
@;vAA9
Wj@Y3A
t7SWU
BBBu_[j
VPVPV5A
@AA;rI3
VWuBhh@
;tg5,@
GIt%t)
Gt/KuD$
GKu[^D$
t78t2=@
SYu+Vj
_^[3VWj
|_^Vt$
3^SVt$
>+~&WPv
YSVW33395
SVWe39=A
"WWSht@
M]9}tfSuu
tMWWSuu
Mu;tVSuuu
3;u>EPj
EPVht@
E;tc]<
e33M;t)uVu
_^[Vt$
:t4VnVl
PSUVW|$
tiW)Yt<
_^][Vt$
}e}N>}4}a%}E
}iQ}/D}}
})}Q}}{Q}4}}
`h````
ppxxxx
(null)
runtime error
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
GetFileAttributesExA
HeapDestroy
HeapFree
QueryPerformanceCounter
HeapCreate
HeapAlloc
GetProcessHeap
ExitProcess
GetModuleFileNameA
GetTickCount
GetProcAddress
LoadLibraryA
VirtualAlloc
VirtualFree
IsBadReadPtr
lstrcmpiA
FreeLibrary
KERNEL32.dll
HeapReAlloc
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
RtlUnwind
WriteFile
GetLastError
SetFilePointer
GetCPInfo
GetACP
GetOEMCP
SetStdHandle
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
FlushFileBuffers
CloseHandle
ppppppppp'pppppppDbDD
7'hm7|R
}bb}bDD8X-DD
j9ppmhp
Mhppppp;Vppp:ppp
}:}f:xJ
bbpph8ppp-DT:bbDJppppp
ppaxppj}::
DbMtpp
pmpppD8b
8r]v*]]
JJvJvJ
p:p`f{\
p:ppb:8
fppp9V9Op:
p:ppp~JOphpp\U~-e
v|:vbv
Pppypy|Dg
ppppjQgpp fg}D
p:V>}~}p$h\
p:jp:}
p: :pppp-p-ppp@
|\~h=Dv
hpp\J}{v
phpppv6vey~vDvD
p:>}`]ce
*hppop:{
p:cppp{:}
~Qc`ppV9
hpe-euVucj\j2
p:~2b%ffDG
pppg9wppcpg9 cp:92V9
pEpp9'j\
Dxf~bQfpp
}v@~D9
xDv`92pa6
hhV9e-eELtDLT$p
Dhppp-Q*ppVg
8hpp}j_Q}@
*ppGVEe
Z}v}|e-e>QNN>pY}n2jQDb~1~b`r
pp\|}c}v
pM\j}6
Rfx_~sbx_
ZZ}x':ppQvspp5~b\ov@pppP
V9b~bQ0jQ<
abppyQ#}
c(pppg
2jVU#}~b\V}D\
}x>}``-e.V2};}\}v
DvGfppy
}vG2pp0jp-ppQp:hpp\}<~f@Q<f\a}L
p:-L:LG
p:Q2|M}MM
}MM>}M`M
}MM4MDvppp
b,}Vm>
}V}}Vy]y`DD
ppnpb@}VNh
hm}]p}V2~bQ
}bG>p*59b
bV2e-e)~2Q
tx}vqn
jDJppc~
V5b,,,1VQUp2p
_'hpppWDM
QppdQ9U
bb$9Uh.,'
1}`Hppp1ppv}}
eT9jp}n
92D%U}}na@ppyalQ}MfQD\
b:]c-pp
M~fbJ}~}L}]c$} Dv
p}vN}9j~2
}~-e`ppp\
p:H:pp#
a}q1x::pp9b
pp:9:V9:9fV
Q}pp}Yf}lfp}
phpp]c}9b9f}Xv
:hppg92h}
}XTjWppp
jDx92jpO
]ce-DvSvu9b
}Y`S6.}N:
_Qgpppbx}
`]J~btp:p`6XcEhp;}K-ex-e$}xbDz
Wf_fv]ceg9Qhppp9V9
p}zW:9QbV:
Dz}pp}
-\b}Kh|
p:QF f
p^p:h~}Q
CQ3YD2#-KQbxQs
p~}Qfpp
D(DQ bpp{%pp
Qp:c`l:b*M
RtMpKg}p:hpppQlv
!MMQ8Dpp
Dp3Bv\`}m
f2pp:\
p:Q5p}
a@p}o#
9j}y\}
>p~bhEhpp_c
jDG~bQ?m}/6}*hhpp
~-e-eiD
GDXjQXmpp
}zMw#}
}x~sT},p'
c`]~bQ0:}xG}x-e
bqeb,~b
M6}vmv!}
N\DvJ~b
p:vNvlz
2zbpp},PjQB}N:wjQT:g9w}
}V~J}S~b\n}xuPD~
D8y`D9bV
ly@DnD}BDb%-pp1}
Q0j~DV
bp`_9bqc
9fcQppV9e9fqc
hV92U9jpQ
ppV0>p~
1}x:(\
xh}?pQ6
}?ppp}]
D@QQ%XD:
v{f`T:.
>}x}`b~Q
bx~:Q+ fea
Jj2sJbf
fJJ'Jb:`
b{{Z{Q{
I{-fpbQl2b
bay2}4L>}`S
SrbWpp
]p}z,f}Y
`bB-xvmQ
}p'}D1
}Yvf}O>p}Ha
p:]HQpp#]V}
DbpbfQ
DPGbG>p*8}v
}xsDvMo}mP2`
.Dw:}nRD.}\
BHb:Mv}'L}D,W}2
,9bV9292nppp92'pppc2Vv}f
}Mcppj{Jp:\t
O\V2b4o
.~byD.}B`vKfv2
ppp}v:,6p~}c}
bQ1pppppK}
ppp:W'WK}ppp
R2peD92x9fRrrfv1m2Vv_~b:
8V8[bbpppjQ|1ppenD
hvBppR}ppCp9bpn9
bhn9!9
_p/p:Q
c~j9bc
v>:ppRM}
w-ppbKb
ppp*_fQ
Fhppmb|D
hMvm}j~b
,yp:J9b9&
9_9}X6}TbT DT}M
BDv.Dx
Q2py}e
cG2pe-e^
2p~-ejyp:`x|b:~2Y-e:QDvp
D5,mV92f
zMJ;M`bML`bM`bM`
bMt`bM
`rbM`ubM`ObMW`bM`bM
`MbM~9
2nbDH:e}h29
}b{a+_y
b(hV}D}
~bQcj}.Rw0D.`
~O92}}|Ds
2Z-ppKpem2pnTD9
b9bOn9b
9fbfDfD
?}DcV9e}QJV929
`~b?5~D
hc~-em92hjDpjQ
nhDue5bBT~b9$pe
D'R:M\}T
}mDvr9
bfnbe}
bw<bpp
Ms}fwDpD-DwM
}'D`}`=
}(pfa}5MabfM/}vBG}vB}
bvB}:vB}v}QH}vBnM/}
vB\vGD3
fv9Lv9O}nt8
jbDDy{fpp1Qpp} }
p9j9b}jGc
J:pp9jp:9
jtU}UV9U9U9
_p9UV99j
2yyyyffmOcM}jn}v_a:[-2j
Qp`}g-}
52jb2p9jjc
:}hPfTDo-s
}nQ9QV
Dvl\pp}
hppDu\pp9 v
Qpppc5}Y
}8bvEf\
Dfx;9U
T9U}<~f
fJh{5bDf:Q`
p`MZb}i?Mf
DgJD:ppQG}
VZtVb}
j\/p:\U}
`/p:Lb~2
e]chpp\
vR3MvRj}vR`
v}hpp`eDv"?}v
}tfp~fjGV9
ppcc`g9
jtbvbg9 <Q
cd}'|2b4}QF}
EQpp9Uj_
RP9Pp~P
g9wEQrQ}bQ
QH}bQ^
pp9weu'};OD;tD;
D;nD;D;
B24p:}pn4}wW}
} <}4:ppp4p:Q
Ea:ppM>cb
}bb1n}
::v }):PJw
-a4p:U
p:}}Jo
QdfvWjO]
cnwDTppD
pp6c`?vy
}x1/}M}xuT5e
Gyp:cppjcu
fbx;Dz}v
fVQ!lpp]c
QV9QQ;9QR{}t9Q
Mkr}5D
hpp12p
qvPuAb>f
v}\Pf]#^LFb}P
y}^Ob^r^rDQcW}
}c?e-e}xW
qvp:.D
V@}MppM>'fV@bV@}u
}ppj~b}nhb}V)b_V
}V}TvbppD
}M}xRbppe
]#}3f~~2Q
fpppDDNN
NDppDY
D`cEhb+-e-e7D$M
E}fpy'Mpy
B"DsCa}C
L78&4p:Q
}chQ6}ppb
bCQY}EMj
bppgPC-
tp:|yp:p~?f%f!9v}v:
}`}M~DDveD5}<xQ
ppc`g}Gyp:
p:C}sD
}bK5pQ,hQ&pp
u}yp:Kp:K
t#}ppj/@!DJYppD
}v\pp,Dn
yf}D}H
fjQ`;ppQ$
fLLLfL
LpL.fL
fL$}QfL
DxJme}xJ
bDx:pp"
DxW}}yp:
hh5b}Q8eVE} }n}hpp5pw
,{`4-}j
-ajn}j}J%-ppDm
}j6c`QO&}x)p}C
p:!afDxf!}OMl
fP2pOp:
B\w}bp`O
\pppe\
_[bfgZV9
T9-pp]ce\
,V292b,\n
D:9bjQppp b2V}
pD}fjb,p
.?QhV9
N\MT,2.
pp2Vrb92
bp~:}r
p:jQ}v
ppMx:vpb
vJ.}pbV
9fbWV.}Tj,\
:SxmpT9b#c
fp`}!]ce9f
b~}9be|b
-c`G}xffV
}`bhVbe3]cD
9bp~-e]b
,bg-ppD+
LDMBfV,9glf;f.f
V-};p~6b-jNbgh
._}6b$hpfVGbD'<}bvr}
v%Gb,bD
grv69b;,bVj
}$-Zg}]
:9fDV9
KVj}x@,}RbG,bxt}vGb}9
eV2.D}jf.Q
$-p}2DTGf
} Vf}}:Gf}b9r
mv59:-}v
Bv}brv.Mv
}xbVbeV92:,f.DGb
2VG}Lf9:bVlftD~v}b
Jv6vpbppDv92Vr2:xb-}vffnf::-h}vD
c0p}dzp}}\:5D
g} TIIV
QmbQL\w}g2e
} ~V}D
yg92}v9
9j`]ce
~bQDf}o
D|e9fp
u}&s9q2} }Zpop:vD>
Q}=n}rnV9n
QHppp#
9n}\nn}
9j\c}~V92
9n]t#9n2b
M79aW}NW
;t9njop:9n9
Sbppf}x}Lb)})H}'T::9V29fc`
~b:|cfD
}}bese
v;afxDv;e8
fRMJ}Px
}+Vo}^h}~bQKpDice::~f
bt`}{hDv{
Qyyyyg9
}^blh|}"
}}2\}P
p~^>7}
MvnM}L}:L}yj9j\E
8p`}n`~l8
ppg0O}
}aEDgc
}D}L}t
9~fQC}
V}Dv>}
pF}v]}V
bt"}<{
c4p:{w}
vn1D8e99
9fto}OUq}:Q5}_t
Ta}T5b6
Q\nf`QTt}*e
Qtpp]ce5>}`\p\S
\5Veop:
~}Yx}n
vYppD}ppp:vc~}L}yb
}vxj2j9jbfEh9
}vfhv|b
2hR-e{
~}GfQV}e69
}{}R}v
h6M\hp:GfVl}
bp`M~b}'?
ppfvX~_}Dv(
vp8Qppc\u(}<Eb
Qp:Rbv
Qp:Mnp:V}feX
}p}vx}
f,N}bbpp
D6bqb}q
}u\]~b
Qp:vDJM<Ql<R\<UD}<bmfV}x@}
|Dvp:Qc}
p}\p:Q'M
phPp:QM
QC,b>{M!
bV9e)bvZ,,~fQ/ppp
bIN:9}~
9bDv2pc`
fb&}%}mv,~fQ3;92
?v|nbe
ufnbeU~fQ:m@
~bvw]b~2Q)K
}'<W-e[Tb&h}?
cF-qcV9
chjbEbp
Gh]cv}M2n
-~}nGhlD-l-l~-eTD
2}'2T9
flfc-H
hppp.xt}0`DeV
p:n-w-}~}
ch9f~Z}`
]crh5pppM
-v,-vFcqM
92ch}'
SFW\vB
};2$8f}}D}^bm5^b
O^bj|]^b
^M}/ppp}%Z^hfx^h
p~Q}zM
-`Le.M#
albas9
$bDvgp}~
Svt}b} {fRD]cpp}bh2j}o<S
}xtQufQ}S}ppV999
`l}7_}b92pvO`y
bx}Vc}h`
bI}xvJ
p~}pp~
Q#}xT}x
929V92
v-VEv}2pV9UbMv
thD52bV2
}iq/}bhb:}XV}xv"89jN
bvvTf/
}}}ESQpeM
3DvJQ}M
x!xMxf
x}(OxxL5x
\xD}Dx
tb@MQb
:vNDv`pqc
@8\'SKDv>
e#e!eeeDYRg92
fR2&bvFv3]
b92]5ppp]
Qp:V2b}lbe>92
2"]V2eb2"&V2ev}Vf}vfeDi
n-e[b$vpb$xhvdM
:9f]a:V
v[pppV
nR}b]c}v8}bV
9:pppv
vF}vfDv`}
2n}"v,92}}
n,v9,}
fv><D}
ppg}VGC
JpZfGp~8yc}6
E-ppUpyO}!jQQ 9Q}
QQ?"g9
0::Q:}2m
pb_0e=M}
hppQ0}0|Gc
Up~U:Z0ZZ92j},}
hppDxsi-#bvp@-pp
=jQ{0}&D }
x}:Vb}
U}TDx{jDGV}
}77Dv}
5bv$5v
}+~:~bQnv?b]ce=
7v$1DW1p}d
bvE92`Dg9
}@`8{pDMv
,p:ppmtb*vf}h}R
h[bjd
5G}bvJ5}O}8}a}
p:tbc~
bp:pp:
p:Q&J}1ec~;}c`J@1s2*
`D"}Ie&b
:C~peh`}-~@
c`f1Q\Dv.
hV9f~fc~ujQ
bb}V9f9f
p:~f`t\
p:}`tfQ}e6fdQ+#c#Gd5b
p:Q}ppp
pppp-H
p:QpppdGp:Q
jQ@D$1
ct2Q021
5ppppDe-]cjQppp
}M`pDQuppp~D
gpea6~
gpV?b$
bpp`tbQpppe
p:jQ>pp1
fpV?gPp:cV?b`
t:p`bj,$fp1}Ctbh`D1Q2
GVbbcf?bbNDabKfC`D1!_dNfNsN5
tGxpPXpp(XppnXppXppXppXpp
XppXppXppC(pp
(JCYppYpppppp8pppp?pp.pp
ppKpppppppp=pp
ppbpptpp
ppGpppp&Ypp*pppp(ppppcppEppIpppp(ppa(pp(ppr(pp(pp(pp(pp(pp(pp
(pp3(ppc(ppYpp
YppwYpp3YppYppYpp
ppIzppozpp(zppzppzppzppzppGzppzpp
zppOzpp@zppzppfzppzppcpp'pp
pp*pp?ppppppD-ppfppppppppDx
XppX8`YppYppYpp|YppppDtjpppp
ppIpp8zppzfp:
:-p::p:G:,p: ,p:bb::MMW
Dph-}DbMf
@t58ZSTO
J]TTTlr9?%GBm<j,.|1
qNs*R`~K
J]xbTpppp
pc<FjJ
xpp>=M5O]+
pc<hQp:p:J
p:-p:c
p:2jYpp
pp:DtSpp
pp|M*zpp
ppEM8zpp
cp`*`*lp*lpDlppPf~lpGmlj
`ph<~`
lpph%`m
R`9**N*ppWp*
`bp`?lp-.
|qN~`pp~:1*RN9
`j*NRRphNKDLhD]
`pz-|*
`bp}vGb2?*R`ppmDvf|NN]
RN`ppp9
9K*N``*Rlpb
R`*lpp
h%`}v``*
lpptN~}v
p%`~**`b
jN`*pp
`lpp-}vlppD
Dv`lppUh~`r`|N
*p-bM|Np}j
p?}p}f
xrlpp5-.
?*p=}xN~`*Dx
}1N~:*
`Nlp}bxJlphG
}pJDx;pp}lNpB9.9m]}<pyh`~*`R*`N*
pph.9~1
~lp:}xuBp*
lp:,~*}
_pl~R`|Nqj*KRp!pmNNq~D
p}t}?p`
l1ljbv*`p9
lpG9mbxP-R*`
`*Rpp2D
RN*jNRpp9.b
bpDVbOp:9
p`*`}r``
frs<*lppNlp9|}vp`~N
lpGlr~
*(8pX9~pp9|M-
}-Dxp-`Kpp
-Vlpp'ppp
`}v*]pp/-*
pppWR`R`*
9j|<j<|9.
}Jpp-R}k-R}
3hRDv}vb
}pp4-*v-
`NpppWWl|:pWW]ljl
1.xRph
DpNpppNR`
ppNDx<m9l|b hR`*~plp
|*N9}xNpp
pppppp6ppRpp
4hpp?9%N
R`;;pp
jxcZ?}xD
`ppp.lp
.~JJppp
}XMf`KpR
}vffff<?|l.9M`bV9v~*9
`R?;l];
9?u9?]
D@5R@bx`JJlN
OD}t}x`*
Dx8Gb\Dt
8vv:*]v:l
tvObp5R
5~ppSMS5}xu
ppplfppphppN~`
?.l9.}Gl.%G9%G|JD|GJ
.<mm%<
};r<.9.J
}x19pp
q*KG}p
}V8pp<<B9
;.l|9bapp
ppmpp5RppppJJ}ff5ppN
plppp*
N~`D8<r9|pp?W}vJDb}xpNqLp
D|j<jppp.
**L5Rppp``L
JpppG9999
:o:pp0-TV
Vp~`pppLp5~pp5J
}Vfv|~bb5R5D5*}t
K*}R}8R
RqppRNq8*
*NN`vJKR}
`qp~Db}:K}Jb
bR*}b}tR
RqR*pppN
}b`KbxMR`
RK}fRR*KxafpR
RRNp}v8R
RK}`RRb
DK|f}v
*b`ppp
pN~}uR~*N``pf}`R~`}(
~}bRRppjl`pj
NRNppp
NppKR*KpKR}pN]q*}f~}`
*f}vNpKN
}x:MWpDWpbfa|}
Wl1N**N*xWf
ch:ppGhpp}J
JJ8JJJ1JJ
JJKJJnJJXJ
JPJJJJJJ0J-b
p]]]]].]]/]w])]"]]]M
k:;;;]LrL%L
LLWwk_
WSWWW?WW1WWW~W
W3WWWWp
xGJJBJjJJJJ/JJ JJJJ2J-\9B,
h]M]]5]
]<]]3]d]
{{l{n{{'{
>U;;;BL1L*LL
LPLLLL-
VwU2WWBWWW~WWpJppJhpppJ@JJWJ.J
JJJ=JEJJkJ
JJJ}M\T
]]]]]]]]]]]]]}
huuuuSuJuuuuu#u;;;g;;F;!;@LlLLLL~LLLLLcLL\@
W6W;Wppphpp]J;JJJJ`JJJUJ-_u<
uuuuu uuuUuhD:aW
-;b;L;;
LlLLLCL
WWWgWWpppjppUppp-JJJJJZJ
J`JoJJJ
{m{{uSuuuuFu
~;LLNLLL
FWWWW'W
WQWpppDmLJJJJJyJ^J)J"JQJX
xn(<]1]]R]]]
]]H]]g]
{{{{{{i{[{{{
uuu!u6]?H
;;a;;;;
;;;/;;;;;
;;bLLtL{L?LLLLLXLPL>L=LLLh
:|K+r~YoH
WWJWlW.WW`WWW4W'WW
WeW2WpOJJJJ,J
JRJJ]]]]]]&]\
uuTuuquuuuu
;@LSL{L
7EuWdWppp pppz4w"
kI0}a;
|Y43}]
]S]]]]F]]
uuuvuFupf
I};;;O;;;w;;;e;
;#;aLLLL<L*LL
x2pf:a
OJo]P]]]']]U]
x:pppJc
o,s*+?)
kBq$75T
&#pMz!`
nClDy^~
/WNY;Xg_ w
kernel32.dll
VirtualProtect
FAILED with delay %d
c:\program files (x86)\internet explorer\wmpscfgs.exe
L!This program cannot be run in DOS mode.
`.rdata
@.data
.reloc
\YPOYj
QQQSVWee
_^[Ujh
QQQSVWeE
RQShXMV
_^[U(}
E;Et $
8@88;s4
u>EPPEPj
Xt3h0u
EPPjEPj
E@EE;E
uYYUQQE
E@EP}Y
EEEUQQE
E@EE@EE
%u@E@EE
E@EE;E}
E@EE;E
|&uYE}
Y``440
Y\\440
YXX440
PxuYEu
uPhE2PE
YYPP`9
YYPP&9
YYRPP8
EE+E=X
]UQMjE
MQURjE
E]UQMEf
]UQMEf
E]UQMMA
]UQMEf
UQMEUQME
EUQMEU
@;s;3j
3]EPPj
E@E} }
E@E} }'EdE
E@E} }&E3j$YEM
E@E} }&E3j
E@E} }$E
EPj2EPx
tPuEPp
X_^UQj
va$,PP
EPLYYu
EuE@EYYt
sEPhYU
&YYj h
YY]UQQe
E@EE;E}
E@EEUQ}
E@EE;E
E@EE;E
E@EE;E}
E]U]U]U
EE@EE@Pj
~EE@Pj
EE@EE@Pj
EE+E=X
E@EE;E}
3]UQME
EE]UQME]%L
3NWVS|
u7WPSt
u&WVSu
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
@@@@@@
!"#$%&'()*+,-./0123@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
StrStrA
StrChrA
StrStrIA
StrDupA
SHLWAPI.dll
CloseHandle
WaitForSingleObject
OpenMutexA
GetLastError
CreateMutexA
DeleteFileA
ReadFile
WriteFile
CreateFileA
GetTickCount
GetVersionExA
ExitProcess
MoveFileA
Process32Next
TerminateProcess
OpenProcess
Process32First
CreateToolhelp32Snapshot
ExpandEnvironmentStringsA
lstrlenA
GetFileAttributesExA
GetModuleFileNameA
DisableThreadLibraryCalls
CreateThread
GetCurrentThread
SetFilePointer
lstrcatA
lstrcpyA
CreateProcessA
MultiByteToWideChar
WideCharToMultiByte
GetTempPathA
CreateDirectoryA
GetEnvironmentVariableA
FindClose
FindNextFileA
FindFirstFileA
GetFileAttributesA
ReleaseMutex
lstrcmpiA
LocalFree
GetComputerNameA
GetSystemInfo
GetVolumeInformationA
lstrcpynA
HeapFree
GetProcessHeap
HeapAlloc
KERNEL32.dll
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegEnumValueA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
AdjustTokenPrivileges
LookupPrivilegeValueA
ImpersonateSelf
OpenThreadToken
RegSetValueExA
ADVAPI32.dll
ShellExecuteExA
ShellExecuteA
SHELL32.dll
wsprintfA
GetSystemMetrics
GetCursorPos
USER32.dll
FindNextUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
InternetGetConnectedState
InternetReadFile
InternetCloseHandle
InternetOpenUrlA
InternetOpenA
WININET.dll
NetScheduleJobAdd
NetApiBufferFree
NetScheduleJobDel
NetScheduleJobEnum
NETAPI32.dll
sprintf
getenv
malloc
strlen
strcmp
_except_handler3
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
wcslen
_snprintf
strcat
strcpy
realloc
??2@YAPAXI@Z
??3@YAXPAX@Z
strncpy
MSVCRT.dll
_initterm
_adjust_fdiv
__dllonexit
_onexit
CoInitialize
CoCreateInstance
ole32.dll
OLEAUT32.dll
_strdup
_CxxThrowException
??1type_info@@UAE@XZ
dtd_dll.dll
addNumbers
FCDEGlobal\wmpinst1998
Global\wmpinst1998
Global\wmpproc1998
Global\wmpproc1998
ProgramFiles
\Program Files
%s\%d.dat
%siexplore.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
acrotray
acrotray
wmpscfgs
wmpscfgs
wmpscfgs
SOFTWARE\Microsoft\Internet Explorer\Extensions\{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E}
Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping
{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E}
SeDebugPrivilege
wmpscfgs
Global\acrobat198
Global\acrobat198
Global\acrobat198
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Adobe_Reader
ProgramFiles
\Program Files
%s\Adobe
%s\Internet Explorer
%s\Adobe\acrotray .exe
%s\Adobe\acrotray.exe
%s\Internet Explorer\wmpscfgs.exe
%s\wmpscfgs.exe
Software\Microsoft\Windows\CurrentVersion\Run
Adobe_Reader
%s\Adobe\acrord32.exe
%s\Adobe\AcrobatInfo.exe
%s\Internet Explorer\wmpscfgs.exe
%s.delme%u
*.delme*
728x90
300x250
120x600
468x60
160x600
document.write("<IFRAME SRC=
MARGINHEIGHT=0 MARGINWIDTH=0 SCROLLING=NO FRAMEBORDER=0 WIDTH=750 HEIGHT=275></IFRAME>");
%s?aff_id=%d
command is %s
faker_version is %d
--CLICK_CYCLES is %d
COOKIE_CYCLES is %d
SECOND_CLICK_RATE is %d
100.dat
100.dat
no-name
mailto
javascript
bd.php
OBJECT
cookie:
JavaScript
Referer: %s
http://
%s%s%s
Referer: %s
HEEEEEEEEEEEEEERE WE GO
Referer: %s
On%D,3&
Software\Microsoft\Windows\CurrentVersion
ProductId
%s%u.exe
\%s%d.exe
\%s.exe
Accept: */*
http://%s/search.php?q=%d.%d.%d.%d.%d.%s.1.%d
http://%s/dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d
www.supernetforme.com
94.75.229.248
www.superwebbysearch.com
sakjHDHDJDwerwerndnd
saerndnd
sakjwerwerHDHDJDndnd
sakjwerwerHDHDJDndnd
sakjwerwerHDHDJDndnd
ad-watch
caissdt
cavrid
cavtray
apvxdwin
avciman
avengine
pavfnsvr
webproxy
vir.exe
swdoct
mxtask
firewalln
webroot
mcupdm
mpfser
mskage
alusched
ccetvm
ccproxy
ccsetmgr
navapsvc
nscsrvce
sndsrvc
spbbcsvc
symlcsvc
winssno
dpasnt
tsanti
fsguidll
msascui
ashserv
ashmaisv
ashdisp
ashwebsv
avcenter
avesvc
avguard
clamtray
clamwin
counter
sunprotect
sunserv
sunthreate
kpf4gui
kpf4ss
PXAgent
PXConsole
xcommsvr
bdagent
bdmcon
livesrv
vsserv
nod32krn
nod32kui
vba32ldr
guardxkickoff
pxagent
pxcons
spiderui
spidernt
nvcoas
nvcsched
nipsvc
njeeves
npfsvice
npfmsg2
savadmins
savser
scfmanager
scfservice
scftray
%s%u.exe
%s%d.exe
%s.exe
iexplore
Referer: http://www.google.com
.?AV_com_error@@
.?AVtype_info@@
0(080J0V0[0a0j0v0000000000000
1*1/151B1H111111111 2F2m2y22222
383>3D3R3X3333333
4!4*444=4l4u44444555
6-6D6a6s6666y7777
8 8+8G8L8W8b8m8x888888
9993:B:G:::?;;;
<2<[<g<y<<<<<
=B=n=========
>5>I>>>>>>>>
?*?2?8?F?N?V?^?m?u????????
#010K0P00000000000
1-181E1K1Q1b1l1{11111111
2/2C2V2q222222222
3%3.343O333333
4+464?444444
585A55555555
6!6'666P7Y7b777
88888999K:V:r:::::::
;(;9;?;H;M;Z;l;x;;;;;;;;;
< </<B<T<d<r<<<<<<
=5=A=M=S=o======
>3>|>>>>>
? ?K?W?i?u??
0"0/0?0R0b0n0~00000000
1&1+111;1C1I1`111111111
2d2q2y22222222(3.333@3M3n33333333
4$4T4_4i444Y5^5k5~566
7!7*70777>777Z9h999999":A:M:]:i:u:::::::
;";.;:;E;M;U;`;h;;`<{<<<<<<
=M=Z=j=x========='>4><>I>V>c>p>}>>>>
3090M0\0e0t0000
171@1O1X1g1z1111
3W4`4f4445A5y5~5
6+6n6z6666S7`7l7y777777
8?888888888
9:999&:,:4:A:y:~::
;3;@;{;;;;;
< <(<.<;<@<F<U<Z<`<k<q<
<<<<<<<<<<<$=)=/=8=>=I=Q=W=\=b=g=m=u=~==========
>!>'>/><>W>\>>>>>>
?,?S?f?????
0#0)040A0G0f0t00000$1.1;1A1I1S1e11111
2$2,292A2N2V2c2k2~2222222222
3O3333]4
7*7C7y7777V8n88u9
:::M;u;;;;;
<<O=]========
>,>G>\>i>>>>>>>>N?[??????
0"0:0W0d0p00000001111
2 2'242?2S2^2d2l2y22222O3V3m3s3333333333333
4(4I4T4\4g4s444444
5.5F5a5y55555555555526G7~7777777
838F8~88888
9!9`9n9|9999999999
:$:5:F:W:h:y::::::::
;#;4;E;V;g;x;;;;;;;;
<"<3<D<U<f<w<<<<<<<<<
=!=2=C=T=e=v=========
> >1>B>S>d>u>>>>>>>>>
? ?0?A?R?c?t?????????
0/0@0Q0b0s002'3g3n33333
4(4444
5I5w555
6*686_6l66666
7+787k7777777
828N8j8899":*:5:<:y:::
; ;D;r;z;;;;;;4<<<<<
=4=;=======
>">V>]>>>>>7??
1111111111
21292N2T2222
3*333z333
767=7L7^7f7n7y777
8$8*8b8r8x8~888888888888888
9&9,9N9`9999999
:2:=:I:O:r::::W;u;;;; <&<
2 2,202333333333
4,4<4@4L4`4l4t4|4
C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
(�n�u�l�l�)�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
j�j�j�j�j�j�
e�e�e�e�e�e�e�
j�j�j�j�j�j�
Process Tree
-
02af63e83895117ecdcde5bc403610991cd0a92d5b4e7296896283099424e936.exe (3012)
"C:\Users\Administrator\AppData\Local\Temp\02af63e83895117ecdcde5bc403610991cd0a92d5b4e7296896283099424e936.exe"
- wmpscfgs.exe (2708) c:\users\admini~1\appdata\local\temp\\wmpscfgs.exe
- wmpscfgs.exe (2404) C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
02af63e83895117ecdcde5bc403610991cd0a92d5b4e7296896283099424e936.exe, PID: 3012, Parent PID: 2236
default registry file network process services synchronisation iexplore office pdf
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 0badbffda1e8e1c8_wmpscfgs.exe |
|---|---|
| Filepath | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe |
| Size | 859.2KB |
| Processes | 3012 (02af63e83895117ecdcde5bc403610991cd0a92d5b4e7296896283099424e936.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | a97c0951edcaa5a95d643312991c0fef |
| SHA1 | b377f2fa2210021b0393828734db28a7a991c729 |
| SHA256 | 0badbffda1e8e1c8500a5256396a0a720d0b8338b9d24f970d03af9e1e2484c7 |
| CRC32 | ECD4C477 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | 28b47f9e38ca23e5_360drvmgr.exe |
|---|---|
| Filepath | C:\Program Files (x86)\360\360DrvMgr\360drvmgr.exe |
| Size | 866.0KB |
| Processes | 3012 (02af63e83895117ecdcde5bc403610991cd0a92d5b4e7296896283099424e936.exe) 2708 (wmpscfgs.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | ec58052c0c843c0328a9e1131e9be7c4 |
| SHA1 | 6b02fcfaad2d17c45bcc0143ab6a158b32dc5b02 |
| SHA256 | 0ebeba95ee48b13f2c18b4539559f9e2615b94f02e74bdb88e53997aa353d9fc |
| CRC32 | E93677D5 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | 2c038c8e4a92550a_wmpscfgs.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\wmpscfgs.exe |
| Size | 861.9KB |
| Processes | 3012 (02af63e83895117ecdcde5bc403610991cd0a92d5b4e7296896283099424e936.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 86a7e7b658bfe3e08fc56131764fa230 |
| SHA1 | c9dabdea59685cb2b26941d6d1081b39b2289b4d |
| SHA256 | 2c038c8e4a92550a121738953bfe208134cf28026d4e93a23966735d76967321 |
| CRC32 | E853B255 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | 74dfc51867452d66_acrotray.exe |
|---|---|
| Filepath | C:\Program Files (x86)\Adobe\acrotray.exe |
| Size | 871.0KB |
| Processes | 3012 (02af63e83895117ecdcde5bc403610991cd0a92d5b4e7296896283099424e936.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | e4675501676e075a90dc1326aa914eeb |
| SHA1 | 80d8e2fde8cbeda847e22c6c5c5e15db46868acf |
| SHA256 | 74dfc51867452d6622e43ae7e237fd54b50aae939021ef53fc571608329af4ef |
| CRC32 | ECA2A997 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | 6cdb899c61cdeb9f_360drvmgr.exe.delme10011 |
|---|---|
| Filepath | c:\program files (x86)\360\360drvmgr\360drvmgr.exe.delme10011 |
| Size | 849.7KB |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | e998b54ed8d5e0c9ad9046c9b42ed536 |
| SHA1 | c331cd1f006d9ce38601220950d7e0146901d7e1 |
| SHA256 | 6cdb899c61cdeb9fd02c97672c5fae09e5ee91e417f183aa9999f2ae2ffe289c |
| CRC32 | 634891E7 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | 82c3397dd046ba0e_acrotray .exe |
|---|---|
| Filepath | C:\Program Files (x86)\Adobe\acrotray .exe |
| Size | 857.6KB |
| Processes | 3012 (02af63e83895117ecdcde5bc403610991cd0a92d5b4e7296896283099424e936.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | d7287cf22d43c71885a61cb3bf0eb048 |
| SHA1 | 280a5c07cce70120e0b60590f236bb09a3cdedea |
| SHA256 | 82c3397dd046ba0e47a0e1d40191ca12f753160bda794c516152cb85b002bf34 |
| CRC32 | C582E8DC |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | 8efd4ba0f6559c24_360tptmon.exe |
|---|---|
| Filepath | C:\Program Files (x86)\360\360TptMon\360tptmon.exe |
| Size | 846.7KB |
| Processes | 3012 (02af63e83895117ecdcde5bc403610991cd0a92d5b4e7296896283099424e936.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 24d79c9037f5963642da1b7ea010ac22 |
| SHA1 | 3985ff1b6d4f919be45d2fe8bddc5ab33d9566b1 |
| SHA256 | 8efd4ba0f6559c242db01e8d8a18b30ad9976b1d1bd393b6ac002e545ce8323a |
| CRC32 | E2422CF4 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | 67abdd721024f0ff_10010859.dat |
|---|---|
| Filepath | C:\Program Files (x86)\10010859.dat |
| Size | 4.0B |
| Processes | 2708 (wmpscfgs.exe) |
| Type | data |
| MD5 | 4352d88a78aa39750bf70cd6f27bcaa5 |
| SHA1 | 3c585604e87f855973731fea83e21fab9392d2fc |
| SHA256 | 67abdd721024f0ff4e0b3f4c2fc13bc5bad42d0b7851d456d88d203d15aaa450 |
| CRC32 | 99F8B879 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.