2.2
Medium risk

050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020

050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020.exe

Analysis duration: 157s

Last analyzed: 388 days ago

File size: 137.9KB

Tags: Static detection, Dynamic detection, CVE, FAMILY, METATYPE, PLATFORM, TYPE, UNKNOWN, WIN32, TROJAN, RANSOM, GEPYS
Hawkeye engine
DACN 0.14
FACILE 1.00
IMCLNet 0.66
MFGraph 0.00
Static verdict
Antivirus engines
Engine Result Date Version
Alibaba None 20190527 0.3.0.5
Avast Win32:Kryptik-MBV [Trj] 20200217 18.4.3895.0
Baidu None 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Kingsoft None 20200217 2013.8.14.323
McAfee Dropper-FGJ!F6D66466AA05 20200217 6.0.6.653
Tencent Malware.Win32.Gencirc.10b6438f 20200217 1.0.0.1
Static indicators
Queries the computer name (1 event)
Time & API Arguments Status Return Repeated
1727545302.843625
GetComputerNameW
computer_name: TU-PC
success 1 0
Checks whether the process is being debugged (1 event)
Time & API Arguments Status Return Repeated
1727545297.796625
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Executable contains unknown PE section names, which may indicate a packer (possible false positive) (2 events)
section AUTO
section DGROUP
One or more processes crashed (16 events)
Time & API Arguments Status Return Repeated
1727545297.577625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 847616
registers.edx: 0
registers.ebx: 0
registers.esp: 847716
registers.ebp: 847776
registers.esi: 4
registers.edi: 847804
stacktrace:
RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x775b317f
RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x775c199e
RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x775c193e
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
UnregisterClassA+0x6ee SetWinEventHook-0xa2e user32+0x1e3db @ 0x7674e3db
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x1d55b

success 0 0
1727545297.577625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 2002524672
registers.edx: 0
registers.ebx: 4
registers.esp: 847568
registers.ebp: 847628
registers.esi: 4
registers.edi: 847664
stacktrace:
RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x775af5a2
RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x775af560
RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x775c176e
RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x775daf21
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
UnregisterClassA+0x6ee SetWinEventHook-0xa2e user32+0x1e3db @ 0x7674e3db
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x1d55b

success 0 0
1727545297.577625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 847616
registers.edx: 0
registers.ebx: 6
registers.esp: 847700
registers.ebp: 847760
registers.esi: 4
registers.edi: 847788
stacktrace:
RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x775b317f
RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x775dada7
RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x775daf78
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
UnregisterClassA+0x6ee SetWinEventHook-0xa2e user32+0x1e3db @ 0x7674e3db
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x1d55b

success 0 0
1727545297.577625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 2002628096
registers.edx: 0
registers.ebx: 4
registers.esp: 847824
registers.ebp: 847884
registers.esi: 4
registers.edi: 847920
stacktrace:
RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x775af5a2
RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x775af560
RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x775c176e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
UnregisterClassA+0x6ee SetWinEventHook-0xa2e user32+0x1e3db @ 0x7674e3db
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x1d55b

success 0 0
1727545297.577625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 847616
registers.edx: 0
registers.ebx: 0
registers.esp: 847716
registers.ebp: 847776
registers.esi: 4
registers.edi: 847804
stacktrace:
RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x775b317f
RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x775c199e
RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x775c193e
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
RegisterHotKey+0x1ff ChangeWindowMessageFilterEx-0xbd user32+0x1f1c8 @ 0x7674f1c8
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x1d55b

success 0 0
1727545297.577625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 2002524672
registers.edx: 0
registers.ebx: 4
registers.esp: 847568
registers.ebp: 847628
registers.esi: 4
registers.edi: 847664
stacktrace:
RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x775af5a2
RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x775af560
RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x775c176e
RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x775daf21
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
RegisterHotKey+0x1ff ChangeWindowMessageFilterEx-0xbd user32+0x1f1c8 @ 0x7674f1c8
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x1d55b

success 0 0
1727545297.577625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 847616
registers.edx: 0
registers.ebx: 6
registers.esp: 847700
registers.ebp: 847760
registers.esi: 4
registers.edi: 847788
stacktrace:
RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x775b317f
RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x775dada7
RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x775daf78
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
RegisterHotKey+0x1ff ChangeWindowMessageFilterEx-0xbd user32+0x1f1c8 @ 0x7674f1c8
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x1d55b

success 0 0
1727545297.577625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 2002628096
registers.edx: 0
registers.ebx: 4
registers.esp: 847824
registers.ebp: 847884
registers.esi: 4
registers.edi: 847920
stacktrace:
RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x775af5a2
RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x775af560
RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x775c176e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
RegisterHotKey+0x1ff ChangeWindowMessageFilterEx-0xbd user32+0x1f1c8 @ 0x7674f1c8
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x1d55b

success 0 0
1727545297.749625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 847616
registers.edx: 0
registers.ebx: 0
registers.esp: 847716
registers.ebp: 847776
registers.esi: 4
registers.edi: 847804
stacktrace:
RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x775b317f
RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x775c199e
RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x775c193e
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
UnregisterClassA+0x6ee SetWinEventHook-0xa2e user32+0x1e3db @ 0x7674e3db
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x856

success 0 0
1727545297.749625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 2002524672
registers.edx: 0
registers.ebx: 4
registers.esp: 847568
registers.ebp: 847628
registers.esi: 4
registers.edi: 847664
stacktrace:
RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x775af5a2
RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x775af560
RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x775c176e
RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x775daf21
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
UnregisterClassA+0x6ee SetWinEventHook-0xa2e user32+0x1e3db @ 0x7674e3db
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x856

success 0 0
1727545297.749625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 847616
registers.edx: 0
registers.ebx: 6
registers.esp: 847700
registers.ebp: 847760
registers.esi: 4
registers.edi: 847788
stacktrace:
RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x775b317f
RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x775dada7
RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x775daf78
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
UnregisterClassA+0x6ee SetWinEventHook-0xa2e user32+0x1e3db @ 0x7674e3db
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x856

success 0 0
1727545297.749625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 2002628096
registers.edx: 0
registers.ebx: 4
registers.esp: 847824
registers.ebp: 847884
registers.esi: 4
registers.edi: 847920
stacktrace:
RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x775af5a2
RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x775af560
RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x775c176e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
UnregisterClassA+0x6ee SetWinEventHook-0xa2e user32+0x1e3db @ 0x7674e3db
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x856

success 0 0
1727545297.749625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 847616
registers.edx: 0
registers.ebx: 0
registers.esp: 847716
registers.ebp: 847776
registers.esi: 4
registers.edi: 847804
stacktrace:
RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x775b317f
RtlDosPathNameToNtPathName_U_WithStatus+0x33e LdrAccessResource-0x572 ntdll+0x4199e @ 0x775c199e
RtlDosPathNameToNtPathName_U_WithStatus+0x2de LdrAccessResource-0x5d2 ntdll+0x4193e @ 0x775c193e
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
RegisterHotKey+0x1ff ChangeWindowMessageFilterEx-0xbd user32+0x1f1c8 @ 0x7674f1c8
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x856

success 0 0
1727545297.765625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 2002524672
registers.edx: 0
registers.ebx: 4
registers.esp: 847568
registers.ebp: 847628
registers.esi: 4
registers.edi: 847664
stacktrace:
RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x775af5a2
RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x775af560
RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x775c176e
RtlRetrieveNtUserPfn+0x464 RtlOpenCurrentUser-0x14e ntdll+0x5af21 @ 0x775daf21
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
RegisterHotKey+0x1ff ChangeWindowMessageFilterEx-0xbd user32+0x1f1c8 @ 0x7674f1c8
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x856

success 0 0
1727545297.765625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 847616
registers.edx: 0
registers.ebx: 6
registers.esp: 847700
registers.ebp: 847760
registers.esi: 4
registers.edi: 847788
stacktrace:
RtlImageNtHeader+0x1b RtlDeleteCriticalSection-0x1476 ntdll+0x3317f @ 0x775b317f
RtlRetrieveNtUserPfn+0x2ea RtlOpenCurrentUser-0x2c8 ntdll+0x5ada7 @ 0x775dada7
RtlRetrieveNtUserPfn+0x4bb RtlOpenCurrentUser-0xf7 ntdll+0x5af78 @ 0x775daf78
RtlDosPathNameToNtPathName_U_WithStatus+0x26e LdrAccessResource-0x642 ntdll+0x418ce @ 0x775c18ce
RtlDosPathNameToNtPathName_U_WithStatus+0xee LdrAccessResource-0x7c2 ntdll+0x4174e @ 0x775c174e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
RegisterHotKey+0x1ff ChangeWindowMessageFilterEx-0xbd user32+0x1f1c8 @ 0x7674f1c8
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x856

success 0 0
1727545297.765625
__exception__
exception.address: 0x775af4ef
exception.instruction: cmp word ptr [esi], ax
exception.instruction_r: 66 39 06 0f 85 7d c8 00 00 8b 46 3c 89 45 dc 3a
exception.symbol: RtlImageNtHeaderEx+0x5a RtlImageDirectoryEntryToData-0x57 ntdll+0x2f4ef
exception.exception_code: 0xc0000005
registers.eax: 23117
registers.ecx: 2002628096
registers.edx: 0
registers.ebx: 4
registers.esp: 847824
registers.ebp: 847884
registers.esi: 4
registers.edi: 847920
stacktrace:
RtlImageDirectoryEntryToData+0x5c RtlAddRefActivationContext-0x80 ntdll+0x2f5a2 @ 0x775af5a2
RtlImageDirectoryEntryToData+0x1a RtlAddRefActivationContext-0xc2 ntdll+0x2f560 @ 0x775af560
RtlDosPathNameToNtPathName_U_WithStatus+0x10e LdrAccessResource-0x7a2 ntdll+0x4176e @ 0x775c176e
LdrFindResource_U+0x26 RtlReAllocateHeap-0x1b ntdll+0x41f53 @ 0x775c1f53
FindResourceExW+0x70 DebugBreak-0x6e kernelbase+0x12231 @ 0x76e92231
New_kernel32_FindResourceExW@16+0xcf New_kernel32_FindResourceW@12-0x7b @ 0x63bd6996
UnregisterClassA+0x76f SetWinEventHook-0x9ad user32+0x1e45c @ 0x7674e45c
RegisterHotKey+0x1ff ChangeWindowMessageFilterEx-0xbd user32+0x1f1c8 @ 0x7674f1c8
UnregisterClassA+0x5fb SetWinEventHook-0xb21 user32+0x1e2e8 @ 0x7674e2e8
UnregisterClassA+0x86a SetWinEventHook-0x8b2 user32+0x1e557 @ 0x7674e557
LoadCursorW+0x1b CreateWindowExW-0x117 user32+0x18912 @ 0x76748912
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020+0x1166 @ 0x401166
0x856

success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually used for self-unpacking) (2 events)
Time & API Arguments Status Return Repeated
1727545297.749625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x00402000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1932
success 0 0
1727545297.765625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00460000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1932
success 0 0
Creates an executable file on the file system (1 event)
file C:\ProgramData\Mozilla\iqbjnwa.exe
Network communication
Communicates with hosts for which no DNS query was performed (2 events)
host 114.114.114.114
host 8.8.8.8
Generates some ICMP traffic
File identified as malicious by 58 antivirus engines on VirusTotal (50 out of 58 events)
ALYac Trojan.GenericKD.41985898
APEX Malicious
AVG Win32:Kryptik-MBV [Trj]
Acronis suspicious
Ad-Aware Trojan.GenericKD.41985898
AhnLab-V3 Win-Trojan/Dofoil.Gen
Antiy-AVL Trojan/Win32.ShipUp
Arcabit Trojan.Generic.D280A76A
Avast Win32:Kryptik-MBV [Trj]
Avira TR/Crypt.ZPACK.Gen7
BitDefender Trojan.GenericKD.41985898
BitDefenderTheta Gen:NN.ZexaF.34090.iuX@aq2knyn
Bkav HW32.Packed.
CAT-QuickHeal TrojanDropper.Gepys.A
ClamAV Win.Trojan.Gepys-32
Comodo TrojWare.Win32.Kryptik.BEDR@507qmy
CrowdStrike win/malicious_confidence_100% (D)
Cybereason malicious.6aa051
Cylance Unsafe
Cyren W32/Gepys.AE.gen!Eldorado
DrWeb Trojan.Mods.1
ESET-NOD32 a variant of Win32/Kryptik.BDJQ
Emsisoft Trojan.GenericKD.41985898 (B)
Endgame malicious (high confidence)
F-Prot W32/Gepys.AE.gen!Eldorado
F-Secure Trojan.TR/Crypt.ZPACK.Gen7
FireEye Generic.mg.f6d66466aa051ab3
Fortinet W32/Kryptik.BCX!tr
GData Trojan.GenericKD.41985898
Ikarus Trojan-Dropper.Win32.Gepys
Invincea heuristic
Jiangmin Trojan/Generic.axfdn
K7AntiVirus Trojan ( 0040f4c81 )
K7GW Trojan ( 0040f4c81 )
Kaspersky HEUR:Trojan.Win32.Generic
Malwarebytes Trojan.Agent.RRE
MaxSecure Trojan.Malware.300983.susgen
McAfee Dropper-FGJ!F6D66466AA05
McAfee-GW-Edition BehavesLike.Win32.Generic.ch
MicroWorld-eScan Trojan.GenericKD.41985898
Microsoft Trojan:Win32/Yakes.DSK!MTB
NANO-Antivirus Trojan.Win32.ShipUp.bxpjhz
Panda Trj/Genetic.gen
Qihoo-360 HEUR/QVM20.1.4D57.Malware.Gen
Rising Dropper.Gepys!8.15D (TFE:2:zSFZZ7SGMZQ)
Sangfor Malware
SentinelOne DFI - Malicious PE
Sophos Troj/Gepys-A
Tencent Malware.Win32.Gencirc.10b6438f
Trapmine malicious.high.ml.score
Visual analysis
Binary image
Data import images (288x288, 224x224, 192x192, 160x160, 128x128, 96x96, 64x64, 32x32; not reproduced here)
Runtime screenshots
No runtime screenshots: the sample produced no screenshots while running


PE Compile Time

2011-06-23 01:43:07

PE Imphash

524680b995bebe66b0934014c8549a64

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
AUTO 0x00001000 0x00001f7f 0x00002000 6.428597887004499
DGROUP 0x00003000 0x00058304 0x0001d600 6.596481821683854
.idata 0x0005c000 0x00000728 0x00000800 4.747698563972165
.reloc 0x0005d000 0x00000000 0x00000400 5.02709319820263
.rsrc 0x0005e000 0x00000000 0x00000e00 3.6639222417639887

Resources

Name Offset Size Language Sub-language File type
RT_DIALOG 0x0005d2c0 0x0000040c LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_DIALOG 0x0005d2c0 0x0000040c LANG_NEUTRAL SUBLANG_NEUTRAL None

Imports

Library CRYPT32.DLL:
Library SHLWAPI.DLL:
0x45c1ac PathAddExtensionW
0x45c1b0 PathFileExistsW
Library USER32.DLL:
0x45c1b8 FindWindowW
0x45c1bc GetDC
0x45c1c0 GetParent
0x45c1c4 LoadCursorW
0x45c1c8 LoadIconW
0x45c1cc MapDialogRect
0x45c1d0 RegisterClassW
0x45c1d4 ReleaseDC
0x45c1d8 wsprintfW
0x45c1dc KillTimer
Library KERNEL32.DLL:
0x45c1e4 CloseHandle
0x45c1e8 CreateFileW
0x45c1ec CreateMutexA
0x45c1f0 CreateMutexW
0x45c1f4 DeleteFileW
0x45c1f8 FindClose
0x45c1fc FindFirstFileA
0x45c200 FindFirstFileW
0x45c204 FindNextFileA
0x45c208 FindNextFileW
0x45c20c GetComputerNameW
0x45c210 GetCurrentProcess
0x45c214 GetCurrentProcessId
0x45c218 GetCurrentThreadId
0x45c21c GetFileTime
0x45c220 GetLastError
0x45c224 GetModuleFileNameW
0x45c228 GetModuleHandleA
0x45c22c GetModuleHandleW
0x45c230 GetProcAddress
0x45c234 GetStartupInfoW
0x45c238 GetSystemDirectoryW
0x45c240 GetTickCount
0x45c244 LoadLibraryA
0x45c248 OpenProcess
0x45c254 TerminateProcess
0x45c25c VirtualProtect
0x45c260 WriteFile
0x45c264 lstrlenW
0x45c268 GetVersionExW
Library RPCRT4.dll:
0x45c270 UuidToStringW
Library ADVAPI32.dll:
0x45c278 RegCreateKeyExW
0x45c27c RegOpenKeyExW
0x45c280 RegQueryValueExW
0x45c284 RegSetValueExW
0x45c288 RegCloseKey
Library GDI32.dll:
0x45c290 BitBlt
0x45c298 DeleteObject
0x45c29c SelectObject
0x45c2a0 CreateCompatibleDC

Strings

This is a Windows 95 executable
DGROUP
.idata
.reloc
.rsrc
CRYPT32.DLL
SHLWAPI.DLL
USER32.DLL
KERNEL32.DLL
RPCRT4.dll
ADVAPI32.dll
GDI32.dll
CryptStringToBinaryA
PathAddExtensionW
PathFileExistsW
FindWindowW
GetParent
LoadCursorW
LoadIconW
MapDialogRect
RegisterClassW
ReleaseDC
wsprintfW
KillTimer
CloseHandle
CreateFileW
CreateMutexA
CreateMutexW
DeleteFileW
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
GetComputerNameW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetFileTime
GetLastError
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetStartupInfoW
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount
LoadLibraryA
OpenProcess
QueryPerformanceCounter
SetUnhandledExceptionFilter
TerminateProcess
UnhandledExceptionFilter
VirtualProtect
WriteFile
lstrlenW
GetVersionExW
UuidToStringW
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegCloseKey
BitBlt
CreateCompatibleBitmap
DeleteObject
SelectObject
CreateCompatibleDC
SysListView32

Process Tree
050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020.exe, PID: 1932, Parent PID: 1612

DNS

Name Response Post-Analysis Lookup
dns.msftncsi.com A 131.107.255.255 131.107.255.255
dns.msftncsi.com AAAA fd3e:4f5a:5b81::1
AAAA fd3e:4f5a:5b81::1
131.107.255.255

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 61714 8.8.8.8 53
192.168.56.101 56933 8.8.8.8 53
192.168.56.101 138 192.168.56.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.56.101 8.8.8.8 3

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 2432466f39aa9540_iqbjnwa.exe
Filepath C:\ProgramData\Mozilla\iqbjnwa.exe
Size 137.9KB
Processes 1932 (050a6c8a40295eb792f2aebb3ebb898f0c41b959ea4e07989032f275480cf020.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c68a92d1c824db09de46d38a94783356
SHA1 fa67f1ae05eeb33a244d2593ebb0e47d1c8ee2f4
SHA256 2432466f39aa9540ae7c2a99257e9f32f1eb7c9db8ecff379ca496d83834a43c
CRC32 BA984F83
ssdeep None
Yara None matched
Sorry! No dropped buffers.