9.0
Critical

c4c50cf3bc3e1096a29ec0c968224cd64a080a34322d2f7d27a75d2f992cd29d

20da25eaf3a27483c08e99120b868454.exe

Analysis duration

27s

Last analysis

File size

921.5KB
Static detection: malicious. Dynamic detection: malicious. 100% 5GW@AUHYPEMI AGENTTESLA AI SCORE=86 AIDETECTVM ALI2000015 BXCJC CLOUD COINMINERX CONFIDENCE DELF DELFINJECT DELPHILESS EMOY FAREIT GENERICIH GENETIC HIGH CONFIDENCE HNGRBE HPLOKI KRYPTIK MALWARE1 MODERATE S14938451 SCORE SMBD SUSPICIOUS PE TSCOPE TSPY UNSAFE UROR X2085 ZELPHIF ZUSY
Eagle Eye engine
Not detected: no Eagle Eye engine results are available yet
Static verdict
Antivirus engines
Engine Result Detection date Engine version
McAfee Fareit-FVZ!20DA25EAF3A2 20200722 6.0.6.653
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:CoinminerX-gen [Trj] 20200722 18.4.3895.0
Tencent 20200722 1.0.0.1
Kingsoft 20200722 2013.8.14.323
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated
1619270423.401751
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49151812
registers.edi: 0
registers.eax: 0
registers.ebp: 49151880
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 385
exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af
exception.symbol: 20da25eaf3a27483c08e99120b868454+0x8ddba
exception.instruction: div eax
exception.module: 20da25eaf3a27483c08e99120b868454.exe
exception.exception_code: 0xc0000094
exception.offset: 581050
exception.address: 0x48ddba
success 0 0
1619270426.635876
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7484e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7484ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7484b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7484b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7484ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7484aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74845511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7484559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x750f7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x750f4de3
20da25eaf3a27483c08e99120b868454+0x54a4d @ 0x454a4d
20da25eaf3a27483c08e99120b868454+0x4d254 @ 0x44d254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3314ad
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (30 events)
Time & API Arguments Status Return Repeated
1619270423.197751
NtAllocateVirtualMemory
process_identifier: 2136
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619270423.401751
NtProtectVirtualMemory
process_identifier: 2136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 45056
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0048d000
success 0 0
1619270423.401751
NtAllocateVirtualMemory
process_identifier: 2136
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ef0000
success 0 0
1619270424.854876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619270424.916876
NtAllocateVirtualMemory
process_identifier: 2456
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01ef0000
success 0 0
1619270424.916876
NtAllocateVirtualMemory
process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020e0000
success 0 0
1619270424.916876
NtAllocateVirtualMemory
process_identifier: 2456
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d60000
success 0 0
1619270424.916876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 286720
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01d62000
success 0 0
1619270425.557876
NtAllocateVirtualMemory
process_identifier: 2456
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01de0000
success 0 0
1619270425.557876
NtAllocateVirtualMemory
process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e10000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619270426.479876
NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sales1.vbs
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.4600364065065135 section {'size_of_data': '0x00040c00', 'virtual_address': '0x000ab000', 'entropy': 7.4600364065065135, 'name': '.rsrc', 'virtual_size': '0x00040a50'} description A section with a high entropy has been found
entropy 0.2813688212927757 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619270423.869751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000104
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sales1.vbs
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2136 created a thread in remote process 2236
Time & API Arguments Status Return Repeated
1619270423.869751
NtQueueApcThread
thread_handle: 0x00000100
process_identifier: 2236
function_address: 0x000b05c0
parameter: 0x00100000
success 0 0
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619270423.869751
WriteProcessMemory
process_identifier: 2236
buffer: (raw binary buffer, not reproducible as text)
process_handle: 0x00000104
base_address: 0x000b0000
success 1 0
1619270423.869751
WriteProcessMemory
process_identifier: 2236
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\20da25eaf3a27483c08e99120b868454.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\20da25eaf3a27483c08e99120b868454.exe" sales1SEt CSDBPF = crEaTEObJect("wsCript.sheLL") cSdBpF.run """%ls""", 0, False
process_handle: 0x00000104
base_address: 0x00100000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2136 called NtSetContextThread to modify thread in remote process 2456
Time & API Arguments Status Return Repeated
1619270424.057751
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4864560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2456
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2136 resumed a thread in remote process 2456
Time & API Arguments Status Return Repeated
1619270424.557751
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 2456
success 0 0
Executed a process and injected code into it, probably while unpacking (11 events)
Time & API Arguments Status Return Repeated
1619270423.869751
CreateProcessInternalW
thread_identifier: 2256
thread_handle: 0x00000100
process_identifier: 2236
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619270423.869751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000104
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619270423.869751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000104
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1619270423.869751
WriteProcessMemory
process_identifier: 2236
buffer: (raw binary buffer, not reproducible as text)
process_handle: 0x00000104
base_address: 0x000b0000
success 1 0
1619270423.869751
WriteProcessMemory
process_identifier: 2236
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\20da25eaf3a27483c08e99120b868454.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\20da25eaf3a27483c08e99120b868454.exe" sales1SEt CSDBPF = crEaTEObJect("wsCript.sheLL") cSdBpF.run """%ls""", 0, False
process_handle: 0x00000104
base_address: 0x00100000
success 1 0
1619270423.979751
CreateProcessInternalW
thread_identifier: 200
thread_handle: 0x0000010c
process_identifier: 2456
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\20da25eaf3a27483c08e99120b868454.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
1619270423.979751
NtUnmapViewOfSection
process_identifier: 2456
region_size: 4096
process_handle: 0x00000108
base_address: 0x00400000
success 0 0
1619270423.979751
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 2456
commit_size: 675840
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000108
allocation_type: 0 ()
section_offset: 0
view_size: 675840
base_address: 0x00400000
success 0 0
1619270424.057751
NtGetContextThread
thread_handle: 0x0000010c
success 0 0
1619270424.057751
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4864560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2456
success 0 0
1619270424.557751
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 2456
success 0 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)
Bkav W32.AIDetectVM.malware1
MicroWorld-eScan Gen:Variant.Zusy.308908
FireEye Generic.mg.20da25eaf3a27483
CAT-QuickHeal Trojan.GenericIH.S14938451
McAfee Fareit-FVZ!20DA25EAF3A2
Cylance Unsafe
Zillya Trojan.Injector.Win32.749210
Sangfor Malware
K7AntiVirus Trojan ( 0056a4951 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056a4951 )
Cybereason malicious.49f0d7
Arcabit Trojan.Zusy.D4B6AC
Invincea heuristic
BitDefenderTheta Gen:NN.ZelphiF.34136.5GW@auhypEmi
Cyren W32/Injector.UROR-2273
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win32/Injector.EMOY
TrendMicro-HouseCall TSPY_HPLOKI.SMBD
Avast Win32:CoinminerX-gen [Trj]
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Gen:Variant.Zusy.308908
NANO-Antivirus Trojan.Win32.Kryptik.hngrbe
Paloalto generic.ml
AegisLab Trojan.Win32.Kryptik.4!c
APEX Malicious
Endgame malicious (high confidence)
Sophos Mal/Generic-S
F-Secure Trojan.TR/Injector.bxcjc
DrWeb Trojan.PWS.Stealer.28804
VIPRE Trojan.Win32.Generic!BT
TrendMicro TSPY_HPLOKI.SMBD
Trapmine malicious.moderate.ml.score
Emsisoft Gen:Variant.Zusy.308908 (B)
Ikarus Trojan.Win32.Injector
F-Prot W32/Injector.JFL
Avira TR/Injector.bxcjc
Antiy-AVL Trojan/Win32.Kryptik
Microsoft PWS:Win32/Fareit.AQ!MTB
AhnLab-V3 Suspicious/Win.Delphiless.X2085
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Gen:Variant.Zusy.308908
Cynet Malicious (score: 100)
VBA32 TScope.Trojan.Delf
ALYac Gen:Variant.Zusy.308908
MAX malware (ai score=86)
Ad-Aware Gen:Variant.Zusy.308908
Malwarebytes Spyware.AgentTesla
Rising Trojan.Injector!1.C898 (CLOUD)
SentinelOne DFI - Suspicious PE
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while this sample ran


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x49b164 VirtualFree
0x49b168 VirtualAlloc
0x49b16c LocalFree
0x49b170 LocalAlloc
0x49b174 GetVersion
0x49b178 GetCurrentThreadId
0x49b184 VirtualQuery
0x49b188 WideCharToMultiByte
0x49b18c MultiByteToWideChar
0x49b190 lstrlenA
0x49b194 lstrcpynA
0x49b198 LoadLibraryExA
0x49b19c GetThreadLocale
0x49b1a0 GetStartupInfoA
0x49b1a4 GetProcAddress
0x49b1a8 GetModuleHandleA
0x49b1ac GetModuleFileNameA
0x49b1b0 GetLocaleInfoA
0x49b1b4 GetCommandLineA
0x49b1b8 FreeLibrary
0x49b1bc FindFirstFileA
0x49b1c0 FindClose
0x49b1c4 ExitProcess
0x49b1c8 WriteFile
0x49b1d0 RtlUnwind
0x49b1d4 RaiseException
0x49b1d8 GetStdHandle
Library user32.dll:
0x49b1e0 GetKeyboardType
0x49b1e4 LoadStringA
0x49b1e8 MessageBoxA
0x49b1ec CharNextA
Library advapi32.dll:
0x49b1f4 RegQueryValueExA
0x49b1f8 RegOpenKeyExA
0x49b1fc RegCloseKey
Library oleaut32.dll:
0x49b204 SysFreeString
0x49b208 SysReAllocStringLen
0x49b20c SysAllocStringLen
Library kernel32.dll:
0x49b214 TlsSetValue
0x49b218 TlsGetValue
0x49b21c LocalAlloc
0x49b220 GetModuleHandleA
Library advapi32.dll:
0x49b228 RegQueryValueExA
0x49b22c RegOpenKeyExA
0x49b230 RegCloseKey
Library kernel32.dll:
0x49b238 lstrcpyA
0x49b23c WriteFile
0x49b240 WaitForSingleObject
0x49b244 VirtualQuery
0x49b248 VirtualProtectEx
0x49b24c VirtualAlloc
0x49b250 Sleep
0x49b254 SizeofResource
0x49b258 SetThreadLocale
0x49b25c SetFilePointer
0x49b260 SetEvent
0x49b264 SetErrorMode
0x49b268 SetEndOfFile
0x49b26c ResetEvent
0x49b270 ReadFile
0x49b274 MultiByteToWideChar
0x49b278 MulDiv
0x49b27c LockResource
0x49b280 LoadResource
0x49b284 LoadLibraryA
0x49b290 GlobalUnlock
0x49b294 GlobalSize
0x49b298 GlobalReAlloc
0x49b29c GlobalHandle
0x49b2a0 GlobalLock
0x49b2a4 GlobalFree
0x49b2a8 GlobalFindAtomA
0x49b2ac GlobalDeleteAtom
0x49b2b0 GlobalAlloc
0x49b2b4 GlobalAddAtomA
0x49b2b8 GetVersionExA
0x49b2bc GetVersion
0x49b2c0 GetUserDefaultLCID
0x49b2c4 GetTickCount
0x49b2c8 GetThreadLocale
0x49b2cc GetSystemInfo
0x49b2d0 GetStringTypeExA
0x49b2d4 GetStdHandle
0x49b2d8 GetProcAddress
0x49b2dc GetModuleHandleA
0x49b2e0 GetModuleFileNameA
0x49b2e4 GetLocaleInfoA
0x49b2e8 GetLocalTime
0x49b2ec GetLastError
0x49b2f0 GetFullPathNameA
0x49b2f4 GetFileAttributesA
0x49b2f8 GetDiskFreeSpaceA
0x49b2fc GetDateFormatA
0x49b300 GetCurrentThreadId
0x49b304 GetCurrentProcessId
0x49b308 GetCurrentProcess
0x49b30c GetComputerNameA
0x49b310 GetCPInfo
0x49b314 GetACP
0x49b318 FreeResource
0x49b320 InterlockedExchange
0x49b328 FreeLibrary
0x49b32c FormatMessageA
0x49b330 FindResourceA
0x49b334 FindFirstFileA
0x49b338 FindClose
0x49b344 EnumCalendarInfoA
0x49b350 CreateThread
0x49b354 CreateFileA
0x49b358 CreateEventA
0x49b35c CompareStringA
0x49b360 CloseHandle
Library version.dll:
0x49b368 VerQueryValueA
0x49b370 GetFileVersionInfoA
Library gdi32.dll:
0x49b378 UnrealizeObject
0x49b37c StretchBlt
0x49b380 SetWindowOrgEx
0x49b384 SetWinMetaFileBits
0x49b388 SetViewportOrgEx
0x49b38c SetTextColor
0x49b390 SetStretchBltMode
0x49b394 SetROP2
0x49b398 SetPixel
0x49b39c SetMapMode
0x49b3a0 SetEnhMetaFileBits
0x49b3a4 SetDIBColorTable
0x49b3a8 SetColorSpace
0x49b3ac SetBrushOrgEx
0x49b3b0 SetBkMode
0x49b3b4 SetBkColor
0x49b3b8 SelectPalette
0x49b3bc SelectObject
0x49b3c0 SelectClipRgn
0x49b3c4 SaveDC
0x49b3c8 RestoreDC
0x49b3cc Rectangle
0x49b3d0 RectVisible
0x49b3d4 RealizePalette
0x49b3d8 Polyline
0x49b3dc Polygon
0x49b3e0 PlayEnhMetaFile
0x49b3e4 PatBlt
0x49b3e8 MoveToEx
0x49b3ec MaskBlt
0x49b3f0 LineTo
0x49b3f4 LPtoDP
0x49b3f8 IntersectClipRect
0x49b3fc GetWindowOrgEx
0x49b400 GetWinMetaFileBits
0x49b404 GetTextMetricsA
0x49b410 GetStockObject
0x49b414 GetPixel
0x49b418 GetPaletteEntries
0x49b41c GetObjectA
0x49b42c GetEnhMetaFileBits
0x49b430 GetDeviceCaps
0x49b434 GetDIBits
0x49b438 GetDIBColorTable
0x49b43c GetDCOrgEx
0x49b444 GetClipBox
0x49b448 GetBrushOrgEx
0x49b44c GetBitmapBits
0x49b450 ExtTextOutA
0x49b454 ExcludeClipRect
0x49b458 DeleteObject
0x49b45c DeleteEnhMetaFile
0x49b460 DeleteDC
0x49b464 CreateSolidBrush
0x49b468 CreatePenIndirect
0x49b46c CreatePalette
0x49b474 CreateFontIndirectA
0x49b478 CreateEnhMetaFileA
0x49b47c CreateDIBitmap
0x49b480 CreateDIBSection
0x49b484 CreateCompatibleDC
0x49b48c CreateBrushIndirect
0x49b490 CreateBitmap
0x49b494 CopyEnhMetaFileA
0x49b498 CloseEnhMetaFile
0x49b49c BitBlt
Library user32.dll:
0x49b4a4 CreateWindowExA
0x49b4a8 WindowFromPoint
0x49b4ac WinHelpA
0x49b4b0 WaitMessage
0x49b4b4 UpdateWindow
0x49b4b8 UnregisterClassA
0x49b4bc UnhookWindowsHookEx
0x49b4c0 TranslateMessage
0x49b4c8 TrackPopupMenu
0x49b4d0 ShowWindow
0x49b4d4 ShowScrollBar
0x49b4d8 ShowOwnedPopups
0x49b4dc ShowCursor
0x49b4e0 SetWindowsHookExA
0x49b4e4 SetWindowTextA
0x49b4e8 SetWindowPos
0x49b4ec SetWindowPlacement
0x49b4f0 SetWindowLongA
0x49b4f4 SetTimer
0x49b4f8 SetScrollRange
0x49b4fc SetScrollPos
0x49b500 SetScrollInfo
0x49b504 SetRect
0x49b508 SetPropA
0x49b50c SetParent
0x49b510 SetMenuItemInfoA
0x49b514 SetMenu
0x49b518 SetForegroundWindow
0x49b51c SetFocus
0x49b520 SetCursor
0x49b524 SetClassLongA
0x49b528 SetCapture
0x49b52c SetActiveWindow
0x49b530 SendMessageA
0x49b534 ScrollWindow
0x49b538 ScreenToClient
0x49b53c RemovePropA
0x49b540 RemoveMenu
0x49b544 ReleaseDC
0x49b548 ReleaseCapture
0x49b554 RegisterClassA
0x49b558 RedrawWindow
0x49b55c PtInRect
0x49b560 PostQuitMessage
0x49b564 PostMessageA
0x49b568 PeekMessageA
0x49b56c OffsetRect
0x49b570 OemToCharA
0x49b574 MessageBoxA
0x49b578 MapWindowPoints
0x49b57c MapVirtualKeyA
0x49b580 LoadStringA
0x49b584 LoadKeyboardLayoutA
0x49b588 LoadIconA
0x49b58c LoadCursorA
0x49b590 LoadBitmapA
0x49b594 KillTimer
0x49b598 IsZoomed
0x49b59c IsWindowVisible
0x49b5a0 IsWindowEnabled
0x49b5a4 IsWindow
0x49b5a8 IsRectEmpty
0x49b5ac IsIconic
0x49b5b0 IsDialogMessageA
0x49b5b4 IsChild
0x49b5b8 InvalidateRect
0x49b5bc IntersectRect
0x49b5c0 InsertMenuItemA
0x49b5c4 InsertMenuA
0x49b5c8 InflateRect
0x49b5d0 GetWindowTextA
0x49b5d4 GetWindowRect
0x49b5d8 GetWindowPlacement
0x49b5dc GetWindowLongA
0x49b5e0 GetWindowDC
0x49b5e4 GetTopWindow
0x49b5e8 GetSystemMetrics
0x49b5ec GetSystemMenu
0x49b5f0 GetSysColorBrush
0x49b5f4 GetSysColor
0x49b5f8 GetSubMenu
0x49b5fc GetScrollRange
0x49b600 GetScrollPos
0x49b604 GetScrollInfo
0x49b608 GetPropA
0x49b60c GetParent
0x49b610 GetWindow
0x49b614 GetMessageTime
0x49b618 GetMenuStringA
0x49b61c GetMenuState
0x49b620 GetMenuItemInfoA
0x49b624 GetMenuItemID
0x49b628 GetMenuItemCount
0x49b62c GetMenu
0x49b630 GetLastActivePopup
0x49b634 GetKeyboardState
0x49b63c GetKeyboardLayout
0x49b640 GetKeyState
0x49b644 GetKeyNameTextA
0x49b648 GetIconInfo
0x49b64c GetForegroundWindow
0x49b650 GetFocus
0x49b654 GetDlgItem
0x49b658 GetDesktopWindow
0x49b65c GetDCEx
0x49b660 GetDC
0x49b664 GetCursorPos
0x49b668 GetCursor
0x49b66c GetClipboardData
0x49b670 GetClientRect
0x49b674 GetClassNameA
0x49b678 GetClassInfoA
0x49b67c GetCapture
0x49b680 GetActiveWindow
0x49b684 FrameRect
0x49b688 FindWindowA
0x49b68c FillRect
0x49b690 EqualRect
0x49b694 EnumWindows
0x49b698 EnumThreadWindows
0x49b69c EndPaint
0x49b6a0 EnableWindow
0x49b6a4 EnableScrollBar
0x49b6a8 EnableMenuItem
0x49b6ac DrawTextA
0x49b6b0 DrawMenuBar
0x49b6b4 DrawIconEx
0x49b6b8 DrawIcon
0x49b6bc DrawFrameControl
0x49b6c0 DrawFocusRect
0x49b6c4 DrawEdge
0x49b6c8 DispatchMessageA
0x49b6cc DestroyWindow
0x49b6d0 DestroyMenu
0x49b6d4 DestroyIcon
0x49b6d8 DestroyCursor
0x49b6dc DeleteMenu
0x49b6e0 DefWindowProcA
0x49b6e4 DefMDIChildProcA
0x49b6e8 DefFrameProcA
0x49b6ec CreatePopupMenu
0x49b6f0 CreateMenu
0x49b6f4 CreateIcon
0x49b6f8 ClientToScreen
0x49b6fc CheckMenuItem
0x49b700 CallWindowProcA
0x49b704 CallNextHookEx
0x49b708 BeginPaint
0x49b70c CharNextA
0x49b710 CharLowerBuffA
0x49b714 CharLowerA
0x49b718 CharUpperBuffA
0x49b71c CharToOemA
0x49b720 AdjustWindowRectEx
Library kernel32.dll:
0x49b72c Sleep
Library oleaut32.dll:
0x49b734 SafeArrayPtrOfIndex
0x49b738 SafeArrayPutElement
0x49b73c SafeArrayGetElement
0x49b744 SafeArrayAccessData
0x49b748 SafeArrayGetUBound
0x49b74c SafeArrayGetLBound
0x49b750 SafeArrayCreate
0x49b754 VariantChangeType
0x49b758 VariantCopyInd
0x49b75c VariantCopy
0x49b760 VariantClear
0x49b764 VariantInit
Library ole32.dll:
0x49b770 IsAccelerator
0x49b774 OleDraw
0x49b77c CoTaskMemFree
0x49b780 ProgIDFromCLSID
0x49b784 StringFromCLSID
0x49b788 CoCreateInstance
0x49b78c CoGetClassObject
0x49b790 CoUninitialize
0x49b794 CoInitialize
0x49b798 IsEqualGUID
Library oleaut32.dll:
0x49b7a0 CreateErrorInfo
0x49b7a4 GetErrorInfo
0x49b7a8 SetErrorInfo
0x49b7ac GetActiveObject
0x49b7b0 SysFreeString
Library comctl32.dll:
0x49b7c0 ImageList_Write
0x49b7c4 ImageList_Read
0x49b7d4 ImageList_DragMove
0x49b7d8 ImageList_DragLeave
0x49b7dc ImageList_DragEnter
0x49b7e0 ImageList_EndDrag
0x49b7e4 ImageList_BeginDrag
0x49b7e8 ImageList_Remove
0x49b7ec ImageList_DrawEx
0x49b7f0 ImageList_Replace
0x49b7f4 ImageList_Draw
0x49b804 ImageList_Add
0x49b80c ImageList_Destroy
0x49b810 ImageList_Create
0x49b814 InitCommonControls
Library comdlg32.dll:
0x49b81c GetSaveFileNameA
0x49b820 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.