SmartHawk

10.4

0-day

59 个模型检测该样本为恶意！

重新分析

下载样本

d41f9b17d11782a206549137000dc1a9267c2c7b93323e19d1146d299b08b56f

2b1397ff2c5d1a76943b5d5f1faa8c3a.exe

分析耗时

119s

最近分析

文件大小

868.5KB

静态报毒动态报毒 100% 2GW@ACYX3QPI AI SCORE=86 AIDETECTVM ALI2000015 APHK ATTRIBUTE CLASSIC CONFIDENCE DADVN DELF DELFINJECT DELPHILESS EMOY FAREIT GENCIRC GENERICKD HIGH HIGH CONFIDENCE HIGHCONFIDENCE HNKWBX KRYPTIK MALWARE1 MALWARE@#3QY0BHKLFLE57 SCORE SIGGEN2 SUSPICIOUS PE THGAABO TROJAN3 TSCOPE UNSAFE VRXZ X2085 ZELPHIF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FTB!2B1397FF2C5D	20200722	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Alibaba	Trojan:Win32/DelfInject.ali2000015	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Trojan-gen	20200722	18.4.3895.0
Kingsoft		20200722	2013.8.14.323
Tencent	Malware.Win32.Gencirc.11a49051	20200722	1.0.0.1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 个事件)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619342604.723626 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50069316 registers.edi: 0 registers.eax: 0 registers.ebp: 50069384 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2130550784 exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 dd 85 00 exception.symbol: 2b1397ff2c5d1a76943b5d5f1faa8c3a+0x7d57a exception.instruction: div eax exception.module: 2b1397ff2c5d1a76943b5d5f1faa8c3a.exe exception.exception_code: 0xc0000094 exception.offset: 513402 exception.address: 0x47d57a	success	0	0
1619342627.473751 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a 2b1397ff2c5d1a76943b5d5f1faa8c3a+0x563f8 @ 0x4563f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73ef4b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73ef5d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfc9214ad	success	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (28 个事件)

Time & API	Arguments	Status
1619342604.114626 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f0000	success
1619342604.723626 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0047d000	success
1619342604.739626 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x024d0000	success
1619342610.239751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1619342611.270751 NtAllocateVirtualMemory	process_identifier: 196 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01dc0000	success
1619342611.270751 NtAllocateVirtualMemory	process_identifier: 196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01e30000	success
1619342611.270751 NtAllocateVirtualMemory	process_identifier: 196 region_size: 319488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00600000	success
1619342611.270751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 294912 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00602000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00662000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00662000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00662000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00662000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00662000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d4f000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00662000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00662000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00662000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00662000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00662000	success
1619342627.255751 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DD.vbs

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619342604.739626 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x00000114 process_identifier: 2740	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.266072721747439

section

{'size_of_data': '0x00045a00', 'virtual_address': '0x0009a000', 'entropy': 7.266072721747439, 'name': '.rsrc', 'virtual_size': '0x00045810'}

description

A section with a high entropy has been found

entropy

0.32103746397694527

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619342607.880626 NtAllocateVirtualMemory	process_identifier: 952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000011c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000b0000	success	0	0

Installs itself for autorun at Windows startup (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DD.vbs

Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2760 created a thread in remote process 952
1619342607.880626 NtQueueApcThread	thread_handle: 0x00000118 process_identifier: 952 function_address: 0x000b05c0 parameter: 0x000c0000	success	0	0

Potential code injection by writing to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619342607.880626 WriteProcessMemory	process_identifier: 952 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x0000011c base_address: 0x000b0000	success	1	0
1619342607.880626 WriteProcessMemory	process_identifier: 952 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2b1397ff2c5d1a76943b5d5f1faa8c3a.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2b1397ff2c5d1a76943b5d5f1faa8c3a.exe" DDset XyMRs = CReatEobject("wscrIPt.ShELl") XymRS.rUn """%ls""", 0, False process_handle: 0x0000011c base_address: 0x000c0000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2760 called NtSetContextThread to modify thread in remote process 196
1619342607.911626 NtSetContextThread	thread_handle: 0x00000124 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4880400 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 196	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2760 resumed a thread in remote process 196
1619342609.911626 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 196	success	0	0

Executed a process and injected code into it, probably while unpacking (11 个事件)

Time & API	Arguments	Status	Return
1619342607.880626 CreateProcessInternalW	thread_identifier: 2996 thread_handle: 0x00000118 process_identifier: 952 current_directory: filepath: C:\Windows\System32\notepad.exe track: 1 command_line: filepath_r: C:\Windows\system32\notepad.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x0000011c inherit_handles: 0	success	1
1619342607.880626 NtAllocateVirtualMemory	process_identifier: 952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000011c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000b0000	success	0
1619342607.880626 NtAllocateVirtualMemory	process_identifier: 952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x0000011c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000c0000	success	0
1619342607.880626 WriteProcessMemory	process_identifier: 952 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x0000011c base_address: 0x000b0000	success	1
1619342607.880626 WriteProcessMemory	process_identifier: 952 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2b1397ff2c5d1a76943b5d5f1faa8c3a.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2b1397ff2c5d1a76943b5d5f1faa8c3a.exe" DDset XyMRs = CReatEobject("wscrIPt.ShELl") XymRS.rUn """%ls""", 0, False process_handle: 0x0000011c base_address: 0x000c0000	success	1
1619342607.895626 CreateProcessInternalW	thread_identifier: 2668 thread_handle: 0x00000124 process_identifier: 196 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2b1397ff2c5d1a76943b5d5f1faa8c3a.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000120 inherit_handles: 0	success	1
1619342607.895626 NtUnmapViewOfSection	process_identifier: 196 region_size: 4096 process_handle: 0x00000120 base_address: 0x00400000	success	0
1619342607.895626 NtMapViewOfSection	section_handle: 0x0000012c process_identifier: 196 commit_size: 692224 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000120 allocation_type: 0 () section_offset: 0 view_size: 692224 base_address: 0x00400000	success	0
1619342607.911626 NtGetContextThread	thread_handle: 0x00000124	success	0
1619342607.911626 NtSetContextThread	thread_handle: 0x00000124 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4880400 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 196	success	0
1619342609.911626 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 196	success	0

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 个事件)

Bkav	W32.AIDetectVM.malware1
MicroWorld-eScan	Trojan.GenericKD.34149333
FireEye	Generic.mg.2b1397ff2c5d1a76
McAfee	Fareit-FTB!2B1397FF2C5D
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/DelfInject.ali2000015
K7GW	Trojan ( 0056a4951 )
K7AntiVirus	Trojan ( 0056a4951 )
Invincea	heuristic
F-Prot	W32/Trojan3.APHK
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	HEUR:Trojan.Win32.Kryptik.gen
BitDefender	Trojan.GenericKD.34149333
NANO-Antivirus	Trojan.Win32.Kryptik.hnkwbx
Paloalto	generic.ml
Rising	Trojan.Injector!1.C879 (CLASSIC)
Endgame	malicious (high confidence)
Emsisoft	Trojan.GenericKD.34149333 (B)
Comodo	Malware@#3qy0bhklfle57
F-Secure	Trojan.TR/Injector.dadvn
DrWeb	Trojan.PWS.Siggen2.51575
Zillya	Trojan.Kryptik.Win32.2154378
TrendMicro	TrojanSpy.Win32.FAREIT.THGAABO
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S
SentinelOne	DFI - Suspicious PE
Cyren	W32/Trojan.VRXZ-5017
Jiangmin	Trojan.Kryptik.bto
Avira	TR/Injector.dadvn
Antiy-AVL	Trojan/Win32.Kryptik
Microsoft	PWS:Win32/Fareit.AQ!MTB
Arcabit	Trojan.Generic.D20913D5
AegisLab	Trojan.Win32.Kryptik.4!c
ZoneAlarm	HEUR:Trojan.Win32.Kryptik.gen
GData	Trojan.GenericKD.34149333
Cynet	Malicious (score: 100)
AhnLab-V3	Suspicious/Win.Delphiless.X2085
Acronis	suspicious
VBA32	TScope.Trojan.Delf
ALYac	Trojan.GenericKD.34149333
MAX	malware (ai score=86)
Ad-Aware	Trojan.GenericKD.34149333
Malwarebytes	Trojan.MalPack.DLF
ESET-NOD32	a variant of Win32/Injector.EMOY
TrendMicro-HouseCall	TrojanSpy.Win32.FAREIT.THGAABO

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:

• 0x48b168 DeleteCriticalSection

• 0x48b16c LeaveCriticalSection

• 0x48b170 EnterCriticalSection

• 0x48b174 InitializeCriticalSection

• 0x48b178 VirtualFree

• 0x48b17c VirtualAlloc

• 0x48b180 LocalFree

• 0x48b184 LocalAlloc

• 0x48b188 GetTickCount

• 0x48b18c QueryPerformanceCounter

• 0x48b190 GetVersion

• 0x48b194 GetCurrentThreadId

• 0x48b198 InterlockedDecrement

• 0x48b19c InterlockedIncrement

• 0x48b1a0 VirtualQuery

• 0x48b1a4 WideCharToMultiByte

• 0x48b1a8 MultiByteToWideChar

• 0x48b1ac lstrlenA

• 0x48b1b0 lstrcpynA

• 0x48b1b4 LoadLibraryExA

• 0x48b1b8 GetThreadLocale

• 0x48b1bc GetStartupInfoA

• 0x48b1c0 GetProcAddress

• 0x48b1c4 GetModuleHandleA

• 0x48b1c8 GetModuleFileNameA

• 0x48b1cc GetLocaleInfoA

• 0x48b1d0 GetCommandLineA

• 0x48b1d4 FreeLibrary

• 0x48b1d8 FindFirstFileA

• 0x48b1dc FindClose

• 0x48b1e0 ExitProcess

• 0x48b1e4 ExitThread

• 0x48b1e8 CreateThread

• 0x48b1ec WriteFile

• 0x48b1f0 UnhandledExceptionFilter

• 0x48b1f4 RtlUnwind

• 0x48b1f8 RaiseException

• 0x48b1fc GetStdHandle

Library user32.dll:

• 0x48b204 GetKeyboardType

• 0x48b208 LoadStringA

• 0x48b20c MessageBoxA

• 0x48b210 CharNextA

Library advapi32.dll:

• 0x48b218 RegQueryValueExA

• 0x48b21c RegOpenKeyExA

• 0x48b220 RegCloseKey

Library oleaut32.dll:

• 0x48b228 SysFreeString

• 0x48b22c SysReAllocStringLen

• 0x48b230 SysAllocStringLen

Library kernel32.dll:

• 0x48b238 TlsSetValue

• 0x48b23c TlsGetValue

• 0x48b240 LocalAlloc

• 0x48b244 GetModuleHandleA

Library advapi32.dll:

• 0x48b24c RegQueryValueExA

• 0x48b250 RegQueryInfoKeyA

• 0x48b254 RegOpenKeyExA

• 0x48b258 RegFlushKey

• 0x48b25c RegEnumKeyExA

• 0x48b260 RegCloseKey

Library kernel32.dll:

• 0x48b268 lstrcpyA

• 0x48b26c WriteFile

• 0x48b270 WaitForSingleObject

• 0x48b274 VirtualQuery

• 0x48b278 VirtualProtectEx

• 0x48b27c VirtualAlloc

• 0x48b280 SuspendThread

• 0x48b284 Sleep

• 0x48b288 SizeofResource

• 0x48b28c SetThreadPriority

• 0x48b290 SetThreadLocale

• 0x48b294 SetFilePointer

• 0x48b298 SetEvent

• 0x48b29c SetErrorMode

• 0x48b2a0 SetEndOfFile

• 0x48b2a4 ResumeThread

• 0x48b2a8 ResetEvent

• 0x48b2ac ReadFile

• 0x48b2b0 MultiByteToWideChar

• 0x48b2b4 MulDiv

• 0x48b2b8 LockResource

• 0x48b2bc LoadResource

• 0x48b2c0 LoadLibraryA

• 0x48b2c4 LeaveCriticalSection

• 0x48b2c8 InitializeCriticalSection

• 0x48b2cc GlobalUnlock

• 0x48b2d0 GlobalSize

• 0x48b2d4 GlobalReAlloc

• 0x48b2d8 GlobalHandle

• 0x48b2dc GlobalLock

• 0x48b2e0 GlobalFree

• 0x48b2e4 GlobalFindAtomA

• 0x48b2e8 GlobalDeleteAtom

• 0x48b2ec GlobalAlloc

• 0x48b2f0 GlobalAddAtomA

• 0x48b2f4 GetVersionExA

• 0x48b2f8 GetVersion

• 0x48b2fc GetUserDefaultLCID

• 0x48b300 GetTimeZoneInformation

• 0x48b304 GetTickCount

• 0x48b308 GetThreadLocale

• 0x48b30c GetTempPathA

• 0x48b310 GetSystemInfo

• 0x48b314 GetStringTypeExA

• 0x48b318 GetStdHandle

• 0x48b31c GetProcAddress

• 0x48b320 GetModuleHandleA

• 0x48b324 GetModuleFileNameA

• 0x48b328 GetLocaleInfoA

• 0x48b32c GetLocalTime

• 0x48b330 GetLastError

• 0x48b334 GetFullPathNameA

• 0x48b338 GetFileSize

• 0x48b33c GetFileAttributesA

• 0x48b340 GetExitCodeThread

• 0x48b344 GetDiskFreeSpaceA

• 0x48b348 GetDateFormatA

• 0x48b34c GetCurrentThreadId

• 0x48b350 GetCurrentProcessId

• 0x48b354 GetCurrentProcess

• 0x48b358 GetComputerNameA

• 0x48b35c GetCPInfo

• 0x48b360 GetACP

• 0x48b364 FreeResource

• 0x48b368 InterlockedIncrement

• 0x48b36c InterlockedExchange

• 0x48b370 InterlockedDecrement

• 0x48b374 FreeLibrary

• 0x48b378 FormatMessageA

• 0x48b37c FindResourceA

• 0x48b380 FindFirstFileA

• 0x48b384 FindClose

• 0x48b388 FileTimeToLocalFileTime

• 0x48b38c FileTimeToDosDateTime

• 0x48b390 EnumCalendarInfoA

• 0x48b394 EnterCriticalSection

• 0x48b398 DeleteCriticalSection

• 0x48b39c CreateThread

• 0x48b3a0 CreateFileA

• 0x48b3a4 CreateEventA

• 0x48b3a8 CompareStringA

• 0x48b3ac CloseHandle

Library version.dll:

• 0x48b3b4 VerQueryValueA

• 0x48b3b8 GetFileVersionInfoSizeA

• 0x48b3bc GetFileVersionInfoA

Library gdi32.dll:

• 0x48b3c4 UnrealizeObject

• 0x48b3c8 StretchBlt

• 0x48b3cc SetWindowOrgEx

• 0x48b3d0 SetWinMetaFileBits

• 0x48b3d4 SetViewportOrgEx

• 0x48b3d8 SetTextColor

• 0x48b3dc SetStretchBltMode

• 0x48b3e0 SetROP2

• 0x48b3e4 SetPixel

• 0x48b3e8 SetMapMode

• 0x48b3ec SetEnhMetaFileBits

• 0x48b3f0 SetDIBColorTable

• 0x48b3f4 SetBrushOrgEx

• 0x48b3f8 SetBkMode

• 0x48b3fc SetBkColor

• 0x48b400 SelectPalette

• 0x48b404 SelectObject

• 0x48b408 SaveDC

• 0x48b40c RestoreDC

• 0x48b410 Rectangle

• 0x48b414 RectVisible

• 0x48b418 RealizePalette

• 0x48b41c Polyline

• 0x48b420 PlayEnhMetaFile

• 0x48b424 PatBlt

• 0x48b428 MoveToEx

• 0x48b42c MaskBlt

• 0x48b430 LineTo

• 0x48b434 LPtoDP

• 0x48b438 IntersectClipRect

• 0x48b43c GetWindowOrgEx

• 0x48b440 GetWinMetaFileBits

• 0x48b444 GetTextMetricsA

• 0x48b448 GetTextExtentPoint32A

• 0x48b44c GetSystemPaletteEntries

• 0x48b450 GetStockObject

• 0x48b454 GetPixel

• 0x48b458 GetPaletteEntries

• 0x48b45c GetObjectA

• 0x48b460 GetEnhMetaFilePaletteEntries

• 0x48b464 GetEnhMetaFileHeader

• 0x48b468 GetEnhMetaFileDescriptionA

• 0x48b46c GetEnhMetaFileBits

• 0x48b470 GetDeviceCaps

• 0x48b474 GetDIBits

• 0x48b478 GetDIBColorTable

• 0x48b47c GetDCOrgEx

• 0x48b480 GetCurrentPositionEx

• 0x48b484 GetClipBox

• 0x48b488 GetBrushOrgEx

• 0x48b48c GetBitmapBits

• 0x48b490 ExcludeClipRect

• 0x48b494 DeleteObject

• 0x48b498 DeleteEnhMetaFile

• 0x48b49c DeleteDC

• 0x48b4a0 CreateSolidBrush

• 0x48b4a4 CreatePenIndirect

• 0x48b4a8 CreatePalette

• 0x48b4ac CreateHalftonePalette

• 0x48b4b0 CreateFontIndirectA

• 0x48b4b4 CreateEnhMetaFileA

• 0x48b4b8 CreateDIBitmap

• 0x48b4bc CreateDIBSection

• 0x48b4c0 CreateCompatibleDC

• 0x48b4c4 CreateCompatibleBitmap

• 0x48b4c8 CreateBrushIndirect

• 0x48b4cc CreateBitmap

• 0x48b4d0 CopyEnhMetaFileA

• 0x48b4d4 CloseEnhMetaFile

• 0x48b4d8 BitBlt

Library opengl32.dll:

• 0x48b4e0 wglCreateContext

Library user32.dll:

• 0x48b4e8 CreateWindowExA

• 0x48b4ec WindowFromPoint

• 0x48b4f0 WinHelpA

• 0x48b4f4 WaitMessage

• 0x48b4f8 UpdateWindow

• 0x48b4fc UnregisterClassA

• 0x48b500 UnhookWindowsHookEx

• 0x48b504 TranslateMessage

• 0x48b508 TranslateMDISysAccel

• 0x48b50c TrackPopupMenu

• 0x48b510 SystemParametersInfoA

• 0x48b514 ShowWindow

• 0x48b518 ShowScrollBar

• 0x48b51c ShowOwnedPopups

• 0x48b520 ShowCursor

• 0x48b524 SetWindowsHookExA

• 0x48b528 SetWindowPos

• 0x48b52c SetWindowPlacement

• 0x48b530 SetWindowLongA

• 0x48b534 SetTimer

• 0x48b538 SetScrollRange

• 0x48b53c SetScrollPos

• 0x48b540 SetScrollInfo

• 0x48b544 SetRect

• 0x48b548 SetPropA

• 0x48b54c SetParent

• 0x48b550 SetMenuItemInfoA

• 0x48b554 SetMenu

• 0x48b558 SetForegroundWindow

• 0x48b55c SetFocus

• 0x48b560 SetCursor

• 0x48b564 SetClassLongA

• 0x48b568 SetCapture

• 0x48b56c SetActiveWindow

• 0x48b570 SendMessageA

• 0x48b574 ScrollWindow

• 0x48b578 ScreenToClient

• 0x48b57c RemovePropA

• 0x48b580 RemoveMenu

• 0x48b584 ReleaseDC

• 0x48b588 ReleaseCapture

• 0x48b58c RegisterWindowMessageA

• 0x48b590 RegisterClipboardFormatA

• 0x48b594 RegisterClassA

• 0x48b598 RedrawWindow

• 0x48b59c PtInRect

• 0x48b5a0 PostQuitMessage

• 0x48b5a4 PostMessageA

• 0x48b5a8 PeekMessageA

• 0x48b5ac OffsetRect

• 0x48b5b0 OemToCharA

• 0x48b5b4 MsgWaitForMultipleObjects

• 0x48b5b8 MessageBoxA

• 0x48b5bc MapWindowPoints

• 0x48b5c0 MapVirtualKeyA

• 0x48b5c4 LoadStringA

• 0x48b5c8 LoadKeyboardLayoutA

• 0x48b5cc LoadIconA

• 0x48b5d0 LoadCursorA

• 0x48b5d4 LoadBitmapA

• 0x48b5d8 KillTimer

• 0x48b5dc IsZoomed

• 0x48b5e0 IsWindowVisible

• 0x48b5e4 IsWindowEnabled

• 0x48b5e8 IsWindow

• 0x48b5ec IsRectEmpty

• 0x48b5f0 IsIconic

• 0x48b5f4 IsDialogMessageA

• 0x48b5f8 IsChild

• 0x48b5fc InvalidateRect

• 0x48b600 IntersectRect

• 0x48b604 InsertMenuItemA

• 0x48b608 InsertMenuA

• 0x48b60c InflateRect

• 0x48b610 GetWindowThreadProcessId

• 0x48b614 GetWindowTextA

• 0x48b618 GetWindowRect

• 0x48b61c GetWindowPlacement

• 0x48b620 GetWindowLongA

• 0x48b624 GetWindowDC

• 0x48b628 GetTopWindow

• 0x48b62c GetSystemMetrics

• 0x48b630 GetSystemMenu

• 0x48b634 GetSysColorBrush

• 0x48b638 GetSysColor

• 0x48b63c GetSubMenu

• 0x48b640 GetScrollRange

• 0x48b644 GetScrollPos

• 0x48b648 GetScrollInfo

• 0x48b64c GetPropA

• 0x48b650 GetParent

• 0x48b654 GetWindow

• 0x48b658 GetMessageTime

• 0x48b65c GetMenuStringA

• 0x48b660 GetMenuState

• 0x48b664 GetMenuItemInfoA

• 0x48b668 GetMenuItemID

• 0x48b66c GetMenuItemCount

• 0x48b670 GetMenu

• 0x48b674 GetLastActivePopup

• 0x48b678 GetKeyboardState

• 0x48b67c GetKeyboardLayoutList

• 0x48b680 GetKeyboardLayout

• 0x48b684 GetKeyState

• 0x48b688 GetKeyNameTextA

• 0x48b68c GetIconInfo

• 0x48b690 GetForegroundWindow

• 0x48b694 GetFocus

• 0x48b698 GetDlgItem

• 0x48b69c GetDesktopWindow

• 0x48b6a0 GetDCEx

• 0x48b6a4 GetDC

• 0x48b6a8 GetCursorPos

• 0x48b6ac GetCursor

• 0x48b6b0 GetClipboardData

• 0x48b6b4 GetClientRect

• 0x48b6b8 GetClassNameA

• 0x48b6bc GetClassInfoA

• 0x48b6c0 GetCapture

• 0x48b6c4 GetActiveWindow

• 0x48b6c8 FrameRect

• 0x48b6cc FindWindowA

• 0x48b6d0 FillRect

• 0x48b6d4 EqualRect

• 0x48b6d8 EnumWindows

• 0x48b6dc EnumThreadWindows

• 0x48b6e0 EndPaint

• 0x48b6e4 EnableWindow

• 0x48b6e8 EnableScrollBar

• 0x48b6ec EnableMenuItem

• 0x48b6f0 DrawTextA

• 0x48b6f4 DrawMenuBar

• 0x48b6f8 DrawIconEx

• 0x48b6fc DrawIcon

• 0x48b700 DrawFrameControl

• 0x48b704 DrawEdge

• 0x48b708 DispatchMessageA

• 0x48b70c DestroyWindow

• 0x48b710 DestroyMenu

• 0x48b714 DestroyIcon

• 0x48b718 DestroyCursor

• 0x48b71c DeleteMenu

• 0x48b720 DefWindowProcA

• 0x48b724 DefMDIChildProcA

• 0x48b728 DefFrameProcA

• 0x48b72c CreatePopupMenu

• 0x48b730 CreateMenu

• 0x48b734 CreateIcon

• 0x48b738 ClientToScreen

• 0x48b73c CheckMenuItem

• 0x48b740 CallWindowProcA

• 0x48b744 CallNextHookEx

• 0x48b748 BeginPaint

• 0x48b74c CharNextA

• 0x48b750 CharLowerBuffA

• 0x48b754 CharLowerA

• 0x48b758 CharUpperBuffA

• 0x48b75c CharToOemA

• 0x48b760 AdjustWindowRectEx

• 0x48b764 ActivateKeyboardLayout

Library kernel32.dll:

• 0x48b76c Sleep

Library oleaut32.dll:

• 0x48b774 SafeArrayPtrOfIndex

• 0x48b778 SafeArrayGetUBound

• 0x48b77c SafeArrayGetLBound

• 0x48b780 SafeArrayCreate

• 0x48b784 VariantChangeType

• 0x48b788 VariantCopy

• 0x48b78c VariantClear

• 0x48b790 VariantInit

Library ole32.dll:

• 0x48b798 CreateStreamOnHGlobal

• 0x48b79c IsAccelerator

• 0x48b7a0 OleDraw

• 0x48b7a4 OleSetMenuDescriptor

• 0x48b7a8 CoTaskMemFree

• 0x48b7ac ProgIDFromCLSID

• 0x48b7b0 StringFromCLSID

• 0x48b7b4 CoCreateInstance

• 0x48b7b8 CoGetClassObject

• 0x48b7bc CoUninitialize

• 0x48b7c0 CoInitialize

• 0x48b7c4 IsEqualGUID

Library oleaut32.dll:

• 0x48b7cc GetErrorInfo

• 0x48b7d0 GetActiveObject

• 0x48b7d4 SysFreeString

Library comctl32.dll:

• 0x48b7dc ImageList_SetIconSize

• 0x48b7e0 ImageList_GetIconSize

• 0x48b7e4 ImageList_Write

• 0x48b7e8 ImageList_Read

• 0x48b7ec ImageList_GetDragImage

• 0x48b7f0 ImageList_DragShowNolock

• 0x48b7f4 ImageList_SetDragCursorImage

• 0x48b7f8 ImageList_DragMove

• 0x48b7fc ImageList_DragLeave

• 0x48b800 ImageList_DragEnter

• 0x48b804 ImageList_EndDrag

• 0x48b808 ImageList_BeginDrag

• 0x48b80c ImageList_Remove

• 0x48b810 ImageList_DrawEx

• 0x48b814 ImageList_Replace

• 0x48b818 ImageList_Draw

• 0x48b81c ImageList_GetBkColor

• 0x48b820 ImageList_SetBkColor

• 0x48b824 ImageList_ReplaceIcon

• 0x48b828 ImageList_Add

• 0x48b82c ImageList_GetImageCount

• 0x48b830 ImageList_Destroy

• 0x48b834 ImageList_Create

Library comdlg32.dll:

• 0x48b83c GetOpenFileNameA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.78
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62912	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.