10.8
0-day

efa7f245a35c85568d26690f149f992e77c007fa1fbb7c2f4f050cea7fcca930

345eb8cdab785647cf3ac2b2b0fdd7a6.exe

Analysis duration

84s

Most recent analysis

File size

1017.0KB
Static scan: flagged. Dynamic scan: flagged (100%). Detection-name keywords: @GW@AG2Z6SKI AGEN AI SCORE=87 AIDETECTVM ALI2000015 CLASSIC CONFIDENCE DELF DELFINJECT DELPHILESS EMZL ENAI FAREIT GENERICKDZ GENETIC HIGH CONFIDENCE HRMDCV KRYPTIK KRYPTIKIH LIHA LOKIBOT MALWARE2 MALWARE@#30663XK0O2ZXW ORWQ S15462439 SUSGEN SUSPICIOUS PE TSCOPE UNSAFE X2094 X3AFM9FBMX0 ZELPHIF
鹰眼 (Hawkeye) engine
Not detected: no result from this engine is available
Static verdict
Antivirus engines (- = no result returned)
Engine       Result                                Date      Version
McAfee       Fareit-FPQ!345EB8CDAB78               20201024  6.0.6.653
Alibaba      Trojan:Win32/DelfInject.ali2000015    20190527  0.3.0.5
CrowdStrike  win/malicious_confidence_100% (W)     20190702  1.0
Baidu        -                                     20190318  1.0.0.2
Avast        Win32:Trojan-gen                      20201024  18.4.3895.0
Kingsoft     -                                     20201024  2013.8.14.323
Tencent      Win32.Trojan.Kryptik.Liha             20201024  1.0.0.1
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events). CODE, DATA and BSS are the default section names written by the Borland/Delphi linker, so on their own they identify a Delphi-built binary rather than a packed one.
section CODE
section DATA
section BSS
The executable uses a known packer (1 event). The match below is a PEiD-style signature that is also commonly reported on ordinary Delphi executables, so it corroborates the Delphi origin more than it proves packing.
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (9 events). The first record is exception 0xc000008f (STATUS_FLOAT_INEXACT_RESULT) raised through RaiseException from inside the VB6 runtime msvbvm60.dll. The remaining eight are 0xc0000005 (STATUS_ACCESS_VIOLATION) at a fault address with no module symbol, all with the same call chain: the image mapped as 345eb8cdab785647cf3ac2b2b0fdd7a6 (+0x62a4d) enters mscoree!_CorExeMain and the CLR shim mscoreei.dll faults while starting the runtime. A module at 0x400000 whose entry path is _CorExeMain is a .NET executable, which does not match the Delphi-built file on disk but does match a replacement image written by the hollowing recorded under the dynamic indicators; each of these eight crashes lands one to three seconds after one of the eight NtSetContextThread injection events listed there, and the differing mscoreei load addresses show they occurred in separate processes.
Time & API Arguments Status Return Repeated
1619360978.969001
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1636596
registers.edi: 5272768
registers.eax: 1636596
registers.ebp: 1636676
registers.edx: 0
registers.ebx: 5272768
registers.esi: 5272768
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1619360980.188249
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7475e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7475ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7475b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7475b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7475ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7475aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74755511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7475559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3
345eb8cdab785647cf3ac2b2b0fdd7a6+0x62a4d @ 0x462a4d
345eb8cdab785647cf3ac2b2b0fdd7a6+0x5b254 @ 0x45b254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff5114ad
success 0 0
1619360992.313876
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75177f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75174de3
345eb8cdab785647cf3ac2b2b0fdd7a6+0x62a4d @ 0x462a4d
345eb8cdab785647cf3ac2b2b0fdd7a6+0x5b254 @ 0x45b254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfda914ad
success 0 0
1619360999.500876
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7510e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7510ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7510b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7510b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7510ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7510aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75105511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7510559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
345eb8cdab785647cf3ac2b2b0fdd7a6+0x62a4d @ 0x462a4d
345eb8cdab785647cf3ac2b2b0fdd7a6+0x5b254 @ 0x45b254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff4414ad
success 0 0
1619361006.953001
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75177f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75174de3
345eb8cdab785647cf3ac2b2b0fdd7a6+0x62a4d @ 0x462a4d
345eb8cdab785647cf3ac2b2b0fdd7a6+0x5b254 @ 0x45b254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb214ad
success 0 0
1619361016.078751
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x750be97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x750bea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x750bb25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x750bb4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x750bac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x750baed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x750b5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x750b559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75127f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75124de3
345eb8cdab785647cf3ac2b2b0fdd7a6+0x62a4d @ 0x462a4d
345eb8cdab785647cf3ac2b2b0fdd7a6+0x5b254 @ 0x45b254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff2e14ad
success 0 0
1619361024.547126
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
345eb8cdab785647cf3ac2b2b0fdd7a6+0x62a4d @ 0x462a4d
345eb8cdab785647cf3ac2b2b0fdd7a6+0x5b254 @ 0x45b254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3e14ad
success 0 0
1619361033.453626
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x750be97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x750bea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x750bb25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x750bb4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x750bac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x750baed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x750b5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x750b559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75127f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75124de3
345eb8cdab785647cf3ac2b2b0fdd7a6+0x62a4d @ 0x462a4d
345eb8cdab785647cf3ac2b2b0fdd7a6+0x5b254 @ 0x45b254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3f14ad
success 0 0
1619361041.422126
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x750be97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x750bea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x750bb25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x750bb4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x750bac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x750baed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x750b5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x750b559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75127f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75124de3
345eb8cdab785647cf3ac2b2b0fdd7a6+0x62a4d @ 0x462a4d
345eb8cdab785647cf3ac2b2b0fdd7a6+0x5b254 @ 0x45b254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3b14ad
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 261 events shown). Note the pairs of NtProtectVirtualMemory calls in PIDs 2616 and 3192 that alternate between a private page (0x01fb2000, 0x00532000) and pages inside system DLLs: 0x76351000 to 0x76354000 lie in kernel32.dll (whose base, from the BaseThreadInitThunk frame kernel32+0x133ca at 0x763533ca, is 0x76340000) and 0x77d4f000 in ntdll.dll (base 0x77d30000 from ntdll+0x39ed2 at 0x77d69ed2). Making loaded system-DLL code writable from the injected process is consistent with patching those DLLs in memory, for example to install or remove inline hooks.
Time & API Arguments Status Return Repeated
1619360977.078001
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619360977.156001
NtProtectVirtualMemory
process_identifier: 392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 77824
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00472000
success 0 0
1619360977.156001
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00520000
success 0 0
1619360978.610249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619360978.656249
NtAllocateVirtualMemory
process_identifier: 2616
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01dd0000
success 0 0
1619360978.656249
NtAllocateVirtualMemory
process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e80000
success 0 0
1619360978.656249
NtAllocateVirtualMemory
process_identifier: 2616
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01dd0000
success 0 0
1619360978.656249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 339968
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619360979.141249
NtAllocateVirtualMemory
process_identifier: 2616
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02150000
success 0 0
1619360979.141249
NtAllocateVirtualMemory
process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022b0000
success 0 0
1619360980.110249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fb2000
success 0 0
1619360980.110249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619360980.110249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fb2000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fb2000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fb2000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fb2000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fb2000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fb2000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fb2000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fb2000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fb2000
success 0 0
1619360980.125249
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619360979.016499
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619360979.078499
NtProtectVirtualMemory
process_identifier: 428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 77824
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00472000
success 0 0
1619360979.078499
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00800000
success 0 0
1619360989.656249
NtAllocateVirtualMemory
process_identifier: 3124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f40000
success 0 0
1619360990.047249
NtProtectVirtualMemory
process_identifier: 3124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 77824
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00472000
success 0 0
1619360990.063249
NtAllocateVirtualMemory
process_identifier: 3124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02cf0000
success 0 0
1619360992.031876
NtProtectVirtualMemory
process_identifier: 3192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619360992.047876
NtAllocateVirtualMemory
process_identifier: 3192
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01e50000
success 0 0
1619360992.047876
NtAllocateVirtualMemory
process_identifier: 3192
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01ea0000
success 0 0
1619360992.047876
NtAllocateVirtualMemory
process_identifier: 3192
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ee0000
success 0 0
1619360992.047876
NtProtectVirtualMemory
process_identifier: 3192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 339968
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ee2000
success 0 0
1619360992.078876
NtAllocateVirtualMemory
process_identifier: 3192
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02110000
success 0 0
1619360992.078876
NtAllocateVirtualMemory
process_identifier: 3192
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022e0000
success 0 0
1619360992.281876
NtProtectVirtualMemory
process_identifier: 3192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00532000
success 0 0
1619360992.281876
NtProtectVirtualMemory
process_identifier: 3192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619360992.281876
NtProtectVirtualMemory
process_identifier: 3192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00532000
success 0 0
1619360992.281876
NtProtectVirtualMemory
process_identifier: 3192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619360992.281876
NtProtectVirtualMemory
process_identifier: 3192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00532000
success 0 0
1619360992.281876
NtProtectVirtualMemory
process_identifier: 3192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619360992.281876
NtProtectVirtualMemory
process_identifier: 3192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00532000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ATT&T.exe
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ATT&T.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ATT&T.exe
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (25 events)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1619360978.156001
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00440000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.630328570694106 section .rsrc (virtual_address 0x00096000, virtual_size 0x0006de90, size_of_data 0x0006e000): A section with a high entropy has been found
entropy 0.4330708661417323: Overall entropy of this PE file is high. This second figure is not bits per byte but the share of the file's section data that lies in high-entropy sections, here the 0x6e000 bytes of .rsrc out of about 1016 KB of section data; a near-8-bit .rsrc of that size is typically an encrypted or compressed payload stored as a resource.
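The two static indicators above (Borland section names and a high-entropy .rsrc section) can be reproduced without the sandbox. The following is an added example, not code from this report or its vendor: it parses the PE section table by hand, computes per-section Shannon entropy, and derives the same "share of high-entropy data" figure. The sample PE it analyses is constructed in memory (0x200 file alignment, a random-filled .rsrc); the 6.8 bits/byte and 0.2 share cutoffs are the thresholds Cuckoo's packer_entropy signature uses.

```python
"""Static packer triage: Borland/Delphi section names plus per-section entropy.

Added example, not code from the sandbox report or its vendor. It re-implements
the two static indicators the report raised (section names CODE/DATA/BSS and a
high-entropy section) with a small hand-written PE section-table parser so that
no third-party module is needed. The sample PE is constructed in memory.
"""
import math
import random
import struct

BORLAND_NAMES = {"CODE", "DATA", "BSS"}  # default names emitted by the Borland/Delphi linker
HIGH_ENTROPY = 6.8  # bits/byte; the cutoff Cuckoo's packer_entropy signature uses
HIGH_SHARE = 0.2    # share of section data that is high-entropy before flagging the whole file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Return [(name, raw_bytes)] from the PE section table (IMAGE_SECTION_HEADER is 40 bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # first section header
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(pe: bytes) -> dict:
    """Apply both indicators and return the numbers a report would show."""
    sections = parse_sections(pe)
    entropy = {name: shannon_entropy(raw) for name, raw in sections}
    high = [name for name, raw in sections if raw and entropy[name] > HIGH_ENTROPY]
    total = sum(len(raw) for _, raw in sections)
    high_bytes = sum(len(raw) for name, raw in sections if name in high)
    share = high_bytes / total if total else 0.0   # what the report calls "overall entropy"
    return {
        "sections": [name for name, _ in sections],
        "borland_linker": bool(BORLAND_NAMES & {name for name, _ in sections}),
        "entropy": entropy,
        "high_entropy_sections": high,
        "high_entropy_share": share,
        "likely_packed_or_encrypted": share > HIGH_SHARE,
    }


def build_sample_pe() -> bytes:
    """Constructed sample: minimal 32-bit PE with Delphi section names and a random-filled .rsrc."""
    rng = random.Random(1)
    code = bytes([0x55, 0x8B, 0xEC]) * 1000                    # 'push ebp; mov ebp, esp' repeated
    data = b"\0" * 2048 + b"BobSoft" * 64                      # mostly zero-initialised data
    rsrc = bytes(rng.getrandbits(8) for _ in range(16384))     # looks compressed/encrypted
    specs = [("CODE", code), ("DATA", data), ("BSS", b""), (".rsrc", rsrc)]
    opt_size = 224                                             # IMAGE_OPTIONAL_HEADER32 size
    header_len = (0x40 + 4 + 20 + opt_size + 40 * len(specs) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x0102)
    headers, body, raw_ptr, va = b"", b"", header_len, 0x1000
    for name, raw in specs:
        raw_size = (len(raw) + 0x1FF) & ~0x1FF                 # file alignment 0x200
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw) or 0x1000,
                               va, raw_size, raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += 0x10000
    return (dos + coff + b"\0" * opt_size + headers).ljust(header_len, b"\0") + body


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against a real file by replacing build_sample_pe() with the bytes of the file; the share figure it prints corresponds to the second "entropy" line of the report, and the per-section numbers to the first.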
Expresses interest in specific running processes (1 event)
process 345eb8cdab785647cf3ac2b2b0fdd7a6.exe
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (15 events). The process_name logged on a failed Process32NextW is the last snapshot entry returned before the enumeration ran out, not the name that was being looked for; inject-x86.exe is the Cuckoo monitor's own injector helper and a sandbox artifact rather than part of the sample.
Time & API Arguments Status Return Repeated
1619360977.172001
Process32NextW
process_name: 345eb8cdab785647cf3ac2b2b0fdd7a6.exe
snapshot_handle: 0x000000f4
process_identifier: 392
failed 0 0
1619360988.906499
Process32NextW
process_name: 345eb8cdab785647cf3ac2b2b0fdd7a6.exe
snapshot_handle: 0x000001f4
process_identifier: 428
failed 0 0
1619360990.063249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3180
failed 0 0
1619360996.578876
Process32NextW
process_name: 345eb8cdab785647cf3ac2b2b0fdd7a6.exe
snapshot_handle: 0x0000014c
process_identifier: 3264
failed 0 0
1619360997.891501
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3432
failed 0 0
1619361004.094876
Process32NextW
process_name: 345eb8cdab785647cf3ac2b2b0fdd7a6.exe
snapshot_handle: 0x00000148
process_identifier: 3504
failed 0 0
1619361004.750249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3680
failed 0 0
1619361011.078751
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x00000124
process_identifier: 4020
failed 0 0
1619361013.000626
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3092
failed 0 0
1619361020.500001
Process32NextW
process_name: 345eb8cdab785647cf3ac2b2b0fdd7a6.exe
snapshot_handle: 0x00000150
process_identifier: 1056
failed 0 0
1619361021.110374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3156
failed 0 0
1619361029.860751
Process32NextW
process_name: 345eb8cdab785647cf3ac2b2b0fdd7a6.exe
snapshot_handle: 0x00000164
process_identifier: 3260
failed 0 0
1619361031.703249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3464
failed 0 0
1619361038.750876
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000160
process_identifier: 3716
failed 0 0
1619361039.313249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3812
failed 0 0
Network communication
One or more of the buffers contains an embedded PE file (1 event)
buffer Buffer with sha1: 147cd4a43797ea6484f683acbfd3a6fe8fdf2a75
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14 (an address in Google's 172.217.0.0/16 allocation; the report records no traffic content, so whether this is a connectivity check or something else cannot be settled from this page)
Modifies security center warnings (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify (a value of 1 here silences the Security Center notice that User Account Control is turned off; the Wow6432Node path shows the write came from a 32-bit process under registry redirection)
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (16 events). Each call supplies only the integer register set (EIP and ESP are logged as 0), with EAX = 4976352 (0x4beee0) and EBX = 2130567168 (0x7efde000). For the primary thread of a process created suspended on 32-bit Windows, EAX holds the image entry point and EBX the PEB address, so overwriting EAX is the process-hollowing step that redirects the thread to the replacement image before it is resumed.
Process injection Process 392 called NtSetContextThread to modify thread in remote process 2616
Process injection Process 3124 called NtSetContextThread to modify thread in remote process 3192
Process injection Process 3376 called NtSetContextThread to modify thread in remote process 3444
Process injection Process 3628 called NtSetContextThread to modify thread in remote process 3696
Process injection Process 4032 called NtSetContextThread to modify thread in remote process 2428
Process injection Process 1208 called NtSetContextThread to modify thread in remote process 3168
Process injection Process 3372 called NtSetContextThread to modify thread in remote process 2484
Process injection Process 3740 called NtSetContextThread to modify thread in remote process 3860
Time & API Arguments Status Return Repeated
1619360978.031001
NtSetContextThread
thread_handle: 0x00000220
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2616
success 0 0
1619360991.438249
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3192
success 0 0
1619360998.219501
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3444
success 0 0
1619361005.110249
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3696
success 0 0
1619361014.125626
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2428
success 0 0
1619361021.656374
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3168
success 0 0
1619361032.281249
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2484
success 0 0
1619361039.828249
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3860
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (16 events)
Process injection Process 392 resumed a thread in remote process 2616
Process injection Process 3124 resumed a thread in remote process 3192
Process injection Process 3376 resumed a thread in remote process 3444
Process injection Process 3628 resumed a thread in remote process 3696
Process injection Process 4032 resumed a thread in remote process 2428
Process injection Process 1208 resumed a thread in remote process 3168
Process injection Process 3372 resumed a thread in remote process 2484
Process injection Process 3740 resumed a thread in remote process 3860
Time & API Arguments Status Return Repeated
1619360978.422001
NtResumeThread
thread_handle: 0x00000220
suspend_count: 1
process_identifier: 2616
success 0 0
1619360991.813249
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3192
success 0 0
1619360999.063501
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3444
success 0 0
1619361005.969249
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3696
success 0 0
1619361015.266626
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 2428
success 0 0
1619361023.344374
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3168
success 0 0
1619361033.031249
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 2484
success 0 0
1619361040.531249
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3860
success 0 0
Disables Windows Security features (2 events)
description attempts to disable User Account Control (UAC) registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description disables User Account Control notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify
(Both values live under HKLM, which an unelevated process cannot write; the signature fires on the attempt.)
Executed a process and injected code into it, probably while unpacking (50 of 64 events shown)
Time & API Arguments Status Return Repeated
1619360977.860001
CreateProcessInternalW
thread_identifier: 1704
thread_handle: 0x00000188
process_identifier: 912
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ATT&T.exe
track: 1
command_line: "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\ATT&T.exe"
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\ATT&T.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000022c
inherit_handles: 0
success 1 0
1619360977.969001
CreateProcessInternalW
thread_identifier: 2368
thread_handle: 0x00000220
process_identifier: 2616
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000214
inherit_handles: 0
success 1 0
1619360977.969001
NtUnmapViewOfSection
process_identifier: 2616
region_size: 4096
process_handle: 0x00000214
base_address: 0x00400000
success 0 0
1619360977.985001
NtMapViewOfSection
section_handle: 0x000001b0
process_identifier: 2616
commit_size: 790528
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000214
allocation_type: 0 ()
section_offset: 0
view_size: 790528
base_address: 0x00400000
success 0 0
1619360978.031001
NtGetContextThread
thread_handle: 0x00000220
success 0 0
1619360978.031001
NtSetContextThread
thread_handle: 0x00000220
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2616
success 0 0
1619360978.422001
NtResumeThread
thread_handle: 0x00000220
suspend_count: 1
process_identifier: 2616
success 0 0
1619360978.516001
CreateProcessInternalW
thread_identifier: 2772
thread_handle: 0x000001b4
process_identifier: 428
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe" 2 2616 10889437
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001a4
inherit_handles: 0
success 1 0
1619360989.031499
CreateProcessInternalW
thread_identifier: 3128
thread_handle: 0x000001f8
process_identifier: 3124
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001fc
inherit_handles: 0
success 1 0
1619360990.313249
CreateProcessInternalW
thread_identifier: 3196
thread_handle: 0x000000f8
process_identifier: 3192
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619360990.313249
NtUnmapViewOfSection
process_identifier: 3192
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619360990.328249
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 3192
commit_size: 790528
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 790528
base_address: 0x00400000
success 0 0
1619360991.422249
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1619360991.438249
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3192
success 0 0
1619360991.813249
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3192
success 0 0
1619360992.000249
CreateProcessInternalW
thread_identifier: 3268
thread_handle: 0x00000100
process_identifier: 3264
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe" 2 3192 10902828
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619360996.703876
CreateProcessInternalW
thread_identifier: 3380
thread_handle: 0x00000150
process_identifier: 3376
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000154
inherit_handles: 0
success 1 0
1619360998.078501
CreateProcessInternalW
thread_identifier: 3448
thread_handle: 0x000000f8
process_identifier: 3444
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619360998.078501
NtUnmapViewOfSection
process_identifier: 3444
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619360998.094501
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 3444
commit_size: 790528
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 790528
base_address: 0x00400000
success 0 0
1619360998.219501
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1619360998.219501
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3444
success 0 0
1619360999.063501
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3444
success 0 0
1619360999.438501
CreateProcessInternalW
thread_identifier: 3508
thread_handle: 0x00000100
process_identifier: 3504
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe" 2 3444 10910078
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619361004.188876
CreateProcessInternalW
thread_identifier: 3632
thread_handle: 0x0000014c
process_identifier: 3628
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000150
inherit_handles: 0
success 1 0
1619361005.016249
CreateProcessInternalW
thread_identifier: 3700
thread_handle: 0x000000f8
process_identifier: 3696
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619361005.016249
NtUnmapViewOfSection
process_identifier: 3696
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619361005.031249
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 3696
commit_size: 790528
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 790528
base_address: 0x00400000
success 0 0
1619361005.094249
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1619361005.110249
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3696
success 0 0
1619361005.969249
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3696
success 0 0
1619361007.078249
CreateProcessInternalW
thread_identifier: 3760
thread_handle: 0x00000100
process_identifier: 3756
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe" 2 3696 10917000
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619361011.469751
CreateProcessInternalW
thread_identifier: 4036
thread_handle: 0x00000128
process_identifier: 4032
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000012c
inherit_handles: 0
success 1 0
1619361013.860626
CreateProcessInternalW
thread_identifier: 1804
thread_handle: 0x000000f8
process_identifier: 2428
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619361013.860626
NtUnmapViewOfSection
process_identifier: 2428
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619361013.860626
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 2428
commit_size: 790528
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 790528
base_address: 0x00400000
success 0 0
1619361014.125626
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1619361014.125626
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2428
success 0 0
1619361015.266626
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 2428
success 0 0
1619361015.297626
CreateProcessInternalW
thread_identifier: 2040
thread_handle: 0x00000100
process_identifier: 1056
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe" 2 2428 10926281
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619361020.625001
CreateProcessInternalW
thread_identifier: 1868
thread_handle: 0x00000154
process_identifier: 1208
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000158
inherit_handles: 0
success 1 0
1619361021.500374
CreateProcessInternalW
thread_identifier: 3164
thread_handle: 0x000000f8
process_identifier: 3168
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619361021.516374
NtUnmapViewOfSection
process_identifier: 3168
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619361021.547374
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 3168
commit_size: 790528
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 790528
base_address: 0x00400000
success 0 0
1619361021.641374
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1619361021.656374
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4976352
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3168
success 0 0
1619361023.344374
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3168
success 0 0
1619361024.547374
CreateProcessInternalW
thread_identifier: 3280
thread_handle: 0x00000100
process_identifier: 3260
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe" 2 3168 10934359
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619361030.172751
CreateProcessInternalW
thread_identifier: 3196
thread_handle: 0x00000168
process_identifier: 3372
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000016c
inherit_handles: 0
success 1 0
1619361032.156249
CreateProcessInternalW
thread_identifier: 3484
thread_handle: 0x000000f8
process_identifier: 2484
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
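The per-process trace above records the same hollowing sequence for every child: CreateProcessInternalW with CREATE_SUSPENDED, NtUnmapViewOfSection at the image base 0x00400000, NtMapViewOfSection of a PAGE_EXECUTE_READWRITE view of 790528 bytes, NtSetContextThread and NtResumeThread, all aimed at the same process_identifier. The script below, added here as an example and not code from the sandbox or the report, parses that flattened line format (timestamp line, API name line, `key: value` lines, then a `status return repeated` line) and walks the chain per target PID. It generalises slightly beyond the report by also accepting the NtWriteVirtualMemory variant of the technique. SAMPLE_TRACE is a constructed excerpt of the report's own events for PID 2616 plus the non-suspended helper child 428; the API and key names come from the report, while the state machine and its stage names are my own.

```python
"""Parse a flattened Cuckoo-style API trace and flag process-hollowing chains.
Added example, not code from the sandbox or the report; the line format it reads
mirrors the trace above, and SAMPLE_TRACE is a constructed excerpt of the report's
own events for target PID 2616 plus the non-suspended helper child that follows."""
import re

TS_RE = re.compile(r"^\d+\.\d+$")
END_RE = re.compile(r"^(success|failed)\s+(-?\d+)\s+(\d+)$")
CREATE_SUSPENDED = 0x4     # CreateProcess creation flag
PAGE_EXECUTE_MASK = 0xF0   # PAGE_EXECUTE* protections are 0x10..0x80

SAMPLE_TRACE = r"""
1619360977.969001
CreateProcessInternalW
process_identifier: 2616
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe"
creation_flags: 4 (CREATE_SUSPENDED)
success 1 0
1619360977.969001
NtUnmapViewOfSection
process_identifier: 2616
base_address: 0x00400000
success 0 0
1619360977.985001
NtMapViewOfSection
process_identifier: 2616
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
view_size: 790528
base_address: 0x00400000
success 0 0
1619360978.031001
NtSetContextThread
registers.eip: 0
process_identifier: 2616
success 0 0
1619360978.422001
NtResumeThread
process_identifier: 2616
success 0 0
1619360978.516001
CreateProcessInternalW
process_identifier: 428
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\345eb8cdab785647cf3ac2b2b0fdd7a6.exe" 2 2616 10889437
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
success 1 0
"""


def parse_trace(text):
    """Return a list of events: {'ts', 'api', 'args', 'status', 'ret'}."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            if not TS_RE.match(line):
                raise ValueError(f"expected a timestamp line, got {line!r}")
            cur = {"ts": float(line), "api": None, "args": {}}
        elif cur["api"] is None:
            cur["api"] = line
        elif (m := END_RE.match(line)):
            cur["status"], cur["ret"] = m.group(1), int(m.group(2))
            events.append(cur)
            cur = None
        else:  # argument line; split on the first ':' only, values may contain more
            key, _, value = line.partition(":")
            cur["args"][key.strip()] = value.strip()
    if cur is not None:
        raise ValueError("trace ended in the middle of an event")
    return events


def leading_int(value):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x00400000' -> 0x400000, '' -> 0."""
    return int(value.split()[0], 0) if value else 0


def find_hollowing(events):
    """One finding per CREATE_SUSPENDED child that was unmapped, given an
    executable image, re-pointed with NtSetContextThread and then resumed."""
    pending, findings = {}, []
    for ev in events:
        if ev["status"] != "success":
            continue
        api, args = ev["api"], ev["args"]
        pid = leading_int(args.get("process_identifier", ""))
        if api == "CreateProcessInternalW":
            if leading_int(args.get("creation_flags", "")) & CREATE_SUSPENDED:
                pending[pid] = {"pid": pid, "stages": ["suspended"],
                                "image": args.get("command_line") or args.get("filepath", "")}
            continue
        tgt = pending.get(pid)
        if tgt is None:
            continue
        last = tgt["stages"][-1]
        if api == "NtUnmapViewOfSection" and last == "suspended":
            tgt["stages"].append("unmapped")
        elif api == "NtMapViewOfSection" and last in ("suspended", "unmapped"):
            prot = leading_int(args.get("win32_protect", ""))
            if prot & PAGE_EXECUTE_MASK:   # a non-executable view is not a payload
                tgt["protect"] = prot
                tgt["stages"].append("mapped_exec")
        elif api == "NtWriteVirtualMemory" and last in ("suspended", "unmapped"):
            tgt["stages"].append("mapped_exec")   # classic variant writes the image instead
        elif api == "NtSetContextThread" and last == "mapped_exec":
            tgt["stages"].append("context_set")
        elif api == "NtResumeThread" and last == "context_set":
            tgt["stages"].append("resumed")
            findings.append(pending.pop(pid))
    return findings
```

`find_hollowing(parse_trace(SAMPLE_TRACE))` returns one finding for PID 2616 with stages suspended → unmapped → mapped_exec → context_set → resumed and protect 64; the helper child 428, created with NORMAL_PRIORITY_CLASS, is never tracked. Requiring the resume step keeps a suspended-but-abandoned child out of the results, and the protection check means an ordinary read-only mapping into a suspended child does not count. Because Cuckoo logs the target in process_identifier, the injecting process is implicit in which per-process trace the chain appears in.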
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 of 53 events shown)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69509
FireEye Generic.mg.345eb8cdab785647
CAT-QuickHeal Trojan.KryptikIH.S15462439
McAfee Fareit-FPQ!345EB8CDAB78
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056c99c1 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056c99c1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D10F85
Cyren W32/Injector.ORWQ-3620
Symantec Infostealer.Lokibot!43
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.004be7cd-6760703-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.GenericKDZ.69509
NANO-Antivirus Trojan.Win32.Kryptik.hrmdcv
AegisLab Trojan.Win32.Kryptik.4!c
Avast Win32:Trojan-gen
Rising Trojan.Injector!1.CA8A (CLASSIC)
Ad-Aware Trojan.GenericKDZ.69509
Sophos Mal/Generic-S
Comodo Malware@#30663xk0o2zxw
DrWeb Trojan.PWS.Stealer.29093
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.Fareit.fc
Emsisoft Trojan.GenericKDZ.69509 (B)
SentinelOne DFI - Suspicious PE
Jiangmin Trojan.Kryptik.cbz
Avira HEUR/AGEN.1138685
Microsoft Trojan:Win32/Fareit.VD!MTB
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Trojan.GenericKDZ.69509
AhnLab-V3 Suspicious/Win.Delphiless.X2094
VBA32 TScope.Trojan.Delf
ALYac Trojan.GenericKDZ.69509
MAX malware (ai score=87)
ESET-NOD32 a variant of Win32/Injector.ENAI
Tencent Win32.Trojan.Kryptik.Liha
Yandex Trojan.Injector!X3afM9fBmX0
Ikarus Trojan.Inject
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Injector.EMZL!tr
BitDefenderTheta Gen:NN.ZelphiF.34590.@GW@aG2Z6ski
AVG Win32:Trojan-gen
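The fifty labels above say four different things: Fareit (McAfee, Microsoft) and Lokibot (Symantec) name families, Kryptik names a crypter, Injector names the behaviour, and GenericKDZ is one BitDefender-engine heuristic repeated by every vendor that licenses that engine. The script below, an added example rather than anything from the report or VirusTotal, does a cut-down version of what label-normalisation tools such as AVClass do: it tokenises each label, drops generic and variant parts, counts one vote per vendor and splits the result into family names and descriptor names. LABELS is an excerpt of the list above; the GENERIC and DESCRIPTORS sets are my own assumptions.

```python
"""Turn AV detection labels into a ranked family vote.
Added example, not part of the report. GENERIC (noise tokens) and DESCRIPTORS
(packer/behaviour names that are not families) are my own cut-down versions of
what label-normalisation tools such as AVClass use; LABELS is an excerpt of the
report's VirusTotal results."""
import re
from collections import Counter

GENERIC = {"trojan", "heur", "variant", "malware", "malicious", "generic", "behaveslike",
           "infostealer", "stealer", "classic", "unsafe", "suspicious", "agent"}
# Names that say how the sample is packed or what it does, not which family it is.
DESCRIPTORS = {"kryptik", "injector", "inject", "delfinject", "zelphif"}

LABELS = [  # (vendor, label): excerpt of the report's detection list
    ("McAfee", "Fareit-FPQ!345EB8CDAB78"),
    ("McAfee-GW-Edition", "BehavesLike.Win32.Fareit.fc"),
    ("Microsoft", "Trojan:Win32/Fareit.VD!MTB"),
    ("Symantec", "Infostealer.Lokibot!43"),
    ("Kaspersky", "HEUR:Trojan.Win32.Kryptik.gen"),
    ("ZoneAlarm", "HEUR:Trojan.Win32.Kryptik.gen"),
    ("NANO-Antivirus", "Trojan.Win32.Kryptik.hrmdcv"),
    ("Jiangmin", "Trojan.Kryptik.cbz"),
    ("Tencent", "Win32.Trojan.Kryptik.Liha"),
    ("ESET-NOD32", "a variant of Win32/Injector.ENAI"),
    ("Cyren", "W32/Injector.ORWQ-3620"),
    ("Fortinet", "W32/Injector.EMZL!tr"),
    ("Rising", "Trojan.Injector!1.CA8A (CLASSIC)"),
    ("BitDefender", "Trojan.GenericKDZ.69509"),
    ("GData", "Trojan.GenericKDZ.69509"),
    ("Alibaba", "Trojan:Win32/DelfInject.ali2000015"),
    ("DrWeb", "Trojan.PWS.Stealer.29093"),
]


def family_tokens(label):
    """Tokens of one label that could plausibly name a family."""
    toks = [t for t in re.split(r"[^a-z0-9]+", label.lower()) if t]
    if len(toks) > 1:
        toks = toks[:-1]  # the final token is almost always a variant id or hash
    return [t for t in toks if len(t) >= 4 and not any(c.isdigit() for c in t)
            and t not in GENERIC and not t.startswith("generic")]


def vendor_votes(labels):
    """Count, per token, how many distinct vendors used it (one vote per vendor)."""
    votes = Counter()
    for _vendor, label in labels:
        votes.update(set(family_tokens(label)))
    return votes


def consensus(labels, min_vendors=2):
    """Return (families, descriptors): family names backed by at least min_vendors
    vendors, and descriptor names, each as [(token, vendor_count)] in descending order."""
    votes = vendor_votes(labels)
    families = [(t, n) for t, n in votes.most_common()
                if t not in DESCRIPTORS and n >= min_vendors]
    descriptors = [(t, n) for t, n in votes.most_common() if t in DESCRIPTORS]
    return families, descriptors
```

On this excerpt `consensus(LABELS)` gives families `[("fareit", 3)]` and descriptors `[("kryptik", 5), ("injector", 4), ("delfinject", 1)]`; Lokibot stays a single-vendor vote, and Cyren's and Fortinet's four-letter variant codes survive the filter as singletons, which is why the family list is thresholded. The counts are still inflated by shared engines (ZoneAlarm ships the Kaspersky engine; GData, Emsisoft, eScan, Ad-Aware and ALYac ship BitDefender's), so where that mapping is known, vote per engine rather than per vendor.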
Visual analysis
Binary image
No binary image: the sample did not produce a binary visualization image
Run screenshots
No screenshots: none were captured while the sample ran

PE Compile Time

1992-06-20 06:22:17 (this is the fixed TimeDateStamp 0x2A425E19, 1992-06-19 22:22:17 UTC, that the Delphi linker writes into every executable it produces, rendered here in UTC+8; it is not the real build time and carries no information about when the sample was compiled)

Imports

Library kernel32.dll:
0x488164 VirtualFree
0x488168 VirtualAlloc
0x48816c LocalFree
0x488170 LocalAlloc
0x488174 GetVersion
0x488178 GetCurrentThreadId
0x488184 VirtualQuery
0x488188 WideCharToMultiByte
0x488190 MultiByteToWideChar
0x488194 lstrlenA
0x488198 lstrcpynA
0x48819c LoadLibraryExA
0x4881a0 GetThreadLocale
0x4881a4 GetStartupInfoA
0x4881a8 GetProcAddress
0x4881ac GetModuleHandleA
0x4881b0 GetModuleFileNameA
0x4881b4 GetLocaleInfoA
0x4881b8 GetLastError
0x4881c0 GetCommandLineA
0x4881c4 FreeLibrary
0x4881c8 FindFirstFileA
0x4881cc FindClose
0x4881d0 ExitProcess
0x4881d4 WriteFile
0x4881dc RtlUnwind
0x4881e0 RaiseException
0x4881e4 GetStdHandle
Library user32.dll:
0x4881ec GetKeyboardType
0x4881f0 LoadStringA
0x4881f4 MessageBoxA
0x4881f8 CharNextA
Library advapi32.dll:
0x488200 RegQueryValueExA
0x488204 RegOpenKeyExA
0x488208 RegCloseKey
Library oleaut32.dll:
0x488210 SysFreeString
0x488214 SysReAllocStringLen
0x488218 SysAllocStringLen
Library kernel32.dll:
0x488220 TlsSetValue
0x488224 TlsGetValue
0x488228 LocalAlloc
0x48822c GetModuleHandleA
Library advapi32.dll:
0x488234 RegQueryValueExA
0x488238 RegOpenKeyExA
0x48823c RegCloseKey
Library kernel32.dll:
0x488244 lstrcpyA
0x488248 WriteFile
0x48824c WaitForSingleObject
0x488250 VirtualQuery
0x488254 VirtualProtect
0x488258 VirtualAlloc
0x48825c Sleep
0x488260 SizeofResource
0x488264 SetThreadLocale
0x488268 SetFilePointer
0x48826c SetEvent
0x488270 SetErrorMode
0x488274 SetEndOfFile
0x488278 ResetEvent
0x48827c ReadFile
0x488280 MultiByteToWideChar
0x488284 MulDiv
0x488288 LockResource
0x48828c LoadResource
0x488290 LoadLibraryA
0x48829c GlobalUnlock
0x4882a0 GlobalReAlloc
0x4882a4 GlobalHandle
0x4882a8 GlobalLock
0x4882ac GlobalFree
0x4882b0 GlobalFindAtomA
0x4882b4 GlobalDeleteAtom
0x4882b8 GlobalAlloc
0x4882bc GlobalAddAtomA
0x4882c0 GetVersionExA
0x4882c4 GetVersion
0x4882c8 GetTickCount
0x4882cc GetThreadLocale
0x4882d4 GetSystemInfo
0x4882d8 GetStringTypeExA
0x4882dc GetStdHandle
0x4882e0 GetProcAddress
0x4882e4 GetModuleHandleA
0x4882e8 GetModuleFileNameA
0x4882ec GetLocaleInfoA
0x4882f0 GetLocalTime
0x4882f4 GetLastError
0x4882f8 GetFullPathNameA
0x4882fc GetFileAttributesA
0x488300 GetDiskFreeSpaceA
0x488304 GetDateFormatA
0x488308 GetCurrentThreadId
0x48830c GetCurrentProcessId
0x488310 GetCPInfo
0x488314 GetACP
0x488318 FreeResource
0x488320 InterlockedExchange
0x488328 FreeLibrary
0x48832c FormatMessageA
0x488330 FindResourceA
0x488334 FindNextFileA
0x488338 FindFirstFileA
0x48833c FindClose
0x48834c EnumCalendarInfoA
0x488358 CreateThread
0x48835c CreateFileA
0x488360 CreateEventA
0x488364 CompareStringA
0x488368 CloseHandle
Library version.dll:
0x488370 VerQueryValueA
0x488378 GetFileVersionInfoA
Library gdi32.dll:
0x488380 UnrealizeObject
0x488384 StretchBlt
0x488388 SetWindowOrgEx
0x48838c SetViewportOrgEx
0x488390 SetTextColor
0x488394 SetStretchBltMode
0x488398 SetROP2
0x48839c SetPixel
0x4883a0 SetDIBColorTable
0x4883a4 SetBrushOrgEx
0x4883a8 SetBkMode
0x4883ac SetBkColor
0x4883b0 SelectPalette
0x4883b4 SelectObject
0x4883b8 SaveDC
0x4883bc RestoreDC
0x4883c0 RectVisible
0x4883c4 RealizePalette
0x4883c8 PatBlt
0x4883cc MoveToEx
0x4883d0 MaskBlt
0x4883d4 LineTo
0x4883d8 IntersectClipRect
0x4883dc GetWindowOrgEx
0x4883e0 GetTextMetricsA
0x4883ec GetStockObject
0x4883f0 GetPixel
0x4883f4 GetPaletteEntries
0x4883f8 GetObjectA
0x4883fc GetDeviceCaps
0x488400 GetDIBits
0x488404 GetDIBColorTable
0x488408 GetDCOrgEx
0x488410 GetClipBox
0x488414 GetBrushOrgEx
0x488418 GetBitmapBits
0x48841c ExtTextOutA
0x488420 ExcludeClipRect
0x488424 DeleteObject
0x488428 DeleteDC
0x48842c CreateSolidBrush
0x488430 CreatePenIndirect
0x488434 CreatePalette
0x48843c CreateFontIndirectA
0x488440 CreateDIBitmap
0x488444 CreateDIBSection
0x488448 CreateCompatibleDC
0x488450 CreateBrushIndirect
0x488454 CreateBitmap
0x488458 BitBlt
Library user32.dll:
0x488460 CreateWindowExA
0x488464 WindowFromPoint
0x488468 WinHelpA
0x48846c WaitMessage
0x488470 UpdateWindow
0x488474 UnregisterClassA
0x488478 UnhookWindowsHookEx
0x48847c TranslateMessage
0x488484 TrackPopupMenu
0x48848c ShowWindow
0x488490 ShowScrollBar
0x488494 ShowOwnedPopups
0x488498 ShowCursor
0x48849c SetWindowsHookExA
0x4884a0 SetWindowTextA
0x4884a4 SetWindowPos
0x4884a8 SetWindowPlacement
0x4884ac SetWindowLongA
0x4884b0 SetTimer
0x4884b4 SetScrollRange
0x4884b8 SetScrollPos
0x4884bc SetScrollInfo
0x4884c0 SetRect
0x4884c4 SetPropA
0x4884c8 SetParent
0x4884cc SetMenuItemInfoA
0x4884d0 SetMenu
0x4884d4 SetForegroundWindow
0x4884d8 SetFocus
0x4884dc SetCursor
0x4884e0 SetClassLongA
0x4884e4 SetCapture
0x4884e8 SetActiveWindow
0x4884ec SendMessageA
0x4884f0 ScrollWindow
0x4884f4 ScreenToClient
0x4884f8 RemovePropA
0x4884fc RemoveMenu
0x488500 ReleaseDC
0x488504 ReleaseCapture
0x488510 RegisterClassA
0x488514 RedrawWindow
0x488518 PtInRect
0x48851c PostQuitMessage
0x488520 PostMessageA
0x488524 PeekMessageA
0x488528 OffsetRect
0x48852c OemToCharA
0x488530 MessageBoxA
0x488534 MapWindowPoints
0x488538 MapVirtualKeyA
0x48853c LoadStringA
0x488540 LoadKeyboardLayoutA
0x488544 LoadIconA
0x488548 LoadCursorA
0x48854c LoadBitmapA
0x488550 KillTimer
0x488554 IsZoomed
0x488558 IsWindowVisible
0x48855c IsWindowEnabled
0x488560 IsWindow
0x488564 IsRectEmpty
0x488568 IsIconic
0x48856c IsDialogMessageA
0x488570 IsChild
0x488574 InvalidateRect
0x488578 IntersectRect
0x48857c InsertMenuItemA
0x488580 InsertMenuA
0x488584 InflateRect
0x48858c GetWindowTextA
0x488590 GetWindowRect
0x488594 GetWindowPlacement
0x488598 GetWindowLongA
0x48859c GetWindowDC
0x4885a0 GetTopWindow
0x4885a4 GetSystemMetrics
0x4885a8 GetSystemMenu
0x4885ac GetSysColorBrush
0x4885b0 GetSysColor
0x4885b4 GetSubMenu
0x4885b8 GetScrollRange
0x4885bc GetScrollPos
0x4885c0 GetScrollInfo
0x4885c4 GetPropA
0x4885c8 GetParent
0x4885cc GetWindow
0x4885d0 GetMenuStringA
0x4885d4 GetMenuState
0x4885d8 GetMenuItemInfoA
0x4885dc GetMenuItemID
0x4885e0 GetMenuItemCount
0x4885e4 GetMenu
0x4885e8 GetLastActivePopup
0x4885ec GetKeyboardState
0x4885f4 GetKeyboardLayout
0x4885f8 GetKeyState
0x4885fc GetKeyNameTextA
0x488600 GetInputState
0x488604 GetIconInfo
0x488608 GetForegroundWindow
0x48860c GetFocus
0x488610 GetDlgItem
0x488614 GetDesktopWindow
0x488618 GetDCEx
0x48861c GetDC
0x488620 GetCursorPos
0x488624 GetCursor
0x488628 GetClientRect
0x48862c GetClassNameA
0x488630 GetClassInfoA
0x488634 GetCapture
0x488638 GetActiveWindow
0x48863c FrameRect
0x488640 FindWindowA
0x488644 FillRect
0x488648 EqualRect
0x48864c EnumWindows
0x488650 EnumThreadWindows
0x488654 EndPaint
0x488658 EnableWindow
0x48865c EnableScrollBar
0x488660 EnableMenuItem
0x488664 DrawTextA
0x488668 DrawMenuBar
0x48866c DrawIconEx
0x488670 DrawIcon
0x488674 DrawFrameControl
0x488678 DrawFocusRect
0x48867c DrawEdge
0x488680 DispatchMessageA
0x488684 DestroyWindow
0x488688 DestroyMenu
0x48868c DestroyIcon
0x488690 DestroyCursor
0x488694 DeleteMenu
0x488698 DefWindowProcA
0x48869c DefMDIChildProcA
0x4886a0 DefFrameProcA
0x4886a4 CreatePopupMenu
0x4886a8 CreateMenu
0x4886ac CreateIcon
0x4886b0 ClientToScreen
0x4886b4 CheckMenuItem
0x4886b8 CallWindowProcA
0x4886bc CallNextHookEx
0x4886c0 BeginPaint
0x4886c4 CharNextA
0x4886c8 CharLowerBuffA
0x4886cc CharLowerA
0x4886d0 CharToOemA
0x4886d4 AdjustWindowRectEx
Library kernel32.dll:
0x4886e0 Sleep
Library oleaut32.dll:
0x4886e8 SafeArrayPtrOfIndex
0x4886ec SafeArrayGetUBound
0x4886f0 SafeArrayGetLBound
0x4886f4 SafeArrayCreate
0x4886f8 VariantChangeType
0x4886fc VariantCopy
0x488700 VariantClear
0x488704 VariantInit
Library ole32.dll:
0x48870c CoCreateInstance
0x488710 CoUninitialize
0x488714 CoInitialize
Library oleaut32.dll:
0x48871c CreateErrorInfo
0x488720 GetErrorInfo
0x488724 SetErrorInfo
0x488728 SysFreeString
Library comctl32.dll:
0x488738 ImageList_Write
0x48873c ImageList_Read
0x48874c ImageList_DragMove
0x488750 ImageList_DragLeave
0x488754 ImageList_DragEnter
0x488758 ImageList_EndDrag
0x48875c ImageList_BeginDrag
0x488760 ImageList_Remove
0x488764 ImageList_DrawEx
0x488768 ImageList_Replace
0x48876c ImageList_Draw
0x48877c ImageList_Add
0x488784 ImageList_Destroy
0x488788 ImageList_Create
Library comdlg32.dll:
0x488790 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.