SmartHawk

Time & API	Arguments	Status
1619422303.643999 __exception__	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74816d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77ba1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77b69a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x77a7b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x748005bd hook_in_monitor+0x45 lde-0x133 @ 0x747f42ea New_ntdll_NtOpenFile+0x2b New_ntdll_NtOpenKey-0x1ce @ 0x74812c8b GetVolumeInformationW+0xda GetVolumeInformationByHandleW-0xc6 kernelbase+0x1ab4a @ 0x7fefdc6ab4a GetVolumeInformationW+0x35 RtlMoveMemory-0x553 kernel32+0x22185 @ 0x77a52185 0xae4cc 0x13ec70 registers.r14: 1305712 registers.r9: 1955198464 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 1304540 registers.rdi: 1304576 registers.r11: 0 registers.r8: 5 registers.rdx: 2 registers.rbp: 0 registers.r15: 0 registers.r12: 0 registers.rsp: 1304480 registers.rax: 1 registers.r13: 0 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x77b69a5a	success
1619422304.330999 __exception__	stacktrace: 0xabdb0 0x9595d registers.r14: 1305712 registers.r9: 0 registers.rcx: 1303888 registers.rsi: 0 registers.r10: 28 registers.rbx: 104 registers.rdi: 733360 registers.r11: 3 registers.r8: 0 registers.rdx: 512 registers.rbp: 0 registers.r15: 0 registers.r12: 0 registers.rsp: 1303256 registers.rax: 0 registers.r13: 2007313264 exception.instruction_r: 47 0f b7 14 48 66 45 85 d2 74 29 66 44 89 11 48 exception.instruction: movzx r10d, word ptr [r8 + r9*2] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xabdb0	success
1619422304.330999 __exception__	stacktrace: 0xabdb0 0x9595d registers.r14: 1305712 registers.r9: 0 registers.rcx: 1303888 registers.rsi: 0 registers.r10: 28 registers.rbx: 104 registers.rdi: 733360 registers.r11: 3 registers.r8: 0 registers.rdx: 512 registers.rbp: 0 registers.r15: 0 registers.r12: 0 registers.rsp: 1303256 registers.rax: 0 registers.r13: 2007313264 exception.instruction_r: 47 0f b7 14 48 66 45 85 d2 74 29 66 44 89 11 48 exception.instruction: movzx r10d, word ptr [r8 + r9*2] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xabdb0	success
1619422304.330999 __exception__	stacktrace: 0xabdb0 0x9595d registers.r14: 1305712 registers.r9: 0 registers.rcx: 1303888 registers.rsi: 0 registers.r10: 28 registers.rbx: 104 registers.rdi: 733360 registers.r11: 3 registers.r8: 0 registers.rdx: 512 registers.rbp: 0 registers.r15: 0 registers.r12: 0 registers.rsp: 1303256 registers.rax: 0 registers.r13: 2007313264 exception.instruction_r: 47 0f b7 14 48 66 45 85 d2 74 29 66 44 89 11 48 exception.instruction: movzx r10d, word ptr [r8 + r9*2] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xabdb0	success
1619422304.346999 __exception__	stacktrace: 0xabdb0 0x9595d registers.r14: 1305712 registers.r9: 0 registers.rcx: 1303888 registers.rsi: 0 registers.r10: 28 registers.rbx: 104 registers.rdi: 733360 registers.r11: 3 registers.r8: 0 registers.rdx: 512 registers.rbp: 0 registers.r15: 0 registers.r12: 0 registers.rsp: 1303256 registers.rax: 0 registers.r13: 2007313264 exception.instruction_r: 47 0f b7 14 48 66 45 85 d2 74 29 66 44 89 11 48 exception.instruction: movzx r10d, word ptr [r8 + r9*2] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xabdb0	success
1619422304.346999 __exception__	stacktrace: 0xabdb0 0x9595d registers.r14: 1305712 registers.r9: 0 registers.rcx: 1303888 registers.rsi: 0 registers.r10: 28 registers.rbx: 104 registers.rdi: 733360 registers.r11: 3 registers.r8: 0 registers.rdx: 512 registers.rbp: 0 registers.r15: 0 registers.r12: 0 registers.rsp: 1303256 registers.rax: 0 registers.r13: 2007313264 exception.instruction_r: 47 0f b7 14 48 66 45 85 d2 74 29 66 44 89 11 48 exception.instruction: movzx r10d, word ptr [r8 + r9*2] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xabdb0	success

Allocates read-write-execute memory (usually to unpack itself) (10 个事件)

Time & API	Arguments	Status
1619422269.003249 NtAllocateVirtualMemory	process_identifier: 2008 region_size: 274432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e30000	success
1619422286.003876 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 274432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02340000	success
1619422296.222876 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02390000	success
1619422296.222876 NtProtectVirtualMemory	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x023d1000	success
1619422302.815876 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02200000	success
1619422302.815876 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00700000	success
1619422302.815876 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x10000000	success
1619422302.815876 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x10001000	success
1619422302.815876 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00710000	success
1619422302.815876 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02410000	success

Creates a suspicious process (1 个事件)

cmdline

C:\Windows\system32\svchost.exe

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619422281.503249 ShellExecuteExW	parameters: filepath: C:\ProgramData\ↈↈCCIƆفيديVCموسيقىCموسيقىC;ↈ;ↈM;.exe filepath_r: C:\ProgramData\ↈↈCCIƆفيديVCموسيقىCموسيقىC;ↈ;ↈM;.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

6.959974524969673

section

{'size_of_data': '0x0006d000', 'virtual_address': '0x00041000', 'entropy': 6.959974524969673, 'name': '.rsrc', 'virtual_size': '0x0006c3cc'}

description

A section with a high entropy has been found

entropy

0.6449704142011834

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

113.108.239.196

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.24.14:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-03-17 21:08:16

Imports

Library CRYPT32.dll:

• 0x42e030 CryptStringToBinaryA

Library KERNEL32.dll:

• 0x42e0ac RtlUnwind

• 0x42e0b0 HeapAlloc

• 0x42e0b4 HeapFree

• 0x42e0b8 HeapReAlloc

• 0x42e0bc VirtualAlloc

• 0x42e0c0 GetSystemTimeAsFileTime

• 0x42e0c4 RaiseException

• 0x42e0c8 GetCommandLineA

• 0x42e0cc GetProcessHeap

• 0x42e0d0 GetStartupInfoA

• 0x42e0d4 ExitProcess

• 0x42e0d8 HeapSize

• 0x42e0dc TerminateProcess

• 0x42e0e0 UnhandledExceptionFilter

• 0x42e0e4 SetUnhandledExceptionFilter

• 0x42e0e8 IsDebuggerPresent

• 0x42e0ec VirtualFree

• 0x42e0f0 HeapDestroy

• 0x42e0f4 HeapCreate

• 0x42e0f8 GetStdHandle

• 0x42e0fc Sleep

• 0x42e100 FreeEnvironmentStringsA

• 0x42e104 GetEnvironmentStrings

• 0x42e108 FreeEnvironmentStringsW

• 0x42e10c GetEnvironmentStringsW

• 0x42e110 SetHandleCount

• 0x42e114 GetFileType

• 0x42e118 QueryPerformanceCounter

• 0x42e11c GetTickCount

• 0x42e120 GetACP

• 0x42e124 LCMapStringA

• 0x42e128 LCMapStringW

• 0x42e12c GetStringTypeA

• 0x42e130 GetStringTypeW

• 0x42e134 GetUserDefaultLCID

• 0x42e138 IsValidLocale

• 0x42e13c IsValidCodePage

• 0x42e140 GetConsoleCP

• 0x42e144 GetConsoleMode

• 0x42e148 GetLocaleInfoW

• 0x42e14c SetStdHandle

• 0x42e150 WriteConsoleA

• 0x42e154 GetConsoleOutputCP

• 0x42e158 WriteConsoleW

• 0x42e15c GlobalFree

• 0x42e160 GlobalUnlock

• 0x42e164 SizeofResource

• 0x42e168 LockResource

• 0x42e16c LoadResource

• 0x42e170 FindResourceA

• 0x42e174 WideCharToMultiByte

• 0x42e178 GlobalLock

• 0x42e17c GlobalAlloc

• 0x42e180 InterlockedExchange

• 0x42e184 MultiByteToWideChar

• 0x42e188 GetLastError

• 0x42e18c GetVersion

• 0x42e190 CompareStringA

• 0x42e194 lstrlenA

• 0x42e198 GetProcAddress

• 0x42e19c LoadLibraryW

• 0x42e1a0 GetVersionExA

• 0x42e1a4 GetModuleHandleA

• 0x42e1a8 lstrcmpW

• 0x42e1ac SetLastError

• 0x42e1b0 LoadLibraryA

• 0x42e1b4 FreeLibrary

• 0x42e1b8 SetErrorMode

• 0x42e1bc CreateFileA

• 0x42e1c0 GetCurrentProcess

• 0x42e1c4 GlobalDeleteAtom

• 0x42e1c8 GlobalFindAtomA

• 0x42e1cc GlobalAddAtomA

• 0x42e1d0 GlobalGetAtomNameA

• 0x42e1d4 GetCurrentThreadId

• 0x42e1d8 FreeResource

• 0x42e1dc FlushFileBuffers

• 0x42e1e0 SetFilePointer

• 0x42e1e4 WriteFile

• 0x42e1e8 ReadFile

• 0x42e1ec WritePrivateProfileStringA

• 0x42e1f0 GetThreadLocale

• 0x42e1f4 GetOEMCP

• 0x42e1f8 GetCPInfo

• 0x42e1fc InterlockedIncrement

• 0x42e200 GlobalFlags

• 0x42e204 TlsFree

• 0x42e208 DeleteCriticalSection

• 0x42e20c LocalReAlloc

• 0x42e210 TlsSetValue

• 0x42e214 TlsAlloc

• 0x42e218 InitializeCriticalSection

• 0x42e21c GlobalHandle

• 0x42e220 GlobalReAlloc

• 0x42e224 EnterCriticalSection

• 0x42e228 TlsGetValue

• 0x42e22c MulDiv

• 0x42e230 LeaveCriticalSection

• 0x42e234 LocalAlloc

• 0x42e238 InterlockedDecrement

• 0x42e23c GetModuleFileNameW

• 0x42e240 GetCurrentProcessId

• 0x42e244 CloseHandle

• 0x42e248 GetCurrentThread

• 0x42e24c ConvertDefaultLocale

• 0x42e250 GetModuleFileNameA

• 0x42e254 EnumResourceLanguagesA

• 0x42e258 GetLocaleInfoA

• 0x42e25c lstrcmpA

• 0x42e260 FormatMessageA

• 0x42e264 LocalFree

• 0x42e268 EnumSystemLocalesA

Library USER32.dll:

• 0x42e28c GetDesktopWindow

• 0x42e290 CreateDialogIndirectParamA

• 0x42e294 GetNextDlgTabItem

• 0x42e298 EndDialog

• 0x42e29c GetWindowThreadProcessId

• 0x42e2a0 SetCursor

• 0x42e2a4 GetMessageA

• 0x42e2a8 TranslateMessage

• 0x42e2ac GetActiveWindow

• 0x42e2b0 ValidateRect

• 0x42e2b4 PostQuitMessage

• 0x42e2b8 GetCursorPos

• 0x42e2bc WindowFromPoint

• 0x42e2c0 SetMenuItemBitmaps

• 0x42e2c4 GetMenuCheckMarkDimensions

• 0x42e2c8 LoadBitmapA

• 0x42e2cc ModifyMenuA

• 0x42e2d0 EnableMenuItem

• 0x42e2d4 CheckMenuItem

• 0x42e2d8 EndPaint

• 0x42e2dc BeginPaint

• 0x42e2e0 ReleaseDC

• 0x42e2e4 GetDC

• 0x42e2e8 ClientToScreen

• 0x42e2ec GetMenuState

• 0x42e2f0 IsWindowEnabled

• 0x42e2f4 ShowWindow

• 0x42e2f8 SetWindowTextA

• 0x42e2fc IsDialogMessageA

• 0x42e300 UnregisterClassA

• 0x42e304 RegisterWindowMessageA

• 0x42e308 SendDlgItemMessageA

• 0x42e30c WinHelpA

• 0x42e310 GetCapture

• 0x42e314 SetWindowsHookExA

• 0x42e318 CallNextHookEx

• 0x42e31c GetClassLongA

• 0x42e320 GetClassNameA

• 0x42e324 SetPropA

• 0x42e328 GetPropA

• 0x42e32c RemovePropA

• 0x42e330 GetFocus

• 0x42e334 SetFocus

• 0x42e338 GetWindowTextA

• 0x42e33c GetLastActivePopup

• 0x42e340 SetActiveWindow

• 0x42e344 DispatchMessageA

• 0x42e348 GetDlgItem

• 0x42e34c GetTopWindow

• 0x42e350 DestroyWindow

• 0x42e354 UnhookWindowsHookEx

• 0x42e358 GetMessageTime

• 0x42e35c GetMessagePos

• 0x42e360 PeekMessageA

• 0x42e364 MapWindowPoints

• 0x42e368 GetKeyState

• 0x42e36c SetForegroundWindow

• 0x42e370 IsWindowVisible

• 0x42e374 UpdateWindow

• 0x42e378 GetMenu

• 0x42e37c PostMessageA

• 0x42e380 GetSubMenu

• 0x42e384 GetMenuItemID

• 0x42e388 GetMenuItemCount

• 0x42e38c MessageBoxA

• 0x42e390 CreateWindowExA

• 0x42e394 GetClassInfoExA

• 0x42e398 GetClassInfoA

• 0x42e39c RegisterClassA

• 0x42e3a0 GetSysColor

• 0x42e3a4 AdjustWindowRectEx

• 0x42e3a8 ScreenToClient

• 0x42e3ac CopyRect

• 0x42e3b0 PtInRect

• 0x42e3b4 GetDlgCtrlID

• 0x42e3b8 DefWindowProcA

• 0x42e3bc CallWindowProcA

• 0x42e3c0 GetWindowLongA

• 0x42e3c4 SetWindowLongA

• 0x42e3c8 LoadCursorA

• 0x42e3cc GetSysColorBrush

• 0x42e3d0 DestroyMenu

• 0x42e3d4 SetWindowPos

• 0x42e3d8 SystemParametersInfoA

• 0x42e3dc GetWindowPlacement

• 0x42e3e0 GetWindow

• 0x42e3e4 LoadImageA

• 0x42e3e8 GetSystemMetrics

• 0x42e3ec LoadIconA

• 0x42e3f0 IsIconic

• 0x42e3f4 GetSystemMenu

• 0x42e3f8 AppendMenuA

• 0x42e3fc DrawIcon

• 0x42e400 CreateWindowExW

• 0x42e404 InSendMessage

• 0x42e408 IsWindow

• 0x42e40c GrayStringA

• 0x42e410 DrawTextExA

• 0x42e414 DrawTextA

• 0x42e418 TabbedTextOutA

• 0x42e41c SendMessageA

• 0x42e420 EnableWindow

• 0x42e424 GetParent

• 0x42e428 InvalidateRect

• 0x42e42c GetClientRect

• 0x42e430 GetWindowRect

• 0x42e434 EqualRect

• 0x42e438 GetForegroundWindow

Library GDI32.dll:

• 0x42e038 SaveDC

• 0x42e03c RestoreDC

• 0x42e040 SetMapMode

• 0x42e044 DeleteObject

• 0x42e048 SetViewportOrgEx

• 0x42e04c OffsetViewportOrgEx

• 0x42e050 SetViewportExtEx

• 0x42e054 ScaleViewportExtEx

• 0x42e058 SetWindowExtEx

• 0x42e05c ScaleWindowExtEx

• 0x42e060 DeleteDC

• 0x42e064 CreateBitmap

• 0x42e068 GetStockObject

• 0x42e06c GetDeviceCaps

• 0x42e070 GetObjectA

• 0x42e074 SetBkColor

• 0x42e078 SetTextColor

• 0x42e07c GetClipBox

• 0x42e080 SelectObject

• 0x42e084 Escape

• 0x42e088 ExtTextOutA

• 0x42e08c TextOutA

• 0x42e090 RectVisible

• 0x42e094 PtVisible

• 0x42e098 BitBlt

• 0x42e09c CreateCompatibleDC

• 0x42e0a0 SetWindowOrgEx

• 0x42e0a4 CreateCompatibleBitmap

Library WINSPOOL.DRV:

• 0x42e440 ClosePrinter

• 0x42e444 OpenPrinterA

• 0x42e448 DocumentPropertiesA

Library ADVAPI32.dll:

• 0x42e000 RegQueryValueA

• 0x42e004 RegOpenKeyA

• 0x42e008 RegSetValueExA

• 0x42e00c RegCreateKeyExA

• 0x42e010 RegCloseKey

• 0x42e014 RegEnumKeyA

• 0x42e018 RegDeleteKeyA

• 0x42e01c RegOpenKeyExA

• 0x42e020 RegQueryValueExA

Library COMCTL32.dll:

• 0x42e028 _TrackMouseEvent

Library SHLWAPI.dll:

• 0x42e280 PathFindFileNameA

• 0x42e284 PathFindExtensionA

Library ole32.dll:

• 0x42e498 CreateStreamOnHGlobal

Library OLEAUT32.dll:

• 0x42e270 VariantClear

• 0x42e274 VariantChangeType

• 0x42e278 VariantInit

Library gdiplus.dll:

• 0x42e450 GdipCreateFromHDC

• 0x42e454 GdipSetImageAttributesColorMatrix

• 0x42e458 GdipCreateBitmapFromStreamICM

• 0x42e45c GdipCreateBitmapFromStream

• 0x42e460 GdipGetImageHeight

• 0x42e464 GdipGetImageWidth

• 0x42e468 GdipDrawImageI

• 0x42e46c GdipDeleteGraphics

• 0x42e470 GdipDisposeImageAttributes

• 0x42e474 GdipCreateImageAttributes

• 0x42e478 GdipAlloc

• 0x42e47c GdipFree

• 0x42e480 GdipDrawImageRectRect

• 0x42e484 GdipCloneImage

• 0x42e488 GdiplusShutdown

• 0x42e48c GdiplusStartup

• 0x42e490 GdipDisposeImage

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.24.14 CNAME clients.l.google.com	172.217.24.14
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.