9.2
Critical

462ccf04a64e21bb252f1c50ad29f9b7732abe026b63a50390326edae3ffe1b3

42de4e4741ffb6ba52e0a3ddc2e2752d.exe

Analysis duration

61s

Last analyzed

File size

1013.0KB
Static scan: flagged
Dynamic scan: flagged
Detection tags: 100% 4YCEG22YK08 AGDW AGEN AI SCORE=100 ANDROM CLASSIC CONFIDENCE DELF DELPHILESS EDNH EE@820REF EHDJ FAREIT FMUYNW FQIO FUERBOOS GBFC GDSDA GENCIRC HIGH HIGH CONFIDENCE LOKI OCCAMY SCORE SMDD SUSPICIOUS PE UNSAFE
HawkEye engine (鹰眼引擎)
Not detected: no HawkEye engine result is available for this sample
Static verdict
Antivirus engines
Engine Result Scan date Engine version
Alibaba Backdoor:Win32/Androm.28031eb4 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20200717 18.4.3895.0
Tencent Malware.Win32.Gencirc.10b3a570 20200717 1.0.0.1
Kingsoft 20200717 2013.8.14.323
McAfee Trojan-FQIO!42DE4E4741FF 20200717 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1620755209.16775
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
svchosts+0x98a4d @ 0x498a4d
svchosts+0x91254 @ 0x491254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb4148d
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (33 events)
Time & API Arguments Status Return Repeated
1620755174.151625
NtAllocateVirtualMemory
process_identifier: 2436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e20000
success 0 0
1620755188.729625
NtAllocateVirtualMemory
process_identifier: 2436
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e50000
success 0 0
1620755188.729625
NtAllocateVirtualMemory
process_identifier: 2436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e70000
success 0 0
1620755189.995374
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1620755203.917374
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00390000
success 0 0
1620755203.917374
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003b0000
success 0 0
1620755205.66775
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620755205.91775
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01fe0000
success 0 0
1620755205.91775
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x021c0000
success 0 0
1620755205.93275
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e50000
success 0 0
1620755205.93275
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 565248
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e52000
success 0 0
1620755207.13675
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f30000
success 0 0
1620755207.13675
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f40000
success 0 0
1620755209.05775
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005e2000
success 0 0
1620755209.05775
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620755209.05775
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005e2000
success 0 0
1620755209.05775
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1620755209.05775
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005e2000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005e2000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005e2000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005e2000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005e2000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005e2000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005e2000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005e2000
success 0 0
1620755209.07375
NtProtectVirtualMemory
process_identifier: 1752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchosts.vbs
Creates a suspicious process (2 events)
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchosts\svchosts.exe"
cmdline C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchosts\svchosts.exe
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.5942747369831 section {'size_of_data': '0x00079a00', 'virtual_address': '0x00089000', 'entropy': 7.5942747369831, 'name': '.rsrc', 'virtual_size': '0x000798ac'} description A section with a high entropy has been found
entropy 0.4807312252964427 description Overall entropy of this PE file is high
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchosts\svchosts.exe:ZoneIdentifier
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchosts.vbs
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchosts\svchosts.exe
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 2344 called NtSetContextThread to modify thread in remote process 1752
Time & API Arguments Status Return Repeated
1620755204.979374
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 5420144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1752
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 2344 resumed a thread in remote process 1752
Time & API Arguments Status Return Repeated
1620755205.401374
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 1752
success 0 0
Generates some ICMP traffic
Executed a process and injected code into it, probably while unpacking (8 events)
Time & API Arguments Status Return Repeated
1620755189.651625
CreateProcessInternalW
thread_identifier: 2864
thread_handle: 0x000000fc
process_identifier: 2344
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchosts\svchosts.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchosts\svchosts.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1620755204.870374
CreateProcessInternalW
thread_identifier: 2216
thread_handle: 0x00000104
process_identifier: 1752
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchosts\svchosts.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1620755204.870374
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1620755204.870374
NtUnmapViewOfSection
process_identifier: 1752
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1620755204.886374
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 1752
commit_size: 1232896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1232896
base_address: 0x00400000
success 0 0
1620755204.948374
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 1752
commit_size: 4096
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 4096
base_address: 0x001e0000
success 0 0
1620755204.979374
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 5420144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1752
success 0 0
1620755205.401374
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 1752
success 0 0
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events shown)
MicroWorld-eScan Trojan.Delf.FareIt.Gen.2
FireEye Generic.mg.42de4e4741ffb6ba
ALYac Trojan.Delf.FareIt.Gen.2
Cylance Unsafe
Zillya Backdoor.Androm.Win32.61277
Sangfor Malware
K7AntiVirus Spyware ( 005435701 )
Alibaba Backdoor:Win32/Androm.28031eb4
K7GW Spyware ( 005435701 )
Cybereason malicious.741ffb
Arcabit Trojan.Delf.FareIt.Gen.2
TrendMicro TrojanSpy.Win32.LOKI.SMDD.hp
BitDefenderTheta AI:Packer.5A57D81618
Cyren W32/Injector.GBFC-4983
Symantec Trojan.Gen.2
TrendMicro-HouseCall TrojanSpy.Win32.LOKI.SMDD.hp
Avast Win32:Trojan-gen
ClamAV Win.Malware.Score-6853547-0
Kaspersky HEUR:Backdoor.Win32.Androm.gen
BitDefender Trojan.Delf.FareIt.Gen.2
NANO-Antivirus Trojan.Win32.Stealer.fmuynw
Paloalto generic.ml
AegisLab Trojan.Win32.Androm.4!c
APEX Malicious
Tencent Malware.Win32.Gencirc.10b3a570
Ad-Aware Trojan.Delf.FareIt.Gen.2
Emsisoft Trojan.Delf.FareIt.Gen.2 (B)
Comodo TrojWare.Win32.Androm.EE@820ref
F-Secure Heuristic.HEUR/AGEN.1128236
DrWeb Trojan.PWS.Stealer.21240
Invincea heuristic
Trapmine malicious.high.ml.score
Sophos Mal/Fareit-Q
Ikarus Trojan.Inject
F-Prot W32/Injector.IWR
Jiangmin Backdoor.Androm.agdw
eGambit Unsafe.AI_Score_99%
Avira HEUR/AGEN.1128236
Antiy-AVL Trojan[Backdoor]/Win32.Androm
Microsoft Trojan:Win32/Occamy.C
Endgame malicious (high confidence)
ZoneAlarm HEUR:Backdoor.Win32.Androm.gen
GData Trojan.Delf.FareIt.Gen.2
Cynet Malicious (score: 100)
AhnLab-V3 Win-Trojan/Delphiless.Exp
Acronis suspicious
McAfee Trojan-FQIO!42DE4E4741FF
MAX malware (ai score=100)
VBA32 Trojan.Fuerboos
Malwarebytes Trojan.Injector
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran


PE Compile Time

1992-01-19 22:17:26

Imports

Library kernel32.dll:
0x47b13c VirtualFree
0x47b140 VirtualAlloc
0x47b144 LocalFree
0x47b148 LocalAlloc
0x47b14c GetVersion
0x47b150 GetCurrentThreadId
0x47b15c VirtualQuery
0x47b160 WideCharToMultiByte
0x47b164 MultiByteToWideChar
0x47b168 lstrlenA
0x47b16c lstrcpynA
0x47b170 LoadLibraryExA
0x47b174 GetThreadLocale
0x47b178 GetStartupInfoA
0x47b17c GetProcAddress
0x47b180 GetModuleHandleA
0x47b184 GetModuleFileNameA
0x47b188 GetLocaleInfoA
0x47b18c GetCommandLineA
0x47b190 FreeLibrary
0x47b194 FindFirstFileA
0x47b198 FindClose
0x47b19c ExitProcess
0x47b1a0 ExitThread
0x47b1a4 CreateThread
0x47b1a8 WriteFile
0x47b1b0 RtlUnwind
0x47b1b4 RaiseException
0x47b1b8 GetStdHandle
Library user32.dll:
0x47b1c0 GetKeyboardType
0x47b1c4 LoadStringA
0x47b1c8 MessageBoxA
0x47b1cc CharNextA
Library advapi32.dll:
0x47b1d4 RegQueryValueExA
0x47b1d8 RegOpenKeyExA
0x47b1dc RegCloseKey
Library oleaut32.dll:
0x47b1e4 SysFreeString
0x47b1e8 SysReAllocStringLen
0x47b1ec SysAllocStringLen
Library kernel32.dll:
0x47b1f4 TlsSetValue
0x47b1f8 TlsGetValue
0x47b1fc LocalAlloc
0x47b200 GetModuleHandleA
Library advapi32.dll:
0x47b208 RegQueryValueExA
0x47b20c RegOpenKeyExA
0x47b210 RegCloseKey
Library kernel32.dll:
0x47b218 lstrcpyA
0x47b21c WriteFile
0x47b220 WaitForSingleObject
0x47b224 VirtualQuery
0x47b228 VirtualAlloc
0x47b22c SuspendThread
0x47b230 Sleep
0x47b234 SizeofResource
0x47b238 SetThreadPriority
0x47b23c SetThreadLocale
0x47b240 SetFilePointer
0x47b244 SetEvent
0x47b248 SetErrorMode
0x47b24c SetEndOfFile
0x47b250 ResumeThread
0x47b254 ResetEvent
0x47b258 ReadFile
0x47b25c MulDiv
0x47b260 LockResource
0x47b264 LoadResource
0x47b268 LoadLibraryA
0x47b274 GlobalUnlock
0x47b278 GlobalReAlloc
0x47b27c GlobalHandle
0x47b280 GlobalLock
0x47b284 GlobalFree
0x47b288 GlobalFindAtomA
0x47b28c GlobalDeleteAtom
0x47b290 GlobalAlloc
0x47b294 GlobalAddAtomA
0x47b298 GetVersionExA
0x47b29c GetVersion
0x47b2a0 GetTickCount
0x47b2a4 GetThreadLocale
0x47b2a8 GetTempPathA
0x47b2ac GetSystemInfo
0x47b2b0 GetStringTypeExA
0x47b2b4 GetStdHandle
0x47b2b8 GetProcAddress
0x47b2bc GetModuleHandleA
0x47b2c0 GetModuleFileNameA
0x47b2c4 GetLocaleInfoA
0x47b2c8 GetLocalTime
0x47b2cc GetLastError
0x47b2d0 GetFullPathNameA
0x47b2d4 GetFileSize
0x47b2d8 GetExitCodeThread
0x47b2dc GetDiskFreeSpaceA
0x47b2e0 GetDateFormatA
0x47b2e4 GetCurrentThreadId
0x47b2e8 GetCurrentProcessId
0x47b2ec GetCPInfo
0x47b2f0 GetACP
0x47b2f4 FreeResource
0x47b2fc InterlockedExchange
0x47b304 FreeLibrary
0x47b308 FormatMessageA
0x47b30c FindResourceA
0x47b310 FindFirstFileA
0x47b314 FindClose
0x47b320 ExitProcess
0x47b324 EnumCalendarInfoA
0x47b330 CreateThread
0x47b334 CreateFileA
0x47b338 CreateEventA
0x47b33c CompareStringA
0x47b340 CloseHandle
Library version.dll:
0x47b348 VerQueryValueA
0x47b350 GetFileVersionInfoA
Library gdi32.dll:
0x47b358 UnrealizeObject
0x47b35c StretchBlt
0x47b360 SetWindowOrgEx
0x47b364 SetWinMetaFileBits
0x47b368 SetViewportOrgEx
0x47b36c SetTextColor
0x47b370 SetStretchBltMode
0x47b374 SetROP2
0x47b378 SetPixel
0x47b37c SetEnhMetaFileBits
0x47b380 SetDIBColorTable
0x47b384 SetBrushOrgEx
0x47b388 SetBkMode
0x47b38c SetBkColor
0x47b390 SelectPalette
0x47b394 SelectObject
0x47b398 SelectClipRgn
0x47b39c ScaleWindowExtEx
0x47b3a0 SaveDC
0x47b3a4 RoundRect
0x47b3a8 RestoreDC
0x47b3ac Rectangle
0x47b3b0 RectVisible
0x47b3b4 RealizePalette
0x47b3b8 Polyline
0x47b3bc PlayEnhMetaFile
0x47b3c0 PatBlt
0x47b3c4 MoveToEx
0x47b3c8 MaskBlt
0x47b3cc LineTo
0x47b3d0 IntersectClipRect
0x47b3d4 GetWindowOrgEx
0x47b3d8 GetWinMetaFileBits
0x47b3dc GetTextMetricsA
0x47b3e8 GetStockObject
0x47b3ec GetPixel
0x47b3f0 GetPaletteEntries
0x47b3f4 GetObjectA
0x47b400 GetEnhMetaFileBits
0x47b404 GetDeviceCaps
0x47b408 GetDIBits
0x47b40c GetDIBColorTable
0x47b410 GetDCOrgEx
0x47b418 GetClipBox
0x47b41c GetBrushOrgEx
0x47b420 GetBitmapBits
0x47b424 FillPath
0x47b428 ExcludeClipRect
0x47b42c Ellipse
0x47b430 DeleteObject
0x47b434 DeleteEnhMetaFile
0x47b438 DeleteDC
0x47b43c CreateSolidBrush
0x47b440 CreateRectRgn
0x47b444 CreatePenIndirect
0x47b448 CreatePen
0x47b44c CreatePalette
0x47b454 CreateFontIndirectA
0x47b458 CreateDIBitmap
0x47b45c CreateDIBSection
0x47b460 CreateCompatibleDC
0x47b468 CreateBrushIndirect
0x47b46c CreateBitmap
0x47b470 CopyEnhMetaFileA
0x47b474 BitBlt
Library user32.dll:
0x47b47c CreateWindowExA
0x47b480 WindowFromPoint
0x47b484 WinHelpA
0x47b488 WaitMessage
0x47b48c ValidateRect
0x47b490 UpdateWindow
0x47b494 UnregisterClassA
0x47b498 UnhookWindowsHookEx
0x47b49c TranslateMessage
0x47b4a4 TrackPopupMenu
0x47b4ac ShowWindow
0x47b4b0 ShowScrollBar
0x47b4b4 ShowOwnedPopups
0x47b4b8 ShowCursor
0x47b4bc SetWindowsHookExA
0x47b4c0 SetWindowTextA
0x47b4c4 SetWindowPos
0x47b4c8 SetWindowPlacement
0x47b4cc SetWindowLongA
0x47b4d0 SetTimer
0x47b4d4 SetScrollRange
0x47b4d8 SetScrollPos
0x47b4dc SetScrollInfo
0x47b4e0 SetRect
0x47b4e4 SetPropA
0x47b4e8 SetParent
0x47b4ec SetMenuItemInfoA
0x47b4f0 SetMenu
0x47b4f4 SetKeyboardState
0x47b4f8 SetForegroundWindow
0x47b4fc SetFocus
0x47b500 SetCursor
0x47b504 SetClipboardData
0x47b508 SetClassLongA
0x47b50c SetCapture
0x47b510 SetActiveWindow
0x47b514 SendMessageA
0x47b518 ScrollWindow
0x47b51c ScreenToClient
0x47b520 RemovePropA
0x47b524 RemoveMenu
0x47b528 ReleaseDC
0x47b52c ReleaseCapture
0x47b538 RegisterClassA
0x47b53c RedrawWindow
0x47b540 PtInRect
0x47b544 PostQuitMessage
0x47b548 PostMessageA
0x47b54c PeekMessageA
0x47b550 OpenClipboard
0x47b554 OffsetRect
0x47b558 OemToCharA
0x47b560 MessageBoxA
0x47b564 MessageBeep
0x47b568 MapWindowPoints
0x47b56c MapVirtualKeyA
0x47b570 LoadStringA
0x47b574 LoadKeyboardLayoutA
0x47b578 LoadIconA
0x47b57c LoadCursorA
0x47b580 LoadBitmapA
0x47b584 KillTimer
0x47b588 IsZoomed
0x47b58c IsWindowVisible
0x47b590 IsWindowEnabled
0x47b594 IsWindow
0x47b598 IsRectEmpty
0x47b59c IsIconic
0x47b5a0 IsDialogMessageA
0x47b5a4 IsChild
0x47b5a8 IsCharAlphaNumericA
0x47b5ac IsCharAlphaA
0x47b5b0 InvalidateRect
0x47b5b4 IntersectRect
0x47b5b8 InsertMenuItemA
0x47b5bc InsertMenuA
0x47b5c0 InflateRect
0x47b5c8 GetWindowTextA
0x47b5cc GetWindowRect
0x47b5d0 GetWindowPlacement
0x47b5d4 GetWindowLongA
0x47b5d8 GetWindowDC
0x47b5dc GetTopWindow
0x47b5e0 GetSystemMetrics
0x47b5e4 GetSystemMenu
0x47b5e8 GetSysColorBrush
0x47b5ec GetSysColor
0x47b5f0 GetSubMenu
0x47b5f4 GetScrollRange
0x47b5f8 GetScrollPos
0x47b5fc GetScrollInfo
0x47b600 GetPropA
0x47b604 GetParent
0x47b608 GetWindow
0x47b60c GetMenuStringA
0x47b610 GetMenuState
0x47b614 GetMenuItemInfoA
0x47b618 GetMenuItemID
0x47b61c GetMenuItemCount
0x47b620 GetMenu
0x47b624 GetLastActivePopup
0x47b628 GetKeyboardState
0x47b630 GetKeyboardLayout
0x47b634 GetKeyState
0x47b638 GetKeyNameTextA
0x47b63c GetIconInfo
0x47b640 GetForegroundWindow
0x47b644 GetFocus
0x47b648 GetDesktopWindow
0x47b64c GetDCEx
0x47b650 GetDC
0x47b654 GetCursorPos
0x47b658 GetCursor
0x47b65c GetClipboardData
0x47b660 GetClientRect
0x47b664 GetClassNameA
0x47b668 GetClassInfoA
0x47b66c GetCapture
0x47b670 GetActiveWindow
0x47b674 FrameRect
0x47b678 FindWindowA
0x47b67c FillRect
0x47b680 EqualRect
0x47b684 EnumWindows
0x47b688 EnumThreadWindows
0x47b690 EndPaint
0x47b694 EnableWindow
0x47b698 EnableScrollBar
0x47b69c EnableMenuItem
0x47b6a0 EmptyClipboard
0x47b6a4 DrawTextA
0x47b6a8 DrawMenuBar
0x47b6ac DrawIconEx
0x47b6b0 DrawIcon
0x47b6b4 DrawFrameControl
0x47b6b8 DrawFocusRect
0x47b6bc DrawEdge
0x47b6c0 DispatchMessageA
0x47b6c4 DestroyWindow
0x47b6c8 DestroyMenu
0x47b6cc DestroyIcon
0x47b6d0 DestroyCursor
0x47b6d4 DeleteMenu
0x47b6d8 DefWindowProcA
0x47b6dc DefMDIChildProcA
0x47b6e0 DefFrameProcA
0x47b6e4 CreatePopupMenu
0x47b6e8 CreateMenu
0x47b6ec CreateIcon
0x47b6f0 CloseClipboard
0x47b6f4 ClientToScreen
0x47b6f8 CheckMenuItem
0x47b6fc CallWindowProcA
0x47b700 CallNextHookEx
0x47b704 BringWindowToTop
0x47b708 BeginPaint
0x47b70c CharNextA
0x47b710 CharLowerBuffA
0x47b714 CharLowerA
0x47b718 CharUpperBuffA
0x47b71c CharToOemA
0x47b720 AdjustWindowRectEx
Library kernel32.dll:
0x47b72c Sleep
Library oleaut32.dll:
0x47b734 SafeArrayPtrOfIndex
0x47b738 SafeArrayGetUBound
0x47b73c SafeArrayGetLBound
0x47b740 SafeArrayCreate
0x47b744 VariantChangeType
0x47b748 VariantCopy
0x47b74c VariantClear
0x47b750 VariantInit
Library comctl32.dll:
0x47b760 ImageList_Write
0x47b764 ImageList_Read
0x47b774 ImageList_DragMove
0x47b778 ImageList_DragLeave
0x47b77c ImageList_DragEnter
0x47b780 ImageList_EndDrag
0x47b784 ImageList_BeginDrag
0x47b788 ImageList_Remove
0x47b78c ImageList_DrawEx
0x47b790 ImageList_Replace
0x47b794 ImageList_Draw
0x47b7a4 ImageList_Add
0x47b7ac ImageList_Destroy
0x47b7b0 ImageList_Create
0x47b7b4 InitCommonControls
Library comdlg32.dll:
0x47b7bc FindTextA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49236 239.255.255.250 3702
192.168.56.101 50003 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.