SmartHawk

10.0

0-day

55 个模型检测该样本为恶意！

重新分析

下载样本

a3d428fd7905e197628f06158928ecba082d331ee68d1bba8cd527b883e5538c

49ec6f91d3c1f5e9f084f741f7f9473a.exe

分析耗时

137s

最近分析

文件大小

972.0KB

静态报毒动态报毒 8UG5ZBTNY95+WBEIPENRCQ 8Y0@AKIY3IGI AI SCORE=80 AIDETECTVM ATTRIBUTE CJPQ DOWNLOADER34 ELDORADO EMOTET GENCIRC GENERIC@ML GENERICKD GENETIC HIGH CONFIDENCE HIGHCONFIDENCE HSHQHX LJFXDPKBO7A MALWARE2 MALWARE@#LK25IPZ439WO R + TROJ R348634 RDMK SCORE SUSGEN THIBOBO TOINC UNSAFE ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Emotet-FRV!49EC6F91D3C1	20201024	6.0.6.653
Alibaba	Trojan:Win32/Emotet.56ebfea6	20190527	0.3.0.5
CrowdStrike		20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:Trojan-gen	20201024	18.4.3895.0
Tencent	Malware.Win32.Gencirc.10cde9ca	20201024	1.0.0.1
Kingsoft		20201024	2013.8.14.323

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619466418.395249 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Uses Windows APIs to generate a cryptographic key (5 个事件)

Time & API	Arguments	Status	Return
1619466406.974249 CryptGenKey	crypto_handle: 0x006a5548 algorithm_identifier: 0x0000660e () provider_handle: 0x006a5058 flags: 1 key: f² ®gÇ³$Û©ý+ÆP	success	1
1619466418.395249 CryptExportKey	crypto_handle: 0x006a5548 crypto_export_handle: 0x006a5508 buffer: f¤ÁÒÜÐ¡övVÏ³\|â$ôQ&qH+¢\£íGñÖV½«î'³ßÍ@NÆ6ë×èfFRÔöFÙY¦XYíJkôîç ¤î¨ï¤¨Ô &@Rè@)ðl blob_type: 1 flags: 64	success	1
1619466446.849249 CryptExportKey	crypto_handle: 0x006a5548 crypto_export_handle: 0x006a5508 buffer: f¤S(eB¦»eÎyBa:¬Æ±ß bãzÉæ»cäpâH!;;H*ÒsÁÚ¹í;Ý£ÖÙðWLYß±"ÉdI íC¦O±j©göÚ°Ü.a blob_type: 1 flags: 64	success	1
1619466451.395249 CryptExportKey	crypto_handle: 0x006a5548 crypto_export_handle: 0x006a5508 buffer: f¤úM;_nòò7ÔÍmÎZô6än¾êþÚÆ1~×ø¬mÄÔë6õXB®°IÜÿË13A¬z¨ê;Öß¦å rt"Æ \gÍ`)øjt®@@næK~ blob_type: 1 flags: 64	success	1
1619466475.552249 CryptExportKey	crypto_handle: 0x006a5548 crypto_export_handle: 0x006a5508 buffer: f¤#4Ò 1i&ã"Càø¦ÞÒ=Z¢Áµ°;#¬{Å!÷²j3ßÕ²¢Rdz\ªq®×ÚiÊÃ$I\J§Øci®xhG~ÜôI3.èæÞÏvø½ blob_type: 1 flags: 64	success	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.didat

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619466400.005124 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00380000	success
1619466032.914772 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00000000040f0000	success
1619466405.864249 NtAllocateVirtualMemory	process_identifier: 1816 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00580000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (14 个事件)

Time & API	Arguments	Status	Return
1619466406.661249 Process32NextW	process_name: sdclt.exe snapshot_handle: 0x00000164 process_identifier: 2128	success	1
1619466406.661249 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x00000164 process_identifier: 420	success	1
1619466406.661249 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x00000164 process_identifier: 2208	success	1
1619466406.661249 Process32NextW	process_name: mobsync.exe snapshot_handle: 0x00000164 process_identifier: 1376	success	1
1619466406.661249 Process32NextW	process_name: 49ec6f91d3c1f5e9f084f741f7f9473a.exe snapshot_handle: 0x00000164 process_identifier: 2536	success	1
1619466406.661249 Process32NextW	process_name: schtasks.exe snapshot_handle: 0x00000164 process_identifier: 2236	success	1
1619466406.661249 Process32NextW	process_name: conhost.exe snapshot_handle: 0x00000164 process_identifier: 3068	success	1
1619466406.661249 Process32NextW	process_name: uxlib.exe snapshot_handle: 0x00000164 process_identifier: 1816	success	1
1619466451.395249 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x000003e0 process_identifier: 1416	success	1
1619466451.395249 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x000003e0 process_identifier: 2856	success	1
1619466451.395249 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x000003e0 process_identifier: 2152	success	1
1619466451.395249 Process32NextW	process_name: sppsvc.exe snapshot_handle: 0x000003e0 process_identifier: 2996	success	1
1619466451.395249 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x000003e0 process_identifier: 2184	success	1
1619466475.552249 Process32NextW	process_name: inject-x64.exe snapshot_handle: 0x000003e0 process_identifier: 3276	success	1

Moves the original executable to a new location (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619466401.192124 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\49ec6f91d3c1f5e9f084f741f7f9473a.exe newfilepath: C:\Windows\SysWOW64\KBDKOR\uxlib.exe newfilepath_r: C:\Windows\SysWOW64\KBDKOR\uxlib.exe flags: 3 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\49ec6f91d3c1f5e9f084f741f7f9473a.exe	success	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619466419.520249 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Expresses interest in specific running processes (1 个事件)

process

uxlib.exe

Reads the systems User Agent and subsequently performs requests (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619466418.583249 InternetOpenW	proxy_bypass: access_type: 0 proxy_name: flags: 0 user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	success	13369348	0

Communicates with host for which no DNS query was performed (5 个事件)

host	113.108.239.196
host	222.214.218.37
host	64.183.73.122
host	67.205.85.243
host	69.30.203.214

Installs itself for autorun at Windows startup (1 个事件)

service_name

uxlib

service_path

C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\KBDKOR\uxlib.exe"

Created a service where a service was also not started (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619466402.239124 CreateServiceW	service_start_name: start_type: 2 service_handle: 0x02cd9d20 display_name: uxlib error_control: 0 service_name: uxlib filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\KBDKOR\uxlib.exe" filepath_r: "C:\Windows\SysWOW64\KBDKOR\uxlib.exe" service_manager_handle: 0x02cb36e0 desired_access: 2 service_type: 16 password:	success	47029536	0

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619466422.114249 RegSetValueExA	key_handle: 0x000003c0 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619466422.114249 RegSetValueExA	key_handle: 0x000003c0 value: dO9¨:× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619466422.114249 RegSetValueExA	key_handle: 0x000003c0 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619466422.114249 RegSetValueExW	key_handle: 0x000003c0 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619466422.114249 RegSetValueExA	key_handle: 0x000003d8 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619466422.114249 RegSetValueExA	key_handle: 0x000003d8 value: dO9¨:× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619466422.114249 RegSetValueExA	key_handle: 0x000003d8 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619466422.114249 RegSetValueExW	key_handle: 0x000003bc value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Attempts to remove evidence of file being downloaded from the Internet (1 个事件)

file	C:\Windows\SysWOW64\KBDKOR\uxlib.exe:Zone.Identifier

Generates some ICMP traffic

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Bkav	W32.AIDetectVM.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43701816
FireEye	Generic.mg.49ec6f91d3c1f5e9
McAfee	Emotet-FRV!49EC6F91D3C1
Cylance	Unsafe
Zillya	Trojan.Emotet.Win32.24594
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Emotet.56ebfea6
K7GW	Riskware ( 0040eff71 )
Arcabit	Trojan.Generic.D29AD638
Cyren	W32/Emotet.AQI.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Trojan-gen
ClamAV	Win.Trojan.Emotet-9753016-0
Kaspersky	Backdoor.Win32.Emotet.cjpq
BitDefender	Trojan.GenericKD.43701816
NANO-Antivirus	Trojan.Win32.Emotet.hshqhx
Paloalto	generic.ml
Tencent	Malware.Win32.Gencirc.10cde9ca
Ad-Aware	Trojan.GenericKD.43701816
TACHYON	Banker/W32.Emotet.995328
Sophos	Troj/Emotet-CLJ
Comodo	Malware@#lk25ipz439wo
F-Secure	Trojan.TR/Emotet.toinc
DrWeb	Trojan.DownLoader34.25703
VIPRE	Trojan.Win32.Generic!BT
Invincea	Mal/Generic-R + Troj/Emotet-CLJ
McAfee-GW-Edition	BehavesLike.Win32.Emotet.dm
Emsisoft	Trojan.Emotet (A)
Jiangmin	Backdoor.Emotet.si
Avira	TR/Emotet.toinc
Antiy-AVL	Trojan[Backdoor]/Win32.Emotet
Microsoft	Trojan:Win32/Emotet.ARJ!MTB
AegisLab	Trojan.Win32.Emotet.L!c
ZoneAlarm	Backdoor.Win32.Emotet.cjpq
GData	Trojan.GenericKD.43701816
Cynet	Malicious (score: 90)
AhnLab-V3	Trojan/Win32.Emotet.R348634
VBA32	Backdoor.Emotet
ALYac	Trojan.Agent.Emotet
MAX	malware (ai score=80)
Malwarebytes	Trojan.MalPack.TRE
ESET-NOD32	Win32/Emotet.CD
TrendMicro-HouseCall	TrojanSpy.Win32.EMOTET.THIBOBO
Rising	Trojan.Generic@ML.91 (RDMK:8ug5zbtNY95+WBEIPENRCQ)
Yandex	Trojan.Emotet!LJFXdpKBo7A
Ikarus	Trojan-Banker.Emotet
MaxSecure	Trojan.Malware.105528012.susgen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (7 个事件)

dead_host	172.217.160.110:443
dead_host	64.183.73.122:80
dead_host	172.217.24.14:443
dead_host	69.30.203.214:8080
dead_host	67.205.85.243:8080
dead_host	222.214.218.37:4143
dead_host	192.168.56.101:49184

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-19 04:49:46

Imports

Library KERNEL32.dll:

• 0x4a5028 GetStartupInfoA

• 0x4a502c GetCommandLineA

• 0x4a5030 TerminateProcess

• 0x4a5034 ExitThread

• 0x4a5038 CreateThread

• 0x4a503c HeapReAlloc

• 0x4a5040 HeapSize

• 0x4a5044 LCMapStringA

• 0x4a5048 LCMapStringW

• 0x4a504c FatalAppExitA

• 0x4a5050 HeapDestroy

• 0x4a5054 HeapCreate

• 0x4a5058 VirtualFree

• 0x4a505c IsBadWritePtr

• 0x4a5060 GetStdHandle

• 0x4a5064 UnhandledExceptionFilter

• 0x4a5068 FreeEnvironmentStringsA

• 0x4a506c GetEnvironmentStrings

• 0x4a5070 FreeEnvironmentStringsW

• 0x4a5074 GetEnvironmentStringsW

• 0x4a5078 VirtualQuery

• 0x4a507c GetFileType

• 0x4a5080 QueryPerformanceCounter

• 0x4a5084 GetCurrentProcessId

• 0x4a5088 GetSystemTimeAsFileTime

• 0x4a508c SetUnhandledExceptionFilter

• 0x4a5090 GetStringTypeA

• 0x4a5094 GetStringTypeW

• 0x4a5098 GetTimeZoneInformation

• 0x4a509c IsBadReadPtr

• 0x4a50a0 IsBadCodePtr

• 0x4a50a4 GetTimeFormatA

• 0x4a50a8 GetDateFormatA

• 0x4a50ac GetUserDefaultLCID

• 0x4a50b0 EnumSystemLocalesA

• 0x4a50b4 IsValidLocale

• 0x4a50b8 IsValidCodePage

• 0x4a50bc SetConsoleCtrlHandler

• 0x4a50c0 SetStdHandle

• 0x4a50c4 GetLocaleInfoW

• 0x4a50c8 SetEnvironmentVariableA

• 0x4a50cc GetSystemInfo

• 0x4a50d0 VirtualAlloc

• 0x4a50d4 VirtualProtect

• 0x4a50d8 HeapFree

• 0x4a50dc HeapAlloc

• 0x4a50e0 RtlUnwind

• 0x4a50e4 GetDiskFreeSpaceA

• 0x4a50e8 GetTempFileNameA

• 0x4a50ec LocalLock

• 0x4a50f0 LocalUnlock

• 0x4a50f4 GetTickCount

• 0x4a50f8 GetFileTime

• 0x4a50fc GetFileAttributesA

• 0x4a5100 SetFileAttributesA

• 0x4a5104 SetFileTime

• 0x4a5108 LocalFileTimeToFileTime

• 0x4a510c FileTimeToLocalFileTime

• 0x4a5110 SetErrorMode

• 0x4a5114 SystemTimeToFileTime

• 0x4a5118 FileTimeToSystemTime

• 0x4a511c GetShortPathNameA

• 0x4a5120 CreateFileA

• 0x4a5124 GetFullPathNameA

• 0x4a5128 GetVolumeInformationA

• 0x4a512c FindFirstFileA

• 0x4a5130 FindClose

• 0x4a5134 GetCurrentProcess

• 0x4a5138 DuplicateHandle

• 0x4a513c GetFileSize

• 0x4a5140 SetEndOfFile

• 0x4a5144 UnlockFile

• 0x4a5148 LockFile

• 0x4a514c FlushFileBuffers

• 0x4a5150 SetFilePointer

• 0x4a5154 WriteFile

• 0x4a5158 ReadFile

• 0x4a515c DeleteFileA

• 0x4a5160 MoveFileA

• 0x4a5164 GetCurrentDirectoryA

• 0x4a5168 GetPrivateProfileStringA

• 0x4a516c WritePrivateProfileStringA

• 0x4a5170 GetPrivateProfileIntA

• 0x4a5174 RaiseException

• 0x4a5178 GetOEMCP

• 0x4a517c GetCPInfo

• 0x4a5180 InterlockedIncrement

• 0x4a5184 GlobalFlags

• 0x4a5188 TlsFree

• 0x4a518c DeleteCriticalSection

• 0x4a5190 LocalReAlloc

• 0x4a5194 TlsSetValue

• 0x4a5198 TlsAlloc

• 0x4a519c InitializeCriticalSection

• 0x4a51a0 TlsGetValue

• 0x4a51a4 EnterCriticalSection

• 0x4a51a8 GlobalHandle

• 0x4a51ac GlobalReAlloc

• 0x4a51b0 LeaveCriticalSection

• 0x4a51b4 LocalAlloc

• 0x4a51b8 CopyFileA

• 0x4a51bc GlobalSize

• 0x4a51c0 FormatMessageA

• 0x4a51c4 LocalFree

• 0x4a51c8 GlobalFree

• 0x4a51cc CreateEventA

• 0x4a51d0 SuspendThread

• 0x4a51d4 SetEvent

• 0x4a51d8 WaitForSingleObject

• 0x4a51dc ResumeThread

• 0x4a51e0 SetThreadPriority

• 0x4a51e4 CloseHandle

• 0x4a51e8 GetCurrentThread

• 0x4a51ec GlobalAlloc

• 0x4a51f0 lstrcmpA

• 0x4a51f4 GetModuleFileNameA

• 0x4a51f8 ConvertDefaultLocale

• 0x4a51fc EnumResourceLanguagesA

• 0x4a5200 lstrcpyA

• 0x4a5204 InterlockedDecrement

• 0x4a5208 GlobalLock

• 0x4a520c GlobalUnlock

• 0x4a5210 MulDiv

• 0x4a5214 SetLastError

• 0x4a5218 FreeResource

• 0x4a521c GetCurrentThreadId

• 0x4a5220 GlobalGetAtomNameA

• 0x4a5224 GlobalAddAtomA

• 0x4a5228 GlobalFindAtomA

• 0x4a522c GlobalDeleteAtom

• 0x4a5230 LoadLibraryA

• 0x4a5234 FreeLibrary

• 0x4a5238 lstrcatA

• 0x4a523c lstrcmpW

• 0x4a5240 lstrcpynA

• 0x4a5244 GetModuleHandleA

• 0x4a5248 GetProcAddress

• 0x4a524c GetStringTypeExW

• 0x4a5250 GetStringTypeExA

• 0x4a5254 GetEnvironmentVariableW

• 0x4a5258 GetEnvironmentVariableA

• 0x4a525c CompareStringW

• 0x4a5260 CompareStringA

• 0x4a5264 lstrlenA

• 0x4a5268 lstrcmpiW

• 0x4a526c lstrlenW

• 0x4a5270 lstrcmpiA

• 0x4a5274 GetVersion

• 0x4a5278 GetLastError

• 0x4a527c MultiByteToWideChar

• 0x4a5280 ExitProcess

• 0x4a5284 WideCharToMultiByte

• 0x4a5288 FindResourceA

• 0x4a528c LoadResource

• 0x4a5290 LockResource

• 0x4a5294 SizeofResource

• 0x4a5298 GetVersionExA

• 0x4a529c GetThreadLocale

• 0x4a52a0 GetLocaleInfoA

• 0x4a52a4 GetACP

• 0x4a52a8 SetHandleCount

• 0x4a52ac InterlockedExchange

Library USER32.dll:

• 0x4a54c8 MapVirtualKeyA

• 0x4a54cc UnionRect

• 0x4a54d0 PostThreadMessageA

• 0x4a54d4 SetTimer

• 0x4a54d8 KillTimer

• 0x4a54dc IsClipboardFormatAvailable

• 0x4a54e0 GetTabbedTextExtentA

• 0x4a54e4 GetDCEx

• 0x4a54e8 LockWindowUpdate

• 0x4a54ec SetParent

• 0x4a54f0 TranslateAcceleratorA

• 0x4a54f4 MessageBeep

• 0x4a54f8 GetNextDlgGroupItem

• 0x4a54fc InvalidateRgn

• 0x4a5500 CopyAcceleratorTableA

• 0x4a5504 SetRect

• 0x4a5508 IsRectEmpty

• 0x4a550c CharNextA

• 0x4a5510 GetDialogBaseUnits

• 0x4a5514 DestroyIcon

• 0x4a5518 DeleteMenu

• 0x4a551c WaitMessage

• 0x4a5520 GetWindowThreadProcessId

• 0x4a5524 WindowFromPoint

• 0x4a5528 LoadCursorA

• 0x4a552c GetSysColorBrush

• 0x4a5530 wsprintfA

• 0x4a5534 DestroyMenu

• 0x4a5538 GetMenuItemInfoA

• 0x4a553c GetMenuStringA

• 0x4a5540 InsertMenuA

• 0x4a5544 RemoveMenu

• 0x4a5548 SetWindowContextHelpId

• 0x4a554c MapDialogRect

• 0x4a5550 GetDesktopWindow

• 0x4a5554 CreateDialogIndirectParamA

• 0x4a5558 GetNextDlgTabItem

• 0x4a555c EndDialog

• 0x4a5560 GetMessageA

• 0x4a5564 TranslateMessage

• 0x4a5568 GetActiveWindow

• 0x4a556c GetCursorPos

• 0x4a5570 ValidateRect

• 0x4a5574 ShowOwnedPopups

• 0x4a5578 SetCursor

• 0x4a557c PostQuitMessage

• 0x4a5580 InflateRect

• 0x4a5584 SetMenuItemBitmaps

• 0x4a5588 ModifyMenuA

• 0x4a558c EnableMenuItem

• 0x4a5590 CheckMenuItem

• 0x4a5594 GetMenuCheckMarkDimensions

• 0x4a5598 ScrollWindowEx

• 0x4a559c IsWindowEnabled

• 0x4a55a0 MoveWindow

• 0x4a55a4 SetWindowTextA

• 0x4a55a8 IsDialogMessageA

• 0x4a55ac IsDlgButtonChecked

• 0x4a55b0 SetDlgItemTextA

• 0x4a55b4 SetDlgItemInt

• 0x4a55b8 GetDlgItemTextA

• 0x4a55bc GetDlgItemInt

• 0x4a55c0 CheckRadioButton

• 0x4a55c4 CheckDlgButton

• 0x4a55c8 EndPaint

• 0x4a55cc BeginPaint

• 0x4a55d0 GetWindowDC

• 0x4a55d4 ReleaseDC

• 0x4a55d8 GetDC

• 0x4a55dc ClientToScreen

• 0x4a55e0 FillRect

• 0x4a55e4 GetKeyNameTextA

• 0x4a55e8 WinHelpA

• 0x4a55ec GetCapture

• 0x4a55f0 CreateWindowExA

• 0x4a55f4 SetWindowsHookExA

• 0x4a55f8 CallNextHookEx

• 0x4a55fc GetClassLongA

• 0x4a5600 GetClassInfoExA

• 0x4a5604 GetClassNameA

• 0x4a5608 SetPropA

• 0x4a560c GetPropA

• 0x4a5610 RemovePropA

• 0x4a5614 SendDlgItemMessageA

• 0x4a5618 GetFocus

• 0x4a561c IsWindow

• 0x4a5620 SetFocus

• 0x4a5624 IsChild

• 0x4a5628 GetWindowTextLengthA

• 0x4a562c GetWindowTextA

• 0x4a5630 GetForegroundWindow

• 0x4a5634 GetLastActivePopup

• 0x4a5638 SetActiveWindow

• 0x4a563c DispatchMessageA

• 0x4a5640 BeginDeferWindowPos

• 0x4a5644 EndDeferWindowPos

• 0x4a5648 GetDlgItem

• 0x4a564c GetTopWindow

• 0x4a5650 DestroyWindow

• 0x4a5654 UnhookWindowsHookEx

• 0x4a5658 GetMessageTime

• 0x4a565c GetMessagePos

• 0x4a5660 PeekMessageA

• 0x4a5664 MapWindowPoints

• 0x4a5668 LoadBitmapA

• 0x4a566c DrawFocusRect

• 0x4a5670 GetClientRect

• 0x4a5674 InvalidateRect

• 0x4a5678 SetCapture

• 0x4a567c GetParent

• 0x4a5680 GetMenuState

• 0x4a5684 EnableWindow

• 0x4a5688 TabbedTextOutA

• 0x4a568c DrawTextA

• 0x4a5690 DrawTextExA

• 0x4a5694 GrayStringA

• 0x4a5698 ReleaseCapture

• 0x4a569c PostMessageA

• 0x4a56a0 ScrollWindow

• 0x4a56a4 MessageBoxA

• 0x4a56a8 TrackPopupMenuEx

• 0x4a56ac TrackPopupMenu

• 0x4a56b0 SetScrollRange

• 0x4a56b4 GetScrollRange

• 0x4a56b8 SetScrollPos

• 0x4a56bc GetScrollPos

• 0x4a56c0 SetForegroundWindow

• 0x4a56c4 ShowScrollBar

• 0x4a56c8 IsWindowVisible

• 0x4a56cc UpdateWindow

• 0x4a56d0 GetMenu

• 0x4a56d4 GetSubMenu

• 0x4a56d8 GetMenuItemID

• 0x4a56dc RegisterClipboardFormatA

• 0x4a56e0 LoadMenuA

• 0x4a56e4 UnpackDDElParam

• 0x4a56e8 ReuseDDElParam

• 0x4a56ec LoadAcceleratorsA

• 0x4a56f0 GetMenuItemCount

• 0x4a56f4 GetSysColor

• 0x4a56f8 AdjustWindowRectEx

• 0x4a56fc ScreenToClient

• 0x4a5700 EqualRect

• 0x4a5704 DeferWindowPos

• 0x4a5708 GetScrollInfo

• 0x4a570c SetScrollInfo

• 0x4a5710 GetClassInfoA

• 0x4a5714 RegisterClassA

• 0x4a5718 UnregisterClassA

• 0x4a571c SetWindowPlacement

• 0x4a5720 InsertMenuItemA

• 0x4a5724 CreatePopupMenu

• 0x4a5728 SetRectEmpty

• 0x4a572c BringWindowToTop

• 0x4a5730 RegisterWindowMessageA

• 0x4a5734 SetMenu

• 0x4a5738 GetKeyState

• 0x4a573c ShowWindow

• 0x4a5740 DrawIcon

• 0x4a5744 AppendMenuA

• 0x4a5748 SendMessageA

• 0x4a574c GetSystemMenu

• 0x4a5750 IsIconic

• 0x4a5754 LoadIconA

• 0x4a5758 GetSystemMetrics

• 0x4a575c CharLowerA

• 0x4a5760 CharLowerW

• 0x4a5764 CharUpperA

• 0x4a5768 CharUpperW

• 0x4a576c GetWindow

• 0x4a5770 PtInRect

• 0x4a5774 CopyRect

• 0x4a5778 GetWindowRect

• 0x4a577c GetWindowPlacement

• 0x4a5780 SystemParametersInfoA

• 0x4a5784 IntersectRect

• 0x4a5788 OffsetRect

• 0x4a578c SetWindowPos

• 0x4a5790 SetWindowLongA

• 0x4a5794 GetWindowLongA

• 0x4a5798 CallWindowProcA

• 0x4a579c DefWindowProcA

• 0x4a57a0 GetDlgCtrlID

Library GDI32.dll:

• 0x4a4e40 PlayMetaFile

• 0x4a4e44 GetDeviceCaps

• 0x4a4e48 CreatePen

• 0x4a4e4c ExtCreatePen

• 0x4a4e50 CreateSolidBrush

• 0x4a4e54 CreateHatchBrush

• 0x4a4e58 CreateFontIndirectA

• 0x4a4e5c CreateRectRgnIndirect

• 0x4a4e60 SetRectRgn

• 0x4a4e64 CombineRgn

• 0x4a4e68 PatBlt

• 0x4a4e6c CopyMetaFileA

• 0x4a4e70 EnumMetaFile

• 0x4a4e74 GetTextExtentPoint32A

• 0x4a4e78 GetTextMetricsA

• 0x4a4e7c GetTextColor

• 0x4a4e80 GetRgnBox

• 0x4a4e84 StretchDIBits

• 0x4a4e88 GetCharWidthA

• 0x4a4e8c CreateFontA

• 0x4a4e90 StartPage

• 0x4a4e94 EndPage

• 0x4a4e98 SetAbortProc

• 0x4a4e9c AbortDoc

• 0x4a4ea0 EndDoc

• 0x4a4ea4 GetObjectType

• 0x4a4ea8 PlayMetaFileRecord

• 0x4a4eac SelectPalette

• 0x4a4eb0 GetStockObject

• 0x4a4eb4 CreatePatternBrush

• 0x4a4eb8 CreateDIBPatternBrushPt

• 0x4a4ebc DeleteDC

• 0x4a4ec0 ExtSelectClipRgn

• 0x4a4ec4 PolyBezierTo

• 0x4a4ec8 PolylineTo

• 0x4a4ecc PolyDraw

• 0x4a4ed0 ArcTo

• 0x4a4ed4 GetCurrentPositionEx

• 0x4a4ed8 ScaleWindowExtEx

• 0x4a4edc SetWindowExtEx

• 0x4a4ee0 OffsetWindowOrgEx

• 0x4a4ee4 SetWindowOrgEx

• 0x4a4ee8 ScaleViewportExtEx

• 0x4a4eec SetViewportExtEx

• 0x4a4ef0 OffsetViewportOrgEx

• 0x4a4ef4 SetViewportOrgEx

• 0x4a4ef8 SelectObject

• 0x4a4efc StartDocA

• 0x4a4f00 SelectClipPath

• 0x4a4f04 CreateRectRgn

• 0x4a4f08 CreateDCA

• 0x4a4f0c GetObjectA

• 0x4a4f10 SelectClipRgn

• 0x4a4f14 DeleteObject

• 0x4a4f18 SetColorAdjustment

• 0x4a4f1c SetArcDirection

• 0x4a4f20 SetMapperFlags

• 0x4a4f24 SetTextCharacterExtra

• 0x4a4f28 SetTextJustification

• 0x4a4f2c SetTextAlign

• 0x4a4f30 MoveToEx

• 0x4a4f34 LineTo

• 0x4a4f38 OffsetClipRgn

• 0x4a4f3c IntersectClipRect

• 0x4a4f40 ExcludeClipRect

• 0x4a4f44 SetMapMode

• 0x4a4f48 SetStretchBltMode

• 0x4a4f4c SetROP2

• 0x4a4f50 SetPolyFillMode

• 0x4a4f54 SetBkMode

• 0x4a4f58 RestoreDC

• 0x4a4f5c SaveDC

• 0x4a4f60 SetBkColor

• 0x4a4f64 SetTextColor

• 0x4a4f68 GetClipBox

• 0x4a4f6c GetDCOrgEx

• 0x4a4f70 Escape

• 0x4a4f74 ExtTextOutA

• 0x4a4f78 TextOutA

• 0x4a4f7c RectVisible

• 0x4a4f80 PtVisible

• 0x4a4f84 GetPixel

• 0x4a4f88 BitBlt

• 0x4a4f8c LPtoDP

• 0x4a4f90 DPtoLP

• 0x4a4f94 GetWindowExtEx

• 0x4a4f98 GetViewportExtEx

• 0x4a4f9c GetMapMode

• 0x4a4fa0 GetBkColor

• 0x4a4fa4 CreateCompatibleDC

• 0x4a4fa8 CreateCompatibleBitmap

• 0x4a4fac CreateBitmap

• 0x4a4fb0 GetClipRgn

Library comdlg32.dll:

• 0x4a589c PageSetupDlgA

• 0x4a58a0 FindTextA

• 0x4a58a4 ReplaceTextA

• 0x4a58a8 CommDlgExtendedError

• 0x4a58ac PrintDlgA

• 0x4a58b0 GetSaveFileNameA

• 0x4a58b4 GetFileTitleA

• 0x4a58b8 GetOpenFileNameA

Library WINSPOOL.DRV:

• 0x4a5860 OpenPrinterA

• 0x4a5864 DocumentPropertiesA

• 0x4a5868 ClosePrinter

• 0x4a586c GetJobA

Library ADVAPI32.dll:

• 0x4a4d74 SetFileSecurityA

• 0x4a4d78 RegQueryValueExA

• 0x4a4d7c RegOpenKeyExA

• 0x4a4d80 RegDeleteKeyA

• 0x4a4d84 RegEnumKeyA

• 0x4a4d88 RegOpenKeyA

• 0x4a4d8c RegQueryValueA

• 0x4a4d90 RegSetValueA

• 0x4a4d94 RegCreateKeyExA

• 0x4a4d98 RegSetValueExA

• 0x4a4d9c RegDeleteValueA

• 0x4a4da0 GetFileSecurityA

• 0x4a4da4 RegCloseKey

• 0x4a4da8 RegCreateKeyA

Library SHELL32.dll:

• 0x4a5448 SHGetFileInfoA

• 0x4a544c DragFinish

• 0x4a5450 DragQueryFileA

• 0x4a5454 ExtractIconA

Library COMCTL32.dll:

• 0x4a4de0

• 0x4a4de4 ImageList_Draw

• 0x4a4de8 ImageList_GetImageInfo

• 0x4a4dec

• 0x4a4df0 ImageList_Read

• 0x4a4df4 ImageList_Write

• 0x4a4df8

• 0x4a4dfc ImageList_Destroy

• 0x4a4e00 ImageList_Create

• 0x4a4e04 ImageList_LoadImageA

• 0x4a4e08 ImageList_Merge

Library SHLWAPI.dll:

• 0x4a5484 PathRemoveExtensionA

• 0x4a5488 PathFindFileNameA

• 0x4a548c PathStripToRootA

• 0x4a5490 PathFindExtensionA

• 0x4a5494 PathIsUNCA

Library oledlg.dll:

• 0x4a59b4

Library ole32.dll:

• 0x4a58ec CreateILockBytesOnHGlobal

• 0x4a58f0 StgCreateDocfileOnILockBytes

• 0x4a58f4 StgOpenStorageOnILockBytes

• 0x4a58f8 CoGetClassObject

• 0x4a58fc CoDisconnectObject

• 0x4a5900 OleDuplicateData

• 0x4a5904 ReleaseStgMedium

• 0x4a5908 CoTaskMemAlloc

• 0x4a590c CreateBindCtx

• 0x4a5910 CoCreateInstance

• 0x4a5914 StringFromCLSID

• 0x4a5918 ReadClassStg

• 0x4a591c ReadFmtUserTypeStg

• 0x4a5920 OleRegGetUserType

• 0x4a5924 WriteClassStg

• 0x4a5928 WriteFmtUserTypeStg

• 0x4a592c SetConvertStg

• 0x4a5930 CoTaskMemFree

• 0x4a5934 CLSIDFromString

• 0x4a5938 CLSIDFromProgID

• 0x4a593c StringFromGUID2

• 0x4a5940 OleRun

• 0x4a5944 OleUninitialize

• 0x4a5948 CoFreeUnusedLibraries

• 0x4a594c CreateStreamOnHGlobal

• 0x4a5950 CoRegisterMessageFilter

• 0x4a5954 OleFlushClipboard

• 0x4a5958 OleIsCurrentClipboard

• 0x4a595c OleSetClipboard

• 0x4a5960 CoRevokeClassObject

• 0x4a5964 CoRegisterClassObject

• 0x4a5968 CoTreatAsClass

• 0x4a596c OleInitialize

Library OLEAUT32.dll:

• 0x4a535c VariantChangeType

• 0x4a5360 VariantInit

• 0x4a5364 SysAllocStringLen

• 0x4a5368 SysFreeString

• 0x4a536c SysStringLen

• 0x4a5370 SysAllocStringByteLen

• 0x4a5374 SysStringByteLen

• 0x4a5378 OleCreateFontIndirect

• 0x4a537c SystemTimeToVariantTime

• 0x4a5380 SafeArrayDestroy

• 0x4a5384 SysAllocString

• 0x4a5388 SafeArrayUnaccessData

• 0x4a538c SafeArrayAccessData

• 0x4a5390 SafeArrayGetUBound

• 0x4a5394 SafeArrayGetLBound

• 0x4a5398 SafeArrayGetElemsize

• 0x4a539c SafeArrayGetDim

• 0x4a53a0 SafeArrayCreate

• 0x4a53a4 SafeArrayRedim

• 0x4a53a8 VariantCopy

• 0x4a53ac SafeArrayAllocData

• 0x4a53b0 SafeArrayAllocDescriptor

• 0x4a53b4 SafeArrayCopy

• 0x4a53b8 SafeArrayGetElement

• 0x4a53bc SafeArrayPtrOfIndex

• 0x4a53c0 SafeArrayPutElement

• 0x4a53c4 SafeArrayLock

• 0x4a53c8 SafeArrayUnlock

• 0x4a53cc SafeArrayDestroyData

• 0x4a53d0 SafeArrayDestroyDescriptor

• 0x4a53d4 VariantTimeToSystemTime

• 0x4a53d8 SysReAllocStringLen

• 0x4a53dc VarDateFromStr

• 0x4a53e0 VarBstrFromDec

• 0x4a53e4 VarDecFromStr

• 0x4a53e8 VarCyFromStr

• 0x4a53ec VarBstrFromCy

• 0x4a53f0 VarBstrFromDate

• 0x4a53f4 LoadTypeLib

• 0x4a53f8 VariantClear

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
teredo.ipv6.microsoft.com		127.0.0.1
dns.msftncsi.com	A 131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1
clients2.google.com	A 172.217.24.14 CNAME clients.l.google.com A 172.217.160.110	172.217.24.14

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	60221	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	54260	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57236	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.