11.8
0-day
57 个模型检测该样本为恶意!
重新分析
更多

2cbdede5ce74833cf41b0217a910632c650b72b2cebc323c16395d9e566ac7a6

4cb9c3849f558f0b534cf04cbe149614.exe

分析耗时

237s

最近分析

文件大小

950.5KB
静态报毒 动态报毒 1IQEFBZ 7GW@AEEXYXPI AI SCORE=89 AIDETECTVM ALI2000015 CLASSIC CONFIDENCE DELF DELFINJECT DELPHILESS EMVR EMZL FAREIT GENERICKD GILRT HIGH CONFIDENCE HQGBJR ILPP KCLOUD KRYPTIK LOKIBOT MALWARE1 MALWARE@#1FQ62LRDWJ11B SCORE STATIC AI SUSGEN SUSPICIOUS PE THIBGBO TSCOPE WACATAC X2094 ZELPHIF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20201210 21.1.5827.0
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
McAfee Fareit-FPQ!4CB9C3849F55 20201211 6.0.6.653
Tencent 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (8 个事件)
Time & API Arguments Status Return Repeated
1619508324.370001
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
jdjkkndkfm+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe84148d
success 0 0
1619508337.151876
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
jdjkkndkfm+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74164b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74165d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe69148d
success 0 0
1619508340.244374
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
jdjkkndkfm+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x741b4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x741b5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfcb9148d
success 0 0
1619508343.292249
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
jdjkkndkfm+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74114b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74115d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe6e148d
success 0 0
1619508348.808001
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
jdjkkndkfm+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74164b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74165d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe7e148d
success 0 0
1619508351.369876
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
jdjkkndkfm+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74114b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74115d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe78148d
success 0 0
1619508461.551834
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
jdjkkndkfm+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74164b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74165d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd06148d
success 0 0
1619508502.614608
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
jdjkkndkfm+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74164b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74165d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe7e148d
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 251 个事件)
Time & API Arguments Status Return Repeated
1619464071.499875
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619464071.749875
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 73728
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00462000
success 0 0
1619464071.749875
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003c0000
success 0 0
1619464073.48425
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00370000
success 0 0
1619464073.51525
NtProtectVirtualMemory
process_identifier: 2520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 73728
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00462000
success 0 0
1619464073.51525
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e70000
success 0 0
1619508323.558001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619508323.699001
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02130000
success 0 0
1619508323.699001
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02230000
success 0 0
1619508323.699001
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02030000
success 0 0
1619508323.699001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02032000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02022000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02022000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02022000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02022000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02022000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02022000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02022000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02022000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02022000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02022000
success 0 0
1619508324.355001
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619508323.558249
NtAllocateVirtualMemory
process_identifier: 2604
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619508323.620249
NtProtectVirtualMemory
process_identifier: 2604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 73728
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00462000
success 0 0
1619508323.620249
NtAllocateVirtualMemory
process_identifier: 2604
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006a0000
success 0 0
1619508336.635751
NtAllocateVirtualMemory
process_identifier: 3116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619508336.635751
NtProtectVirtualMemory
process_identifier: 3116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 73728
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00462000
success 0 0
1619508336.635751
NtAllocateVirtualMemory
process_identifier: 3116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00540000
success 0 0
1619508337.119876
NtProtectVirtualMemory
process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619508337.119876
NtAllocateVirtualMemory
process_identifier: 3184
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f20000
success 0 0
1619508337.119876
NtAllocateVirtualMemory
process_identifier: 3184
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01ff0000
success 0 0
1619508337.119876
NtAllocateVirtualMemory
process_identifier: 3184
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f20000
success 0 0
1619508337.119876
NtProtectVirtualMemory
process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f22000
success 0 0
1619508337.135876
NtProtectVirtualMemory
process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e72000
success 0 0
1619508337.135876
NtProtectVirtualMemory
process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619508337.151876
NtProtectVirtualMemory
process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e72000
success 0 0
1619508337.151876
NtProtectVirtualMemory
process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619508337.151876
NtProtectVirtualMemory
process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e72000
success 0 0
1619508337.151876
NtProtectVirtualMemory
process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619508337.151876
NtProtectVirtualMemory
process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e72000
success 0 0
1619508337.151876
NtProtectVirtualMemory
process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (24 个事件)
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.685664077690518 section {'size_of_data': '0x00070000', 'virtual_address': '0x00083000', 'entropy': 7.685664077690518, 'name': '.rsrc', 'virtual_size': '0x0006fec4'} description A section with a high entropy has been found
entropy 0.4718272775144813 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 个事件)
process jdjkkndkfm.exe
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (24 个事件)
Time & API Arguments Status Return Repeated
1619464071.749875
Process32NextW
process_name: 4cb9c3849f558f0b534cf04cbe149614.exe
snapshot_handle: 0x000000f4
process_identifier: 2468
failed 0 0
1619464073.51525
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3040
failed 0 0
1619508323.652249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 1752
failed 0 0
1619508336.386249
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x00000298
process_identifier: 176
failed 0 0
1619508336.635751
Process32NextW
process_name: jdjkkndkfm.exe
snapshot_handle: 0x000000f4
process_identifier: 3116
failed 0 0
1619508337.198499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3336
failed 0 0
1619508338.198499
Process32NextW
process_name: jdjkkndkfm.exe
snapshot_handle: 0x00000118
process_identifier: 3244
failed 0 0
1619508338.448626
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3400
failed 0 0
1619508340.308126
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3600
failed 0 0
1619508341.386126
Process32NextW
process_name: jdjkkndkfm.exe
snapshot_handle: 0x0000011c
process_identifier: 3508
failed 0 0
1619508341.620249
Process32NextW
process_name: jdjkkndkfm.exe
snapshot_handle: 0x000000f4
process_identifier: 3608
failed 0 0
1619508343.432876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3832
failed 0 0
1619508347.807876
Process32NextW
process_name: jdjkkndkfm.exe
snapshot_handle: 0x0000018c
process_identifier: 3740
failed 0 0
1619508347.963876
Process32NextW
process_name: jdjkkndkfm.exe
snapshot_handle: 0x000000f4
process_identifier: 3848
failed 0 0
1619508348.979374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 4072
failed 0 0
1619508349.432374
Process32NextW
process_name: jdjkkndkfm.exe
snapshot_handle: 0x00000108
process_identifier: 3976
failed 0 0
1619508349.666499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2104
failed 0 0
1619508351.604501
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3332
failed 0 0
1619508360.338501
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000220
process_identifier: 3120
failed 0 0
1619508361.589001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3088
failed 0 0
1619508461.558867
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3440
failed 0 0
1619508497.183867
Process32NextW
process_name: WMIADAP.exe
snapshot_handle: 0x00000250
process_identifier: 3488
failed 0 0
1619508499.397967
Process32NextW
process_name: jdjkkndkfm.exe
snapshot_handle: 0x000000f4
process_identifier: 728
failed 0 0
1619508502.782605
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 1740
failed 0 0
网络通信
Creates an Alternate Data Stream (ADS) (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe:ZoneIdentifier
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619464072.780875
NtAllocateVirtualMemory
process_identifier: 1396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
Installs itself for autorun at Windows startup (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2468 created a thread in remote process 1396
Time & API Arguments Status Return Repeated
1619464072.780875
NtQueueApcThread
thread_handle: 0x00000104
process_identifier: 1396
function_address: 0x000b05c0
parameter: 0x000c0000
success 0 0
Potential code injection by writing to the memory of another process (2 个事件)
Time & API Arguments Status Return Repeated
1619464072.780875
WriteProcessMemory
process_identifier: 1396
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÅÉt èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x000000fc
base_address: 0x000b0000
success 1 0
1619464072.780875
WriteProcessMemory
process_identifier: 1396
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4cb9c3849f558f0b534cf04cbe149614.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4cb9c3849f558f0b534cf04cbe149614.exe" webset ujAumKchBZns = CReateObJEct("WScRIPt.SheLl") UJaumKChBZns.ruN """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x000c0000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (16 个事件)
Process injection Process 2520 called NtSetContextThread to modify thread in remote process 2248
Process injection Process 3116 called NtSetContextThread to modify thread in remote process 3184
Process injection Process 3344 called NtSetContextThread to modify thread in remote process 3412
Process injection Process 3608 called NtSetContextThread to modify thread in remote process 3676
Process injection Process 3848 called NtSetContextThread to modify thread in remote process 3916
Process injection Process 4080 called NtSetContextThread to modify thread in remote process 2056
Process injection Process 3312 called NtSetContextThread to modify thread in remote process 2948
Process injection Process 728 called NtSetContextThread to modify thread in remote process 972
Time & API Arguments Status Return Repeated
1619464077.56225
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2248
success 0 0
1619508336.791751
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3184
success 0 0
1619508339.760626
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3412
success 0 0
1619508341.699249
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3676
success 0 0
1619508348.526876
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3916
success 0 0
1619508349.823499
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2056
success 0 0
1619508449.574001
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2948
success 0 0
1619508500.506967
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 972
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (16 个事件)
Process injection Process 2520 resumed a thread in remote process 2248
Process injection Process 3116 resumed a thread in remote process 3184
Process injection Process 3344 resumed a thread in remote process 3412
Process injection Process 3608 resumed a thread in remote process 3676
Process injection Process 3848 resumed a thread in remote process 3916
Process injection Process 4080 resumed a thread in remote process 2056
Process injection Process 3312 resumed a thread in remote process 2948
Process injection Process 728 resumed a thread in remote process 972
Time & API Arguments Status Return Repeated
1619464081.87525
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2248
success 0 0
1619508336.916751
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3184
success 0 0
1619508340.010626
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3412
success 0 0
1619508343.058249
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3676
success 0 0
1619508348.619876
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3916
success 0 0
1619508351.182499
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2056
success 0 0
1619508456.761001
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2948
success 0 0
1619508501.584967
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 972
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 69 个事件)
Time & API Arguments Status Return Repeated
1619464072.780875
CreateProcessInternalW
thread_identifier: 1760
thread_handle: 0x00000104
process_identifier: 1396
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619464072.780875
NtAllocateVirtualMemory
process_identifier: 1396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619464072.780875
NtAllocateVirtualMemory
process_identifier: 1396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1619464072.780875
WriteProcessMemory
process_identifier: 1396
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÅÉt èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x000000fc
base_address: 0x000b0000
success 1 0
1619464072.780875
WriteProcessMemory
process_identifier: 1396
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4cb9c3849f558f0b534cf04cbe149614.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4cb9c3849f558f0b534cf04cbe149614.exe" webset ujAumKchBZns = CReateObJEct("WScRIPt.SheLl") UJaumKChBZns.ruN """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x000c0000
success 1 0
1619464073.328
CreateProcessInternalW
thread_identifier: 1712
thread_handle: 0x000000d0
process_identifier: 2520
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619464077.51525
CreateProcessInternalW
thread_identifier: 1320
thread_handle: 0x00000104
process_identifier: 2248
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619464077.51525
NtUnmapViewOfSection
process_identifier: 2248
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619464077.51525
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 2248
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619464077.54725
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619464077.56225
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2248
success 0 0
1619464081.87525
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2248
success 0 0
1619464081.89025
CreateProcessInternalW
thread_identifier: 2964
thread_handle: 0x00000108
process_identifier: 2604
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe" 2 2248 24111953
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619508336.480249
CreateProcessInternalW
thread_identifier: 3120
thread_handle: 0x0000029c
process_identifier: 3116
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000002a0
inherit_handles: 0
success 1 0
1619508336.666751
CreateProcessInternalW
thread_identifier: 3188
thread_handle: 0x00000104
process_identifier: 3184
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619508336.666751
NtUnmapViewOfSection
process_identifier: 3184
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619508336.666751
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3184
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619508336.791751
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619508336.791751
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3184
success 0 0
1619508336.916751
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3184
success 0 0
1619508336.948751
CreateProcessInternalW
thread_identifier: 3248
thread_handle: 0x00000108
process_identifier: 3244
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe" 2 3184 24125468
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619508338.291499
CreateProcessInternalW
thread_identifier: 3348
thread_handle: 0x0000011c
process_identifier: 3344
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619508339.666626
CreateProcessInternalW
thread_identifier: 3416
thread_handle: 0x00000104
process_identifier: 3412
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619508339.666626
NtUnmapViewOfSection
process_identifier: 3412
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619508339.666626
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3412
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619508339.760626
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619508339.760626
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3412
success 0 0
1619508340.010626
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3412
success 0 0
1619508340.041626
CreateProcessInternalW
thread_identifier: 3512
thread_handle: 0x00000108
process_identifier: 3508
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe" 2 3412 24128562
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619508341.402126
CreateProcessInternalW
thread_identifier: 3612
thread_handle: 0x00000120
process_identifier: 3608
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000124
inherit_handles: 0
success 1 0
1619508341.652249
CreateProcessInternalW
thread_identifier: 3680
thread_handle: 0x00000104
process_identifier: 3676
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619508341.652249
NtUnmapViewOfSection
process_identifier: 3676
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619508341.652249
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3676
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619508341.699249
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619508341.699249
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3676
success 0 0
1619508343.058249
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3676
success 0 0
1619508343.074249
CreateProcessInternalW
thread_identifier: 3744
thread_handle: 0x00000108
process_identifier: 3740
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe" 2 3676 24131609
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619508347.823876
CreateProcessInternalW
thread_identifier: 3852
thread_handle: 0x00000190
process_identifier: 3848
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000194
inherit_handles: 0
success 1 0
1619508347.994876
CreateProcessInternalW
thread_identifier: 3920
thread_handle: 0x00000104
process_identifier: 3916
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619508347.994876
NtUnmapViewOfSection
process_identifier: 3916
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619508347.994876
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3916
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619508348.526876
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619508348.526876
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3916
success 0 0
1619508348.619876
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3916
success 0 0
1619508348.760876
CreateProcessInternalW
thread_identifier: 3980
thread_handle: 0x00000108
process_identifier: 3976
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe" 2 3916 24137171
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619508349.448374
CreateProcessInternalW
thread_identifier: 4084
thread_handle: 0x0000010c
process_identifier: 4080
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619508349.744499
CreateProcessInternalW
thread_identifier: 2852
thread_handle: 0x00000104
process_identifier: 2056
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\jdjkkndkfm.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619508349.744499
NtUnmapViewOfSection
process_identifier: 2056
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619508349.744499
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 2056
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619508349.823499
NtGetContextThread
thread_handle: 0x00000104
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34277926
FireEye Generic.mg.4cb9c3849f558f0b
ALYac Trojan.GenericKD.34277926
Zillya Trojan.Injector.Win32.756851
Sangfor Malware
K7AntiVirus Trojan ( 0056bd5d1 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056bd5d1 )
Cybereason malicious.1ae4bf
Arcabit Trojan.Generic.D20B0A26
Cyren W32/Trojan.ILPP-0994
Symantec Trojan.Gen.MBT
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Generic-9203567-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.GenericKD.34277926
NANO-Antivirus Trojan.Win32.Kryptik.hqgbjr
Avast Win32:Malware-gen
Rising Trojan.Injector!1.C99D (CLASSIC)
Ad-Aware Trojan.GenericKD.34277926
Sophos Mal/Generic-S
Comodo Malware@#1fq62lrdwj11b
F-Secure Trojan.TR/Kryptik.gilrt
DrWeb Trojan.PWS.Stealer.29000
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.Win32.WACATAC.THIBGBO
McAfee-GW-Edition BehavesLike.Win32.Fareit.dc
Emsisoft Trojan.GenericKD.34277926 (B)
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Kryptik.bzs
Avira TR/Kryptik.gilrt
MAX malware (ai score=89)
Antiy-AVL Trojan/Win32.Kryptik
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Ransom.Win32.Wacatac.oa
Microsoft Trojan:Win32/LokiBot.MB!MTB
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Win32.Trojan.PSE.1IQEFBZ
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2094
McAfee Fareit-FPQ!4CB9C3849F55
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
Zoner Trojan.Win32.94645
ESET-NOD32 a variant of Win32/Injector.EMVR
TrendMicro-HouseCall Trojan.Win32.WACATAC.THIBGBO
Ikarus Trojan.Inject
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x477150 VirtualFree
0x477154 VirtualAlloc
0x477158 LocalFree
0x47715c LocalAlloc
0x477160 GetVersion
0x477164 GetCurrentThreadId
0x477170 VirtualQuery
0x477174 WideCharToMultiByte
0x477178 MultiByteToWideChar
0x47717c lstrlenA
0x477180 lstrcpynA
0x477184 LoadLibraryExA
0x477188 GetThreadLocale
0x47718c GetStartupInfoA
0x477190 GetProcAddress
0x477194 GetModuleHandleA
0x477198 GetModuleFileNameA
0x47719c GetLocaleInfoA
0x4771a0 GetCommandLineA
0x4771a4 FreeLibrary
0x4771a8 FindFirstFileA
0x4771ac FindClose
0x4771b0 ExitProcess
0x4771b4 WriteFile
0x4771bc RtlUnwind
0x4771c0 RaiseException
0x4771c4 GetStdHandle
Library user32.dll:
0x4771cc GetKeyboardType
0x4771d0 LoadStringA
0x4771d4 MessageBoxA
0x4771d8 CharNextA
Library advapi32.dll:
0x4771e0 RegQueryValueExA
0x4771e4 RegOpenKeyExA
0x4771e8 RegCloseKey
Library oleaut32.dll:
0x4771f0 SysFreeString
0x4771f4 SysReAllocStringLen
0x4771f8 SysAllocStringLen
Library kernel32.dll:
0x477200 TlsSetValue
0x477204 TlsGetValue
0x477208 LocalAlloc
0x47720c GetModuleHandleA
Library advapi32.dll:
0x477214 RegQueryValueExA
0x477218 RegOpenKeyExA
0x47721c RegCloseKey
Library kernel32.dll:
0x477224 lstrcpyA
0x477228 WriteFile
0x47722c WinExec
0x477230 WaitForSingleObject
0x477234 VirtualQuery
0x477238 VirtualProtect
0x47723c VirtualAlloc
0x477240 Sleep
0x477244 SizeofResource
0x477248 SetThreadLocale
0x47724c SetFilePointer
0x477250 SetEvent
0x477254 SetErrorMode
0x477258 SetEndOfFile
0x47725c ResetEvent
0x477260 ReadFile
0x477264 MulDiv
0x477268 LockResource
0x47726c LoadResource
0x477270 LoadLibraryA
0x47727c GlobalUnlock
0x477280 GlobalReAlloc
0x477284 GlobalHandle
0x477288 GlobalLock
0x47728c GlobalFree
0x477290 GlobalFindAtomA
0x477294 GlobalDeleteAtom
0x477298 GlobalAlloc
0x47729c GlobalAddAtomA
0x4772a0 GetVersionExA
0x4772a4 GetVersion
0x4772a8 GetTickCount
0x4772ac GetThreadLocale
0x4772b4 GetSystemInfo
0x4772b8 GetStringTypeExA
0x4772bc GetStdHandle
0x4772c0 GetProcAddress
0x4772c4 GetModuleHandleA
0x4772c8 GetModuleFileNameA
0x4772cc GetLocaleInfoA
0x4772d0 GetLocalTime
0x4772d4 GetLastError
0x4772d8 GetFullPathNameA
0x4772dc GetDiskFreeSpaceA
0x4772e0 GetDateFormatA
0x4772e4 GetCurrentThreadId
0x4772e8 GetCurrentProcessId
0x4772ec GetCPInfo
0x4772f0 GetACP
0x4772f4 FreeResource
0x4772f8 InterlockedExchange
0x4772fc FreeLibrary
0x477300 FormatMessageA
0x477304 FindResourceA
0x47730c EnumCalendarInfoA
0x477318 CreateThread
0x47731c CreateFileA
0x477320 CreateEventA
0x477324 CompareStringA
0x477328 CloseHandle
Library version.dll:
0x477330 VerQueryValueA
0x477338 GetFileVersionInfoA
Library gdi32.dll:
0x477340 UnrealizeObject
0x477344 StretchBlt
0x477348 SetWindowOrgEx
0x47734c SetWinMetaFileBits
0x477350 SetViewportOrgEx
0x477354 SetTextColor
0x477358 SetStretchBltMode
0x47735c SetROP2
0x477360 SetPixel
0x477364 SetEnhMetaFileBits
0x477368 SetDIBColorTable
0x47736c SetBrushOrgEx
0x477370 SetBkMode
0x477374 SetBkColor
0x477378 SelectPalette
0x47737c SelectObject
0x477380 SelectClipRgn
0x477384 SaveDC
0x477388 RestoreDC
0x47738c Rectangle
0x477390 RectVisible
0x477394 RealizePalette
0x477398 PlayEnhMetaFile
0x47739c PatBlt
0x4773a0 MoveToEx
0x4773a4 MaskBlt
0x4773a8 LineTo
0x4773ac IntersectClipRect
0x4773b0 GetWindowOrgEx
0x4773b4 GetWinMetaFileBits
0x4773b8 GetTextMetricsA
0x4773c4 GetStockObject
0x4773c8 GetPixel
0x4773cc GetPaletteEntries
0x4773d0 GetObjectA
0x4773dc GetEnhMetaFileBits
0x4773e0 GetDeviceCaps
0x4773e4 GetDIBits
0x4773e8 GetDIBColorTable
0x4773ec GetDCOrgEx
0x4773f4 GetClipRgn
0x4773f8 GetClipBox
0x4773fc GetBrushOrgEx
0x477400 GetBitmapBits
0x477404 ExcludeClipRect
0x477408 DeleteObject
0x47740c DeleteEnhMetaFile
0x477410 DeleteDC
0x477414 CreateSolidBrush
0x477418 CreateRectRgn
0x47741c CreatePenIndirect
0x477420 CreatePalette
0x477428 CreateFontIndirectA
0x47742c CreateDIBitmap
0x477430 CreateDIBSection
0x477434 CreateCompatibleDC
0x47743c CreateBrushIndirect
0x477440 CreateBitmap
0x477444 CopyEnhMetaFileA
0x477448 BitBlt
Library user32.dll:
0x477450 CreateWindowExA
0x477454 WindowFromPoint
0x477458 WinHelpA
0x47745c WaitMessage
0x477460 UpdateWindow
0x477464 UnregisterClassA
0x477468 UnhookWindowsHookEx
0x47746c TranslateMessage
0x477474 TrackPopupMenu
0x47747c ShowWindow
0x477480 ShowScrollBar
0x477484 ShowOwnedPopups
0x477488 ShowCursor
0x47748c SetWindowsHookExA
0x477490 SetWindowTextA
0x477494 SetWindowPos
0x477498 SetWindowPlacement
0x47749c SetWindowLongA
0x4774a0 SetTimer
0x4774a4 SetScrollRange
0x4774a8 SetScrollPos
0x4774ac SetScrollInfo
0x4774b0 SetRect
0x4774b4 SetPropA
0x4774b8 SetParent
0x4774bc SetMenuItemInfoA
0x4774c0 SetMenu
0x4774c4 SetKeyboardState
0x4774c8 SetForegroundWindow
0x4774cc SetFocus
0x4774d0 SetCursor
0x4774d4 SetClipboardData
0x4774d8 SetClassLongA
0x4774dc SetCapture
0x4774e0 SetActiveWindow
0x4774e4 SendMessageA
0x4774e8 ScrollWindow
0x4774ec ScreenToClient
0x4774f0 RemovePropA
0x4774f4 RemoveMenu
0x4774f8 ReleaseDC
0x4774fc ReleaseCapture
0x477508 RegisterClassA
0x47750c RedrawWindow
0x477510 PtInRect
0x477514 PostQuitMessage
0x477518 PostMessageA
0x47751c PeekMessageA
0x477520 OpenClipboard
0x477524 OffsetRect
0x477528 OemToCharA
0x47752c MessageBoxA
0x477530 MessageBeep
0x477534 MapWindowPoints
0x477538 MapVirtualKeyA
0x47753c LoadStringA
0x477540 LoadKeyboardLayoutA
0x477544 LoadIconA
0x477548 LoadCursorA
0x47754c LoadBitmapA
0x477550 KillTimer
0x477554 IsZoomed
0x477558 IsWindowVisible
0x47755c IsWindowEnabled
0x477560 IsWindow
0x477564 IsRectEmpty
0x477568 IsIconic
0x47756c IsDialogMessageA
0x477570 IsChild
0x477574 IsCharAlphaNumericA
0x477578 IsCharAlphaA
0x47757c InvalidateRect
0x477580 IntersectRect
0x477584 InsertMenuItemA
0x477588 InsertMenuA
0x47758c InflateRect
0x477594 GetWindowTextA
0x477598 GetWindowRect
0x47759c GetWindowPlacement
0x4775a0 GetWindowLongA
0x4775a4 GetWindowDC
0x4775a8 GetTopWindow
0x4775ac GetSystemMetrics
0x4775b0 GetSystemMenu
0x4775b4 GetSysColorBrush
0x4775b8 GetSysColor
0x4775bc GetSubMenu
0x4775c0 GetScrollRange
0x4775c4 GetScrollPos
0x4775c8 GetScrollInfo
0x4775cc GetPropA
0x4775d0 GetParent
0x4775d4 GetWindow
0x4775d8 GetMenuStringA
0x4775dc GetMenuState
0x4775e0 GetMenuItemInfoA
0x4775e4 GetMenuItemID
0x4775e8 GetMenuItemCount
0x4775ec GetMenu
0x4775f0 GetLastActivePopup
0x4775f4 GetKeyboardState
0x4775fc GetKeyboardLayout
0x477600 GetKeyState
0x477604 GetKeyNameTextA
0x477608 GetIconInfo
0x47760c GetForegroundWindow
0x477610 GetFocus
0x477614 GetDlgItem
0x477618 GetDesktopWindow
0x47761c GetDCEx
0x477620 GetDC
0x477624 GetCursorPos
0x477628 GetCursor
0x47762c GetClipboardData
0x477630 GetClientRect
0x477634 GetClassNameA
0x477638 GetClassInfoA
0x47763c GetCapture
0x477640 GetActiveWindow
0x477644 FrameRect
0x477648 FindWindowA
0x47764c FillRect
0x477650 EqualRect
0x477654 EnumWindows
0x477658 EnumThreadWindows
0x477660 EndPaint
0x477664 EnableWindow
0x477668 EnableScrollBar
0x47766c EnableMenuItem
0x477670 EmptyClipboard
0x477674 DrawTextA
0x477678 DrawMenuBar
0x47767c DrawIconEx
0x477680 DrawIcon
0x477684 DrawFrameControl
0x477688 DrawFocusRect
0x47768c DrawEdge
0x477690 DispatchMessageA
0x477694 DestroyWindow
0x477698 DestroyMenu
0x47769c DestroyIcon
0x4776a0 DestroyCursor
0x4776a4 DeleteMenu
0x4776a8 DefWindowProcA
0x4776ac DefMDIChildProcA
0x4776b0 DefFrameProcA
0x4776b4 CreatePopupMenu
0x4776b8 CreateMenu
0x4776bc CreateIcon
0x4776c0 CloseClipboard
0x4776c4 ClientToScreen
0x4776c8 CheckMenuItem
0x4776cc CallWindowProcA
0x4776d0 CallNextHookEx
0x4776d4 BeginPaint
0x4776d8 CharNextA
0x4776dc CharLowerBuffA
0x4776e0 CharLowerA
0x4776e4 CharUpperBuffA
0x4776e8 CharToOemA
0x4776ec AdjustWindowRectEx
Library kernel32.dll:
0x4776f8 Sleep
Library oleaut32.dll:
0x477700 SafeArrayPtrOfIndex
0x477704 SafeArrayGetUBound
0x477708 SafeArrayGetLBound
0x47770c SafeArrayCreate
0x477710 VariantChangeType
0x477714 VariantCopy
0x477718 VariantClear
0x47771c VariantInit
Library comctl32.dll:
0x47772c ImageList_Write
0x477730 ImageList_Read
0x477740 ImageList_DragMove
0x477744 ImageList_DragLeave
0x477748 ImageList_DragEnter
0x47774c ImageList_EndDrag
0x477750 ImageList_BeginDrag
0x477754 ImageList_Remove
0x477758 ImageList_DrawEx
0x47775c ImageList_Replace
0x477760 ImageList_Draw
0x477770 ImageList_Add
0x477778 ImageList_Destroy
0x47777c ImageList_Create
0x477780 InitCommonControls
Library comdlg32.dll:
0x477788 GetOpenFileNameA
Library user32.dll:
0x477790 DdeCmpStringHandles
0x477794 DdeFreeStringHandle
0x477798 DdeQueryStringA
0x4777a0 DdeGetLastError
0x4777a4 DdeFreeDataHandle
0x4777a8 DdeUnaccessData
0x4777ac DdeAccessData
0x4777b0 DdeCreateDataHandle
0x4777b8 DdeNameService
0x4777bc DdePostAdvise
0x4777c0 DdeSetUserHandle
0x4777c4 DdeQueryConvInfo
0x4777c8 DdeDisconnect
0x4777cc DdeConnect
0x4777d0 DdeUninitialize
0x4777d4 DdeInitializeA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.