14.2
0-day

SHA-256: cbddd0b1ba645aaa7f2ba1e24577d0d1c71766436a84cc75e5f09e2468e4aeec

File name: 4ce38da80d117e0743364d5a3b77d7f8.exe

Analysis duration: 508s

Last analysis:

File size: 888.0KB
Static detection: malicious. Dynamic detection: malicious (100%).
Detection tags: 3GW@AKQBH1JI, AGENTTESLA, AI SCORE=86, AIDETECTVM, ALI2000015, AUTOG, CLASSIC, CONFIDENCE, DELF, DELFINJECT, DELPHILESS, DNLN2BSIL8Q, EMOY, EMUW, FAREIT, HIGH CONFIDENCE, HOXHXT, KCLOUD, KRYPTIK, LOKIBOT, MALREP, MALWARE2, MALWARE@#IYXYDVD30R3O, NANOCORE, PASSWORDSTEALER, QVM05, S + TROJ, SCORE, THIABBO, TSCOPE, UNSAFE, WPVI, X2094, ZELPHIF, ZXSMV
The family tags disagree (AgentTesla, LokiBot, NanoCore and Fareit are four different stealer/RAT families) while the generic tags agree (Delf, DelfInject, Kryptik, and the Delphi packer match below): the engines are recognising a Delphi crypter/loader, and the family of the payload it carries has to be determined from the code the loader injects, not from these labels.
Eagle Eye engine
Not detected: no Eagle Eye engine result available
Static verdict
Antivirus engines
Engine        Result                                  Scan date   Engine version
McAfee        Fareit-FVZ!4CE38DA80D11                 20201211    6.0.6.653
Baidu         (no result)                             20190318    1.0.0.2
Alibaba       Trojan:Win32/DelfInject.ali2000015      20190527    0.3.0.5
Avast         Win32:Trojan-gen                        20201211    21.1.5827.0
Kingsoft      Win32.Troj.Undef.(kcloud)               20201211    2017.9.26.565
CrowdStrike   win/malicious_confidence_100% (W)       20190702    1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
CODE, DATA and BSS are the default section names emitted by the Borland/Delphi linker, and "BobSoft Mini Delphi" is a PEiD signature that matches Delphi-built executables in general, so both hits say the same thing: this is a Delphi binary, and the "unknown section names" hit is the false positive the signature itself warns about. The packing evidence is the high-entropy .rsrc section and the unpack-and-inject behaviour recorded under the dynamic indicators.
One or more processes crashed (7 events)
All seven crashes share one stack: the .NET host entry point (mscoree!_CorExeMain) enters code in the gtguihjky module, which calls LoadLibraryExW, and the access violation (0xc0000005) is raised inside the loader path with the sandbox monitor's own LdrLoadDll hook (New_ntdll_LdrLoadDll@16) on the stack. The timestamps line up one for one with the NtResumeThread events in the injection section below (targets 1912, 1936, 2060, 1380, 3168, 3268, 732), so each crash is an injected child dying shortly after it was resumed, while loading a DLL from a managed (.NET) image. Whether the fault belongs to the payload or is an artifact of the monitor hook cannot be decided from this trace alone; only the faulting address changes between the seven records.
Time & API Arguments Status Return Repeated
1619512651.409251
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
gtguihjky+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfce3148d
success 0 0
1619512673.611876
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
gtguihjky+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe8a148d
success 0 0
1619512677.346126
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
gtguihjky+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfce4148d
success 0 0
1619512682.580374
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
gtguihjky+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfcbe148d
success 0 0
1619512692.784251
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
gtguihjky+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfcc1148d
success 0 0
1619512844.105614
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
gtguihjky+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe8a148d
success 0 0
1619512875.407228
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
gtguihjky+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe89148d
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:1174797285&cup2hreq=55839c4a275b525870cdebd003ef9bc28b71b9b0be2343380be8cac2d27717a4
Performs some HTTP requests (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:1174797285&cup2hreq=55839c4a275b525870cdebd003ef9bc28b71b9b0be2343380be8cac2d27717a4
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:1174797285&cup2hreq=55839c4a275b525870cdebd003ef9bc28b71b9b0be2343380be8cac2d27717a4
All three hits are the same request to Google's update service (cup2key and cup2hreq are parameters of Google's Omaha update protocol), and GoogleUpdate.exe appears in the process snapshots further down. This is almost certainly background traffic of the analysis image rather than the sample's command-and-control, and the sample's own network activity is not captured anywhere in this report; do not turn this URL into an indicator.
Allocates read-write-execute memory (usually to unpack itself) (50 of 218 events)
Two patterns are worth separating in the rows below. The loader instances (1060, 2188, 3068, 2668) each commit a single RWX page and re-protect 0xc000 bytes at 0x00459000 inside their own image, which is the Delphi loader unpacking in place. The injected children (1912, 1936) first make the page at 0x00400000 (their own PE header) writable, reserve a region of roughly 2 MB, commit a 0x9a000-byte RWX block (0x01ec0000 and 0x01f40000 respectively) for the payload, and then repeatedly flip 4 KB pages at 0x76351000, 0x76353000, 0x76354000 and 0x77d4f000 to RWX, alternating with one page of their own (0x00612000 or 0x02082000). 0x77d4f000 lies inside ntdll (the crash stacks place ntdll at 0x77d30000); the 0x7635x000 pages belong to another system DLL not named in this excerpt. Re-protecting pages of loaded system DLLs from a freshly injected payload is consistent with inline patching of API entry points (installing or removing hooks); the report does not show what was written there.
Time & API Arguments Status Return Repeated
1619512631.095751
NtAllocateVirtualMemory
process_identifier: 1060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619512632.111751
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00459000
success 0 0
1619512632.111751
NtAllocateVirtualMemory
process_identifier: 1060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01fe0000
success 0 0
1619512635.814499
NtAllocateVirtualMemory
process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c0000
success 0 0
1619512635.845499
NtProtectVirtualMemory
process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00459000
success 0 0
1619512635.845499
NtAllocateVirtualMemory
process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x020e0000
success 0 0
1619512646.081251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619512647.862251
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02080000
success 0 0
1619512647.862251
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02270000
success 0 0
1619512647.862251
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ec0000
success 0 0
1619512647.862251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ec2000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619512651.268251
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619512646.111751
NtAllocateVirtualMemory
process_identifier: 3068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619512647.252751
NtProtectVirtualMemory
process_identifier: 3068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00459000
success 0 0
1619512647.252751
NtAllocateVirtualMemory
process_identifier: 3068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007d0000
success 0 0
1619512672.378001
NtAllocateVirtualMemory
process_identifier: 2668
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c0000
success 0 0
1619512672.378001
NtProtectVirtualMemory
process_identifier: 2668
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00459000
success 0 0
1619512672.378001
NtAllocateVirtualMemory
process_identifier: 2668
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e50000
success 0 0
1619512673.549876
NtProtectVirtualMemory
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619512673.564876
NtAllocateVirtualMemory
process_identifier: 1936
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02090000
success 0 0
1619512673.564876
NtAllocateVirtualMemory
process_identifier: 1936
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02230000
success 0 0
1619512673.564876
NtAllocateVirtualMemory
process_identifier: 1936
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f40000
success 0 0
1619512673.564876
NtProtectVirtualMemory
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f42000
success 0 0
1619512673.580876
NtProtectVirtualMemory
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02082000
success 0 0
1619512673.580876
NtProtectVirtualMemory
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619512673.580876
NtProtectVirtualMemory
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02082000
success 0 0
1619512673.580876
NtProtectVirtualMemory
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619512673.580876
NtProtectVirtualMemory
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02082000
success 0 0
1619512673.580876
NtProtectVirtualMemory
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619512673.580876
NtProtectVirtualMemory
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02082000
success 0 0
1619512673.580876
NtProtectVirtualMemory
process_identifier: 1936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
A process attempted to delay the analysis task (1 event)
description gtguihjky.exe tried to sleep 172 seconds, actually delayed analysis time by 172 seconds
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.613401721211417 section {'size_of_data': '0x0006fe00', 'virtual_address': '0x00074000', 'entropy': 7.613401721211417, 'name': '.rsrc', 'virtual_size': '0x0006fc2c'} description A section with a high entropy has been found
entropy 0.5045095828635852 description Overall entropy of this PE file is high
The two "entropy" numbers are on different scales. 7.61 is the Shannon entropy of the .rsrc section in bits per byte (8.0 is the maximum), so the resource section is essentially random data: an encrypted payload stored as a resource, 0x6fe00 bytes, about 447 KB of this 888 KB file. 0.50 is not a bits-per-byte figure but a ratio, the share of the file's section data that sits in high-entropy sections, which is exactly what that one section accounts for.
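The two checks above, rebuilt as runnable code. This is an added example, not the report's or the sandbox's own signature code: it carries a minimal standard-library PE section-table parser, computes per-section Shannon entropy and the overall high-entropy ratio, reproduces the "unknown section name" hit on a Delphi-style CODE section, and builds a small constructed PE to run against. The thresholds (6.8 bits per byte per section, 0.2 for the overall ratio) and the list of "common" section names are assumptions; only the two-scale structure of the result is taken from the report.

```python
"""Reproduce the two packer-entropy checks from the report on a PE file.

Added example, not from the report and not the sandbox's own signature code.
It carries its own minimal PE section-table parser (standard library only) and
builds a small constructed PE for the demonstration. The thresholds (6.8 bits
per byte per section, 0.2 for the overall ratio) are assumptions about what the
report's signature uses; only the two-scale structure is taken from the report.
"""
import hashlib
import math
import struct
from collections import Counter

SECTION_ENTROPY_THRESHOLD = 6.8   # assumption
OVERALL_RATIO_THRESHOLD = 0.2     # assumption
# Names common linkers emit; CODE/DATA/BSS (Borland/Delphi) are deliberately absent
# so the demo reproduces the report's false-positive "unknown section name" hit.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                        ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}


def shannon_entropy(buf):
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data):
    """Walk the PE section table and yield name, sizes and raw bytes per section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield {"name": name.rstrip(b"\0").decode("ascii", "replace"),
               "virtual_address": va, "virtual_size": vsize,
               "size_of_data": rsize, "data": data[rptr:rptr + rsize]}


def packer_indicators(data):
    """Per-section entropy (bits/byte) plus the overall high-entropy ratio."""
    sections = list(pe_sections(data))
    total = sum(s["size_of_data"] for s in sections)
    flagged, high_bytes = [], 0
    for s in sections:
        s["entropy"] = shannon_entropy(s["data"])
        if s["entropy"] > SECTION_ENTROPY_THRESHOLD:
            flagged.append(s["name"])
            high_bytes += s["size_of_data"]
    ratio = high_bytes / total if total else 0.0
    return {"sections": {s["name"]: round(s["entropy"], 3) for s in sections},
            "high_entropy_sections": flagged,
            "overall_ratio": round(ratio, 3),
            "overall_high": ratio > OVERALL_RATIO_THRESHOLD}


def unusual_section_names(data):
    """Section names outside the common set (a weak, false-positive-prone signal)."""
    return [s["name"] for s in pe_sections(data) if s["name"] not in COMMON_SECTION_NAMES]


def build_pe(sections, file_align=0x200):
    """Assemble a minimal PE32 (DOS stub, COFF header, empty optional header,
    section table, raw data) good enough for section-table parsers."""
    opt_size = 224
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    data_start = -(-hdr_len // file_align) * file_align
    table, blob, ptr, va = b"", b"", data_start, 0x1000
    for name, raw in sections:
        rsize = -(-len(raw) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), va, rsize, ptr, 0, 0, 0, 0, 0x40000040)
        blob += raw.ljust(rsize, b"\0")
        ptr += rsize
        va += -(-rsize // 0x1000) * 0x1000
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    return (dos + coff + opt + table).ljust(data_start, b"\0") + blob


# Constructed sample: a low-entropy Delphi-style CODE section and an .rsrc
# section full of pseudo-random bytes standing in for an encrypted payload.
CODE_BYTES = (b"\x55\x8b\xec" + b"\x90" * 13) * 32                            # 512 bytes
RSRC_BYTES = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 bytes
SAMPLE_PE = build_pe([("CODE", CODE_BYTES), (".rsrc", RSRC_BYTES)])

if __name__ == "__main__":
    print(packer_indicators(SAMPLE_PE))
    print(unusual_section_names(SAMPLE_PE))
```

On the constructed sample the .rsrc section comes out near 7.9 bits per byte and the ratio at 0.8, the same shape as the report's 7.61 and 0.50; pointing `packer_indicators` at a real file is a matter of `open(path, "rb").read()`, since the parser only needs the section table and raw data.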
Expresses interest in specific running processes (1 event)
process gtguihjky.exe
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (20 events)
Read these rows with care: each Process32NextW "failed" is simply the end of a snapshot walk, and the process_name shown is the last entry enumerated, not a process the sample was looking for. inject-x86.exe and is32bit.exe are the sandbox monitor's own helper binaries, which means the analysis tooling is visible to the sample in the process list. The browser hint is the signature's generic advice for stealers; nothing in this trace shows the sample asking for a browser.
Time & API Arguments Status Return Repeated
1619512632.111751
Process32NextW
process_name: 4ce38da80d117e0743364d5a3b77d7f8.exe
snapshot_handle: 0x000000f8
process_identifier: 1060
failed 0 0
1619512635.845499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 2956
failed 0 0
1619512647.252751
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 300
failed 0 0
1619512672.220751
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x00000460
process_identifier: 3068
failed 0 0
1619512672.378001
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x000000f8
process_identifier: 1976
failed 0 0
1619512673.627499
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x000000f8
process_identifier: 2080
failed 0 0
1619512675.361499
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x00000138
process_identifier: 2900
failed 0 0
1619512675.550001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 2848
failed 0 0
1619512677.392499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 600
failed 0 0
1619512681.142499
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x00000180
process_identifier: 2104
failed 0 0
1619512681.455374
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x000000fc
process_identifier: 1092
failed 0 0
1619512682.065001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 2120
failed 0 0
1619512690.878001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000022c
process_identifier: 2444
failed 0 0
1619512691.142374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3144
failed 0 0
1619512692.674626
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3296
failed 0 0
1619512840.611626
Process32NextW
process_name: GoogleUpdate.exe
snapshot_handle: 0x00001474
process_identifier: 4084
failed 0 0
1619512841.224846
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3224
failed 0 0
1619512844.271413
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3460
failed 0 0
1619512861.005413
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x00000338
process_identifier: 3368
failed 0 0
1619512865.879457
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3604
failed 0 0
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 113.108.239.196
host 172.217.24.14
172.217.24.14 is in Google's 172.217.0.0/16 range and matches the update.googleapis.com POST above. 113.108.239.196 is not explained anywhere in this report; it is the only network indicator here worth pivoting on, and only after checking it against the analysis environment's own traffic.
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe:ZoneIdentifier
The stream is a zone marker (reported here as ZoneIdentifier) being carried onto the self-copy; the finding of value is the copy itself, the sample relocating to %APPDATA%\appdata\gtguihjky.exe, the name that then appears in the crashes, the sleep and the process enumerations.
Allocates execute permission to another process indicative of possible code injection (1 event)
The target, PID 2576, is the notepad.exe instance the sample launches (see the CreateProcessInternalW row at the end of the report); the RWX page at 0x000b0000 is where the launcher stub is written next.
Time & API Arguments Status Return Repeated
1619512635.017751
NtAllocateVirtualMemory
process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000100
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 events)
Process injection Process 1060 created a thread in remote process 2576
Time & API Arguments Status Return Repeated
1619512635.017751
NtQueueApcThread
thread_handle: 0x00000108
process_identifier: 2576
function_address: 0x000b05c0
parameter: 0x000c0000
success 0 0
The APC queued above points at 0x000b05c0, 0x5c0 bytes into the RWX page allocated at 0x000b0000, and its parameter 0x000c0000 is the PAGE_READWRITE page allocated right after it. The two writes below fill exactly those pages. The first is the position-independent stub: the readable fragments "MZ", "PE", "shel"/"l32" and "user"/"32" are the usual walk of the PEB loader list and PE export tables to resolve shell32/user32 functions by hash. The second is its argument block: the original sample path, the self-copy path, the quoted command line, the script name "web" and the VBS launcher template. The template's mixed case (cReaTeOBject("wscripT.sHell"), XVUqCBJDlZOHeDVv.run) is harmless to VBScript, which is case-insensitive, and exists to defeat case-sensitive string signatures; %ls is a printf-style wide-string placeholder the stub fills with the path to launch, and the trailing 0, False run the target with a hidden window without waiting for it.
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619512635.017751
WriteProcessMemory
process_identifier: 2576
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000100
base_address: 0x000b0000
success 1 0
1619512635.017751
WriteProcessMemory
process_identifier: 2576
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4ce38da80d117e0743364d5a3b77d7f8.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4ce38da80d117e0743364d5a3b77d7f8.exe" websEt xvUqcBjdLZohEDvV = cReaTeOBject("wscripT.sHell") XVUqCBJDlZOHeDVv.run """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x000c0000
success 1 0
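A small parser for launcher scripts of the kind carried in the second write, as an added example that is not part of the report. It recognises a WScript.Shell object creation followed by a .Run call on the same variable regardless of letter case, undoes VBScript's doubled-quote escaping to recover the launched path, and reads the window-style argument. SAMPLE_VBS is constructed: it is the report's template with %ls filled in with the self-copy path from the same buffer, which is an assumption about what the stub substitutes.

```python
"""Recognise a case-mangled WScript.Shell launcher such as the web.vbs template
carried in the injected argument block above.

Added example, not from the report. SAMPLE_VBS is constructed: it is the
report's template with %ls filled in with the self-copy path from the same
buffer (an assumption about what the stub substitutes).
"""
import re

SAMPLE_VBS = (
    'sEt xvUqcBjdLZohEDvV = cReaTeOBject("wscripT.sHell")\r\n'
    'XVUqCBJDlZOHeDVv.run """C:\\Users\\Administrator.Oskar-PC\\AppData\\Roaming'
    '\\appdata\\gtguihjky.exe""", 0, False\r\n'
)

# VBScript is case-insensitive and doubles quotes inside string literals.
SHELL_OBJ = re.compile(r'\bset\s+(\w+)\s*=\s*createobject\(\s*"wscript\.shell"\s*\)', re.I)
RUN_CALL = re.compile(r'\b(\w+)\.run\s+("(?:[^"]|"")*")(?:\s*,\s*(\d+))?', re.I)


def vb_unquote(literal):
    """Turn a VBScript string literal (with "" escapes) into its value."""
    return literal[1:-1].replace('""', '"')


def parse_wscript_launcher(text):
    """Return {shell_var, target, hidden} if text creates WScript.Shell and
    calls .Run on it (regardless of letter case), else None."""
    m_set = SHELL_OBJ.search(text)
    if not m_set:
        return None
    shell_var = m_set.group(1)
    for m_run in RUN_CALL.finditer(text, m_set.end()):
        if m_run.group(1).lower() != shell_var.lower():
            continue                      # .Run on some other object
        target = vb_unquote(m_run.group(2)).strip('"')   # """x""" -> "x" -> x
        window = m_run.group(3)
        return {
            "shell_var": shell_var,
            "target": target,
            # WshShell.Run intWindowStyle 0 = hidden window
            "hidden": window == "0",
        }
    return None


if __name__ == "__main__":
    print(parse_wscript_launcher(SAMPLE_VBS))
```

Matching on the normalised structure rather than on literal strings is the point: a signature for `CreateObject("WScript.Shell")` misses this file, while the parser does not care how the letters are cased, and the recovered target path is what you would hunt for on other hosts.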
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (14 events)
Process injection Process 2188 called NtSetContextThread to modify thread in remote process 1912
Process injection Process 2668 called NtSetContextThread to modify thread in remote process 1936
Process injection Process 1164 called NtSetContextThread to modify thread in remote process 2060
Process injection Process 728 called NtSetContextThread to modify thread in remote process 1380
Process injection Process 1928 called NtSetContextThread to modify thread in remote process 3168
Process injection Process 2436 called NtSetContextThread to modify thread in remote process 3268
Process injection Process 628 called NtSetContextThread to modify thread in remote process 732
In every call the logged context has EIP = 0 and only two registers populated: EAX = 5503440 (0x53f9d0) and EBX = 2130567168 (0x7efde000). On 32-bit Windows the initial thread of a new process starts with EAX holding the image entry point and EBX the PEB address, so this is the classic hollowing step: the loader leaves the PEB pointer alone and redirects the entry point to 0x53f9d0 inside the payload it mapped, and NtResumeThread (next section) then starts it. The seven parent/child pairs are the same operation repeated by successive copies of the loader (2188 -> 1912, 2668 -> 1936, 1164 -> 2060, 728 -> 1380, 1928 -> 3168, 2436 -> 3268, 628 -> 732), and each child is one of the seven crashes listed under the static indicators.
Time & API Arguments Status Return Repeated
1619512636.252499
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1912
success 0 0
1619512672.768001
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1936
success 0 0
1619512676.925001
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2060
success 0 0
1619512681.674374
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1380
success 0 0
1619512691.705374
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3168
success 0 0
1619512842.771846
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3268
success 0 0
1619512871.207457
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 732
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (14 events)
Process injection Process 2188 resumed a thread in remote process 1912
Process injection Process 2668 resumed a thread in remote process 1936
Process injection Process 1164 resumed a thread in remote process 2060
Process injection Process 728 resumed a thread in remote process 1380
Process injection Process 1928 resumed a thread in remote process 3168
Process injection Process 2436 resumed a thread in remote process 3268
Process injection Process 628 resumed a thread in remote process 732
Time & API Arguments Status Return Repeated
1619512645.908499
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 1912
success 0 0
1619512673.425001
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 1936
success 0 0
1619512677.081001
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2060
success 0 0
1619512681.720374
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 1380
success 0 0
1619512692.455374
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3168
success 0 0
1619512843.567846
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3268
success 0 0
1619512872.457457
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 732
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 61 events)
Time & API Arguments Status Return Repeated
1619512635.017751
CreateProcessInternalW
thread_identifier: 1344
thread_handle: 0x00000108
process_identifier: 2576
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619512635.017751
NtAllocateVirtualMemory
process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000100
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619512635.017751
NtAllocateVirtualMemory
process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000100
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1619512635.017751
WriteProcessMemory
process_identifier: 2576
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000100
base_address: 0x000b0000
success 1 0
1619512635.017751
WriteProcessMemory
process_identifier: 2576
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4ce38da80d117e0743364d5a3b77d7f8.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4ce38da80d117e0743364d5a3b77d7f8.exe" websEt xvUqcBjdLZohEDvV = cReaTeOBject("wscripT.sHell") XVUqCBJDlZOHeDVv.run """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x000c0000
success 1 0
1619512635.689374
CreateProcessInternalW
thread_identifier: 1380
thread_handle: 0x000000d0
process_identifier: 2188
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619512636.220499
CreateProcessInternalW
thread_identifier: 2120
thread_handle: 0x00000108
process_identifier: 1912
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619512636.220499
NtUnmapViewOfSection
process_identifier: 1912
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619512636.220499
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 1912
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619512636.252499
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619512636.252499
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1912
success 0 0
1619512645.908499
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 1912
success 0 0
1619512645.955499
CreateProcessInternalW
thread_identifier: 1036
thread_handle: 0x0000010c
process_identifier: 3068
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe" 2 1912 31352984
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619512672.236751
CreateProcessInternalW
thread_identifier: 2996
thread_handle: 0x00000464
process_identifier: 2668
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000468
inherit_handles: 0
success 1 0
1619512672.721001
CreateProcessInternalW
thread_identifier: 1928
thread_handle: 0x00000108
process_identifier: 1936
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619512672.721001
NtUnmapViewOfSection
process_identifier: 1936
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619512672.721001
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 1936
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619512672.768001
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619512672.768001
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1936
success 0 0
1619512673.425001
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 1936
success 0 0
1619512673.440001
CreateProcessInternalW
thread_identifier: 728
thread_handle: 0x0000010c
process_identifier: 2900
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe" 2 1936 31380500
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619512675.377499
CreateProcessInternalW
thread_identifier: 1484
thread_handle: 0x0000013c
process_identifier: 1164
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000140
inherit_handles: 0
success 1 0
1619512675.628001
CreateProcessInternalW
thread_identifier: 1252
thread_handle: 0x00000108
process_identifier: 2060
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619512675.628001
NtUnmapViewOfSection
process_identifier: 2060
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619512675.628001
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 2060
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619512676.925001
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619512676.925001
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2060
success 0 0
1619512677.081001
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2060
success 0 0
1619512677.096001
CreateProcessInternalW
thread_identifier: 2116
thread_handle: 0x0000010c
process_identifier: 2104
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe" 2 2060 31384156
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619512681.220499
CreateProcessInternalW
thread_identifier: 2272
thread_handle: 0x00000184
process_identifier: 728
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000188
inherit_handles: 0
success 1 0
1619512681.564374
CreateProcessInternalW
thread_identifier: 1484
thread_handle: 0x0000010c
process_identifier: 1380
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619512681.564374
NtUnmapViewOfSection
process_identifier: 1380
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619512681.564374
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 1380
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619512681.674374
NtGetContextThread
thread_handle: 0x0000010c
success 0 0
1619512681.674374
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1380
success 0 0
1619512681.720374
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 1380
success 0 0
1619512681.799374
CreateProcessInternalW
thread_identifier: 2952
thread_handle: 0x00000110
process_identifier: 1872
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe" 2 1380 31388796
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619512690.956001
CreateProcessInternalW
thread_identifier: 1892
thread_handle: 0x00000230
process_identifier: 1928
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000234
inherit_handles: 0
success 1 0
1619512691.174374
CreateProcessInternalW
thread_identifier: 3172
thread_handle: 0x00000108
process_identifier: 3168
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619512691.174374
NtUnmapViewOfSection
process_identifier: 3168
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619512691.174374
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 3168
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619512691.705374
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619512691.705374
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3168
success 0 0
1619512692.455374
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3168
success 0 0
1619512692.470374
CreateProcessInternalW
thread_identifier: 3240
thread_handle: 0x0000010c
process_identifier: 3236
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe" 2 3168 31399531
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619512840.830626
CreateProcessInternalW
thread_identifier: 2064
thread_handle: 0x00001478
process_identifier: 2436
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000147c
inherit_handles: 0
success 1 0
1619512841.505846
CreateProcessInternalW
thread_identifier: 3288
thread_handle: 0x00000108
process_identifier: 3268
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619512841.505846
NtUnmapViewOfSection
process_identifier: 3268
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619512841.505846
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 3268
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619512842.771846
NtGetContextThread
thread_handle: 0x00000108
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Delf.FareIt.Gen.7
FireEye Generic.mg.4ce38da80d117e07
McAfee Fareit-FVZ!4CE38DA80D11
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
AegisLab Trojan.Win32.Kryptik.4!c
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Trojan.Delf.FareIt.Gen.7
K7GW Riskware ( 0040eff71 )
Cybereason malicious.7c5886
BitDefenderTheta Gen:NN.ZelphiF.34670.3GW@aKqBH1ji
Cyren W32/Injector.WPVI-5619
Symantec Infostealer.Lokibot!43
TrendMicro-HouseCall Trojan.Win32.MALREP.THIABBO
Paloalto generic.ml
ClamAV Win.Dropper.AgentTesla-9122548-1
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
Alibaba Trojan:Win32/DelfInject.ali2000015
NANO-Antivirus Trojan.Win32.Kryptik.hoxhxt
Avast Win32:Trojan-gen
Ad-Aware Trojan.Delf.FareIt.Gen.7
Sophos Mal/Generic-S + Troj/AutoG-IO
Comodo Malware@#iyxydvd30r3o
F-Secure Trojan.TR/Injector.zxsmv
DrWeb Trojan.PWS.Stealer.28999
Zillya Trojan.Injector.Win32.753781
TrendMicro Trojan.Win32.MALREP.THIABBO
McAfee-GW-Edition BehavesLike.Win32.Fareit.cc
Emsisoft Trojan.Delf.FareIt.Gen.7 (B)
APEX Malicious
Jiangmin Trojan.Kryptik.byb
Webroot W32.Trojan.Gen
Avira TR/Injector.zxsmv
Antiy-AVL Trojan/Win32.Kryptik
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/NanoCore.VD!MTB
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Trojan.Delf.FareIt.Gen.7
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2094
Acronis suspicious
VBA32 TScope.Trojan.Delf
ALYac Trojan.Delf.FareIt.Gen.7
MAX malware (ai score=86)
Malwarebytes Spyware.PasswordStealer
Zoner Trojan.Win32.94619
ESET-NOD32 a variant of Win32/Injector.EMUW
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
dead_host 172.217.160.78:443
Visual Analysis
Binary Image
No binary image: no binary visualization image was generated for this sample.
Runtime Screenshots
No runtime screenshots: no screenshots were captured while this sample was running.

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x46813c VirtualFree
0x468140 VirtualAlloc
0x468144 LocalFree
0x468148 LocalAlloc
0x46814c GetVersion
0x468150 GetCurrentThreadId
0x46815c VirtualQuery
0x468160 WideCharToMultiByte
0x468164 MultiByteToWideChar
0x468168 lstrlenA
0x46816c lstrcpynA
0x468170 LoadLibraryExA
0x468174 GetThreadLocale
0x468178 GetStartupInfoA
0x46817c GetProcAddress
0x468180 GetModuleHandleA
0x468184 GetModuleFileNameA
0x468188 GetLocaleInfoA
0x46818c GetCommandLineA
0x468190 FreeLibrary
0x468194 FindFirstFileA
0x468198 FindClose
0x46819c ExitProcess
0x4681a0 WriteFile
0x4681a8 RtlUnwind
0x4681ac RaiseException
0x4681b0 GetStdHandle
Library user32.dll:
0x4681b8 GetKeyboardType
0x4681bc LoadStringA
0x4681c0 MessageBoxA
0x4681c4 CharNextA
Library advapi32.dll:
0x4681cc RegQueryValueExA
0x4681d0 RegOpenKeyExA
0x4681d4 RegCloseKey
Library oleaut32.dll:
0x4681dc SysFreeString
0x4681e0 SysReAllocStringLen
0x4681e4 SysAllocStringLen
Library kernel32.dll:
0x4681ec TlsSetValue
0x4681f0 TlsGetValue
0x4681f4 LocalAlloc
0x4681f8 GetModuleHandleA
Library advapi32.dll:
0x468200 RegQueryValueExA
0x468204 RegOpenKeyExA
0x468208 RegCloseKey
Library kernel32.dll:
0x468210 lstrcpyA
0x468214 WriteFile
0x468218 WaitForSingleObject
0x46821c VirtualQuery
0x468220 VirtualAlloc
0x468224 Sleep
0x468228 SizeofResource
0x46822c SetThreadLocale
0x468230 SetFilePointer
0x468234 SetEvent
0x468238 SetErrorMode
0x46823c SetEndOfFile
0x468240 ResetEvent
0x468244 ReadFile
0x468248 MulDiv
0x46824c LockResource
0x468250 LoadResource
0x468254 LoadLibraryA
0x468260 GlobalUnlock
0x468264 GlobalReAlloc
0x468268 GlobalHandle
0x46826c GlobalLock
0x468270 GlobalFree
0x468274 GlobalFindAtomA
0x468278 GlobalDeleteAtom
0x46827c GlobalAlloc
0x468280 GlobalAddAtomA
0x468284 GetVersionExA
0x468288 GetVersion
0x46828c GetTickCount
0x468290 GetThreadLocale
0x468294 GetSystemInfo
0x468298 GetStringTypeExA
0x46829c GetStdHandle
0x4682a0 GetProcAddress
0x4682a4 GetModuleHandleA
0x4682a8 GetModuleFileNameA
0x4682ac GetLocaleInfoA
0x4682b0 GetLocalTime
0x4682b4 GetLastError
0x4682b8 GetFullPathNameA
0x4682bc GetDiskFreeSpaceA
0x4682c0 GetDateFormatA
0x4682c4 GetCurrentThreadId
0x4682c8 GetCurrentProcessId
0x4682cc GetCPInfo
0x4682d0 GetACP
0x4682d4 FreeResource
0x4682d8 InterlockedExchange
0x4682dc FreeLibrary
0x4682e0 FormatMessageA
0x4682e4 FindResourceA
0x4682e8 EnumCalendarInfoA
0x4682f4 CreateThread
0x4682f8 CreateFileA
0x4682fc CreateEventA
0x468300 CompareStringA
0x468304 CloseHandle
Library version.dll:
0x46830c VerQueryValueA
0x468314 GetFileVersionInfoA
Library gdi32.dll:
0x46831c UnrealizeObject
0x468320 StretchBlt
0x468324 SetWindowOrgEx
0x468328 SetViewportOrgEx
0x46832c SetTextColor
0x468330 SetStretchBltMode
0x468334 SetROP2
0x468338 SetPixel
0x46833c SetDIBColorTable
0x468340 SetBrushOrgEx
0x468344 SetBkMode
0x468348 SetBkColor
0x46834c SelectPalette
0x468350 SelectObject
0x468354 SaveDC
0x468358 RestoreDC
0x46835c Rectangle
0x468360 RectVisible
0x468364 RealizePalette
0x468368 Polyline
0x46836c PatBlt
0x468370 MoveToEx
0x468374 MaskBlt
0x468378 LineTo
0x46837c IntersectClipRect
0x468380 GetWindowOrgEx
0x468384 GetTextMetricsA
0x468390 GetStockObject
0x468394 GetPixel
0x468398 GetPaletteEntries
0x46839c GetObjectA
0x4683a0 GetDeviceCaps
0x4683a4 GetDIBits
0x4683a8 GetDIBColorTable
0x4683ac GetDCOrgEx
0x4683b4 GetClipBox
0x4683b8 GetBrushOrgEx
0x4683bc GetBitmapBits
0x4683c0 ExcludeClipRect
0x4683c4 DeleteObject
0x4683c8 DeleteDC
0x4683cc CreateSolidBrush
0x4683d0 CreatePenIndirect
0x4683d4 CreatePalette
0x4683dc CreateFontIndirectA
0x4683e0 CreateDIBitmap
0x4683e4 CreateDIBSection
0x4683e8 CreateCompatibleDC
0x4683f0 CreateBrushIndirect
0x4683f4 CreateBitmap
0x4683f8 BitBlt
Library user32.dll:
0x468400 CreateWindowExA
0x468404 WindowFromPoint
0x468408 WinHelpA
0x46840c WaitMessage
0x468410 UpdateWindow
0x468414 UnregisterClassA
0x468418 UnhookWindowsHookEx
0x46841c TranslateMessage
0x468424 TrackPopupMenu
0x46842c ShowWindow
0x468430 ShowScrollBar
0x468434 ShowOwnedPopups
0x468438 ShowCursor
0x46843c SetWindowsHookExA
0x468440 SetWindowTextA
0x468444 SetWindowPos
0x468448 SetWindowPlacement
0x46844c SetWindowLongA
0x468450 SetTimer
0x468454 SetScrollRange
0x468458 SetScrollPos
0x46845c SetScrollInfo
0x468460 SetRect
0x468464 SetPropA
0x468468 SetParent
0x46846c SetMenuItemInfoA
0x468470 SetMenu
0x468474 SetForegroundWindow
0x468478 SetFocus
0x46847c SetCursor
0x468480 SetClassLongA
0x468484 SetCapture
0x468488 SetActiveWindow
0x46848c SendMessageA
0x468490 ScrollWindow
0x468494 ScreenToClient
0x468498 RemovePropA
0x46849c RemoveMenu
0x4684a0 ReleaseDC
0x4684a4 ReleaseCapture
0x4684b0 RegisterClassA
0x4684b4 RedrawWindow
0x4684b8 PtInRect
0x4684bc PostQuitMessage
0x4684c0 PostMessageA
0x4684c4 PeekMessageA
0x4684c8 OffsetRect
0x4684cc OemToCharA
0x4684d0 MessageBoxA
0x4684d4 MessageBeep
0x4684d8 MapWindowPoints
0x4684dc MapVirtualKeyA
0x4684e0 LoadStringA
0x4684e4 LoadKeyboardLayoutA
0x4684e8 LoadIconA
0x4684ec LoadCursorA
0x4684f0 LoadBitmapA
0x4684f4 KillTimer
0x4684f8 IsZoomed
0x4684fc IsWindowVisible
0x468500 IsWindowEnabled
0x468504 IsWindow
0x468508 IsRectEmpty
0x46850c IsIconic
0x468510 IsDialogMessageA
0x468514 IsChild
0x468518 InvalidateRect
0x46851c IntersectRect
0x468520 InsertMenuItemA
0x468524 InsertMenuA
0x468528 InflateRect
0x468530 GetWindowTextA
0x468534 GetWindowRect
0x468538 GetWindowPlacement
0x46853c GetWindowLongA
0x468540 GetWindowDC
0x468544 GetTopWindow
0x468548 GetSystemMetrics
0x46854c GetSystemMenu
0x468550 GetSysColorBrush
0x468554 GetSysColor
0x468558 GetSubMenu
0x46855c GetScrollRange
0x468560 GetScrollPos
0x468564 GetScrollInfo
0x468568 GetPropA
0x46856c GetParent
0x468570 GetWindow
0x468574 GetMenuStringA
0x468578 GetMenuState
0x46857c GetMenuItemInfoA
0x468580 GetMenuItemID
0x468584 GetMenuItemCount
0x468588 GetMenu
0x46858c GetLastActivePopup
0x468590 GetKeyboardState
0x468598 GetKeyboardLayout
0x46859c GetKeyState
0x4685a0 GetKeyNameTextA
0x4685a4 GetIconInfo
0x4685a8 GetForegroundWindow
0x4685ac GetFocus
0x4685b0 GetDlgItem
0x4685b4 GetDesktopWindow
0x4685b8 GetDCEx
0x4685bc GetDC
0x4685c0 GetCursorPos
0x4685c4 GetCursor
0x4685c8 GetClientRect
0x4685cc GetClassNameA
0x4685d0 GetClassInfoA
0x4685d4 GetCapture
0x4685d8 GetActiveWindow
0x4685dc FrameRect
0x4685e0 FindWindowA
0x4685e4 FillRect
0x4685e8 EqualRect
0x4685ec EnumWindows
0x4685f0 EnumThreadWindows
0x4685f4 EndPaint
0x4685f8 EnableWindow
0x4685fc EnableScrollBar
0x468600 EnableMenuItem
0x468604 DrawTextA
0x468608 DrawMenuBar
0x46860c DrawIconEx
0x468610 DrawIcon
0x468614 DrawFrameControl
0x468618 DrawFocusRect
0x46861c DrawEdge
0x468620 DispatchMessageA
0x468624 DestroyWindow
0x468628 DestroyMenu
0x46862c DestroyIcon
0x468630 DestroyCursor
0x468634 DeleteMenu
0x468638 DefWindowProcA
0x46863c DefMDIChildProcA
0x468640 DefFrameProcA
0x468644 CreatePopupMenu
0x468648 CreateMenu
0x46864c CreateIcon
0x468650 ClientToScreen
0x468654 CheckMenuItem
0x468658 CallWindowProcA
0x46865c CallNextHookEx
0x468660 BeginPaint
0x468664 CharNextA
0x468668 CharLowerA
0x46866c CharToOemA
0x468670 AdjustWindowRectEx
Library kernel32.dll:
0x46867c Sleep
Library oleaut32.dll:
0x468684 SafeArrayPtrOfIndex
0x468688 SafeArrayGetUBound
0x46868c SafeArrayGetLBound
0x468690 SafeArrayCreate
0x468694 VariantChangeType
0x468698 VariantCopy
0x46869c VariantClear
0x4686a0 VariantInit
Library comctl32.dll:
0x4686b0 ImageList_Write
0x4686b4 ImageList_Read
0x4686c4 ImageList_DragMove
0x4686c8 ImageList_DragLeave
0x4686cc ImageList_DragEnter
0x4686d0 ImageList_EndDrag
0x4686d4 ImageList_BeginDrag
0x4686d8 ImageList_Remove
0x4686dc ImageList_DrawEx
0x4686e0 ImageList_Replace
0x4686e4 ImageList_Draw
0x4686f4 ImageList_Add
0x4686fc ImageList_Destroy
0x468700 ImageList_Create
0x468704 InitCommonControls
Library comdlg32.dll:
0x46870c GetOpenFileNameA

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49221 203.208.41.98 update.googleapis.com 443
192.168.56.101 49222 203.208.41.98 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62191 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 54260 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.