11.4
0-day
64 个模型检测该样本为恶意!
重新分析
更多

37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f

4f2ac7edd1bda1c4e4d629b42ce590ef.exe

分析耗时

91s

最近分析

文件大小

690.0KB
静态报毒 动态报毒 100% ACEG CLASSIC COMET CONFIDENCE DARKCOMET DARKKOMET DARKKOMETJ DGNEPN FWDO FYNLOS FYNLOSK FYNLOSKI GRAFTOR GRAYBIRD HIGH CONFIDENCE HUIGEZIT JORIK MALICIOUS PE MODERATE PONTOEB R33420 REGISTRYDISABLER RK0@AOOH2PNS SCORE TORDEV UNSAFE XAB@4OF2BC 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Backdoor:Win32/Fynloski.b41e3632 20190527 0.3.0.5
Baidu Win32.Backdoor.Agent.l 20190318 1.0.0.2
Avast MSIL:GenMalicious-CHX [Trj] 20191130 18.4.3895.0
Tencent Backdoor.Win32.DarkKomet.zem 20191130 1.0.0.1
Kingsoft Win32.Hack.HuigeziT.cz 20191130 2013.8.14.323
McAfee Generic BackDoor.xa 20191130 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Command line console output was observed (2 个事件)
Time & API Arguments Status Return Repeated
1620738952.257124
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620738952.257499
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620738948.461124
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .itext
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (1 个事件)
Time & API Arguments Status Return Repeated
1620738948.273124
NtAllocateVirtualMemory
process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01df0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a suspicious process (4 个事件)
cmdline cmd.exe /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
cmdline cmd.exe /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f2ac7edd1bda1c4e4d629b42ce590ef.exe" +s +h
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f2ac7edd1bda1c4e4d629b42ce590ef.exe" +s +h
A process created a hidden window (3 个事件)
Time & API Arguments Status Return Repeated
1620738949.070124
ShellExecuteExW
parameters: /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f2ac7edd1bda1c4e4d629b42ce590ef.exe" +s +h
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
1620738949.148124
ShellExecuteExW
parameters: /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
1620738953.070124
CreateProcessInternalW
thread_identifier: 3264
thread_handle: 0x000002dc
process_identifier: 3260
current_directory:
filepath:
track: 1
command_line: notepad
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000002e4
inherit_handles: 0
success 1 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (10 个事件)
Time & API Arguments Status Return Repeated
1620738948.476124
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1620738948.476124
LookupPrivilegeValueW
system_name:
privilege_name: SeTakeOwnershipPrivilege
success 1 0
1620738948.492124
LookupPrivilegeValueW
system_name:
privilege_name: SeLoadDriverPrivilege
success 1 0
1620738948.507124
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1620738948.507124
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1620738948.507124
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620738948.523124
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620738948.523124
LookupPrivilegeValueW
system_name:
privilege_name: SeRemoteShutdownPrivilege
success 1 0
1620738948.539124
LookupPrivilegeValueW
system_name:
privilege_name: SeManageVolumePrivilege
success 1 0
1620738948.539124
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateGlobalPrivilege
success 1 0
Terminates another process (4 个事件)
Time & API Arguments Status Return Repeated
1620738949.882124
NtTerminateProcess
status_code: 0x00000000
process_identifier: 2240
process_handle: 0x000002a8
failed 0 0
1620738949.882124
NtTerminateProcess
status_code: 0x00000000
process_identifier: 2240
process_handle: 0x000002a8
success 0 0
1620738952.961124
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3172
process_handle: 0x000002d4
failed 0 0
1620738952.961124
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3172
process_handle: 0x000002d4
success 0 0
Uses Windows utilities for basic Windows functionality (7 个事件)
cmdline cmd.exe /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
cmdline attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f2ac7edd1bda1c4e4d629b42ce590ef.exe" +s +h
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
cmdline cmd.exe /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f2ac7edd1bda1c4e4d629b42ce590ef.exe" +s +h
cmdline C:\Program Files (x86)\Internet Explorer\iexplore.exe
cmdline attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f2ac7edd1bda1c4e4d629b42ce590ef.exe" +s +h
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (20 个事件)
Time & API Arguments Status Return Repeated
1620738949.320124
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 761856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002a8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00120000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00150000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00160000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001b0000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001c0000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001d0000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001e0000
success 0 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001f0000
success 0 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00010000
success 0 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00020000
success 0 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00200000
success 0 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00210000
success 0 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00220000
success 0 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00230000
success 0 0
Disables Windows' Task Manager (1 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Creates known Fynloski/DarkComet files, registry keys and/or mutexes (4 个事件)
mutex DC_MUTEX-RXJB8CR
mutex DCPERSFWBP
regkey HKEY_CURRENT_USER\Software\DC3_FEXEC
regkey HKEY_CURRENT_USER\Software\DC2_USERS
Manipulates memory of a non-child process indicative of process injection (2 个事件)
Process injection Process 3048 manipulating memory of non-child process 2240
Time & API Arguments Status Return Repeated
1620738949.320124
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 761856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002a8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (19 个事件)
Time & API Arguments Status Return Repeated
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: kernel32.dll
process_handle: 0x000002e4
base_address: 0x000f0000
success 1 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: user32.dll
process_handle: 0x000002e4
base_address: 0x00100000
success 1 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: Sleep
process_handle: 0x000002e4
base_address: 0x00110000
success 1 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: MessageBoxA
process_handle: 0x000002e4
base_address: 0x00120000
success 1 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: CreateProcessA
process_handle: 0x000002e4
base_address: 0x00130000
success 1 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: GetLastError
process_handle: 0x000002e4
base_address: 0x00140000
success 1 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: SetLastError
process_handle: 0x000002e4
base_address: 0x00150000
success 1 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: CreateMutexA
process_handle: 0x000002e4
base_address: 0x00160000
success 1 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: CloseHandle
process_handle: 0x000002e4
base_address: 0x001b0000
success 1 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: ExitThread
process_handle: 0x000002e4
base_address: 0x001c0000
success 1 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: OpenProcess
process_handle: 0x000002e4
base_address: 0x001d0000
success 1 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: DCPERSFWBP
process_handle: 0x000002e4
base_address: 0x001e0000
success 1 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: TerminateProcess
process_handle: 0x000002e4
base_address: 0x001f0000
success 1 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: GetExitCodeProcess
process_handle: 0x000002e4
base_address: 0x00010000
success 1 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: DC_MUTEX-RXJB8CR
process_handle: 0x000002e4
base_address: 0x00020000
success 1 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: WaitForSingleObject
process_handle: 0x000002e4
base_address: 0x00200000
success 1 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f2ac7edd1bda1c4e4d629b42ce590ef.exe
process_handle: 0x000002e4
base_address: 0x00210000
success 1 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: ×I5v"5vý_wÿ5vÀ5vr5v65v©5v˜ÕØw†5vØ6v5vM6vkL5v !¼
process_handle: 0x000002e4
base_address: 0x00220000
success 1 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: U‹ìƒÄ¬SVW‹]‹C@P‹C8PÿPÿS‰C ‹CDP‹C<PÿPÿS‰C‹CTP‹C8PÿPÿS‰C‹CXP‹C8PÿPÿS‰C‹CHP‹C8PÿPÿS‰C‹CLP‹C8PÿPÿS‰C‹CPP‹C8PÿPÿS‰C4‹C`P‹C8PÿPÿS‰C,‹ClP‹C8PÿPÿS‰C(‹ChP‹C8PÿPÿS‰C0‹CdP‹C8PÿPÿS‰C ‹CpP‹C8PÿPÿS‰C$jÿS‹CxPjjÿS4ÿS=·u$‹C|PjjÿS$‹ø…ÿtVWÿS0VWÿS(WÿS,jÿS jÿS‹C\PjjÿS4‹øÿS=·tRWÿS,ÇE¼DE¬PE¼Pjjjjjj‹CtPjÿS…Àt3öhȋE¬PÿSƒèsƒÎÿ…ötèë¼hÐÿS ë²WÿS,hôÿS ë„_^[‹å]U‹ìÄ ÿÿÿSVW‰Mô‰Uø‰Eü‹Eüè3gýÿ‹Eøè+gýÿ‹Eôè#gýÿµtÿÿÿ3ÀUháõBdÿ0d‰ …0ÿÿÿ3ɺDè%HýÿDž0ÿÿÿDDž\ÿÿÿfDž`ÿÿÿ‹Eüè`¯ýÿ„Àu EüºøõBèÃbýÿ‹EøèG¯ýÿ„Àu Uø3Àèÿýÿ¿öB… ÿÿÿP…0ÿÿÿPjjhjjj‹Eüè—fýÿPjèS†ýÿ‹ ÿÿÿº öB‹Ãè±÷ÿÿ‰F8ºöB‹Ãè¢÷ÿÿ‰F<º(öB‹Ãè“÷ÿÿ‰F@º0öB‹Ãè„÷ÿÿ‰FDº<öB‹Ãèu÷ÿÿ‰FTºLöB‹Ãèf÷ÿÿ‰FHº\öB‹ÃèW÷ÿÿ‰FLºlöB‹ÃèH÷ÿÿ‰FPº|öB‹Ãè9÷ÿÿ‰F`ºˆöB‹Ãè*÷ÿÿ‰Fdº”öB‹Ãè÷ÿÿ‰Fp‹×‹Ãè÷ÿÿ‰Fxº öB‹Ãè÷ÿÿ‰Flº´öB‹Ãèñöÿÿ‰Fh‹Eôè²eýÿ‹Ð‹ÃèÝöÿÿ‰F\ºÈöB‹ÃèÎöÿÿ‰FX‹Eøèeýÿ‹Ð‹Ãèºöÿÿ‰Ft‹…(ÿÿÿ‰F|hÜöBhìöB藆ýÿP虆ýÿ‰høöBhìöB耆ýÿP肆ýÿ‰Fh(öBhìöBèh†ýÿPèj†ýÿ‰F h0öBh÷BèP†ýÿPèR†ýÿ‰Fh|öBhìöBè8†ýÿPè:†ýÿ‰F,h<öBhìöBè †ýÿPè"†ýÿ‰FhLöBhìöBè†ýÿPè †ýÿ‰Fh\öBhìöBèð…ýÿPèò…ýÿ‰FhlöBhìöBè؅ýÿPèڅýÿ‰F4h´öBhìöBèÀ…ýÿPè…ýÿ‰F0hˆöBhìöB訅ýÿP誅ýÿ‰F h öBhìöB萅ýÿP蒅ýÿ‰F(hÈöBhìöBèx…ýÿPèz…ýÿ‰Fh”öBhìöBè`…ýÿPèb…ýÿ‰F$h€j‹ÎºàðB‹Ãèöÿÿ3ÀZYYd‰hèõBEôºèt_ýÿÃ
process_handle: 0x000002e4
base_address: 0x00230000
success 1 0
Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)
Time & API Arguments Status Return Repeated
1620738953.086124
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x00478968
module_address: 0x00400000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 131561 0
Created a process named as a common system process (1 个事件)
Time & API Arguments Status Return Repeated
1620738951.742124
CreateProcessInternalW
thread_identifier: 3176
thread_handle: 0x000002d8
process_identifier: 3172
current_directory:
filepath: C:\Windows\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\explorer.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000002d4
inherit_handles: 0
success 1 0
Disables Windows Security features (2 个事件)
description attempts to disable windows firewall registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
Executed a process and injected code into it, probably while unpacking (50 个事件)
Time & API Arguments Status Return Repeated
1620738948.461124
NtResumeThread
thread_handle: 0x00000174
suspend_count: 1
process_identifier: 3048
success 0 0
1620738949.070124
CreateProcessInternalW
thread_identifier: 912
thread_handle: 0x00000294
process_identifier: 2144
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f2ac7edd1bda1c4e4d629b42ce590ef.exe" +s +h
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002d0
inherit_handles: 0
success 1 0
1620738949.148124
CreateProcessInternalW
thread_identifier: 2292
thread_handle: 0x00000294
process_identifier: 2308
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002a8
inherit_handles: 0
success 1 0
1620738949.320124
CreateProcessInternalW
thread_identifier: 2236
thread_handle: 0x00000294
process_identifier: 2240
current_directory:
filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe
track: 1
command_line:
filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000002a8
inherit_handles: 0
success 1 0
1620738949.320124
NtGetContextThread
thread_handle: 0x00000294
success 0 0
1620738949.320124
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 761856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002a8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1620738951.742124
CreateProcessInternalW
thread_identifier: 3176
thread_handle: 0x000002d8
process_identifier: 3172
current_directory:
filepath: C:\Windows\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\explorer.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000002d4
inherit_handles: 0
success 1 0
1620738951.742124
NtGetContextThread
thread_handle: 0x000002d8
failed 3221225485 0
1620738953.070124
CreateProcessInternalW
thread_identifier: 3264
thread_handle: 0x000002dc
process_identifier: 3260
current_directory:
filepath:
track: 1
command_line: notepad
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000002e4
inherit_handles: 0
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: kernel32.dll
process_handle: 0x000002e4
base_address: 0x000f0000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: user32.dll
process_handle: 0x000002e4
base_address: 0x00100000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: Sleep
process_handle: 0x000002e4
base_address: 0x00110000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00120000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: MessageBoxA
process_handle: 0x000002e4
base_address: 0x00120000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: CreateProcessA
process_handle: 0x000002e4
base_address: 0x00130000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: GetLastError
process_handle: 0x000002e4
base_address: 0x00140000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00150000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: SetLastError
process_handle: 0x000002e4
base_address: 0x00150000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00160000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: CreateMutexA
process_handle: 0x000002e4
base_address: 0x00160000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001b0000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: CloseHandle
process_handle: 0x000002e4
base_address: 0x001b0000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001c0000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: ExitThread
process_handle: 0x000002e4
base_address: 0x001c0000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001d0000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: OpenProcess
process_handle: 0x000002e4
base_address: 0x001d0000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001e0000
success 0 0
1620738953.070124
WriteProcessMemory
process_identifier: 3260
buffer: DCPERSFWBP
process_handle: 0x000002e4
base_address: 0x001e0000
success 1 0
1620738953.070124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001f0000
success 0 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: TerminateProcess
process_handle: 0x000002e4
base_address: 0x001f0000
success 1 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00010000
success 0 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: GetExitCodeProcess
process_handle: 0x000002e4
base_address: 0x00010000
success 1 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00020000
success 0 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: DC_MUTEX-RXJB8CR
process_handle: 0x000002e4
base_address: 0x00020000
success 1 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00200000
success 0 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: WaitForSingleObject
process_handle: 0x000002e4
base_address: 0x00200000
success 1 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00210000
success 0 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f2ac7edd1bda1c4e4d629b42ce590ef.exe
process_handle: 0x000002e4
base_address: 0x00210000
success 1 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00220000
success 0 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: ×I5v"5vý_wÿ5vÀ5vr5v65v©5v˜ÕØw†5vØ6v5vM6vkL5v !¼
process_handle: 0x000002e4
base_address: 0x00220000
success 1 0
1620738953.086124
NtAllocateVirtualMemory
process_identifier: 3260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00230000
success 0 0
1620738953.086124
WriteProcessMemory
process_identifier: 3260
buffer: U‹ìƒÄ¬SVW‹]‹C@P‹C8PÿPÿS‰C ‹CDP‹C<PÿPÿS‰C‹CTP‹C8PÿPÿS‰C‹CXP‹C8PÿPÿS‰C‹CHP‹C8PÿPÿS‰C‹CLP‹C8PÿPÿS‰C‹CPP‹C8PÿPÿS‰C4‹C`P‹C8PÿPÿS‰C,‹ClP‹C8PÿPÿS‰C(‹ChP‹C8PÿPÿS‰C0‹CdP‹C8PÿPÿS‰C ‹CpP‹C8PÿPÿS‰C$jÿS‹CxPjjÿS4ÿS=·u$‹C|PjjÿS$‹ø…ÿtVWÿS0VWÿS(WÿS,jÿS jÿS‹C\PjjÿS4‹øÿS=·tRWÿS,ÇE¼DE¬PE¼Pjjjjjj‹CtPjÿS…Àt3öhȋE¬PÿSƒèsƒÎÿ…ötèë¼hÐÿS ë²WÿS,hôÿS ë„_^[‹å]U‹ìÄ ÿÿÿSVW‰Mô‰Uø‰Eü‹Eüè3gýÿ‹Eøè+gýÿ‹Eôè#gýÿµtÿÿÿ3ÀUháõBdÿ0d‰ …0ÿÿÿ3ɺDè%HýÿDž0ÿÿÿDDž\ÿÿÿfDž`ÿÿÿ‹Eüè`¯ýÿ„Àu EüºøõBèÃbýÿ‹EøèG¯ýÿ„Àu Uø3Àèÿýÿ¿öB… ÿÿÿP…0ÿÿÿPjjhjjj‹Eüè—fýÿPjèS†ýÿ‹ ÿÿÿº öB‹Ãè±÷ÿÿ‰F8ºöB‹Ãè¢÷ÿÿ‰F<º(öB‹Ãè“÷ÿÿ‰F@º0öB‹Ãè„÷ÿÿ‰FDº<öB‹Ãèu÷ÿÿ‰FTºLöB‹Ãèf÷ÿÿ‰FHº\öB‹ÃèW÷ÿÿ‰FLºlöB‹ÃèH÷ÿÿ‰FPº|öB‹Ãè9÷ÿÿ‰F`ºˆöB‹Ãè*÷ÿÿ‰Fdº”öB‹Ãè÷ÿÿ‰Fp‹×‹Ãè÷ÿÿ‰Fxº öB‹Ãè÷ÿÿ‰Flº´öB‹Ãèñöÿÿ‰Fh‹Eôè²eýÿ‹Ð‹ÃèÝöÿÿ‰F\ºÈöB‹ÃèÎöÿÿ‰FX‹Eøèeýÿ‹Ð‹Ãèºöÿÿ‰Ft‹…(ÿÿÿ‰F|hÜöBhìöB藆ýÿP虆ýÿ‰høöBhìöB耆ýÿP肆ýÿ‰Fh(öBhìöBèh†ýÿPèj†ýÿ‰F h0öBh÷BèP†ýÿPèR†ýÿ‰Fh|öBhìöBè8†ýÿPè:†ýÿ‰F,h<öBhìöBè †ýÿPè"†ýÿ‰FhLöBhìöBè†ýÿPè †ýÿ‰Fh\öBhìöBèð…ýÿPèò…ýÿ‰FhlöBhìöBè؅ýÿPèڅýÿ‰F4h´öBhìöBèÀ…ýÿPè…ýÿ‰F0hˆöBhìöB訅ýÿP誅ýÿ‰F h öBhìöB萅ýÿP蒅ýÿ‰F(hÈöBhìöBèx…ýÿPèz…ýÿ‰Fh”öBhìöBè`…ýÿPèb…ýÿ‰F$h€j‹ÎºàðB‹Ãèöÿÿ3ÀZYYd‰hèõBEôºèt_ýÿÃ
process_handle: 0x000002e4
base_address: 0x00230000
success 1 0
1620738953.086124
NtResumeThread
thread_handle: 0x000002f4
suspend_count: 1
process_identifier: 3048
success 0 0
1620738949.507124
CreateProcessInternalW
thread_identifier: 2668
thread_handle: 0x00000080
process_identifier: 1316
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\attrib.exe
track: 1
command_line: attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f2ac7edd1bda1c4e4d629b42ce590ef.exe" +s +h
filepath_r: C:\Windows\system32\attrib.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1620738949.523499
CreateProcessInternalW
thread_identifier: 3092
thread_handle: 0x00000080
process_identifier: 3088
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\attrib.exe
track: 1
command_line: attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
filepath_r: C:\Windows\system32\attrib.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
File has been identified by 64 AntiVirus engines on VirusTotal as malicious (50 out of 64 个事件)
Bkav W32.DarkKometJ.Trojan
MicroWorld-eScan Gen:Trojan.RegistryDisabler.RK0@aOOH2PnS
FireEye Generic.mg.4f2ac7edd1bda1c4
CAT-QuickHeal Backdoor.Fynloski.A9
ALYac Gen:Trojan.RegistryDisabler.RK0@aOOH2PnS
Cylance Unsafe
Zillya Backdoor.DarkKomet.Win32.30209
SUPERAntiSpyware Trojan.Agent/Gen-Graftor
Sangfor Malware
K7AntiVirus Trojan ( 004bc4d11 )
Alibaba Backdoor:Win32/Fynloski.b41e3632
K7GW Trojan ( 004bc4d11 )
Cybereason malicious.dd1bda
Invincea heuristic
BitDefenderTheta AI:Packer.8D78A04A1C
F-Prot W32/Fynloski.BA
Symantec SMG.Heur!gen
TotalDefense Win32/Fynloski.A!generic
Baidu Win32.Backdoor.Agent.l
APEX Malicious
Avast MSIL:GenMalicious-CHX [Trj]
ClamAV Win.Trojan.DarkKomet-1
Kaspersky Backdoor.Win32.DarkKomet.aceg
BitDefender Gen:Trojan.RegistryDisabler.RK0@aOOH2PnS
NANO-Antivirus Trojan.Win32.Tordev.dgnepn
Paloalto generic.ml
Tencent Backdoor.Win32.DarkKomet.zem
Endgame malicious (high confidence)
Emsisoft Gen:Trojan.RegistryDisabler.RK0@aOOH2PnS (B)
Comodo Backdoor.Win32.Agent.XAB@4of2bc
F-Secure Backdoor.BDS/Backdoor.Gen
DrWeb BackDoor.Tordev.9
VIPRE Backdoor.Win32.Fynloski.A (v)
TrendMicro BKDR_FYNLOS.SMM
McAfee-GW-Edition BehavesLike.Win32.Backdoor.jh
Trapmine malicious.moderate.ml.score
Sophos Troj/Fynlosk-AK
SentinelOne DFI - Malicious PE
Cyren W32/Fynloski.FWDO-2352
Jiangmin Backdoor/DarkKomet.lue
Webroot W32.Trojan.Gen
Avira BDS/Backdoor.Gen
Fortinet W32/Generic.AC.1775!tr
Kingsoft Win32.Hack.HuigeziT.cz
Microsoft Backdoor:Win32/Fynloski.A
Arcabit Trojan.RegistryDisabler.EFB083
ZoneAlarm Backdoor.Win32.DarkKomet.aceg
GData Gen:Trojan.RegistryDisabler.RK0@aOOH2PnS
AhnLab-V3 Backdoor/Win32.Graybird.R33420
Acronis suspicious
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2012-06-08 19:12:27

Imports

Library oleaut32.dll:
0x49dca4 SysFreeString
0x49dca8 SysReAllocStringLen
0x49dcac SysAllocStringLen
Library advapi32.dll:
0x49dcb4 RegQueryValueExA
0x49dcb8 RegOpenKeyExA
0x49dcbc RegCloseKey
Library user32.dll:
0x49dcc4 GetKeyboardType
0x49dcc8 DestroyWindow
0x49dccc LoadStringA
0x49dcd0 MessageBoxA
0x49dcd4 CharNextA
Library kernel32.dll:
0x49dcdc GetACP
0x49dce0 Sleep
0x49dce4 VirtualFree
0x49dce8 VirtualAlloc
0x49dcec GetTickCount
0x49dcf4 GetCurrentThreadId
0x49dd00 VirtualQuery
0x49dd04 WideCharToMultiByte
0x49dd08 MultiByteToWideChar
0x49dd0c lstrlenA
0x49dd10 lstrcpynA
0x49dd14 LoadLibraryExA
0x49dd18 GetThreadLocale
0x49dd1c GetStartupInfoA
0x49dd20 GetProcAddress
0x49dd24 GetModuleHandleA
0x49dd28 GetModuleFileNameA
0x49dd2c GetLocaleInfoA
0x49dd30 GetLastError
0x49dd34 GetCommandLineA
0x49dd38 FreeLibrary
0x49dd3c FindFirstFileA
0x49dd40 FindClose
0x49dd44 ExitProcess
0x49dd48 ExitThread
0x49dd4c CreateThread
0x49dd50 CompareStringA
0x49dd54 WriteFile
0x49dd5c SetFilePointer
0x49dd60 SetEndOfFile
0x49dd64 RtlUnwind
0x49dd68 ReadFile
0x49dd6c RaiseException
0x49dd70 GetStdHandle
0x49dd74 GetFileSize
0x49dd78 GetFileType
0x49dd7c CreateFileA
0x49dd80 CloseHandle
Library kernel32.dll:
0x49dd88 TlsSetValue
0x49dd8c TlsGetValue
0x49dd90 LocalAlloc
0x49dd94 GetModuleHandleA
Library user32.dll:
0x49dd9c CreateWindowExA
0x49dda0 mouse_event
0x49dda4 keybd_event
0x49dda8 WindowFromPoint
0x49ddac WaitMessage
0x49ddb0 VkKeyScanA
0x49ddb4 UpdateWindow
0x49ddb8 UnregisterClassA
0x49ddbc UnhookWindowsHookEx
0x49ddc0 TranslateMessage
0x49ddc8 TrackPopupMenu
0x49ddcc ToAscii
0x49ddd4 ShowWindow
0x49ddd8 ShowScrollBar
0x49dddc ShowOwnedPopups
0x49dde0 SetWindowsHookExA
0x49dde4 SetWindowTextA
0x49dde8 SetWindowPos
0x49ddec SetWindowPlacement
0x49ddf0 SetWindowLongW
0x49ddf4 SetWindowLongA
0x49ddf8 SetTimer
0x49ddfc SetScrollRange
0x49de00 SetScrollPos
0x49de04 SetScrollInfo
0x49de08 SetRect
0x49de0c SetPropA
0x49de10 SetParent
0x49de14 SetMenuItemInfoA
0x49de18 SetMenu
0x49de1c SetForegroundWindow
0x49de20 SetFocus
0x49de24 SetCursorPos
0x49de28 SetCursor
0x49de2c SetClipboardData
0x49de30 SetClassLongA
0x49de34 SetCapture
0x49de38 SetActiveWindow
0x49de3c SendMessageW
0x49de40 SendMessageA
0x49de44 ScrollWindow
0x49de48 ScreenToClient
0x49de4c RemovePropA
0x49de50 RemoveMenu
0x49de54 ReleaseDC
0x49de58 ReleaseCapture
0x49de64 RegisterClassA
0x49de68 RedrawWindow
0x49de6c PtInRect
0x49de70 PostQuitMessage
0x49de74 PostMessageA
0x49de78 PeekMessageW
0x49de7c PeekMessageA
0x49de80 OpenClipboard
0x49de84 OffsetRect
0x49de88 OemToCharA
0x49de94 MessageBoxA
0x49de98 MapWindowPoints
0x49de9c MapVirtualKeyA
0x49dea0 LockWorkStation
0x49dea4 LoadStringA
0x49dea8 LoadKeyboardLayoutA
0x49deac LoadIconA
0x49deb0 LoadCursorA
0x49deb4 LoadBitmapA
0x49deb8 KillTimer
0x49debc IsZoomed
0x49dec0 IsWindowVisible
0x49dec4 IsWindowUnicode
0x49dec8 IsWindowEnabled
0x49decc IsWindow
0x49ded0 IsRectEmpty
0x49ded4 IsIconic
0x49ded8 IsDialogMessageW
0x49dedc IsDialogMessageA
0x49dee4 IsChild
0x49dee8 InvalidateRect
0x49deec IntersectRect
0x49def0 InsertMenuItemA
0x49def4 InsertMenuA
0x49def8 InflateRect
0x49df04 GetWindowTextA
0x49df08 GetWindowRect
0x49df0c GetWindowPlacement
0x49df10 GetWindowLongW
0x49df14 GetWindowLongA
0x49df18 GetWindowDC
0x49df1c GetTopWindow
0x49df20 GetSystemMetrics
0x49df24 GetSystemMenu
0x49df28 GetSysColorBrush
0x49df2c GetSysColor
0x49df30 GetSubMenu
0x49df34 GetScrollRange
0x49df38 GetScrollPos
0x49df3c GetScrollInfo
0x49df40 GetPropA
0x49df44 GetParent
0x49df48 GetWindow
0x49df4c GetMessagePos
0x49df50 GetMessageA
0x49df54 GetMenuStringA
0x49df58 GetMenuState
0x49df5c GetMenuItemInfoA
0x49df60 GetMenuItemID
0x49df64 GetMenuItemCount
0x49df68 GetMenu
0x49df6c GetLastInputInfo
0x49df70 GetLastActivePopup
0x49df74 GetKeyboardState
0x49df80 GetKeyboardLayout
0x49df84 GetKeyState
0x49df88 GetKeyNameTextA
0x49df8c GetIconInfo
0x49df90 GetForegroundWindow
0x49df94 GetFocus
0x49df98 GetDesktopWindow
0x49df9c GetDCEx
0x49dfa0 GetDC
0x49dfa4 GetCursorPos
0x49dfa8 GetCursor
0x49dfac GetClipboardData
0x49dfb0 GetClientRect
0x49dfb4 GetClassNameA
0x49dfb8 GetClassLongA
0x49dfbc GetClassInfoA
0x49dfc0 GetCapture
0x49dfc4 GetActiveWindow
0x49dfc8 FrameRect
0x49dfcc FindWindowExA
0x49dfd0 FindWindowA
0x49dfd4 FillRect
0x49dfd8 ExitWindowsEx
0x49dfdc EqualRect
0x49dfe0 EnumWindows
0x49dfe4 EnumThreadWindows
0x49dfe8 EnumDisplayDevicesA
0x49dff0 EnumChildWindows
0x49dff4 EndPaint
0x49dff8 EnableWindow
0x49dffc EnableScrollBar
0x49e000 EnableMenuItem
0x49e004 EmptyClipboard
0x49e008 DrawTextA
0x49e00c DrawMenuBar
0x49e010 DrawIconEx
0x49e014 DrawIcon
0x49e018 DrawFrameControl
0x49e01c DrawEdge
0x49e020 DispatchMessageW
0x49e024 DispatchMessageA
0x49e028 DestroyWindow
0x49e02c DestroyMenu
0x49e030 DestroyIcon
0x49e034 DestroyCursor
0x49e038 DeleteMenu
0x49e03c DefWindowProcA
0x49e040 DefMDIChildProcA
0x49e044 DefFrameProcA
0x49e048 CreatePopupMenu
0x49e04c CreateMenu
0x49e050 CreateIcon
0x49e054 CloseClipboard
0x49e058 ClientToScreen
0x49e05c CheckMenuItem
0x49e060 CallWindowProcA
0x49e064 CallNextHookEx
0x49e068 BeginPaint
0x49e06c CharNextA
0x49e070 CharLowerBuffA
0x49e074 CharLowerA
0x49e078 CharUpperBuffA
0x49e07c CharToOemA
0x49e080 AdjustWindowRectEx
Library gdi32.dll:
0x49e08c UnrealizeObject
0x49e090 StretchBlt
0x49e094 SetWindowOrgEx
0x49e098 SetWinMetaFileBits
0x49e09c SetViewportOrgEx
0x49e0a0 SetTextColor
0x49e0a4 SetStretchBltMode
0x49e0a8 SetROP2
0x49e0ac SetPixel
0x49e0b0 SetEnhMetaFileBits
0x49e0b4 SetDIBColorTable
0x49e0b8 SetBrushOrgEx
0x49e0bc SetBkMode
0x49e0c0 SetBkColor
0x49e0c4 SelectPalette
0x49e0c8 SelectObject
0x49e0cc SaveDC
0x49e0d0 RestoreDC
0x49e0d4 RectVisible
0x49e0d8 RealizePalette
0x49e0dc PlayEnhMetaFile
0x49e0e0 PatBlt
0x49e0e4 MoveToEx
0x49e0e8 MaskBlt
0x49e0ec LineTo
0x49e0f0 IntersectClipRect
0x49e0f4 GetWindowOrgEx
0x49e0f8 GetWinMetaFileBits
0x49e0fc GetTextMetricsA
0x49e108 GetStockObject
0x49e10c GetRgnBox
0x49e110 GetPixel
0x49e114 GetPaletteEntries
0x49e118 GetObjectA
0x49e124 GetEnhMetaFileBits
0x49e128 GetDeviceCaps
0x49e12c GetDIBits
0x49e130 GetDIBColorTable
0x49e134 GetDCOrgEx
0x49e13c GetClipBox
0x49e140 GetBrushOrgEx
0x49e144 GetBitmapBits
0x49e148 GdiFlush
0x49e14c ExtTextOutA
0x49e150 ExcludeClipRect
0x49e154 DeleteObject
0x49e158 DeleteEnhMetaFile
0x49e15c DeleteDC
0x49e160 CreateSolidBrush
0x49e164 CreatePenIndirect
0x49e168 CreatePalette
0x49e170 CreateFontIndirectA
0x49e174 CreateDIBitmap
0x49e178 CreateDIBSection
0x49e17c CreateDCA
0x49e180 CreateCompatibleDC
0x49e188 CreateBrushIndirect
0x49e18c CreateBitmap
0x49e190 CopyEnhMetaFileA
0x49e194 BitBlt
Library version.dll:
0x49e19c VerQueryValueA
0x49e1a4 GetFileVersionInfoA
Library kernel32.dll:
0x49e1ac lstrcpyA
0x49e1b0 WriteProcessMemory
0x49e1b4 WriteFile
0x49e1b8 WinExec
0x49e1bc WaitForSingleObject
0x49e1c4 VirtualQuery
0x49e1c8 VirtualProtectEx
0x49e1cc VirtualProtect
0x49e1d0 VirtualFreeEx
0x49e1d4 VirtualFree
0x49e1d8 VirtualAllocEx
0x49e1dc VirtualAlloc
0x49e1e0 VerLanguageNameA
0x49e1e4 UnmapViewOfFile
0x49e1e8 TerminateProcess
0x49e1ec Sleep
0x49e1f0 SizeofResource
0x49e1f4 SetThreadPriority
0x49e1f8 SetThreadLocale
0x49e1fc SetThreadContext
0x49e200 SetLastError
0x49e204 SetFileTime
0x49e208 SetFilePointer
0x49e20c SetFileAttributesA
0x49e210 SetEvent
0x49e214 SetErrorMode
0x49e218 SetEndOfFile
0x49e21c ResumeThread
0x49e220 ResetEvent
0x49e224 ReadProcessMemory
0x49e228 ReadFile
0x49e22c PeekNamedPipe
0x49e230 OpenProcess
0x49e234 MultiByteToWideChar
0x49e238 MulDiv
0x49e23c MoveFileA
0x49e240 MapViewOfFile
0x49e244 LockResource
0x49e24c LocalAlloc
0x49e250 LoadResource
0x49e254 LoadLibraryA
0x49e25c IsBadReadPtr
0x49e264 HeapFree
0x49e268 HeapAlloc
0x49e26c GlobalUnlock
0x49e270 GlobalMemoryStatus
0x49e274 GlobalLock
0x49e278 GlobalFree
0x49e27c GlobalFindAtomA
0x49e280 GlobalDeleteAtom
0x49e284 GlobalAlloc
0x49e288 GlobalAddAtomA
0x49e294 GetVersionExA
0x49e298 GetVersion
0x49e2a0 GetTickCount
0x49e2a4 GetThreadLocale
0x49e2a8 GetThreadContext
0x49e2ac GetTempPathA
0x49e2b4 GetSystemDirectoryA
0x49e2b8 GetStdHandle
0x49e2bc GetProcessHeap
0x49e2c0 GetProcAddress
0x49e2c4 GetModuleHandleA
0x49e2c8 GetModuleFileNameA
0x49e2cc GetLocaleInfoA
0x49e2d0 GetLocalTime
0x49e2d4 GetLastError
0x49e2d8 GetFullPathNameA
0x49e2dc GetFileTime
0x49e2e0 GetFileSize
0x49e2e4 GetFileAttributesA
0x49e2e8 GetExitCodeThread
0x49e2ec GetExitCodeProcess
0x49e2f4 GetDriveTypeA
0x49e2f8 GetDiskFreeSpaceA
0x49e2fc GetDateFormatA
0x49e300 GetCurrentThreadId
0x49e304 GetCurrentThread
0x49e308 GetCurrentProcessId
0x49e30c GetCurrentProcess
0x49e310 GetComputerNameA
0x49e314 GetCPInfo
0x49e318 FreeResource
0x49e320 InterlockedExchange
0x49e328 FreeLibrary
0x49e32c FormatMessageA
0x49e330 FindResourceA
0x49e334 FindNextFileA
0x49e338 FindFirstFileA
0x49e33c FindClose
0x49e34c ExitThread
0x49e350 ExitProcess
0x49e354 EnumResourceNamesA
0x49e358 EnumCalendarInfoA
0x49e364 DeleteFileA
0x49e36c CreateThread
0x49e370 CreateRemoteThread
0x49e374 CreateProcessA
0x49e378 CreatePipe
0x49e37c CreateMutexA
0x49e380 CreateFileMappingA
0x49e384 CreateFileA
0x49e388 CreateEventA
0x49e38c CreateDirectoryA
0x49e390 CopyFileA
0x49e394 CompareStringA
0x49e398 CloseHandle
0x49e39c Beep
Library advapi32.dll:
0x49e3a4 RegSetValueExA
0x49e3a8 RegQueryValueExA
0x49e3ac RegQueryInfoKeyA
0x49e3b0 RegOpenKeyExA
0x49e3b4 RegOpenKeyA
0x49e3b8 RegFlushKey
0x49e3bc RegEnumValueA
0x49e3c0 RegEnumKeyExA
0x49e3c4 RegDeleteValueA
0x49e3c8 RegDeleteKeyA
0x49e3cc RegCreateKeyExA
0x49e3d0 RegCreateKeyA
0x49e3d4 RegCloseKey
0x49e3d8 OpenThreadToken
0x49e3dc OpenProcessToken
0x49e3ec LookupAccountSidA
0x49e3f0 IsValidSid
0x49e3f4 GetUserNameA
0x49e3f8 GetTokenInformation
0x49e400 GetSidSubAuthority
Library oleaut32.dll:
0x49e414 GetErrorInfo
0x49e418 GetActiveObject
0x49e41c SysFreeString
Library ole32.dll:
0x49e424 CoTaskMemFree
0x49e428 CLSIDFromProgID
0x49e42c ProgIDFromCLSID
0x49e430 StringFromCLSID
0x49e434 CoCreateInstance
0x49e438 CoUninitialize
0x49e43c CoInitialize
0x49e440 IsEqualGUID
Library kernel32.dll:
0x49e448 Sleep
Library ole32.dll:
0x49e450 CoTaskMemFree
0x49e454 StringFromCLSID
Library oleaut32.dll:
0x49e45c SafeArrayPtrOfIndex
0x49e460 SafeArrayGetUBound
0x49e464 SafeArrayGetLBound
0x49e468 SafeArrayCreate
0x49e46c VariantChangeType
0x49e470 VariantCopy
0x49e474 VariantClear
0x49e478 VariantInit
Library netapi32.dll:
0x49e480 Netbios
Library shell32.dll:
0x49e488 ShellExecuteExA
0x49e48c ShellExecuteA
0x49e490 SHGetFileInfoA
0x49e494 SHFileOperationA
0x49e498 DragQueryFileA
Library gdiplus.dll:
0x49e4a8 GdipDrawImageRectI
0x49e4b0 GdipDeleteGraphics
0x49e4c8 GdipDisposeImage
0x49e4cc GdiplusShutdown
0x49e4d0 GdiplusStartup
0x49e4d4 GdipFree
0x49e4d8 GdipAlloc
Library winmm.dll:
0x49e4e4 waveInStart
0x49e4e8 waveInReset
0x49e4ec waveInPrepareHeader
0x49e4f0 waveInOpen
0x49e4f4 waveInClose
0x49e4f8 waveInAddBuffer
0x49e4fc PlaySoundA
0x49e500 mciSendStringA
Library URLMON.DLL:
0x49e508 URLDownloadToFileA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 57757 239.255.255.250 3702
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 63432 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.