SmartHawk

9.4

极危

63 个模型检测该样本为恶意！

重新分析

下载样本

73734608e9413c807c8f09f793b55b77425b328052b5fa4ff82d66d6d4c15a34

4fc9db992ff1a4d7a15b04cc537713d1.exe

分析耗时

76s

最近分析

文件大小

124.0KB

静态报毒动态报毒 100% AI SCORE=83 B@7IJO3M BSCOPE BUCASPYS C1EU+49IHTO CLOUD CONFIDENCE EBZSP ELDORADO GENCIRC GENERICRI GENERICRXGN GENETIC HIGH CONFIDENCE HJSSGB HUW@A46BIFBI MALICIOUS PE R291256 RANUMBOTGV REMCOS REMCOSRAT RESCOMS S8505068 SCORE SIGGEN8 SOCMER SUSGEN UNSAFE ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXGN-WO!4FC9DB992FF1	20200729	6.0.6.653
Alibaba	Backdoor:Win32/Rescoms.42b6176c	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:RemcosRAT-A [Trj]	20200728	18.4.3895.0
Tencent	Malware.Win32.Gencirc.10b77a0b	20200729	1.0.0.1
Kingsoft		20200729	2013.8.14.323
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

The executable uses a known packer (1 个事件)

packer

Armadillo v1.71

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

A process attempted to delay the analysis task. (1 个事件)

description

4fc9db992ff1a4d7a15b04cc537713d1.exe tried to sleep 269 seconds, actually delayed analysis time by 269 seconds

Creates a suspicious process (1 个事件)

cmdline

C:\Windows\SysWOW64\svchost.exe

One or more of the buffers contains an embedded PE file (1 个事件)

buffer

Buffer with sha1: c6c2e253ce3e72c5c27de221a53e6e495daa961c

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	23.105.131.161

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619426985.432662 NtAllocateVirtualMemory	process_identifier: 2264 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000011c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Potential code injection by writing to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619426985.432662 WriteProcessMemory	process_identifier: 2264 buffer: @ process_handle: 0x0000011c base_address: 0x7efde008	success	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619426984.853662 SetWindowsHookExA	thread_identifier: 0 callback_function: 0x004051ae module_address: 0x00000000 hook_identifier: 13 (WH_KEYBOARD_LL)	success	197053	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2636 called NtSetContextThread to modify thread in remote process 2264
1619426985.432662 NtSetContextThread	thread_handle: 0x00000118 registers.eip: 2010382788 registers.esp: 2292800 registers.edi: 0 registers.eax: 4274820 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2264	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2636 resumed a thread in remote process 2264
1619426985.822662 NtResumeThread	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2264	success	0	0

Executed a process and injected code into it, probably while unpacking (12 个事件)

Time & API	Arguments	Status	Return
1619426985.416662 CreateProcessInternalW	thread_identifier: 732 thread_handle: 0x00000118 process_identifier: 2264 current_directory: filepath: track: 1 command_line: C:\Windows\SysWOW64\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000011c inherit_handles: 0	success	1
1619426985.432662 NtGetContextThread	thread_handle: 0x00000118	success	0
1619426985.432662 NtAllocateVirtualMemory	process_identifier: 2264 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000011c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619426985.432662 WriteProcessMemory	process_identifier: 2264 buffer: process_handle: 0x0000011c base_address: 0x00400000	success	1
1619426985.432662 WriteProcessMemory	process_identifier: 2264 buffer: process_handle: 0x0000011c base_address: 0x00401000	success	1
1619426985.432662 WriteProcessMemory	process_identifier: 2264 buffer: process_handle: 0x0000011c base_address: 0x00414000	success	1
1619426985.432662 WriteProcessMemory	process_identifier: 2264 buffer: process_handle: 0x0000011c base_address: 0x0041a000	success	1
1619426985.432662 WriteProcessMemory	process_identifier: 2264 buffer: process_handle: 0x0000011c base_address: 0x0041c000	success	1
1619426985.432662 WriteProcessMemory	process_identifier: 2264 buffer: process_handle: 0x0000011c base_address: 0x0041d000	success	1
1619426985.432662 WriteProcessMemory	process_identifier: 2264 buffer: @ process_handle: 0x0000011c base_address: 0x7efde008	success	1
1619426985.432662 NtSetContextThread	thread_handle: 0x00000118 registers.eip: 2010382788 registers.esp: 2292800 registers.edi: 0 registers.eax: 4274820 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2264	success	0
1619426985.822662 NtResumeThread	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2264	success	0

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 个事件)

Bkav	W32.RanumbotGV.Trojan
MicroWorld-eScan	Generic.Remcos.86AA579E
CAT-QuickHeal	Trojan.GenericRI.S8505068
McAfee	GenericRXGN-WO!4FC9DB992FF1
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 0053ac2c1 )
Alibaba	Backdoor:Win32/Rescoms.42b6176c
K7GW	Trojan ( 0053ac2c1 )
Cybereason	malicious.92ff1a
TrendMicro	BKDR_SOCMER.SM
F-Prot	W32/Rescoms.J.gen!Eldorado
Symantec	Trojan Horse
ESET-NOD32	Win32/Rescoms.B
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Rescoms-6598304-0
GData	Win32.Malware.Bucaspys.B
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Generic.Remcos.86AA579E
NANO-Antivirus	Trojan.Win32.Remcos.hjssgb
SUPERAntiSpyware	Backdoor.Rescoms/Variant
Avast	Win32:RemcosRAT-A [Trj]
Tencent	Malware.Win32.Gencirc.10b77a0b
Endgame	malicious (high confidence)
Sophos	Troj/Remcos-DI
Comodo	TrojWare.Win32.Rescoms.B@7ijo3m
F-Secure	Backdoor.BDS/Backdoor.Gen
DrWeb	Trojan.Siggen8.46567
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
FireEye	Generic.mg.4fc9db992ff1a4d7
Emsisoft	Generic.Remcos.86AA579E (B)
Ikarus	Backdoor.Remcos
Cyren	W32/Rescoms.J.gen!Eldorado
Jiangmin	Trojan.Generic.ebzsp
eGambit	Unsafe.AI_Score_100%
Avira	BDS/Backdoor.Gen
MAX	malware (ai score=83)
Antiy-AVL	Trojan[Backdoor]/Win32.Rescoms
Arcabit	Generic.Remcos.86AA579E
ViRobot	Backdoor.Win32.Remcos.266212
ZoneAlarm	HEUR:Trojan.Win32.Generic
Microsoft	Backdoor:Win32/Rescoms.C!bit
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Remcos.R291256
Acronis	suspicious
VBA32	BScope.Backdoor.Rescoms
ALYac	Backdoor.Remcos.A
TACHYON	Backdoor/W32.Remcos.126976.B

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (21 个事件)

dead_host	192.168.56.101:49201
dead_host	192.168.56.101:49194
dead_host	192.168.56.101:49180
dead_host	192.168.56.101:49193
dead_host	192.168.56.101:49190
dead_host	23.105.131.161:7279
dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49199
dead_host	192.168.56.101:49188
dead_host	192.168.56.101:49189
dead_host	192.168.56.101:49179
dead_host	192.168.56.101:49197
dead_host	192.168.56.101:49178
dead_host	192.168.56.101:49196
dead_host	192.168.56.101:49187
dead_host	192.168.56.101:49176
dead_host	192.168.56.101:49186
dead_host	192.168.56.101:49183
dead_host	192.168.56.101:49185
dead_host	192.168.56.101:49195
dead_host	192.168.56.101:49184

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-09-21 02:11:13

Imports

Library KERNEL32.dll:

• 0x4140a8 CreateMutexA

• 0x4140ac OpenMutexA

• 0x4140b0 GetModuleHandleA

• 0x4140b4 Process32NextW

• 0x4140b8 Process32FirstW

• 0x4140bc CreateToolhelp32Snapshot

• 0x4140c0 SizeofResource

• 0x4140c4 LockResource

• 0x4140c8 LoadResource

• 0x4140cc FindResourceA

• 0x4140d0 GetLocaleInfoA

• 0x4140d4 OpenProcess

• 0x4140d8 GetCurrentProcessId

• 0x4140dc lstrcatW

• 0x4140e0 GetTempFileNameW

• 0x4140e4 GetTempPathW

• 0x4140e8 GetTickCount

• 0x4140ec GlobalUnlock

• 0x4140f0 GlobalLock

• 0x4140f4 GlobalAlloc

• 0x4140f8 CopyFileW

• 0x4140fc ResumeThread

• 0x414100 SetThreadContext

• 0x414104 WriteProcessMemory

• 0x414108 VirtualAllocEx

• 0x41410c ReadProcessMemory

• 0x414110 GetThreadContext

• 0x414114 VirtualAlloc

• 0x414118 CreateProcessW

• 0x41411c GlobalFree

• 0x414120 LocalAlloc

• 0x414124 DuplicateHandle

• 0x414128 GetCurrentThread

• 0x41412c GetLongPathNameW

• 0x414130 lstrcpynA

• 0x414134 GetModuleFileNameA

• 0x414138 ExitProcess

• 0x41413c AllocConsole

• 0x414140 GetStartupInfoA

• 0x414144 ExpandEnvironmentStringsA

• 0x414148 FindFirstFileA

• 0x41414c FindNextFileA

• 0x414150 DeleteFileA

• 0x414154 GetLastError

• 0x414158 LoadLibraryA

• 0x41415c GetProcAddress

• 0x414160 CreateFileMappingA

• 0x414164 MapViewOfFileEx

• 0x414168 RemoveDirectoryW

• 0x41416c SetFileAttributesW

• 0x414170 TerminateThread

• 0x414174 FindClose

• 0x414178 GetLogicalDriveStringsA

• 0x41417c GetFileAttributesW

• 0x414180 DeleteFileW

• 0x414184 GetFileSize

• 0x414188 SetFilePointer

• 0x41418c GetDriveTypeA

• 0x414190 lstrlenA

• 0x414194 FindFirstFileW

• 0x414198 FindNextFileW

• 0x41419c CreatePipe

• 0x4141a0 CreateProcessA

• 0x4141a4 PeekNamedPipe

• 0x4141a8 ReadFile

• 0x4141ac TerminateProcess

• 0x4141b0 SetEvent

• 0x4141b4 HeapCreate

• 0x4141b8 HeapFree

• 0x4141bc ExitThread

• 0x4141c0 GetLocalTime

• 0x4141c4 CreateEventA

• 0x4141c8 WaitForSingleObject

• 0x4141cc CreateThread

• 0x4141d0 GetModuleFileNameW

• 0x4141d4 Sleep

• 0x4141d8 CreateDirectoryW

• 0x4141dc CreateFileW

• 0x4141e0 WriteFile

• 0x4141e4 CloseHandle

• 0x4141e8 GetCurrentProcess

Library USER32.dll:

• 0x414448 AppendMenuA

• 0x41444c RegisterClassExA

• 0x414450 CreateWindowExA

• 0x414454 SystemParametersInfoW

• 0x414458 SendInput

• 0x41445c mouse_event

• 0x414460 GetIconInfo

• 0x414464 DrawIcon

• 0x414468 EnumWindows

• 0x41446c GetWindowTextW

• 0x414470 IsWindowVisible

• 0x414474 CloseWindow

• 0x414478 GetWindowThreadProcessId

• 0x41447c GetKeyboardLayoutNameA

• 0x414480 MessageBoxW

• 0x414484 ExitWindowsEx

• 0x414488 EmptyClipboard

• 0x41448c CreatePopupMenu

• 0x414490 ShowWindow

• 0x414494 SetWindowTextW

• 0x414498 SetForegroundWindow

• 0x41449c OpenClipboard

• 0x4144a0 GetClipboardData

• 0x4144a4 CloseClipboard

• 0x4144a8 UnhookWindowsHookEx

• 0x4144ac GetForegroundWindow

• 0x4144b0 GetWindowTextLengthA

• 0x4144b4 GetWindowTextA

• 0x4144b8 GetKeyState

• 0x4144bc CallNextHookEx

• 0x4144c0 SetWindowsHookExA

• 0x4144c4 GetKeyboardLayout

• 0x4144c8 GetMessageA

• 0x4144cc TranslateMessage

• 0x4144d0 TrackPopupMenu

• 0x4144d4 GetCursorPos

• 0x4144d8 SetClipboardData

• 0x4144dc DefWindowProcA

• 0x4144e0 DispatchMessageA

Library GDI32.dll:

• 0x41407c CreateDCA

• 0x414080 CreateCompatibleDC

• 0x414084 GetDeviceCaps

• 0x414088 CreateCompatibleBitmap

• 0x41408c DeleteDC

• 0x414090 DeleteObject

• 0x414094 SelectObject

• 0x414098 GetDIBits

• 0x41409c GetObjectA

• 0x4140a0 StretchBlt

Library ADVAPI32.dll:

• 0x414000 RegDeleteKeyA

• 0x414004 RegEnumKeyExA

• 0x414008 GetUserNameW

• 0x41400c ChangeServiceConfigW

• 0x414010 QueryServiceStatus

• 0x414014 ControlService

• 0x414018 OpenSCManagerW

• 0x41401c StartServiceW

• 0x414020 OpenSCManagerA

• 0x414024 EnumServicesStatusW

• 0x414028 OpenServiceW

• 0x41402c RegOpenKeyExA

• 0x414030 RegCloseKey

• 0x414034 RegQueryValueExA

• 0x414038 RegQueryValueExW

• 0x41403c RegOpenKeyExW

• 0x414040 RegSetValueExA

• 0x414044 RegCreateKeyA

• 0x414048 RegSetValueExW

• 0x41404c RegCreateKeyW

• 0x414050 RegDeleteValueW

• 0x414054 RegEnumValueW

• 0x414058 RegEnumKeyExW

• 0x41405c RegQueryInfoKeyW

• 0x414060 RegCreateKeyExW

• 0x414064 AdjustTokenPrivileges

• 0x414068 LookupPrivilegeValueA

• 0x41406c OpenProcessToken

• 0x414070 CloseServiceHandle

• 0x414074 QueryServiceConfigW

Library SHELL32.dll:

• 0x414424 ExtractIconA

• 0x414428 Shell_NotifyIconA

• 0x41442c ShellExecuteExA

• 0x414430 ShellExecuteW

Library MSVCRT.dll:

• 0x41435c _controlfp

• 0x414360 _except_handler3

• 0x414364 __set_app_type

• 0x414368 __p__fmode

• 0x41436c __p__commode

• 0x414370 _adjust_fdiv

• 0x414374 __setusermatherr

• 0x414378 _initterm

• 0x41437c __getmainargs

• 0x414380 _acmdln

• 0x414384 _XcptFilter

• 0x414388 _exit

• 0x41438c ??1type_info@@UAE@XZ

• 0x414390 _onexit

• 0x414394 __dllonexit

• 0x414398 _iob

• 0x41439c freopen

• 0x4143a0 wcscat

• 0x4143a4 _itow

• 0x4143a8 srand

• 0x4143ac rand

• 0x4143b0 _wsystem

• 0x4143b4 wcscpy

• 0x4143b8 wcslen

• 0x4143bc _wgetenv

• 0x4143c0 toupper

• 0x4143c4 sprintf

• 0x4143c8 tolower

• 0x4143cc wcscmp

• 0x4143d0 _wrename

• 0x4143d4 exit

• 0x4143d8 getenv

• 0x4143dc printf

• 0x4143e0 strncmp

• 0x4143e4 malloc

• 0x4143e8 free

• 0x4143ec _EH_prolog

• 0x4143f0 __CxxFrameHandler

• 0x4143f4 ??3@YAXPAX@Z

• 0x4143f8 _CxxThrowException

• 0x4143fc ??0exception@@QAE@ABV0@@Z

• 0x414400 time

• 0x414404 localtime

• 0x414408 strftime

• 0x41440c atoi

• 0x414410 _ftol

• 0x414414 ??2@YAPAXI@Z

• 0x414418 swprintf

• 0x41441c _itoa

Library MSVCP60.dll:

• 0x4141f0 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z

• 0x4141f4 ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z

• 0x4141f8 ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z

• 0x4141fc ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z

• 0x414200 ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z

• 0x414204 ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z

• 0x414208 ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ

• 0x41420c ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ

• 0x414210 ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ

• 0x414214 ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z

• 0x414218 ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z

• 0x41421c ??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z

• 0x414220 ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z

• 0x414224 ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z

• 0x414228 ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z

• 0x41422c ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z

• 0x414230 ?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z

• 0x414234 ?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z

• 0x414238 ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z

• 0x41423c ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ

• 0x414240 ??0Init@ios_base@std@@QAE@XZ

• 0x414244 ??1Init@ios_base@std@@QAE@XZ

• 0x414248 ??0_Winit@std@@QAE@XZ

• 0x41424c ??1_Winit@std@@QAE@XZ

• 0x414250 ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z

• 0x414254 ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z

• 0x414258 ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z

• 0x41425c ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ

• 0x414260 ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ

• 0x414264 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z

• 0x414268 ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ

• 0x41426c ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ

• 0x414270 ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ

• 0x414274 ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z

• 0x414278 ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z

• 0x41427c ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ

• 0x414280 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z

• 0x414284 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z

• 0x414288 ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ

• 0x41428c ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ

• 0x414290 ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ

• 0x414294 ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z

• 0x414298 ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ

• 0x41429c ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z

• 0x4142a0 ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z

• 0x4142a4 ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z

• 0x4142a8 ?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB

• 0x4142ac ?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z

• 0x4142b0 ?resize@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEXI@Z

• 0x4142b4 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z

• 0x4142b8 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z

• 0x4142bc ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z

• 0x4142c0 ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z

• 0x4142c4 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z

• 0x4142c8 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z

• 0x4142cc ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z

• 0x4142d0 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z

• 0x4142d4 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z

• 0x4142d8 ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z

• 0x4142dc ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ

• 0x4142e0 ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z

• 0x4142e4 ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ

• 0x4142e8 ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z

• 0x4142ec ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ

• 0x4142f0 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ

• 0x4142f4 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z

• 0x4142f8 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z

• 0x4142fc ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB

• 0x414300 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z

• 0x414304 ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z

• 0x414308 ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z

• 0x41430c ??1out_of_range@std@@UAE@XZ

• 0x414310 ??0out_of_range@std@@QAE@ABV01@@Z

• 0x414314 ??0logic_error@std@@QAE@ABV01@@Z

• 0x414318 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z

• 0x41431c ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z

• 0x414320 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z

• 0x414324 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z

• 0x414328 ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z

• 0x41432c ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ

• 0x414330 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z

• 0x414334 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z

• 0x414338 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z

• 0x41433c ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z

• 0x414340 ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z

• 0x414344 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ

• 0x414348 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ

• 0x41434c ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z

• 0x414350 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ

• 0x414354 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z

Library SHLWAPI.dll:

• 0x414438 PathFileExistsW

• 0x41443c PathFileExistsA

• 0x414440 StrToIntA

Library WINMM.dll:

• 0x4144fc PlaySoundW

• 0x414500 mciSendStringA

• 0x414504 waveInStop

• 0x414508 waveInOpen

• 0x41450c waveInClose

• 0x414510 waveInUnprepareHeader

• 0x414514 waveInPrepareHeader

• 0x414518 mciSendStringW

• 0x41451c waveInAddBuffer

• 0x414520 waveInStart

Library WS2_32.dll:

• 0x414528 htons

• 0x41452c gethostbyname

• 0x414530 closesocket

• 0x414534 inet_ntoa

• 0x414538 socket

• 0x41453c connect

• 0x414540 recv

• 0x414544 send

• 0x414548 WSAStartup

Library urlmon.dll:

• 0x414580 URLDownloadToFileW

• 0x414584 URLOpenBlockingStreamW

Library gdiplus.dll:

• 0x414550 GdipLoadImageFromStreamICM

• 0x414554 GdipLoadImageFromStream

• 0x414558 GdipDisposeImage

• 0x41455c GdipCloneImage

• 0x414560 GdipAlloc

• 0x414564 GdipSaveImageToStream

• 0x414568 GdipSaveImageToFile

• 0x41456c GdiplusStartup

• 0x414570 GdipGetImageEncoders

• 0x414574 GdipGetImageEncodersSize

• 0x414578 GdipFree

Library WININET.dll:

• 0x4144e8 InternetCloseHandle

• 0x4144ec InternetOpenUrlA

• 0x4144f0 InternetOpenA

• 0x4144f4 InternetReadFile

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49714	239.255.255.250	3702
192.168.56.101	49716	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	1900
192.168.56.101	51809	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.