SmartHawk

9.0

极危

60 个模型检测该样本为恶意！

重新分析

下载样本

58e2c70cfbd44f3c9923c3b1e1e07e9a487c781374879b45121082c0173c2ed2

5c5b6a8217ed97673ab7c2425dc1a466.exe

分析耗时

24s

最近分析

文件大小

767.0KB

静态报毒动态报毒 AI SCORE=83 AIDETECTVM ALI2000015 BT8X4M BXQI CLASSIC CONFIDENCE DELF DELFINJECT DELPHILESS EMOY EMSE FAREIT GENETIC HIGH CONFIDENCE HOGYDQ IGENT KCLOUD KRYPTIK LOKI LOKIBOT MALWARE1 MALWARE@#1RAXUJJ9TEZAV NANOCORE PWSX SCORE SIGGEN2 SMAD1 STATIC AI SUSPICIOUS PE SXEX TSCOPE UNSAFE UQXBH VGW@AAXL07EI X2094 ZELPHIF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FVZ!5C5B6A8217ED	20201211	6.0.6.653
Baidu		20190318	1.0.0.2
Avast		20201210	21.1.5827.0
Alibaba	Trojan:Win32/DelfInject.ali2000015	20190527	0.3.0.5
Kingsoft	Win32.Troj.Undef.(kcloud)	20201211	2017.9.26.565
Tencent	Win32.Trojan.Kryptik.Sxex	20201211	1.0.0.1
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 个事件)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619520948.119876 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7484e97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7484ea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7484b25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7484b4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7484ac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7484aed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74845511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7484559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x750f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x750f4de3 5c5b6a8217ed97673ab7c2425dc1a466+0x54a4d @ 0x454a4d 5c5b6a8217ed97673ab7c2425dc1a466+0x4d254 @ 0x44d254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xff3014ad	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619520948.119876
__exception__

stacktrace:

CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7484e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7484ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7484b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7484b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7484ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7484aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74845511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7484559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x750f7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x750f4de3
5c5b6a8217ed97673ab7c2425dc1a466+0x54a4d @ 0x454a4d
5c5b6a8217ed97673ab7c2425dc1a466+0x4d254 @ 0x44d254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3014ad

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (30 个事件)

Time & API	Arguments	Status
1619520944.931999 NtAllocateVirtualMemory	process_identifier: 420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e0000	success
1619520945.056999 NtProtectVirtualMemory	process_identifier: 420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0046c000	success
1619520945.056999 NtAllocateVirtualMemory	process_identifier: 420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01ed0000	success
1619520946.166876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1619520946.213876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01e60000	success
1619520946.213876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01ef0000	success
1619520946.213876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01d30000	success
1619520946.228876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 286720 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01d32000	success
1619520946.994876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x022b0000	success
1619520946.994876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02470000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01da2000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01da2000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01da2000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01da2000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01da2000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d4f000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01da2000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01da2000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01da2000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01da2000	success
1619520948.041876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619520948.056876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01da2000	success
1619520948.056876 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yes.vbs

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619520945.056999 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x000000fc process_identifier: 2288	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.3641816182293045

section

{'size_of_data': '0x0003e600', 'virtual_address': '0x00087000', 'entropy': 7.3641816182293045, 'name': '.rsrc', 'virtual_size': '0x0003e414'}

description

A section with a high entropy has been found

entropy

0.32571801566579633

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619520945.353999 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000104 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00130000	success	0	0

Installs itself for autorun at Windows startup (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yes.vbs

Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 420 created a thread in remote process 1432
1619520945.353999 NtQueueApcThread	thread_handle: 0x00000100 process_identifier: 1432 function_address: 0x001305c0 parameter: 0x00140000	success	0	0

Potential code injection by writing to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619520945.353999 WriteProcessMemory	process_identifier: 1432 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x00000104 base_address: 0x00130000	success	1	0
1619520945.353999 WriteProcessMemory	process_identifier: 1432 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5c5b6a8217ed97673ab7c2425dc1a466.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5c5b6a8217ed97673ab7c2425dc1a466.exe" yesSeT SvrxQM = crEATEobJEct("WscriPt.shell") sVRxqm.ruN """%ls""", 0, False process_handle: 0x00000104 base_address: 0x00140000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 420 called NtSetContextThread to modify thread in remote process 732
1619520945.478999 NtSetContextThread	thread_handle: 0x0000010c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4864560 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 732	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 420 resumed a thread in remote process 732
1619520945.838999 NtResumeThread	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 732	success	0	0

Executed a process and injected code into it, probably while unpacking (11 个事件)

Time & API	Arguments	Status	Return
1619520945.353999 CreateProcessInternalW	thread_identifier: 2256 thread_handle: 0x00000100 process_identifier: 1432 current_directory: filepath: C:\Windows\System32\notepad.exe track: 1 command_line: filepath_r: C:\Windows\system32\notepad.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000104 inherit_handles: 0	success	1
1619520945.353999 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000104 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00130000	success	0
1619520945.353999 NtAllocateVirtualMemory	process_identifier: 1432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000104 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00140000	success	0
1619520945.353999 WriteProcessMemory	process_identifier: 1432 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x00000104 base_address: 0x00130000	success	1
1619520945.353999 WriteProcessMemory	process_identifier: 1432 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5c5b6a8217ed97673ab7c2425dc1a466.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5c5b6a8217ed97673ab7c2425dc1a466.exe" yesSeT SvrxQM = crEATEobJEct("WscriPt.shell") sVRxqm.ruN """%ls""", 0, False process_handle: 0x00000104 base_address: 0x00140000	success	1
1619520945.431999 CreateProcessInternalW	thread_identifier: 1436 thread_handle: 0x0000010c process_identifier: 732 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5c5b6a8217ed97673ab7c2425dc1a466.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000108 inherit_handles: 0	success	1
1619520945.447999 NtUnmapViewOfSection	process_identifier: 732 region_size: 4096 process_handle: 0x00000108 base_address: 0x00400000	success	0
1619520945.447999 NtMapViewOfSection	section_handle: 0x00000114 process_identifier: 732 commit_size: 675840 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000108 allocation_type: 0 () section_offset: 0 view_size: 675840 base_address: 0x00400000	success	0
1619520945.478999 NtGetContextThread	thread_handle: 0x0000010c	success	0
1619520945.478999 NtSetContextThread	thread_handle: 0x0000010c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4864560 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 732	success	0
1619520945.838999 NtResumeThread	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 732	success	0

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Delf.FareIt.Gen.7
FireEye	Generic.mg.5c5b6a8217ed9767
McAfee	Fareit-FVZ!5C5B6A8217ED
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
BitDefender	Trojan.Delf.FareIt.Gen.7
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.1d4ac1
BitDefenderTheta	Gen:NN.ZelphiF.34670.VGW@aaxl07ei
Cyren	W32/Injector.BXQI-7705
Symantec	Infostealer.Lokibot!43
ESET-NOD32	a variant of Win32/Injector.EMSE
APEX	Malicious
ClamAV	Win.Dropper.Nanocore-9003807-0
Kaspersky	HEUR:Trojan.Win32.Kryptik.gen
Alibaba	Trojan:Win32/DelfInject.ali2000015
NANO-Antivirus	Trojan.Win32.Kryptik.hogydq
AegisLab	Trojan.Win32.Kryptik.4!c
Rising	Trojan.Injector!1.C99D (CLASSIC)
Ad-Aware	Trojan.Delf.FareIt.Gen.7
Emsisoft	Trojan.Delf.FareIt.Gen.7 (B)
Comodo	Malware@#1raxujj9tezav
F-Secure	Trojan.TR/Kryptik.uqxbh
DrWeb	Trojan.PWS.Siggen2.52272
Zillya	Trojan.Kryptik.Win32.2255126
TrendMicro	TrojanSpy.Win32.LOKI.SMAD1.hp
McAfee-GW-Edition	BehavesLike.Win32.Fareit.bc
Sophos	Mal/Generic-S
Ikarus	Trojan.Inject
GData	Trojan.Delf.FareIt.Gen.7
Jiangmin	Trojan.Kryptik.bxd
Avira	TR/Kryptik.uqxbh
MAX	malware (ai score=83)
Antiy-AVL	Trojan/Win32.Kryptik
Kingsoft	Win32.Troj.Undef.(kcloud)
Arcabit	Trojan.Delf.FareIt.Gen.7
SUPERAntiSpyware	Trojan.Agent/Gen-Injector
AhnLab-V3	Suspicious/Win.Delphiless.X2094
ZoneAlarm	HEUR:Trojan.Win32.Kryptik.gen
Microsoft	PWS:Win32/Fareit.AQ!MTB
Cynet	Malicious (score: 100)
Acronis	suspicious
VBA32	TScope.Trojan.Delf
ALYac	Trojan.Delf.FareIt.Gen.7
Malwarebytes	Trojan.MalPack.DLF
Panda	Trj/Genetic.gen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:

• 0x47a154 DeleteCriticalSection

• 0x47a158 LeaveCriticalSection

• 0x47a15c EnterCriticalSection

• 0x47a160 InitializeCriticalSection

• 0x47a164 VirtualFree

• 0x47a168 VirtualAlloc

• 0x47a16c LocalFree

• 0x47a170 LocalAlloc

• 0x47a174 GetVersion

• 0x47a178 GetCurrentThreadId

• 0x47a17c InterlockedDecrement

• 0x47a180 InterlockedIncrement

• 0x47a184 VirtualQuery

• 0x47a188 WideCharToMultiByte

• 0x47a18c SetCurrentDirectoryA

• 0x47a190 MultiByteToWideChar

• 0x47a194 lstrlenA

• 0x47a198 lstrcpynA

• 0x47a19c LoadLibraryExA

• 0x47a1a0 GetThreadLocale

• 0x47a1a4 GetStartupInfoA

• 0x47a1a8 GetProcAddress

• 0x47a1ac GetModuleHandleA

• 0x47a1b0 GetModuleFileNameA

• 0x47a1b4 GetLocaleInfoA

• 0x47a1b8 GetLastError

• 0x47a1bc GetCurrentDirectoryA

• 0x47a1c0 GetCommandLineA

• 0x47a1c4 FreeLibrary

• 0x47a1c8 FindFirstFileA

• 0x47a1cc FindClose

• 0x47a1d0 ExitProcess

• 0x47a1d4 WriteFile

• 0x47a1d8 UnhandledExceptionFilter

• 0x47a1dc RtlUnwind

• 0x47a1e0 RaiseException

• 0x47a1e4 GetStdHandle

Library user32.dll:

• 0x47a1ec GetKeyboardType

• 0x47a1f0 LoadStringA

• 0x47a1f4 MessageBoxA

• 0x47a1f8 CharNextA

Library advapi32.dll:

• 0x47a200 RegQueryValueExA

• 0x47a204 RegOpenKeyExA

• 0x47a208 RegCloseKey

Library oleaut32.dll:

• 0x47a210 SysFreeString

• 0x47a214 SysReAllocStringLen

• 0x47a218 SysAllocStringLen

Library kernel32.dll:

• 0x47a220 TlsSetValue

• 0x47a224 TlsGetValue

• 0x47a228 LocalAlloc

• 0x47a22c GetModuleHandleA

Library advapi32.dll:

• 0x47a234 RegQueryValueExA

• 0x47a238 RegOpenKeyExA

• 0x47a23c RegCloseKey

Library kernel32.dll:

• 0x47a244 lstrcpyA

• 0x47a248 WriteFile

• 0x47a24c WaitForSingleObject

• 0x47a250 VirtualQuery

• 0x47a254 VirtualProtect

• 0x47a258 VirtualAlloc

• 0x47a25c Sleep

• 0x47a260 SizeofResource

• 0x47a264 SetThreadLocale

• 0x47a268 SetFilePointer

• 0x47a26c SetEvent

• 0x47a270 SetErrorMode

• 0x47a274 SetEndOfFile

• 0x47a278 ResetEvent

• 0x47a27c ReadFile

• 0x47a280 MultiByteToWideChar

• 0x47a284 MulDiv

• 0x47a288 LockResource

• 0x47a28c LoadResource

• 0x47a290 LoadLibraryA

• 0x47a294 LeaveCriticalSection

• 0x47a298 InitializeCriticalSection

• 0x47a29c GlobalUnlock

• 0x47a2a0 GlobalSize

• 0x47a2a4 GlobalReAlloc

• 0x47a2a8 GlobalHandle

• 0x47a2ac GlobalLock

• 0x47a2b0 GlobalFree

• 0x47a2b4 GlobalFindAtomA

• 0x47a2b8 GlobalDeleteAtom

• 0x47a2bc GlobalAlloc

• 0x47a2c0 GlobalAddAtomA

• 0x47a2c4 GetVersionExA

• 0x47a2c8 GetVersion

• 0x47a2cc GetUserDefaultLCID

• 0x47a2d0 GetTickCount

• 0x47a2d4 GetThreadLocale

• 0x47a2d8 GetSystemInfo

• 0x47a2dc GetStringTypeExA

• 0x47a2e0 GetStdHandle

• 0x47a2e4 GetProcAddress

• 0x47a2e8 GetModuleHandleA

• 0x47a2ec GetModuleFileNameA

• 0x47a2f0 GetLocaleInfoA

• 0x47a2f4 GetLocalTime

• 0x47a2f8 GetLastError

• 0x47a2fc GetFullPathNameA

• 0x47a300 GetFileAttributesA

• 0x47a304 GetDiskFreeSpaceA

• 0x47a308 GetDateFormatA

• 0x47a30c GetCurrentThreadId

• 0x47a310 GetCurrentProcessId

• 0x47a314 GetComputerNameA

• 0x47a318 GetCPInfo

• 0x47a31c GetACP

• 0x47a320 FreeResource

• 0x47a324 InterlockedExchange

• 0x47a328 FreeLibrary

• 0x47a32c FormatMessageA

• 0x47a330 FindResourceA

• 0x47a334 FindNextFileA

• 0x47a338 FindFirstFileA

• 0x47a33c FindClose

• 0x47a340 FileTimeToLocalFileTime

• 0x47a344 FileTimeToDosDateTime

• 0x47a348 EnumCalendarInfoA

• 0x47a34c EnterCriticalSection

• 0x47a350 DeleteCriticalSection

• 0x47a354 CreateThread

• 0x47a358 CreateFileA

• 0x47a35c CreateEventA

• 0x47a360 CompareStringA

• 0x47a364 CloseHandle

Library version.dll:

• 0x47a36c VerQueryValueA

• 0x47a370 GetFileVersionInfoSizeA

• 0x47a374 GetFileVersionInfoA

Library gdi32.dll:

• 0x47a37c UnrealizeObject

• 0x47a380 StretchBlt

• 0x47a384 SetWindowOrgEx

• 0x47a388 SetWinMetaFileBits

• 0x47a38c SetViewportOrgEx

• 0x47a390 SetTextColor

• 0x47a394 SetStretchBltMode

• 0x47a398 SetROP2

• 0x47a39c SetPixel

• 0x47a3a0 SetMapMode

• 0x47a3a4 SetEnhMetaFileBits

• 0x47a3a8 SetDIBColorTable

• 0x47a3ac SetBrushOrgEx

• 0x47a3b0 SetBkMode

• 0x47a3b4 SetBkColor

• 0x47a3b8 SelectPalette

• 0x47a3bc SelectObject

• 0x47a3c0 SaveDC

• 0x47a3c4 RestoreDC

• 0x47a3c8 Rectangle

• 0x47a3cc RectVisible

• 0x47a3d0 RealizePalette

• 0x47a3d4 Polyline

• 0x47a3d8 PlayEnhMetaFile

• 0x47a3dc PatBlt

• 0x47a3e0 MoveToEx

• 0x47a3e4 MaskBlt

• 0x47a3e8 LineTo

• 0x47a3ec LPtoDP

• 0x47a3f0 IntersectClipRect

• 0x47a3f4 GetWindowOrgEx

• 0x47a3f8 GetWinMetaFileBits

• 0x47a3fc GetTextMetricsA

• 0x47a400 GetTextExtentPoint32A

• 0x47a404 GetSystemPaletteEntries

• 0x47a408 GetStockObject

• 0x47a40c GetPixel

• 0x47a410 GetPaletteEntries

• 0x47a414 GetObjectA

• 0x47a418 GetEnhMetaFilePaletteEntries

• 0x47a41c GetEnhMetaFileHeader

• 0x47a420 GetEnhMetaFileDescriptionA

• 0x47a424 GetEnhMetaFileBits

• 0x47a428 GetDeviceCaps

• 0x47a42c GetDIBits

• 0x47a430 GetDIBColorTable

• 0x47a434 GetDCOrgEx

• 0x47a438 GetCurrentPositionEx

• 0x47a43c GetClipBox

• 0x47a440 GetBrushOrgEx

• 0x47a444 GetBitmapBits

• 0x47a448 ExtTextOutA

• 0x47a44c ExcludeClipRect

• 0x47a450 DeleteObject

• 0x47a454 DeleteEnhMetaFile

• 0x47a458 DeleteDC

• 0x47a45c CreateSolidBrush

• 0x47a460 CreatePenIndirect

• 0x47a464 CreatePalette

• 0x47a468 CreateHalftonePalette

• 0x47a46c CreateFontIndirectA

• 0x47a470 CreateEnhMetaFileA

• 0x47a474 CreateDIBitmap

• 0x47a478 CreateDIBSection

• 0x47a47c CreateCompatibleDC

• 0x47a480 CreateCompatibleBitmap

• 0x47a484 CreateBrushIndirect

• 0x47a488 CreateBitmap

• 0x47a48c CopyEnhMetaFileA

• 0x47a490 CloseEnhMetaFile

• 0x47a494 BitBlt

Library user32.dll:

• 0x47a49c CreateWindowExA

• 0x47a4a0 WindowFromPoint

• 0x47a4a4 WinHelpA

• 0x47a4a8 WaitMessage

• 0x47a4ac UpdateWindow

• 0x47a4b0 UnregisterClassA

• 0x47a4b4 UnhookWindowsHookEx

• 0x47a4b8 TranslateMessage

• 0x47a4bc TranslateMDISysAccel

• 0x47a4c0 TrackPopupMenu

• 0x47a4c4 SystemParametersInfoA

• 0x47a4c8 ShowWindow

• 0x47a4cc ShowScrollBar

• 0x47a4d0 ShowOwnedPopups

• 0x47a4d4 ShowCursor

• 0x47a4d8 SetWindowsHookExA

• 0x47a4dc SetWindowTextA

• 0x47a4e0 SetWindowPos

• 0x47a4e4 SetWindowPlacement

• 0x47a4e8 SetWindowLongA

• 0x47a4ec SetTimer

• 0x47a4f0 SetScrollRange

• 0x47a4f4 SetScrollPos

• 0x47a4f8 SetScrollInfo

• 0x47a4fc SetRect

• 0x47a500 SetPropA

• 0x47a504 SetParent

• 0x47a508 SetMenuItemInfoA

• 0x47a50c SetMenu

• 0x47a510 SetForegroundWindow

• 0x47a514 SetFocus

• 0x47a518 SetCursor

• 0x47a51c SetClassLongA

• 0x47a520 SetCapture

• 0x47a524 SetActiveWindow

• 0x47a528 SendMessageA

• 0x47a52c ScrollWindow

• 0x47a530 ScreenToClient

• 0x47a534 RemovePropA

• 0x47a538 RemoveMenu

• 0x47a53c ReleaseDC

• 0x47a540 ReleaseCapture

• 0x47a544 RegisterWindowMessageA

• 0x47a548 RegisterClipboardFormatA

• 0x47a54c RegisterClassA

• 0x47a550 RedrawWindow

• 0x47a554 PtInRect

• 0x47a558 PostQuitMessage

• 0x47a55c PostMessageA

• 0x47a560 PeekMessageA

• 0x47a564 OffsetRect

• 0x47a568 OemToCharA

• 0x47a56c MessageBoxA

• 0x47a570 MapWindowPoints

• 0x47a574 MapVirtualKeyA

• 0x47a578 LoadStringA

• 0x47a57c LoadKeyboardLayoutA

• 0x47a580 LoadIconA

• 0x47a584 LoadCursorA

• 0x47a588 LoadBitmapA

• 0x47a58c KillTimer

• 0x47a590 IsZoomed

• 0x47a594 IsWindowVisible

• 0x47a598 IsWindowEnabled

• 0x47a59c IsWindow

• 0x47a5a0 IsRectEmpty

• 0x47a5a4 IsIconic

• 0x47a5a8 IsDialogMessageA

• 0x47a5ac IsChild

• 0x47a5b0 InvalidateRect

• 0x47a5b4 IntersectRect

• 0x47a5b8 InsertMenuItemA

• 0x47a5bc InsertMenuA

• 0x47a5c0 InflateRect

• 0x47a5c4 GetWindowThreadProcessId

• 0x47a5c8 GetWindowTextA

• 0x47a5cc GetWindowRect

• 0x47a5d0 GetWindowPlacement

• 0x47a5d4 GetWindowLongA

• 0x47a5d8 GetWindowDC

• 0x47a5dc GetTopWindow

• 0x47a5e0 GetSystemMetrics

• 0x47a5e4 GetSystemMenu

• 0x47a5e8 GetSysColorBrush

• 0x47a5ec GetSysColor

• 0x47a5f0 GetSubMenu

• 0x47a5f4 GetScrollRange

• 0x47a5f8 GetScrollPos

• 0x47a5fc GetScrollInfo

• 0x47a600 GetPropA

• 0x47a604 GetParent

• 0x47a608 GetWindow

• 0x47a60c GetMessageTime

• 0x47a610 GetMenuStringA

• 0x47a614 GetMenuState

• 0x47a618 GetMenuItemInfoA

• 0x47a61c GetMenuItemID

• 0x47a620 GetMenuItemCount

• 0x47a624 GetMenu

• 0x47a628 GetLastActivePopup

• 0x47a62c GetKeyboardState

• 0x47a630 GetKeyboardLayoutList

• 0x47a634 GetKeyboardLayout

• 0x47a638 GetKeyState

• 0x47a63c GetKeyNameTextA

• 0x47a640 GetIconInfo

• 0x47a644 GetForegroundWindow

• 0x47a648 GetFocus

• 0x47a64c GetDlgItem

• 0x47a650 GetDesktopWindow

• 0x47a654 GetDCEx

• 0x47a658 GetDC

• 0x47a65c GetCursorPos

• 0x47a660 GetCursor

• 0x47a664 GetClipboardData

• 0x47a668 GetClientRect

• 0x47a66c GetClassNameA

• 0x47a670 GetClassInfoA

• 0x47a674 GetCapture

• 0x47a678 GetActiveWindow

• 0x47a67c FrameRect

• 0x47a680 FindWindowA

• 0x47a684 FillRect

• 0x47a688 EqualRect

• 0x47a68c EnumWindows

• 0x47a690 EnumThreadWindows

• 0x47a694 EndPaint

• 0x47a698 EnableWindow

• 0x47a69c EnableScrollBar

• 0x47a6a0 EnableMenuItem

• 0x47a6a4 DrawTextA

• 0x47a6a8 DrawMenuBar

• 0x47a6ac DrawIconEx

• 0x47a6b0 DrawIcon

• 0x47a6b4 DrawFrameControl

• 0x47a6b8 DrawFocusRect

• 0x47a6bc DrawEdge

• 0x47a6c0 DispatchMessageA

• 0x47a6c4 DestroyWindow

• 0x47a6c8 DestroyMenu

• 0x47a6cc DestroyIcon

• 0x47a6d0 DestroyCursor

• 0x47a6d4 DeleteMenu

• 0x47a6d8 DefWindowProcA

• 0x47a6dc DefMDIChildProcA

• 0x47a6e0 DefFrameProcA

• 0x47a6e4 CreatePopupMenu

• 0x47a6e8 CreateMenu

• 0x47a6ec CreateIcon

• 0x47a6f0 ClientToScreen

• 0x47a6f4 CheckMenuItem

• 0x47a6f8 CallWindowProcA

• 0x47a6fc CallNextHookEx

• 0x47a700 BeginPaint

• 0x47a704 CharNextA

• 0x47a708 CharLowerBuffA

• 0x47a70c CharLowerA

• 0x47a710 CharToOemA

• 0x47a714 AdjustWindowRectEx

• 0x47a718 ActivateKeyboardLayout

Library kernel32.dll:

• 0x47a720 Sleep

Library oleaut32.dll:

• 0x47a728 SafeArrayPtrOfIndex

• 0x47a72c SafeArrayGetUBound

• 0x47a730 SafeArrayGetLBound

• 0x47a734 SafeArrayCreate

• 0x47a738 VariantChangeType

• 0x47a73c VariantCopy

• 0x47a740 VariantClear

• 0x47a744 VariantInit

Library ole32.dll:

• 0x47a74c CreateStreamOnHGlobal

• 0x47a750 IsAccelerator

• 0x47a754 OleDraw

• 0x47a758 OleSetMenuDescriptor

• 0x47a75c CoTaskMemFree

• 0x47a760 ProgIDFromCLSID

• 0x47a764 StringFromCLSID

• 0x47a768 CoCreateInstance

• 0x47a76c CoGetClassObject

• 0x47a770 CoUninitialize

• 0x47a774 CoInitialize

• 0x47a778 IsEqualGUID

Library oleaut32.dll:

• 0x47a780 GetErrorInfo

• 0x47a784 GetActiveObject

• 0x47a788 SysFreeString

Library comctl32.dll:

• 0x47a790 ImageList_SetIconSize

• 0x47a794 ImageList_GetIconSize

• 0x47a798 ImageList_Write

• 0x47a79c ImageList_Read

• 0x47a7a0 ImageList_GetDragImage

• 0x47a7a4 ImageList_DragShowNolock

• 0x47a7a8 ImageList_SetDragCursorImage

• 0x47a7ac ImageList_DragMove

• 0x47a7b0 ImageList_DragLeave

• 0x47a7b4 ImageList_DragEnter

• 0x47a7b8 ImageList_EndDrag

• 0x47a7bc ImageList_BeginDrag

• 0x47a7c0 ImageList_Remove

• 0x47a7c4 ImageList_DrawEx

• 0x47a7c8 ImageList_Replace

• 0x47a7cc ImageList_Draw

• 0x47a7d0 ImageList_GetBkColor

• 0x47a7d4 ImageList_SetBkColor

• 0x47a7d8 ImageList_ReplaceIcon

• 0x47a7dc ImageList_Add

• 0x47a7e0 ImageList_GetImageCount

• 0x47a7e4 ImageList_Destroy

• 0x47a7e8 ImageList_Create

Library comdlg32.dll:

• 0x47a7f0 GetOpenFileNameA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.