SmartHawk

10.6

0-day

57 个模型检测该样本为恶意！

重新分析

下载样本

92baaa9b2dd202809cf16ca5266759fdec1bce29d2ba5ac7205bb7e14f01521f

6d8996e4649fb1c29aa59b2308d70fc0.exe

分析耗时

78s

最近分析

文件大小

649.5KB

静态报毒动态报毒 100% AGEN AI SCORE=89 AIDETECTVM ALI2000015 ANDROM BW6DXSRY CLASSIC CONFIDENCE DELF DELFINJECT DELPHILESS EESQ FAREIT HIGH CONFIDENCE HXUNFX KPOT LOKI LOKIBOT MALICIOUS PE MALWARE1 PUTTY PWCT R + MAL SCORE SIGGEN2 SMDF STATIC AI SUSGEN TSCOPE UNSAFE X2059 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FRQ!6D8996E4649F	20201211	6.0.6.653
Alibaba	Trojan:Win32/DelfInject.ali2000015	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20201210	21.1.5827.0
Kingsoft		20201211	2017.9.26.565

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1619603034.157249 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619603040.032249 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619603045.282249 GetComputerNameW	computer_name: OSKAR-PC	success	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619603030.798249 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 个事件)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596027.95556 __exception__	stacktrace: 6d8996e4649fb1c29aa59b2308d70fc0+0x6d6dc @ 0x46d6dc 6d8996e4649fb1c29aa59b2308d70fc0+0x3cbb @ 0x403cbb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637912 registers.edi: 4642576 registers.eax: 0 registers.ebp: 1638204 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 79 registers.ecx: 3242065920 exception.instruction_r: f7 f0 90 90 90 33 c0 5a 59 59 64 89 10 eb 12 e9 exception.symbol: 6d8996e4649fb1c29aa59b2308d70fc0+0x6d483 exception.instruction: div eax exception.module: 6d8996e4649fb1c29aa59b2308d70fc0.exe exception.exception_code: 0xc0000094 exception.offset: 447619 exception.address: 0x46d483	success	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619596027.01856 NtAllocateVirtualMemory	process_identifier: 1564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00350000	success
1619596028.15856 NtAllocateVirtualMemory	process_identifier: 1564 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00380000	success
1619596028.17456 NtAllocateVirtualMemory	process_identifier: 1564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003a0000	success

Steals private information from local Internet browsers (19 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596028.17456 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x000000e4 process_identifier: 2208	success	1	0

Moves the original executable to a new location (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619603045.251249 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6d8996e4649fb1c29aa59b2308d70fc0.exe newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6d8996e4649fb1c29aa59b2308d70fc0.exe	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)

entropy

7.391577422299182

section

{'size_of_data': '0x0001fa00', 'virtual_address': '0x00088000', 'entropy': 7.391577422299182, 'name': '.rsrc', 'virtual_size': '0x0001f9d0'}

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619603039.939249 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Harvests credentials from local FTP client softwares (22 个事件)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml

Harvests credentials from local email clients (3 个事件)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1564 called NtSetContextThread to modify thread in remote process 2528
1619596028.67456 NtSetContextThread	thread_handle: 0x000000e8 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2528	success	0	0

Putty Files, Registry Keys and/or Mutexes Detected

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1564 resumed a thread in remote process 2528
1619596029.22156 NtResumeThread	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2528	success	0	0

Executed a process and injected code into it, probably while unpacking (7 个事件)

Time & API	Arguments	Status	Return
1619596028.58056 CreateProcessInternalW	thread_identifier: 2620 thread_handle: 0x000000e8 process_identifier: 2528 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6d8996e4649fb1c29aa59b2308d70fc0.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000000ec inherit_handles: 0	success	1
1619596028.58056 NtUnmapViewOfSection	process_identifier: 2528 region_size: 4096 process_handle: 0x000000ec base_address: 0x00400000	success	0
1619596028.58056 NtMapViewOfSection	section_handle: 0x000000f4 process_identifier: 2528 commit_size: 663552 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x000000ec allocation_type: 0 () section_offset: 0 view_size: 663552 base_address: 0x00400000	success	0
1619596028.67456 NtGetContextThread	thread_handle: 0x000000e8	success	0
1619596028.67456 NtSetContextThread	thread_handle: 0x000000e8 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2528	success	0
1619596029.22156 NtResumeThread	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2528	success	0
1619603031.345249 NtResumeThread	thread_handle: 0x00000110 suspend_count: 1 process_identifier: 2528	success	0

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
FireEye	Generic.mg.6d8996e4649fb1c2
McAfee	Fareit-FRQ!6D8996E4649F
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/DelfInject.ali2000015
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Delf.FareIt.Gen.3
Cyren	W32/Delf.PWCT-5059
Symantec	Infostealer.Lokibot!43
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Backdoor.Win32.Androm.gen
BitDefender	Trojan.Delf.FareIt.Gen.3
NANO-Antivirus	Trojan.Win32.Androm.hxunfx
AegisLab	Trojan.Win32.Malicious.4!c
MicroWorld-eScan	Trojan.Delf.FareIt.Gen.3
Avast	Win32:Malware-gen
Ad-Aware	Trojan.Delf.FareIt.Gen.3
Sophos	Mal/Generic-R + Mal/Fareit-V
F-Secure	Heuristic.HEUR/AGEN.1133373
DrWeb	Trojan.PWS.Siggen2.46271
Zillya	Trojan.Injector.Win32.696858
TrendMicro	TrojanSpy.Win32.LOKI.SMDF.hp
McAfee-GW-Edition	BehavesLike.Win32.Fareit.jh
Emsisoft	Trojan.Delf.FareIt.Gen.3 (B)
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1133373
Antiy-AVL	Trojan[Backdoor]/Win32.Androm
Gridinsoft	Trojan.Win32.LokiBot.ba!s1
Microsoft	Trojan:Win32/Kpot.PA!MTB
ZoneAlarm	HEUR:Backdoor.Win32.Androm.gen
GData	Trojan.Delf.FareIt.Gen.3
AhnLab-V3	Suspicious/Win.Delphiless.X2059
BitDefenderTheta	AI:Packer.EC077F841F
ALYac	Spyware.LokiBot
MAX	malware (ai score=89)
VBA32	TScope.Trojan.Delf
Malwarebytes	Trojan.MalPack.DLF
Zoner	Trojan.Win32.90441
ESET-NOD32	Win32/PSW.Fareit.L
TrendMicro-HouseCall	TrojanSpy.Win32.LOKI.SMDF.hp
Rising	Trojan.Injector!1.AFE3 (CLASSIC)
Yandex	Trojan.PWS.Fareit!bW6dxsrY/d4

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:

• 0x47b140 DeleteCriticalSection

• 0x47b144 LeaveCriticalSection

• 0x47b148 EnterCriticalSection

• 0x47b14c InitializeCriticalSection

• 0x47b150 VirtualFree

• 0x47b154 VirtualAlloc

• 0x47b158 LocalFree

• 0x47b15c LocalAlloc

• 0x47b160 GetVersion

• 0x47b164 GetCurrentThreadId

• 0x47b168 InterlockedDecrement

• 0x47b16c InterlockedIncrement

• 0x47b170 VirtualQuery

• 0x47b174 WideCharToMultiByte

• 0x47b178 MultiByteToWideChar

• 0x47b17c lstrlenA

• 0x47b180 lstrcpynA

• 0x47b184 LoadLibraryExA

• 0x47b188 GetThreadLocale

• 0x47b18c GetStartupInfoA

• 0x47b190 GetProcAddress

• 0x47b194 GetModuleHandleA

• 0x47b198 GetModuleFileNameA

• 0x47b19c GetLocaleInfoA

• 0x47b1a0 GetCommandLineA

• 0x47b1a4 FreeLibrary

• 0x47b1a8 FindFirstFileA

• 0x47b1ac FindClose

• 0x47b1b0 ExitProcess

• 0x47b1b4 WriteFile

• 0x47b1b8 UnhandledExceptionFilter

• 0x47b1bc RtlUnwind

• 0x47b1c0 RaiseException

• 0x47b1c4 GetStdHandle

Library user32.dll:

• 0x47b1cc GetKeyboardType

• 0x47b1d0 LoadStringA

• 0x47b1d4 MessageBoxA

• 0x47b1d8 CharNextA

Library advapi32.dll:

• 0x47b1e0 RegQueryValueExA

• 0x47b1e4 RegOpenKeyExA

• 0x47b1e8 RegCloseKey

Library oleaut32.dll:

• 0x47b1f0 SysFreeString

• 0x47b1f4 SysReAllocStringLen

• 0x47b1f8 SysAllocStringLen

Library kernel32.dll:

• 0x47b200 TlsSetValue

• 0x47b204 TlsGetValue

• 0x47b208 LocalAlloc

• 0x47b20c GetModuleHandleA

Library advapi32.dll:

• 0x47b214 RegQueryValueExA

• 0x47b218 RegOpenKeyExA

• 0x47b21c RegCloseKey

Library kernel32.dll:

• 0x47b224 lstrcpyA

• 0x47b228 lstrcmpA

• 0x47b22c WriteFile

• 0x47b230 WaitForSingleObject

• 0x47b234 VirtualQuery

• 0x47b238 VirtualFree

• 0x47b23c VirtualAllocEx

• 0x47b240 VirtualAlloc

• 0x47b244 Sleep

• 0x47b248 SizeofResource

• 0x47b24c SetThreadLocale

• 0x47b250 SetFilePointer

• 0x47b254 SetEvent

• 0x47b258 SetErrorMode

• 0x47b25c SetEndOfFile

• 0x47b260 ResetEvent

• 0x47b264 ReadFile

• 0x47b268 MultiByteToWideChar

• 0x47b26c MulDiv

• 0x47b270 LockResource

• 0x47b274 LoadResource

• 0x47b278 LoadLibraryA

• 0x47b27c LeaveCriticalSection

• 0x47b280 InitializeCriticalSection

• 0x47b284 GlobalUnlock

• 0x47b288 GlobalSize

• 0x47b28c GlobalReAlloc

• 0x47b290 GlobalHandle

• 0x47b294 GlobalLock

• 0x47b298 GlobalFree

• 0x47b29c GlobalFindAtomA

• 0x47b2a0 GlobalDeleteAtom

• 0x47b2a4 GlobalAlloc

• 0x47b2a8 GlobalAddAtomA

• 0x47b2ac GetVersionExA

• 0x47b2b0 GetVersion

• 0x47b2b4 GetUserDefaultLCID

• 0x47b2b8 GetTimeZoneInformation

• 0x47b2bc GetTickCount

• 0x47b2c0 GetThreadLocale

• 0x47b2c4 GetTempPathA

• 0x47b2c8 GetSystemTime

• 0x47b2cc GetSystemInfo

• 0x47b2d0 GetStringTypeExA

• 0x47b2d4 GetStdHandle

• 0x47b2d8 GetProcAddress

• 0x47b2dc GetModuleHandleA

• 0x47b2e0 GetModuleFileNameA

• 0x47b2e4 GetLocaleInfoA

• 0x47b2e8 GetLocalTime

• 0x47b2ec GetLastError

• 0x47b2f0 GetFullPathNameA

• 0x47b2f4 GetFileSize

• 0x47b2f8 GetDiskFreeSpaceA

• 0x47b2fc GetDateFormatA

• 0x47b300 GetCurrentThreadId

• 0x47b304 GetCurrentProcessId

• 0x47b308 GetCurrentProcess

• 0x47b30c GetComputerNameA

• 0x47b310 GetCPInfo

• 0x47b314 GetACP

• 0x47b318 FreeResource

• 0x47b31c InterlockedExchange

• 0x47b320 FreeLibrary

• 0x47b324 FormatMessageA

• 0x47b328 FindResourceA

• 0x47b32c EnumCalendarInfoA

• 0x47b330 EnterCriticalSection

• 0x47b334 DeleteCriticalSection

• 0x47b338 CreateThread

• 0x47b33c CreateFileA

• 0x47b340 CreateEventA

• 0x47b344 CompareStringA

• 0x47b348 CloseHandle

Library version.dll:

• 0x47b350 VerQueryValueA

• 0x47b354 GetFileVersionInfoSizeA

• 0x47b358 GetFileVersionInfoA

Library gdi32.dll:

• 0x47b360 UnrealizeObject

• 0x47b364 StretchBlt

• 0x47b368 SetWindowOrgEx

• 0x47b36c SetWinMetaFileBits

• 0x47b370 SetViewportOrgEx

• 0x47b374 SetTextColor

• 0x47b378 SetStretchBltMode

• 0x47b37c SetROP2

• 0x47b380 SetPixel

• 0x47b384 SetMapMode

• 0x47b388 SetEnhMetaFileBits

• 0x47b38c SetDIBColorTable

• 0x47b390 SetBrushOrgEx

• 0x47b394 SetBkMode

• 0x47b398 SetBkColor

• 0x47b39c SelectPalette

• 0x47b3a0 SelectObject

• 0x47b3a4 SaveDC

• 0x47b3a8 RestoreDC

• 0x47b3ac RectVisible

• 0x47b3b0 RealizePalette

• 0x47b3b4 PlayEnhMetaFile

• 0x47b3b8 PatBlt

• 0x47b3bc MoveToEx

• 0x47b3c0 MaskBlt

• 0x47b3c4 LineTo

• 0x47b3c8 LPtoDP

• 0x47b3cc IntersectClipRect

• 0x47b3d0 GetWindowOrgEx

• 0x47b3d4 GetWinMetaFileBits

• 0x47b3d8 GetTextMetricsA

• 0x47b3dc GetTextExtentPoint32A

• 0x47b3e0 GetSystemPaletteEntries

• 0x47b3e4 GetStockObject

• 0x47b3e8 GetPixel

• 0x47b3ec GetPaletteEntries

• 0x47b3f0 GetObjectA

• 0x47b3f4 GetEnhMetaFilePaletteEntries

• 0x47b3f8 GetEnhMetaFileHeader

• 0x47b3fc GetEnhMetaFileDescriptionA

• 0x47b400 GetEnhMetaFileBits

• 0x47b404 GetDeviceCaps

• 0x47b408 GetDIBits

• 0x47b40c GetDIBColorTable

• 0x47b410 GetDCOrgEx

• 0x47b414 GetCurrentPositionEx

• 0x47b418 GetClipBox

• 0x47b41c GetBrushOrgEx

• 0x47b420 GetBitmapBits

• 0x47b424 ExcludeClipRect

• 0x47b428 DeleteObject

• 0x47b42c DeleteEnhMetaFile

• 0x47b430 DeleteDC

• 0x47b434 CreateSolidBrush

• 0x47b438 CreatePenIndirect

• 0x47b43c CreatePalette

• 0x47b440 CreateHalftonePalette

• 0x47b444 CreateFontIndirectA

• 0x47b448 CreateEnhMetaFileA

• 0x47b44c CreateDIBitmap

• 0x47b450 CreateDIBSection

• 0x47b454 CreateCompatibleDC

• 0x47b458 CreateCompatibleBitmap

• 0x47b45c CreateBrushIndirect

• 0x47b460 CreateBitmap

• 0x47b464 CopyEnhMetaFileA

• 0x47b468 CloseEnhMetaFile

• 0x47b46c BitBlt

Library user32.dll:

• 0x47b474 CreateWindowExA

• 0x47b478 WindowFromPoint

• 0x47b47c WinHelpA

• 0x47b480 WaitMessage

• 0x47b484 UpdateWindow

• 0x47b488 UnregisterClassA

• 0x47b48c UnhookWindowsHookEx

• 0x47b490 TranslateMessage

• 0x47b494 TranslateMDISysAccel

• 0x47b498 TrackPopupMenu

• 0x47b49c SystemParametersInfoA

• 0x47b4a0 ShowWindow

• 0x47b4a4 ShowScrollBar

• 0x47b4a8 ShowOwnedPopups

• 0x47b4ac ShowCursor

• 0x47b4b0 SetWindowsHookExA

• 0x47b4b4 SetWindowTextA

• 0x47b4b8 SetWindowPos

• 0x47b4bc SetWindowPlacement

• 0x47b4c0 SetWindowLongA

• 0x47b4c4 SetTimer

• 0x47b4c8 SetScrollRange

• 0x47b4cc SetScrollPos

• 0x47b4d0 SetScrollInfo

• 0x47b4d4 SetRect

• 0x47b4d8 SetPropA

• 0x47b4dc SetParent

• 0x47b4e0 SetMenuItemInfoA

• 0x47b4e4 SetMenu

• 0x47b4e8 SetForegroundWindow

• 0x47b4ec SetFocus

• 0x47b4f0 SetCursor

• 0x47b4f4 SetClassLongA

• 0x47b4f8 SetCapture

• 0x47b4fc SetActiveWindow

• 0x47b500 SendMessageA

• 0x47b504 ScrollWindow

• 0x47b508 ScreenToClient

• 0x47b50c RemovePropA

• 0x47b510 RemoveMenu

• 0x47b514 ReleaseDC

• 0x47b518 ReleaseCapture

• 0x47b51c RegisterWindowMessageA

• 0x47b520 RegisterClipboardFormatA

• 0x47b524 RegisterClassA

• 0x47b528 RedrawWindow

• 0x47b52c PtInRect

• 0x47b530 PostQuitMessage

• 0x47b534 PostMessageA

• 0x47b538 PeekMessageA

• 0x47b53c OffsetRect

• 0x47b540 OemToCharA

• 0x47b544 MessageBoxA

• 0x47b548 MapWindowPoints

• 0x47b54c MapVirtualKeyA

• 0x47b550 LoadStringA

• 0x47b554 LoadKeyboardLayoutA

• 0x47b558 LoadIconA

• 0x47b55c LoadCursorA

• 0x47b560 LoadBitmapA

• 0x47b564 KillTimer

• 0x47b568 IsZoomed

• 0x47b56c IsWindowVisible

• 0x47b570 IsWindowEnabled

• 0x47b574 IsWindow

• 0x47b578 IsRectEmpty

• 0x47b57c IsIconic

• 0x47b580 IsDialogMessageA

• 0x47b584 IsChild

• 0x47b588 InvalidateRect

• 0x47b58c IntersectRect

• 0x47b590 InsertMenuItemA

• 0x47b594 InsertMenuA

• 0x47b598 InflateRect

• 0x47b59c GetWindowThreadProcessId

• 0x47b5a0 GetWindowTextA

• 0x47b5a4 GetWindowRect

• 0x47b5a8 GetWindowPlacement

• 0x47b5ac GetWindowLongA

• 0x47b5b0 GetWindowDC

• 0x47b5b4 GetTopWindow

• 0x47b5b8 GetSystemMetrics

• 0x47b5bc GetSystemMenu

• 0x47b5c0 GetSysColorBrush

• 0x47b5c4 GetSysColor

• 0x47b5c8 GetSubMenu

• 0x47b5cc GetScrollRange

• 0x47b5d0 GetScrollPos

• 0x47b5d4 GetScrollInfo

• 0x47b5d8 GetPropA

• 0x47b5dc GetParent

• 0x47b5e0 GetWindow

• 0x47b5e4 GetMessageTime

• 0x47b5e8 GetMenuStringA

• 0x47b5ec GetMenuState

• 0x47b5f0 GetMenuItemInfoA

• 0x47b5f4 GetMenuItemID

• 0x47b5f8 GetMenuItemCount

• 0x47b5fc GetMenu

• 0x47b600 GetLastActivePopup

• 0x47b604 GetKeyboardState

• 0x47b608 GetKeyboardLayoutList

• 0x47b60c GetKeyboardLayout

• 0x47b610 GetKeyState

• 0x47b614 GetKeyNameTextA

• 0x47b618 GetIconInfo

• 0x47b61c GetForegroundWindow

• 0x47b620 GetFocus

• 0x47b624 GetDesktopWindow

• 0x47b628 GetDCEx

• 0x47b62c GetDC

• 0x47b630 GetCursorPos

• 0x47b634 GetCursor

• 0x47b638 GetClipboardData

• 0x47b63c GetClientRect

• 0x47b640 GetClassNameA

• 0x47b644 GetClassInfoA

• 0x47b648 GetCapture

• 0x47b64c GetActiveWindow

• 0x47b650 FrameRect

• 0x47b654 FindWindowA

• 0x47b658 FillRect

• 0x47b65c EqualRect

• 0x47b660 EnumWindows

• 0x47b664 EnumThreadWindows

• 0x47b668 EndPaint

• 0x47b66c EnableWindow

• 0x47b670 EnableScrollBar

• 0x47b674 EnableMenuItem

• 0x47b678 DrawTextA

• 0x47b67c DrawMenuBar

• 0x47b680 DrawIconEx

• 0x47b684 DrawIcon

• 0x47b688 DrawFrameControl

• 0x47b68c DrawEdge

• 0x47b690 DispatchMessageA

• 0x47b694 DestroyWindow

• 0x47b698 DestroyMenu

• 0x47b69c DestroyIcon

• 0x47b6a0 DestroyCursor

• 0x47b6a4 DeleteMenu

• 0x47b6a8 DefWindowProcA

• 0x47b6ac DefMDIChildProcA

• 0x47b6b0 DefFrameProcA

• 0x47b6b4 CreatePopupMenu

• 0x47b6b8 CreateMenu

• 0x47b6bc CreateIcon

• 0x47b6c0 ClientToScreen

• 0x47b6c4 CheckMenuItem

• 0x47b6c8 CallWindowProcA

• 0x47b6cc CallNextHookEx

• 0x47b6d0 BeginPaint

• 0x47b6d4 CharNextA

• 0x47b6d8 CharLowerBuffA

• 0x47b6dc CharLowerA

• 0x47b6e0 CharToOemA

• 0x47b6e4 AdjustWindowRectEx

• 0x47b6e8 ActivateKeyboardLayout

Library kernel32.dll:

• 0x47b6f0 Sleep

Library oleaut32.dll:

• 0x47b6f8 SafeArrayPtrOfIndex

• 0x47b6fc SafeArrayGetUBound

• 0x47b700 SafeArrayGetLBound

• 0x47b704 SafeArrayCreate

• 0x47b708 VariantChangeType

• 0x47b70c VariantCopy

• 0x47b710 VariantClear

• 0x47b714 VariantInit

Library ole32.dll:

• 0x47b71c CreateStreamOnHGlobal

• 0x47b720 IsAccelerator

• 0x47b724 OleDraw

• 0x47b728 OleSetMenuDescriptor

• 0x47b72c CoTaskMemFree

• 0x47b730 ProgIDFromCLSID

• 0x47b734 StringFromCLSID

• 0x47b738 CoCreateInstance

• 0x47b73c CoGetClassObject

• 0x47b740 CoUninitialize

• 0x47b744 CoInitialize

• 0x47b748 IsEqualGUID

Library oleaut32.dll:

• 0x47b750 GetErrorInfo

• 0x47b754 GetActiveObject

• 0x47b758 SysFreeString

Library comctl32.dll:

• 0x47b760 ImageList_SetIconSize

• 0x47b764 ImageList_GetIconSize

• 0x47b768 ImageList_Write

• 0x47b76c ImageList_Read

• 0x47b770 ImageList_GetDragImage

• 0x47b774 ImageList_DragShowNolock

• 0x47b778 ImageList_SetDragCursorImage

• 0x47b77c ImageList_DragMove

• 0x47b780 ImageList_DragLeave

• 0x47b784 ImageList_DragEnter

• 0x47b788 ImageList_EndDrag

• 0x47b78c ImageList_BeginDrag

• 0x47b790 ImageList_Remove

• 0x47b794 ImageList_DrawEx

• 0x47b798 ImageList_Draw

• 0x47b79c ImageList_GetBkColor

• 0x47b7a0 ImageList_SetBkColor

• 0x47b7a4 ImageList_ReplaceIcon

• 0x47b7a8 ImageList_Add

• 0x47b7ac ImageList_GetImageCount

• 0x47b7b0 ImageList_Destroy

• 0x47b7b4 ImageList_Create

• 0x47b7b8 InitCommonControls

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
sdgengtie.com
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	62912	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.