10.0
0-day

c7202ac90daa5d696736a32eff2c930eba08332c9416ff6a464ce3ea17f414f9

702a370d537ad9909efe4645ff854a3e.exe

Analysis duration: 81s

Last analyzed:

File size: 1.2MB
Static scan: flagged malicious. Dynamic scan: flagged malicious. Tags: ADKK AI SCORE=82 AIDETECTVM ALI2000015 BUC8NV CLASSIC CONFIDENCE DELF DELFINJECT DELPHILESS EMWL EMZL FAREIT FORMBOOK GENERICKD HIGH CONFIDENCE HQKFJH IGENT KBDCR MALWARE2 MALWARE@#2G3HVSU1GHDLA NH0@ASZPOTGI R002C0PH520 SCORE SIGGEN2 STATIC AI SUSGEN SUSPICIOUS PE TSCOPE UNSAFE UPAN X2094 ZELPHIF
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine detection result yet
Static verdict
Antivirus engines
Engine Result Date Version
McAfee Fareit-FPQ!702A370D537A 20201211 6.0.6.653
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20201210 21.1.5827.0
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Kingsoft 20201211 2017.9.26.565
Tencent Win32.Trojan.Crypt.Adkk 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (5 events)
Time & API Arguments Status Return Repeated
1619623380.872001
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
app+0xc03f8 @ 0x4c03f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
app+0x17005c @ 0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdbd147d
success 0 0
1619623392.731751
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
app+0xc03f8 @ 0x4c03f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
app+0x17005c @ 0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff39147d
success 0 0
1619623403.435126
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
app+0xc03f8 @ 0x4c03f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
app+0x17005c @ 0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff65147d
success 0 0
1619623412.887626
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
app+0xc03f8 @ 0x4c03f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x751c4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x751c5d3d
app+0x17005c @ 0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd92147d
success 0 0
1619623424.512501
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
app+0xc03f8 @ 0x4c03f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
app+0x17005c @ 0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff35147d
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 161 events)
Time & API Arguments Status Return Repeated
1619623369.184876
NtAllocateVirtualMemory
process_identifier: 360
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01d40000
success 0 0
1619623369.387876
NtProtectVirtualMemory
process_identifier: 360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 81920
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00475000
success 0 0
1619623369.403876
NtAllocateVirtualMemory
process_identifier: 360
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d80000
success 0 0
1619623371.294001
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01d40000
success 0 0
1619623371.388001
NtProtectVirtualMemory
process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 81920
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00475000
success 0 0
1619623371.388001
NtAllocateVirtualMemory
process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d80000
success 0 0
1619623379.029001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619623379.060001
NtAllocateVirtualMemory
process_identifier: 2476
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02060000
success 0 0
1619623379.060001
NtAllocateVirtualMemory
process_identifier: 2476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02130000
success 0 0
1619623379.060001
NtAllocateVirtualMemory
process_identifier: 2476
region_size: 753664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02060000
success 0 0
1619623379.060001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 729088
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02062000
success 0 0
1619623380.700001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1619623380.700001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1619623380.716001
NtProtectVirtualMemory
process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619623379.621499
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619623380.121499
NtProtectVirtualMemory
process_identifier: 1888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 81920
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00475000
success 0 0
1619623380.121499
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00560000
success 0 0
1619623386.294001
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619623386.357001
NtProtectVirtualMemory
process_identifier: 1916
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 81920
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00475000
success 0 0
1619623386.357001
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00560000
success 0 0
1619623392.153751
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619623392.168751
NtAllocateVirtualMemory
process_identifier: 192
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f60000
success 0 0
1619623392.168751
NtAllocateVirtualMemory
process_identifier: 192
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02010000
success 0 0
1619623392.168751
NtAllocateVirtualMemory
process_identifier: 192
region_size: 753664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02050000
success 0 0
1619623392.184751
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 729088
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02052000
success 0 0
1619623392.324751
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e32000
success 0 0
1619623392.324751
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619623392.324751
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e32000
success 0 0
1619623392.324751
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619623392.324751
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e32000
success 0 0
1619623392.324751
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619623392.324751
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e32000
success 0 0
1619623392.324751
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (11 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.591687163260456 section .rsrc (size_of_data 0x000a1e00, virtual_address 0x0009c000, virtual_size 0x000a1dec) description A section with a high entropy has been found
entropy 0.5202892728003214 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process app.exe
Repeatedly searches for a process that is not found; you may want to run a web browser during analysis (17 events)
Time & API Arguments Status Return Repeated
1619623369.403876
Process32NextW
process_name: 702a370d537ad9909efe4645ff854a3e.exe
snapshot_handle: 0x000000f4
process_identifier: 360
failed 0 0
1619623371.419001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2244
failed 0 0
1619623380.246499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2040
failed 0 0
1619623385.684499
Process32NextW
process_name: app.exe
snapshot_handle: 0x00000170
process_identifier: 1888
failed 0 0
1619623386.388001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2440
failed 0 0
1619623392.778374
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x000000f4
process_identifier: 2964
failed 0 0
1619623396.684374
Process32NextW
process_name: app.exe
snapshot_handle: 0x00000158
process_identifier: 1932
failed 0 0
1619623397.309751
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2760
failed 0 0
1619623404.012876
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x000000f4
process_identifier: 3224
failed 0 0
1619623405.934876
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x00000120
process_identifier: 3224
failed 0 0
1619623407.121374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3316
failed 0 0
1619623413.371374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3496
failed 0 0
1619623417.387374
Process32NextW
process_name: app.exe
snapshot_handle: 0x00000160
process_identifier: 3404
failed 0 0
1619623418.482126
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3568
failed 0 0
1619623424.543374
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x000000f4
process_identifier: 3728
failed 0 0
1619623427.043374
Process32NextW
process_name: app.exe
snapshot_handle: 0x00000134
process_identifier: 3652
failed 0 0
1619623427.638001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3812
failed 0 0
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe:ZoneIdentifier
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619623370.231876
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
Creates a thread using NtQueueApcThread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 360 created a thread in remote process 284
Time & API Arguments Status Return Repeated
1619623370.231876
NtQueueApcThread
thread_handle: 0x00000104
process_identifier: 284
function_address: 0x000b05c0
parameter: 0x000c0000
success 0 0
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619623370.231876
WriteProcessMemory
process_identifier: 284
buffer:
process_handle: 0x000000fc
base_address: 0x000b0000
success 1 0
1619623370.231876
WriteProcessMemory
process_identifier: 284
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\702a370d537ad9909efe4645ff854a3e.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\702a370d537ad9909efe4645ff854a3e.exe"
process_handle: 0x000000fc
base_address: 0x000c0000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (10 events)
Process injection Process 2056 called NtSetContextThread to modify thread in remote process 2476
Process injection Process 1916 called NtSetContextThread to modify thread in remote process 192
Process injection Process 2116 called NtSetContextThread to modify thread in remote process 2604
Process injection Process 3264 called NtSetContextThread to modify thread in remote process 3344
Process injection Process 3512 called NtSetContextThread to modify thread in remote process 3592
Time & API Arguments Status Return Repeated
1619623377.075001
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2476
success 0 0
1619623391.591001
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 192
success 0 0
1619623402.699751
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2604
success 0 0
1619623412.356374
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3344
success 0 0
1619623423.638126
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3592
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (10 events)
Process injection Process 2056 resumed a thread in remote process 2476
Process injection Process 1916 resumed a thread in remote process 192
Process injection Process 2116 resumed a thread in remote process 2604
Process injection Process 3264 resumed a thread in remote process 3344
Process injection Process 3512 resumed a thread in remote process 3592
Time & API Arguments Status Return Repeated
1619623378.544001
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2476
success 0 0
1619623391.935001
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 192
success 0 0
1619623403.168751
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2604
success 0 0
1619623412.621374
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3344
success 0 0
1619623423.888126
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3592
success 0 0
Executed a process and injected code into it, probably while unpacking (46 events)
Time & API Arguments Status Return Repeated
1619623370.231876
CreateProcessInternalW
thread_identifier: 2764
thread_handle: 0x00000104
process_identifier: 284
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619623370.231876
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619623370.231876
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1619623370.231876
WriteProcessMemory
process_identifier: 284
buffer:
process_handle: 0x000000fc
base_address: 0x000b0000
success 1 0
1619623370.231876
WriteProcessMemory
process_identifier: 284
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\702a370d537ad9909efe4645ff854a3e.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\702a370d537ad9909efe4645ff854a3e.exe"
process_handle: 0x000000fc
base_address: 0x000c0000
success 1 0
1619623370.918751
CreateProcessInternalW
thread_identifier: 520
thread_handle: 0x000000d0
process_identifier: 2056
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619623376.763001
CreateProcessInternalW
thread_identifier: 2560
thread_handle: 0x00000104
process_identifier: 2476
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619623376.763001
NtUnmapViewOfSection
process_identifier: 2476
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619623376.810001
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 2476
commit_size: 1581056
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1581056
base_address: 0x00400000
success 0 0
1619623377.060001
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619623377.075001
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2476
success 0 0
1619623378.544001
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2476
success 0 0
1619623378.950001
CreateProcessInternalW
thread_identifier: 1948
thread_handle: 0x00000108
process_identifier: 1888
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe" 2 2476 20497015
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619623385.934499
CreateProcessInternalW
thread_identifier: 2456
thread_handle: 0x00000174
process_identifier: 1916
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000178
inherit_handles: 0
success 1 0
1619623391.513001
CreateProcessInternalW
thread_identifier: 152
thread_handle: 0x00000104
process_identifier: 192
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619623391.513001
NtUnmapViewOfSection
process_identifier: 192
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619623391.529001
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 192
commit_size: 1581056
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1581056
base_address: 0x00400000
success 0 0
1619623391.591001
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619623391.591001
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 192
success 0 0
1619623391.935001
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 192
success 0 0
1619623392.013001
CreateProcessInternalW
thread_identifier: 2620
thread_handle: 0x00000108
process_identifier: 1932
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe" 2 192 20510406
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619623396.934374
CreateProcessInternalW
thread_identifier: 2616
thread_handle: 0x0000015c
process_identifier: 2116
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000160
inherit_handles: 0
success 1 0
1619623402.528751
CreateProcessInternalW
thread_identifier: 2620
thread_handle: 0x00000104
process_identifier: 2604
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619623402.528751
NtUnmapViewOfSection
process_identifier: 2604
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619623402.528751
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 2604
commit_size: 1581056
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1581056
base_address: 0x00400000
success 0 0
1619623402.699751
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619623402.699751
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2604
success 0 0
1619623403.168751
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2604
success 0 0
1619623403.246751
CreateProcessInternalW
thread_identifier: 3124
thread_handle: 0x00000108
process_identifier: 3120
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe" 2 2604 20521640
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619623406.246876
CreateProcessInternalW
thread_identifier: 3268
thread_handle: 0x00000124
process_identifier: 3264
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619623412.278374
CreateProcessInternalW
thread_identifier: 3348
thread_handle: 0x00000104
process_identifier: 3344
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619623412.278374
NtUnmapViewOfSection
process_identifier: 3344
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619623412.293374
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3344
commit_size: 1581056
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1581056
base_address: 0x00400000
success 0 0
1619623412.356374
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619623412.356374
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3344
success 0 0
1619623412.621374
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3344
success 0 0
1619623412.746374
CreateProcessInternalW
thread_identifier: 3408
thread_handle: 0x00000108
process_identifier: 3404
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe" 2 3344 20531093
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619623417.528374
CreateProcessInternalW
thread_identifier: 3516
thread_handle: 0x00000164
process_identifier: 3512
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000168
inherit_handles: 0
success 1 0
1619623423.575126
CreateProcessInternalW
thread_identifier: 3596
thread_handle: 0x00000104
process_identifier: 3592
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619623423.575126
NtUnmapViewOfSection
process_identifier: 3592
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619623423.575126
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3592
commit_size: 1581056
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1581056
base_address: 0x00400000
success 0 0
1619623423.638126
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619623423.638126
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3592
success 0 0
1619623423.888126
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3592
success 0 0
1619623423.950126
CreateProcessInternalW
thread_identifier: 3656
thread_handle: 0x00000108
process_identifier: 3652
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe" 2 3592 20542359
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619623427.199374
CreateProcessInternalW
thread_identifier: 3760
thread_handle: 0x00000138
process_identifier: 3756
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000013c
inherit_handles: 0
success 1 0
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events shown)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
FireEye Generic.mg.702a370d537ad990
McAfee Fareit-FPQ!702A370D537A
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
AegisLab Trojan.Win32.Crypt.4!c
Sangfor Malware
K7AntiVirus Trojan ( 0056cd161 )
BitDefender Trojan.GenericKD.43595567
K7GW Trojan ( 0056cd161 )
Cybereason malicious.8b01de
Arcabit Trojan.Generic.D299372F
Cyren W32/Trojan.UPAN-4710
Symantec Trojan.Gen.2
APEX Malicious
Avast Win32:Malware-gen
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Crypt.gen
Alibaba Trojan:Win32/DelfInject.ali2000015
NANO-Antivirus Trojan.Win32.Crypt.hqkfjh
MicroWorld-eScan Trojan.GenericKD.43595567
Rising Trojan.Injector!1.C99D (CLASSIC)
Ad-Aware Trojan.GenericKD.43595567
Emsisoft Trojan.GenericKD.43595567 (B)
Comodo Malware@#2g3hvsu1ghdla
F-Secure Trojan.TR/Injector.kbdcr
DrWeb Trojan.PWS.Siggen2.53083
Zillya Trojan.Agent.Win32.1362051
TrendMicro TROJ_GEN.R002C0PH520
McAfee-GW-Edition Fareit-FPQ!702A370D537A
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Crypt.dvd
Avira TR/Injector.kbdcr
MAX malware (ai score=82)
Antiy-AVL Trojan/Win32.Injector
Gridinsoft Trojan.Win32.Packed.oa
Microsoft Trojan:Win32/FormBook.GD!MTB
ZoneAlarm HEUR:Trojan.Win32.Crypt.gen
GData Trojan.GenericKD.43595567
AhnLab-V3 Suspicious/Win.Delphiless.X2094
Acronis suspicious
BitDefenderTheta Gen:NN.ZelphiF.34670.nH0@aSzpotgi
ALYac Trojan.GenericKD.43595567
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
Panda Trj/CI.A
Zoner Trojan.Win32.97444
ESET-NOD32 a variant of Win32/Injector.EMWL
Visual Analysis
Binary image
No binary image: the sample did not produce a binary visualization image.
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x48d13c VirtualFree
0x48d140 VirtualAlloc
0x48d144 LocalFree
0x48d148 LocalAlloc
0x48d14c GetTickCount
0x48d154 GetVersion
0x48d158 GetCurrentThreadId
0x48d164 VirtualQuery
0x48d168 WideCharToMultiByte
0x48d16c MultiByteToWideChar
0x48d170 lstrlenA
0x48d174 lstrcpynA
0x48d178 LoadLibraryExA
0x48d17c GetThreadLocale
0x48d180 GetStartupInfoA
0x48d184 GetProcAddress
0x48d188 GetModuleHandleA
0x48d18c GetModuleFileNameA
0x48d190 GetLocaleInfoA
0x48d194 GetCommandLineA
0x48d198 FreeLibrary
0x48d19c FindFirstFileA
0x48d1a0 FindClose
0x48d1a4 ExitProcess
0x48d1a8 ExitThread
0x48d1ac CreateThread
0x48d1b0 WriteFile
0x48d1b8 RtlUnwind
0x48d1bc RaiseException
0x48d1c0 GetStdHandle
Library user32.dll:
0x48d1c8 GetKeyboardType
0x48d1cc LoadStringA
0x48d1d0 MessageBoxA
0x48d1d4 CharNextA
Library advapi32.dll:
0x48d1dc RegQueryValueExA
0x48d1e0 RegOpenKeyExA
0x48d1e4 RegCloseKey
Library oleaut32.dll:
0x48d1ec SysFreeString
0x48d1f0 SysReAllocStringLen
0x48d1f4 SysAllocStringLen
Library kernel32.dll:
0x48d1fc TlsSetValue
0x48d200 TlsGetValue
0x48d204 LocalAlloc
0x48d208 GetModuleHandleA
Library advapi32.dll:
0x48d210 RegQueryValueExA
0x48d214 RegQueryInfoKeyA
0x48d218 RegOpenKeyExA
0x48d21c RegFlushKey
0x48d220 RegEnumKeyExA
0x48d224 RegCloseKey
Library kernel32.dll:
0x48d22c lstrcpyA
0x48d230 WriteFile
0x48d234 WaitForSingleObject
0x48d238 VirtualQuery
0x48d23c VirtualProtect
0x48d240 VirtualAlloc
0x48d244 SuspendThread
0x48d248 Sleep
0x48d24c SizeofResource
0x48d250 SetThreadPriority
0x48d254 SetThreadLocale
0x48d258 SetFilePointer
0x48d25c SetEvent
0x48d260 SetErrorMode
0x48d264 SetEndOfFile
0x48d268 ResumeThread
0x48d26c ResetEvent
0x48d270 ReadFile
0x48d274 MulDiv
0x48d278 LockResource
0x48d27c LoadResource
0x48d280 LoadLibraryA
0x48d28c GlobalUnlock
0x48d290 GlobalReAlloc
0x48d294 GlobalHandle
0x48d298 GlobalLock
0x48d29c GlobalFree
0x48d2a0 GlobalFindAtomA
0x48d2a4 GlobalDeleteAtom
0x48d2a8 GlobalAlloc
0x48d2ac GlobalAddAtomA
0x48d2b0 GetVersionExA
0x48d2b4 GetVersion
0x48d2bc GetTickCount
0x48d2c0 GetThreadLocale
0x48d2c4 GetTempPathA
0x48d2cc GetSystemInfo
0x48d2d0 GetStringTypeExA
0x48d2d4 GetStdHandle
0x48d2d8 GetProcAddress
0x48d2dc GetModuleHandleA
0x48d2e0 GetModuleFileNameA
0x48d2e4 GetLocaleInfoA
0x48d2e8 GetLocalTime
0x48d2ec GetLastError
0x48d2f0 GetFullPathNameA
0x48d2f4 GetFileSize
0x48d2f8 GetExitCodeThread
0x48d2fc GetDiskFreeSpaceA
0x48d300 GetDateFormatA
0x48d304 GetCurrentThreadId
0x48d308 GetCurrentProcessId
0x48d30c GetCPInfo
0x48d310 GetACP
0x48d314 FreeResource
0x48d31c InterlockedExchange
0x48d324 FreeLibrary
0x48d328 FormatMessageA
0x48d32c FindResourceA
0x48d330 FindFirstFileA
0x48d334 FindClose
0x48d344 EnumCalendarInfoA
0x48d350 CreateThread
0x48d354 CreateFileA
0x48d358 CreateEventA
0x48d35c CompareStringA
0x48d360 CloseHandle
Library version.dll:
0x48d368 VerQueryValueA
0x48d370 GetFileVersionInfoA
Library gdi32.dll:
0x48d378 UnrealizeObject
0x48d37c StretchBlt
0x48d380 SetWindowOrgEx
0x48d384 SetViewportOrgEx
0x48d388 SetTextColor
0x48d38c SetStretchBltMode
0x48d390 SetROP2
0x48d394 SetPixel
0x48d398 SetDIBColorTable
0x48d39c SetBrushOrgEx
0x48d3a0 SetBkMode
0x48d3a4 SetBkColor
0x48d3a8 SelectPalette
0x48d3ac SelectObject
0x48d3b0 SaveDC
0x48d3b4 RestoreDC
0x48d3b8 Rectangle
0x48d3bc RectVisible
0x48d3c0 RealizePalette
0x48d3c4 PatBlt
0x48d3c8 MoveToEx
0x48d3cc MaskBlt
0x48d3d0 LineTo
0x48d3d4 IntersectClipRect
0x48d3d8 GetWindowOrgEx
0x48d3dc GetTextMetricsA
0x48d3e8 GetStockObject
0x48d3ec GetPixel
0x48d3f0 GetPaletteEntries
0x48d3f4 GetObjectA
0x48d3f8 GetDeviceCaps
0x48d3fc GetDIBits
0x48d400 GetDIBColorTable
0x48d404 GetDCOrgEx
0x48d40c GetClipBox
0x48d410 GetBrushOrgEx
0x48d414 GetBitmapBits
0x48d418 ExcludeClipRect
0x48d41c DeleteObject
0x48d420 DeleteDC
0x48d424 CreateSolidBrush
0x48d428 CreatePenIndirect
0x48d42c CreatePen
0x48d430 CreatePalette
0x48d438 CreateFontIndirectA
0x48d43c CreateDIBitmap
0x48d440 CreateDIBSection
0x48d444 CreateCompatibleDC
0x48d44c CreateBrushIndirect
0x48d450 CreateBitmap
0x48d454 BitBlt
Library user32.dll:
0x48d45c CreateWindowExA
0x48d460 WindowFromPoint
0x48d464 WinHelpA
0x48d468 WaitMessage
0x48d46c ValidateRect
0x48d470 UpdateWindow
0x48d474 UnregisterClassA
0x48d478 UnhookWindowsHookEx
0x48d47c TranslateMessage
0x48d484 TrackPopupMenu
0x48d48c ShowWindow
0x48d490 ShowScrollBar
0x48d494 ShowOwnedPopups
0x48d498 ShowCursor
0x48d49c SetWindowsHookExA
0x48d4a0 SetWindowTextA
0x48d4a4 SetWindowPos
0x48d4a8 SetWindowPlacement
0x48d4ac SetWindowLongA
0x48d4b0 SetTimer
0x48d4b4 SetScrollRange
0x48d4b8 SetScrollPos
0x48d4bc SetScrollInfo
0x48d4c0 SetRect
0x48d4c4 SetPropA
0x48d4c8 SetParent
0x48d4cc SetMenuItemInfoA
0x48d4d0 SetMenu
0x48d4d4 SetForegroundWindow
0x48d4d8 SetFocus
0x48d4dc SetCursor
0x48d4e0 SetClassLongA
0x48d4e4 SetCapture
0x48d4e8 SetActiveWindow
0x48d4ec SendMessageA
0x48d4f0 ScrollWindow
0x48d4f4 ScreenToClient
0x48d4f8 RemovePropA
0x48d4fc RemoveMenu
0x48d500 ReleaseDC
0x48d504 ReleaseCapture
0x48d510 RegisterClassA
0x48d514 RedrawWindow
0x48d518 PtInRect
0x48d51c PostQuitMessage
0x48d520 PostMessageA
0x48d524 PeekMessageA
0x48d528 OffsetRect
0x48d52c OemToCharA
0x48d534 MessageBoxA
0x48d538 MessageBeep
0x48d53c MapWindowPoints
0x48d540 MapVirtualKeyA
0x48d544 LoadStringA
0x48d548 LoadKeyboardLayoutA
0x48d54c LoadIconA
0x48d550 LoadCursorA
0x48d554 LoadBitmapA
0x48d558 KillTimer
0x48d55c IsZoomed
0x48d560 IsWindowVisible
0x48d564 IsWindowEnabled
0x48d568 IsWindow
0x48d56c IsRectEmpty
0x48d570 IsIconic
0x48d574 IsDialogMessageA
0x48d578 IsChild
0x48d57c InvalidateRect
0x48d580 IntersectRect
0x48d584 InsertMenuItemA
0x48d588 InsertMenuA
0x48d58c InflateRect
0x48d594 GetWindowTextA
0x48d598 GetWindowRect
0x48d59c GetWindowPlacement
0x48d5a0 GetWindowLongA
0x48d5a4 GetWindowDC
0x48d5a8 GetTopWindow
0x48d5ac GetSystemMetrics
0x48d5b0 GetSystemMenu
0x48d5b4 GetSysColorBrush
0x48d5b8 GetSysColor
0x48d5bc GetSubMenu
0x48d5c0 GetScrollRange
0x48d5c4 GetScrollPos
0x48d5c8 GetScrollInfo
0x48d5cc GetPropA
0x48d5d0 GetParent
0x48d5d4 GetWindow
0x48d5d8 GetMessageTime
0x48d5dc GetMenuStringA
0x48d5e0 GetMenuState
0x48d5e4 GetMenuItemInfoA
0x48d5e8 GetMenuItemID
0x48d5ec GetMenuItemCount
0x48d5f0 GetMenu
0x48d5f4 GetLastActivePopup
0x48d5f8 GetKeyboardState
0x48d600 GetKeyboardLayout
0x48d604 GetKeyState
0x48d608 GetKeyNameTextA
0x48d60c GetIconInfo
0x48d610 GetForegroundWindow
0x48d614 GetFocus
0x48d618 GetDlgItem
0x48d61c GetDesktopWindow
0x48d620 GetDCEx
0x48d624 GetDC
0x48d628 GetCursorPos
0x48d62c GetCursor
0x48d630 GetClientRect
0x48d634 GetClassNameA
0x48d638 GetClassInfoA
0x48d63c GetCapture
0x48d640 GetActiveWindow
0x48d644 FrameRect
0x48d648 FindWindowA
0x48d64c FillRect
0x48d650 EqualRect
0x48d654 EnumWindows
0x48d658 EnumThreadWindows
0x48d65c EndPaint
0x48d660 EnableWindow
0x48d664 EnableScrollBar
0x48d668 EnableMenuItem
0x48d66c DrawTextA
0x48d670 DrawMenuBar
0x48d674 DrawIconEx
0x48d678 DrawIcon
0x48d67c DrawFrameControl
0x48d680 DrawFocusRect
0x48d684 DrawEdge
0x48d688 DispatchMessageA
0x48d68c DestroyWindow
0x48d690 DestroyMenu
0x48d694 DestroyIcon
0x48d698 DestroyCursor
0x48d69c DeleteMenu
0x48d6a0 DefWindowProcA
0x48d6a4 DefMDIChildProcA
0x48d6a8 DefFrameProcA
0x48d6ac CreatePopupMenu
0x48d6b0 CreateMenu
0x48d6b4 CreateIcon
0x48d6b8 ClientToScreen
0x48d6bc CheckMenuItem
0x48d6c0 CallWindowProcA
0x48d6c4 CallNextHookEx
0x48d6c8 BeginPaint
0x48d6cc CharNextA
0x48d6d0 CharLowerBuffA
0x48d6d4 CharLowerA
0x48d6d8 CharUpperBuffA
0x48d6dc CharToOemA
0x48d6e0 AdjustWindowRectEx
Library kernel32.dll:
0x48d6ec Sleep
Library oleaut32.dll:
0x48d6f4 SafeArrayPtrOfIndex
0x48d6f8 SafeArrayGetUBound
0x48d6fc SafeArrayGetLBound
0x48d700 SafeArrayCreate
0x48d704 VariantChangeType
0x48d708 VariantCopy
0x48d70c VariantClear
0x48d710 VariantInit
Library comctl32.dll:
0x48d720 ImageList_Write
0x48d724 ImageList_Read
0x48d734 ImageList_DragMove
0x48d738 ImageList_DragLeave
0x48d73c ImageList_DragEnter
0x48d740 ImageList_EndDrag
0x48d744 ImageList_BeginDrag
0x48d748 ImageList_Remove
0x48d74c ImageList_DrawEx
0x48d750 ImageList_Replace
0x48d754 ImageList_Draw
0x48d764 ImageList_Add
0x48d76c ImageList_Destroy
0x48d770 ImageList_Create
0x48d774 InitCommonControls
Library comdlg32.dll:
0x48d77c GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source Port  Destination                      Destination Port
192.168.56.101  49235        114.114.114.114                  53
192.168.56.101  50534        114.114.114.114                  53
192.168.56.101  56539        114.114.114.114                  53
192.168.56.101  58367        114.114.114.114                  53
192.168.56.101  65004        114.114.114.114                  53
192.168.56.101  137          192.168.56.255                   137
192.168.56.101  138          192.168.56.255                   138
192.168.56.101  123          20.189.79.72 (time.windows.com)  123
192.168.56.101  55368        224.0.0.252                      5355
192.168.56.101  56804        224.0.0.252                      5355
192.168.56.101  60123        224.0.0.252                      5355
192.168.56.101  62191        224.0.0.252                      5355
192.168.56.101  1900         239.255.255.250                  1900
192.168.56.101  56540        239.255.255.250                  3702
192.168.56.101  56807        239.255.255.250                  1900
192.168.56.101  58368        239.255.255.250                  3702
192.168.56.101  58370        239.255.255.250                  3702
192.168.56.101  58707        239.255.255.250                  3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.