Risk score: 8.2 (High risk)

SHA256: f771b277221c7b1f569e44b18537b50f406f236412f57e04a9a5cc54f072e519

File name: 72bb8e802c14c18dc8822db3b15d6e38.exe (the name is the sample's MD5; the McAfee and FireEye detection names below embed the same prefix)

Analysis time: 99s

Most recent analysis:

File size: 573.5KB
Tags: static detection, dynamic detection, AHOT, AI SCORE=84, AIDETECTVM, ALI2000015, AUTOIT, AVEMARIA, CLASSIC, CONFIDENCE, DELF, DELFINJECT, DELPHILESS, DKTZ, EMOY, FAREIT, HIGH CONFIDENCE, HNWLWG, HPLOKI, INJECT3, JBU4YMXL+V8, JGW@AYGFLXHI, KCLOUD, KRYPTIK, MALWARE2, MALWARE@#21VV8579SYDT7, OLSWV, PWSX, SCORE, SMBD, STATIC AI, SUSPICIOUS PE, TSCOPE, TSPY, UNSAFE, X2094, YIWK, ZELPHIF (tokens harvested from the antivirus detection names listed further down)
鹰眼 engine: no detection (no 鹰眼 engine result is available for this sample)
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201210 21.1.5827.0
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
McAfee Fareit-FTB!72BB8E802C14 20201211 6.0.6.653
Tencent Win32.Adware.Generic.Ahot 20201211 1.0.0.1
Static indicators
Queries for the computer name (6 events)
Note: these rows carry no process id. Their timestamps (1619616526-534) fall inside the run of the powershell.exe child (pid 2224, created at 1619616522.32 in the injection table below), so they may be the PowerShell host's own start-up calls rather than the dropper fingerprinting the machine. Treat the signature as weak on its own.
Time & API Arguments Status Return Repeated
1619616526.92925
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619616527.08525
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619616527.21025
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619616527.28825
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619616534.21025
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619616534.21025
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619616528.53825
IsDebuggerPresent
failed 0 0
Uses Windows APIs to generate a cryptographic key (50 out of 60 events)
Note: every call is CryptExportKey with blob_type 6 (PUBLICKEYBLOB) and a NULL output buffer, i.e. a size query for a public-key export, not key generation. The timestamps (1619616530-534) again fall inside the powershell.exe child's run, and public-key exports by the .NET runtime that PowerShell hosts are not unusual; nothing in these rows shows the dropper deriving a key of its own.
Time & API Arguments Status Return Repeated
1619616530.44425
CryptExportKey
crypto_handle: 0x00337628
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616531.72525
CryptExportKey
crypto_handle: 0x003374e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616531.72525
CryptExportKey
crypto_handle: 0x003374e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616531.72525
CryptExportKey
crypto_handle: 0x003374e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616531.83525
CryptExportKey
crypto_handle: 0x003374e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616531.83525
CryptExportKey
crypto_handle: 0x003374e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616531.83525
CryptExportKey
crypto_handle: 0x003374e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616531.89725
CryptExportKey
crypto_handle: 0x003374e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616531.97525
CryptExportKey
crypto_handle: 0x00336a28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616531.97525
CryptExportKey
crypto_handle: 0x00336a28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616532.02225
CryptExportKey
crypto_handle: 0x00336a28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616532.02225
CryptExportKey
crypto_handle: 0x00336a28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616532.02225
CryptExportKey
crypto_handle: 0x00336a28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616532.02225
CryptExportKey
crypto_handle: 0x00336a28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616532.55425
CryptExportKey
crypto_handle: 0x00336f68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616532.55425
CryptExportKey
crypto_handle: 0x00336f68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616532.55425
CryptExportKey
crypto_handle: 0x00336f68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616532.55425
CryptExportKey
crypto_handle: 0x00336f68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616532.55425
CryptExportKey
crypto_handle: 0x00336f68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616532.56925
CryptExportKey
crypto_handle: 0x00336f68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616532.60025
CryptExportKey
crypto_handle: 0x00336f68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.46025
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.46025
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.47525
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.47525
CryptExportKey
crypto_handle: 0x00336e68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.49125
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.49125
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.49125
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.49125
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.49125
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.50725
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.50725
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.67925
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.67925
CryptExportKey
crypto_handle: 0x00337328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.85025
CryptExportKey
crypto_handle: 0x00337268
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.85025
CryptExportKey
crypto_handle: 0x00337268
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.86625
CryptExportKey
crypto_handle: 0x00337268
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.88225
CryptExportKey
crypto_handle: 0x00337268
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.88225
CryptExportKey
crypto_handle: 0x00337268
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.88225
CryptExportKey
crypto_handle: 0x00337268
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616533.92925
CryptExportKey
crypto_handle: 0x00337268
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616534.06925
CryptExportKey
crypto_handle: 0x003368e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616534.06925
CryptExportKey
crypto_handle: 0x003368e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616534.31925
CryptExportKey
crypto_handle: 0x003368e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616534.31925
CryptExportKey
crypto_handle: 0x003368e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616534.31925
CryptExportKey
crypto_handle: 0x003368e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616534.31925
CryptExportKey
crypto_handle: 0x003368e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616534.31925
CryptExportKey
crypto_handle: 0x003368e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616534.35025
CryptExportKey
crypto_handle: 0x003368e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619616534.35025
CryptExportKey
crypto_handle: 0x003368e8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks the amount of memory in the system, which can be used to detect virtual machines with little memory (1 event)
Time & API Arguments Status Return Repeated
1619616523.03825
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
Note: CODE, DATA and BSS are the section names the Borland/Delphi linker emits, and the "BobSoft Mini Delphi" PEiD signature matches Delphi-built executables in general. Both hits therefore say "compiled with Delphi" (consistent with the Delf/DelfInject detection names) rather than "packed". The actual unpacking evidence is the RWX protection change over the image range at 0x45b000 in the crash and memory sections below.
One or more processes crashed (3 events)
Note: the first exception is STATUS_INTEGER_DIVIDE_BY_ZERO (0xc0000094) at image offset 0x5bd87 on a "div eax" executed with eax = 0, logged at the same timestamp (1619616510.085375) as the NtProtectVirtualMemory call that made 0x45b000-0x465000 RWX. A divide-by-zero on a register the code has just zeroed is almost certainly deliberate: raising a hardware exception is a common way for a loader stub to move control into an SEH handler and frustrate single-stepping. The second and third exceptions (0xc000008f, the status code the VB6 runtime uses when it raises its own run-time errors via RaiseException) come from msvbvm60, and their stack (ThunRTMain called from 0x4011be) shows that the code running after the injection below is a Visual Basic 6 executable, not the Delphi dropper.
Time & API Arguments Status Return Repeated
1619616510.085375
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34275140
registers.edi: 0
registers.eax: 0
registers.ebp: 34275208
registers.edx: 8
registers.ebx: 0
registers.esi: 0
registers.ecx: 69
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: 72bb8e802c14c18dc8822db3b15d6e38+0x5bd87
exception.instruction: div eax
exception.module: 72bb8e802c14c18dc8822db3b15d6e38.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619616525.32
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1637180
registers.edi: 8681056
registers.eax: 1637180
registers.ebp: 1637260
registers.edx: 0
registers.ebx: 8681056
registers.esi: 8681056
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1619616525.32
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
ProcCallEngine+0x4ce7 __vbaUdtVar-0x1bcd msvbvm60+0x101d44 @ 0x72a41d44
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
72bb8e802c14c18dc8822db3b15d6e38+0x11be @ 0x4011be
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637220
registers.edi: 8680936
registers.eax: 1637220
registers.ebp: 1637300
registers.edx: 0
registers.ebx: 4278556
registers.esi: 1637588
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 133 events)
Note: only the first three rows belong to the dropper (pid 1564); the NtProtectVirtualMemory over 0x45b000 (40960 bytes inside its own image, made PAGE_EXECUTE_READWRITE) is the unpacking step. The remaining rows are pid 2224, the powershell.exe child, whose managed runtime commits executable pages as it JIT-compiles; the heap_dep_bypass flag fires on those as a side effect and should not be read as the sample bypassing DEP.
Time & API Arguments Status Return Repeated
1619616509.929375
NtAllocateVirtualMemory
process_identifier: 1564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619616510.085375
NtProtectVirtualMemory
process_identifier: 1564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045b000
success 0 0
1619616510.085375
NtAllocateVirtualMemory
process_identifier: 1564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f50000
success 0 0
1619616527.80425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02960000
success 0 0
1619616527.80425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a70000
success 0 0
1619616528.36625
NtProtectVirtualMemory
process_identifier: 2224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619616528.55425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027fa000
success 0 0
1619616528.55425
NtProtectVirtualMemory
process_identifier: 2224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619616528.55425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027f2000
success 0 0
1619616528.86625
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02802000
success 0 0
1619616528.99125
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a71000
success 0 0
1619616529.05425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a72000
success 0 0
1619616529.25725
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0288a000
success 0 0
1619616529.66325
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02803000
success 0 0
1619616529.96025
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02804000
success 0 0
1619616529.99125
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0289b000
success 0 0
1619616529.99125
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02897000
success 0 0
1619616530.22525
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027fb000
success 0 0
1619616530.38225
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02882000
success 0 0
1619616530.39725
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02895000
success 0 0
1619616530.86625
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02805000
success 0 0
1619616531.61625
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0288c000
success 0 0
1619616531.89725
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02883000
success 0 0
1619616531.96025
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05400000
success 0 0
1619616532.39725
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02806000
success 0 0
1619616532.53825
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0289c000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02884000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02885000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02886000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02887000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02888000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02889000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a0000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a1000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a2000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a3000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a4000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a5000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a6000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a7000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a8000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054a9000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054aa000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054ab000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054ac000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054ad000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054ae000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054af000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054b0000
success 0 0
1619616532.94425
NtAllocateVirtualMemory
process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x054b1000
success 0 0
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Note: the path is implausible as written (an unexpanded %ProgramData% appended to the Temp directory) and names the stock Windows PowerShell Start Menu shortcut. Treat this as an artifact of the PowerShell launch rather than a shortcut the sample planted, unless a copy is actually found on disk.
Creates a suspicious process (1 event)
Note: the one-liner below copies the running sample into %LOCALAPPDATA%\xxdatie\atiedxx.exe, waits 60 seconds (long enough to outlast a short sandbox run) and relaunches the copy. No Run key, service or scheduled task appears in this report, so on this evidence it is relocation and relaunch, not reboot persistence; the destination path and the 60 second sleep are the detectable part. The spawned PowerShell is logged as pid 2224, which is why so many later rows carry that pid.
cmdline powershell Copy-Item -Path 'C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72bb8e802c14c18dc8822db3b15d6e38.exe' -Destination 'C:\Users\Administrator.Oskar-PC\AppData\Local\xxdatie\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Administrator.Oskar-PC\AppData\Local\xxdatie\atiedxx.exe'
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1619616511.711
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00760000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.144419036838581 section {'size_of_data': '0x00020a00', 'virtual_address': '0x00075000', 'entropy': 7.144419036838581, 'name': '.rsrc', 'virtual_size': '0x00020850'} description A section with a high entropy has been found
entropy 0.2279475982532751 description Overall entropy of this PE file is high
Note: the second figure is not an entropy. The signature adds up the raw size of every section whose entropy exceeds 6.8 and divides by the raw size of all sections; 0x20a00 / 0x8f200 (the total the ratio implies) = 0.2279..., i.e. the .rsrc section alone holds 22.8% of the file's section bytes, and the indicator fires above 0.2. A 7.14-entropy resource section in a 573.5KB Delphi executable is where an embedded payload would normally sit; compare the 106496-byte image mapped into the child in the NtMapViewOfSection row below.
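To show how the two numbers above are produced, here is an added example (not the sandbox's code) that implements the per-section Shannon entropy and the "overall" share exactly as described: sum the raw sizes of sections above the 6.8 threshold and divide by the raw size of all sections. Only the .rsrc size and entropy are from the report; the other section names are the Delphi set listed in the static indicators, and their sizes and entropies are constructed so that the total comes to 0x8f200, the total the reported ratio implies.

```python
import math
from collections import Counter

SECTION_THRESHOLD = 6.8   # a section above this counts as compressed/encrypted
OVERALL_THRESHOLD = 0.2   # share of section bytes above which the file-level hit fires

# (name, size_of_data, entropy). Only .rsrc is taken from the report; the other
# rows are constructed for this example so that the sizes sum to 0x8f200.
SECTIONS = [
    ("CODE",   0x5A000, 6.41),
    ("DATA",   0x12400, 4.93),
    ("BSS",    0x00000, 0.00),
    (".idata", 0x02000, 4.20),
    (".tls",   0x00200, 0.51),
    (".rdata", 0x00200, 1.02),
    (".rsrc",  0x20A00, 7.144419036838581),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_entropy(sections):
    """Reproduce the signature: high-entropy sections plus the byte share they hold.

    Returns (high_section_names, share, fires). `share` is what the report
    prints as 'Overall entropy of this PE file'; it is a ratio in [0, 1]."""
    total = sum(size for _, size, _ in sections)
    high = [(name, size) for name, size, ent in sections if ent > SECTION_THRESHOLD]
    compressed = sum(size for _, size in high)
    share = compressed / total if total else 0.0
    return [name for name, _ in high], share, share > OVERALL_THRESHOLD


def packer_entropy_from_bytes(raw_sections):
    """Same check driven from raw section bytes (e.g. pefile's section.get_data()),
    so the function can be pointed at a real file's sections."""
    rows = [(name, len(raw), shannon_entropy(raw)) for name, raw in raw_sections.items()]
    return packer_entropy(rows)


if __name__ == "__main__":
    names, share, fires = packer_entropy(SECTIONS)
    print(names, f"{share:.16f}", fires)
    # Constructed sections: a zero-filled CODE and a uniformly distributed
    # (entropy 8.0) resource that is too small to trip the overall threshold.
    print(packer_entropy_from_bytes({"CODE": b"\x00" * 4096, ".rsrc": bytes(range(256)) * 2}))
```

The share is the number to watch when tuning: a small, legitimately compressed resource (an icon, a zip) gives a high section entropy but a low share, while a payload that makes up a fifth of the file trips both.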
Checks for the Locally Unique Identifier of a suspicious privilege on the system (1 event)
Time & API Arguments Status Return Repeated
1619616530.19425
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Note: 172.217.0.0/16 is Google address space. A connection without a preceding DNS lookup, in a run during which PowerShell was started, is more likely background traffic than C2; do not promote this address to an indicator without the corresponding PCAP or the injected stage's configuration.
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection: process 1564 called NtSetContextThread to modify a thread in remote process 2424
Note: registers.eax = 4198836 = 0x4011b4 and registers.ebx = 2130567168 = 0x7efde000. On 32-bit Windows the primary thread of a process created suspended starts in ntdll's thread-start stub with eax holding the image entry point and ebx the PEB, so the injector rewrote eax to the entry point of the mapped image; the logged eip of 0 is not the new execution address. 0x4011b4 agrees with the crash stack above, where ThunRTMain returns to 0x4011be (a 5-byte push and a 5-byte call after the entry point, the standard VB6 start-up sequence).
Time & API Arguments Status Return Repeated
1619616510.960375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4198836
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2424
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection: process 1564 resumed a thread in remote process 2424
Time & API Arguments Status Return Repeated
1619616511.319375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2424
success 0 0
Executed a process and injected code into it, probably while unpacking (10 events)
Note: rows one to six are textbook process hollowing: the dropper starts a second copy of itself suspended (creation_flags 4), unmaps the original image at 0x400000 in the child, maps a 106496-byte section there as PAGE_EXECUTE_READWRITE, redirects the primary thread's context and resumes it. Delivering the image through a shared section instead of WriteProcessMemory is why no NtWriteVirtualMemory rows appear. The powershell.exe row (creation_flags 0) and the three NtResumeThread rows in pid 2224 are that process's own thread start-ups, not injection.
Time & API Arguments Status Return Repeated
1619616510.960375
CreateProcessInternalW
thread_identifier: 200
thread_handle: 0x000000fc
process_identifier: 2424
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72bb8e802c14c18dc8822db3b15d6e38.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619616510.960375
NtUnmapViewOfSection
process_identifier: 2424
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619616510.960375
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 2424
commit_size: 106496
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 106496
base_address: 0x00400000
success 0 0
1619616510.960375
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619616510.960375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4198836
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2424
success 0 0
1619616511.319375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2424
success 0 0
1619616522.32
CreateProcessInternalW
thread_identifier: 368
thread_handle: 0x000000c0
process_identifier: 2224
current_directory:
filepath:
track: 1
command_line: powershell Copy-Item -Path 'C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72bb8e802c14c18dc8822db3b15d6e38.exe' -Destination 'C:\Users\Administrator.Oskar-PC\AppData\Local\xxdatie\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Administrator.Oskar-PC\AppData\Local\xxdatie\atiedxx.exe'
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
1619616528.53825
NtResumeThread
thread_handle: 0x00000294
suspend_count: 1
process_identifier: 2224
success 0 0
1619616528.63225
NtResumeThread
thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 2224
success 0 0
1619616535.28825
NtResumeThread
thread_handle: 0x00000454
suspend_count: 1
process_identifier: 2224
success 0 0
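Rows one to six above can be matched mechanically. The following is an added example for this report (not code from the sandbox or the sample) that replays the API events transcribed from the table, tracks the hollowing stages per child pid, and pulls the new entry point out of the NtSetContextThread context. The event list, including the powershell.exe rows as a control, is transcribed from the report; the stage names and the acceptance of the write-based variant are choices of the example.

```python
"""Replay the API rows above and flag the process-hollowing chain.

Added example for this report, not code from the sandbox or the sample. The
events are transcribed from the injection table (timestamps, pids, thread
handles, sizes and register values are the report's own values)."""
from collections import OrderedDict

CREATE_SUSPENDED = 0x00000004        # CreateProcess creation flag
PAGE_EXECUTE_READWRITE = 0x40        # the win32_protect value logged as 64

# (timestamp, api, arguments). The powershell.exe child (pid 2224) is included
# as a control: created with creation_flags 0 and never unmapped or remapped,
# so it must not be reported as hollowed even though its threads are resumed.
REPORT_EVENTS = [
    (1619616510.960375, "CreateProcessInternalW",
     {"process_identifier": 2424, "thread_handle": 0xFC, "creation_flags": 4}),
    (1619616510.960375, "NtUnmapViewOfSection",
     {"process_identifier": 2424, "base_address": 0x00400000, "region_size": 4096}),
    (1619616510.960375, "NtMapViewOfSection",
     {"process_identifier": 2424, "base_address": 0x00400000,
      "view_size": 106496, "win32_protect": 64}),
    (1619616510.960375, "NtGetContextThread", {"thread_handle": 0xFC}),
    (1619616510.960375, "NtSetContextThread",
     {"process_identifier": 2424, "thread_handle": 0xFC, "registers.eip": 0,
      "registers.eax": 4198836, "registers.ebx": 2130567168}),
    (1619616511.319375, "NtResumeThread",
     {"process_identifier": 2424, "thread_handle": 0xFC, "suspend_count": 1}),
    (1619616522.32, "CreateProcessInternalW",
     {"process_identifier": 2224, "thread_handle": 0xC0, "creation_flags": 0}),
    (1619616528.53825, "NtResumeThread",
     {"process_identifier": 2224, "thread_handle": 0x294, "suspend_count": 1}),
]

# Stages in the order the map-based variant seen here performs them. The
# write-based variant (NtWriteVirtualMemory/WriteProcessMemory into the
# unmapped range) fills the same slot; it does not occur in this report.
STAGES = ("created_suspended", "unmapped", "image_written", "context_set", "resumed")


def detect_hollowing(events):
    """Return {pid: {"hollowed", "stages", "entry_point", "image_size"}} for every
    process created in the trace, keyed in order of first appearance."""
    state = OrderedDict()
    handle_to_pid = {}                 # thread handle -> pid, for handle-only rows

    def entry(pid):
        return state.setdefault(pid, {"hollowed": False, "stages": [],
                                      "entry_point": None, "image_size": None})

    def mark(pid, stage):
        stages = entry(pid)["stages"]
        if stage not in stages:
            stages.append(stage)

    for _ts, api, args in sorted(events, key=lambda e: e[0]):   # stable sort keeps row order
        pid = args.get("process_identifier")
        if pid is None:
            pid = handle_to_pid.get(args.get("thread_handle"))
        if pid is None:
            continue
        if api == "CreateProcessInternalW":
            handle_to_pid[args.get("thread_handle")] = pid
            entry(pid)
            if args.get("creation_flags", 0) & CREATE_SUSPENDED:
                mark(pid, "created_suspended")
        elif api == "NtUnmapViewOfSection":
            mark(pid, "unmapped")
        elif api in ("NtMapViewOfSection", "NtWriteVirtualMemory", "WriteProcessMemory"):
            # A mapped view only counts if the target can execute it.
            if api != "NtMapViewOfSection" or args.get("win32_protect", 0) & PAGE_EXECUTE_READWRITE:
                mark(pid, "image_written")
                entry(pid)["image_size"] = args.get("view_size", entry(pid)["image_size"])
        elif api == "NtSetContextThread":
            mark(pid, "context_set")
            # On x86 the primary thread of a process created suspended starts in
            # ntdll's thread-start stub with eax = image entry point and ebx = PEB.
            # Hollowing loaders rewrite eax, so the new entry point is there,
            # not in the logged eip of 0.
            entry(pid)["entry_point"] = args.get("registers.eax")
        elif api == "NtResumeThread":
            mark(pid, "resumed")

    for verdict in state.values():
        verdict["hollowed"] = all(stage in verdict["stages"] for stage in STAGES)
    return state


if __name__ == "__main__":
    for pid, v in detect_hollowing(REPORT_EVENTS).items():
        ep = v["entry_point"]
        print(pid, v["hollowed"], v["stages"], hex(ep) if ep is not None else None, v["image_size"])
```

Run against a real Cuckoo report.json, the behavior.processes[].calls array supplies the same fields. A stages list that stops at context_set is still worth keeping as a hit: the sandbox may have killed the sample before the resume.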
File has been identified by 57 antivirus engines on VirusTotal as malicious (50 of 57 shown)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Delf.FareIt.Gen.7
FireEye Generic.mg.72bb8e802c14c18d
ALYac Trojan.Delf.FareIt.Gen.7
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 005690671 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 005690671 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.Delf.FareIt.Gen.7
Cyren W32/Trojan.YIWK-2138
Symantec Trojan.Gen.2
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-Spy.Win32.AveMaria.gen
BitDefender Trojan.Delf.FareIt.Gen.7
NANO-Antivirus Riskware.Win32.Delf.hnwlwg
Paloalto generic.ml
AegisLab Adware.Win32.Generic.2!c
Rising Trojan.Injector!1.C99D (CLASSIC)
Ad-Aware Trojan.Delf.FareIt.Gen.7
Emsisoft Trojan.Delf.FareIt.Gen.7 (B)
Comodo Malware@#21vv8579sydt7
F-Secure Trojan.TR/Injector.olswv
DrWeb Trojan.Inject3.51259
Zillya Trojan.Injector.Win32.750366
TrendMicro TSPY_HPLOKI.SMBD
McAfee-GW-Edition BehavesLike.Win32.Fareit.hh
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Jiangmin Backdoor.MSIL.dktz
Avira TR/Injector.olswv
MAX malware (ai score=84)
Antiy-AVL Trojan[Spy]/Win32.AveMaria
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft PWS:Win32/Fareit.AQ!MTB
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Trojan.Delf.FareIt.Gen.7
AhnLab-V3 Suspicious/Win.Delphiless.X2094
McAfee Fareit-FTB!72BB8E802C14
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
ESET-NOD32 a variant of Win32/Injector.EMOY
TrendMicro-HouseCall TSPY_HPLOKI.SMBD
Tencent Win32.Adware.Generic.Ahot
Yandex Trojan.Injector!jbU4YmxL+V8
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x46913c VirtualFree
0x469140 VirtualAlloc
0x469144 LocalFree
0x469148 LocalAlloc
0x46914c GetVersion
0x469150 GetCurrentThreadId
0x46915c VirtualQuery
0x469160 WideCharToMultiByte
0x469164 MultiByteToWideChar
0x469168 lstrlenA
0x46916c lstrcpynA
0x469170 LoadLibraryExA
0x469174 GetThreadLocale
0x469178 GetStartupInfoA
0x46917c GetProcAddress
0x469180 GetModuleHandleA
0x469184 GetModuleFileNameA
0x469188 GetLocaleInfoA
0x46918c GetCommandLineA
0x469190 FreeLibrary
0x469194 FindFirstFileA
0x469198 FindClose
0x46919c ExitProcess
0x4691a0 WriteFile
0x4691a8 RtlUnwind
0x4691ac RaiseException
0x4691b0 GetStdHandle
Library user32.dll:
0x4691b8 GetKeyboardType
0x4691bc LoadStringA
0x4691c0 MessageBoxA
0x4691c4 CharNextA
Library advapi32.dll:
0x4691cc RegQueryValueExA
0x4691d0 RegOpenKeyExA
0x4691d4 RegCloseKey
Library oleaut32.dll:
0x4691dc SysFreeString
0x4691e0 SysReAllocStringLen
0x4691e4 SysAllocStringLen
Library kernel32.dll:
0x4691ec TlsSetValue
0x4691f0 TlsGetValue
0x4691f4 LocalAlloc
0x4691f8 GetModuleHandleA
Library advapi32.dll:
0x469200 RegQueryValueExA
0x469204 RegOpenKeyExA
0x469208 RegCloseKey
Library kernel32.dll:
0x469210 lstrcpyA
0x469214 WriteFile
0x469218 WaitForSingleObject
0x46921c VirtualQuery
0x469220 VirtualProtectEx
0x469224 VirtualAlloc
0x469228 Sleep
0x46922c SizeofResource
0x469230 SetThreadLocale
0x469234 SetFilePointer
0x469238 SetEvent
0x46923c SetErrorMode
0x469240 SetEndOfFile
0x469244 ResetEvent
0x469248 ReadFile
0x46924c MulDiv
0x469250 LockResource
0x469254 LoadResource
0x469258 LoadLibraryA
0x469264 GlobalUnlock
0x469268 GlobalReAlloc
0x46926c GlobalHandle
0x469270 GlobalLock
0x469274 GlobalFree
0x469278 GlobalFindAtomA
0x46927c GlobalDeleteAtom
0x469280 GlobalAlloc
0x469284 GlobalAddAtomA
0x469288 GetVersionExA
0x46928c GetVersion
0x469290 GetTickCount
0x469294 GetThreadLocale
0x469298 GetSystemInfo
0x46929c GetStringTypeExA
0x4692a0 GetStdHandle
0x4692a4 GetProcAddress
0x4692a8 GetModuleHandleA
0x4692ac GetModuleFileNameA
0x4692b0 GetLocaleInfoA
0x4692b4 GetLocalTime
0x4692b8 GetLastError
0x4692bc GetFullPathNameA
0x4692c0 GetFileAttributesA
0x4692c4 GetDiskFreeSpaceA
0x4692c8 GetDateFormatA
0x4692cc GetCurrentThreadId
0x4692d0 GetCurrentProcessId
0x4692d4 GetCurrentProcess
0x4692d8 GetCPInfo
0x4692dc GetACP
0x4692e0 FreeResource
0x4692e4 InterlockedExchange
0x4692e8 FreeLibrary
0x4692ec FormatMessageA
0x4692f0 FindResourceA
0x4692f4 FindFirstFileA
0x4692f8 FindClose
0x469304 EnumCalendarInfoA
0x469310 CreateThread
0x469314 CreateFileA
0x469318 CreateEventA
0x46931c CompareStringA
0x469320 CloseHandle
Library version.dll:
0x469328 VerQueryValueA
0x469330 GetFileVersionInfoA
Library gdi32.dll:
0x469338 UnrealizeObject
0x46933c StretchBlt
0x469340 SetWindowOrgEx
0x469344 SetWinMetaFileBits
0x469348 SetViewportOrgEx
0x46934c SetTextColor
0x469350 SetStretchBltMode
0x469354 SetROP2
0x469358 SetPixel
0x46935c SetEnhMetaFileBits
0x469360 SetDIBColorTable
0x469364 SetBrushOrgEx
0x469368 SetBkMode
0x46936c SetBkColor
0x469370 SelectPalette
0x469374 SelectObject
0x469378 SaveDC
0x46937c RestoreDC
0x469380 Rectangle
0x469384 RectVisible
0x469388 RealizePalette
0x46938c Polyline
0x469390 PlayEnhMetaFile
0x469394 PatBlt
0x469398 MoveToEx
0x46939c MaskBlt
0x4693a0 LineTo
0x4693a4 IntersectClipRect
0x4693a8 GetWindowOrgEx
0x4693ac GetWinMetaFileBits
0x4693b0 GetTextMetricsA
0x4693bc GetStockObject
0x4693c0 GetPixel
0x4693c4 GetPaletteEntries
0x4693c8 GetObjectA
0x4693d4 GetEnhMetaFileBits
0x4693d8 GetDeviceCaps
0x4693dc GetDIBits
0x4693e0 GetDIBColorTable
0x4693e4 GetDCOrgEx
0x4693ec GetClipBox
0x4693f0 GetBrushOrgEx
0x4693f4 GetBitmapBits
0x4693f8 ExcludeClipRect
0x4693fc DeleteObject
0x469400 DeleteEnhMetaFile
0x469404 DeleteDC
0x469408 CreateSolidBrush
0x46940c CreatePenIndirect
0x469410 CreatePen
0x469414 CreatePalette
0x46941c CreateFontIndirectA
0x469420 CreateDIBitmap
0x469424 CreateDIBSection
0x469428 CreateCompatibleDC
0x469430 CreateBrushIndirect
0x469434 CreateBitmap
0x469438 CopyEnhMetaFileA
0x46943c BitBlt
Library user32.dll:
0x469444 CreateWindowExA
0x469448 WindowFromPoint
0x46944c WinHelpA
0x469450 WaitMessage
0x469454 ValidateRect
0x469458 UpdateWindow
0x46945c UnregisterClassA
0x469460 UnhookWindowsHookEx
0x469464 TranslateMessage
0x46946c TrackPopupMenu
0x469474 ShowWindow
0x469478 ShowScrollBar
0x46947c ShowOwnedPopups
0x469480 ShowCursor
0x469484 SetWindowsHookExA
0x469488 SetWindowPos
0x46948c SetWindowPlacement
0x469490 SetWindowLongA
0x469494 SetTimer
0x469498 SetScrollRange
0x46949c SetScrollPos
0x4694a0 SetScrollInfo
0x4694a4 SetRect
0x4694a8 SetPropA
0x4694ac SetParent
0x4694b0 SetMenuItemInfoA
0x4694b4 SetMenu
0x4694b8 SetForegroundWindow
0x4694bc SetFocus
0x4694c0 SetCursor
0x4694c4 SetClassLongA
0x4694c8 SetCapture
0x4694cc SetActiveWindow
0x4694d0 SendMessageA
0x4694d4 ScrollWindow
0x4694d8 ScreenToClient
0x4694dc RemovePropA
0x4694e0 RemoveMenu
0x4694e4 ReleaseDC
0x4694e8 ReleaseCapture
0x4694f4 RegisterClassA
0x4694f8 RedrawWindow
0x4694fc PtInRect
0x469500 PostQuitMessage
0x469504 PostMessageA
0x469508 PeekMessageA
0x46950c OffsetRect
0x469510 OemToCharA
0x469514 MessageBoxA
0x469518 MapWindowPoints
0x46951c MapVirtualKeyA
0x469520 LoadStringA
0x469524 LoadKeyboardLayoutA
0x469528 LoadIconA
0x46952c LoadCursorA
0x469530 LoadBitmapA
0x469534 KillTimer
0x469538 IsZoomed
0x46953c IsWindowVisible
0x469540 IsWindowEnabled
0x469544 IsWindow
0x469548 IsRectEmpty
0x46954c IsIconic
0x469550 IsDialogMessageA
0x469554 IsChild
0x469558 InvalidateRect
0x46955c IntersectRect
0x469560 InsertMenuItemA
0x469564 InsertMenuA
0x469568 InflateRect
0x469570 GetWindowTextA
0x469574 GetWindowRect
0x469578 GetWindowPlacement
0x46957c GetWindowLongA
0x469580 GetWindowDC
0x469584 GetTopWindow
0x469588 GetSystemMetrics
0x46958c GetSystemMenu
0x469590 GetSysColorBrush
0x469594 GetSysColor
0x469598 GetSubMenu
0x46959c GetScrollRange
0x4695a0 GetScrollPos
0x4695a4 GetScrollInfo
0x4695a8 GetPropA
0x4695ac GetParent
0x4695b0 GetWindow
0x4695b4 GetMenuStringA
0x4695b8 GetMenuState
0x4695bc GetMenuItemInfoA
0x4695c0 GetMenuItemID
0x4695c4 GetMenuItemCount
0x4695c8 GetMenu
0x4695cc GetLastActivePopup
0x4695d0 GetKeyboardState
0x4695d8 GetKeyboardLayout
0x4695dc GetKeyState
0x4695e0 GetKeyNameTextA
0x4695e4 GetIconInfo
0x4695e8 GetForegroundWindow
0x4695ec GetFocus
0x4695f0 GetDlgItem
0x4695f4 GetDesktopWindow
0x4695f8 GetDCEx
0x4695fc GetDC
0x469600 GetCursorPos
0x469604 GetCursor
0x469608 GetClipboardData
0x46960c GetClientRect
0x469610 GetClassNameA
0x469614 GetClassInfoA
0x469618 GetCapture
0x46961c GetActiveWindow
0x469620 FrameRect
0x469624 FindWindowA
0x469628 FillRect
0x46962c EqualRect
0x469630 EnumWindows
0x469634 EnumThreadWindows
0x469638 EndPaint
0x46963c EnableWindow
0x469640 EnableScrollBar
0x469644 EnableMenuItem
0x469648 DrawTextA
0x46964c DrawMenuBar
0x469650 DrawIconEx
0x469654 DrawIcon
0x469658 DrawFrameControl
0x46965c DrawEdge
0x469660 DispatchMessageA
0x469664 DestroyWindow
0x469668 DestroyMenu
0x46966c DestroyIcon
0x469670 DestroyCursor
0x469674 DeleteMenu
0x469678 DefWindowProcA
0x46967c DefMDIChildProcA
0x469680 DefFrameProcA
0x469684 CreatePopupMenu
0x469688 CreateMenu
0x46968c CreateIcon
0x469690 ClientToScreen
0x469694 CheckMenuItem
0x469698 CallWindowProcA
0x46969c CallNextHookEx
0x4696a0 BeginPaint
0x4696a4 CharNextA
0x4696a8 CharLowerBuffA
0x4696ac CharLowerA
0x4696b0 CharToOemA
0x4696b4 AdjustWindowRectEx
Library kernel32.dll:
0x4696c0 Sleep
Library oleaut32.dll:
0x4696c8 SafeArrayPtrOfIndex
0x4696cc SafeArrayGetUBound
0x4696d0 SafeArrayGetLBound
0x4696d4 SafeArrayCreate
0x4696d8 VariantChangeType
0x4696dc VariantCopy
0x4696e0 VariantClear
0x4696e4 VariantInit
Library comctl32.dll:
0x4696f4 ImageList_Write
0x4696f8 ImageList_Read
0x469708 ImageList_DragMove
0x46970c ImageList_DragLeave
0x469710 ImageList_DragEnter
0x469714 ImageList_EndDrag
0x469718 ImageList_BeginDrag
0x46971c ImageList_Remove
0x469720 ImageList_DrawEx
0x469724 ImageList_Replace
0x469728 ImageList_Draw
0x469738 ImageList_Add
0x469740 ImageList_Destroy
0x469744 ImageList_Create
0x469748 InitCommonControls
Library comdlg32.dll:
0x469750 GetSaveFileNameA
0x469754 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50003 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.