11.8
0-day
58 个模型检测该样本为恶意!
重新分析
更多

56cdf2f0adffcc195d95801f4f61da727edf5e6fe6bbbf0ac71462f733df9de9

72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe

分析耗时

123s

最近分析

文件大小

837.5KB
静态报毒 动态报毒 0GW@AUEJ@VJI 100% AI SCORE=81 APDS AUTO BTI6S4 CONFIDENCE DELF DELPHILESS ELXR FAREIT FCMT GENERICKD HAWKEYE HIGH CONFIDENCE HKDNIH IGENT KRYPTIK MALWARE@#2IY3J3YZKVTV2 NETWIRE OJFNX SCORE SUSGEN THEBCBO TROJAN3 TSCOPE UNSAFE X2066 ZELPHIF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FTC!72DD0F3D54F7 20200528 6.0.6.653
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Alibaba Trojan:Win32/Kryptik.19bef108 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Kingsoft 20200528 2013.8.14.323
Tencent Win32.Trojan.Inject.Auto 20200528 1.0.0.1
Avast Win32:Trojan-gen 20200528 18.4.3895.0
静态指标
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1619617368.167875
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619617365.323502
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (16 个事件)
Time & API Arguments Status Return Repeated
1619617363.62025
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34799160
registers.edi: 0
registers.eax: 0
registers.ebp: 34799496
registers.edx: 42
registers.ebx: 0
registers.esi: 0
registers.ecx: 620
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617365.010625
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34274872
registers.edi: 0
registers.eax: 0
registers.ebp: 34275208
registers.edx: 42
registers.ebx: 0
registers.esi: 0
registers.ecx: 10
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617366.65175
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 51576376
registers.edi: 0
registers.eax: 0
registers.ebp: 51576712
registers.edx: 42
registers.ebx: 0
registers.esi: 0
registers.ecx: 651
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: host+0x836ec
exception.instruction: div eax
exception.module: Host.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617368.46375
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 51904056
registers.edi: 0
registers.eax: 0
registers.ebp: 51904392
registers.edx: 42
registers.ebx: 0
registers.esi: 0
registers.ecx: 463
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: host+0x836ec
exception.instruction: div eax
exception.module: Host.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617377.557375
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34733624
registers.edi: 0
registers.eax: 0
registers.ebp: 34733960
registers.edx: 42
registers.ebx: 0
registers.esi: 0
registers.ecx: 557
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617380.526875
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 51969592
registers.edi: 0
registers.eax: 0
registers.ebp: 51969928
registers.edx: 43
registers.ebx: 0
registers.esi: 0
registers.ecx: 526
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617389.90125
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34405944
registers.edi: 0
registers.eax: 0
registers.ebp: 34406280
registers.edx: 43
registers.ebx: 0
registers.esi: 0
registers.ecx: 870
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617393.292625
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34864696
registers.edi: 0
registers.eax: 0
registers.ebp: 34865032
registers.edx: 43
registers.ebx: 0
registers.esi: 0
registers.ecx: 292
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617403.18275
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 35978808
registers.edi: 0
registers.eax: 0
registers.ebp: 35979144
registers.edx: 43
registers.ebx: 0
registers.esi: 0
registers.ecx: 182
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617406.229375
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 35192376
registers.edi: 0
registers.eax: 0
registers.ebp: 35192712
registers.edx: 43
registers.ebx: 0
registers.esi: 0
registers.ecx: 229
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617417.885125
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34340408
registers.edi: 0
registers.eax: 0
registers.ebp: 34340744
registers.edx: 43
registers.ebx: 0
registers.esi: 0
registers.ecx: 885
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617421.27675
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 35257912
registers.edi: 0
registers.eax: 0
registers.ebp: 35258248
registers.edx: 43
registers.ebx: 0
registers.esi: 0
registers.ecx: 276
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617438.760875
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 52624952
registers.edi: 0
registers.eax: 0
registers.ebp: 52625288
registers.edx: 43
registers.ebx: 0
registers.esi: 0
registers.ecx: 760
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617443.432875
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 35061304
registers.edi: 0
registers.eax: 0
registers.ebp: 35061640
registers.edx: 44
registers.ebx: 0
registers.esi: 0
registers.ecx: 432
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617462.791082
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 52231736
registers.edi: 0
registers.eax: 0
registers.ebp: 52232072
registers.edx: 44
registers.ebx: 0
registers.esi: 0
registers.ecx: 774
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619617467.233614
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 52166200
registers.edi: 0
registers.eax: 0
registers.ebp: 52166536
registers.edx: 44
registers.ebx: 0
registers.esi: 0
registers.ecx: 192
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 72dd0f3d54f711e8f3c83a2f1b7ce6dc+0x836ec
exception.instruction: div eax
exception.module: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (48 个事件)
Time & API Arguments Status Return Repeated
1619617363.38525
NtAllocateVirtualMemory
process_identifier: 340
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619617363.62025
NtProtectVirtualMemory
process_identifier: 340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617363.62025
NtAllocateVirtualMemory
process_identifier: 340
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ee0000
success 0 0
1619617364.995625
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619617365.026625
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617365.026625
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x020c0000
success 0 0
1619617366.52675
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619617366.65175
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617366.65175
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03140000
success 0 0
1619617368.38575
NtAllocateVirtualMemory
process_identifier: 3088
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619617368.46375
NtProtectVirtualMemory
process_identifier: 3088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617368.47975
NtAllocateVirtualMemory
process_identifier: 3088
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01fc0000
success 0 0
1619617377.260375
NtAllocateVirtualMemory
process_identifier: 3208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619617377.557375
NtProtectVirtualMemory
process_identifier: 3208
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617377.557375
NtAllocateVirtualMemory
process_identifier: 3208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ee0000
success 0 0
1619617380.042875
NtAllocateVirtualMemory
process_identifier: 3352
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e20000
success 0 0
1619617380.526875
NtProtectVirtualMemory
process_identifier: 3352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617380.526875
NtAllocateVirtualMemory
process_identifier: 3352
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02000000
success 0 0
1619617389.76025
NtAllocateVirtualMemory
process_identifier: 3476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01ed0000
success 0 0
1619617389.93225
NtProtectVirtualMemory
process_identifier: 3476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617389.96325
NtAllocateVirtualMemory
process_identifier: 3476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03140000
success 0 0
1619617392.963625
NtAllocateVirtualMemory
process_identifier: 3620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619617393.292625
NtProtectVirtualMemory
process_identifier: 3620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617393.307625
NtAllocateVirtualMemory
process_identifier: 3620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01dd0000
success 0 0
1619617402.94875
NtAllocateVirtualMemory
process_identifier: 3940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619617403.19875
NtProtectVirtualMemory
process_identifier: 3940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617403.21375
NtAllocateVirtualMemory
process_identifier: 3940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x005b0000
success 0 0
1619617406.026375
NtAllocateVirtualMemory
process_identifier: 4080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619617406.229375
NtProtectVirtualMemory
process_identifier: 4080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617406.260375
NtAllocateVirtualMemory
process_identifier: 4080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ee0000
success 0 0
1619617417.385125
NtAllocateVirtualMemory
process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619617417.885125
NtProtectVirtualMemory
process_identifier: 1880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617417.901125
NtAllocateVirtualMemory
process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02100000
success 0 0
1619617420.72975
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b0000
success 0 0
1619617421.27675
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617421.27675
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ee0000
success 0 0
1619617438.182875
NtAllocateVirtualMemory
process_identifier: 3988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00350000
success 0 0
1619617438.760875
NtProtectVirtualMemory
process_identifier: 3988
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617438.776875
NtAllocateVirtualMemory
process_identifier: 3988
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00680000
success 0 0
1619617443.010875
NtAllocateVirtualMemory
process_identifier: 3836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619617443.432875
NtProtectVirtualMemory
process_identifier: 3836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617443.432875
NtAllocateVirtualMemory
process_identifier: 3836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01fc0000
success 0 0
1619617461.729082
NtAllocateVirtualMemory
process_identifier: 936
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619617462.791082
NtProtectVirtualMemory
process_identifier: 936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617462.807082
NtAllocateVirtualMemory
process_identifier: 936
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01fc0000
success 0 0
1619617467.155614
NtAllocateVirtualMemory
process_identifier: 3492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619617467.233614
NtProtectVirtualMemory
process_identifier: 3492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619617467.233614
NtAllocateVirtualMemory
process_identifier: 3492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007f0000
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description Host.exe tried to sleep 132 seconds, actually delayed analysis time by 132 seconds
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
Drops a binary and executes it (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
Drops an executable to the user AppData folder (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (21 个事件)
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.235031884761396 section {'size_of_data': '0x00039600', 'virtual_address': '0x0009e000', 'entropy': 7.235031884761396, 'name': '.rsrc', 'virtual_size': '0x00039534'} description A section with a high entropy has been found
entropy 0.2743574417214585 description Overall entropy of this PE file is high
Expresses interest in specific running processes (2 个事件)
process host.exe
process 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (22 个事件)
Time & API Arguments Status Return Repeated
1619617363.62025
Process32NextW
process_name: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
snapshot_handle: 0x00000100
process_identifier: 340
failed 0 0
1619617365.042625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 2228
failed 0 0
1619617376.463625
Process32NextW
process_name: Host.exe
snapshot_handle: 0x00000228
process_identifier: 3088
failed 0 0
1619617366.69875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 2536
failed 0 0
1619617368.49575
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 3164
failed 0 0
1619617377.604375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 3264
failed 0 0
1619617380.542875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 3416
failed 0 0
1619617389.292875
Process32NextW
process_name: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
snapshot_handle: 0x00000218
process_identifier: 3352
failed 0 0
1619617390.02625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 3532
failed 0 0
1619617393.323625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 3684
failed 0 0
1619617402.495625
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x00000200
process_identifier: 3864
failed 0 0
1619617403.74575
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 3996
failed 0 0
1619617406.354375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 3148
failed 0 0
1619617416.635375
Process32NextW
process_name: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
snapshot_handle: 0x0000023c
process_identifier: 4080
failed 0 0
1619617417.932125
Process32NextW
process_name: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
snapshot_handle: 0x00000100
process_identifier: 1880
failed 0 0
1619617421.27675
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 3304
failed 0 0
1619617437.35475
Process32NextW
process_name: GoogleUpdate.exe
snapshot_handle: 0x00000284
process_identifier: 3536
failed 0 0
1619617438.823875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 4060
failed 0 0
1619617443.604875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 1056
failed 0 0
1619617459.573875
Process32NextW
process_name: 72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
snapshot_handle: 0x000001ec
process_identifier: 3836
failed 0 0
1619617462.807082
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 1988
failed 0 0
1619617467.233614
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000100
process_identifier: 620
failed 0 0
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 194.5.97.76
Installs itself for autorun at Windows startup (1 个事件)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NetWire reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
Creates known Netwire files, registry keys and/or mutexes (1 个事件)
regkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NetWire
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (16 个事件)
Process injection Process 340 called NtSetContextThread to modify thread in remote process 472
Process injection Process 2712 called NtSetContextThread to modify thread in remote process 2128
Process injection Process 3208 called NtSetContextThread to modify thread in remote process 3284
Process injection Process 3476 called NtSetContextThread to modify thread in remote process 3560
Process injection Process 3940 called NtSetContextThread to modify thread in remote process 4020
Process injection Process 1880 called NtSetContextThread to modify thread in remote process 2620
Process injection Process 3988 called NtSetContextThread to modify thread in remote process 4076
Process injection Process 936 called NtSetContextThread to modify thread in remote process 2964
Time & API Arguments Status Return Repeated
1619617363.99525
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 472
success 0 0
1619617367.54275
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2128
success 0 0
1619617378.198375
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3284
success 0 0
1619617391.65125
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3560
success 0 0
1619617404.54275
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4020
success 0 0
1619617419.307125
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2620
success 0 0
1619617440.057875
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4076
success 0 0
1619617464.963082
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2964
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (16 个事件)
Process injection Process 340 resumed a thread in remote process 472
Process injection Process 2712 resumed a thread in remote process 2128
Process injection Process 3208 resumed a thread in remote process 3284
Process injection Process 3476 resumed a thread in remote process 3560
Process injection Process 3940 resumed a thread in remote process 4020
Process injection Process 1880 resumed a thread in remote process 2620
Process injection Process 3988 resumed a thread in remote process 4076
Process injection Process 936 resumed a thread in remote process 2964
Time & API Arguments Status Return Repeated
1619617364.40125
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 472
success 0 0
1619617367.87075
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2128
success 0 0
1619617379.042375
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3284
success 0 0
1619617392.24525
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3560
success 0 0
1619617405.19875
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 4020
success 0 0
1619617419.729125
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2620
success 0 0
1619617441.604875
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 4076
success 0 0
1619617466.104082
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2964
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 63 个事件)
Time & API Arguments Status Return Repeated
1619617363.97925
CreateProcessInternalW
thread_identifier: 580
thread_handle: 0x00000108
process_identifier: 472
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619617363.97925
NtUnmapViewOfSection
process_identifier: 472
region_size: 4096
process_handle: 0x0000010c
base_address: 0x00400000
success 0 0
1619617363.99525
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 472
commit_size: 208896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x0000010c
allocation_type: 0 ()
section_offset: 0
view_size: 208896
base_address: 0x00400000
success 0 0
1619617363.99525
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619617363.99525
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 472
success 0 0
1619617364.40125
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 472
success 0 0
1619617364.55725
CreateProcessInternalW
thread_identifier: 428
thread_handle: 0x00000110
process_identifier: 2240
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe" 2 472 14488609
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619617366.135502
CreateProcessInternalW
thread_identifier: 2824
thread_handle: 0x00000220
process_identifier: 2712
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe" -m "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002a0
inherit_handles: 0
success 1 0
1619617376.682625
CreateProcessInternalW
thread_identifier: 3212
thread_handle: 0x0000022c
process_identifier: 3208
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000230
inherit_handles: 0
success 1 0
1619617367.52675
CreateProcessInternalW
thread_identifier: 3060
thread_handle: 0x00000108
process_identifier: 2128
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe" -m "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619617367.52675
NtUnmapViewOfSection
process_identifier: 2128
region_size: 4096
process_handle: 0x0000010c
base_address: 0x00400000
success 0 0
1619617367.52675
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 2128
commit_size: 208896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x0000010c
allocation_type: 0 ()
section_offset: 0
view_size: 208896
base_address: 0x00400000
success 0 0
1619617367.54275
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619617367.54275
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2128
success 0 0
1619617367.87075
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2128
success 0 0
1619617368.04275
CreateProcessInternalW
thread_identifier: 3092
thread_handle: 0x00000110
process_identifier: 3088
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe" 2 2128 14492078
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619617378.120375
CreateProcessInternalW
thread_identifier: 3288
thread_handle: 0x00000108
process_identifier: 3284
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619617378.135375
NtUnmapViewOfSection
process_identifier: 3284
region_size: 4096
process_handle: 0x0000010c
base_address: 0x00400000
success 0 0
1619617378.167375
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 3284
commit_size: 208896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x0000010c
allocation_type: 0 ()
section_offset: 0
view_size: 208896
base_address: 0x00400000
success 0 0
1619617378.198375
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619617378.198375
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3284
success 0 0
1619617379.042375
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3284
success 0 0
1619617379.479375
CreateProcessInternalW
thread_identifier: 3356
thread_handle: 0x00000110
process_identifier: 3352
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe" 2 3284 14503250
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619617389.479875
CreateProcessInternalW
thread_identifier: 3480
thread_handle: 0x0000021c
process_identifier: 3476
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000220
inherit_handles: 0
success 1 0
1619617391.54225
CreateProcessInternalW
thread_identifier: 3564
thread_handle: 0x00000108
process_identifier: 3560
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619617391.54225
NtUnmapViewOfSection
process_identifier: 3560
region_size: 4096
process_handle: 0x0000010c
base_address: 0x00400000
success 0 0
1619617391.57325
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 3560
commit_size: 208896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x0000010c
allocation_type: 0 ()
section_offset: 0
view_size: 208896
base_address: 0x00400000
success 0 0
1619617391.63525
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619617391.65125
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3560
success 0 0
1619617392.24525
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3560
success 0 0
1619617392.37025
CreateProcessInternalW
thread_identifier: 3624
thread_handle: 0x00000110
process_identifier: 3620
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe" 2 3560 14516453
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619617402.557625
CreateProcessInternalW
thread_identifier: 3944
thread_handle: 0x00000204
process_identifier: 3940
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000208
inherit_handles: 0
success 1 0
1619617404.51075
CreateProcessInternalW
thread_identifier: 4024
thread_handle: 0x00000108
process_identifier: 4020
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619617404.51075
NtUnmapViewOfSection
process_identifier: 4020
region_size: 4096
process_handle: 0x0000010c
base_address: 0x00400000
success 0 0
1619617404.52675
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 4020
commit_size: 208896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x0000010c
allocation_type: 0 ()
section_offset: 0
view_size: 208896
base_address: 0x00400000
success 0 0
1619617404.54275
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619617404.54275
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4020
success 0 0
1619617405.19875
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 4020
success 0 0
1619617405.68275
CreateProcessInternalW
thread_identifier: 4084
thread_handle: 0x00000110
process_identifier: 4080
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe" 2 4020 14529406
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619617416.792375
CreateProcessInternalW
thread_identifier: 1908
thread_handle: 0x00000240
process_identifier: 1880
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000244
inherit_handles: 0
success 1 0
1619617419.167125
CreateProcessInternalW
thread_identifier: 2060
thread_handle: 0x00000108
process_identifier: 2620
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619617419.167125
NtUnmapViewOfSection
process_identifier: 2620
region_size: 4096
process_handle: 0x0000010c
base_address: 0x00400000
success 0 0
1619617419.198125
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 2620
commit_size: 208896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x0000010c
allocation_type: 0 ()
section_offset: 0
view_size: 208896
base_address: 0x00400000
success 0 0
1619617419.307125
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619617419.307125
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2620
success 0 0
1619617419.729125
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2620
success 0 0
1619617419.885125
CreateProcessInternalW
thread_identifier: 2208
thread_handle: 0x00000110
process_identifier: 580
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe" 2 2620 14543937
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619617437.79275
CreateProcessInternalW
thread_identifier: 3900
thread_handle: 0x00000288
process_identifier: 3988
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000028c
inherit_handles: 0
success 1 0
1619617440.010875
CreateProcessInternalW
thread_identifier: 3048
thread_handle: 0x00000108
process_identifier: 4076
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\72dd0f3d54f711e8f3c83a2f1b7ce6dc.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619617440.026875
NtUnmapViewOfSection
process_identifier: 4076
region_size: 4096
process_handle: 0x0000010c
base_address: 0x00400000
success 0 0
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)
MicroWorld-eScan Trojan.GenericKD.33835627
CAT-QuickHeal Trojan.Kryptik
Qihoo-360 Win32/Trojan.469
McAfee Fareit-FTC!72DD0F3D54F7
Cylance Unsafe
AegisLab Trojan.Win32.Kryptik.4!c
CrowdStrike win/malicious_confidence_90% (W)
Alibaba Trojan:Win32/Kryptik.19bef108
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
TrendMicro TrojanSpy.Win32.FAREIT.THEBCBO
BitDefenderTheta Gen:NN.ZelphiF.34122.0GW@auEj@Vji
Cyren W32/Trojan.FCMT-6763
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win32/Injector.ELXR
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.HawkEye-7789014-0
GData Win32.Trojan.Injector.PA
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.GenericKD.33835627
NANO-Antivirus Trojan.Win32.Stealer.hkdnih
Endgame malicious (high confidence)
Sophos Mal/Fareit-AA
Comodo Malware@#2iy3j3yzkvtv2
F-Secure Trojan.TR/Injector.ojfnx
DrWeb Trojan.PWS.Stealer.28485
Zillya Trojan.Fareit.Win32.35890
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Trojan.cc
FireEye Generic.mg.72dd0f3d54f711e8
Emsisoft Trojan.GenericKD.33835627 (B)
Ikarus Trojan.Inject
F-Prot W32/Trojan3.APDS
Webroot W32.Trojan.Gen
Avira TR/Injector.ojfnx
Antiy-AVL Trojan/Win32.Kryptik
Microsoft PWS:Win32/Fareit.JK!MTB
Arcabit Trojan.Generic.D2044A6B
ViRobot Trojan.Win32.Z.Kryptik.857600.J
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
AhnLab-V3 Suspicious/Win.Delphiless.X2066
Acronis suspicious
VBA32 TScope.Trojan.Delf
ALYac Trojan.Kryptik.gen
MAX malware (ai score=81)
Ad-Aware Trojan.GenericKD.33835627
Malwarebytes Spyware.Agent
Panda Trj/CI.A
TrendMicro-HouseCall TrojanSpy.Win32.FAREIT.THEBCBO
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 个事件)
dead_host 172.217.160.78:443
dead_host 194.5.97.76:1591
dead_host 192.168.56.101:49180
dead_host 192.168.56.101:49227
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x48f178 VirtualFree
0x48f17c VirtualAlloc
0x48f180 LocalFree
0x48f184 LocalAlloc
0x48f188 GetVersion
0x48f18c GetCurrentThreadId
0x48f198 VirtualQuery
0x48f19c WideCharToMultiByte
0x48f1a0 MultiByteToWideChar
0x48f1a4 lstrlenA
0x48f1a8 lstrcpynA
0x48f1ac LoadLibraryExA
0x48f1b0 GetThreadLocale
0x48f1b4 GetStartupInfoA
0x48f1b8 GetProcAddress
0x48f1bc GetModuleHandleA
0x48f1c0 GetModuleFileNameA
0x48f1c4 GetLocaleInfoA
0x48f1c8 GetCommandLineA
0x48f1cc FreeLibrary
0x48f1d0 FindFirstFileA
0x48f1d4 FindClose
0x48f1d8 ExitProcess
0x48f1dc ExitThread
0x48f1e0 CreateThread
0x48f1e4 WriteFile
0x48f1ec RtlUnwind
0x48f1f0 RaiseException
0x48f1f4 GetStdHandle
Library user32.dll:
0x48f1fc GetKeyboardType
0x48f200 LoadStringA
0x48f204 MessageBoxA
0x48f208 CharNextA
Library advapi32.dll:
0x48f210 RegQueryValueExA
0x48f214 RegOpenKeyExA
0x48f218 RegCloseKey
Library oleaut32.dll:
0x48f220 SysFreeString
0x48f224 SysReAllocStringLen
0x48f228 SysAllocStringLen
Library kernel32.dll:
0x48f230 TlsSetValue
0x48f234 TlsGetValue
0x48f238 LocalAlloc
0x48f23c GetModuleHandleA
Library advapi32.dll:
0x48f244 RegQueryValueExA
0x48f248 RegOpenKeyExA
0x48f24c RegCloseKey
Library kernel32.dll:
0x48f254 lstrlenA
0x48f258 lstrcpyA
0x48f25c lstrcmpA
0x48f260 WriteFile
0x48f264 WaitForSingleObject
0x48f26c VirtualQuery
0x48f270 VirtualProtect
0x48f274 VirtualAlloc
0x48f278 Sleep
0x48f27c SizeofResource
0x48f280 SetThreadLocale
0x48f284 SetFilePointer
0x48f288 SetEvent
0x48f28c SetErrorMode
0x48f290 SetEndOfFile
0x48f298 ResumeThread
0x48f29c ResetEvent
0x48f2a0 ReleaseMutex
0x48f2a4 ReadFile
0x48f2a8 MultiByteToWideChar
0x48f2ac MulDiv
0x48f2b0 LockResource
0x48f2b4 LoadResource
0x48f2b8 LoadLibraryA
0x48f2c4 GlobalUnlock
0x48f2c8 GlobalReAlloc
0x48f2cc GlobalHandle
0x48f2d0 GlobalLock
0x48f2d4 GlobalFree
0x48f2d8 GlobalFindAtomA
0x48f2dc GlobalDeleteAtom
0x48f2e0 GlobalAlloc
0x48f2e4 GlobalAddAtomA
0x48f2e8 GetVersionExA
0x48f2ec GetVersion
0x48f2f0 GetTickCount
0x48f2f4 GetThreadLocale
0x48f2f8 GetTempPathA
0x48f300 GetSystemTime
0x48f304 GetSystemInfo
0x48f308 GetStringTypeExA
0x48f30c GetStdHandle
0x48f310 GetProcAddress
0x48f314 GetModuleHandleA
0x48f318 GetModuleFileNameA
0x48f31c GetLocaleInfoA
0x48f320 GetLocalTime
0x48f324 GetLastError
0x48f328 GetFullPathNameA
0x48f32c GetFileSize
0x48f330 GetExitCodeThread
0x48f334 GetDiskFreeSpaceA
0x48f338 GetDateFormatA
0x48f33c GetCurrentThreadId
0x48f340 GetCurrentProcessId
0x48f348 GetCPInfo
0x48f34c GetACP
0x48f350 FreeResource
0x48f358 InterlockedExchange
0x48f360 FreeLibrary
0x48f364 FormatMessageA
0x48f368 FindResourceA
0x48f370 FindFirstFileA
0x48f37c FindClose
0x48f38c ExitThread
0x48f390 ExitProcess
0x48f394 EnumCalendarInfoA
0x48f39c DeleteFileA
0x48f3a4 CreateThread
0x48f3a8 CreateMutexA
0x48f3ac CreateFileA
0x48f3b0 CreateEventA
0x48f3b4 CompareStringA
0x48f3b8 CloseHandle
Library version.dll:
0x48f3c0 VerQueryValueA
0x48f3c8 GetFileVersionInfoA
Library gdi32.dll:
0x48f3d0 UnrealizeObject
0x48f3d4 StretchBlt
0x48f3d8 SetWindowOrgEx
0x48f3dc SetViewportOrgEx
0x48f3e0 SetTextColor
0x48f3e4 SetStretchBltMode
0x48f3e8 SetROP2
0x48f3ec SetPixel
0x48f3f0 SetDIBColorTable
0x48f3f4 SetColorSpace
0x48f3f8 SetBrushOrgEx
0x48f3fc SetBkMode
0x48f400 SetBkColor
0x48f404 SelectPalette
0x48f408 SelectObject
0x48f40c SaveDC
0x48f410 RestoreDC
0x48f414 Rectangle
0x48f418 RectVisible
0x48f41c RealizePalette
0x48f420 PatBlt
0x48f424 MoveToEx
0x48f428 MaskBlt
0x48f42c LineTo
0x48f430 IntersectClipRect
0x48f434 GetWindowOrgEx
0x48f438 GetTextMetricsA
0x48f444 GetStockObject
0x48f448 GetPixel
0x48f44c GetPaletteEntries
0x48f450 GetObjectA
0x48f454 GetDeviceCaps
0x48f458 GetDIBits
0x48f45c GetDIBColorTable
0x48f460 GetDCOrgEx
0x48f468 GetClipBox
0x48f46c GetBrushOrgEx
0x48f470 GetBitmapBits
0x48f474 ExtTextOutA
0x48f478 ExcludeClipRect
0x48f47c DeleteObject
0x48f480 DeleteDC
0x48f484 CreateSolidBrush
0x48f488 CreatePenIndirect
0x48f48c CreatePalette
0x48f494 CreateFontIndirectA
0x48f498 CreateDIBitmap
0x48f49c CreateDIBSection
0x48f4a0 CreateCompatibleDC
0x48f4a8 CreateBrushIndirect
0x48f4ac CreateBitmap
0x48f4b0 BitBlt
Library user32.dll:
0x48f4b8 CreateWindowExA
0x48f4bc WindowFromPoint
0x48f4c0 WinHelpA
0x48f4c4 WaitMessage
0x48f4c8 UpdateWindow
0x48f4cc UnregisterClassA
0x48f4d0 UnhookWindowsHookEx
0x48f4d4 TranslateMessage
0x48f4dc TrackPopupMenu
0x48f4e4 ShowWindow
0x48f4e8 ShowScrollBar
0x48f4ec ShowOwnedPopups
0x48f4f0 ShowCursor
0x48f4f4 SetWindowsHookExA
0x48f4f8 SetWindowTextA
0x48f4fc SetWindowPos
0x48f500 SetWindowPlacement
0x48f504 SetWindowLongA
0x48f508 SetTimer
0x48f50c SetScrollRange
0x48f510 SetScrollPos
0x48f514 SetScrollInfo
0x48f518 SetRect
0x48f51c SetPropA
0x48f520 SetParent
0x48f524 SetMenuItemInfoA
0x48f528 SetMenu
0x48f52c SetForegroundWindow
0x48f530 SetFocus
0x48f534 SetCursor
0x48f538 SetClassLongA
0x48f53c SetCapture
0x48f540 SetActiveWindow
0x48f544 SendMessageA
0x48f548 ScrollWindow
0x48f54c ScreenToClient
0x48f550 RemovePropA
0x48f554 RemoveMenu
0x48f558 ReleaseDC
0x48f55c ReleaseCapture
0x48f568 RegisterClassA
0x48f56c RedrawWindow
0x48f570 PtInRect
0x48f574 PostQuitMessage
0x48f578 PostMessageA
0x48f57c PeekMessageA
0x48f580 OffsetRect
0x48f584 OemToCharA
0x48f58c MessageBoxA
0x48f590 MapWindowPoints
0x48f594 MapVirtualKeyA
0x48f598 LoadStringA
0x48f59c LoadKeyboardLayoutA
0x48f5a0 LoadIconA
0x48f5a4 LoadCursorA
0x48f5a8 LoadBitmapA
0x48f5ac KillTimer
0x48f5b0 IsZoomed
0x48f5b4 IsWindowVisible
0x48f5b8 IsWindowEnabled
0x48f5bc IsWindow
0x48f5c0 IsRectEmpty
0x48f5c4 IsIconic
0x48f5c8 IsDialogMessageA
0x48f5cc IsChild
0x48f5d0 InvalidateRect
0x48f5d4 IntersectRect
0x48f5d8 InsertMenuItemA
0x48f5dc InsertMenuA
0x48f5e0 InflateRect
0x48f5e8 GetWindowTextA
0x48f5ec GetWindowRect
0x48f5f0 GetWindowPlacement
0x48f5f4 GetWindowLongA
0x48f5f8 GetWindowDC
0x48f5fc GetTopWindow
0x48f600 GetSystemMetrics
0x48f604 GetSystemMenu
0x48f608 GetSysColorBrush
0x48f60c GetSysColor
0x48f610 GetSubMenu
0x48f614 GetScrollRange
0x48f618 GetScrollPos
0x48f61c GetScrollInfo
0x48f620 GetPropA
0x48f624 GetParent
0x48f628 GetWindow
0x48f62c GetMessagePos
0x48f630 GetMenuStringA
0x48f634 GetMenuState
0x48f638 GetMenuItemInfoA
0x48f63c GetMenuItemID
0x48f640 GetMenuItemCount
0x48f644 GetMenu
0x48f648 GetLastActivePopup
0x48f64c GetKeyboardState
0x48f654 GetKeyboardLayout
0x48f658 GetKeyState
0x48f65c GetKeyNameTextA
0x48f660 GetIconInfo
0x48f664 GetForegroundWindow
0x48f668 GetFocus
0x48f66c GetDesktopWindow
0x48f670 GetDCEx
0x48f674 GetDC
0x48f678 GetCursorPos
0x48f67c GetCursor
0x48f680 GetClientRect
0x48f684 GetClassNameA
0x48f688 GetClassInfoA
0x48f68c GetCapture
0x48f690 GetActiveWindow
0x48f694 FrameRect
0x48f698 FindWindowA
0x48f69c FillRect
0x48f6a0 EqualRect
0x48f6a4 EnumWindows
0x48f6a8 EnumThreadWindows
0x48f6ac EndPaint
0x48f6b0 EnableWindow
0x48f6b4 EnableScrollBar
0x48f6b8 EnableMenuItem
0x48f6bc DrawTextA
0x48f6c0 DrawMenuBar
0x48f6c4 DrawIconEx
0x48f6c8 DrawIcon
0x48f6cc DrawFrameControl
0x48f6d0 DrawFocusRect
0x48f6d4 DrawEdge
0x48f6d8 DispatchMessageA
0x48f6dc DestroyWindow
0x48f6e0 DestroyMenu
0x48f6e4 DestroyIcon
0x48f6e8 DestroyCursor
0x48f6ec DeleteMenu
0x48f6f0 DefWindowProcA
0x48f6f4 DefMDIChildProcA
0x48f6f8 DefFrameProcA
0x48f6fc CreatePopupMenu
0x48f700 CreateMenu
0x48f704 CreateIcon
0x48f708 ClientToScreen
0x48f710 CheckMenuItem
0x48f714 CallWindowProcA
0x48f718 CallNextHookEx
0x48f71c BeginPaint
0x48f720 CharNextA
0x48f724 CharLowerA
0x48f728 CharUpperBuffA
0x48f72c CharToOemA
0x48f730 AdjustWindowRectEx
Library kernel32.dll:
0x48f73c Sleep
Library oleaut32.dll:
0x48f744 SafeArrayPtrOfIndex
0x48f748 SafeArrayGetUBound
0x48f74c SafeArrayGetLBound
0x48f750 SafeArrayCreate
0x48f754 VariantChangeType
0x48f758 VariantCopy
0x48f75c VariantClear
0x48f760 VariantInit
Library ole32.dll:
0x48f768 OleUninitialize
0x48f76c OleInitialize
0x48f770 CoTaskMemAlloc
0x48f774 CoCreateInstance
0x48f778 CoUninitialize
0x48f77c CoInitialize
Library oleaut32.dll:
0x48f784 GetErrorInfo
0x48f788 SysFreeString
Library comctl32.dll:
0x48f798 ImageList_Write
0x48f79c ImageList_Read
0x48f7ac ImageList_DragMove
0x48f7b0 ImageList_DragLeave
0x48f7b4 ImageList_DragEnter
0x48f7b8 ImageList_EndDrag
0x48f7bc ImageList_BeginDrag
0x48f7c0 ImageList_Remove
0x48f7c4 ImageList_DrawEx
0x48f7c8 ImageList_Draw
0x48f7d8 ImageList_Add
0x48f7e0 ImageList_Destroy
0x48f7e4 ImageList_Create
0x48f7e8 InitCommonControls
Library shell32.dll:
0x48f7f0 ShellExecuteExA
0x48f7f4 ShellExecuteA
0x48f7f8 SHGetFileInfoA
Library shell32.dll:
0x48f804 SHGetMalloc
0x48f808 SHGetDesktopFolder

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.