12.2
0-day
49 个模型检测该样本为恶意!
重新分析
更多

62e9e19f17768c81e004a926fa2cb6af6d388be696bdd0635d94e8066eee31b6

7504cf0b6d7db8fa52410e8f659ba8de.exe

分析耗时

122s

最近分析

文件大小

510.2KB
静态报毒 动态报毒 AGEN AI SCORE=85 AIDETECTVM ARTEMIS ATTRIBUTE BSCOPE CLASSIC CLIPBANKER CLIPSTEAL CONFIDENCE CRYPMOD ELDORADO GENERICKD GENERICRXKC HIGH CONFIDENCE HIGHCONFIDENCE HSPMLE IMW@AU8SJCM MALWARE2 MALWARE@#32NHUTHZUXN5 MULTIPLE DETECTIONS PASSWORDSTEALER PREDATOR PWSX SCORE TROJANPSW UNSAFE VIDAR VIDARSTEALER ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Artemis!7504CF0B6D7D 20201027 6.0.6.653
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
Avast Win32:PWSX-gen [Trj] 20201027 18.4.3895.0
Alibaba TrojanPSW:Win32/PasswordStealer.e3849417 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Kingsoft 20201027 2013.8.14.323
静态指标
Queries for the computername (4 个事件)
Time & API Arguments Status Return Repeated
1620785859.511874
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620785432.373271
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620785436.983271
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620785436.998271
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (28 个事件)
Time & API Arguments Status Return Repeated
1620785856.277249
IsDebuggerPresent
failed 0 0
1620785450.983646
IsDebuggerPresent
failed 0 0
1620785451.123646
IsDebuggerPresent
failed 0 0
1620785461.061646
IsDebuggerPresent
failed 0 0
1620785461.186646
IsDebuggerPresent
failed 0 0
1620785461.186646
IsDebuggerPresent
failed 0 0
1620785461.311646
IsDebuggerPresent
failed 0 0
1620785461.436646
IsDebuggerPresent
failed 0 0
1620785461.483646
IsDebuggerPresent
failed 0 0
1620785461.498646
IsDebuggerPresent
failed 0 0
1620785461.608646
IsDebuggerPresent
failed 0 0
1620785463.123646
IsDebuggerPresent
failed 0 0
1620785465.639646
IsDebuggerPresent
failed 0 0
1620785473.889646
IsDebuggerPresent
failed 0 0
1620785474.795646
IsDebuggerPresent
failed 0 0
1620785474.842646
IsDebuggerPresent
failed 0 0
1620785475.561646
IsDebuggerPresent
failed 0 0
1620785478.202646
IsDebuggerPresent
failed 0 0
1620785478.545646
IsDebuggerPresent
failed 0 0
1620785483.998646
IsDebuggerPresent
failed 0 0
1620785486.717646
IsDebuggerPresent
failed 0 0
1620785486.858646
IsDebuggerPresent
failed 0 0
1620785492.795646
IsDebuggerPresent
failed 0 0
1620785431.217896
IsDebuggerPresent
failed 0 0
1620785431.342896
IsDebuggerPresent
failed 0 0
1620785431.655896
IsDebuggerPresent
failed 0 0
1620785448.624146
IsDebuggerPresent
failed 0 0
1620785448.640146
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 个事件)
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620785857.667249
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1620785498.014646
__exception__
stacktrace: 
0xb92e04
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

registers.r14: 2535201361408
registers.r9: 0
registers.rcx: 1328
registers.rsi: -6148914691236517206
registers.r10: 0
registers.rbx: 269544784
registers.rdi: 17302540
registers.r11: 269548704
registers.r8: 2009563532
registers.rdx: 1412
registers.rbp: 269544640
registers.r15: 269545144
registers.r12: 269545544
registers.rsp: 269544504
registers.rax: 12135936
registers.r13: 2535202357248
exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 a3 77
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb92e04
success 0 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (50 out of 167 个事件)
Time & API Arguments Status Return Repeated
1620785430.406146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x0000000000860000
success 0 0
1620785430.406146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000008b0000
success 0 0
1620785439.484146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x0000000002150000
success 0 0
1620785439.484146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000002220000
success 0 0
1620785445.124146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a71000
success 0 0
1620785445.124146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a71000
success 0 0
1620785445.421146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef20f0000
success 0 0
1620785448.624146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00000000022a0000
success 0 0
1620785448.624146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000023b0000
success 0 0
1620785448.828146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a72000
success 0 0
1620785448.828146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a72000
success 0 0
1620785448.843146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a72000
success 0 0
1620785448.843146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a72000
success 0 0
1620785448.843146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a72000
success 0 0
1620785448.843146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a73000
success 0 0
1620785448.843146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a73000
success 0 0
1620785448.843146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a73000
success 0 0
1620785448.859146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a73000
success 0 0
1620785448.859146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a73000
success 0 0
1620785448.859146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a73000
success 0 0
1620785448.859146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a73000
success 0 0
1620785448.859146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a71000
success 0 0
1620785448.859146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a72000
success 0 0
1620785448.859146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a72000
success 0 0
1620785448.859146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a72000
success 0 0
1620785448.859146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a72000
success 0 0
1620785448.906146
NtProtectVirtualMemory
process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1a72000
success 0 0
1620785451.562146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00032000
success 0 0
1620785451.890146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00022000
success 0 0
1620785452.296146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007fffff00000
success 0 0
1620785452.296146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff00000
success 0 0
1620785452.296146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff00000
success 0 0
1620785452.296146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff10000
success 0 0
1620785452.296146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007ffffef0000
success 0 0
1620785452.296146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ffffef0000
success 0 0
1620785452.312146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0002a000
success 0 0
1620785453.468146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00033000
success 0 0
1620785453.468146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000dc000
success 0 0
1620785453.484146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00106000
success 0 0
1620785453.484146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000e0000
success 0 0
1620785453.968146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00034000
success 0 0
1620785454.156146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0002b000
success 0 0
1620785454.203146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0003c000
success 0 0
1620785455.562146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00035000
success 0 0
1620785455.718146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00150000
success 0 0
1620785455.796146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0003a000
success 0 0
1620785455.812146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0004b000
success 0 0
1620785456.437146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00200000
success 0 0
1620785456.437146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00205000
success 0 0
1620785456.499146
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00209000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
An application raised an exception which may be indicative of an exploit crash (2 个事件)
Application Crash Process chrome.exe with pid 340 crashed
Time & API Arguments Status Return Repeated
1620785498.014646
__exception__
stacktrace: 
0xb92e04
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

registers.r14: 2535201361408
registers.r9: 0
registers.rcx: 1328
registers.rsi: -6148914691236517206
registers.r10: 0
registers.rbx: 269544784
registers.rdi: 17302540
registers.r11: 269548704
registers.r8: 2009563532
registers.rdx: 1412
registers.rbp: 269544640
registers.r15: 269545144
registers.r12: 269545544
registers.rsp: 269544504
registers.rax: 12135936
registers.r13: 2535202357248
exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 a3 77
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb92e04
success 0 0
Steals private information from local Internet browsers (26 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF126a477.TMP
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\First Run
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-609B1560-154.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Last Version
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Policy\User Policy
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Preferences
Creates executable files on the filesystem (4 个事件)
file C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe
file C:\Windows\wotsuper.reg
file C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
file C:\Program Files (x86)\wotsuper\wotsuper\wotsuper11.exe
Creates a shortcut to an executable file (11 个事件)
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file C:\Users\Public\Desktop\Google Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
Drops a binary and executes it (2 个事件)
file C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
file C:\Program Files (x86)\wotsuper\wotsuper\wotsuper11.exe
A process created a hidden window (3 个事件)
Time & API Arguments Status Return Repeated
1620785858.730249
ShellExecuteExW
parameters:
filepath: https://iplogger.org/1lTHd.html
filepath_r: https://iplogger.org/1lTHd.html
show_type: 0
success 1 0
1620785858.761249
ShellExecuteExW
parameters:
filepath: https://iplogger.org/1lTHd.html
filepath_r: https://iplogger.org/1lTHd.html
show_type: 0
success 1 0
1620785859.527249
ShellExecuteExW
parameters: \s C:\Windows\wotsuper.reg
filepath: regedit.exe
filepath_r: regedit.exe
show_type: 0
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620785874.105874
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 个事件)
Time & API Arguments Status Return Repeated
1620785455.843146
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620785441.045271
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620785441.061271
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Installs itself for autorun at Windows startup (1 个事件)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Steam reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\NVIDIA\dllhost.exe
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1620785877.370874
RegSetValueExA
key_handle: 0x00000354
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620785877.370874
RegSetValueExA
key_handle: 0x00000354
value: `öÝ«¾F×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620785877.370874
RegSetValueExA
key_handle: 0x00000354
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620785877.370874
RegSetValueExW
key_handle: 0x00000354
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620785877.370874
RegSetValueExA
key_handle: 0x0000036c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620785877.370874
RegSetValueExA
key_handle: 0x0000036c
value: `öÝ«¾F×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620785877.370874
RegSetValueExA
key_handle: 0x0000036c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620785877.386874
RegSetValueExW
key_handle: 0x00000350
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
One or more non-safelisted processes were created (2 个事件)
parent_process chrome.exe martian_process "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef24e4f50,0x7fef24e4f60,0x7fef24e4f70
parent_process chrome.exe martian_process "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1004,10972296968976093827,6866342465443070254,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1080 /prefetch:2
Resumed a suspended thread in a remote process potentially indicative of process injection (5 个事件)
Process injection Process 1056 resumed a thread in remote process 340
Time & API Arguments Status Return Repeated
1620785498.358896
NtResumeThread
thread_handle: 0x000000000000013c
suspend_count: 2
process_identifier: 340
success 0 0
1620785498.498896
NtResumeThread
thread_handle: 0x000000000000013c
suspend_count: 2
process_identifier: 340
success 0 0
1620785498.623896
NtResumeThread
thread_handle: 0x000000000000013c
suspend_count: 2
process_identifier: 340
success 0 0
1620785498.702896
NtResumeThread
thread_handle: 0x000000000000013c
suspend_count: 2
process_identifier: 340
success 0 0
Generates some ICMP traffic
File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 个事件)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Stealer.29176
MicroWorld-eScan Trojan.GenericKD.34393671
FireEye Generic.mg.7504cf0b6d7db8fa
CAT-QuickHeal Trojan.MSIL
Qihoo-360 Win32/Trojan.PSW.44f
McAfee Artemis!7504CF0B6D7D
Cylance Unsafe
CrowdStrike win/malicious_confidence_60% (W)
BitDefender Trojan.GenericKD.34393671
K7GW Password-Stealer ( 00569ede1 )
K7AntiVirus Password-Stealer ( 00569ede1 )
BitDefenderTheta Gen:NN.ZexaF.34590.ImW@au8sJcm
Cyren W32/Vidar.A.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:PWSX-gen [Trj]
ClamAV Win.Dropper.Vidar-9182565-0
Kaspersky HEUR:Trojan-PSW.Win32.Vidar.vho
Alibaba TrojanPSW:Win32/PasswordStealer.e3849417
NANO-Antivirus Trojan.Win32.Vidar.hspmle
AegisLab Trojan.Win32.Vidar.i!c
Ad-Aware Trojan.GenericKD.34393671
Sophos Mal/Generic-S
Comodo Malware@#32nhuthzuxn5
F-Secure Heuristic.HEUR/AGEN.1101072
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-S
McAfee-GW-Edition GenericRXKC-TC!DD9FD63078BF
Emsisoft Trojan-Dropper.Agent (A)
GData Trojan.GenericKD.34393671
Jiangmin Trojan.PSW.Vidar.ko
Webroot W32.Trojan.Gen
Avira TR/AD.VidarStealer.FL
Arcabit Trojan.Generic.D20CCE47
ZoneAlarm HEUR:Trojan-PSW.Win32.Vidar.vho
Microsoft PWS:MSIL/ClipSteal.YA!MTB
AhnLab-V3 Malware/Win32.Generic.C3733562
VBA32 BScope.Backdoor.Predator
ALYac Trojan.GenericKD.34393671
MAX malware (ai score=85)
ESET-NOD32 multiple detections
Rising Spyware.ClipBanker!1.B839 (CLASSIC)
eGambit Unsafe.AI_Score_99%
Fortinet W32/Agent.OKD!tr
AVG Win32:PWSX-gen [Trj]
Paloalto generic.ml
MaxSecure Trojan-Ransom.Win32.Crypmod.zfq
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
dead_host 216.58.200.46:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x42b1dc VirtualFree
0x42b1e0 VirtualAlloc
0x42b1e4 LocalFree
0x42b1e8 LocalAlloc
0x42b1ec GetVersion
0x42b1f0 GetCurrentThreadId
0x42b1f4 WideCharToMultiByte
0x42b1f8 GetThreadLocale
0x42b1fc GetStartupInfoA
0x42b200 GetLocaleInfoA
0x42b204 GetCommandLineA
0x42b208 FreeLibrary
0x42b20c ExitProcess
0x42b210 WriteFile
0x42b218 RtlUnwind
0x42b21c RaiseException
0x42b220 GetStdHandle
Library user32.dll:
0x42b228 GetKeyboardType
0x42b22c MessageBoxA
Library advapi32.dll:
0x42b234 RegQueryValueExA
0x42b238 RegOpenKeyExA
0x42b23c RegCloseKey
Library oleaut32.dll:
0x42b244 SysFreeString
0x42b248 SysReAllocStringLen
Library kernel32.dll:
0x42b250 TlsSetValue
0x42b254 TlsGetValue
0x42b258 LocalAlloc
0x42b25c GetModuleHandleA
Library advapi32.dll:
0x42b264 RegCloseKey
0x42b268 OpenThreadToken
0x42b26c OpenProcessToken
0x42b270 GetTokenInformation
0x42b274 FreeSid
0x42b278 EqualSid
Library kernel32.dll:
0x42b288 WriteFile
0x42b28c WinExec
0x42b290 WaitForSingleObject
0x42b294 TerminateProcess
0x42b29c Sleep
0x42b2a0 SetFileTime
0x42b2a4 SetFilePointer
0x42b2a8 SetErrorMode
0x42b2ac SetEndOfFile
0x42b2b0 ReadFile
0x42b2b4 OpenProcess
0x42b2b8 MultiByteToWideChar
0x42b2c0 LoadLibraryA
0x42b2c4 GlobalFree
0x42b2c8 GlobalAlloc
0x42b2cc GetVersion
0x42b2d4 GetProcAddress
0x42b2d8 GetModuleHandleA
0x42b2dc GetLocalTime
0x42b2e0 GetLastError
0x42b2e4 GetFileTime
0x42b2e8 GetFileSize
0x42b2ec GetExitCodeProcess
0x42b2f0 GetCurrentThread
0x42b2f4 GetCurrentProcess
0x42b2f8 FreeLibrary
0x42b2fc FindClose
0x42b30c CompareFileTime
0x42b310 CloseHandle
Library gdi32.dll:
0x42b318 StretchDIBits
0x42b31c StretchBlt
0x42b320 SetWindowOrgEx
0x42b324 SetTextColor
0x42b328 SetStretchBltMode
0x42b32c SetRectRgn
0x42b330 SetROP2
0x42b334 SetPixel
0x42b338 SetDIBits
0x42b33c SetBrushOrgEx
0x42b340 SetBkMode
0x42b344 SetBkColor
0x42b348 SelectObject
0x42b34c SaveDC
0x42b350 RestoreDC
0x42b354 OffsetRgn
0x42b358 MoveToEx
0x42b35c IntersectClipRect
0x42b360 GetStockObject
0x42b364 GetPixel
0x42b368 GetDIBits
0x42b36c ExtSelectClipRgn
0x42b370 ExcludeClipRect
0x42b374 DeleteObject
0x42b378 DeleteDC
0x42b37c CreateSolidBrush
0x42b380 CreateRectRgn
0x42b384 CreateDIBitmap
0x42b388 CreateDIBSection
0x42b38c CreateCompatibleDC
0x42b394 CreateBrushIndirect
0x42b398 CreateBitmap
0x42b39c CombineRgn
0x42b3a0 BitBlt
Library user32.dll:
0x42b3a8 WaitMessage
0x42b3ac ValidateRect
0x42b3b0 TranslateMessage
0x42b3b4 ShowWindow
0x42b3b8 SetWindowPos
0x42b3bc SetTimer
0x42b3c0 SetParent
0x42b3c4 SetForegroundWindow
0x42b3c8 SetFocus
0x42b3cc SetCursor
0x42b3d0 SendMessageA
0x42b3d4 ScreenToClient
0x42b3d8 ReleaseDC
0x42b3dc PostQuitMessage
0x42b3e0 OffsetRect
0x42b3e4 KillTimer
0x42b3e8 IsZoomed
0x42b3ec IsWindowVisible
0x42b3f0 IsWindowEnabled
0x42b3f4 IsWindow
0x42b3f8 IsIconic
0x42b3fc InvalidateRect
0x42b400 GetWindowRgn
0x42b404 GetWindowRect
0x42b408 GetWindowDC
0x42b40c GetUpdateRgn
0x42b410 GetSystemMetrics
0x42b414 GetSystemMenu
0x42b418 GetSysColor
0x42b41c GetParent
0x42b420 GetWindow
0x42b424 GetKeyState
0x42b428 GetFocus
0x42b42c GetDCEx
0x42b430 GetDC
0x42b434 GetCursorPos
0x42b438 GetClientRect
0x42b43c GetCapture
0x42b440 FillRect
0x42b444 ExitWindowsEx
0x42b448 EnumWindows
0x42b44c EndPaint
0x42b450 EnableWindow
0x42b454 EnableMenuItem
0x42b458 DrawIcon
0x42b45c DestroyWindow
0x42b460 DestroyIcon
0x42b464 DeleteMenu
0x42b468 CopyImage
0x42b46c ClientToScreen
0x42b470 BeginPaint
0x42b474 CharLowerBuffA
Library winmm.dll:
0x42b47c timeKillEvent
0x42b480 timeSetEvent
Library oleaut32.dll:
0x42b488 SysAllocStringLen
Library ole32.dll:
0x42b490 OleInitialize
Library comctl32.dll:
0x42b498 ImageList_Draw
0x42b4a0 ImageList_Create
0x42b4a4 InitCommonControls
Library shell32.dll:
0x42b4ac SHGetFileInfoA
Library user32.dll:
0x42b4b4 wvsprintfA
0x42b4b8 SetWindowLongA
0x42b4bc SetPropA
0x42b4c0 SendMessageA
0x42b4c4 RemovePropA
0x42b4c8 RegisterClassA
0x42b4cc PostMessageA
0x42b4d0 PeekMessageA
0x42b4d4 MessageBoxA
0x42b4d8 LoadIconA
0x42b4dc LoadCursorA
0x42b4e4 GetWindowTextA
0x42b4e8 GetWindowLongA
0x42b4ec GetPropA
0x42b4f0 GetClassLongA
0x42b4f4 GetClassInfoA
0x42b4f8 FindWindowA
0x42b4fc DrawTextA
0x42b500 DispatchMessageA
0x42b504 DefWindowProcA
0x42b508 CreateWindowExA
0x42b50c CallWindowProcA
Library gdi32.dll:
0x42b518 GetObjectA
0x42b51c CreateFontIndirectA
0x42b520 AddFontResourceA
Library kernel32.dll:
0x42b52c SetFileAttributesA
0x42b534 RemoveDirectoryA
0x42b538 LoadLibraryA
0x42b540 GetVersionExA
0x42b544 GetTimeFormatA
0x42b548 GetTempPathA
0x42b54c GetSystemDirectoryA
0x42b550 GetShortPathNameA
0x42b558 GetModuleHandleA
0x42b55c GetModuleFileNameA
0x42b560 GetFullPathNameA
0x42b564 GetFileAttributesA
0x42b568 GetDiskFreeSpaceA
0x42b56c GetDateFormatA
0x42b570 GetComputerNameA
0x42b574 GetCommandLineA
0x42b578 FindNextFileA
0x42b57c FindFirstFileA
0x42b584 DeleteFileA
0x42b588 CreateFileA
0x42b58c CreateDirectoryA
0x42b590 CompareStringA
Library advapi32.dll:
0x42b598 RegSetValueExA
0x42b59c RegQueryValueExA
0x42b5a0 RegQueryInfoKeyA
0x42b5a4 RegOpenKeyExA
0x42b5a8 RegEnumKeyExA
0x42b5ac RegCreateKeyExA
0x42b5b4 GetUserNameA
Library shell32.dll:
0x42b5bc ShellExecuteExA
0x42b5c0 ShellExecuteA
Library cabinet.dll:
0x42b5c8 FDIDestroy
0x42b5cc FDICopy
0x42b5d0 FDICreate

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49194 88.99.66.31 iplogger.org 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 55169 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 57367 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.