15.2
0-day

SHA-256: 17c7aa7df0ffa47ac142bcf82edb465eedabcc7a307e8726eb12c92698302e16
File name: 7b87763ef937ee2af677b34930a4f47b.exe
Analysis time: 80s
Most recent analysis:
File size: 851.5KB
Static detections, dynamic detections: 1M0@ACGX0VF AGENSLA AI SCORE=88 AJVR ATTRIBUTE AVSARHER BUBVUR ELDORADO FAREIT GDSDA GENERICKD GOLROTED HIGH CONFIDENCE HIGHCONFIDENCE KRYPTIK MALICIOUS PE MALWARE@#2KZ0KW7CK2U4 MALWAREX NANOCORE PACKEDNET QQPASS QQROB R345359 SCORE STATIC AI TCYBP TROJANPSW TSCOPE UNSAFE YAKBEEXMSIL ZEMSILF
鹰眼 (Eagle Eye) engine
Not detected: no 鹰眼 (Eagle Eye) engine results available yet
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee | Fareit-FUQ!7B87763EF937 | 2020-12-11 | 6.0.6.653
Alibaba | TrojanPSW:MSIL/NanoCore.db8fa737 | 2019-05-27 | 0.3.0.5
CrowdStrike | - | 2018-02-02 | 1.0
Baidu | - | 2019-03-18 | 1.0.0.2
Avast | Win32:MalwareX-gen [Trj] | 2020-12-10 | 21.1.5827.0
Kingsoft | - | 2020-12-11 | 2017.9.26.565
Tencent | Msil.Trojan-qqpass.Qqrob.Ajvr | 2020-12-11 | 1.0.0.1
Static indicators
Queries for the computername (13 events)
Time | API | Arguments | Status | Return | Repeated
1619674487.225 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674491.662373 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674505.693373 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674505.959373 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674505.975373 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674506.021373 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674506.037373 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674506.053373 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674506.084373 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674506.209373 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674507.209373 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674507.225373 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619674515.709 | GetComputerNameA | computer_name: OSKAR-PC | success | 1 | 0
Checks if process is being debugged by a debugger (50 out of 78 events)
All 50 listed calls are IsDebuggerPresent with no arguments, status failed, return 0, repeated 0; call timestamps:
1619649228.556822, 1619649229.525822, 1619649230.009822, 1619649230.603822, 1619649231.009822,
1619649231.603822, 1619649232.009822, 1619649232.603822, 1619649233.009822, 1619649233.603822,
1619649234.009822, 1619649234.603822, 1619649235.009822, 1619649235.603822, 1619649236.009822,
1619649236.603822, 1619649237.009822, 1619649237.603822, 1619649238.009822, 1619649238.603822,
1619649239.009822, 1619649239.603822, 1619649240.009822, 1619649240.603822, 1619649241.009822,
1619649241.603822, 1619649242.009822, 1619649242.603822, 1619649243.009822, 1619649243.603822,
1619649244.009822, 1619649244.603822, 1619649245.009822, 1619649245.603822, 1619649246.009822,
1619649246.603822, 1619649247.009822, 1619649247.603822, 1619649248.009822, 1619649248.603822,
1619649249.009822, 1619649249.603822, 1619649250.009822, 1619649250.603822, 1619649251.009822,
1619649251.603822, 1619649252.009822, 1619649252.603822, 1619649253.009822, 1619649253.603822
Command line console output was observed (1 event)
Time | API | Arguments | Status | Return | Repeated
1619674488.115 | WriteConsoleW | buffer: 成功: 成功创建计划任务 "Updates\Xgnyhy"。; console_handle: 0x00000007 | success | 1 | 0
Checks amount of memory in system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time | API | Arguments | Status | Return | Repeated
1619649228.931822 | GlobalMemoryStatusEx | (none) | success | 1 | 0
One or more processes crashed (1 event)
Time | API | Arguments | Status | Return | Repeated
1619674508.646373
__exception__
stacktrace:
0x795505
mscorlib+0x216e76 @ 0x720f6e76
mscorlib+0x2357b1 @ 0x721157b1
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0x492d _CorDllMain-0x8fa8 mscorwks+0x15fa60 @ 0x7408fa60
GetMetaDataInternalInterface+0x4a83 _CorDllMain-0x8e52 mscorwks+0x15fbb6 @ 0x7408fbb6
mscorlib+0x2356a7 @ 0x721156a7
mscorlib+0x2202d5 @ 0x721002d5
mscorlib+0x216df4 @ 0x720f6df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x73fd3191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73f8192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73f818cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73f817f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73f8197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x73fd2f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x73fd303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x7409805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 110357340
registers.edi: 110357428
registers.eax: 0
registers.ebp: 110357444
registers.edx: 158
registers.ebx: 110357948
registers.esi: 40109216
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 98 8b 45 98 89 45 cc 90 90
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7977fd
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Starts servers listening (3 events)
Time | API | Arguments | Status | Return | Repeated
1619674491.787373 | bind | ip_address: 127.0.0.1; socket: 616; port: 0 | success | 0 | 0
1619674491.787373 | listen | socket: 616; backlog: 2147483647 | success | 0 | 0
1619674491.787373 | accept | ip_address: 127.0.0.1; socket: 616; port: 0 | failed | 4294967295 | 0
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: GET method with no useragent header; suspicious_request: GET http://whatismyipaddress.com/
Performs some HTTP requests (1 event)
request: GET http://whatismyipaddress.com/
Allocates read-write-execute memory (usually to unpack itself) (50 out of 111 events)
Common to all 50 listed calls: process_identifier 784, process_handle 0xffffffff, protection 64 (PAGE_EXECUTE_READWRITE), status success, return 0, repeated 0.
Time | API | Size | allocation_type | base_address | stack_dep_bypass | stack_pivoted | heap_dep_bypass
1619649227.916822 | NtAllocateVirtualMemory | region_size: 917504 | 8192 (MEM_RESERVE) | 0x00740000 | 0 | 0 | 0
1619649227.916822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x007e0000 | 0 | 0 | 1
1619649228.431822 | NtProtectVirtualMemory | length: 4096 | - | 0x73f31000 | 0 | 0 | 0
1619649228.556822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x0056a000 | 0 | 0 | 1
1619649228.556822 | NtProtectVirtualMemory | length: 8192 | - | 0x73f32000 | 0 | 0 | 0
1619649228.556822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00562000 | 0 | 0 | 1
1619649228.744822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00572000 | 0 | 0 | 1
1619649228.791822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00573000 | 0 | 0 | 1
1619649228.806822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x006ab000 | 0 | 0 | 1
1619649228.806822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x006a7000 | 0 | 0 | 1
1619649228.822822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x0057c000 | 0 | 0 | 1
1619649228.884822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00790000 | 0 | 0 | 1
1619649228.916822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00791000 | 0 | 0 | 1
1619649228.916822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00574000 | 0 | 0 | 1
1619649228.916822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00792000 | 0 | 0 | 1
1619649228.916822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00793000 | 0 | 0 | 1
1619649228.947822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00794000 | 0 | 0 | 1
1619649228.947822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00795000 | 0 | 0 | 1
1619649229.166822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x0057a000 | 0 | 0 | 1
1619649229.166822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00796000 | 0 | 0 | 1
1619649229.244822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x0069a000 | 0 | 0 | 1
1619649229.291822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00692000 | 0 | 0 | 1
1619649229.322822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00575000 | 0 | 0 | 1
1619649229.338822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x006a5000 | 0 | 0 | 1
1619649229.650822 | NtAllocateVirtualMemory | region_size: 8192 | 4096 (MEM_COMMIT) | 0x00576000 | 0 | 0 | 1
1619649229.681822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00578000 | 0 | 0 | 1
1619649229.697822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00579000 | 0 | 0 | 1
1619649229.697822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00797000 | 0 | 0 | 1
1619649229.728822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00798000 | 0 | 0 | 1
1619649229.728822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x04520000 | 0 | 0 | 1
1619649262.791822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x0056b000 | 0 | 0 | 1
1619649262.947822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00799000 | 0 | 0 | 1
1619649263.103822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x04521000 | 0 | 0 | 1
1619649263.197822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x0058a000 | 0 | 0 | 1
1619649263.197822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00587000 | 0 | 0 | 1
1619649263.244822 | NtAllocateVirtualMemory | region_size: 1245184 | 8192 (MEM_RESERVE) | 0x05930000 | 0 | 0 | 0
1619649263.244822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x05a20000 | 0 | 0 | 1
1619649263.244822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x05a21000 | 0 | 0 | 1
1619649263.275822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x05a22000 | 0 | 0 | 1
1619649263.291822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x05a23000 | 0 | 0 | 1
1619649263.291822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x05a24000 | 0 | 0 | 1
1619649263.291822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x05a25000 | 0 | 0 | 1
1619649263.291822 | NtAllocateVirtualMemory | region_size: 16384 | 4096 (MEM_COMMIT) | 0x05a26000 | 0 | 0 | 1
1619649263.291822 | NtAllocateVirtualMemory | region_size: 69632 | 4096 (MEM_COMMIT) | 0x05a2a000 | 0 | 0 | 1
1619649263.291822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x05a3b000 | 0 | 0 | 1
1619649263.291822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x04522000 | 0 | 0 | 1
1619649263.306822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x00586000 | 0 | 0 | 1
1619649263.306822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x0079a000 | 0 | 0 | 1
1619649263.322822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x05a3c000 | 0 | 0 | 1
1619649263.322822 | NtAllocateVirtualMemory | region_size: 4096 | 4096 (MEM_COMMIT) | 0x05a3d000 | 0 | 0 | 1
Looks up the external IP address (1 event)
domain: whatismyipaddress.com
Creates a suspicious process (2 events)
cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xgnyhy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpDEB2.tmp"
cmdline: schtasks.exe /Create /TN "Updates\Xgnyhy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpDEB2.tmp"
A process created a hidden window (1 event)
Time | API | Arguments | Status | Return | Repeated
1619649264.088822 | ShellExecuteExW | parameters: /Create /TN "Updates\Xgnyhy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpDEB2.tmp"; filepath: schtasks.exe; filepath_r: schtasks.exe; show_type: 0 | success | 1 | 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time | API | Arguments | Status | Return | Repeated
1619674501.365373 | GetAdaptersAddresses | flags: 1158; family: 0 | success | 0 | 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.848083234721034 | section .text (virtual_address 0x00002000, virtual_size 0x000ba5b4, size_of_data 0x000ba600, entropy 7.848083234721034) | description: A section with a high entropy has been found
entropy 0.8760282021151586 | description: Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time | API | Arguments | Status | Return | Repeated
1619649229.197822 | LookupPrivilegeValueW | system_name: (empty); privilege_name: SeDebugPrivilege | success | 1 | 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xgnyhy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpDEB2.tmp"
cmdline: schtasks.exe /Create /TN "Updates\Xgnyhy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpDEB2.tmp"
Network communication
Communicates with host for which no DNS query was performed (1 event)
host: 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (2 events)
Time | API | Arguments | Status | Return | Repeated
1619649267.009822 | NtAllocateVirtualMemory | process_identifier: 3036; process_handle: 0x000002cc; region_size: 557056; protection: 64 (PAGE_EXECUTE_READWRITE); allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); base_address: 0x00400000; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0 | success | 0 | 0
1619674509.584373 | NtAllocateVirtualMemory | process_identifier: 1056; process_handle: 0x00000654; region_size: 110592; protection: 64 (PAGE_EXECUTE_READWRITE); allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); base_address: 0x00400000; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0 | success | 0 | 0
A process attempted to delay the analysis task (1 event)
description: RegSvcs.exe tried to sleep 2728176 seconds, actually delayed analysis time by 2728176 seconds
Deletes executed files from disk (1 event)
file: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\holdermail.txt
Executes one or more WMI queries (3 events)
wmi: SELECT * FROM AntivirusProduct
wmi: SELECT * FROM FirewallProduct
wmi: select * from Win32_OperatingSystem
Harvests information related to installed instant messenger clients (1 event)
registry: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Potential code injection by writing to the memory of another process (3 events)
Time | API | Arguments | Status | Return | Repeated
1619649267.009822 | WriteProcessMemory | process_identifier: 3036; process_handle: 0x000002cc; base_address: 0x00400000; buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÖ¶ß^à î4  @ €@…¼ O 2`  H.textì î `.rsrc2 2ð@@.reloc `"@B | success | 1 | 0
1619649267.025822 | WriteProcessMemory | process_identifier: 3036; process_handle: 0x000002cc; base_address: 0x00486000; buffer:  < | success | 1 | 0
1619649267.025822 | WriteProcessMemory | process_identifier: 3036; process_handle: 0x000002cc; base_address: 0x7efde008; buffer: @ | success | 1 | 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time | API | Arguments | Status | Return | Repeated
1619649267.009822 | WriteProcessMemory | process_identifier: 3036; process_handle: 0x000002cc; base_address: 0x00400000; buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÖ¶ß^à î4  @ €@…¼ O 2`  H.textì î `.rsrc2 2ð@@.reloc `"@B | success | 1 | 0
Harvests credentials from local email clients (6 events)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
registry: HKEY_CURRENT_USER\Identities\{586FBF3B-F35E-46E2-9DB8-9E15DC75E9A1}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry: HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
registry: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)
Process injection: Process 784 called NtSetContextThread to modify thread in remote process 3036
Process injection: Process 3036 called NtSetContextThread to modify thread in remote process 1056
Time | API | Arguments | Status | Return | Repeated
1619649267.025822 | NtSetContextThread | thread_handle: 0x000003a8; process_identifier: 3036; registers: eip=0 esp=0 edi=0 eax=4721678 ebp=0 edx=0 ebx=2130567168 esi=0 ecx=0 | success | 0 | 0
1619674509.600373 | NtSetContextThread | thread_handle: 0x00000650; process_identifier: 1056; registers: eip=2010382788 esp=1638384 edi=0 eax=4265556 ebp=0 edx=0 ebx=2130567168 esi=0 ecx=0 | success | 0 | 0
Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)
Process injection: Process 784 resumed a thread in remote process 3036
Process injection: Process 3036 resumed a thread in remote process 1056
Time | API | Arguments | Status | Return | Repeated
1619649267.228822 | NtResumeThread | thread_handle: 0x000003a8; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674509.959373 | NtResumeThread | thread_handle: 0x00000650; suspend_count: 1; process_identifier: 1056 | success | 0 | 0
Attempts to modify Explorer settings to prevent hidden files from being displayed (1 event)
registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Executed a process and injected code into it, probably while unpacking (41 events)
Time | API | Arguments | Status | Return | Repeated
1619649228.556822 | NtResumeThread | thread_handle: 0x000000d0; suspend_count: 1; process_identifier: 784 | success | 0 | 0
1619649228.603822 | NtResumeThread | thread_handle: 0x0000015c; suspend_count: 1; process_identifier: 784 | success | 0 | 0
1619649229.447822 | NtResumeThread | thread_handle: 0x00000218; suspend_count: 1; process_identifier: 784 | success | 0 | 0
1619649229.447822 | NtResumeThread | thread_handle: 0x0000022c; suspend_count: 1; process_identifier: 784 | success | 0 | 0
1619649263.666822 | NtResumeThread | thread_handle: 0x000002c8; suspend_count: 1; process_identifier: 784 | success | 0 | 0
1619649264.088822 | CreateProcessInternalW | thread_identifier: 1812; thread_handle: 0x00000390; process_identifier: 360; current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp; filepath: C:\Windows\System32\schtasks.exe; track: 1; command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xgnyhy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpDEB2.tmp"; filepath_r: C:\Windows\System32\schtasks.exe; stack_pivoted: 0; creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT); process_handle: 0x000003d0; inherit_handles: 0 | success | 1 | 0
1619649266.994822 | CreateProcessInternalW | thread_identifier: 2940; thread_handle: 0x000003a8; process_identifier: 3036; current_directory: (empty); filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; track: 1; command_line: "{path}"; filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; stack_pivoted: 0; creation_flags: 4 (CREATE_SUSPENDED); process_handle: 0x000002cc; inherit_handles: 0 | success | 1 | 0
1619649266.994822 | NtGetContextThread | thread_handle: 0x000003a8 | success | 0 | 0
1619649267.009822 | NtAllocateVirtualMemory | process_identifier: 3036; process_handle: 0x000002cc; region_size: 557056; protection: 64 (PAGE_EXECUTE_READWRITE); allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); base_address: 0x00400000; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0 | success | 0 | 0
1619649267.009822 | WriteProcessMemory | process_identifier: 3036; process_handle: 0x000002cc; base_address: 0x00400000; buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÖ¶ß^à î4  @ €@…¼ O 2`  H.textì î `.rsrc2 2ð@@.reloc `"@B | success | 1 | 0
1619649267.009822 | WriteProcessMemory | process_identifier: 3036; process_handle: 0x000002cc; base_address: 0x00402000; buffer: (empty) | success | 1 | 0
1619649267.025822 | WriteProcessMemory | process_identifier: 3036; process_handle: 0x000002cc; base_address: 0x00482000; buffer: (empty) | success | 1 | 0
1619649267.025822 | WriteProcessMemory | process_identifier: 3036; process_handle: 0x000002cc; base_address: 0x00486000; buffer:  < | success | 1 | 0
1619649267.025822 | WriteProcessMemory | process_identifier: 3036; process_handle: 0x000002cc; base_address: 0x7efde008; buffer: @ | success | 1 | 0
1619649267.025822 | NtSetContextThread | thread_handle: 0x000003a8; process_identifier: 3036; registers: eip=0 esp=0 edi=0 eax=4721678 ebp=0 edx=0 ebx=2130567168 esi=0 ecx=0 | success | 0 | 0
1619649267.228822 | NtResumeThread | thread_handle: 0x000003a8; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674490.568373 | NtResumeThread | thread_handle: 0x000000d0; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674490.709373 | NtResumeThread | thread_handle: 0x0000015c; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674491.303373 | NtResumeThread | thread_handle: 0x000001e8; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674491.787373 | NtResumeThread | thread_handle: 0x00000284; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674501.959373 | NtResumeThread | thread_handle: 0x0000042c; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674505.693373 | NtResumeThread | thread_handle: 0x00000490; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674505.787373 | NtResumeThread | thread_handle: 0x000004d8; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674506.021373 | NtResumeThread | thread_handle: 0x0000053c; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674506.068373 | NtResumeThread | thread_handle: 0x00000558; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674506.068373 | NtResumeThread | thread_handle: 0x0000056c; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674506.068373 | NtResumeThread | thread_handle: 0x00000580; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674506.115373 | NtResumeThread | thread_handle: 0x000005bc; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674506.412373 | NtResumeThread | thread_handle: 0x000005c0; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674506.412373 | NtResumeThread | thread_handle: 0x000005e0; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674506.428373 | NtResumeThread | thread_handle: 0x000005f4; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674506.428373 | NtResumeThread | thread_handle: 0x00000608; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674507.209373 | NtResumeThread | thread_handle: 0x00000634; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674509.428373 | NtResumeThread | thread_handle: 0x00000640; suspend_count: 1; process_identifier: 3036 | success | 0 | 0
1619674509.584373 | CreateProcessInternalW | thread_identifier: 624; thread_handle: 0x00000650; process_identifier: 1056; current_directory: (empty); filepath: (empty); track: 1; command_line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\holdermail.txt"; filepath_r: (empty); stack_pivoted: 0; creation_flags: 4 (CREATE_SUSPENDED); process_handle: 0x00000654; inherit_handles: 0 |
success 1 0
1619674509.584373
NtUnmapViewOfSection
process_identifier: 1056
region_size: 4096
process_handle: 0x00000654
base_address: 0x00400000
success 0 0
1619674509.584373
NtAllocateVirtualMemory
process_identifier: 1056
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000654
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619674509.600373
NtGetContextThread
thread_handle: 0x00000650
success 0 0
1619674509.600373
NtSetContextThread
thread_handle: 0x00000650
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4265556
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1056
success 0 0
1619674509.959373
NtResumeThread
thread_handle: 0x00000650
suspend_count: 1
process_identifier: 1056
success 0 0
1619674515.443
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 1056
success 0 0
Visual Analysis
Binary Image
No binary image available: no binary visualization image was generated for this sample
Runtime Screenshots
No runtime screenshots available: no screenshots were captured while the sample was running

PE Compile Time

2091-10-14 21:58:44

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49192 104.16.154.36 whatismyipaddress.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://whatismyipaddress.com/
GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.