11.0
0-day

96a55e86b6b4d7ddfe80b096de08f57f7e8c417b2cb7dcf65a0c83aa32ed29dc

8208efff87339c95a7c0780dcb9f6533.exe

Analysis time

87s

Latest analysis

File size

1009.5KB
Static scan: malicious. Dynamic scan: malicious. 100% @GW@A8MO4YKI AGEN AGENERIC AI SCORE=86 CLOUD CONFIDENCE CRIDEX DELF DELPHILESS ELWH ELZG FAREIT GDSDA GENERICKD HIGH CONFIDENCE HIRFRZGE0B4 HKCAOJ HPLOKI LOKIBOT MALWARE@#L2VQGJOOO1SD MWDV NETWIRE NOON SMBD STRICTOR SUSGEN SUSPICIOUS PE TSCOPE TSPY UNSAFE X2066 ZELPHIF
Eagle Eye engine
Not detected: no Eagle Eye engine result available
Static verdict
Anti-virus engines
Engine Result Scan date Engine version
McAfee Fareit-FTB!8208EFFF8733 20200527 6.0.6.653
Alibaba TrojanSpy:Win32/Cridex.d2fecf7d 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20200527 18.4.3895.0
Tencent 20200527 1.0.0.1
Kingsoft 20200527 2013.8.14.323
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Checks if the process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619695925.602501
IsDebuggerPresent
failed 0 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619695918.336626
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (10 events)
Time & API Arguments Status Return Repeated
1619695917.679999
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 35782468
registers.edi: 0
registers.eax: 0
registers.ebp: 35782536
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 1950559753
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b1 93 00 00 e9
exception.symbol: 8208efff87339c95a7c0780dcb9f6533+0x585a4
exception.instruction: div eax
exception.module: 8208efff87339c95a7c0780dcb9f6533.exe
exception.exception_code: 0xc0000094
exception.offset: 361892
exception.address: 0x4585a4
success 0 0
1619695918.008249
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49610564
registers.edi: 0
registers.eax: 0
registers.ebp: 49610632
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 1950559753
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b1 93 00 00 e9
exception.symbol: 8208efff87339c95a7c0780dcb9f6533+0x585a4
exception.instruction: div eax
exception.module: 8208efff87339c95a7c0780dcb9f6533.exe
exception.exception_code: 0xc0000094
exception.offset: 361892
exception.address: 0x4585a4
success 0 0
1619695924.523499
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34668356
registers.edi: 0
registers.eax: 0
registers.ebp: 34668424
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 1950559753
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b1 93 00 00 e9
exception.symbol: host+0x585a4
exception.instruction: div eax
exception.module: Host.exe
exception.exception_code: 0xc0000094
exception.offset: 361892
exception.address: 0x4585a4
success 0 0
1619695924.867501
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 48955204
registers.edi: 0
registers.eax: 0
registers.ebp: 48955272
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 1950559753
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b1 93 00 00 e9
exception.symbol: host+0x585a4
exception.instruction: div eax
exception.module: Host.exe
exception.exception_code: 0xc0000094
exception.offset: 361892
exception.address: 0x4585a4
success 0 0
1619695950.352501
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34471748
registers.edi: 0
registers.eax: 0
registers.ebp: 34471816
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 1950559753
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b1 93 00 00 e9
exception.symbol: 8208efff87339c95a7c0780dcb9f6533+0x585a4
exception.instruction: div eax
exception.module: 8208efff87339c95a7c0780dcb9f6533.exe
exception.exception_code: 0xc0000094
exception.offset: 361892
exception.address: 0x4585a4
success 0 0
1619695950.602874
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49479492
registers.edi: 0
registers.eax: 0
registers.ebp: 49479560
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 1950559753
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b1 93 00 00 e9
exception.symbol: 8208efff87339c95a7c0780dcb9f6533+0x585a4
exception.instruction: div eax
exception.module: 8208efff87339c95a7c0780dcb9f6533.exe
exception.exception_code: 0xc0000094
exception.offset: 361892
exception.address: 0x4585a4
success 0 0
1619695959.758751
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49282884
registers.edi: 0
registers.eax: 0
registers.ebp: 49282952
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 1950559753
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b1 93 00 00 e9
exception.symbol: 8208efff87339c95a7c0780dcb9f6533+0x585a4
exception.instruction: div eax
exception.module: 8208efff87339c95a7c0780dcb9f6533.exe
exception.exception_code: 0xc0000094
exception.offset: 361892
exception.address: 0x4585a4
success 0 0
1619695959.992499
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49020740
registers.edi: 0
registers.eax: 0
registers.ebp: 49020808
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 1950559753
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b1 93 00 00 e9
exception.symbol: 8208efff87339c95a7c0780dcb9f6533+0x585a4
exception.instruction: div eax
exception.module: 8208efff87339c95a7c0780dcb9f6533.exe
exception.exception_code: 0xc0000094
exception.offset: 361892
exception.address: 0x4585a4
success 0 0
1619695968.492499
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34930500
registers.edi: 0
registers.eax: 0
registers.ebp: 34930568
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 1950559753
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b1 93 00 00 e9
exception.symbol: 8208efff87339c95a7c0780dcb9f6533+0x585a4
exception.instruction: div eax
exception.module: 8208efff87339c95a7c0780dcb9f6533.exe
exception.exception_code: 0xc0000094
exception.offset: 361892
exception.address: 0x4585a4
success 0 0
1619695968.773874
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34537284
registers.edi: 0
registers.eax: 0
registers.ebp: 34537352
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 1950559753
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b1 93 00 00 e9
exception.symbol: 8208efff87339c95a7c0780dcb9f6533+0x585a4
exception.instruction: div eax
exception.module: 8208efff87339c95a7c0780dcb9f6533.exe
exception.exception_code: 0xc0000094
exception.offset: 361892
exception.address: 0x4585a4
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (30 events)
Time & API Arguments Status Return Repeated
1619695917.366999
NtAllocateVirtualMemory
process_identifier: 2368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619695917.679999
NtProtectVirtualMemory
process_identifier: 2368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619695917.679999
NtAllocateVirtualMemory
process_identifier: 2368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003f0000
success 0 0
1619695917.992249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619695918.008249
NtProtectVirtualMemory
process_identifier: 1632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619695918.008249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00600000
success 0 0
1619695924.523499
NtAllocateVirtualMemory
process_identifier: 616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e0000
success 0 0
1619695924.523499
NtProtectVirtualMemory
process_identifier: 616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619695924.523499
NtAllocateVirtualMemory
process_identifier: 616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006b0000
success 0 0
1619695924.852501
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01d10000
success 0 0
1619695924.867501
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619695924.867501
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02000000
success 0 0
1619695950.352501
NtAllocateVirtualMemory
process_identifier: 3460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619695950.352501
NtProtectVirtualMemory
process_identifier: 3460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619695950.367501
NtAllocateVirtualMemory
process_identifier: 3460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02100000
success 0 0
1619695950.586874
NtAllocateVirtualMemory
process_identifier: 3600
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e10000
success 0 0
1619695950.602874
NtProtectVirtualMemory
process_identifier: 3600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619695950.602874
NtAllocateVirtualMemory
process_identifier: 3600
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02000000
success 0 0
1619695959.758751
NtAllocateVirtualMemory
process_identifier: 3736
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00810000
success 0 0
1619695959.758751
NtProtectVirtualMemory
process_identifier: 3736
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619695959.773751
NtAllocateVirtualMemory
process_identifier: 3736
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02000000
success 0 0
1619695959.977499
NtAllocateVirtualMemory
process_identifier: 3872
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619695959.992499
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619695959.992499
NtAllocateVirtualMemory
process_identifier: 3872
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02000000
success 0 0
1619695968.477499
NtAllocateVirtualMemory
process_identifier: 3984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e0000
success 0 0
1619695968.492499
NtProtectVirtualMemory
process_identifier: 3984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619695968.492499
NtAllocateVirtualMemory
process_identifier: 3984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ed0000
success 0 0
1619695968.742874
NtAllocateVirtualMemory
process_identifier: 2008
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01d10000
success 0 0
1619695968.773874
NtProtectVirtualMemory
process_identifier: 2008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619695968.773874
NtAllocateVirtualMemory
process_identifier: 2008
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02100000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (16 events)
Expresses interest in specific running processes (2 events)
process 8208efff87339c95a7c0780dcb9f6533.exe
process host.exe
Repeatedly searches for a process that is not found; you may want to run a web browser during analysis (14 events)
Time & API Arguments Status Return Repeated
1619695917.694999
Process32NextW
process_name: 8208efff87339c95a7c0780dcb9f6533.exe
snapshot_handle: 0x000000fc
process_identifier: 2368
failed 0 0
1619695918.008249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000fc
process_identifier: 1688
failed 0 0
1619695950.180249
Process32NextW
process_name: Host.exe
snapshot_handle: 0x0000059c
process_identifier: 2424
failed 0 0
1619695924.523499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000fc
process_identifier: 1812
failed 0 0
1619695924.867501
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000fc
process_identifier: 3112
failed 0 0
1619695950.367501
Process32NextW
process_name: 8208efff87339c95a7c0780dcb9f6533.exe
snapshot_handle: 0x000000fc
process_identifier: 3460
failed 0 0
1619695950.602874
Process32NextW
process_name: 8208efff87339c95a7c0780dcb9f6533.exe
snapshot_handle: 0x000000fc
process_identifier: 3600
failed 0 0
1619695959.586874
Process32NextW
process_name: 8208efff87339c95a7c0780dcb9f6533.exe
snapshot_handle: 0x00000248
process_identifier: 3600
failed 0 0
1619695959.773751
Process32NextW
process_name: 8208efff87339c95a7c0780dcb9f6533.exe
snapshot_handle: 0x000000fc
process_identifier: 3736
failed 0 0
1619695959.992499
Process32NextW
process_name: 8208efff87339c95a7c0780dcb9f6533.exe
snapshot_handle: 0x00000100
process_identifier: 3872
failed 0 0
1619695968.305499
Process32NextW
process_name: 8208efff87339c95a7c0780dcb9f6533.exe
snapshot_handle: 0x00000234
process_identifier: 3872
failed 0 0
1619695968.492499
Process32NextW
process_name: 8208efff87339c95a7c0780dcb9f6533.exe
snapshot_handle: 0x000000fc
process_identifier: 3984
failed 0 0
1619695968.773874
Process32NextW
process_name: 8208efff87339c95a7c0780dcb9f6533.exe
snapshot_handle: 0x000000fc
process_identifier: 2008
failed 0 0
1619695977.305874
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000238
process_identifier: 3512
failed 0 0
Network communication
Communicates with a host for which no DNS query was performed (2 events)
host 172.217.24.14
host 194.5.97.76
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NetWire reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
Creates known Netwire files, registry keys and/or mutexes (1 event)
regkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NetWire
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (10 events)
Process injection Process 2368 called NtSetContextThread to modify thread in remote process 1432
Process injection Process 616 called NtSetContextThread to modify thread in remote process 1380
Process injection Process 3460 called NtSetContextThread to modify thread in remote process 3540
Process injection Process 3736 called NtSetContextThread to modify thread in remote process 3808
Process injection Process 3984 called NtSetContextThread to modify thread in remote process 4056
Time & API Arguments Status Return Repeated
1619695917.741999
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1432
success 0 0
1619695924.680499
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1380
success 0 0
1619695950.430501
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3540
success 0 0
1619695959.805751
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3808
success 0 0
1619695968.539499
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4056
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (10 events)
Process injection Process 2368 resumed a thread in remote process 1432
Process injection Process 616 resumed a thread in remote process 1380
Process injection Process 3460 resumed a thread in remote process 3540
Process injection Process 3736 resumed a thread in remote process 3808
Process injection Process 3984 resumed a thread in remote process 4056
Time & API Arguments Status Return Repeated
1619695917.788999
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 1432
success 0 0
1619695924.711499
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 1380
success 0 0
1619695950.445501
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 3540
success 0 0
1619695959.836751
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 3808
success 0 0
1619695968.570499
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 4056
success 0 0
Executed a process and injected code into it, probably while unpacking (40 events)
Time & API Arguments Status Return Repeated
1619695917.741999
CreateProcessInternalW
thread_identifier: 1436
thread_handle: 0x00000100
process_identifier: 1432
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619695917.741999
NtUnmapViewOfSection
process_identifier: 1432
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619695917.741999
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 1432
commit_size: 208896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 208896
base_address: 0x00400000
success 0 0
1619695917.741999
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619695917.741999
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1432
success 0 0
1619695917.788999
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 1432
success 0 0
1619695917.804999
CreateProcessInternalW
thread_identifier: 708
thread_handle: 0x00000108
process_identifier: 1632
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe" 2 1432 28896312
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619695924.352626
CreateProcessInternalW
thread_identifier: 2008
thread_handle: 0x00000220
process_identifier: 616
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe" -m "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002a0
inherit_handles: 0
success 1 0
1619695950.211249
CreateProcessInternalW
thread_identifier: 3464
thread_handle: 0x000005a0
process_identifier: 3460
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000005a4
inherit_handles: 0
success 1 0
1619695924.664499
CreateProcessInternalW
thread_identifier: 1208
thread_handle: 0x00000100
process_identifier: 1380
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe" -m "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619695924.664499
NtUnmapViewOfSection
process_identifier: 1380
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619695924.664499
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 1380
commit_size: 208896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 208896
base_address: 0x00400000
success 0 0
1619695924.680499
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619695924.680499
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1380
success 0 0
1619695924.711499
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 1380
success 0 0
1619695924.727499
CreateProcessInternalW
thread_identifier: 1816
thread_handle: 0x00000108
process_identifier: 2424
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe" 2 1380 28903234
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619695950.430501
CreateProcessInternalW
thread_identifier: 3544
thread_handle: 0x00000100
process_identifier: 3540
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619695950.430501
NtUnmapViewOfSection
process_identifier: 3540
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619695950.430501
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3540
commit_size: 208896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 208896
base_address: 0x00400000
success 0 0
1619695950.430501
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619695950.430501
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3540
success 0 0
1619695950.445501
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 3540
success 0 0
1619695950.461501
CreateProcessInternalW
thread_identifier: 3604
thread_handle: 0x00000108
process_identifier: 3600
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe" 2 3540 28928968
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619695959.617874
CreateProcessInternalW
thread_identifier: 3740
thread_handle: 0x0000024c
process_identifier: 3736
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000250
inherit_handles: 0
success 1 0
1619695959.805751
CreateProcessInternalW
thread_identifier: 3812
thread_handle: 0x00000100
process_identifier: 3808
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619695959.805751
NtUnmapViewOfSection
process_identifier: 3808
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619695959.805751
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3808
commit_size: 208896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 208896
base_address: 0x00400000
success 0 0
1619695959.805751
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619695959.805751
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3808
success 0 0
1619695959.836751
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 3808
success 0 0
1619695959.852751
CreateProcessInternalW
thread_identifier: 3876
thread_handle: 0x00000108
process_identifier: 3872
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe" 2 3808 28938359
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619695968.352499
CreateProcessInternalW
thread_identifier: 3988
thread_handle: 0x00000238
process_identifier: 3984
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000023c
inherit_handles: 0
success 1 0
1619695968.539499
CreateProcessInternalW
thread_identifier: 4060
thread_handle: 0x00000100
process_identifier: 4056
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619695968.539499
NtUnmapViewOfSection
process_identifier: 4056
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619695968.539499
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 4056
commit_size: 208896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 208896
base_address: 0x00400000
success 0 0
1619695968.539499
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619695968.539499
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4056
success 0 0
1619695968.570499
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 4056
success 0 0
1619695968.586499
CreateProcessInternalW
thread_identifier: 3108
thread_handle: 0x00000108
process_identifier: 2008
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe" 2 4056 28947093
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619695977.320874
CreateProcessInternalW
thread_identifier: 2080
thread_handle: 0x0000023c
process_identifier: 3228
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8208efff87339c95a7c0780dcb9f6533.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000240
inherit_handles: 0
success 1 0
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)
MicroWorld-eScan Trojan.GenericKD.33821666
FireEye Generic.mg.8208efff87339c95
McAfee Fareit-FTB!8208EFFF8733
Cylance Unsafe
Zillya Trojan.Injector.Win32.734706
Sangfor Malware
K7AntiVirus Trojan ( 005668161 )
Alibaba TrojanSpy:Win32/Cridex.d2fecf7d
K7GW Trojan ( 005668161 )
Cybereason malicious.243bf9
Arcabit Trojan.Generic.D20413E2
Invincea heuristic
F-Prot W32/Injector.JCF
Symantec Trojan Horse
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Dropper.LokiBot-7788949-0
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender Trojan.GenericKD.33821666
NANO-Antivirus Trojan.Win32.Strictor.hkcaoj
Paloalto generic.ml
AegisLab Trojan.Multi.Generic.4!c
Ad-Aware Trojan.GenericKD.33821666
Emsisoft Trojan.GenericKD.33821666 (B)
Comodo Malware@#l2vqgjooo1sd
F-Secure Heuristic.HEUR/AGEN.1133569
DrWeb Trojan.PWS.Stealer.28487
VIPRE Trojan.Win32.Generic!BT
TrendMicro TSPY_HPLOKI.SMBD
McAfee-GW-Edition BehavesLike.Win32.Fareit.fh
Sophos Mal/Fareit-AA
SentinelOne DFI - Suspicious PE
Cyren W32/Injector.MWDV-0392
Jiangmin TrojanSpy.Noon.pel
Avira HEUR/AGEN.1133569
Antiy-AVL Trojan/MSIL.AGeneric
Microsoft Trojan:Win32/Cridex.VD!MTB
Endgame malicious (high confidence)
ZoneAlarm HEUR:Trojan-Spy.Win32.Noon.gen
GData Win32.Trojan.Injector.PA
AhnLab-V3 Suspicious/Win.Delphiless.X2066
Acronis suspicious
BitDefenderTheta Gen:NN.ZelphiF.34122.@GW@a8Mo4Yki
ALYac Spyware.LokiBot
MAX malware (ai score=86)
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
Zoner Trojan.Win32.68253
ESET-NOD32 a variant of Win32/Injector.ELWH
TrendMicro-HouseCall TSPY_HPLOKI.SMBD
Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running) (3 events)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
dead_host 194.5.97.76:1591
Visual Analysis
Binary Image
No binary image: no binary visualization image was generated for this sample.
Runtime Screenshots
No runtime screenshots: no screenshots were captured while the sample was running.


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x465150 VirtualFree
0x465154 VirtualAlloc
0x465158 LocalFree
0x46515c LocalAlloc
0x465160 GetVersion
0x465164 GetCurrentThreadId
0x465170 VirtualQuery
0x465174 WideCharToMultiByte
0x465178 MultiByteToWideChar
0x46517c lstrlenA
0x465180 lstrcpynA
0x465184 LoadLibraryExA
0x465188 GetThreadLocale
0x46518c GetStartupInfoA
0x465190 GetProcAddress
0x465194 GetModuleHandleA
0x465198 GetModuleFileNameA
0x46519c GetLocaleInfoA
0x4651a0 GetCommandLineA
0x4651a4 FreeLibrary
0x4651a8 FindFirstFileA
0x4651ac FindClose
0x4651b0 ExitProcess
0x4651b4 WriteFile
0x4651bc RtlUnwind
0x4651c0 RaiseException
0x4651c4 GetStdHandle
Library user32.dll:
0x4651cc GetKeyboardType
0x4651d0 LoadStringA
0x4651d4 MessageBoxA
0x4651d8 CharNextA
Library advapi32.dll:
0x4651e0 RegQueryValueExA
0x4651e4 RegOpenKeyExA
0x4651e8 RegCloseKey
Library oleaut32.dll:
0x4651f0 SysFreeString
0x4651f4 SysReAllocStringLen
0x4651f8 SysAllocStringLen
Library kernel32.dll:
0x465200 TlsSetValue
0x465204 TlsGetValue
0x465208 LocalAlloc
0x46520c GetModuleHandleA
Library advapi32.dll:
0x465214 RegQueryValueExA
0x465218 RegOpenKeyExA
0x46521c RegCloseKey
Library kernel32.dll:
0x465224 lstrcpyA
0x465228 lstrcmpA
0x46522c WriteFile
0x465230 WaitForSingleObject
0x465234 VirtualQuery
0x465238 VirtualProtect
0x46523c VirtualAlloc
0x465240 Sleep
0x465244 SizeofResource
0x465248 SetThreadLocale
0x46524c SetFilePointer
0x465250 SetEvent
0x465254 SetErrorMode
0x465258 SetEndOfFile
0x46525c ResetEvent
0x465260 ReadFile
0x465264 MulDiv
0x465268 LockResource
0x46526c LoadResource
0x465270 LoadLibraryA
0x46527c GlobalUnlock
0x465280 GlobalReAlloc
0x465284 GlobalHandle
0x465288 GlobalLock
0x46528c GlobalFree
0x465290 GlobalFindAtomA
0x465294 GlobalDeleteAtom
0x465298 GlobalAlloc
0x46529c GlobalAddAtomA
0x4652a0 GetVersionExA
0x4652a4 GetVersion
0x4652a8 GetTickCount
0x4652ac GetThreadLocale
0x4652b4 GetSystemTime
0x4652b8 GetSystemInfo
0x4652bc GetStringTypeExA
0x4652c0 GetStdHandle
0x4652c4 GetProcAddress
0x4652c8 GetModuleHandleA
0x4652cc GetModuleFileNameA
0x4652d0 GetLocaleInfoA
0x4652d4 GetLocalTime
0x4652d8 GetLastError
0x4652dc GetFullPathNameA
0x4652e0 GetDiskFreeSpaceA
0x4652e4 GetDateFormatA
0x4652e8 GetCurrentThreadId
0x4652ec GetCurrentProcessId
0x4652f0 GetCPInfo
0x4652f4 GetACP
0x4652f8 FreeResource
0x4652fc InterlockedExchange
0x465300 FreeLibrary
0x465304 FormatMessageA
0x465308 FindResourceA
0x465310 ExitThread
0x465314 EnumCalendarInfoA
0x465320 CreateThread
0x465324 CreateFileA
0x465328 CreateEventA
0x46532c CompareStringA
0x465330 CloseHandle
Library version.dll:
0x465338 VerQueryValueA
0x465340 GetFileVersionInfoA
Library gdi32.dll:
0x465348 UnrealizeObject
0x46534c StretchBlt
0x465350 SetWindowOrgEx
0x465354 SetViewportOrgEx
0x465358 SetTextColor
0x46535c SetStretchBltMode
0x465360 SetROP2
0x465364 SetPixel
0x465368 SetDIBColorTable
0x46536c SetBrushOrgEx
0x465370 SetBkMode
0x465374 SetBkColor
0x465378 SelectPalette
0x46537c SelectObject
0x465380 SaveDC
0x465384 RoundRect
0x465388 RestoreDC
0x46538c Rectangle
0x465390 RectVisible
0x465394 RealizePalette
0x465398 PatBlt
0x46539c MoveToEx
0x4653a0 MaskBlt
0x4653a4 LineTo
0x4653a8 IntersectClipRect
0x4653ac GetWindowOrgEx
0x4653b0 GetTextMetricsA
0x4653bc GetStockObject
0x4653c0 GetPixel
0x4653c4 GetPaletteEntries
0x4653c8 GetObjectA
0x4653cc GetDeviceCaps
0x4653d0 GetDIBits
0x4653d4 GetDIBColorTable
0x4653d8 GetDCOrgEx
0x4653e0 GetClipBox
0x4653e4 GetBrushOrgEx
0x4653e8 GetBitmapBits
0x4653ec ExtTextOutA
0x4653f0 ExcludeClipRect
0x4653f4 Ellipse
0x4653f8 DeleteObject
0x4653fc DeleteDC
0x465400 CreateSolidBrush
0x465404 CreatePenIndirect
0x465408 CreatePalette
0x465410 CreateFontIndirectA
0x465414 CreateDIBitmap
0x465418 CreateDIBSection
0x46541c CreateCompatibleDC
0x465424 CreateBrushIndirect
0x465428 CreateBitmap
0x46542c BitBlt
Library user32.dll:
0x465434 CreateWindowExA
0x465438 WindowFromPoint
0x46543c WinHelpA
0x465440 WaitMessage
0x465444 UpdateWindow
0x465448 UnregisterClassA
0x46544c UnhookWindowsHookEx
0x465450 TranslateMessage
0x465458 TrackPopupMenu
0x465460 ShowWindow
0x465464 ShowScrollBar
0x465468 ShowOwnedPopups
0x46546c ShowCursor
0x465470 SetWindowsHookExA
0x465474 SetWindowTextA
0x465478 SetWindowPos
0x46547c SetWindowPlacement
0x465480 SetWindowLongA
0x465484 SetTimer
0x465488 SetScrollRange
0x46548c SetScrollPos
0x465490 SetScrollInfo
0x465494 SetRect
0x465498 SetPropA
0x46549c SetParent
0x4654a0 SetMenuItemInfoA
0x4654a4 SetMenu
0x4654a8 SetForegroundWindow
0x4654ac SetFocus
0x4654b0 SetCursor
0x4654b4 SetClassLongA
0x4654b8 SetCapture
0x4654bc SetActiveWindow
0x4654c0 SendMessageA
0x4654c4 ScrollWindow
0x4654c8 ScreenToClient
0x4654cc RemovePropA
0x4654d0 RemoveMenu
0x4654d4 ReleaseDC
0x4654d8 ReleaseCapture
0x4654e4 RegisterClassA
0x4654e8 RedrawWindow
0x4654ec PtInRect
0x4654f0 PostQuitMessage
0x4654f4 PostMessageA
0x4654f8 PeekMessageA
0x4654fc OffsetRect
0x465500 OemToCharA
0x465504 MessageBoxA
0x465508 MapWindowPoints
0x46550c MapVirtualKeyA
0x465510 LoadStringA
0x465514 LoadKeyboardLayoutA
0x465518 LoadIconA
0x46551c LoadCursorA
0x465520 LoadBitmapA
0x465524 KillTimer
0x465528 IsZoomed
0x46552c IsWindowVisible
0x465530 IsWindowEnabled
0x465534 IsWindow
0x465538 IsRectEmpty
0x46553c IsIconic
0x465540 IsDialogMessageA
0x465544 IsChild
0x465548 InvalidateRect
0x46554c IntersectRect
0x465550 InsertMenuItemA
0x465554 InsertMenuA
0x465558 InflateRect
0x465560 GetWindowTextA
0x465564 GetWindowRect
0x465568 GetWindowPlacement
0x46556c GetWindowLongA
0x465570 GetWindowDC
0x465574 GetTopWindow
0x465578 GetSystemMetrics
0x46557c GetSystemMenu
0x465580 GetSysColorBrush
0x465584 GetSysColor
0x465588 GetSubMenu
0x46558c GetScrollRange
0x465590 GetScrollPos
0x465594 GetScrollInfo
0x465598 GetPropA
0x46559c GetParent
0x4655a0 GetWindow
0x4655a4 GetMessageTime
0x4655a8 GetMenuStringA
0x4655ac GetMenuState
0x4655b0 GetMenuItemInfoA
0x4655b4 GetMenuItemID
0x4655b8 GetMenuItemCount
0x4655bc GetMenu
0x4655c0 GetLastActivePopup
0x4655c4 GetKeyboardState
0x4655cc GetKeyboardLayout
0x4655d0 GetKeyState
0x4655d4 GetKeyNameTextA
0x4655d8 GetIconInfo
0x4655dc GetForegroundWindow
0x4655e0 GetFocus
0x4655e4 GetDesktopWindow
0x4655e8 GetDCEx
0x4655ec GetDC
0x4655f0 GetCursorPos
0x4655f4 GetCursor
0x4655f8 GetClientRect
0x4655fc GetClassNameA
0x465600 GetClassInfoA
0x465604 GetCapture
0x465608 GetActiveWindow
0x46560c FrameRect
0x465610 FindWindowA
0x465614 FillRect
0x465618 EqualRect
0x46561c EnumWindows
0x465620 EnumThreadWindows
0x465624 EndPaint
0x465628 EnableWindow
0x46562c EnableScrollBar
0x465630 EnableMenuItem
0x465634 DrawTextA
0x465638 DrawMenuBar
0x46563c DrawIconEx
0x465640 DrawIcon
0x465644 DrawFrameControl
0x465648 DrawFocusRect
0x46564c DrawEdge
0x465650 DispatchMessageA
0x465654 DestroyWindow
0x465658 DestroyMenu
0x46565c DestroyIcon
0x465660 DestroyCursor
0x465664 DeleteMenu
0x465668 DefWindowProcA
0x46566c DefMDIChildProcA
0x465670 DefFrameProcA
0x465674 CreatePopupMenu
0x465678 CreateMenu
0x46567c CreateIcon
0x465680 ClientToScreen
0x465684 CheckMenuItem
0x465688 CallWindowProcA
0x46568c CallNextHookEx
0x465690 BeginPaint
0x465694 CharNextA
0x465698 CharLowerA
0x46569c CharToOemA
0x4656a0 AdjustWindowRectEx
Library kernel32.dll:
0x4656ac Sleep
Library oleaut32.dll:
0x4656b4 SafeArrayPtrOfIndex
0x4656b8 SafeArrayGetUBound
0x4656bc SafeArrayGetLBound
0x4656c0 SafeArrayCreate
0x4656c4 VariantChangeType
0x4656c8 VariantCopy
0x4656cc VariantClear
0x4656d0 VariantInit
Library ole32.dll:
0x4656d8 CoTaskMemAlloc
0x4656dc CoCreateInstance
0x4656e0 CoUninitialize
0x4656e4 CoInitialize
Library comctl32.dll:
0x4656f4 ImageList_Write
0x4656f8 ImageList_Read
0x465708 ImageList_DragMove
0x46570c ImageList_DragLeave
0x465710 ImageList_DragEnter
0x465714 ImageList_EndDrag
0x465718 ImageList_BeginDrag
0x46571c ImageList_Remove
0x465720 ImageList_DrawEx
0x465724 ImageList_Draw
0x465734 ImageList_Add
0x46573c ImageList_Destroy
0x465740 ImageList_Create
0x465744 InitCommonControls
Library comdlg32.dll:
0x46574c ChooseColorA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.