11.2
0-day

049a3258d1222a41415a8099d2b79c88ac64400543b9e8d83e450ca592593faf

8511a7a835eb8faf696e7ac96da0a438.exe

Analysis duration

119s

Last analysis

File size

1.0MB
Static detections Dynamic detections AD0@AUEDZWMI AI SCORE=89 AIDETECTVM ANTIAV ATTRIBUTE AVEMARIA CONFIDENCE DQ0UBMGI ELDORADO EMOTET FEIDY GDSDA GENERICRXAA GRAYWARE HCXN HIGH CONFIDENCE HIGHCONFIDENCE KRYPTIK MALWARE2 MALWARE@#FM93P7MCR693 MARIA MORTYSTEALER QPO9RI6ZBDF R06EC0DIA20 RAZY SCORE SUSGEN TROJANPSW UNSAFE WACAPEW ZEXACO
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine results are available for this sample
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee GenericRXAA-AA!8511A7A835EB 20201211 6.0.6.653
Alibaba TrojanSpy:Win32/Obfuscator.e1305e05 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201210 21.1.5827.0
Kingsoft 20201211 2017.9.26.565
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
Static indicators
Queries for the computername (12 events)
Time & API Arguments Status Return Repeated
1619719908.883751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619719908.883751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619719908.883751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619719908.915751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619719919.383751
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619719919.383751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619719931.727751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619719931.727751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619719931.727751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619719931.743751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619719932.008751
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619719932.008751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1619719909.477751
IsDebuggerPresent
failed 0 0
1619719931.790751
IsDebuggerPresent
failed 0 0
Command line console output was observed (17 events)
Time & API Arguments Status Return Repeated
1619719920.555751
WriteConsoleW
buffer: 无法将“Add-MpPreference”项识别为 cmdlet、函数、脚本文件或可运行程序的名称。请
console_handle: 0x00000023
success 1 0
1619719920.571751
WriteConsoleW
buffer: 检查名称的拼写,如果包括路径,请确保路径正确,然后重试。
console_handle: 0x0000002f
success 1 0
1619719920.571751
WriteConsoleW
buffer: 所在位置 行:1 字符: 17
console_handle: 0x0000003b
success 1 0
1619719920.571751
WriteConsoleW
buffer: + Add-MpPreference <<<< -ExclusionPath C:\
console_handle: 0x00000047
success 1 0
1619719920.571751
WriteConsoleW
buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x00000053
success 1 0
1619719920.571751
WriteConsoleW
buffer: mmandNotFoundException
console_handle: 0x0000005f
success 1 0
1619719920.571751
WriteConsoleW
buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x0000006b
success 1 0
1619719932.118751
WriteConsoleW
buffer: 无法将“Add-MpPreference”项识别为 cmdlet、函数、脚本文件或可运行程序的名称。请
console_handle: 0x00000023
success 1 0
1619719932.118751
WriteConsoleW
buffer: 检查名称的拼写,如果包括路径,请确保路径正确,然后重试。
console_handle: 0x0000002f
success 1 0
1619719932.133751
WriteConsoleW
buffer: 所在位置 行:1 字符: 17
console_handle: 0x0000003b
success 1 0
1619719932.133751
WriteConsoleW
buffer: + Add-MpPreference <<<< -ExclusionPath C:\
console_handle: 0x00000047
success 1 0
1619719932.133751
WriteConsoleW
buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x00000053
success 1 0
1619719932.133751
WriteConsoleW
buffer: mmandNotFoundException
console_handle: 0x0000005f
success 1 0
1619719932.133751
WriteConsoleW
buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x0000006b
success 1 0
1619719931.524501
WriteConsoleW
buffer: Microsoft Windows [版本 6.1.7601]
console_handle: 0x00000007
success 1 0
1619719931.524501
WriteConsoleW
buffer: 版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
console_handle: 0x00000007
success 1 0
1619719931.524501
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
Uses Windows APIs to generate a cryptographic key (50 out of 128 events)
Time & API Arguments Status Return Repeated
1619719913.071751
CryptExportKey
crypto_handle: 0x006b80a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719914.821751
CryptExportKey
crypto_handle: 0x006b7f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719914.821751
CryptExportKey
crypto_handle: 0x006b7f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719914.821751
CryptExportKey
crypto_handle: 0x006b7f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.087751
CryptExportKey
crypto_handle: 0x006b7f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.087751
CryptExportKey
crypto_handle: 0x006b7f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.087751
CryptExportKey
crypto_handle: 0x006b7f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.133751
CryptExportKey
crypto_handle: 0x006b7f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.165751
CryptExportKey
crypto_handle: 0x006b74a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.165751
CryptExportKey
crypto_handle: 0x006b74a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.212751
CryptExportKey
crypto_handle: 0x006b74a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.212751
CryptExportKey
crypto_handle: 0x006b74a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.212751
CryptExportKey
crypto_handle: 0x006b74a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.212751
CryptExportKey
crypto_handle: 0x006b74a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.571751
CryptExportKey
crypto_handle: 0x006b79e0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.571751
CryptExportKey
crypto_handle: 0x006b79e0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.571751
CryptExportKey
crypto_handle: 0x006b79e0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.571751
CryptExportKey
crypto_handle: 0x006b79e0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.571751
CryptExportKey
crypto_handle: 0x006b79e0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.571751
CryptExportKey
crypto_handle: 0x006b79e0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719915.602751
CryptExportKey
crypto_handle: 0x006b79e0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.055751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.055751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.055751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.180751
CryptExportKey
crypto_handle: 0x006b78e0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.180751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.180751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.180751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.180751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.196751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.243751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.243751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.602751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719918.602751
CryptExportKey
crypto_handle: 0x006b7da0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.055751
CryptExportKey
crypto_handle: 0x006b7ce0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.055751
CryptExportKey
crypto_handle: 0x006b7ce0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.055751
CryptExportKey
crypto_handle: 0x006b7ce0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.055751
CryptExportKey
crypto_handle: 0x006b7ce0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.055751
CryptExportKey
crypto_handle: 0x006b7ce0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.055751
CryptExportKey
crypto_handle: 0x006b7ce0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.118751
CryptExportKey
crypto_handle: 0x006b7ce0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.305751
CryptExportKey
crypto_handle: 0x006b7360
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.305751
CryptExportKey
crypto_handle: 0x006b7360
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.680751
CryptExportKey
crypto_handle: 0x006b7360
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.680751
CryptExportKey
crypto_handle: 0x006b7360
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.696751
CryptExportKey
crypto_handle: 0x006b7360
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.696751
CryptExportKey
crypto_handle: 0x006b7360
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.696751
CryptExportKey
crypto_handle: 0x006b7360
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.712751
CryptExportKey
crypto_handle: 0x006b7360
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619719919.712751
CryptExportKey
crypto_handle: 0x006b7360
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
This executable has a PDB path (1 event)
pdb_path C:\Users\W7H64\Desktop\VCSamples-master\VC2008Samples\International\satdll\Main\Debug\Main.pdb
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619719899.118626
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .00cfg
The executable uses a known packer (1 event)
packer Microsoft Visual C++ V8.0 (Debug)
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 284 events)
Time & API Arguments Status Return Repeated
1619719871.087626
NtAllocateVirtualMemory
process_identifier: 1880
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00a90000
success 0 0
1619719930.838249
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004200000
success 0 0
1619719901.322001
NtAllocateVirtualMemory
process_identifier: 2168
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00830000
success 0 0
1619719931.244001
NtAllocateVirtualMemory
process_identifier: 2168
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03510000
success 0 0
1619719909.024751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x03070000
success 0 0
1619719909.024751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x031d0000
success 0 0
1619719909.430751
NtProtectVirtualMemory
process_identifier: 1124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73731000
success 0 0
1619719909.477751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0208a000
success 0 0
1619719909.477751
NtProtectVirtualMemory
process_identifier: 1124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73732000
success 0 0
1619719909.477751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02082000
success 0 0
1619719911.274751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02092000
success 0 0
1619719911.962751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x031d1000
success 0 0
1619719912.008751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x031d2000
success 0 0
1619719912.118751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020ba000
success 0 0
1619719912.524751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02093000
success 0 0
1619719912.805751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02094000
success 0 0
1619719912.821751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020cb000
success 0 0
1619719912.821751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c7000
success 0 0
1619719912.883751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0208b000
success 0 0
1619719913.024751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b2000
success 0 0
1619719913.024751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c5000
success 0 0
1619719913.337751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02095000
success 0 0
1619719913.915751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020bc000
success 0 0
1619719915.133751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b3000
success 0 0
1619719915.165751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c70000
success 0 0
1619719915.508751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02096000
success 0 0
1619719915.571751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020cc000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b4000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b5000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b6000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b7000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b8000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b9000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cc0000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cc1000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cc2000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cc3000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cc4000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cc5000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cc6000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cc7000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cc8000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cc9000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cca000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ccb000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ccc000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ccd000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cce000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ccf000
success 0 0
1619719917.305751
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cd0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (2 events)
cmdline powershell Add-MpPreference -ExclusionPath C:\
cmdline C:\Windows\System32\cmd.exe
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619719931.306001
CreateProcessInternalW
thread_identifier: 600
thread_handle: 0x000001f4
process_identifier: 2616
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line:
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000001ec
inherit_handles: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 6.900223993058455 section {'size_of_data': '0x00040e00', 'virtual_address': '0x000b9000', 'entropy': 6.900223993058455, 'name': '.data', 'virtual_size': '0x0004264c'} description A section with a high entropy has been found
entropy 0.251453488372093 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1619719912.883751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619719931.821751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 79.134.225.34
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start
Allocates execute permission to another process indicative of possible code injection (2 events)
Time & API Arguments Status Return Repeated
1619719932.306001
NtAllocateVirtualMemory
process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003a0000
success 0 0
1619719932.306001
NtProtectVirtualMemory
process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f8
base_address: 0x003a0000
success 0 0
Installs itself for autorun at Windows startup (3 events)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images reg_value C:\ProgramData\images.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619719932.306001
WriteProcessMemory
process_identifier: 2616
process_handle: 0x000001f8
base_address: 0x003a0000
success 1 0
1619719932.306001
WriteProcessMemory
process_identifier: 2616
buffer: xC:\ProgramData\images.exe¤öZè€}è<÷Z<÷ZP,w|,w ¾‘]Ä÷ZQ$€igÿÿÿÿÿäöZÈ÷ZÀþZà^‘wÎ1Z(þÿÿÿ|,w 5wè
process_handle: 0x000001f8
base_address: 0x003b0000
success 1 0
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\ProgramData\images.exe:Zone.Identifier
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.671037
FireEye Generic.mg.8511a7a835eb8faf
Qihoo-360 Generic/Trojan.a99
McAfee GenericRXAA-AA!8511A7A835EB
Cylance Unsafe
Zillya Trojan.AveMaria.Win32.520
Sangfor Malware
K7AntiVirus Trojan ( 005670491 )
Alibaba TrojanSpy:Win32/Obfuscator.e1305e05
K7GW Trojan ( 005670491 )
Arcabit Trojan.Razy.DA3D3D
Cyren W32/Kryptik.BKJ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky HEUR:Trojan-Spy.Win32.AveMaria.vho
BitDefender Gen:Variant.Razy.671037
Paloalto generic.ml
Ad-Aware Gen:Variant.Razy.671037
TACHYON Trojan-Spy/W32.AveMaria.1057792
Sophos Mal/Generic-S
Comodo Malware@#fm93p7mcr693
F-Secure Trojan.TR/AD.MortyStealer.feidy
DrWeb Trojan.PWS.Maria.4
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06EC0DIA20
McAfee-GW-Edition BehavesLike.Win32.Dropper.th
Emsisoft Gen:Variant.Razy.671037 (B)
Jiangmin TrojanSpy.AveMaria.iz
Webroot W32.Trojan.Emotet
Avira TR/AD.MortyStealer.feidy
Antiy-AVL GrayWare/Win32.Wacapew
Gridinsoft Trojan.Win32.Emotet.dd!n
Microsoft TrojanSpy:Win32/Obfuscator.KG!MTB
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm HEUR:Trojan-Spy.Win32.AveMaria.vho
GData Gen:Variant.Razy.671037
Cynet Malicious (score: 100)
BitDefenderTheta Gen:NN.ZexaCO.34670.aD0@auedZWmi
MAX malware (ai score=89)
VBA32 TrojanPSW.Maria
Malwarebytes Backdoor.AveMaria
ESET-NOD32 Win32/Agent.TJS
TrendMicro-HouseCall TROJ_GEN.R06EC0DIA20
Rising Trojan.Kryptik!8.8 (TFE:5:qPo9RI6zBDF)
Yandex Trojan.AntiAV!0U/dQ0UBMgI
Ikarus Trojan.Inject
Fortinet W32/Kryptik.HCXN!tr
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 events)
dead_host 172.217.24.14:443
dead_host 192.168.56.101:49194
dead_host 172.217.160.110:443
dead_host 192.168.56.101:49197
dead_host 79.134.225.34:5200
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran
PE Compile Time

2020-05-19 04:11:24

Imports

Library KERNEL32.dll:
0x4fc164 MultiByteToWideChar
0x4fc168 GetLocalTime
0x4fc16c GetDateFormatW
0x4fc17c lstrcmpiW
0x4fc180 GetLocaleInfoEx
0x4fc18c LoadLibraryExA
0x4fc190 HeapFree
0x4fc194 HeapAlloc
0x4fc198 GetProcessHeap
0x4fc19c InterlockedExchange
0x4fc1a4 GetFileAttributesW
0x4fc1b0 IsWow64Process
0x4fc1b4 GetCurrentProcess
0x4fc1b8 GetModuleFileNameW
0x4fc1bc LocalFree
0x4fc1c0 LocalReAlloc
0x4fc1c4 LocalAlloc
0x4fc1c8 GetProfileStringW
0x4fc1cc lstrlenW
0x4fc1d0 CompareStringW
0x4fc1e4 CompareFileTime
0x4fc1ec GetTempFileNameW
0x4fc1f4 DeleteFileW
0x4fc1f8 CreateFileW
0x4fc200 TerminateProcess
0x4fc208 HeapDestroy
0x4fc20c HeapReAlloc
0x4fc210 HeapSize
0x4fc214 RaiseException
0x4fc218 SetFilePointerEx
0x4fc21c GetConsoleMode
0x4fc220 GetConsoleCP
0x4fc224 GlobalFindAtomW
0x4fc228 WriteConsoleW
0x4fc234 GetFileType
0x4fc238 SetStdHandle
0x4fc23c EnumSystemLocalesW
0x4fc240 GetUserDefaultLCID
0x4fc244 IsValidLocale
0x4fc248 LCMapStringW
0x4fc24c GetTimeFormatW
0x4fc260 GetCommandLineW
0x4fc264 GetCommandLineA
0x4fc268 GetCPInfo
0x4fc26c GetOEMCP
0x4fc270 IsValidCodePage
0x4fc274 FindNextFileA
0x4fc278 FindFirstFileExW
0x4fc27c FindFirstFileExA
0x4fc284 OutputDebugStringW
0x4fc288 GetCurrentThread
0x4fc28c GetStringTypeW
0x4fc290 GetSystemInfo
0x4fc294 HeapValidate
0x4fc298 GetACP
0x4fc29c GetModuleHandleExW
0x4fc2a0 ExitProcess
0x4fc2a4 GetModuleFileNameA
0x4fc2a8 WriteFile
0x4fc2ac GetStdHandle
0x4fc2b0 EncodePointer
0x4fc2b4 LoadLibraryExW
0x4fc2b8 TlsFree
0x4fc2bc TlsSetValue
0x4fc2c0 TlsGetValue
0x4fc2c4 TlsAlloc
0x4fc2cc SetLastError
0x4fc2d0 RtlUnwind
0x4fc2dc GetStartupInfoW
0x4fc2e0 IsDebuggerPresent
0x4fc2e4 InitializeSListHead
0x4fc2ec MulDiv
0x4fc2f0 GlobalSize
0x4fc2f4 GlobalLock
0x4fc2f8 GlobalUnlock
0x4fc2fc GlobalAlloc
0x4fc300 lstrcmpW
0x4fc304 ResetEvent
0x4fc308 CreateEventW
0x4fc30c CreateThread
0x4fc310 WaitForSingleObject
0x4fc314 CloseHandle
0x4fc318 SetEvent
0x4fc31c GetSystemTime
0x4fc320 FindResourceExW
0x4fc324 FindResourceW
0x4fc328 LoadResource
0x4fc32c LockResource
0x4fc330 SizeofResource
0x4fc334 GetCurrentProcessId
0x4fc344 GetLastError
0x4fc34c GetVersionExA
0x4fc350 DecodePointer
0x4fc354 GetCurrentThreadId
0x4fc358 GetTickCount
0x4fc360 GetModuleHandleA
0x4fc368 OutputDebugStringA
0x4fc36c GetStartupInfoA
0x4fc370 WideCharToMultiByte
0x4fc374 lstrlenA
0x4fc380 GetLocaleInfoW
0x4fc384 GetVersionExW
0x4fc388 FindNextFileW
0x4fc38c FindFirstFileW
0x4fc398 GetModuleHandleW
0x4fc39c LoadLibraryW
0x4fc3a0 FindClose
0x4fc3a4 Sleep
0x4fc3a8 VirtualAlloc
0x4fc3ac GetProcAddress
0x4fc3b0 FlushFileBuffers
0x4fc3b4 FreeLibrary
Library USER32.dll:
0x4fc4d4 GetWindowTextW
0x4fc4dc IsDialogMessageW
0x4fc4e0 GetKeyState
0x4fc4e4 SetCursor
0x4fc4e8 SetWindowPos
0x4fc4ec GetWindowRect
0x4fc4f0 GetClassNameW
0x4fc4f4 MapWindowPoints
0x4fc4f8 EnableMenuItem
0x4fc4fc FindWindowW
0x4fc500 GetAncestor
0x4fc504 CreatePopupMenu
0x4fc508 TrackPopupMenu
0x4fc50c CreateDialogParamW
0x4fc510 EnumDesktopWindows
0x4fc514 GetClassWord
0x4fc518 EnableWindow
0x4fc51c EqualRect
0x4fc520 EnumDisplayMonitors
0x4fc524 IntersectRect
0x4fc528 CopyRect
0x4fc52c MonitorFromWindow
0x4fc530 GetMonitorInfoW
0x4fc534 OffsetRect
0x4fc538 GetNextDlgTabItem
0x4fc53c CheckMenuItem
0x4fc540 SetDlgItemInt
0x4fc544 GetDlgItemInt
0x4fc548 MoveWindow
0x4fc54c IsDlgButtonChecked
0x4fc550 SendDlgItemMessageW
0x4fc554 UnregisterClassA
0x4fc558 SetPropW
0x4fc55c EnumChildWindows
0x4fc560 GetSystemMetrics
0x4fc564 SetFocus
0x4fc568 SetWindowTextW
0x4fc56c GetWindowPlacement
0x4fc570 MonitorFromRect
0x4fc574 LoadImageW
0x4fc578 GetDC
0x4fc57c ReleaseDC
0x4fc580 SetWindowPlacement
0x4fc584 SetForegroundWindow
0x4fc588 FillRect
0x4fc58c GetMessageW
0x4fc590 TranslateMessage
0x4fc594 DispatchMessageW
0x4fc598 SendMessageW
0x4fc59c DefWindowProcW
0x4fc5a0 PostQuitMessage
0x4fc5a4 RegisterClassExW
0x4fc5a8 CreateWindowExW
0x4fc5ac DestroyWindow
0x4fc5b0 ShowWindow
0x4fc5b4 DialogBoxParamW
0x4fc5b8 EndDialog
0x4fc5bc GetDlgItem
0x4fc5c0 LoadAcceleratorsW
0x4fc5c8 LoadMenuW
0x4fc5cc GetMenu
0x4fc5d0 SetMenuItemInfoW
0x4fc5d4 SetMenu
0x4fc5d8 DrawMenuBar
0x4fc5dc DestroyMenu
0x4fc5e0 DrawTextW
0x4fc5e4 UpdateWindow
0x4fc5e8 BeginPaint
0x4fc5ec EndPaint
0x4fc5f0 CheckMenuRadioItem
0x4fc5f4 MessageBeep
0x4fc5fc CheckRadioButton
0x4fc604 InvalidateRect
0x4fc608 GetClientRect
0x4fc60c GetParent
0x4fc610 LoadCursorW
0x4fc614 LoadIconW
0x4fc618 LoadStringW
0x4fc61c GetSysColor
0x4fc620 SetClassLongW
0x4fc624 GetMessageExtraInfo
0x4fc628 GetFocus
0x4fc630 GetMenuState
0x4fc634 OpenClipboard
0x4fc638 GetClipboardData
0x4fc63c CloseClipboard
0x4fc640 EmptyClipboard
0x4fc644 SetClipboardData
0x4fc648 CharNextA
0x4fc64c PostMessageW
0x4fc650 IsWindowEnabled
0x4fc654 SetWindowLongW
0x4fc658 InsertMenuItemW
0x4fc65c GetWindowLongW
0x4fc660 GetSubMenu
0x4fc664 RemoveMenu
0x4fc668 AppendMenuW
0x4fc66c GetClassLongW
Library GDI32.dll:
0x4fc0b4 SetTextColor
0x4fc0b8 CreatePatternBrush
0x4fc0bc GetStockObject
0x4fc0c0 SetBkColor
0x4fc0c4 CombineRgn
0x4fc0c8 SetRectRgn
0x4fc0d0 CreateRectRgn
0x4fc0d8 ExtCreatePen
0x4fc0dc MoveToEx
0x4fc0e0 LineTo
0x4fc0e4 GetObjectW
0x4fc0ec GetTextMetricsW
0x4fc0f0 CreateSolidBrush
0x4fc0f4 GetRgnBox
0x4fc0f8 GetDeviceCaps
0x4fc0fc CreateCompatibleDC
0x4fc100 GetTextExtentPointW
0x4fc104 DeleteDC
0x4fc108 DeleteObject
0x4fc10c CreateDIBSection
0x4fc110 EqualRgn
0x4fc114 SetBkMode
0x4fc118 CreateFontIndirectW
0x4fc11c SelectObject
Library ADVAPI32.dll:
0x4fc000 OpenServiceW
0x4fc004 RegOpenKeyExW
0x4fc008 RegQueryValueExW
0x4fc00c RegEnumKeyExW
0x4fc010 EventRegister
0x4fc014 EventUnregister
0x4fc018 EventWrite
0x4fc01c RegCreateKeyExW
0x4fc020 CloseServiceHandle
0x4fc024 QueryServiceConfigW
0x4fc028 RegCloseKey
0x4fc02c OpenSCManagerW
0x4fc030 RegSetValueExW
0x4fc034 RegDeleteKeyW
0x4fc038 RegEnumValueW
0x4fc03c RegGetValueW
0x4fc040 RegQueryInfoKeyW
Library SHELL32.dll:
0x4fc498 ShellAboutW
0x4fc49c SHGetFolderPathW
0x4fc4a4 ShellExecuteExW
Library COMCTL32.dll:
0x4fc084 PropertySheetW
Library gdiplus.dll:
0x4fc784 GdipDrawLineI
0x4fc798 GdiplusShutdown
0x4fc79c GdiplusStartup
0x4fc7a0 GdipAlloc
0x4fc7a4 GdipDeleteBrush
0x4fc7a8 GdipCreatePen1
0x4fc7ac GdipDeletePen
0x4fc7b0 GdipDeleteGraphics
0x4fc7b4 GdipDisposeImage
0x4fc7bc GdipCreateSolidFill
0x4fc7c0 GdipSetPageUnit
0x4fc7c8 GdipDrawImageRectI
0x4fc7cc GdipCreateFromHDC
0x4fc7d4 GdipCloneImage
0x4fc7d8 GdipCloneBrush
0x4fc7dc GdipFillRectangleI
0x4fc7e0 GdipDrawArcI
0x4fc7e4 GdipFree
Library RPCRT4.dll:
0x4fc45c UuidCreate
0x4fc460 I_UuidCreate
0x4fc464 UuidToStringW
0x4fc468 RpcStringFreeW
Library UxTheme.dll:
0x4fc6ec IsThemeActive
Library VERSION.dll:
0x4fc71c VerQueryValueW
Library WINMM.dll:
0x4fc754 timeGetTime

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source Port   Destination                     Destination Port
192.168.56.101  51808         114.114.114.114                 53
192.168.56.101  51963         114.114.114.114                 53
192.168.56.101  55368         114.114.114.114                 53
192.168.56.101  56539         114.114.114.114                 53
192.168.56.101  60384         114.114.114.114                 53
192.168.56.101  137           192.168.56.255                  137
192.168.56.101  138           192.168.56.255                  138
192.168.56.101  123           20.189.79.72 (time.windows.com) 123
192.168.56.101  49713         224.0.0.252                     5355
192.168.56.101  51378         224.0.0.252                     5355
192.168.56.101  53237         224.0.0.252                     5355
192.168.56.101  56804         224.0.0.252                     5355
192.168.56.101  58367         224.0.0.252                     5355
192.168.56.101  60123         224.0.0.252                     5355
192.168.56.101  61680         224.0.0.252                     5355
192.168.56.101  62191         224.0.0.252                     5355
192.168.56.101  62318         224.0.0.252                     5355
192.168.56.101  65004         224.0.0.252                     5355
192.168.56.101  1900          239.255.255.250                 1900
192.168.56.101  51379         239.255.255.250                 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.