SmartHawk

10.0

0-day

57 个模型检测该样本为恶意！

重新分析

下载样本

775f508ce9aa128d16970e85f0b02f8f200c50dde94a1e345621069dd7042330

871b03e7a9ec6bebfcb55b5e4b913959.exe

分析耗时

62s

最近分析

文件大小

933.0KB

静态报毒动态报毒 100% 6GW@AWTILFII AGENTTESLA AI SCORE=81 AIDETECTVM ALI2000015 AOVKJ CLOUD COINMINERX CONFIDENCE DELF DELFINJECT DELPHILESS DYQD EMOY FAREIT GENETIC HIGH CONFIDENCE HNGRBE HPLOKI KRYPTIK MALWARE1 MALWARE@#1DF4UF9MDHBQL MODERATE SCORE SMBD SUSPICIOUS PE TSCOPE TSPY UNSAFE UROR X2085 ZELPHIF ZUSY 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FVZ!871B03E7A9EC	20200722	6.0.6.653
Alibaba	Trojan:Win32/DelfInject.ali2000015	20190527	0.3.0.5
Avast	Win32:CoinminerX-gen [Trj]	20200722	18.4.3895.0
Tencent	Win32.Trojan.Kryptik.Dyqd	20200722	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft		20200722	2013.8.14.323
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 个事件)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619685976.156125 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34406212 registers.edi: 0 registers.eax: 0 registers.ebp: 34406280 registers.edx: 28 registers.ebx: 0 registers.esi: 0 registers.ecx: 124 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: 871b03e7a9ec6bebfcb55b5e4b913959+0x8ddba exception.instruction: div eax exception.module: 871b03e7a9ec6bebfcb55b5e4b913959.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success	0	0
1619712525.029626 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73a4e97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73a4ea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73a4b25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73a4b4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73a4ac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73a4aed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73a45511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73a4559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74107f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74104de3 871b03e7a9ec6bebfcb55b5e4b913959+0x5aa4d @ 0x45aa4d 871b03e7a9ec6bebfcb55b5e4b913959+0x53254 @ 0x453254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfcdc14ad	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619685976.156125
__exception__

stacktrace:

BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34406212
registers.edi: 0
registers.eax: 0
registers.ebp: 34406280
registers.edx: 28
registers.ebx: 0
registers.esi: 0
registers.ecx: 124
exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af
exception.symbol: 871b03e7a9ec6bebfcb55b5e4b913959+0x8ddba
exception.instruction: div eax
exception.module: 871b03e7a9ec6bebfcb55b5e4b913959.exe
exception.exception_code: 0xc0000094
exception.offset: 581050
exception.address: 0x48ddba

success

1619712525.029626
__exception__

stacktrace:

CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73a4e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73a4ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73a4b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73a4b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73a4ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73a4aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73a45511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73a4559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74107f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74104de3
871b03e7a9ec6bebfcb55b5e4b913959+0x5aa4d @ 0x45aa4d
871b03e7a9ec6bebfcb55b5e4b913959+0x53254 @ 0x453254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfcdc14ad

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (30 个事件)

Time & API	Arguments	Status
1619685976.015125 NtAllocateVirtualMemory	process_identifier: 196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01df0000	success
1619685976.156125 NtProtectVirtualMemory	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0048d000	success
1619685976.156125 NtAllocateVirtualMemory	process_identifier: 196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02e50000	success
1619712523.858626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1619712523.889626 NtAllocateVirtualMemory	process_identifier: 2528 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01dd0000	success
1619712523.889626 NtAllocateVirtualMemory	process_identifier: 2528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f90000	success
1619712523.889626 NtAllocateVirtualMemory	process_identifier: 2528 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01dd0000	success
1619712523.889626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 307200 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01dd2000	success
1619712524.342626 NtAllocateVirtualMemory	process_identifier: 2528 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01fd0000	success
1619712524.342626 NtAllocateVirtualMemory	process_identifier: 2528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x020b0000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005a2000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005a2000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005a2000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005a2000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005a2000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d4f000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005a2000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005a2000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005a2000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005a2000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005a2000	success
1619712524.998626 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmp.vbs

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.506602562255678

section

{'size_of_data': '0x00043a00', 'virtual_address': '0x000ab000', 'entropy': 7.506602562255678, 'name': '.rsrc', 'virtual_size': '0x0004388c'}

description

A section with a high entropy has been found

entropy

0.29023605150214593

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 个事件)

host	113.108.239.196
host	172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686006.500125 NtAllocateVirtualMemory	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000100 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00130000	success	0	0

Installs itself for autorun at Windows startup (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmp.vbs

Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 196 created a thread in remote process 1160
1619686006.500125 NtQueueApcThread	thread_handle: 0x000000fc process_identifier: 1160 function_address: 0x001305c0 parameter: 0x00140000	success	0	0

Potential code injection by writing to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686006.500125 WriteProcessMemory	process_identifier: 1160 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x00000100 base_address: 0x00130000	success	1	0
1619686006.500125 WriteProcessMemory	process_identifier: 1160 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\871b03e7a9ec6bebfcb55b5e4b913959.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\871b03e7a9ec6bebfcb55b5e4b913959.exe" nmpset vukcajbVv = CrEaTEoBJECt("WsCRipt.shell") vUKcaJBVV.run """%ls""", 0, False process_handle: 0x00000100 base_address: 0x00140000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 196 called NtSetContextThread to modify thread in remote process 2528
1619686006.546125 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4905792 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2528	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 196 resumed a thread in remote process 2528
1619686006.718125 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2528	success	0	0

Executed a process and injected code into it, probably while unpacking (11 个事件)

Time & API	Arguments	Status	Return
1619686006.500125 CreateProcessInternalW	thread_identifier: 2236 thread_handle: 0x000000fc process_identifier: 1160 current_directory: filepath: C:\Windows\System32\notepad.exe track: 1 command_line: filepath_r: C:\Windows\system32\notepad.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000100 inherit_handles: 0	success	1
1619686006.500125 NtAllocateVirtualMemory	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000100 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00130000	success	0
1619686006.500125 NtAllocateVirtualMemory	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000100 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00140000	success	0
1619686006.500125 WriteProcessMemory	process_identifier: 1160 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x00000100 base_address: 0x00130000	success	1
1619686006.500125 WriteProcessMemory	process_identifier: 1160 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\871b03e7a9ec6bebfcb55b5e4b913959.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\871b03e7a9ec6bebfcb55b5e4b913959.exe" nmpset vukcajbVv = CrEaTEoBJECt("WsCRipt.shell") vUKcaJBVV.run """%ls""", 0, False process_handle: 0x00000100 base_address: 0x00140000	success	1
1619686006.531125 CreateProcessInternalW	thread_identifier: 1948 thread_handle: 0x00000108 process_identifier: 2528 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\871b03e7a9ec6bebfcb55b5e4b913959.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000104 inherit_handles: 0	success	1
1619686006.531125 NtUnmapViewOfSection	process_identifier: 2528 region_size: 4096 process_handle: 0x00000104 base_address: 0x00400000	success	0
1619686006.531125 NtMapViewOfSection	section_handle: 0x00000110 process_identifier: 2528 commit_size: 716800 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000104 allocation_type: 0 () section_offset: 0 view_size: 716800 base_address: 0x00400000	success	0
1619686006.546125 NtGetContextThread	thread_handle: 0x00000108	success	0
1619686006.546125 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4905792 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2528	success	0
1619686006.718125 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2528	success	0

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.AIDetectVM.malware1
DrWeb	Trojan.PWS.Stealer.28804
MicroWorld-eScan	Gen:Variant.Zusy.308908
FireEye	Generic.mg.871b03e7a9ec6beb
McAfee	Fareit-FVZ!871B03E7A9EC
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 0056a4951 )
Alibaba	Trojan:Win32/DelfInject.ali2000015
K7GW	Trojan ( 0056a4951 )
Cybereason	malicious.69209c
Arcabit	Trojan.Zusy.D4B6AC
Invincea	heuristic
BitDefenderTheta	Gen:NN.ZelphiF.34136.6GW@aWtIlfii
F-Prot	W32/Injector.JFL
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win32/Injector.EMOY
APEX	Malicious
Avast	Win32:CoinminerX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Kryptik.gen
BitDefender	Gen:Variant.Zusy.308908
NANO-Antivirus	Trojan.Win32.Kryptik.hngrbe
Paloalto	generic.ml
AegisLab	Trojan.Win32.Kryptik.4!c
Tencent	Win32.Trojan.Kryptik.Dyqd
Endgame	malicious (high confidence)
Sophos	Mal/Generic-S
Comodo	Malware@#1df4uf9mdhbql
F-Secure	Trojan.TR/Injector.aovkj
Zillya	Trojan.Injector.Win32.749210
TrendMicro	TSPY_HPLOKI.SMBD
Trapmine	malicious.moderate.ml.score
Emsisoft	Gen:Variant.Zusy.308908 (B)
SentinelOne	DFI - Suspicious PE
Cyren	W32/Injector.UROR-2273
Jiangmin	Trojan.Kryptik.btv
Avira	TR/Injector.aovkj
Antiy-AVL	Trojan/Win32.Kryptik
Microsoft	PWS:Win32/Fareit.AQ!MTB
ZoneAlarm	HEUR:Trojan.Win32.Kryptik.gen
GData	Gen:Variant.Zusy.308908
Cynet	Malicious (score: 100)
AhnLab-V3	Suspicious/Win.Delphiless.X2085
VBA32	TScope.Trojan.Delf
MAX	malware (ai score=81)
Ad-Aware	Gen:Variant.Zusy.308908
Malwarebytes	Spyware.AgentTesla
TrendMicro-HouseCall	TSPY_HPLOKI.SMBD
Rising	Trojan.Injector!1.C898 (CLOUD)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:

• 0x49b154 DeleteCriticalSection

• 0x49b158 LeaveCriticalSection

• 0x49b15c EnterCriticalSection

• 0x49b160 InitializeCriticalSection

• 0x49b164 VirtualFree

• 0x49b168 VirtualAlloc

• 0x49b16c LocalFree

• 0x49b170 LocalAlloc

• 0x49b174 GetVersion

• 0x49b178 GetCurrentThreadId

• 0x49b17c InterlockedDecrement

• 0x49b180 InterlockedIncrement

• 0x49b184 VirtualQuery

• 0x49b188 WideCharToMultiByte

• 0x49b18c MultiByteToWideChar

• 0x49b190 lstrlenA

• 0x49b194 lstrcpynA

• 0x49b198 LoadLibraryExA

• 0x49b19c GetThreadLocale

• 0x49b1a0 GetStartupInfoA

• 0x49b1a4 GetProcAddress

• 0x49b1a8 GetModuleHandleA

• 0x49b1ac GetModuleFileNameA

• 0x49b1b0 GetLocaleInfoA

• 0x49b1b4 GetCommandLineA

• 0x49b1b8 FreeLibrary

• 0x49b1bc FindFirstFileA

• 0x49b1c0 FindClose

• 0x49b1c4 ExitProcess

• 0x49b1c8 WriteFile

• 0x49b1cc UnhandledExceptionFilter

• 0x49b1d0 RtlUnwind

• 0x49b1d4 RaiseException

• 0x49b1d8 GetStdHandle

Library user32.dll:

• 0x49b1e0 GetKeyboardType

• 0x49b1e4 LoadStringA

• 0x49b1e8 MessageBoxA

• 0x49b1ec CharNextA

Library advapi32.dll:

• 0x49b1f4 RegQueryValueExA

• 0x49b1f8 RegOpenKeyExA

• 0x49b1fc RegCloseKey

Library oleaut32.dll:

• 0x49b204 SysFreeString

• 0x49b208 SysReAllocStringLen

• 0x49b20c SysAllocStringLen

Library kernel32.dll:

• 0x49b214 TlsSetValue

• 0x49b218 TlsGetValue

• 0x49b21c LocalAlloc

• 0x49b220 GetModuleHandleA

Library advapi32.dll:

• 0x49b228 RegQueryValueExA

• 0x49b22c RegOpenKeyExA

• 0x49b230 RegCloseKey

Library kernel32.dll:

• 0x49b238 lstrcpyA

• 0x49b23c WriteFile

• 0x49b240 WaitForSingleObject

• 0x49b244 VirtualQuery

• 0x49b248 VirtualProtectEx

• 0x49b24c VirtualAlloc

• 0x49b250 Sleep

• 0x49b254 SizeofResource

• 0x49b258 SetThreadLocale

• 0x49b25c SetFilePointer

• 0x49b260 SetEvent

• 0x49b264 SetErrorMode

• 0x49b268 SetEndOfFile

• 0x49b26c ResetEvent

• 0x49b270 ReadFile

• 0x49b274 MultiByteToWideChar

• 0x49b278 MulDiv

• 0x49b27c LockResource

• 0x49b280 LoadResource

• 0x49b284 LoadLibraryA

• 0x49b288 LeaveCriticalSection

• 0x49b28c InitializeCriticalSection

• 0x49b290 GlobalUnlock

• 0x49b294 GlobalSize

• 0x49b298 GlobalReAlloc

• 0x49b29c GlobalHandle

• 0x49b2a0 GlobalLock

• 0x49b2a4 GlobalFree

• 0x49b2a8 GlobalFindAtomA

• 0x49b2ac GlobalDeleteAtom

• 0x49b2b0 GlobalAlloc

• 0x49b2b4 GlobalAddAtomA

• 0x49b2b8 GetVersionExA

• 0x49b2bc GetVersion

• 0x49b2c0 GetUserDefaultLCID

• 0x49b2c4 GetTickCount

• 0x49b2c8 GetThreadLocale

• 0x49b2cc GetSystemInfo

• 0x49b2d0 GetStringTypeExA

• 0x49b2d4 GetStdHandle

• 0x49b2d8 GetProcAddress

• 0x49b2dc GetModuleHandleA

• 0x49b2e0 GetModuleFileNameA

• 0x49b2e4 GetLocaleInfoA

• 0x49b2e8 GetLocalTime

• 0x49b2ec GetLastError

• 0x49b2f0 GetFullPathNameA

• 0x49b2f4 GetFileAttributesA

• 0x49b2f8 GetDiskFreeSpaceA

• 0x49b2fc GetDateFormatA

• 0x49b300 GetCurrentThreadId

• 0x49b304 GetCurrentProcessId

• 0x49b308 GetCurrentProcess

• 0x49b30c GetComputerNameA

• 0x49b310 GetCPInfo

• 0x49b314 GetACP

• 0x49b318 FreeResource

• 0x49b31c InterlockedIncrement

• 0x49b320 InterlockedExchange

• 0x49b324 InterlockedDecrement

• 0x49b328 FreeLibrary

• 0x49b32c FormatMessageA

• 0x49b330 FindResourceA

• 0x49b334 FindFirstFileA

• 0x49b338 FindClose

• 0x49b33c FileTimeToLocalFileTime

• 0x49b340 FileTimeToDosDateTime

• 0x49b344 EnumCalendarInfoA

• 0x49b348 EnterCriticalSection

• 0x49b34c DeleteCriticalSection

• 0x49b350 CreateThread

• 0x49b354 CreateFileA

• 0x49b358 CreateEventA

• 0x49b35c CompareStringA

• 0x49b360 CloseHandle

Library version.dll:

• 0x49b368 VerQueryValueA

• 0x49b36c GetFileVersionInfoSizeA

• 0x49b370 GetFileVersionInfoA

Library gdi32.dll:

• 0x49b378 UnrealizeObject

• 0x49b37c StretchBlt

• 0x49b380 SetWindowOrgEx

• 0x49b384 SetWinMetaFileBits

• 0x49b388 SetViewportOrgEx

• 0x49b38c SetTextColor

• 0x49b390 SetStretchBltMode

• 0x49b394 SetROP2

• 0x49b398 SetPixel

• 0x49b39c SetMapMode

• 0x49b3a0 SetEnhMetaFileBits

• 0x49b3a4 SetDIBColorTable

• 0x49b3a8 SetColorSpace

• 0x49b3ac SetBrushOrgEx

• 0x49b3b0 SetBkMode

• 0x49b3b4 SetBkColor

• 0x49b3b8 SelectPalette

• 0x49b3bc SelectObject

• 0x49b3c0 SelectClipRgn

• 0x49b3c4 SaveDC

• 0x49b3c8 RestoreDC

• 0x49b3cc Rectangle

• 0x49b3d0 RectVisible

• 0x49b3d4 RealizePalette

• 0x49b3d8 Polyline

• 0x49b3dc Polygon

• 0x49b3e0 PlayEnhMetaFile

• 0x49b3e4 PatBlt

• 0x49b3e8 MoveToEx

• 0x49b3ec MaskBlt

• 0x49b3f0 LineTo

• 0x49b3f4 LPtoDP

• 0x49b3f8 IntersectClipRect

• 0x49b3fc GetWindowOrgEx

• 0x49b400 GetWinMetaFileBits

• 0x49b404 GetTextMetricsA

• 0x49b408 GetTextExtentPoint32A

• 0x49b40c GetSystemPaletteEntries

• 0x49b410 GetStockObject

• 0x49b414 GetPixel

• 0x49b418 GetPaletteEntries

• 0x49b41c GetObjectA

• 0x49b420 GetEnhMetaFilePaletteEntries

• 0x49b424 GetEnhMetaFileHeader

• 0x49b428 GetEnhMetaFileDescriptionA

• 0x49b42c GetEnhMetaFileBits

• 0x49b430 GetDeviceCaps

• 0x49b434 GetDIBits

• 0x49b438 GetDIBColorTable

• 0x49b43c GetDCOrgEx

• 0x49b440 GetCurrentPositionEx

• 0x49b444 GetClipBox

• 0x49b448 GetBrushOrgEx

• 0x49b44c GetBitmapBits

• 0x49b450 ExtTextOutA

• 0x49b454 ExcludeClipRect

• 0x49b458 DeleteObject

• 0x49b45c DeleteEnhMetaFile

• 0x49b460 DeleteDC

• 0x49b464 CreateSolidBrush

• 0x49b468 CreatePenIndirect

• 0x49b46c CreatePalette

• 0x49b470 CreateHalftonePalette

• 0x49b474 CreateFontIndirectA

• 0x49b478 CreateEnhMetaFileA

• 0x49b47c CreateDIBitmap

• 0x49b480 CreateDIBSection

• 0x49b484 CreateCompatibleDC

• 0x49b488 CreateCompatibleBitmap

• 0x49b48c CreateBrushIndirect

• 0x49b490 CreateBitmap

• 0x49b494 CopyEnhMetaFileA

• 0x49b498 CloseEnhMetaFile

• 0x49b49c BitBlt

Library user32.dll:

• 0x49b4a4 CreateWindowExA

• 0x49b4a8 WindowFromPoint

• 0x49b4ac WinHelpA

• 0x49b4b0 WaitMessage

• 0x49b4b4 UpdateWindow

• 0x49b4b8 UnregisterClassA

• 0x49b4bc UnhookWindowsHookEx

• 0x49b4c0 TranslateMessage

• 0x49b4c4 TranslateMDISysAccel

• 0x49b4c8 TrackPopupMenu

• 0x49b4cc SystemParametersInfoA

• 0x49b4d0 ShowWindow

• 0x49b4d4 ShowScrollBar

• 0x49b4d8 ShowOwnedPopups

• 0x49b4dc ShowCursor

• 0x49b4e0 SetWindowsHookExA

• 0x49b4e4 SetWindowTextA

• 0x49b4e8 SetWindowPos

• 0x49b4ec SetWindowPlacement

• 0x49b4f0 SetWindowLongA

• 0x49b4f4 SetTimer

• 0x49b4f8 SetScrollRange

• 0x49b4fc SetScrollPos

• 0x49b500 SetScrollInfo

• 0x49b504 SetRect

• 0x49b508 SetPropA

• 0x49b50c SetParent

• 0x49b510 SetMenuItemInfoA

• 0x49b514 SetMenu

• 0x49b518 SetForegroundWindow

• 0x49b51c SetFocus

• 0x49b520 SetCursor

• 0x49b524 SetClassLongA

• 0x49b528 SetCapture

• 0x49b52c SetActiveWindow

• 0x49b530 SendMessageA

• 0x49b534 ScrollWindow

• 0x49b538 ScreenToClient

• 0x49b53c RemovePropA

• 0x49b540 RemoveMenu

• 0x49b544 ReleaseDC

• 0x49b548 ReleaseCapture

• 0x49b54c RegisterWindowMessageA

• 0x49b550 RegisterClipboardFormatA

• 0x49b554 RegisterClassA

• 0x49b558 RedrawWindow

• 0x49b55c PtInRect

• 0x49b560 PostQuitMessage

• 0x49b564 PostMessageA

• 0x49b568 PeekMessageA

• 0x49b56c OffsetRect

• 0x49b570 OemToCharA

• 0x49b574 MessageBoxA

• 0x49b578 MapWindowPoints

• 0x49b57c MapVirtualKeyA

• 0x49b580 LoadStringA

• 0x49b584 LoadKeyboardLayoutA

• 0x49b588 LoadIconA

• 0x49b58c LoadCursorA

• 0x49b590 LoadBitmapA

• 0x49b594 KillTimer

• 0x49b598 IsZoomed

• 0x49b59c IsWindowVisible

• 0x49b5a0 IsWindowEnabled

• 0x49b5a4 IsWindow

• 0x49b5a8 IsRectEmpty

• 0x49b5ac IsIconic

• 0x49b5b0 IsDialogMessageA

• 0x49b5b4 IsChild

• 0x49b5b8 InvalidateRect

• 0x49b5bc IntersectRect

• 0x49b5c0 InsertMenuItemA

• 0x49b5c4 InsertMenuA

• 0x49b5c8 InflateRect

• 0x49b5cc GetWindowThreadProcessId

• 0x49b5d0 GetWindowTextA

• 0x49b5d4 GetWindowRect

• 0x49b5d8 GetWindowPlacement

• 0x49b5dc GetWindowLongA

• 0x49b5e0 GetWindowDC

• 0x49b5e4 GetTopWindow

• 0x49b5e8 GetSystemMetrics

• 0x49b5ec GetSystemMenu

• 0x49b5f0 GetSysColorBrush

• 0x49b5f4 GetSysColor

• 0x49b5f8 GetSubMenu

• 0x49b5fc GetScrollRange

• 0x49b600 GetScrollPos

• 0x49b604 GetScrollInfo

• 0x49b608 GetPropA

• 0x49b60c GetParent

• 0x49b610 GetWindow

• 0x49b614 GetMessageTime

• 0x49b618 GetMenuStringA

• 0x49b61c GetMenuState

• 0x49b620 GetMenuItemInfoA

• 0x49b624 GetMenuItemID

• 0x49b628 GetMenuItemCount

• 0x49b62c GetMenu

• 0x49b630 GetLastActivePopup

• 0x49b634 GetKeyboardState

• 0x49b638 GetKeyboardLayoutList

• 0x49b63c GetKeyboardLayout

• 0x49b640 GetKeyState

• 0x49b644 GetKeyNameTextA

• 0x49b648 GetIconInfo

• 0x49b64c GetForegroundWindow

• 0x49b650 GetFocus

• 0x49b654 GetDlgItem

• 0x49b658 GetDesktopWindow

• 0x49b65c GetDCEx

• 0x49b660 GetDC

• 0x49b664 GetCursorPos

• 0x49b668 GetCursor

• 0x49b66c GetClipboardData

• 0x49b670 GetClientRect

• 0x49b674 GetClassNameA

• 0x49b678 GetClassInfoA

• 0x49b67c GetCapture

• 0x49b680 GetActiveWindow

• 0x49b684 FrameRect

• 0x49b688 FindWindowA

• 0x49b68c FillRect

• 0x49b690 EqualRect

• 0x49b694 EnumWindows

• 0x49b698 EnumThreadWindows

• 0x49b69c EndPaint

• 0x49b6a0 EnableWindow

• 0x49b6a4 EnableScrollBar

• 0x49b6a8 EnableMenuItem

• 0x49b6ac DrawTextA

• 0x49b6b0 DrawMenuBar

• 0x49b6b4 DrawIconEx

• 0x49b6b8 DrawIcon

• 0x49b6bc DrawFrameControl

• 0x49b6c0 DrawFocusRect

• 0x49b6c4 DrawEdge

• 0x49b6c8 DispatchMessageA

• 0x49b6cc DestroyWindow

• 0x49b6d0 DestroyMenu

• 0x49b6d4 DestroyIcon

• 0x49b6d8 DestroyCursor

• 0x49b6dc DeleteMenu

• 0x49b6e0 DefWindowProcA

• 0x49b6e4 DefMDIChildProcA

• 0x49b6e8 DefFrameProcA

• 0x49b6ec CreatePopupMenu

• 0x49b6f0 CreateMenu

• 0x49b6f4 CreateIcon

• 0x49b6f8 ClientToScreen

• 0x49b6fc CheckMenuItem

• 0x49b700 CallWindowProcA

• 0x49b704 CallNextHookEx

• 0x49b708 BeginPaint

• 0x49b70c CharNextA

• 0x49b710 CharLowerBuffA

• 0x49b714 CharLowerA

• 0x49b718 CharUpperBuffA

• 0x49b71c CharToOemA

• 0x49b720 AdjustWindowRectEx

• 0x49b724 ActivateKeyboardLayout

Library kernel32.dll:

• 0x49b72c Sleep

Library oleaut32.dll:

• 0x49b734 SafeArrayPtrOfIndex

• 0x49b738 SafeArrayPutElement

• 0x49b73c SafeArrayGetElement

• 0x49b740 SafeArrayUnaccessData

• 0x49b744 SafeArrayAccessData

• 0x49b748 SafeArrayGetUBound

• 0x49b74c SafeArrayGetLBound

• 0x49b750 SafeArrayCreate

• 0x49b754 VariantChangeType

• 0x49b758 VariantCopyInd

• 0x49b75c VariantCopy

• 0x49b760 VariantClear

• 0x49b764 VariantInit

Library ole32.dll:

• 0x49b76c CreateStreamOnHGlobal

• 0x49b770 IsAccelerator

• 0x49b774 OleDraw

• 0x49b778 OleSetMenuDescriptor

• 0x49b77c CoTaskMemFree

• 0x49b780 ProgIDFromCLSID

• 0x49b784 StringFromCLSID

• 0x49b788 CoCreateInstance

• 0x49b78c CoGetClassObject

• 0x49b790 CoUninitialize

• 0x49b794 CoInitialize

• 0x49b798 IsEqualGUID

Library oleaut32.dll:

• 0x49b7a0 CreateErrorInfo

• 0x49b7a4 GetErrorInfo

• 0x49b7a8 SetErrorInfo

• 0x49b7ac GetActiveObject

• 0x49b7b0 SysFreeString

Library comctl32.dll:

• 0x49b7b8 ImageList_SetIconSize

• 0x49b7bc ImageList_GetIconSize

• 0x49b7c0 ImageList_Write

• 0x49b7c4 ImageList_Read

• 0x49b7c8 ImageList_GetDragImage

• 0x49b7cc ImageList_DragShowNolock

• 0x49b7d0 ImageList_SetDragCursorImage

• 0x49b7d4 ImageList_DragMove

• 0x49b7d8 ImageList_DragLeave

• 0x49b7dc ImageList_DragEnter

• 0x49b7e0 ImageList_EndDrag

• 0x49b7e4 ImageList_BeginDrag

• 0x49b7e8 ImageList_Remove

• 0x49b7ec ImageList_DrawEx

• 0x49b7f0 ImageList_Replace

• 0x49b7f4 ImageList_Draw

• 0x49b7f8 ImageList_GetBkColor

• 0x49b7fc ImageList_SetBkColor

• 0x49b800 ImageList_ReplaceIcon

• 0x49b804 ImageList_Add

• 0x49b808 ImageList_GetImageCount

• 0x49b80c ImageList_Destroy

• 0x49b810 ImageList_Create

• 0x49b814 InitCommonControls

Library comdlg32.dll:

• 0x49b81c GetSaveFileNameA

• 0x49b820 GetOpenFileNameA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51379	239.255.255.250	3702
192.168.56.101	55369	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.