SmartHawk

2.2

中危

该样本未表现出任何异常！

重新分析

下载样本

6b26f36281fdf1684a732e2dbe756316fa9b3c180bd72c8cac1a242f585c12f8

8d6d1654d80f634286e5b5079dc9e546.exe

分析耗时

27s

最近分析

文件大小

979.0KB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

未检测暂无反病毒引擎检测结果

Command line console output was observed (50 out of 1165 个事件)

Time & API	Arguments	Status	Return
1620976825.78702 WriteConsoleW	buffer: P console_handle: 0x000000000000000f	success	1
1620976825.78702 WriteConsoleW	buffer: r console_handle: 0x000000000000000f	success	1
1620976825.78702 WriteConsoleW	buffer: i console_handle: 0x000000000000000f	success	1
1620976825.78702 WriteConsoleW	buffer: v console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: i console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: l console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: e console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: g console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: e console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: O console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: K console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: U console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: s console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: i console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: n console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: g console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: m console_handle: 0x000000000000000f	success	1
1620976825.80302 WriteConsoleW	buffer: z console_handle: 0x000000000000000f	success	1
1620976825.81802 WriteConsoleW	buffer: l console_handle: 0x000000000000000f	success	1
1620976825.81802 WriteConsoleW	buffer: o console_handle: 0x000000000000000f	success	1
1620976825.81802 WriteConsoleW	buffer: g console_handle: 0x000000000000000f	success	1
1620976825.81802 WriteConsoleW	buffer: f console_handle: 0x000000000000000f	success	1
1620976825.83402 WriteConsoleW	buffer: o console_handle: 0x000000000000000f	success	1
1620976825.83402 WriteConsoleW	buffer: r console_handle: 0x000000000000000f	success	1
1620976825.83402 WriteConsoleW	buffer: l console_handle: 0x000000000000000f	success	1
1620976825.84902 WriteConsoleW	buffer: o console_handle: 0x000000000000000f	success	1
1620976825.84902 WriteConsoleW	buffer: g console_handle: 0x000000000000000f	success	1
1620976825.84902 WriteConsoleW	buffer: f console_handle: 0x000000000000000f	success	1
1620976825.84902 WriteConsoleW	buffer: i console_handle: 0x000000000000000f	success	1
1620976825.86502 WriteConsoleW	buffer: l console_handle: 0x000000000000000f	success	1
1620976825.86502 WriteConsoleW	buffer: e console_handle: 0x000000000000000f	success	1
1620976825.86502 WriteConsoleW	buffer: O console_handle: 0x000000000000000f	success	1
1620976825.86502 WriteConsoleW	buffer: K console_handle: 0x000000000000000f	success	1
1620976826.25602 WriteConsoleW	buffer: A console_handle: 0x000000000000000f	success	1
1620976826.25602 WriteConsoleW	buffer: u console_handle: 0x000000000000000f	success	1
1620976826.25602 WriteConsoleW	buffer: t console_handle: 0x000000000000000f	success	1
1620976826.27102 WriteConsoleW	buffer: h console_handle: 0x000000000000000f	success	1
1620976826.27102 WriteConsoleW	buffer: e console_handle: 0x000000000000000f	success	1
1620976826.27102 WriteConsoleW	buffer: n console_handle: 0x000000000000000f	success	1
1620976826.27102 WriteConsoleW	buffer: t console_handle: 0x000000000000000f	success	1
1620976826.27102 WriteConsoleW	buffer: i console_handle: 0x000000000000000f	success	1
1620976826.28702 WriteConsoleW	buffer: c console_handle: 0x000000000000000f	success	1
1620976826.28702 WriteConsoleW	buffer: a console_handle: 0x000000000000000f	success	1
1620976826.30302 WriteConsoleW	buffer: t console_handle: 0x000000000000000f	success	1
1620976826.30302 WriteConsoleW	buffer: i console_handle: 0x000000000000000f	success	1
1620976826.30302 WriteConsoleW	buffer: o console_handle: 0x000000000000000f	success	1
1620976826.30302 WriteConsoleW	buffer: n console_handle: 0x000000000000000f	success	1
1620976826.30302 WriteConsoleW	buffer: I console_handle: 0x000000000000000f	success	1
1620976826.30302 WriteConsoleW	buffer: d console_handle: 0x000000000000000f	success	1
1620976826.33402 WriteConsoleW	buffer: e console_handle: 0x000000000000000f	success	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620976825.61502 GlobalMemoryStatusEx		success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Locates and dumps memory from the lsass.exe process indicative of credential dumping (50 out of 529 个事件)

Time & API	Arguments	Status	Return
1620976825.95902 NtOpenProcess	desired_access: 0x00001010 () process_identifier: 536 process_handle: 0x000000000000014c	success	0
1620976825.95902 ReadProcessMemory	buffer: ÿÿÿÿÿÿÿÿ¹ÿ@&Èw base_address: 0x000007fffffd9000 process_handle: 0x000000000000014c	success	1
1620976825.97402 ReadProcessMemory	buffer: X0%1à@9@%1ð@9@&1A9 base_address: 0x0000000077c82640 process_handle: 0x000000000000014c	success	1
1620976825.97402 ReadProcessMemory	buffer: &1P&Èw0&1`&Èw¹ÿP¹ÿÀ:<¤#1Ì#1 base_address: 0x0000000000312530 process_handle: 0x000000000000014c	success	1
1620976825.97402 ReadProcessMemory	buffer: lsass.exe base_address: 0x00000000003123cc process_handle: 0x000000000000014c	success	1
1620976825.97402 ReadProcessMemory	buffer: MZÿÿ¸@ð base_address: 0x00000000ffb90000 process_handle: 0x000000000000014c	success	1
1620976825.97402 ReadProcessMemory	buffer: PEdUÁ[Jð" base_address: 0x00000000ffb900f0 process_handle: 0x000000000000014c	success	1
1620976825.97402 ReadProcessMemory	buffer: PEdUÁ[Jð" (RP¹ÿÀÜQ@Àjklj@ ä°Ô`68èl@X base_address: 0x00000000ffb900f0 process_handle: 0x000000000000014c	success	1
1620976825.97402 ReadProcessMemory	buffer: )10%1°)1@%10+1p&Èwµw:< $1øSÆw base_address: 0x0000000000312620 process_handle: 0x000000000000014c	success	1
1620976825.97402 ReadProcessMemory	buffer: ntdll.dll base_address: 0x0000000077c653f8 process_handle: 0x000000000000014c	success	1
1620976825.97402 ReadProcessMemory	buffer: MZÿÿ¸@à base_address: 0x0000000077b50000 process_handle: 0x000000000000014c	success	1
1620976825.97402 ReadProcessMemory	buffer: PEdùÈçLð" base_address: 0x0000000077b500e0 process_handle: 0x000000000000014c	success	1
1620976825.97402 ReadProcessMemory	buffer: PEdùÈçLð" D µwêU@pb\|ñØ`à$/*`Cà8 base_address: 0x0000000077b500e0 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: +1 &1 +10&1810+1£w ^¤wð@BP)1x)1 base_address: 0x00000000003129a0 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: kernel32.dll base_address: 0x0000000000312978 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: MZÿÿ¸@è base_address: 0x0000000077a30000 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: PEdÇçLð" base_address: 0x0000000077a300e8 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: PEdÇçLð" ¬ ^£wðCz@< @«Üô`(À p¸z\º 8àÀ base_address: 0x0000000077a300e8 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: ð71 )181°)1À)1@&1Åýþà0Åýþ°DFÀ1è1 base_address: 0x0000000000312b10 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: KERNELBASE.dll base_address: 0x0000000000312ae8 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: MZÿÿ¸@ð base_address: 0x000007fefdc50000 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: PEdÇçLð" base_address: 0x000007fefdc500f0 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: PEdÇçLð" Úà0Åýþ°@Ø¬QN¤S(0 @b 8\8è Ø base_address: 0x000007fefdc500f0 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: :1+10:1 +1@:1À)1Þþþ %Þþþð <> 71È71 base_address: 0x00000000003137f0 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: msvcrt.dll base_address: 0x00000000003137c8 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: MZÿÿ¸@è base_address: 0x000007fefede0000 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: PEd¾ß[Jð" base_address: 0x000007fefede00e8 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: PEd¾ß[Jð" , %Þþþð 2F @Ô³ñjD¯ÌÐ ðp \à ¼¸8àÈ base_address: 0x000007fefede00e8 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: 0?1ð71@?181P?181ðýþPíôýþÐ<>þÐ91ø91 base_address: 0x0000000000313a20 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: RPCRT4.dll base_address: 0x00000000003139f8 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: MZÿÿ¸@ð base_address: 0x000007fefdf00000 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: PEdnÉçLð" base_address: 0x000007fefdf000f0 process_handle: 0x000000000000014c	success	1
1620976825.99002 ReadProcessMemory	buffer: PEdnÉçLð" PíðýþÐO÷@®E¦ÌpP<HV° 88Ü0Ð À base_address: 0x000007fefdf000f0 process_handle: 0x000000000000014c	success	1
1620976826.00602 ReadProcessMemory	buffer: 3 :130:13@:1ýþýþ°>@þà>1?1 base_address: 0x0000000000313f30 process_handle: 0x000000000000014c	success	1
1620976826.00602 ReadProcessMemory	buffer: SspiSrv.dll base_address: 0x0000000000313f08 process_handle: 0x000000000000014c	success	1
1620976826.00602 ReadProcessMemory	buffer: MZÿÿ¸@ð base_address: 0x000007fefd8d0000 process_handle: 0x000000000000014c	success	1
1620976826.00602 ReadProcessMemory	buffer: PEdðÉçLð" base_address: 0x000007fefd8d00f0 process_handle: 0x000000000000014c	success	1
1620976826.00602 ReadProcessMemory	buffer: PEdðÉçLð" Lýþ°.@ÈYp8Z´´ /8è40H base_address: 0x000007fefd8d00f0 process_handle: 0x000000000000014c	success	1
1620976826.00602 ReadProcessMemory	buffer: ð30?13@?1À3 ¾3sýþäHsýþp<>ÿ°3Ø3 base_address: 0x0000000000339900 process_handle: 0x000000000000014c	success	1
1620976826.00602 ReadProcessMemory	buffer: lsasrv.dll base_address: 0x00000000003398d8 process_handle: 0x000000000000014c	success	1
1620976826.00602 ReadProcessMemory	buffer: MZÿÿ¸@è base_address: 0x000007fefd730000 process_handle: 0x000000000000014c	success	1
1620976826.02102 ReadProcessMemory	buffer: PEd)ÇçLð" base_address: 0x000007fefd7300e8 process_handle: 0x000000000000014c	success	1
1620976826.02102 ReadProcessMemory	buffer: PEd)ÇçLð" ZÖäHsýþpTÍ@@¯_Tð¸O0±@à øg8àÜp@ÜDÀ base_address: 0x000007fefd7300e8 process_handle: 0x000000000000014c	success	1
1620976826.02102 ReadProcessMemory	buffer: Ð33à33ð3P?1>ÿþè`>ÿþð>@`33 base_address: 0x00000000003399f0 process_handle: 0x000000000000014c	success	1
1620976826.02102 ReadProcessMemory	buffer: sechost.dll base_address: 0x0000000000339888 process_handle: 0x000000000000014c	success	1
1620976826.02102 ReadProcessMemory	buffer: MZÿÿ¸@è base_address: 0x000007feff3e0000 process_handle: 0x000000000000014c	success	1
1620976826.02102 ReadProcessMemory	buffer: PEd^à[Jð" base_address: 0x000007feff3e00e8 process_handle: 0x000000000000014c	success	1
1620976826.02102 ReadProcessMemory	buffer: PEd^à[Jð" >è`>ÿþð:´@ÀË r@Ð Àhà¤p¸phr@ base_address: 0x000007feff3e00e8 process_handle: 0x000000000000014c	success	1
1620976826.02102 ReadProcessMemory	buffer: à3ð3ð3333ýþXýþP>@þ3¨3 base_address: 0x00000000003396d0 process_handle: 0x000000000000014c	success	1
1620976826.02102 ReadProcessMemory	buffer: SspiCli.dll base_address: 0x00000000003396a8 process_handle: 0x000000000000014c	success	1

Requests access to read memory contents of lsass.exe potentially indicative of credential dumping (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620976825.95902 NtOpenProcess	desired_access: 0x00001010 () process_identifier: 536 process_handle: 0x000000000000014c	success	0	0

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-01-30 16:04:17

Imports

Library ADVAPI32.dll:

• 0x140095000 CryptSetHashParam

• 0x140095008 CryptGetHashParam

• 0x140095010 CryptExportKey

• 0x140095018 CryptAcquireContextW

• 0x140095020 CryptSetKeyParam

• 0x140095028 CryptGetKeyParam

• 0x140095030 CryptReleaseContext

• 0x140095038 CryptDuplicateKey

• 0x140095040 CryptAcquireContextA

• 0x140095048 CryptGetProvParam

• 0x140095050 CryptImportKey

• 0x140095058 SystemFunction007

• 0x140095060 CryptEncrypt

• 0x140095068 CryptCreateHash

• 0x140095070 CryptGenKey

• 0x140095078 CryptDestroyKey

• 0x140095080 CryptDecrypt

• 0x140095088 CryptDestroyHash

• 0x140095090 CryptHashData

• 0x140095098 CopySid

• 0x1400950a0 GetLengthSid

• 0x1400950a8 LsaQueryInformationPolicy

• 0x1400950b0 LsaOpenPolicy

• 0x1400950b8 LsaClose

• 0x1400950c0 CreateWellKnownSid

• 0x1400950c8 CreateProcessWithLogonW

• 0x1400950d0 CreateProcessAsUserW

• 0x1400950d8 RegQueryValueExW

• 0x1400950e0 RegQueryInfoKeyW

• 0x1400950e8 RegEnumValueW

• 0x1400950f0 RegOpenKeyExW

• 0x1400950f8 RegEnumKeyExW

• 0x140095100 RegCloseKey

• 0x140095108 RegSetValueExW

• 0x140095110 SystemFunction032

• 0x140095118 ConvertSidToStringSidW

• 0x140095120 CreateServiceW

• 0x140095128 CloseServiceHandle

• 0x140095130 DeleteService

• 0x140095138 OpenSCManagerW

• 0x140095140 SetServiceObjectSecurity

• 0x140095148 OpenServiceW

• 0x140095150 BuildSecurityDescriptorW

• 0x140095158 QueryServiceObjectSecurity

• 0x140095160 StartServiceW

• 0x140095168 AllocateAndInitializeSid

• 0x140095170 QueryServiceStatusEx

• 0x140095178 FreeSid

• 0x140095180 ControlService

• 0x140095188 IsTextUnicode

• 0x140095190 OpenProcessToken

• 0x140095198 GetTokenInformation

• 0x1400951a0 LookupAccountNameW

• 0x1400951a8 LookupAccountSidW

• 0x1400951b0 DuplicateTokenEx

• 0x1400951b8 CheckTokenMembership

• 0x1400951c0 CryptEnumProvidersW

• 0x1400951c8 ConvertStringSidToSidW

• 0x1400951d0 LsaFreeMemory

• 0x1400951d8 SetThreadToken

• 0x1400951e0 CryptSetProvParam

• 0x1400951e8 CryptEnumProviderTypesW

• 0x1400951f0 SystemFunction006

• 0x1400951f8 CryptGetUserKey

• 0x140095200 OpenEventLogW

• 0x140095208 GetNumberOfEventLogRecords

• 0x140095210 ClearEventLogW

• 0x140095218 SystemFunction001

• 0x140095220 CryptDeriveKey

• 0x140095228 SystemFunction005

• 0x140095230 LsaQueryTrustedDomainInfoByName

• 0x140095238 CryptSignHashW

• 0x140095240 LsaOpenSecret

• 0x140095248 LsaQuerySecret

• 0x140095250 SystemFunction013

• 0x140095258 LsaRetrievePrivateData

• 0x140095260 LsaEnumerateTrustedDomainsEx

• 0x140095268 LookupPrivilegeValueW

• 0x140095270 StartServiceCtrlDispatcherW

• 0x140095278 SetServiceStatus

• 0x140095280 RegisterServiceCtrlHandlerW

• 0x140095288 IsValidSid

• 0x140095290 LookupPrivilegeNameW

• 0x140095298 OpenThreadToken

• 0x1400952a0 CredFree

• 0x1400952a8 CredEnumerateW

• 0x1400952b0 GetSidSubAuthority

• 0x1400952b8 GetSidSubAuthorityCount

• 0x1400952c0 SystemFunction025

• 0x1400952c8 ConvertStringSecurityDescriptorToSecurityDescriptorW

• 0x1400952d0 SystemFunction024

Library Cabinet.dll:

• 0x140095390

• 0x140095398

• 0x1400953a0

• 0x1400953a8

Library CRYPT32.dll:

• 0x1400952e0 CertGetNameStringW

• 0x1400952e8 CryptEncodeObject

• 0x1400952f0 CertEnumSystemStore

• 0x1400952f8 CryptSignAndEncodeCertificate

• 0x140095300 CertEnumCertificatesInStore

• 0x140095308 CertAddEncodedCertificateToStore

• 0x140095310 CertOpenStore

• 0x140095318 CertFreeCertificateContext

• 0x140095320 CertCloseStore

• 0x140095328 CertSetCertificateContextProperty

• 0x140095330 PFXExportCertStoreEx

• 0x140095338 CryptUnprotectData

• 0x140095340 CryptBinaryToStringW

• 0x140095348 CryptStringToBinaryW

• 0x140095350 CryptProtectData

• 0x140095358 CryptExportPublicKeyInfo

• 0x140095360 CryptAcquireCertificatePrivateKey

• 0x140095368 CertNameToStrW

• 0x140095370 CertGetCertificateContextProperty

• 0x140095378 CertAddCertificateContextToStore

• 0x140095380 CertFindCertificateInStore

Library cryptdll.dll:

• 0x140095f40 CDLocateCSystem

• 0x140095f48 MD5Update

• 0x140095f50 MD5Final

• 0x140095f58 CDGenerateRandomBits

• 0x140095f60 CDLocateCheckSum

• 0x140095f68 MD5Init

Library FLTLIB.DLL:

• 0x1400953b8 FilterFindFirst

• 0x1400953c0 FilterFindNext

Library NETAPI32.dll:

• 0x140095968 DsGetDcNameW

• 0x140095970 NetRemoteTOD

• 0x140095978 NetSessionEnum

• 0x140095980 NetServerGetInfo

• 0x140095988 NetWkstaUserEnum

• 0x140095990 NetStatisticsGet

• 0x140095998 NetShareEnum

• 0x1400959a0 NetApiBufferFree

Library ole32.dll:

• 0x1400960e8 CoInitializeEx

• 0x1400960f0 CoUninitialize

• 0x1400960f8 CoCreateInstance

Library OLEAUT32.dll:

• 0x1400959b0 SysFreeString

• 0x1400959b8 VariantInit

• 0x1400959c0 SysAllocString

Library RPCRT4.dll:

• 0x1400959d0 RpcBindingVectorFree

• 0x1400959d8 UuidToStringW

• 0x1400959e0 RpcServerUseProtseqEpW

• 0x1400959e8 NdrServerCall2

• 0x1400959f0 NdrClientCall2

• 0x1400959f8 UuidCreate

• 0x140095a00 RpcEpResolveBinding

• 0x140095a08 RpcMgmtEpEltInqDone

• 0x140095a10 RpcMgmtEpEltInqNextW

• 0x140095a18 RpcMgmtEpEltInqBegin

• 0x140095a20 I_RpcGetCurrentCallHandle

• 0x140095a28 RpcEpUnregister

• 0x140095a30 RpcBindingFromStringBindingW

• 0x140095a38 RpcStringBindingComposeW

• 0x140095a40 MesEncodeIncrementalHandleCreate

• 0x140095a48 RpcBindingSetAuthInfoExW

• 0x140095a50 RpcBindingInqAuthClientW

• 0x140095a58 RpcBindingSetOption

• 0x140095a60 RpcImpersonateClient

• 0x140095a68 RpcBindingFree

• 0x140095a70 RpcStringFreeW

• 0x140095a78 RpcRevertToSelf

• 0x140095a80 MesDecodeIncrementalHandleCreate

• 0x140095a88 MesHandleFree

• 0x140095a90 MesIncrementalHandleReset

• 0x140095a98 NdrMesTypeDecode2

• 0x140095aa0 NdrMesTypeAlignSize2

• 0x140095aa8 NdrMesTypeFree2

• 0x140095ab0 NdrMesTypeEncode2

• 0x140095ab8 RpcServerUnregisterIfEx

• 0x140095ac0 I_RpcBindingInqSecurityContext

• 0x140095ac8 RpcServerInqBindings

• 0x140095ad0 RpcServerListen

• 0x140095ad8 RpcMgmtWaitServerListen

• 0x140095ae0 RpcEpRegisterW

• 0x140095ae8 RpcMgmtStopServerListening

• 0x140095af0 RpcBindingToStringBindingW

• 0x140095af8 RpcServerRegisterIf2

• 0x140095b00 RpcServerRegisterAuthInfoW

Library SHLWAPI.dll:

• 0x140095c00 PathCombineW

• 0x140095c08 PathIsDirectoryW

• 0x140095c10 PathCanonicalizeW

• 0x140095c18 PathIsRelativeW

• 0x140095c20 PathFindFileNameW

Library SAMLIB.dll:

• 0x140095b10 SamGetMembersInGroup

• 0x140095b18 SamGetGroupsForUser

• 0x140095b20 SamOpenUser

• 0x140095b28 SamEnumerateGroupsInDomain

• 0x140095b30 SamiChangePasswordUser

• 0x140095b38 SamSetInformationUser

• 0x140095b40 SamConnect

• 0x140095b48 SamOpenDomain

• 0x140095b50 SamLookupIdsInDomain

• 0x140095b58 SamLookupNamesInDomain

• 0x140095b60 SamLookupDomainInSamServer

• 0x140095b68 SamRidToSid

• 0x140095b70 SamGetMembersInAlias

• 0x140095b78 SamEnumerateAliasesInDomain

• 0x140095b80 SamGetAliasMembership

• 0x140095b88 SamOpenGroup

• 0x140095b90 SamOpenAlias

• 0x140095b98 SamEnumerateUsersInDomain

• 0x140095ba0 SamFreeMemory

• 0x140095ba8 SamEnumerateDomainsInSamServer

• 0x140095bb0 SamCloseHandle

• 0x140095bb8 SamQueryInformationUser

Library Secur32.dll:

• 0x140095c30 LsaCallAuthenticationPackage

• 0x140095c38 DeleteSecurityContext

• 0x140095c40 FreeContextBuffer

• 0x140095c48 LsaLookupAuthenticationPackage

• 0x140095c50 LsaConnectUntrusted

• 0x140095c58 LsaFreeReturnBuffer

• 0x140095c60 FreeCredentialsHandle

• 0x140095c68 EnumerateSecurityPackagesW

• 0x140095c70 InitializeSecurityContextW

• 0x140095c78 QueryContextAttributesW

• 0x140095c80 AcquireCredentialsHandleW

• 0x140095c88 LsaDeregisterLogonProcess

Library SHELL32.dll:

• 0x140095bf0 CommandLineToArgvW

Library USER32.dll:

• 0x140095c98 GetClipboardSequenceNumber

• 0x140095ca0 SetClipboardViewer

• 0x140095ca8 DefWindowProcW

• 0x140095cb0 DispatchMessageW

• 0x140095cb8 GetKeyboardLayout

• 0x140095cc0 IsCharAlphaNumericW

• 0x140095cc8 EnumClipboardFormats

• 0x140095cd0 SendMessageW

• 0x140095cd8 OpenClipboard

• 0x140095ce0 CreateWindowExW

• 0x140095ce8 ChangeClipboardChain

• 0x140095cf0 GetClipboardData

• 0x140095cf8 RegisterClassExW

• 0x140095d00 TranslateMessage

• 0x140095d08 PostMessageW

• 0x140095d10 DestroyWindow

• 0x140095d18 CloseClipboard

• 0x140095d20 GetMessageW

• 0x140095d28 UnregisterClassW

Library USERENV.dll:

• 0x140095d38 DestroyEnvironmentBlock

• 0x140095d40 CreateEnvironmentBlock

Library VERSION.dll:

• 0x140095d50 GetFileVersionInfoW

• 0x140095d58 VerQueryValueW

• 0x140095d60 GetFileVersionInfoSizeW

Library HID.DLL:

• 0x1400953d0 HidD_GetPreparsedData

• 0x1400953d8 HidD_FreePreparsedData

• 0x1400953e0 HidP_GetCaps

• 0x1400953e8 HidD_GetFeature

• 0x1400953f0 HidD_GetAttributes

• 0x1400953f8 HidD_GetHidGuid

• 0x140095400 HidD_SetFeature

Library SETUPAPI.dll:

• 0x140095bc8 SetupDiDestroyDeviceInfoList

• 0x140095bd0 SetupDiGetDeviceInterfaceDetailW

• 0x140095bd8 SetupDiEnumDeviceInterfaces

• 0x140095be0 SetupDiGetClassDevsW

Library WinSCard.dll:

• 0x140095ec0 SCardControl

• 0x140095ec8 SCardConnectW

• 0x140095ed0 SCardTransmit

• 0x140095ed8 SCardDisconnect

• 0x140095ee0 SCardGetAttrib

• 0x140095ee8 SCardEstablishContext

• 0x140095ef0 SCardFreeMemory

• 0x140095ef8 SCardListReadersW

• 0x140095f00 SCardReleaseContext

• 0x140095f08 SCardListCardsW

• 0x140095f10 SCardGetCardTypeProviderNameW

Library WINSTA.dll:

• 0x140095d70 WinStationCloseServer

• 0x140095d78 WinStationEnumerateW

• 0x140095d80 WinStationOpenServerW

• 0x140095d88 WinStationFreeMemory

• 0x140095d90 WinStationConnectW

• 0x140095d98 WinStationQueryInformationW

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50003	239.255.255.250	3702
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.