SmartHawk

7.0

高危

54 个模型检测该样本为恶意！

重新分析

下载样本

6ed0051747d0d5fbf4273b02e7267a257a82217c4b474117ea853014218b2b18

992749a4c864e4fa32d075c997902e5a.exe

分析耗时

84s

最近分析

文件大小

4.2MB

静态报毒动态报毒 100% 4SOWS3PTGZN @F2@ACEKY1BB A + MAL AI SCORE=81 AIDETECTVM BSCOPE CE@1FHKGA CHINAD CONFIDENCE ELDORADO FLYSTUDIO FUERBOOS GEN1 GENASA GENERICKD GENERICRXKJ HACKTOOL HIGH CONFIDENCE KAZY MALICIOUS PE MALWARE1 OCCAMY PUPSTUDIO SCORE SDBOT STATIC AI TIGGRE TRICKBOT TROJANX UNSAFE VIGUA VIRUT VMPBAD VMPROTBAD VMPROTECT XBM1HBSE1YK ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXKJ-WF!992749A4C864	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Alibaba	VirTool:Win32/VMProtect.2a01dc60	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:TrojanX-gen [Trj]	20201210	21.1.5827.0
Kingsoft		20201211	2017.9.26.565
Tencent		20201211	1.0.0.1

Checks if process is being debugged by a debugger (21 个事件)

Time & API	Arguments	Status	Return	Repeated
1619802977.468499 IsDebuggerPresent		failed	0	0
1619802978.374499 IsDebuggerPresent		failed	0	0
1619802978.530499 IsDebuggerPresent		failed	0	0
1619802978.624499 IsDebuggerPresent		failed	0	0
1619802978.687499 IsDebuggerPresent		failed	0	0
1619802978.687499 IsDebuggerPresent		failed	0	0
1619802978.780499 IsDebuggerPresent		failed	0	0
1619802979.124499 IsDebuggerPresent		failed	0	0
1619802979.437499 IsDebuggerPresent		failed	0	0
1619802981.155499 IsDebuggerPresent		failed	0	0
1619802981.234499 IsDebuggerPresent		failed	0	0
1619802986.984499 IsDebuggerPresent		failed	0	0
1619802987.030499 IsDebuggerPresent		failed	0	0
1619802987.171499 IsDebuggerPresent		failed	0	0
1619802992.671499 IsDebuggerPresent		failed	0	0
1619802998.093499 IsDebuggerPresent		failed	0	0
1619803004.234499 IsDebuggerPresent		failed	0	0
1619803005.171499 IsDebuggerPresent		failed	0	0
1619803006.859499 IsDebuggerPresent		failed	0	0
1619803010.499499 IsDebuggerPresent		failed	0	0
1619803016.374499 IsDebuggerPresent		failed	0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section	.vmp0
section	.vmp1

The file contains an unknown PE resource name possibly indicative of a packer (2 个事件)

resource name	TEXTINCLUDE
resource name	WAVE

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619802977.484499 __exception__	stacktrace: registers.esp: 1636176 registers.edi: 3221244493 registers.eax: 0 registers.ebp: 1638240 registers.edx: 8996659 registers.ebx: 0 registers.esi: 3221243463 registers.ecx: 10724678 exception.instruction_r: cc 9d 9c c7 04 24 b0 3e a0 ed 9c c7 04 24 8c 9f exception.instruction: int3 exception.module: 992749a4c864e4fa32d075c997902e5a.exe exception.exception_code: 0x80000003 exception.offset: 4784185 exception.address: 0x890039	success	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 个事件)

request	GET http://secure.globalsign.com/cacert/root-r3.crt
request	GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Foreign language identified in PE resource (50 out of 57 个事件)

name

TEXTINCLUDE

language

LANG_CHINESE

offset

0x00429dc0

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

offset

0x00429dc0

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

offset

0x00429dc0

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000151

name

WAVE

language

LANG_CHINESE

offset

0x00429f14

filetype

RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00001448

name

RT_CURSOR

language

LANG_CHINESE

offset

0x0042b8e0

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

offset

0x0042b8e0

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

offset

0x0042b8e0

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

offset

0x0042b8e0

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

offset

0x0042b8e0

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

offset

0x0042b8e0

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000134

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

offset

0x0042d1d4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

offset

0x0043195c

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

offset

0x0043195c

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

offset

0x00432ba4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

offset

0x00432ba4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

offset

0x00432ba4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

offset

0x00432ba4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

offset

0x00432ba4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

offset

0x00432ba4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

offset

0x00432ba4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

offset

0x00432ba4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

offset

0x00432ba4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

offset

0x00432ba4

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

offset

0x004335ec

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

offset

0x004335ec

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

offset

0x004335ec

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

offset

0x004335ec

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

offset

0x004335ec

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

offset

0x004335ec

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

offset

0x004335ec

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

offset

0x004335ec

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

offset

0x004335ec

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

offset

0x004335ec

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

offset

0x004335ec

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

offset

0x00433660

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

offset

0x00433660

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x00000022

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\992749a4c864e4fa32d075c997902e5a.exe

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\992749a4c864e4fa32d075c997902e5a.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619802979.390499 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (4 个事件)

entropy

7.2127017888664575

section

{'size_of_data': '0x00242000', 'virtual_address': '0x0014f000', 'entropy': 7.2127017888664575, 'name': '.rdata', 'virtual_size': '0x00241098'}

description

A section with a high entropy has been found

entropy

7.892027884436268

section

{'size_of_data': '0x00058000', 'virtual_address': '0x00434000', 'entropy': 7.892027884436268, 'name': '.vmp0', 'virtual_size': '0x00057454'}

description

A section with a high entropy has been found

entropy

7.19584585546573

section

{'size_of_data': '0x0000e000', 'virtual_address': '0x0048d000', 'entropy': 7.19584585546573, 'name': '.vmp1', 'virtual_size': '0x0000d153'}

description

A section with a high entropy has been found

entropy

0.6355140186915887

description

Overall entropy of this PE file is high

The executable is likely packed with VMProtect (2 个事件)

section	.vmp0				description	Section name indicates VMProtect
section	.vmp1				description	Section name indicates VMProtect

One or more of the buffers contains an embedded PE file (1 个事件)

buffer

Buffer with sha1: c7047cf9ed6e4f43281af522d2c9c79755be4e49

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619802981.952499 RegSetValueExA	key_handle: 0x00000434 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619802981.968499 RegSetValueExA	key_handle: 0x00000434 value: üùò=× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619802981.968499 RegSetValueExA	key_handle: 0x00000434 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619802981.968499 RegSetValueExW	key_handle: 0x00000434 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619802981.968499 RegSetValueExA	key_handle: 0x000004a4 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619802981.968499 RegSetValueExA	key_handle: 0x000004a4 value: üùò=× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619802981.968499 RegSetValueExA	key_handle: 0x000004a4 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619802981.999499 RegSetValueExW	key_handle: 0x00000430 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34048181
FireEye	Generic.mg.992749a4c864e4fa
CAT-QuickHeal	Trojan.Generic
Qihoo-360	Win32/VirTool.VirTool.64c
McAfee	GenericRXKJ-WF!992749A4C864
Cylance	Unsafe
Zillya	Trojan.Generic.Win32.962220
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	VirTool:Win32/VMProtect.2a01dc60
K7GW	Trojan ( 0056341d1 )
K7AntiVirus	Trojan ( 0056341d1 )
Arcabit	Trojan.Generic.D20788B5
BitDefenderTheta	Gen:NN.ZexaF.34670.@F2@aCEKY1bb
Cyren	W32/Agent.EW.gen!Eldorado
Symantec	Packed.Vmpbad!gen1
Avast	Win32:TrojanX-gen [Trj]
ClamAV	Win.Trojan.Kazy-6878
Kaspersky	HEUR:VirTool.Win32.Generic
BitDefender	Trojan.GenericKD.34048181
Paloalto	generic.ml
AegisLab	Hacktool.Win32.Generic.3!c
Rising	Trojan.Fuerboos!8.EFC8 (TFE:2:4sOWS3ptgzN)
Ad-Aware	Trojan.GenericKD.34048181
Sophos	ML/PE-A + Mal/VMProtBad-A
Comodo	Virus.Win32.Virut.CE@1fhkga
F-Secure	Trojan.TR/Crypt.CFI.Gen
DrWeb	BackDoor.IRC.Sdbot.35027
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.rc
SentinelOne	Static AI - Malicious PE
Emsisoft	Trojan.GenericKD.34048181 (B)
APEX	Malicious
Jiangmin	VirTool.Generic.ggy
Avira	TR/Crypt.CFI.Gen
MAX	malware (ai score=81)
Antiy-AVL	Trojan/Win32.Occamy
Microsoft	PUA:Win32/Vigua.A
ZoneAlarm	HEUR:VirTool.Win32.Generic
GData	Win32.Application.PUPStudio.A
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Gen.Generic.C2975773
Acronis	suspicious
VBA32	BScope.Trojan.Tiggre
ALYac	Trojan.GenericKD.34048181
Malwarebytes	PUP.Optional.ChinAd
ESET-NOD32	a variant of Win32/Packed.FlyStudio.AA potentially unwanted
Yandex	Trojan.GenAsa!xBM1HbSe1Yk
Ikarus	Trojan.Win32.Agent

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-01-13 17:59:14

Imports

Library MSVFW32.dll:

• 0x897178 DrawDibDraw

Library AVIFIL32.dll:

• 0x897180 AVIStreamGetFrame

• 0x897184 AVIStreamInfoA

Library iphlpapi.dll:

• 0x89718c GetAdaptersInfo

Library WINMM.dll:

• 0x897194 midiStreamRestart

• 0x897198 midiStreamClose

• 0x89719c midiOutReset

• 0x8971a0 midiStreamStop

• 0x8971a4 midiStreamOut

• 0x8971a8 midiOutPrepareHeader

• 0x8971ac midiStreamProperty

• 0x8971b0 midiStreamOpen

• 0x8971b4 midiOutUnprepareHeader

• 0x8971b8 waveOutOpen

• 0x8971bc waveOutGetNumDevs

• 0x8971c0 waveOutClose

• 0x8971c4 waveOutReset

• 0x8971c8 waveOutPause

• 0x8971cc waveOutWrite

• 0x8971d0 waveOutPrepareHeader

• 0x8971d4 waveOutUnprepareHeader

• 0x8971d8 PlaySoundA

• 0x8971dc waveOutRestart

Library WS2_32.dll:

• 0x8971e4 recvfrom

• 0x8971e8 ioctlsocket

• 0x8971ec getpeername

• 0x8971f0 accept

• 0x8971f4 ntohl

• 0x8971f8 closesocket

• 0x8971fc send

• 0x897200 select

• 0x897204 WSACleanup

• 0x897208 WSAStartup

• 0x89720c gethostbyname

• 0x897210 inet_ntoa

• 0x897214 recv

• 0x897218 WSAAsyncSelect

Library RASAPI32.dll:

• 0x897220 RasHangUpA

• 0x897224 RasGetConnectStatusA

Library KERNEL32.dll:

• 0x89722c GetCurrentProcess

• 0x897230 SystemTimeToFileTime

• 0x897234 GetLocalTime

• 0x897238 DosDateTimeToFileTime

• 0x89723c SetFileTime

• 0x897240 TerminateProcess

• 0x897244 DuplicateHandle

• 0x897248 GetWindowsDirectoryA

• 0x89724c LoadLibraryExA

• 0x897250 GetSystemDirectoryA

• 0x897254 MultiByteToWideChar

• 0x897258 SetLastError

• 0x89725c QueryPerformanceFrequency

• 0x897260 QueryPerformanceCounter

• 0x897264 GetTimeZoneInformation

• 0x897268 GetVersion

• 0x89726c TerminateThread

• 0x897270 WideCharToMultiByte

• 0x897274 Beep

• 0x897278 InterlockedDecrement

• 0x89727c InterlockedIncrement

• 0x897280 CreateMutexA

• 0x897284 ReleaseMutex

• 0x897288 SuspendThread

• 0x89728c LocalFree

• 0x897290 FlushFileBuffers

• 0x897294 LockFile

• 0x897298 UnlockFile

• 0x89729c SetEndOfFile

• 0x8972a0 GlobalDeleteAtom

• 0x8972a4 GlobalFindAtomA

• 0x8972a8 GlobalAddAtomA

• 0x8972ac GlobalGetAtomNameA

• 0x8972b0 LocalAlloc

• 0x8972b4 TlsAlloc

• 0x8972b8 GlobalHandle

• 0x8972bc TlsFree

• 0x8972c0 TlsSetValue

• 0x8972c4 LocalReAlloc

• 0x8972c8 TlsGetValue

• 0x8972cc GetFileTime

• 0x8972d0 GetCurrentThread

• 0x8972d4 GlobalFlags

• 0x8972d8 SetErrorMode

• 0x8972dc GetProcessVersion

• 0x8972e0 GetCPInfo

• 0x8972e4 GetOEMCP

• 0x8972e8 GetStartupInfoA

• 0x8972ec RtlUnwind

• 0x8972f0 GetSystemTime

• 0x8972f4 RaiseException

• 0x8972f8 HeapSize

• 0x8972fc GetACP

• 0x897300 SetStdHandle

• 0x897304 UnhandledExceptionFilter

• 0x897308 FreeEnvironmentStringsA

• 0x89730c FreeEnvironmentStringsW

• 0x897310 GetEnvironmentStrings

• 0x897314 GetEnvironmentStringsW

• 0x897318 SetHandleCount

• 0x89731c GetStdHandle

• 0x897320 GetEnvironmentVariableA

• 0x897324 HeapDestroy

• 0x897328 HeapCreate

• 0x89732c VirtualFree

• 0x897330 SetEnvironmentVariableA

• 0x897334 LCMapStringA

• 0x897338 LCMapStringW

• 0x89733c VirtualAlloc

• 0x897340 IsBadWritePtr

• 0x897344 SetUnhandledExceptionFilter

• 0x897348 GetStringTypeA

• 0x89734c GetStringTypeW

• 0x897350 CompareStringA

• 0x897354 CompareStringW

• 0x897358 IsBadReadPtr

• 0x89735c IsBadCodePtr

• 0x897360 GetSystemInfo

• 0x897364 IsProcessorFeaturePresent

• 0x897368 GetFileType

• 0x89736c GetFileSize

• 0x897370 SetFilePointer

• 0x897374 FileTimeToLocalFileTime

• 0x897378 FileTimeToSystemTime

• 0x89737c lstrcpynA

• 0x897380 lstrcmpiA

• 0x897384 lstrcmpA

• 0x897388 IsDBCSLeadByte

• 0x89738c CreateSemaphoreA

• 0x897390 ResumeThread

• 0x897394 ReleaseSemaphore

• 0x897398 EnterCriticalSection

• 0x89739c LeaveCriticalSection

• 0x8973a0 GetProfileStringA

• 0x8973a4 WriteFile

• 0x8973a8 WaitForMultipleObjects

• 0x8973ac CreateFileA

• 0x8973b0 DeviceIoControl

• 0x8973b4 SetEvent

• 0x8973b8 FindResourceA

• 0x8973bc LoadResource

• 0x8973c0 LockResource

• 0x8973c4 ReadFile

• 0x8973c8 lstrlenW

• 0x8973cc RemoveDirectoryA

• 0x8973d0 GetModuleFileNameA

• 0x8973d4 GetCurrentThreadId

• 0x8973d8 ExitProcess

• 0x8973dc GlobalSize

• 0x8973e0 GlobalFree

• 0x8973e4 DeleteCriticalSection

• 0x8973e8 InitializeCriticalSection

• 0x8973ec lstrcatA

• 0x8973f0 lstrlenA

• 0x8973f4 WinExec

• 0x8973f8 lstrcpyA

• 0x8973fc FindNextFileA

• 0x897400 GlobalReAlloc

• 0x897404 HeapFree

• 0x897408 HeapReAlloc

• 0x89740c GetProcessHeap

• 0x897410 HeapAlloc

• 0x897414 GetUserDefaultLCID

• 0x897418 GetFullPathNameA

• 0x89741c FreeLibrary

• 0x897420 LoadLibraryA

• 0x897424 GetLastError

• 0x897428 GetVersionExA

• 0x89742c WritePrivateProfileStringA

• 0x897430 GetPrivateProfileStringA

• 0x897434 CreateThread

• 0x897438 CreateEventA

• 0x89743c Sleep

• 0x897440 GlobalAlloc

• 0x897444 GlobalLock

• 0x897448 GlobalUnlock

• 0x89744c GetTempPathA

• 0x897450 FindFirstFileA

• 0x897454 FindClose

• 0x897458 SetFileAttributesA

• 0x89745c GetFileAttributesA

• 0x897460 MoveFileA

• 0x897464 DeleteFileA

• 0x897468 CreateDirectoryA

• 0x89746c GetCurrentDirectoryA

• 0x897470 SetCurrentDirectoryA

• 0x897474 GetVolumeInformationA

• 0x897478 GetModuleHandleA

• 0x89747c GetProcAddress

• 0x897480 MulDiv

• 0x897484 GetCommandLineA

• 0x897488 GetTickCount

• 0x89748c CreateProcessA

• 0x897490 WaitForSingleObject

• 0x897494 CloseHandle

• 0x897498 InterlockedExchange

Library USER32.dll:

• 0x8974a0 GetSysColorBrush

• 0x8974a4 CreateWindowExA

• 0x8974a8 GetClassLongA

• 0x8974ac SetPropA

• 0x8974b0 GetPropA

• 0x8974b4 CallWindowProcA

• 0x8974b8 RemovePropA

• 0x8974bc GetMessageTime

• 0x8974c0 GetLastActivePopup

• 0x8974c4 RegisterWindowMessageA

• 0x8974c8 GetWindowPlacement

• 0x8974cc EndDialog

• 0x8974d0 CreateDialogIndirectParamA

• 0x8974d4 DestroyWindow

• 0x8974d8 GrayStringA

• 0x8974dc DrawTextA

• 0x8974e0 TabbedTextOutA

• 0x8974e4 EndPaint

• 0x8974e8 BeginPaint

• 0x8974ec GetWindowDC

• 0x8974f0 GetWindowTextLengthA

• 0x8974f4 CreateIconIndirect

• 0x8974f8 GetIconInfo

• 0x8974fc CopyIcon

• 0x897500 LoadStringA

• 0x897504 UnhookWindowsHookEx

• 0x897508 SetWindowsHookExA

• 0x89750c CallNextHookEx

• 0x897510 GetMenuItemCount

• 0x897514 GetMenuItemID

• 0x897518 GetMenuState

• 0x89751c GetForegroundWindow

• 0x897520 SetWindowTextA

• 0x897524 GetWindowTextA

• 0x897528 FindWindowExA

• 0x89752c GetDlgItem

• 0x897530 GetDesktopWindow

• 0x897534 CharUpperA

• 0x897538 DrawStateA

• 0x89753c FrameRect

• 0x897540 GetNextDlgTabItem

• 0x897544 LoadIconA

• 0x897548 TranslateMessage

• 0x89754c DrawFrameControl

• 0x897550 DrawEdge

• 0x897554 DrawFocusRect

• 0x897558 WindowFromPoint

• 0x89755c DispatchMessageA

• 0x897560 SetRectEmpty

• 0x897564 RegisterClipboardFormatA

• 0x897568 CreateIconFromResourceEx

• 0x89756c CreateIconFromResource

• 0x897570 DrawIconEx

• 0x897574 CreatePopupMenu

• 0x897578 AppendMenuA

• 0x89757c ModifyMenuA

• 0x897580 CreateMenu

• 0x897584 CreateAcceleratorTableA

• 0x897588 GetDlgCtrlID

• 0x89758c GetSubMenu

• 0x897590 EnableMenuItem

• 0x897594 MoveWindow

• 0x897598 EnumDisplaySettingsA

• 0x89759c LoadImageA

• 0x8975a0 SystemParametersInfoA

• 0x8975a4 ShowWindow

• 0x8975a8 IsWindowEnabled

• 0x8975ac TranslateAcceleratorA

• 0x8975b0 GetKeyState

• 0x8975b4 CopyAcceleratorTableA

• 0x8975b8 PostQuitMessage

• 0x8975bc IsZoomed

• 0x8975c0 GetClassInfoA

• 0x8975c4 DefWindowProcA

• 0x8975c8 GetSystemMenu

• 0x8975cc DeleteMenu

• 0x8975d0 GetMenu

• 0x8975d4 SetMenu

• 0x8975d8 PeekMessageA

• 0x8975dc IsIconic

• 0x8975e0 SetFocus

• 0x8975e4 GetActiveWindow

• 0x8975e8 GetWindow

• 0x8975ec DestroyAcceleratorTable

• 0x8975f0 SetWindowRgn

• 0x8975f4 GetMessagePos

• 0x8975f8 ScreenToClient

• 0x8975fc ChildWindowFromPointEx

• 0x897600 CopyRect

• 0x897604 LoadBitmapA

• 0x897608 WinHelpA

• 0x89760c KillTimer

• 0x897610 SetTimer

• 0x897614 ReleaseCapture

• 0x897618 GetCapture

• 0x89761c SetCapture

• 0x897620 GetScrollRange

• 0x897624 SetScrollRange

• 0x897628 SetScrollPos

• 0x89762c SetRect

• 0x897630 InflateRect

• 0x897634 IntersectRect

• 0x897638 DestroyIcon

• 0x89763c PtInRect

• 0x897640 OffsetRect

• 0x897644 IsWindowVisible

• 0x897648 EnableWindow

• 0x89764c RedrawWindow

• 0x897650 GetWindowLongA

• 0x897654 SetWindowLongA

• 0x897658 GetSysColor

• 0x89765c SetActiveWindow

• 0x897660 SetCursorPos

• 0x897664 LoadCursorA

• 0x897668 SetCursor

• 0x89766c GetDC

• 0x897670 FillRect

• 0x897674 IsRectEmpty

• 0x897678 ReleaseDC

• 0x89767c IsChild

• 0x897680 UnregisterClassA

• 0x897684 GetMenuCheckMarkDimensions

• 0x897688 SetMenuItemBitmaps

• 0x89768c GetMessageA

• 0x897690 CheckMenuItem

• 0x897694 IsDialogMessageA

• 0x897698 ScrollWindowEx

• 0x89769c SendDlgItemMessageA

• 0x8976a0 GetClassNameA

• 0x8976a4 MapWindowPoints

• 0x8976a8 AdjustWindowRectEx

• 0x8976ac DestroyMenu

• 0x8976b0 SetForegroundWindow

• 0x8976b4 GetWindowRect

• 0x8976b8 EqualRect

• 0x8976bc UpdateWindow

• 0x8976c0 ValidateRect

• 0x8976c4 InvalidateRect

• 0x8976c8 GetClientRect

• 0x8976cc GetFocus

• 0x8976d0 GetParent

• 0x8976d4 GetTopWindow

• 0x8976d8 PostMessageA

• 0x8976dc IsWindow

• 0x8976e0 SetParent

• 0x8976e4 DestroyCursor

• 0x8976e8 SendMessageA

• 0x8976ec SetWindowPos

• 0x8976f0 MessageBoxA

• 0x8976f4 GetCursorPos

• 0x8976f8 GetSystemMetrics

• 0x8976fc EmptyClipboard

• 0x897700 SetClipboardData

• 0x897704 OpenClipboard

• 0x897708 GetClipboardData

• 0x89770c CloseClipboard

• 0x897710 wsprintfA

• 0x897714 WaitForInputIdle

• 0x897718 GetScrollPos

• 0x89771c ClientToScreen

• 0x897720 RegisterClassA

Library GDI32.dll:

• 0x897728 CreateRectRgn

• 0x89772c CombineRgn

• 0x897730 PatBlt

• 0x897734 CreatePen

• 0x897738 SelectObject

• 0x89773c CreatePatternBrush

• 0x897740 CreateBitmap

• 0x897744 CreateDCA

• 0x897748 CreateCompatibleBitmap

• 0x89774c GetPolyFillMode

• 0x897750 GetStretchBltMode

• 0x897754 GetROP2

• 0x897758 GetBkColor

• 0x89775c GetBkMode

• 0x897760 GetTextColor

• 0x897764 CreateRoundRectRgn

• 0x897768 CreateEllipticRgn

• 0x89776c PathToRegion

• 0x897770 EndPath

• 0x897774 BeginPath

• 0x897778 GetWindowOrgEx

• 0x89777c GetViewportOrgEx

• 0x897780 GetWindowExtEx

• 0x897784 GetDIBits

• 0x897788 RealizePalette

• 0x89778c SelectPalette

• 0x897790 StretchBlt

• 0x897794 CreatePalette

• 0x897798 FillRgn

• 0x89779c CreateSolidBrush

• 0x8977a0 SetPixel

• 0x8977a4 CreateDIBSection

• 0x8977a8 CreateRectRgnIndirect

• 0x8977ac SetBkColor

• 0x8977b0 ExtCreateRegion

• 0x8977b4 SetBkMode

• 0x8977b8 SetTextColor

• 0x8977bc SetDIBitsToDevice

• 0x8977c0 CreateFontIndirectA

• 0x8977c4 FrameRgn

• 0x8977c8 OffsetRgn

• 0x8977cc GetTextMetricsA

• 0x8977d0 LineTo

• 0x8977d4 MoveToEx

• 0x8977d8 SaveDC

• 0x8977dc RestoreDC

• 0x8977e0 SetPolyFillMode

• 0x8977e4 SetROP2

• 0x8977e8 SetMapMode

• 0x8977ec SetViewportOrgEx

• 0x8977f0 OffsetViewportOrgEx

• 0x8977f4 SetViewportExtEx

• 0x8977f8 ScaleViewportExtEx

• 0x8977fc SetWindowOrgEx

• 0x897800 SetWindowExtEx

• 0x897804 ScaleWindowExtEx

• 0x897808 GetClipBox

• 0x89780c ExcludeClipRect

• 0x897810 ExtSelectClipRgn

• 0x897814 GetViewportExtEx

• 0x897818 PtVisible

• 0x89781c RectVisible

• 0x897820 ExtTextOutA

• 0x897824 Escape

• 0x897828 Ellipse

• 0x89782c Rectangle

• 0x897830 LPtoDP

• 0x897834 DPtoLP

• 0x897838 GetCurrentObject

• 0x89783c RoundRect

• 0x897840 SetStretchBltMode

• 0x897844 GetClipRgn

• 0x897848 CreatePolygonRgn

• 0x89784c SelectClipRgn

• 0x897850 DeleteObject

• 0x897854 CreateDIBitmap

• 0x897858 GetStockObject

• 0x89785c GetObjectA

• 0x897860 EndPage

• 0x897864 EndDoc

• 0x897868 DeleteDC

• 0x89786c StartDocA

• 0x897870 StartPage

• 0x897874 BitBlt

• 0x897878 GetPixel

• 0x89787c CreateCompatibleDC

• 0x897880 GetTextExtentPoint32A

• 0x897884 TextOutA

• 0x897888 GetDeviceCaps

• 0x89788c GetSystemPaletteEntries

Library WINSPOOL.DRV:

• 0x897894 DocumentPropertiesA

• 0x897898 OpenPrinterA

• 0x89789c ClosePrinter

Library comdlg32.dll:

• 0x8978a4 GetFileTitleA

• 0x8978a8 GetSaveFileNameA

• 0x8978ac ChooseColorA

• 0x8978b0 GetOpenFileNameA

Library ADVAPI32.dll:

• 0x8978b8 RegCreateKeyExA

• 0x8978bc RegOpenKeyA

• 0x8978c0 RegQueryValueA

• 0x8978c4 RegSetValueExA

• 0x8978c8 RegOpenKeyExA

• 0x8978cc RegQueryValueExA

• 0x8978d0 RegCloseKey

Library SHELL32.dll:

• 0x8978d8 ShellExecuteA

• 0x8978dc SHGetSpecialFolderPathA

• 0x8978e0 Shell_NotifyIconA

Library ole32.dll:

• 0x8978e8 CLSIDFromProgID

• 0x8978ec OleInitialize

• 0x8978f0 OleUninitialize

• 0x8978f4 CLSIDFromString

• 0x8978f8 CreateStreamOnHGlobal

• 0x8978fc CoCreateInstance

• 0x897900 OleRun

Library OLEAUT32.dll:

• 0x897908 VariantInit

• 0x89790c SysAllocString

• 0x897910 SafeArrayDestroy

• 0x897914 SafeArrayCreate

• 0x897918 SafeArrayPutElement

• 0x89791c RegisterTypeLib

• 0x897920 LHashValOfNameSys

• 0x897924 LoadTypeLib

• 0x897928 OleCreatePictureIndirect

• 0x89792c UnRegisterTypeLib

• 0x897930 VariantCopyInd

• 0x897934 SafeArrayGetElement

• 0x897938 SafeArrayAccessData

• 0x89793c SafeArrayUnaccessData

• 0x897940 SafeArrayGetDim

• 0x897944 SafeArrayGetLBound

• 0x897948 SafeArrayGetUBound

• 0x89794c VariantChangeType

• 0x897950 VariantClear

• 0x897954 VariantCopy

Library COMCTL32.dll:

• 0x89795c ImageList_GetImageCount

• 0x897960 ImageList_GetImageInfo

• 0x897964 _TrackMouseEvent

• 0x897968

• 0x89796c ImageList_Destroy

• 0x897970 ImageList_Read

• 0x897974 ImageList_GetIcon

• 0x897978 ImageList_Duplicate

Library WININET.dll:

• 0x897980 InternetCrackUrlA

• 0x897984 HttpOpenRequestA

• 0x897988 HttpSendRequestA

• 0x89798c HttpQueryInfoA

• 0x897990 InternetReadFile

• 0x897994 InternetCanonicalizeUrlA

• 0x897998 InternetConnectA

• 0x89799c InternetSetOptionA

• 0x8979a0 InternetOpenA

• 0x8979a4 InternetCloseHandle

Library KERNEL32.dll:

• 0x8979ac GetModuleHandleA

• 0x8979b0 LoadLibraryA

• 0x8979b4 LocalAlloc

• 0x8979b8 LocalFree

• 0x8979bc GetModuleFileNameA

• 0x8979c0 ExitProcess

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
w.eydata.net	CNAME e56128a093377e88.waf-jiasu.yhui-cloud.com A 45.248.9.53 CNAME cc7f3fa9bc6c480e.waf-jiasu.yhui-cloud.com	45.248.9.53
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
www.download.windowsupdate.com	A 124.225.105.97 CNAME 2-01-3cf7-0009.cdx.cedexis.net CNAME www.download.windowsupdate.com.cdn.dnsv1.com CNAME windowsupdate.sched.s11.tdnsv5.com CNAME 3573033.pack.cdntip.com CNAME wu-fg-shim.trafficmanager.net	121.32.228.35
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
secure.globalsign.com	A 124.225.167.209 CNAME global.prd.cdn.globalsign.com CNAME globalsign.com.w.kunlunar.com	124.225.167.209
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49178	124.225.105.97 www.download.windowsupdate.com	80
192.168.56.101	49177	124.225.167.209 secure.globalsign.com	80
192.168.56.101	49175	45.248.9.53 w.eydata.net	443
192.168.56.101	49179	45.248.9.53 w.eydata.net	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	54260	114.114.114.114	53
192.168.56.101	57236	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62144	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	50849	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	53500	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 900 Connection: Keep-Alive Accept: / If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT If-None-Match: "0d8f4f3f6fd71:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 3600 Connection: Keep-Alive Accept: / If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT If-None-Match: "0d8f4f3f6fd71:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com
http://secure.globalsign.com/cacert/root-r3.crt	GET /cacert/root-r3.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: secure.globalsign.com

URI

Data

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://secure.globalsign.com/cacert/root-r3.crt

GET /cacert/root-r3.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: secure.globalsign.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.