10.0
0-day

999b005ba933482d16ed50e10a24d19ebfc4252423b701b66712a256c5c5303f

9df9406096ebd563727f7bca2045f243.exe

Analysis duration

72s

Last analyzed

File size

686.5KB
Static detections / Dynamic detections: AGENTTESLA AI SCORE=83 AIDETECTVM AVSARHER BTOMTW CONFIDENCE DELF DELPHILESS ELZG FAREIT FERT0M GENERICKD GHDYU HIGH CONFIDENCE HKZNRU HZDP KTSE LOKIBOT MALWARE1 MALWARE@#31FS1M72GYQYS S + MAL SCORE SIGGEN9 STATIC AI SUSGEN SUSPICIOUS PE TSCOPE UNSAFE USXVPFR WACATAC X2066 YBBR ZUSY
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine results are available for this sample
Static verdict
Antivirus engines
Engine Result Scan date Engine version
Alibaba Trojan:Win32/Obfuscator.b4ba6bac 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Other:Malware-gen [Trj] 20201124 20.10.5736.0
Kingsoft 20201124 2017.9.26.565
McAfee Fareit-FTB!9DF9406096EB 20201120 6.0.6.653
Tencent Msil.Worm.Autorun.Hzdp 20201124 1.0.0.1
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated
1619806129.566126
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 48889664
registers.edi: 0
registers.eax: 0
registers.ebp: 48889736
registers.edx: 8
registers.ebx: 1983206444
registers.esi: 0
registers.ecx: 0
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 c6 6d 00 00 e9
exception.symbol: 9df9406096ebd563727f7bca2045f243+0x5dc11
exception.instruction: div eax
exception.module: 9df9406096ebd563727f7bca2045f243.exe
exception.exception_code: 0xc0000094
exception.offset: 384017
exception.address: 0x45dc11
success 0 0
1619806151.473249
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73afe97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73afea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73afb25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73afb4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73afac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73afaed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73af5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73af559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741b4de3
9df9406096ebd563727f7bca2045f243+0x5aa4d @ 0x45aa4d
9df9406096ebd563727f7bca2045f243+0x53254 @ 0x453254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 240
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 240
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd0c14ad
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (30 events)
Time & API Arguments Status Return Repeated
1619806129.488126
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c0000
success 0 0
1619806129.566126
NtProtectVirtualMemory
process_identifier: 708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045d000
success 0 0
1619806129.566126
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ea0000
success 0 0
1619806130.426249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619806130.457249
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01ee0000
success 0 0
1619806130.457249
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020a0000
success 0 0
1619806130.457249
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00880000
success 0 0
1619806130.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 307200
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00882000
success 0 0
1619806136.941249
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01e20000
success 0 0
1619806136.941249
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e90000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00812000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00812000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00812000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00812000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00812000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00812000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00812000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00812000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00812000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00812000
success 0 0
1619806151.457249
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.vbs
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.6197376444091 section {'size_of_data': '0x0003d000', 'virtual_address': '0x00074000', 'entropy': 7.6197376444091, 'name': '.rsrc', 'virtual_size': '0x0003ceb8'} description A section with a high entropy has been found
entropy 0.3559445660102115 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619806130.191126
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000108
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.vbs
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 events)
Process injection Process 708 created a thread in remote process 1824
Time & API Arguments Status Return Repeated
1619806130.191126
NtQueueApcThread
thread_handle: 0x00000104
process_identifier: 1824
function_address: 0x000b05c0
parameter: 0x000c0000
success 0 0
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619806130.191126
WriteProcessMemory
process_identifier: 1824
buffer: (raw binary buffer, not reproduced here)
process_handle: 0x00000108
base_address: 0x000b0000
success 1 0
1619806130.191126
WriteProcessMemory
process_identifier: 1824
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9df9406096ebd563727f7bca2045f243.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9df9406096ebd563727f7bca2045f243.exe" appseT mHrFJumjWT = creAteobject("wSCrIpt.shElL") mHrfJumjwT.Run """%ls""", 0, False
process_handle: 0x00000108
base_address: 0x000c0000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 708 called NtSetContextThread to modify thread in remote process 2860
Time & API Arguments Status Return Repeated
1619806130.238126
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4911056
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2860
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 708 resumed a thread in remote process 2860
Time & API Arguments Status Return Repeated
1619806130.301126
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2860
success 0 0
Executed a process and injected code into it, probably while unpacking (11 events)
Time & API Arguments Status Return Repeated
1619806130.191126
CreateProcessInternalW
thread_identifier: 1208
thread_handle: 0x00000104
process_identifier: 1824
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
1619806130.191126
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000108
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619806130.191126
NtAllocateVirtualMemory
process_identifier: 1824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000108
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1619806130.191126
WriteProcessMemory
process_identifier: 1824
buffer: (raw binary buffer, not reproduced here)
process_handle: 0x00000108
base_address: 0x000b0000
success 1 0
1619806130.191126
WriteProcessMemory
process_identifier: 1824
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9df9406096ebd563727f7bca2045f243.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9df9406096ebd563727f7bca2045f243.exe" appseT mHrFJumjWT = creAteobject("wSCrIpt.shElL") mHrfJumjwT.Run """%ls""", 0, False
process_handle: 0x00000108
base_address: 0x000c0000
success 1 0
1619806130.223126
CreateProcessInternalW
thread_identifier: 2308
thread_handle: 0x00000110
process_identifier: 2860
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9df9406096ebd563727f7bca2045f243.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619806130.223126
NtUnmapViewOfSection
process_identifier: 2860
region_size: 4096
process_handle: 0x0000010c
base_address: 0x00400000
success 0 0
1619806130.223126
NtMapViewOfSection
section_handle: 0x00000118
process_identifier: 2860
commit_size: 724992
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x0000010c
allocation_type: 0 ()
section_offset: 0
view_size: 724992
base_address: 0x00400000
success 0 0
1619806130.238126
NtGetContextThread
thread_handle: 0x00000110
success 0 0
1619806130.238126
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4911056
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2860
success 0 0
1619806130.301126
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2860
success 0 0
File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 of 60 events shown)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.33982420
FireEye Generic.mg.9df9406096ebd563
CAT-QuickHeal Trojan.Multi
ALYac Trojan.GenericKD.33982420
Cylance Unsafe
Zillya Trojan.Injector.Win32.741478
Sangfor Malware
K7AntiVirus Trojan ( 005680341 )
Alibaba Trojan:Win32/Obfuscator.b4ba6bac
K7GW Trojan ( 005680341 )
Cybereason malicious.f23413
Arcabit Trojan.Generic.D20687D4
Cyren W32/Agent.YBBR-8730
Symantec Infostealer.Lokibot!43
APEX Malicious
Avast Other:Malware-gen [Trj]
Kaspersky HEUR:Trojan.Win32.Crypt.gen
BitDefender Trojan.GenericKD.33982420
NANO-Antivirus Trojan.Win32.Zusy.hkznru
Paloalto generic.ml
AegisLab Trojan.Win32.Malicious.4!c
Rising Trojan.Injector!1.C77F (KTSE)
Ad-Aware Trojan.GenericKD.33982420
Sophos Mal/Generic-S + Mal/Generic-L
Comodo Malware@#31fs1m72gyqys
F-Secure Trojan.TR/Agent.ghdyu
DrWeb Trojan.Siggen9.52416
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.Win32.WACATAC.USXVPFR
McAfee-GW-Edition BehavesLike.Win32.Fareit.jc
Emsisoft Trojan.GenericKD.33982420 (B)
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Crypt.diw
Avira TR/Agent.ghdyu
eGambit Unsafe.AI_Score_99%
Antiy-AVL Trojan/Win32.Crypt
Microsoft Trojan:Win32/Obfuscator.KI!MTB
ZoneAlarm HEUR:Trojan.Win32.Crypt.gen
GData Win32.Trojan-Stealer.AgentTesla.FERT0M
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2066
McAfee Fareit-FTB!9DF9406096EB
MAX malware (ai score=83)
VBA32 TScope.Trojan.Delf
Malwarebytes Spyware.AgentTesla
Zoner Trojan.Win32.94395
ESET-NOD32 MSIL/Autorun.Spy.Agent.DF
TrendMicro-HouseCall Trojan.Win32.WACATAC.USXVPFR
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x468150 VirtualFree
0x468154 VirtualAlloc
0x468158 LocalFree
0x46815c LocalAlloc
0x468160 GetVersion
0x468164 GetCurrentThreadId
0x468170 VirtualQuery
0x468174 WideCharToMultiByte
0x468178 MultiByteToWideChar
0x46817c lstrlenA
0x468180 lstrcpynA
0x468184 LoadLibraryExA
0x468188 GetThreadLocale
0x46818c GetStartupInfoA
0x468190 GetProcAddress
0x468194 GetModuleHandleA
0x468198 GetModuleFileNameA
0x46819c GetLocaleInfoA
0x4681a0 GetCommandLineA
0x4681a4 FreeLibrary
0x4681a8 FindFirstFileA
0x4681ac FindClose
0x4681b0 ExitProcess
0x4681b4 WriteFile
0x4681bc RtlUnwind
0x4681c0 RaiseException
0x4681c4 GetStdHandle
Library user32.dll:
0x4681cc GetKeyboardType
0x4681d0 LoadStringA
0x4681d4 MessageBoxA
0x4681d8 CharNextA
Library advapi32.dll:
0x4681e0 RegQueryValueExA
0x4681e4 RegOpenKeyExA
0x4681e8 RegCloseKey
Library oleaut32.dll:
0x4681f0 SysFreeString
0x4681f4 SysReAllocStringLen
0x4681f8 SysAllocStringLen
Library kernel32.dll:
0x468200 TlsSetValue
0x468204 TlsGetValue
0x468208 LocalAlloc
0x46820c GetModuleHandleA
Library advapi32.dll:
0x468214 RegQueryValueExA
0x468218 RegOpenKeyExA
0x46821c RegCloseKey
Library kernel32.dll:
0x468224 lstrcpyA
0x468228 lstrcmpA
0x46822c WriteFile
0x468234 WaitForSingleObject
0x468238 VirtualQuery
0x46823c VirtualAlloc
0x468240 Sleep
0x468244 SizeofResource
0x468248 SetThreadLocale
0x46824c SetFilePointer
0x468250 SetEvent
0x468254 SetErrorMode
0x468258 SetEndOfFile
0x46825c ResetEvent
0x468260 ReadFile
0x468264 MulDiv
0x468268 LockResource
0x46826c LoadResource
0x468270 LoadLibraryA
0x46827c GlobalUnlock
0x468280 GlobalReAlloc
0x468284 GlobalHandle
0x468288 GlobalLock
0x46828c GlobalFree
0x468290 GlobalFindAtomA
0x468294 GlobalDeleteAtom
0x468298 GlobalAlloc
0x46829c GlobalAddAtomA
0x4682a0 GetVersionExA
0x4682a4 GetVersion
0x4682a8 GetTickCount
0x4682ac GetThreadLocale
0x4682b4 GetSystemTime
0x4682b8 GetSystemInfo
0x4682bc GetStringTypeExA
0x4682c0 GetStdHandle
0x4682c4 GetProcAddress
0x4682c8 GetModuleHandleA
0x4682cc GetModuleFileNameA
0x4682d0 GetLocaleInfoA
0x4682d4 GetLocalTime
0x4682d8 GetLastError
0x4682dc GetFullPathNameA
0x4682e0 GetFileAttributesA
0x4682e4 GetDiskFreeSpaceA
0x4682e8 GetDateFormatA
0x4682ec GetCurrentThreadId
0x4682f0 GetCurrentProcessId
0x4682f4 GetCPInfo
0x4682f8 GetACP
0x4682fc FreeResource
0x468300 InterlockedExchange
0x468304 FreeLibrary
0x468308 FormatMessageA
0x46830c FindResourceA
0x468310 FindFirstFileA
0x468314 FindClose
0x468320 ExitThread
0x468324 EnumCalendarInfoA
0x468330 CreateThread
0x468334 CreateFileA
0x468338 CreateEventA
0x46833c CompareStringA
0x468340 CloseHandle
Library version.dll:
0x468348 VerQueryValueA
0x468350 GetFileVersionInfoA
Library gdi32.dll:
0x468358 UnrealizeObject
0x46835c StretchBlt
0x468360 SetWindowOrgEx
0x468364 SetWinMetaFileBits
0x468368 SetViewportOrgEx
0x46836c SetTextColor
0x468370 SetStretchBltMode
0x468374 SetROP2
0x468378 SetPixel
0x46837c SetEnhMetaFileBits
0x468380 SetDIBColorTable
0x468384 SetBrushOrgEx
0x468388 SetBkMode
0x46838c SetBkColor
0x468390 SelectPalette
0x468394 SelectObject
0x468398 SaveDC
0x46839c RestoreDC
0x4683a0 Rectangle
0x4683a4 RectVisible
0x4683a8 RealizePalette
0x4683ac Polyline
0x4683b0 PlayEnhMetaFile
0x4683b4 PatBlt
0x4683b8 MoveToEx
0x4683bc MaskBlt
0x4683c0 LineTo
0x4683c4 IntersectClipRect
0x4683c8 GetWindowOrgEx
0x4683cc GetWinMetaFileBits
0x4683d0 GetTextMetricsA
0x4683dc GetStockObject
0x4683e0 GetPixel
0x4683e4 GetPaletteEntries
0x4683e8 GetObjectA
0x4683f4 GetEnhMetaFileBits
0x4683f8 GetDeviceCaps
0x4683fc GetDIBits
0x468400 GetDIBColorTable
0x468404 GetDCOrgEx
0x46840c GetClipBox
0x468410 GetBrushOrgEx
0x468414 GetBitmapBits
0x468418 ExcludeClipRect
0x46841c DeleteObject
0x468420 DeleteEnhMetaFile
0x468424 DeleteDC
0x468428 CreateSolidBrush
0x46842c CreatePenIndirect
0x468430 CreatePalette
0x468438 CreateFontIndirectA
0x46843c CreateDIBitmap
0x468440 CreateDIBSection
0x468444 CreateCompatibleDC
0x46844c CreateBrushIndirect
0x468450 CreateBitmap
0x468454 CopyEnhMetaFileA
0x468458 BitBlt
Library user32.dll:
0x468460 CreateWindowExA
0x468464 WindowFromPoint
0x468468 WinHelpA
0x46846c WaitMessage
0x468470 UpdateWindow
0x468474 UnregisterClassA
0x468478 UnhookWindowsHookEx
0x46847c TranslateMessage
0x468484 TrackPopupMenu
0x46848c ShowWindow
0x468490 ShowScrollBar
0x468494 ShowOwnedPopups
0x468498 ShowCursor
0x46849c SetWindowsHookExA
0x4684a0 SetWindowTextA
0x4684a4 SetWindowPos
0x4684a8 SetWindowPlacement
0x4684ac SetWindowLongA
0x4684b0 SetTimer
0x4684b4 SetScrollRange
0x4684b8 SetScrollPos
0x4684bc SetScrollInfo
0x4684c0 SetRect
0x4684c4 SetPropA
0x4684c8 SetParent
0x4684cc SetMenuItemInfoA
0x4684d0 SetMenu
0x4684d4 SetForegroundWindow
0x4684d8 SetFocus
0x4684dc SetCursor
0x4684e0 SetClassLongA
0x4684e4 SetCapture
0x4684e8 SetActiveWindow
0x4684ec SendMessageA
0x4684f0 ScrollWindow
0x4684f4 ScreenToClient
0x4684f8 RemovePropA
0x4684fc RemoveMenu
0x468500 ReleaseDC
0x468504 ReleaseCapture
0x468510 RegisterClassA
0x468514 RedrawWindow
0x468518 PtInRect
0x46851c PostQuitMessage
0x468520 PostMessageA
0x468524 PeekMessageA
0x468528 OffsetRect
0x46852c OemToCharA
0x468530 MessageBoxA
0x468534 MapWindowPoints
0x468538 MapVirtualKeyA
0x46853c LoadStringA
0x468540 LoadKeyboardLayoutA
0x468544 LoadIconA
0x468548 LoadCursorA
0x46854c LoadBitmapA
0x468550 KillTimer
0x468554 IsZoomed
0x468558 IsWindowVisible
0x46855c IsWindowEnabled
0x468560 IsWindow
0x468564 IsRectEmpty
0x468568 IsIconic
0x46856c IsDialogMessageA
0x468570 IsChild
0x468574 InvalidateRect
0x468578 IntersectRect
0x46857c InsertMenuItemA
0x468580 InsertMenuA
0x468584 InflateRect
0x46858c GetWindowTextA
0x468590 GetWindowRect
0x468594 GetWindowPlacement
0x468598 GetWindowLongA
0x46859c GetWindowDC
0x4685a0 GetTopWindow
0x4685a4 GetSystemMetrics
0x4685a8 GetSystemMenu
0x4685ac GetSysColorBrush
0x4685b0 GetSysColor
0x4685b4 GetSubMenu
0x4685b8 GetScrollRange
0x4685bc GetScrollPos
0x4685c0 GetScrollInfo
0x4685c4 GetPropA
0x4685c8 GetParent
0x4685cc GetWindow
0x4685d0 GetMenuStringA
0x4685d4 GetMenuState
0x4685d8 GetMenuItemInfoA
0x4685dc GetMenuItemID
0x4685e0 GetMenuItemCount
0x4685e4 GetMenu
0x4685e8 GetLastActivePopup
0x4685ec GetKeyboardState
0x4685f4 GetKeyboardLayout
0x4685f8 GetKeyState
0x4685fc GetKeyNameTextA
0x468600 GetIconInfo
0x468604 GetForegroundWindow
0x468608 GetFocus
0x46860c GetDlgItem
0x468610 GetDesktopWindow
0x468614 GetDCEx
0x468618 GetDC
0x46861c GetCursorPos
0x468620 GetCursor
0x468624 GetClipboardData
0x468628 GetClientRect
0x46862c GetClassNameA
0x468630 GetClassInfoA
0x468634 GetCapture
0x468638 GetActiveWindow
0x46863c FrameRect
0x468640 FindWindowA
0x468644 FillRect
0x468648 EqualRect
0x46864c EnumWindows
0x468650 EnumThreadWindows
0x468654 EndPaint
0x468658 EnableWindow
0x46865c EnableScrollBar
0x468660 EnableMenuItem
0x468664 DrawTextA
0x468668 DrawMenuBar
0x46866c DrawIconEx
0x468670 DrawIcon
0x468674 DrawFrameControl
0x468678 DrawEdge
0x46867c DispatchMessageA
0x468680 DestroyWindow
0x468684 DestroyMenu
0x468688 DestroyIcon
0x46868c DestroyCursor
0x468690 DeleteMenu
0x468694 DefWindowProcA
0x468698 DefMDIChildProcA
0x46869c DefFrameProcA
0x4686a0 CreatePopupMenu
0x4686a4 CreateMenu
0x4686a8 CreateIcon
0x4686ac ClientToScreen
0x4686b0 CheckMenuItem
0x4686b4 CallWindowProcA
0x4686b8 CallNextHookEx
0x4686bc BeginPaint
0x4686c0 CharNextA
0x4686c4 CharLowerBuffA
0x4686c8 CharLowerA
0x4686cc CharToOemA
0x4686d0 AdjustWindowRectEx
Library kernel32.dll:
0x4686dc Sleep
Library oleaut32.dll:
0x4686e4 SafeArrayPtrOfIndex
0x4686e8 SafeArrayGetUBound
0x4686ec SafeArrayGetLBound
0x4686f0 SafeArrayCreate
0x4686f4 VariantChangeType
0x4686f8 VariantCopy
0x4686fc VariantClear
0x468700 VariantInit
Library ole32.dll:
0x468708 CoTaskMemAlloc
0x46870c CoCreateInstance
0x468710 CoUninitialize
0x468714 CoInitialize
Library comctl32.dll:
0x468724 ImageList_Write
0x468728 ImageList_Read
0x468738 ImageList_DragMove
0x46873c ImageList_DragLeave
0x468740 ImageList_DragEnter
0x468744 ImageList_EndDrag
0x468748 ImageList_BeginDrag
0x46874c ImageList_Remove
0x468750 ImageList_DrawEx
0x468754 ImageList_Replace
0x468758 ImageList_Draw
0x468768 ImageList_Add
0x468770 ImageList_Destroy
0x468774 ImageList_Create
0x468778 InitCommonControls
Library comdlg32.dll:
0x468780 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.