SmartHawk

10.4

0-day

54 个模型检测该样本为恶意！

重新分析

下载样本

4670fe6f5313f9539870f640a3b232352201fea158b0ff267702b8e28a8ff0e0

a507f1ff127c123fc92948fa8a6e477c.exe

分析耗时

131s

最近分析

文件大小

1.8MB

静态报毒动态报毒 100% ACCPU AGENTTESLA AI SCORE=81 AIDETECTVM ARTEMIS AUTO AUTOIT AUTOITGEN BINTOSTR BTSRCZ CONFIDENCE ELDORADO GENERICKD GRAYWARE HIGH CONFIDENCE HJBFZY IGENT KTSE MALWARE1 MALWARE@#2PM14S1YX4S2R PREDATOR R + TROJ S1079 SCORE SIGGEN9 STEALE TROJANAITINJECT UNSAFE WACATAC WLDC YQRK1F ZXEHF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!A507F1FF127C	20210127	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20210106	1.0
Alibaba	Trojan:Win32/AutoItGen.151	20190527	0.3.0.5
Avast	Script:SNH-gen [Trj]	20210126	21.1.5827.0
Tencent	Win32.Trojan.Autoit.Auto	20210127	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft		20210127	2017.9.26.565

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1619802938.08025 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619802939.26825 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619802942.01825 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781448.4685 IsDebuggerPresent		failed	0	0
1619802934.58025 IsDebuggerPresent		failed	0	0

One or more processes crashed (7 个事件)

Time & API	Arguments	Status
1619802941.67425 __exception__	stacktrace: 0x4d223ed 0x4d218cc CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x738d1b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x738e8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x738f6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x738f6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x738f6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73996a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x739969ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73996eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x739970b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73996fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x73e855ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3207480 registers.edi: 3207508 registers.eax: 0 registers.ebp: 3207524 registers.edx: 158 registers.ebx: 0 registers.esi: 46972252 registers.ecx: 0 exception.instruction_r: 8b 01 ff 50 28 89 45 dc b8 74 95 72 35 e9 6a ff exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d227c5	success
1619802944.56425 __exception__	stacktrace: 0x4d24ec0 0x4d22195 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x738d1b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x738e8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x738f6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x738f6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x738f6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73996a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x739969ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73996eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x739970b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73996fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x73e855ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3205988 registers.edi: 48783464 registers.eax: 48787916 registers.ebp: 3206056 registers.edx: 48787916 registers.ebx: 48785276 registers.esi: 0 registers.ecx: 1911774966 exception.instruction_r: 39 06 68 ff ff ff 7f 6a 00 8b ce e8 34 5e 63 6c exception.instruction: cmp dword ptr [esi], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5ace33c	success
1619802944.75225 __exception__	stacktrace: 0x4d252b9 0x4d22195 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x738d1b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x738e8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x738f6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x738f6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x738f6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73996a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x739969ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73996eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x739970b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73996fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x73e855ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3205980 registers.edi: 0 registers.eax: 0 registers.ebp: 3206056 registers.edx: 3205948 registers.ebx: 1 registers.esi: 48854080 registers.ecx: 0 exception.instruction_r: 39 09 e8 90 2f 56 6c 89 45 b8 b8 1f de 3d 21 35 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5b01891	success
1619802944.75225 __exception__	stacktrace: 0x4d25358 0x4d22195 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x738d1b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x738e8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x738f6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x738f6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x738f6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73996a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x739969ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73996eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x739970b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73996fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x73e855ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3206000 registers.edi: 3206040 registers.eax: 69460170 registers.ebp: 3206056 registers.edx: 5 registers.ebx: 1 registers.esi: 764061875 registers.ecx: 0 exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 69 c6 fa bc 16 cd exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5b01e39	success
1619802944.83025 __exception__	stacktrace: 0x4d22195 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x738d1b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x738e8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x738f6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x738f6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x738f6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73996a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x739969ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73996eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x739970b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73996fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x73e855ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3206064 registers.edi: 48895644 registers.eax: 0 registers.ebp: 3207572 registers.edx: 3 registers.ebx: 1 registers.esi: 10683299 registers.ecx: 13 exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 8b 95 3c fa ff ff exception.instruction: cmp dword ptr [eax + 8], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d2580d	success
1619802944.86125 __exception__	stacktrace: 0x4d25b0d 0x4d22195 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x738d1b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x738e8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x738f6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x738f6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x738f6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73996a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x739969ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73996eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x739970b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73996fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x73e855ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3205940 registers.edi: 48941244 registers.eax: 0 registers.ebp: 3206056 registers.edx: 3205908 registers.ebx: 0 registers.esi: 732232875 registers.ecx: 0 exception.instruction_r: 39 09 e8 4c 12 56 6c 83 78 04 00 0f 84 d2 03 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5b035d5	success
1619802945.00225 __exception__	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31 IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141 OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db DllRegisterServerInternal+0x3df02 GetPrivateContextsPerfCounters-0x19797 mscorwks+0x94168 @ 0x73964168 0x5db452 system+0x7a24ea @ 0x713024ea system+0x7a30b4 @ 0x713030b4 system+0x7a2c0a @ 0x71302c0a system+0x7a0de4 @ 0x71300de4 system+0x79e6da @ 0x712fe6da system+0x79f065 @ 0x712ff065 microsoft+0x12fb46 @ 0x70aefb46 0x4d21451 system+0x1f84fa @ 0x70d584fa 0x8f0ebc gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a 0x5b0433c 0x4d221ba CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x738d1b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x738e8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x738f6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x738f6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x738f6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73996a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x739969ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73996eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x739970b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73996fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x73e855ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3206156 registers.edi: 8323072 registers.eax: 4294967288 registers.ebp: 3206200 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8323072 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77da9e58	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 87 个事件)

Time & API	Arguments	Status
1619781454.2185 NtAllocateVirtualMemory	process_identifier: 2952 region_size: 602112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00f00000	success
1619781456.4375 NtAllocateVirtualMemory	process_identifier: 2952 region_size: 602112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x04500000	success
1619802934.17425 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e81000	success
1619802934.17425 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x008f0000	success
1619802934.17425 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008f0000	success
1619802934.43925 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x738d1000	success
1619802934.43925 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73894000	success
1619802934.47125 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x738d1000	success
1619802934.59625 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005da000	success
1619802934.59625 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x738d2000	success
1619802934.59625 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d2000	success
1619802934.86125 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00932000	success
1619802934.90825 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00933000	success
1619802934.93925 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0097b000	success
1619802934.93925 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00977000	success
1619802935.00225 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75061000	success
1619802935.01825 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00934000	success
1619802935.03325 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0093c000	success
1619802935.18925 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04d00000	success
1619802935.18925 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04d10000	success
1619802935.18925 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04d11000	success
1619802935.20525 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00936000	success
1619802936.33025 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00937000	success
1619802936.33025 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00939000	success
1619802936.39325 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04d21000	success
1619802936.47125 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00946000	success
1619802936.48625 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0095a000	success
1619802936.59625 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00952000	success
1619802936.65825 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73621000	success
1619802936.76825 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0094a000	success
1619802936.76825 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00947000	success
1619802937.64325 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008f1000	success
1619802937.67425 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04d22000	success
1619802937.75225 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75011000	success
1619802938.15825 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x707e1000	success
1619802938.97125 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04cf0000	success
1619802938.97125 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04cf1000	success
1619802938.97125 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0093a000	success
1619802938.97125 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0093b000	success
1619802938.97125 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005db000	success
1619802939.17425 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x7ef40000	success
1619802939.17425 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef40000	success
1619802939.17425 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef40000	success
1619802939.17425 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x7ef30000	success
1619802939.17425 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef30000	success
1619802939.23625 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x6a311000	success
1619802939.23625 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04eb0000	success
1619802939.23625 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04eb1000	success
1619802939.23625 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04eb2000	success
1619802939.23625 NtAllocateVirtualMemory	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04eb3000	success

Steals private information from local Internet browsers (7 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (2 个事件)

file	C:\Users\Administrator.Oskar-PC\CBDHSvc\CBDHSvc.vbs
file	C:\Users\Administrator.Oskar-PC\CBDHSvc\bootux.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.977600682909002

section

{'size_of_data': '0x000fae00', 'virtual_address': '0x000c7000', 'entropy': 7.977600682909002, 'name': '.rsrc', 'virtual_size': '0x000faccc'}

description

A section with a high entropy has been found

entropy

0.5561097256857855

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619802942.08025 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (2 个事件)

host	113.108.239.196
host	172.217.24.14

Looks for the Windows Idle Time to determine the uptime (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619802944.78325 NtQuerySystemInformation	information_class: 8 (SystemProcessorPerformanceInformation)	success	0	0

A process attempted to delay the analysis task. (1 个事件)

description

RegAsm.exe tried to sleep 2728257 seconds, actually delayed analysis time by 2728257 seconds

Installs itself for autorun at Windows startup (2 个事件)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\jVqvMZrl				reg_value	C:\Users\ADMINI~1.OSK\AppData\Local\Temp\DCQmgJC\PGoUX.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CBDHSvc.url

Harvests credentials from local FTP client softwares (6 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619802945.00225 SetWindowsHookExW	thread_identifier: 0 callback_function: 0x008f28a2 module_address: 0x00400000 hook_identifier: 13 (WH_KEYBOARD_LL)	success	1048973	0

Harvests credentials from local email clients (6 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Attempts to remove evidence of file being downloaded from the Internet (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\DCQmgJC\PGoUX.exe:Zone.Identifier

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen9.30289
MicroWorld-eScan	Trojan.GenericKD.33581505
FireEye	Generic.mg.a507f1ff127c123f
CAT-QuickHeal	Trojan.Agent
McAfee	Artemis!A507F1FF127C
Cylance	Unsafe
Sangfor	Malware
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/AutoItGen.151
K7GW	Trojan ( 005638cc1 )
K7AntiVirus	Trojan ( 005638cc1 )
Arcabit	Trojan.Generic.D20069C1
Cyren	W32/AutoIt.OY.gen!Eldorado
Symantec	Trojan.Gen.MBT
APEX	Malicious
Avast	Script:SNH-gen [Trj]
ClamAV	Win.Packed.Autoit-7645667-1
Kaspersky	Trojan.Win32.Autoit.accpu
BitDefender	Trojan.GenericKD.33581505
NANO-Antivirus	Trojan.Win32.Autoit.hjbfzy
Tencent	Win32.Trojan.Autoit.Auto
Ad-Aware	Trojan.GenericKD.33581505
Emsisoft	Trojan.GenericKD.33581505 (B)
Comodo	Malware@#2pm14s1yx4s2r
F-Secure	Trojan.TR/BAS.Spy.zxehf
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Trojan.Win32.PREDATOR.WLDC
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.tc
Sophos	Mal/Generic-R + Troj/Steale-SH
Paloalto	generic.ml
Webroot	W32.Trojan.Gen
Avira	TR/BAS.Spy.zxehf
MAX	malware (ai score=81)
Antiy-AVL	GrayWare/Autoit.BinToStr.a
Microsoft	Trojan:Win32/Predator.BD!MTB
AegisLab	Trojan.Win32.Generic.4!e
ZoneAlarm	Trojan.Win32.Autoit.accpu
GData	Win32.Trojan-Stealer.AgentTesla.YQRK1F
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/AU3.Wacatac.S1079
VBA32	Trojan.Autoit
Malwarebytes	Spyware.AgentTesla
Zoner	Trojan.Win32.88989
ESET-NOD32	MSIL/Autorun.Spy.Agent.DF
TrendMicro-HouseCall	Trojan.Win32.PREDATOR.WLDC
Rising	Trojan.Obfus/Autoit!1.C045 (KTSE)
Yandex	Trojan.Igent.bTsRCz.6
Fortinet	W32/Injector.FES!tr

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-03-30 00:51:38

Imports

Library WSOCK32.dll:

• 0x48f7c8 WSACleanup

• 0x48f7cc socket

• 0x48f7d0 inet_ntoa

• 0x48f7d4 setsockopt

• 0x48f7d8 ntohs

• 0x48f7dc recvfrom

• 0x48f7e0 ioctlsocket

• 0x48f7e4 htons

• 0x48f7e8 WSAStartup

• 0x48f7ec __WSAFDIsSet

• 0x48f7f0 select

• 0x48f7f4 accept

• 0x48f7f8 listen

• 0x48f7fc bind

• 0x48f800 closesocket

• 0x48f804 WSAGetLastError

• 0x48f808 recv

• 0x48f80c sendto

• 0x48f810 send

• 0x48f814 inet_addr

• 0x48f818 gethostbyname

• 0x48f81c gethostname

• 0x48f820 connect

Library VERSION.dll:

• 0x48f76c GetFileVersionInfoW

• 0x48f770 GetFileVersionInfoSizeW

• 0x48f774 VerQueryValueW

Library WINMM.dll:

• 0x48f7b8 timeGetTime

• 0x48f7bc waveOutSetVolume

• 0x48f7c0 mciSendStringW

Library COMCTL32.dll:

• 0x48f088 ImageList_ReplaceIcon

• 0x48f08c ImageList_Destroy

• 0x48f090 ImageList_Remove

• 0x48f094 ImageList_SetDragCursorImage

• 0x48f098 ImageList_BeginDrag

• 0x48f09c ImageList_DragEnter

• 0x48f0a0 ImageList_DragLeave

• 0x48f0a4 ImageList_EndDrag

• 0x48f0a8 ImageList_DragMove

• 0x48f0ac InitCommonControlsEx

• 0x48f0b0 ImageList_Create

Library MPR.dll:

• 0x48f3f8 WNetUseConnectionW

• 0x48f3fc WNetCancelConnection2W

• 0x48f400 WNetGetConnectionW

• 0x48f404 WNetAddConnection2W

Library WININET.dll:

• 0x48f77c InternetQueryDataAvailable

• 0x48f780 InternetCloseHandle

• 0x48f784 InternetOpenW

• 0x48f788 InternetSetOptionW

• 0x48f78c InternetCrackUrlW

• 0x48f790 HttpQueryInfoW

• 0x48f794 InternetQueryOptionW

• 0x48f798 HttpOpenRequestW

• 0x48f79c HttpSendRequestW

• 0x48f7a0 FtpOpenFileW

• 0x48f7a4 FtpGetFileSize

• 0x48f7a8 InternetOpenUrlW

• 0x48f7ac InternetReadFile

• 0x48f7b0 InternetConnectW

Library PSAPI.DLL:

• 0x48f484 GetProcessMemoryInfo

Library IPHLPAPI.DLL:

• 0x48f154 IcmpCreateFile

• 0x48f158 IcmpCloseHandle

• 0x48f15c IcmpSendEcho

Library USERENV.dll:

• 0x48f750 DestroyEnvironmentBlock

• 0x48f754 UnloadUserProfile

• 0x48f758 CreateEnvironmentBlock

• 0x48f75c LoadUserProfileW

Library UxTheme.dll:

• 0x48f764 IsThemeActive

Library KERNEL32.dll:

• 0x48f164 DuplicateHandle

• 0x48f168 CreateThread

• 0x48f16c WaitForSingleObject

• 0x48f170 HeapAlloc

• 0x48f174 GetProcessHeap

• 0x48f178 HeapFree

• 0x48f17c Sleep

• 0x48f180 GetCurrentThreadId

• 0x48f184 MultiByteToWideChar

• 0x48f188 MulDiv

• 0x48f18c GetVersionExW

• 0x48f190 IsWow64Process

• 0x48f194 GetSystemInfo

• 0x48f198 FreeLibrary

• 0x48f19c LoadLibraryA

• 0x48f1a0 GetProcAddress

• 0x48f1a4 SetErrorMode

• 0x48f1a8 GetModuleFileNameW

• 0x48f1ac WideCharToMultiByte

• 0x48f1b0 lstrcpyW

• 0x48f1b4 lstrlenW

• 0x48f1b8 GetModuleHandleW

• 0x48f1bc QueryPerformanceCounter

• 0x48f1c0 VirtualFreeEx

• 0x48f1c4 OpenProcess

• 0x48f1c8 VirtualAllocEx

• 0x48f1cc WriteProcessMemory

• 0x48f1d0 ReadProcessMemory

• 0x48f1d4 CreateFileW

• 0x48f1d8 SetFilePointerEx

• 0x48f1dc SetEndOfFile

• 0x48f1e0 ReadFile

• 0x48f1e4 WriteFile

• 0x48f1e8 FlushFileBuffers

• 0x48f1ec TerminateProcess

• 0x48f1f0 CreateToolhelp32Snapshot

• 0x48f1f4 Process32FirstW

• 0x48f1f8 Process32NextW

• 0x48f1fc SetFileTime

• 0x48f200 GetFileAttributesW

• 0x48f204 FindFirstFileW

• 0x48f208 SetCurrentDirectoryW

• 0x48f20c GetLongPathNameW

• 0x48f210 GetShortPathNameW

• 0x48f214 DeleteFileW

• 0x48f218 FindNextFileW

• 0x48f21c CopyFileExW

• 0x48f220 MoveFileW

• 0x48f224 CreateDirectoryW

• 0x48f228 RemoveDirectoryW

• 0x48f22c SetSystemPowerState

• 0x48f230 QueryPerformanceFrequency

• 0x48f234 FindResourceW

• 0x48f238 LoadResource

• 0x48f23c LockResource

• 0x48f240 SizeofResource

• 0x48f244 EnumResourceNamesW

• 0x48f248 OutputDebugStringW

• 0x48f24c GetTempPathW

• 0x48f250 GetTempFileNameW

• 0x48f254 DeviceIoControl

• 0x48f258 GetLocalTime

• 0x48f25c CompareStringW

• 0x48f260 GetCurrentProcess

• 0x48f264 EnterCriticalSection

• 0x48f268 LeaveCriticalSection

• 0x48f26c GetStdHandle

• 0x48f270 CreatePipe

• 0x48f274 InterlockedExchange

• 0x48f278 TerminateThread

• 0x48f27c LoadLibraryExW

• 0x48f280 FindResourceExW

• 0x48f284 CopyFileW

• 0x48f288 VirtualFree

• 0x48f28c FormatMessageW

• 0x48f290 GetExitCodeProcess

• 0x48f294 GetPrivateProfileStringW

• 0x48f298 WritePrivateProfileStringW

• 0x48f29c GetPrivateProfileSectionW

• 0x48f2a0 WritePrivateProfileSectionW

• 0x48f2a4 GetPrivateProfileSectionNamesW

• 0x48f2a8 FileTimeToLocalFileTime

• 0x48f2ac FileTimeToSystemTime

• 0x48f2b0 SystemTimeToFileTime

• 0x48f2b4 LocalFileTimeToFileTime

• 0x48f2b8 GetDriveTypeW

• 0x48f2bc GetDiskFreeSpaceExW

• 0x48f2c0 GetDiskFreeSpaceW

• 0x48f2c4 GetVolumeInformationW

• 0x48f2c8 SetVolumeLabelW

• 0x48f2cc CreateHardLinkW

• 0x48f2d0 SetFileAttributesW

• 0x48f2d4 CreateEventW

• 0x48f2d8 SetEvent

• 0x48f2dc GetEnvironmentVariableW

• 0x48f2e0 SetEnvironmentVariableW

• 0x48f2e4 GlobalLock

• 0x48f2e8 GlobalUnlock

• 0x48f2ec GlobalAlloc

• 0x48f2f0 GetFileSize

• 0x48f2f4 GlobalFree

• 0x48f2f8 GlobalMemoryStatusEx

• 0x48f2fc Beep

• 0x48f300 GetSystemDirectoryW

• 0x48f304 HeapReAlloc

• 0x48f308 HeapSize

• 0x48f30c GetComputerNameW

• 0x48f310 GetWindowsDirectoryW

• 0x48f314 GetCurrentProcessId

• 0x48f318 GetProcessIoCounters

• 0x48f31c CreateProcessW

• 0x48f320 GetProcessId

• 0x48f324 SetPriorityClass

• 0x48f328 LoadLibraryW

• 0x48f32c VirtualAlloc

• 0x48f330 IsDebuggerPresent

• 0x48f334 GetCurrentDirectoryW

• 0x48f338 lstrcmpiW

• 0x48f33c DecodePointer

• 0x48f340 GetLastError

• 0x48f344 RaiseException

• 0x48f348 InitializeCriticalSectionAndSpinCount

• 0x48f34c DeleteCriticalSection

• 0x48f350 InterlockedDecrement

• 0x48f354 InterlockedIncrement

• 0x48f358 GetCurrentThread

• 0x48f35c CloseHandle

• 0x48f360 GetFullPathNameW

• 0x48f364 EncodePointer

• 0x48f368 ExitProcess

• 0x48f36c GetModuleHandleExW

• 0x48f370 ExitThread

• 0x48f374 GetSystemTimeAsFileTime

• 0x48f378 ResumeThread

• 0x48f37c GetCommandLineW

• 0x48f380 IsProcessorFeaturePresent

• 0x48f384 IsValidCodePage

• 0x48f388 GetACP

• 0x48f38c GetOEMCP

• 0x48f390 GetCPInfo

• 0x48f394 SetLastError

• 0x48f398 UnhandledExceptionFilter

• 0x48f39c SetUnhandledExceptionFilter

• 0x48f3a0 TlsAlloc

• 0x48f3a4 TlsGetValue

• 0x48f3a8 TlsSetValue

• 0x48f3ac TlsFree

• 0x48f3b0 GetStartupInfoW

• 0x48f3b4 GetStringTypeW

• 0x48f3b8 SetStdHandle

• 0x48f3bc GetFileType

• 0x48f3c0 GetConsoleCP

• 0x48f3c4 GetConsoleMode

• 0x48f3c8 RtlUnwind

• 0x48f3cc ReadConsoleW

• 0x48f3d0 GetTimeZoneInformation

• 0x48f3d4 GetDateFormatW

• 0x48f3d8 GetTimeFormatW

• 0x48f3dc LCMapStringW

• 0x48f3e0 GetEnvironmentStringsW

• 0x48f3e4 FreeEnvironmentStringsW

• 0x48f3e8 WriteConsoleW

• 0x48f3ec FindClose

• 0x48f3f0 SetEnvironmentVariableA

Library USER32.dll:

• 0x48f4cc AdjustWindowRectEx

• 0x48f4d0 CopyImage

• 0x48f4d4 SetWindowPos

• 0x48f4d8 GetCursorInfo

• 0x48f4dc RegisterHotKey

• 0x48f4e0 ClientToScreen

• 0x48f4e4 GetKeyboardLayoutNameW

• 0x48f4e8 IsCharAlphaW

• 0x48f4ec IsCharAlphaNumericW

• 0x48f4f0 IsCharLowerW

• 0x48f4f4 IsCharUpperW

• 0x48f4f8 GetMenuStringW

• 0x48f4fc GetSubMenu

• 0x48f500 GetCaretPos

• 0x48f504 IsZoomed

• 0x48f508 MonitorFromPoint

• 0x48f50c GetMonitorInfoW

• 0x48f510 SetWindowLongW

• 0x48f514 SetLayeredWindowAttributes

• 0x48f518 FlashWindow

• 0x48f51c GetClassLongW

• 0x48f520 TranslateAcceleratorW

• 0x48f524 IsDialogMessageW

• 0x48f528 GetSysColor

• 0x48f52c InflateRect

• 0x48f530 DrawFocusRect

• 0x48f534 DrawTextW

• 0x48f538 FrameRect

• 0x48f53c DrawFrameControl

• 0x48f540 FillRect

• 0x48f544 PtInRect

• 0x48f548 DestroyAcceleratorTable

• 0x48f54c CreateAcceleratorTableW

• 0x48f550 SetCursor

• 0x48f554 GetWindowDC

• 0x48f558 GetSystemMetrics

• 0x48f55c GetActiveWindow

• 0x48f560 CharNextW

• 0x48f564 wsprintfW

• 0x48f568 RedrawWindow

• 0x48f56c DrawMenuBar

• 0x48f570 DestroyMenu

• 0x48f574 SetMenu

• 0x48f578 GetWindowTextLengthW

• 0x48f57c CreateMenu

• 0x48f580 IsDlgButtonChecked

• 0x48f584 DefDlgProcW

• 0x48f588 CallWindowProcW

• 0x48f58c ReleaseCapture

• 0x48f590 SetCapture

• 0x48f594 CreateIconFromResourceEx

• 0x48f598 mouse_event

• 0x48f59c ExitWindowsEx

• 0x48f5a0 SetActiveWindow

• 0x48f5a4 FindWindowExW

• 0x48f5a8 EnumThreadWindows

• 0x48f5ac SetMenuDefaultItem

• 0x48f5b0 InsertMenuItemW

• 0x48f5b4 IsMenu

• 0x48f5b8 TrackPopupMenuEx

• 0x48f5bc GetCursorPos

• 0x48f5c0 DeleteMenu

• 0x48f5c4 SetRect

• 0x48f5c8 GetMenuItemID

• 0x48f5cc GetMenuItemCount

• 0x48f5d0 SetMenuItemInfoW

• 0x48f5d4 GetMenuItemInfoW

• 0x48f5d8 SetForegroundWindow

• 0x48f5dc IsIconic

• 0x48f5e0 FindWindowW

• 0x48f5e4 MonitorFromRect

• 0x48f5e8 keybd_event

• 0x48f5ec SendInput

• 0x48f5f0 GetAsyncKeyState

• 0x48f5f4 SetKeyboardState

• 0x48f5f8 GetKeyboardState

• 0x48f5fc GetKeyState

• 0x48f600 VkKeyScanW

• 0x48f604 LoadStringW

• 0x48f608 DialogBoxParamW

• 0x48f60c MessageBeep

• 0x48f610 EndDialog

• 0x48f614 SendDlgItemMessageW

• 0x48f618 GetDlgItem

• 0x48f61c SetWindowTextW

• 0x48f620 CopyRect

• 0x48f624 ReleaseDC

• 0x48f628 GetDC

• 0x48f62c EndPaint

• 0x48f630 BeginPaint

• 0x48f634 GetClientRect

• 0x48f638 GetMenu

• 0x48f63c DestroyWindow

• 0x48f640 EnumWindows

• 0x48f644 GetDesktopWindow

• 0x48f648 IsWindow

• 0x48f64c IsWindowEnabled

• 0x48f650 IsWindowVisible

• 0x48f654 EnableWindow

• 0x48f658 InvalidateRect

• 0x48f65c GetWindowLongW

• 0x48f660 GetWindowThreadProcessId

• 0x48f664 AttachThreadInput

• 0x48f668 GetFocus

• 0x48f66c GetWindowTextW

• 0x48f670 ScreenToClient

• 0x48f674 SendMessageTimeoutW

• 0x48f678 EnumChildWindows

• 0x48f67c CharUpperBuffW

• 0x48f680 GetParent

• 0x48f684 GetDlgCtrlID

• 0x48f688 SendMessageW

• 0x48f68c MapVirtualKeyW

• 0x48f690 PostMessageW

• 0x48f694 GetWindowRect

• 0x48f698 SetUserObjectSecurity

• 0x48f69c CloseDesktop

• 0x48f6a0 CloseWindowStation

• 0x48f6a4 OpenDesktopW

• 0x48f6a8 SetProcessWindowStation

• 0x48f6ac GetProcessWindowStation

• 0x48f6b0 OpenWindowStationW

• 0x48f6b4 GetUserObjectSecurity

• 0x48f6b8 MessageBoxW

• 0x48f6bc DefWindowProcW

• 0x48f6c0 SetClipboardData

• 0x48f6c4 EmptyClipboard

• 0x48f6c8 CountClipboardFormats

• 0x48f6cc CloseClipboard

• 0x48f6d0 GetClipboardData

• 0x48f6d4 IsClipboardFormatAvailable

• 0x48f6d8 OpenClipboard

• 0x48f6dc BlockInput

• 0x48f6e0 GetMessageW

• 0x48f6e4 LockWindowUpdate

• 0x48f6e8 DispatchMessageW

• 0x48f6ec TranslateMessage

• 0x48f6f0 PeekMessageW

• 0x48f6f4 UnregisterHotKey

• 0x48f6f8 CheckMenuRadioItem

• 0x48f6fc CharLowerBuffW

• 0x48f700 MoveWindow

• 0x48f704 SetFocus

• 0x48f708 PostQuitMessage

• 0x48f70c KillTimer

• 0x48f710 CreatePopupMenu

• 0x48f714 RegisterWindowMessageW

• 0x48f718 SetTimer

• 0x48f71c ShowWindow

• 0x48f720 CreateWindowExW

• 0x48f724 RegisterClassExW

• 0x48f728 LoadIconW

• 0x48f72c LoadCursorW

• 0x48f730 GetSysColorBrush

• 0x48f734 GetForegroundWindow

• 0x48f738 MessageBoxA

• 0x48f73c DestroyIcon

• 0x48f740 SystemParametersInfoW

• 0x48f744 LoadImageW

• 0x48f748 GetClassNameW

Library GDI32.dll:

• 0x48f0c4 StrokePath

• 0x48f0c8 DeleteObject

• 0x48f0cc GetTextExtentPoint32W

• 0x48f0d0 ExtCreatePen

• 0x48f0d4 GetDeviceCaps

• 0x48f0d8 EndPath

• 0x48f0dc SetPixel

• 0x48f0e0 CloseFigure

• 0x48f0e4 CreateCompatibleBitmap

• 0x48f0e8 CreateCompatibleDC

• 0x48f0ec SelectObject

• 0x48f0f0 StretchBlt

• 0x48f0f4 GetDIBits

• 0x48f0f8 LineTo

• 0x48f0fc AngleArc

• 0x48f100 MoveToEx

• 0x48f104 Ellipse

• 0x48f108 DeleteDC

• 0x48f10c GetPixel

• 0x48f110 CreateDCW

• 0x48f114 GetStockObject

• 0x48f118 GetTextFaceW

• 0x48f11c CreateFontW

• 0x48f120 SetTextColor

• 0x48f124 PolyDraw

• 0x48f128 BeginPath

• 0x48f12c Rectangle

• 0x48f130 SetViewportOrgEx

• 0x48f134 GetObjectW

• 0x48f138 SetBkMode

• 0x48f13c RoundRect

• 0x48f140 SetBkColor

• 0x48f144 CreatePen

• 0x48f148 CreateSolidBrush

• 0x48f14c StrokeAndFillPath

Library COMDLG32.dll:

• 0x48f0b8 GetOpenFileNameW

• 0x48f0bc GetSaveFileNameW

Library ADVAPI32.dll:

• 0x48f000 GetAce

• 0x48f004 RegEnumValueW

• 0x48f008 RegDeleteValueW

• 0x48f00c RegDeleteKeyW

• 0x48f010 RegEnumKeyExW

• 0x48f014 RegSetValueExW

• 0x48f018 RegOpenKeyExW

• 0x48f01c RegCloseKey

• 0x48f020 RegQueryValueExW

• 0x48f024 RegConnectRegistryW

• 0x48f028 InitializeSecurityDescriptor

• 0x48f02c InitializeAcl

• 0x48f030 AdjustTokenPrivileges

• 0x48f034 OpenThreadToken

• 0x48f038 OpenProcessToken

• 0x48f03c LookupPrivilegeValueW

• 0x48f040 DuplicateTokenEx

• 0x48f044 CreateProcessAsUserW

• 0x48f048 CreateProcessWithLogonW

• 0x48f04c GetLengthSid

• 0x48f050 CopySid

• 0x48f054 LogonUserW

• 0x48f058 AllocateAndInitializeSid

• 0x48f05c CheckTokenMembership

• 0x48f060 RegCreateKeyExW

• 0x48f064 FreeSid

• 0x48f068 GetTokenInformation

• 0x48f06c GetSecurityDescriptorDacl

• 0x48f070 GetAclInformation

• 0x48f074 AddAce

• 0x48f078 SetSecurityDescriptorDacl

• 0x48f07c GetUserNameW

• 0x48f080 InitiateSystemShutdownExW

Library SHELL32.dll:

• 0x48f48c DragQueryPoint

• 0x48f490 ShellExecuteExW

• 0x48f494 DragQueryFileW

• 0x48f498 SHEmptyRecycleBinW

• 0x48f49c SHGetPathFromIDListW

• 0x48f4a0 SHBrowseForFolderW

• 0x48f4a4 SHCreateShellItem

• 0x48f4a8 SHGetDesktopFolder

• 0x48f4ac SHGetSpecialFolderLocation

• 0x48f4b0 SHGetFolderPathW

• 0x48f4b4 SHFileOperationW

• 0x48f4b8 ExtractIconExW

• 0x48f4bc Shell_NotifyIconW

• 0x48f4c0 ShellExecuteW

• 0x48f4c4 DragFinish

Library ole32.dll:

• 0x48f828 CoTaskMemAlloc

• 0x48f82c CoTaskMemFree

• 0x48f830 CLSIDFromString

• 0x48f834 ProgIDFromCLSID

• 0x48f838 CLSIDFromProgID

• 0x48f83c OleSetMenuDescriptor

• 0x48f840 MkParseDisplayName

• 0x48f844 OleSetContainedObject

• 0x48f848 CoCreateInstance

• 0x48f84c IIDFromString

• 0x48f850 StringFromGUID2

• 0x48f854 CreateStreamOnHGlobal

• 0x48f858 OleInitialize

• 0x48f85c OleUninitialize

• 0x48f860 CoInitialize

• 0x48f864 CoUninitialize

• 0x48f868 GetRunningObjectTable

• 0x48f86c CoGetInstanceFromFile

• 0x48f870 CoGetObject

• 0x48f874 CoSetProxyBlanket

• 0x48f878 CoCreateInstanceEx

• 0x48f87c CoInitializeSecurity

Library OLEAUT32.dll:

• 0x48f40c LoadTypeLibEx

• 0x48f410 VariantCopyInd

• 0x48f414 SysReAllocString

• 0x48f418 SysFreeString

• 0x48f41c SafeArrayDestroyDescriptor

• 0x48f420 SafeArrayDestroyData

• 0x48f424 SafeArrayUnaccessData

• 0x48f428 SafeArrayAccessData

• 0x48f42c SafeArrayAllocData

• 0x48f430 SafeArrayAllocDescriptorEx

• 0x48f434 SafeArrayCreateVector

• 0x48f438 RegisterTypeLib

• 0x48f43c CreateStdDispatch

• 0x48f440 DispCallFunc

• 0x48f444 VariantChangeType

• 0x48f448 SysStringLen

• 0x48f44c VariantTimeToSystemTime

• 0x48f450 VarR8FromDec

• 0x48f454 SafeArrayGetVartype

• 0x48f458 VariantCopy

• 0x48f45c VariantClear

• 0x48f460 OleLoadPicture

• 0x48f464 QueryPathOfRegTypeLib

• 0x48f468 RegisterTypeLibForUser

• 0x48f46c UnRegisterTypeLibForUser

• 0x48f470 UnRegisterTypeLib

• 0x48f474 CreateDispTypeInfo

• 0x48f478 SysAllocString

• 0x48f47c VariantInit

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.78
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62191	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	62912	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.