13.0
0-day

eecaf5677c5c21d268261eef35a819549dda3c454e9b60e368070aa3bfd2f54c

a91492c67615ed6267a2a4e9969373ca.exe

Analysis duration

85s

Most recent analysis

File size

156.0KB
Static detections / Dynamic detections: 0NA103I320 AI SCORE=99 AIDETECTVM ATTRIBUTE BANKERX BSCOPE DRIDEX GENERICRXLW HIGH CONFIDENCE HIGHCONFIDENCE HLMPA7I1D04 HTTNMP JQW@AK70ADJ MALWARE1 MALWARE@#2N9BM6T3Z3FM7 NYMAIM RAZY SCORE SUSGEN SUSPICIOUS PE TGUK UNSAFE WACATAC XPACK Z8SXWTLPGEJ ZBOT ZEXAF ZLOADER
Eagle Eye engine
Not detected: no Eagle Eye engine result available
Static verdict
Antivirus engines
Engine  Result  Scan time  Engine version
McAfee GenericRXLW-CJ!A91492C67615 20201003 6.0.6.653
Alibaba TrojanSpy:Win32/Dridex.d2e9f60d 20190527 0.3.0.5
Avast Win32:BankerX-gen [Trj] 20201003 18.4.3895.0
Baidu 20190318 1.0.0.2
Kingsoft 20201003 2013.8.14.323
CrowdStrike 20190702 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619850004.583626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619850006.504626
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 events)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (8 events)
Time & API Arguments Status Return Repeated
1619850002.770626
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1619850002.770626
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1619850006.192626
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74fa1000
success 0 0
1619850007.301626
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74331000
success 0 0
1619850007.364626
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74311000
success 0 0
1619850007.379626
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x742d1000
success 0 0
1619850007.426626
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x742c1000
success 0 0
1619850007.895626
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x741c1000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ovlo\eqsa.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ovlo\eqsa.exe
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1619826902.550081
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 16 (PAGE_EXECUTE)
process_handle: 0x000000fc
base_address: 0x000f0000
success 0 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619850007.895626
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)
Time & API Arguments Status Return Repeated
1619826901.550081
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619850005.958626
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1619850006.004626
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
Network communication
One or more of the buffers contains an embedded PE file (1 event)
buffer Buffer with sha1: 7c5357f32a0a3afe7cf840722a7968db8f82fc71
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission in another process, indicative of possible code injection (2 events)
Time & API Arguments Status Return Repeated
1619826902.550081
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 16 (PAGE_EXECUTE)
process_handle: 0x000000fc
base_address: 0x000f0000
success 0 0
1619826902.550081
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 180224
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
base_address: 0x000c0000
success 0 0
Manipulates memory of a non-child process, indicative of process injection (5 events)
Process injection Process 2224 manipulating memory of non-child process 2240
Time & API Arguments Status Return Repeated
1619826902.487081
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 180224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1619826902.534081
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1619826902.550081
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 16 (PAGE_EXECUTE)
process_handle: 0x000000fc
base_address: 0x000f0000
success 0 0
1619826902.550081
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 180224
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
base_address: 0x000c0000
success 0 0
Potential code injection by writing to the memory of another process (2 events)
Process injection Process 2224 injected into non-child 2240
Time & API Arguments Status Return Repeated
1619826902.534081
WriteProcessMemory
process_identifier: 2240
buffer: ¾ ¹À¸…S¨‰ƒùt 0FÁÀIëòéNzýÿ
process_handle: 0x000000fc
base_address: 0x000f0000
success 1 0
Sets or modifies the WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619850010.520626
RegSetValueExA
key_handle: 0x000003e0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619850010.520626
RegSetValueExA
key_handle: 0x000003e0
value: €áܯ;>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619850010.520626
RegSetValueExA
key_handle: 0x000003e0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619850010.520626
RegSetValueExW
key_handle: 0x000003e0
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619850010.520626
RegSetValueExA
key_handle: 0x000003f8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619850010.520626
RegSetValueExA
key_handle: 0x000003f8
value: €áܯ;>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619850010.520626
RegSetValueExA
key_handle: 0x000003f8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619850010.645626
RegSetValueExW
key_handle: 0x000003dc
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 2224 called NtSetContextThread to modify thread in remote process 2240
Time & API Arguments Status Return Repeated
1619826902.550081
NtSetContextThread
thread_handle: 0x000000a4
registers.eip: 983040
registers.esp: 1507304
registers.edi: 0
registers.eax: 0
registers.ebp: 0
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
process_identifier: 2240
success 0 0
Exhibits behavior characteristic of Nymaim malware (6 events)
Time & API Arguments Status Return Repeated
1619850006.067626
NtCreateKey
index: 0
key_handle: 0x00000250
desired_access: 0x00000003 ()
class:
regkey: HKEY_CURRENT_USER\Software\Microsoft\Vookbeob
disposition: 1
options: 0
success 0 0
1619850006.098626
NtCreateKey
index: 0
key_handle: 0x0000024c
desired_access: 0x00000002 ()
class:
regkey: HKEY_CURRENT_USER\Software\Microsoft\toxm
disposition: 1
options: 0
success 0 0
1619850006.114626
NtSetValueKey
index: 0
key_handle: 0x0000024c
value: þUû@͓"¹8Œ4:Ã@ÍÞM—žwÑowë"y3ã Ë\ëâùŒ÷¤£Ôè­óˆ‚❹#ç§Aa˜Ït.~‚Å‹cýÚ"’Û«JǂÓX ™VJÄ\XÉýëzú‚Ú´²Šìø¶ÆÐ– ÝN³ÝÌ{Âà™D 5¾ÿ‘¯šw•ý… ¤ÚØG°O`·›bär«ÊM7Ѿ¡Qé·`@ØbC?“·dcCº0o¬mÕò€;LÆw‡ë;Í'ãȞâÈ˽|à‡dÝ9j’b¶¯j™8$¿€—Æþ¥´èÝ éµAý梩}ˆMÜeýîMKxž,ÒOÿG>ßÔ·c3%ù-UÌ)¤pív䂧ƒRq€/ñ2ýøí°³Íš€JCâŽÿôzÄ)͇kx'Zt+×F¥‚šˆ@ Íu®MëA#£]OH^¤éu‘þ„ –Å(Æ+~Çì?ý8Öy²âЙüý*S‹&þË·ÏXÿæÊ`óÈkYþY-FMÛñuy |C},#‰râÐA«ô_¼†ÅKùÚ«"à`•Ú΋ÿÞ1ÿbñí¯ãâ%ºL ^e€Œ¼ÂÛß&ð¹6ºY>/Éã©}69ó¥Ùÿä0þzú›«Çyô% e»±tf𬏪aP:üËò UržÉZÖpoûݬÂuµ8Š?]ÄbÁ2wàóà&ф…ü¯9h´+ò\‹º¼2¬pP§‰òP¼UKW-ý 7æ‚8ÝóF¤•<Ír×ï–ÛÊ9þü“굍'b=O£tIZMìD†LöŽú› ïm— OŽªî>À–¿±°5Ùnpèԁ܍}Ô•÷«h–uA;¶pù¨dH‰¾1»˜¼5€ž;MÓþSë¥û1nZäÂ@®."^ ´û.ñe+Ao1ŒuöH‰éýÎîŠøë€å}£\7ÞQfíJ)CŒ°ùSÕìLð«üƒ‡;$^œd¦â:^¾JË×#«ÚL°âÑP5”|wÑalœiènk ŠÇÀéÔÀÒH¸Àoz_òÊޱüöþ[AàŎ U”Á«fó­H5¿N=(C¼0õ5KqY–vÇîCŽØ*TAãÚ|l±5Ò ?n6LȄ3UMs¦) zÅ¢øTÉm£E£ãm©{ }ÄK œxOmžkL³Çþ74ê}tƒU]~…ƒQ~µm}çnWö ®n*޼ã±UÐË¡ÝÃD½Ë°?Ôøk©T©`:›JŸÁ}uÇe¿'rHË9)Ø/µ½¶[’‡ AR¯òëD ‘«0‹çx8 ÉBóu~É:h¿™Ç_þJ_Ø'µza[̊^Ö3fE¢÷¢}Ir¦ó[
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\toxm\ugba
success 0 0
1619850006.333626
NtCreateKey
index: 0
key_handle: 0x00000250
desired_access: 0x00000002 ()
class:
regkey: HKEY_CURRENT_USER\Software\Microsoft\Vookbeob
disposition: 2
options: 0
success 0 0
1619850006.411626
NtCreateKey
index: 0
key_handle: 0x00000250
desired_access: 0x00000002 ()
class:
regkey: HKEY_CURRENT_USER\Software\Microsoft\Vookbeob
disposition: 2
options: 0
success 0 0
1619850006.411626
NtCreateKey
index: 0
key_handle: 0x00000250
desired_access: 0x00000002 ()
class:
regkey: HKEY_CURRENT_USER\Software\Microsoft\Vookbeob
disposition: 2
options: 0
success 0 0
Expresses interest in specific running processes (1 event)
process: potential process injection target explorer.exe
A process performed obfuscation on information about the computer or sent it to a remote location, indicative of CnC traffic/preparations. (4 events)
Time & API Arguments Status Return Repeated
1619850006.458626
CryptHashData
buffer: -'/'nathan'OSKAR-PC_2EBFF1F466E22867&''ù§`òÀ"SæPô.q‡Ë+î+
flags: 0
hash_handle: 0x006a01d0
success 1 0
1619850006.629626
CryptHashData
buffer: -'/'nathan'OSKAR-PC_2EBFF1F466E22867&''äoÝ‘Æ9‹OFu'
flags: 0
hash_handle: 0x006a01d0
success 1 0
1619850022.989626
CryptHashData
buffer: -'/'nathan'OSKAR-PC_2EBFF1F466E22867&''HÔçr ™Ï¦ '
flags: 0
hash_handle: 0x006a01d0
success 1 0
1619850047.614626
CryptHashData
buffer: -'/'nathan'OSKAR-PC_2EBFF1F466E22867&''G]½7†©„&Íîõ='A'
flags: 0
hash_handle: 0x006a01d0
success 1 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 2224 resumed a thread in remote process 2240
Time & API Arguments Status Return Repeated
1619826903.378081
NtResumeThread
thread_handle: 0x000000a4
suspend_count: 1
process_identifier: 2240
success 0 0
Generates some ICMP traffic
Executed a process and injected code into it, probably while unpacking (8 events)
Time & API Arguments Status Return Repeated
1619826902.472081
CreateProcessInternalW
thread_identifier: 2452
thread_handle: 0x000000a4
process_identifier: 2240
current_directory:
filepath:
track: 1
command_line: msiexec.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524292 (CREATE_SUSPENDED|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619826902.487081
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 180224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1619826902.503081
WriteProcessMemory
process_identifier: 2240
buffer:
process_handle: 0x000000fc
base_address: 0x000c0000
success 1 0
1619826902.534081
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1619826902.534081
WriteProcessMemory
process_identifier: 2240
buffer: ¾ ¹À¸…S¨‰ƒùt 0FÁÀIëòéNzýÿ
process_handle: 0x000000fc
base_address: 0x000f0000
success 1 0
1619826902.534081
NtGetContextThread
thread_handle: 0x000000a4
success 0 0
1619826902.550081
NtSetContextThread
thread_handle: 0x000000a4
registers.eip: 983040
registers.esp: 1507304
registers.edi: 0
registers.eax: 0
registers.ebp: 0
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
process_identifier: 2240
success 0 0
1619826903.378081
NtResumeThread
thread_handle: 0x000000a4
suspend_count: 1
process_identifier: 2240
success 0 0
File has been identified by 56 antivirus engines on VirusTotal as malicious (50 of 56 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.593882
FireEye Generic.mg.a91492c67615ed62
CAT-QuickHeal Backdoor.Dridex
McAfee GenericRXLW-CJ!A91492C67615
Cylance Unsafe
Zillya Trojan.Zbot.Win32.212598
Sangfor Malware
K7AntiVirus Spyware ( 005612b41 )
Alibaba TrojanSpy:Win32/Dridex.d2e9f60d
K7GW Spyware ( 005612b41 )
Arcabit Trojan.Razy.D90FDA
Invincea Mal/Generic-S
BitDefenderTheta Gen:NN.ZexaF.34282.jqW@aK70adj
Cyren W32/Trojan.TGUK-2562
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Backdoor.Win32.Dridex.vho
BitDefender Gen:Variant.Razy.593882
NANO-Antivirus Trojan.Win32.Dridex.httnmp
ViRobot Trojan.Win32.Z.Razy.159744.SH
Avast Win32:BankerX-gen [Trj]
Ad-Aware Gen:Variant.Razy.593882
Emsisoft Trojan-Spy.Agent (A)
Comodo Malware@#2n9bm6t3z3fm7
F-Secure Trojan.TR/Crypt.XPACK.Gen
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_FRS.0NA103I320
McAfee-GW-Edition BehavesLike.Win32.Generic.ch
Sophos Mal/Generic-S
SentinelOne DFI - Suspicious PE
Jiangmin Backdoor.Dridex.ng
Webroot W32.Malware.Gen
Avira TR/Crypt.XPACK.Gen
Antiy-AVL Trojan[Spy]/Win32.Zbot
Microsoft Trojan:Win32/Dridex.VAM!MSR
AegisLab Trojan.Win32.Dridex.m!c
ZoneAlarm HEUR:Backdoor.Win32.Dridex.vho
GData Win32.Malware.ZLoader.B
Cynet Malicious (score: 100)
VBA32 BScope.Trojan.Wacatac
ALYac Trojan.Agent.ZLoader
MAX malware (ai score=99)
Malwarebytes Trojan.ZLoader
ESET-NOD32 a variant of Win32/Spy.Zbot.ADI
TrendMicro-HouseCall TROJ_FRS.0NA103I320
Rising Backdoor.Dridex!8.3226 (TFE:4:z8SxWTLpgEJ)
Yandex TrojanSpy.Zbot!HLMpA7I1d04
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-08-13 23:30:17

Imports

Library KERNEL32.dll:
0x427214 ExitProcess
0x427218 FormatMessageW
0x42721c GetCurrentProcess
0x427220 GetCurrentProcessId
0x427224 GetDateFormatW
0x427228 GetFileAttributesW
0x42722c GetFileType
0x427230 GetLastError
0x427234 GetLocalTime
0x427238 GetModuleHandleA
0x42723c GetModuleHandleW
0x427240 GetOEMCP
0x427244 GetStringTypeW
0x42724c GetUserDefaultLCID
0x427250 GlobalAlloc
0x427254 HeapAlloc
0x427258 HeapReAlloc
0x427260 LocalReAlloc
0x427264 MultiByteToWideChar
0x427268 SetEndOfFile
0x42726c SetLastError
0x427274 VirtualFree
0x427278 WriteFile
Library ADVAPI32.dll:
0x427280 GetTokenInformation
Library SHELL32.dll:
0x427288 CommandLineToArgvW
Library USER32.dll:
0x427290 CheckMenuItem
0x427294 CheckRadioButton
0x427298 CopyRect
0x42729c CreateDialogParamW
0x4272a0 DefWindowProcW
0x4272a4 DestroyIcon
0x4272a8 DispatchMessageW
0x4272ac DrawMenuBar
0x4272b0 EnableWindow
0x4272b4 EndDialog
0x4272b8 GetClassWord
0x4272bc GetMenu
0x4272c0 GetMessageA
0x4272c4 GetNextDlgTabItem
0x4272c8 GetSubMenu
0x4272cc GetSysColorBrush
0x4272d0 GetSystemMetrics
0x4272d4 GetWindowPlacement
0x4272dc InflateRect
0x4272e0 IntersectRect
0x4272e4 KillTimer
0x4272e8 LoadCursorW
0x4272ec LoadIconA
0x4272f0 LoadImageW
0x4272f4 LoadMenuA
0x4272f8 LoadStringW
0x4272fc MapWindowPoints
0x427300 MessageBeep
0x427304 MessageBoxW
0x427308 RegisterClassA
0x42730c RegisterClassExW
0x427310 RemoveMenu
0x427314 ScreenToClient
0x427318 SendDlgItemMessageW
0x42731c SetCapture
0x427320 SetDlgItemInt
0x427324 SetFocus
0x427328 SetMenuItemInfoW
0x42732c SetWindowPlacement
0x427334 UnregisterClassW
Library GDI32.dll:
0x427340 CreateCompatibleDC
0x427344 CreateRectRgn
0x42734c CreateSolidBrush
0x427350 DeleteDC
0x427354 DeleteObject
0x427358 ExtCreatePen
0x42735c GetBkColor
0x427360 GetObjectA
0x427364 GetStockObject
0x427368 GetTextExtentPointW
0x42736c GetTextMetricsA
0x427370 LineTo
0x427374 MoveToEx
0x427378 SelectObject
0x42737c SetBkColor
0x427380 SetTextColor
0x427384 StartDocA
Library ole32.dll:
0x42738c CoCreateInstance

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source  Source port  Destination  Destination port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 53657 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.