SmartHawk

2.8

中危

51 个模型检测该样本为恶意！

重新分析

下载样本

65b02e97697c264d7ee58c9ef07d8800cb502b757adea9284d3f85a701532f88

aa93425497c45b30d577df3fc44e74cc.exe

分析耗时

17s

最近分析

文件大小

466.1KB

静态报毒动态报毒 100% AI SCORE=80 CONFIDENCE EMOTET FSQP GENCIRC HIGH CONFIDENCE HRRCQV JPCV8LDC9J8 KCLOUD KRYPTIK MALWARE@#OXFSFEHVVE5N MANSABO R011C0WHD20 REDCAP SCORE SUSGEN TRICKBOT UGUW ULISE UNSAFE YYFBA 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Trickbot-FSQP!AA93425497C4	20201231	6.0.6.653
Alibaba	Trojan:Win64/Mansabo.f49c2f9a	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win64:Malware-gen	20201231	21.1.5827.0
Tencent	Malware.Win32.Gencirc.11ac1878	20210101	1.0.0.1
Kingsoft	Win32.Troj.Mansabo.f.(kcloud)	20210101	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826881.258465 __exception__	stacktrace: registers.r14: 6162769 registers.r9: 818 registers.rcx: 8791764828160 registers.rsi: 8 registers.r10: 3221225715 registers.rbx: 8791764828160 registers.rdi: 14 registers.r11: 0 registers.r8: 260 registers.rdx: 1240336 registers.rbp: 1240352 registers.r15: 32022400 registers.r12: 2008686432 registers.rsp: 1240088 registers.rax: 0 registers.r13: 0 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0	success	0	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 69 个事件)

Time & API	Arguments	Status
1619826880.164465 NtAllocateVirtualMemory	process_identifier: 364 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00000000005e0000	success
1619826880.570465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff1e6000	success
1619826880.570465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff1e7000	success
1619826880.617465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff183000	success
1619826880.617465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff183000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff165000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff1cf000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff173000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff165000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff183000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff183000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff1b0000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff15c000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff15f000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff1aa000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff15f000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff169000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff16b000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff1b2000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff181000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff15e000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff163000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff15f000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff182000	success
1619826880.633465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff185000	success
1619826880.898465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffb1b000	success
1619826880.898465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffb03000	success
1619826880.898465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffae8000	success
1619826880.898465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffaed000	success
1619826880.898465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffaed000	success
1619826880.898465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffb1b000	success
1619826880.898465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffb1b000	success
1619826880.898465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffae8000	success
1619826880.914465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffb2d000	success
1619826880.914465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffb2d000	success
1619826880.914465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffaed000	success
1619826880.914465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffaf1000	success
1619826880.914465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffafb000	success
1619826880.914465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffafb000	success
1619826880.961465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffae3000	success
1619826880.976465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffb00000	success
1619826880.976465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffaf1000	success
1619826880.976465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffafb000	success
1619826880.976465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffb06000	success
1619826880.976465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffaf1000	success
1619826880.976465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffaf1000	success
1619826880.976465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffafc000	success
1619826880.976465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffafb000	success
1619826880.976465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffaed000	success
1619826880.976465 NtProtectVirtualMemory	process_identifier: 364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feffafc000	success

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.842463722545585

section

{'size_of_data': '0x0002ec00', 'virtual_address': '0x0004e000', 'entropy': 7.842463722545585, 'name': '.rsrc', 'virtual_size': '0x0002ebc8'}

description

A section with a high entropy has been found

entropy

0.4021505376344086

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Ulise.115745
McAfee	Trickbot-FSQP!AA93425497C4
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win64/Mansabo.f49c2f9a
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.497c45
Arcabit	Trojan.Ulise.D1C421
Cyren	W64/Trojan.UGUW-8250
Symantec	Trojan.Gen.MBT
APEX	Malicious
Avast	Win64:Malware-gen
Kaspersky	Trojan.Win32.Mansabo.fno
BitDefender	Gen:Variant.Ulise.115745
NANO-Antivirus	Trojan.Win64.Mansabo.hrrcqv
AegisLab	Trojan.Win32.Mansabo.4!c
Tencent	Malware.Win32.Gencirc.11ac1878
Ad-Aware	Gen:Variant.Ulise.115745
Sophos	Mal/Generic-S
Comodo	Malware@#oxfsfehvve5n
F-Secure	Trojan.TR/Redcap.yyfba
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R011C0WHD20
McAfee-GW-Edition	BehavesLike.Win64.Emotet.gh
FireEye	Generic.mg.aa93425497c45b30
Emsisoft	Gen:Variant.Ulise.115745 (B)
Jiangmin	Trojan.Mansabo.bty
Avira	TR/Redcap.yyfba
Antiy-AVL	Trojan/Win32.Mansabo
Kingsoft	Win32.Troj.Mansabo.f.(kcloud)
Gridinsoft	Trojan.Win64.Kryptik.oa
Microsoft	Trojan:Win64/TrickBot.DB!MTB
ZoneAlarm	Trojan.Win32.Mansabo.fno
GData	Gen:Variant.Ulise.115745
Cynet	Malicious (score: 85)
ALYac	Gen:Variant.Ulise.115745
MAX	malware (ai score=80)
VBA32	Trojan.Mansabo
Malwarebytes	Trojan.TrickBot
ESET-NOD32	a variant of Win64/Kryptik.BZE
TrendMicro-HouseCall	TROJ_GEN.R011C0WHD20
Yandex	Trojan.Kryptik!JPCV8ldC9j8
Ikarus	Trojan.Win64.Crypt
Fortinet	W64/Kryptik.BZE!tr
MaxSecure	Trojan.Malware.74067699.susgen
AVG	Win64:Malware-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-30 17:41:03

Imports

Library KERNEL32.dll:

• 0x430118 RtlLookupFunctionEntry

• 0x430120 RtlUnwindEx

• 0x430128 RaiseException

• 0x430130 RtlPcToFileHeader

• 0x430138 HeapAlloc

• 0x430140 HeapFree

• 0x430148 HeapReAlloc

• 0x430150 GetCommandLineA

• 0x430158 GetProcessHeap

• 0x430160 GetStartupInfoA

• 0x430168 ExitProcess

• 0x430170 HeapSize

• 0x430178 FlsGetValue

• 0x430180 FlsSetValue

• 0x430188 FlsFree

• 0x430190 FlsAlloc

• 0x430198 Sleep

• 0x4301a0 TerminateProcess

• 0x4301a8 UnhandledExceptionFilter

• 0x4301b0 SetUnhandledExceptionFilter

• 0x4301b8 IsDebuggerPresent

• 0x4301c0 RtlCaptureContext

• 0x4301c8 RtlVirtualUnwind

• 0x4301d0 GetStdHandle

• 0x4301d8 HeapCreate

• 0x4301e0 FreeEnvironmentStringsA

• 0x4301e8 GetEnvironmentStrings

• 0x4301f0 FreeEnvironmentStringsW

• 0x4301f8 GetEnvironmentStringsW

• 0x430200 SetHandleCount

• 0x430208 GetFileType

• 0x430210 QueryPerformanceCounter

• 0x430218 GetTickCount

• 0x430220 GetSystemTimeAsFileTime

• 0x430228 GetACP

• 0x430230 GetConsoleCP

• 0x430238 GetConsoleMode

• 0x430240 LCMapStringA

• 0x430248 LCMapStringW

• 0x430250 GetStringTypeA

• 0x430258 GetStringTypeW

• 0x430260 SetStdHandle

• 0x430268 WriteConsoleA

• 0x430270 GetConsoleOutputCP

• 0x430278 WriteConsoleW

• 0x430280 SetErrorMode

• 0x430288 GetOEMCP

• 0x430290 GetCPInfo

• 0x430298 CreateFileA

• 0x4302a0 GetThreadLocale

• 0x4302a8 FlushFileBuffers

• 0x4302b0 SetFilePointer

• 0x4302b8 WriteFile

• 0x4302c0 ReadFile

• 0x4302c8 TlsFree

• 0x4302d0 DeleteCriticalSection

• 0x4302d8 LocalReAlloc

• 0x4302e0 TlsSetValue

• 0x4302e8 GlobalHandle

• 0x4302f0 GlobalReAlloc

• 0x4302f8 TlsAlloc

• 0x430300 InitializeCriticalSection

• 0x430308 EnterCriticalSection

• 0x430310 TlsGetValue

• 0x430318 LeaveCriticalSection

• 0x430320 LocalAlloc

• 0x430328 GlobalFlags

• 0x430330 WritePrivateProfileStringA

• 0x430338 GlobalGetAtomNameA

• 0x430340 GlobalFindAtomA

• 0x430348 lstrcmpW

• 0x430350 GetVersionExA

• 0x430358 GetModuleFileNameW

• 0x430360 FormatMessageA

• 0x430368 LocalFree

• 0x430370 MulDiv

• 0x430378 GlobalUnlock

• 0x430380 GlobalFree

• 0x430388 FreeResource

• 0x430390 GetCurrentProcessId

• 0x430398 SetLastError

• 0x4303a0 GlobalAddAtomA

• 0x4303a8 CloseHandle

• 0x4303b0 GetCurrentThread

• 0x4303b8 GetCurrentThreadId

• 0x4303c0 ConvertDefaultLocale

• 0x4303c8 EnumResourceLanguagesA

• 0x4303d0 GetModuleFileNameA

• 0x4303d8 GetLocaleInfoA

• 0x4303e0 LoadLibraryA

• 0x4303e8 LockResource

• 0x4303f0 GlobalLock

• 0x4303f8 lstrcmpA

• 0x430400 GlobalAlloc

• 0x430408 FreeLibrary

• 0x430410 GlobalDeleteAtom

• 0x430418 GetModuleHandleA

• 0x430420 lstrlenA

• 0x430428 CompareStringA

• 0x430430 GetVersion

• 0x430438 GetLastError

• 0x430440 WideCharToMultiByte

• 0x430448 MultiByteToWideChar

• 0x430450 LoadLibraryExW

• 0x430458 LoadLibraryExA

• 0x430460 GetProcAddress

• 0x430468 FindResourceA

• 0x430470 LoadResource

• 0x430478 SizeofResource

• 0x430480 HeapSetInformation

• 0x430488 GetCurrentProcess

Library USER32.dll:

• 0x4304e8 LoadCursorA

• 0x4304f0 ShowWindow

• 0x4304f8 SetWindowTextA

• 0x430500 IsDialogMessageA

• 0x430508 RegisterWindowMessageA

• 0x430510 SendDlgItemMessageA

• 0x430518 WinHelpA

• 0x430520 GetCapture

• 0x430528 GetClassLongA

• 0x430530 GetClassNameA

• 0x430538 GetClassLongPtrA

• 0x430540 SetPropA

• 0x430548 GetPropA

• 0x430550 RemovePropA

• 0x430558 GetForegroundWindow

• 0x430560 GetTopWindow

• 0x430568 GetWindowLongPtrA

• 0x430570 SetWindowLongPtrA

• 0x430578 GetMessageTime

• 0x430580 GetMessagePos

• 0x430588 MapWindowPoints

• 0x430590 SetForegroundWindow

• 0x430598 GetMenu

• 0x4305a0 CreateWindowExA

• 0x4305a8 GetClassInfoExA

• 0x4305b0 GetClassInfoA

• 0x4305b8 RegisterClassA

• 0x4305c0 CopyRect

• 0x4305c8 PtInRect

• 0x4305d0 GetDlgCtrlID

• 0x4305d8 DefWindowProcA

• 0x4305e0 CallWindowProcA

• 0x4305e8 SetWindowPos

• 0x4305f0 SystemParametersInfoA

• 0x4305f8 GetWindowPlacement

• 0x430600 GetWindowRect

• 0x430608 GetSysColor

• 0x430610 EndPaint

• 0x430618 BeginPaint

• 0x430620 ReleaseDC

• 0x430628 GetDC

• 0x430630 ClientToScreen

• 0x430638 GrayStringA

• 0x430640 DrawTextExA

• 0x430648 DrawTextA

• 0x430650 TabbedTextOutA

• 0x430658 GetWindowTextLengthA

• 0x430660 GetWindowTextA

• 0x430668 GetWindow

• 0x430670 SetFocus

• 0x430678 UnhookWindowsHookEx

• 0x430680 DrawIcon

• 0x430688 SendMessageA

• 0x430690 IsIconic

• 0x430698 GetClientRect

• 0x4306a0 LoadIconA

• 0x4306a8 GetSystemMetrics

• 0x4306b0 GetMenuItemID

• 0x4306b8 GetMenuItemCount

• 0x4306c0 GetSubMenu

• 0x4306c8 GetDesktopWindow

• 0x4306d0 SetActiveWindow

• 0x4306d8 CreateDialogIndirectParamA

• 0x4306e0 DestroyWindow

• 0x4306e8 IsWindow

• 0x4306f0 GetDlgItem

• 0x4306f8 GetNextDlgTabItem

• 0x430700 EndDialog

• 0x430708 GetWindowThreadProcessId

• 0x430710 DestroyMenu

• 0x430718 UnregisterClassA

• 0x430720 GetSysColorBrush

• 0x430728 UpdateWindow

• 0x430730 EnableWindow

• 0x430738 PostQuitMessage

• 0x430740 PostMessageA

• 0x430748 CheckMenuItem

• 0x430750 EnableMenuItem

• 0x430758 GetMenuState

• 0x430760 ModifyMenuA

• 0x430768 GetParent

• 0x430770 GetFocus

• 0x430778 LoadBitmapA

• 0x430780 GetMenuCheckMarkDimensions

• 0x430788 SetMenuItemBitmaps

• 0x430790 ValidateRect

• 0x430798 GetCursorPos

• 0x4307a0 PeekMessageA

• 0x4307a8 GetKeyState

• 0x4307b0 IsWindowVisible

• 0x4307b8 GetWindowLongA

• 0x4307c0 GetLastActivePopup

• 0x4307c8 IsWindowEnabled

• 0x4307d0 MessageBoxA

• 0x4307d8 SetCursor

• 0x4307e0 SetWindowsHookExA

• 0x4307e8 CallNextHookEx

• 0x4307f0 GetMessageA

• 0x4307f8 TranslateMessage

• 0x430800 DispatchMessageA

• 0x430808 GetActiveWindow

• 0x430810 AdjustWindowRectEx

Library GDI32.dll:

• 0x430050 DeleteDC

• 0x430058 GetStockObject

• 0x430060 ScaleWindowExtEx

• 0x430068 SetWindowExtEx

• 0x430070 RectVisible

• 0x430078 ScaleViewportExtEx

• 0x430080 SetViewportExtEx

• 0x430088 OffsetViewportOrgEx

• 0x430090 SetViewportOrgEx

• 0x430098 SelectObject

• 0x4300a0 Escape

• 0x4300a8 ExtTextOutA

• 0x4300b0 CreateBitmap

• 0x4300b8 PtVisible

• 0x4300c0 GetObjectA

• 0x4300c8 DeleteObject

• 0x4300d0 GetClipBox

• 0x4300d8 SetMapMode

• 0x4300e0 SetTextColor

• 0x4300e8 SetBkColor

• 0x4300f0 RestoreDC

• 0x4300f8 SaveDC

• 0x430100 GetDeviceCaps

• 0x430108 TextOutA

Library WINSPOOL.DRV:

• 0x430820 ClosePrinter

• 0x430828 DocumentPropertiesA

• 0x430830 OpenPrinterA

Library ADVAPI32.dll:

• 0x430000 RegSetValueExA

• 0x430008 RegCreateKeyExA

• 0x430010 RegQueryValueA

• 0x430018 RegOpenKeyA

• 0x430020 RegEnumKeyA

• 0x430028 RegDeleteKeyA

• 0x430030 RegOpenKeyExA

• 0x430038 RegQueryValueExA

• 0x430040 RegCloseKey

Library SHLWAPI.dll:

• 0x4304d0 PathFindFileNameA

• 0x4304d8 PathFindExtensionA

Library ole32.dll:

• 0x430840 CLSIDFromString

• 0x430848 CLSIDFromProgID

• 0x430850 CoCreateInstance

• 0x430858 OleRun

• 0x430860 CoInitialize

Library OLEAUT32.dll:

• 0x430498 VariantChangeType

• 0x4304a0 SysFreeString

• 0x4304a8 SysStringLen

• 0x4304b0 VariantClear

• 0x4304b8 SysAllocString

• 0x4304c0 VariantInit

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49238	239.255.255.250	1900
192.168.56.101	50003	239.255.255.250	3702
192.168.56.101	53658	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	53657	8.8.8.8	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.