12.6
0-day

b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4

b95219bcaa42d45a467dddb752dde333.exe

Analysis duration

33s

Last analysis

File size

505.0KB
Static detection  Dynamic detection  AGEN AI SCORE=83 AIDETECTVM ATTRIBUTE CLASSIC CONFIDENCE DELPHILESS ELUM ELZG FAREIT FG0@AUBBVIMI GENETIC GGPR HIGH CONFIDENCE HIGHCONFIDENCE HLGHGV KRYPTIK LOKIBOT MALWARE2 MALWARE@#PSIT1ED66830 NANOCORE PFSS R + MAL R066C0DIK20 RATX SCORE SIMDA STATIC AI SUSGEN SUSPICIOUS PE UNSAFE WACATAC X2059 ZELPHIF ZUSY
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee Fareit-FSK!B95219BCAA42 20201228 6.0.6.653
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:RATX-gen [Trj] 20201228 21.1.5827.0
Alibaba Trojan:Win32/Nanocore.f92cc055 20190527 0.3.0.5
Tencent Win32.Trojan.Kryptik.Pfss 20201228 1.0.0.1
Kingsoft 20201228 2017.9.26.565
Static indicators
Command line console output was observed (50 out of 522 events)
Time & API Arguments Status Return Repeated
1619879539.330375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619879539.330375
WriteConsoleW
buffer: del
console_handle: 0x00000007
success 1 0
1619879539.330375
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
console_handle: 0x00000007
success 1 0
1619879539.439375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe
console_handle: 0x00000007
success 1 0
1619879539.455375
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619879539.471375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619879539.471375
WriteConsoleW
buffer: if
console_handle: 0x00000007
success 1 0
1619879539.471375
WriteConsoleW
buffer: exist "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
console_handle: 0x00000007
success 1 0
1619879539.486375
WriteConsoleW
buffer: goto
console_handle: 0x00000007
success 1 0
1619879539.486375
WriteConsoleW
buffer: ktk
console_handle: 0x00000007
success 1 0
1619879539.502375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619879539.502375
WriteConsoleW
buffer: del
console_handle: 0x00000007
success 1 0
1619879539.502375
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
console_handle: 0x00000007
success 1 0
1619879539.533375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe
console_handle: 0x00000007
success 1 0
1619879539.533375
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619879539.549375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619879539.549375
WriteConsoleW
buffer: if
console_handle: 0x00000007
success 1 0
1619879539.549375
WriteConsoleW
buffer: exist "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
console_handle: 0x00000007
success 1 0
1619879539.549375
WriteConsoleW
buffer: goto
console_handle: 0x00000007
success 1 0
1619879539.549375
WriteConsoleW
buffer: ktk
console_handle: 0x00000007
success 1 0
1619879539.549375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619879539.549375
WriteConsoleW
buffer: del
console_handle: 0x00000007
success 1 0
1619879539.549375
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
console_handle: 0x00000007
success 1 0
1619879539.596375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe
console_handle: 0x00000007
success 1 0
1619879539.596375
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619879539.611375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619879539.611375
WriteConsoleW
buffer: if
console_handle: 0x00000007
success 1 0
1619879539.611375
WriteConsoleW
buffer: exist "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
console_handle: 0x00000007
success 1 0
1619879539.611375
WriteConsoleW
buffer: goto
console_handle: 0x00000007
success 1 0
1619879539.627375
WriteConsoleW
buffer: ktk
console_handle: 0x00000007
success 1 0
1619879539.643375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619879539.643375
WriteConsoleW
buffer: del
console_handle: 0x00000007
success 1 0
1619879539.643375
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
console_handle: 0x00000007
success 1 0
1619879539.689375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe
console_handle: 0x00000007
success 1 0
1619879539.689375
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619879539.689375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619879539.689375
WriteConsoleW
buffer: if
console_handle: 0x00000007
success 1 0
1619879539.689375
WriteConsoleW
buffer: exist "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
console_handle: 0x00000007
success 1 0
1619879539.689375
WriteConsoleW
buffer: goto
console_handle: 0x00000007
success 1 0
1619879539.689375
WriteConsoleW
buffer: ktk
console_handle: 0x00000007
success 1 0
1619879539.721375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619879539.721375
WriteConsoleW
buffer: del
console_handle: 0x00000007
success 1 0
1619879539.736375
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
console_handle: 0x00000007
success 1 0
1619879539.783375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe
console_handle: 0x00000007
success 1 0
1619879539.783375
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619879539.799375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619879539.799375
WriteConsoleW
buffer: if
console_handle: 0x00000007
success 1 0
1619879539.799375
WriteConsoleW
buffer: exist "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
console_handle: 0x00000007
success 1 0
1619879539.799375
WriteConsoleW
buffer: goto
console_handle: 0x00000007
success 1 0
1619879539.799375
WriteConsoleW
buffer: ktk
console_handle: 0x00000007
success 1 0
Tries to locate where the browsers are installed (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619861118.600474
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34733888
registers.edi: 0
registers.eax: 0
registers.ebp: 34733960
registers.edx: 5
registers.ebx: 0
registers.esi: 0
registers.ecx: 551
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 51 e9 7f 4b fb
exception.symbol: b95219bcaa42d45a467dddb752dde333+0x4e9e8
exception.instruction: div eax
exception.module: b95219bcaa42d45a467dddb752dde333.exe
exception.exception_code: 0xc0000094
exception.offset: 322024
exception.address: 0x44e9e8
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1619861118.428474
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619861118.600474
NtAllocateVirtualMemory
process_identifier: 472
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00840000
success 0 0
1619861118.647474
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f50000
success 0 0
Steals private information from local Internet browsers (5 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data
registry HKEY_CURRENT_USER\Software\Opera Software
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\34899140.bat
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\34899140.bat
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619879538.955
ShellExecuteExW
parameters: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\34899140.bat
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\34899140.bat
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
entropy 7.7291149922072915 section {'size_of_data': '0x00009400', 'virtual_address': '0x0004f000', 'entropy': 7.7291149922072915, 'name': 'DATA', 'virtual_size': '0x000092d8'} description A section with a high entropy has been found
entropy 7.340351277076309 section {'size_of_data': '0x0001f200', 'virtual_address': '0x00064000', 'entropy': 7.340351277076309, 'name': '.rsrc', 'virtual_size': '0x0001f14c'} description A section with a high entropy has been found
entropy 0.32043650793650796 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (20 events)
Time & API Arguments Status Return Repeated
1619879530.252
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1619879530.252
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1619879530.252
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619879530.252
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1619879530.252
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
1619879538.205
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1619879538.205
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1619879538.205
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619879538.205
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1619879538.205
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
1619879538.502
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1619879538.502
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1619879538.502
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619879538.502
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1619879538.502
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
1619879538.783
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1619879538.783
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1619879538.783
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619879538.783
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1619879538.783
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
Queries for potentially installed applications (36 events)
Time & API Arguments Status Return Repeated
1619879530.268
RegOpenKeyExA
access: 0x02000000
base_handle: 0x80000002
key_handle: 0x00000134
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
options: 0
success 0 0
1619879530.268
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
options: 0
success 0 0
1619879530.283
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
options: 0
success 0 0
1619879530.283
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
options: 0
success 0 0
1619879530.283
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
options: 0
success 0 0
1619879530.283
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
options: 0
success 0 0
1619879530.299
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
options: 0
success 0 0
1619879530.299
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
options: 0
success 0 0
1619879530.299
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
options: 0
success 0 0
1619879530.299
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
options: 0
success 0 0
1619879530.299
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
options: 0
success 0 0
1619879530.299
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
options: 0
success 0 0
1619879530.299
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
options: 0
success 0 0
1619879530.299
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
options: 0
success 0 0
1619879530.299
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
options: 0
success 0 0
1619879530.299
RegOpenKeyExA
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
options: 0
success 0 0
1619879530.299
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000138
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
options: 0
success 0 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\34899140.bat "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe
Harvests credentials from local FTP client software (50 out of 120 events)
file C:\Program Files (x86)\CuteFTP\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\CuteFTP\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\CuteFTP\sm.dat
file C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
file C:\ProgramData\CuteFTP\sm.dat
file C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
file C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
file C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
file C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
file C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\3\History.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\3\History.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\4\Sites.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\4\Sites.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\4\History.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\4\Quick.dat
file C:\ProgramData\FlashFXP\3\History.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\4\Quick.dat
file C:\ProgramData\FlashFXP\4\History.dat
file C:\ProgramData\FlashFXP\3\Sites.dat
file C:\ProgramData\FlashFXP\4\Quick.dat
file C:\ProgramData\FlashFXP\4\Sites.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\3\Sites.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\3\Quick.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\3\Quick.dat
file C:\ProgramData\FlashFXP\3\Quick.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\3\Sites.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\4\History.dat
file C:\ProgramData\GHISLER\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Local\GHISLER\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
file C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
file C:\Users\Administrator.Oskar-PC\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
file C:\Users\Administrator.Oskar-PC\AppData\Local\CoffeeCup Software\SharedSettings.ccs
file C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
file C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
file C:\Users\Administrator.Oskar-PC\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
Collects information about installed applications (1 event)
Time & API Arguments Status Return Repeated
1619879530.268
RegQueryValueExA
key_handle: 0x00000138
value: Google Chrome
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
success 0 0
Harvests credentials from local email clients (7 events)
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Salt
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry HKEY_LOCAL_MACHINE\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Poco Systems Inc
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 472 called NtSetContextThread to modify thread in remote process 2136
Time & API Arguments Status Return Repeated
1619861118.788474
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4260331
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2136
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 472 resumed a thread in remote process 2136
Time & API Arguments Status Return Repeated
1619861120.147474
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2136
success 0 0
Generates some ICMP traffic
Executed a process and injected code into it, probably while unpacking (7 events)
Time & API Arguments Status Return Repeated
1619861118.772474
CreateProcessInternalW
thread_identifier: 2364
thread_handle: 0x000000ec
process_identifier: 2136
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000f0
inherit_handles: 0
success 1 0
1619861118.772474
NtUnmapViewOfSection
process_identifier: 2136
region_size: 4096
process_handle: 0x000000f0
base_address: 0x00400000
success 0 0
1619861118.772474
NtMapViewOfSection
section_handle: 0x000000f8
process_identifier: 2136
commit_size: 102400
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000f0
allocation_type: 0 ()
section_offset: 0
view_size: 102400
base_address: 0x00400000
success 0 0
1619861118.788474
NtGetContextThread
thread_handle: 0x000000ec
success 0 0
1619861118.788474
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4260331
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2136
success 0 0
1619861120.147474
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2136
success 0 0
1619879538.955
CreateProcessInternalW
thread_identifier: 2316
thread_handle: 0x000002a0
process_identifier: 2528
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\34899140.bat" "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95219bcaa42d45a467dddb752dde333.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002f8
inherit_handles: 0
success 1 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.302971
FireEye Generic.mg.b95219bcaa42d45a
McAfee Fareit-FSK!B95219BCAA42
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 005685ec1 )
BitDefender Gen:Variant.Zusy.302971
K7GW Trojan ( 005685ec1 )
CrowdStrike win/malicious_confidence_80% (W)
Cyren W32/Trojan.GGPR-4124
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:RATX-gen [Trj]
ClamAV Win.Dropper.LokiBot-7768036-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
Alibaba Trojan:Win32/Nanocore.f92cc055
NANO-Antivirus Trojan.Win32.Nanocore.hlghgv
AegisLab Trojan.Win32.Kryptik.4!c
Tencent Win32.Trojan.Kryptik.Pfss
Ad-Aware Gen:Variant.Zusy.302971
Emsisoft Gen:Variant.Zusy.302971 (B)
Comodo Malware@#psit1ed66830
F-Secure Heuristic.HEUR/AGEN.1136310
DrWeb Trojan.Nanocore.23
VIPRE Trojan.Win32.Simda.ba (v)
TrendMicro TROJ_GEN.R066C0DIK20
McAfee-GW-Edition BehavesLike.Win32.Fareit.hc
Sophos Mal/Generic-R + Mal/Fareit-AA
SentinelOne Static AI - Suspicious PE
GData Gen:Variant.Zusy.302971
Jiangmin Trojan.Kryptik.arf
Avira HEUR/AGEN.1136310
Antiy-AVL Trojan/Win32.Wacatac
Arcabit Trojan.Zusy.D49F7B
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
Microsoft Trojan:Win32/Nanocore.B!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2059
BitDefenderTheta Gen:NN.ZelphiF.34700.FG0@aubbVImi
ALYac Gen:Variant.Zusy.302971
MAX malware (ai score=83)
VBA32 Trojan.Kryptik
Malwarebytes Trojan.MalPack
Panda Trj/Genetic.gen
Zoner Trojan.Win32.91688
ESET-NOD32 a variant of Win32/Injector.ELUM
TrendMicro-HouseCall TROJ_GEN.R066C0DIK20
Rising Trojan.Kryptik!1.C625 (CLASSIC)
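To make the disagreement in the list above measurable, the following Python (an added example, not part of the report) tokenizes an abridged copy of the engine labels into family names versus packer and heuristic names and counts each. The token lists are assumptions chosen for this example.

```python
from collections import Counter

# Abridged copy of the engine results in this report.
DETECTIONS = """
Bkav W32.AIDetectVM.malware2
MicroWorld-eScan Gen:Variant.Zusy.302971
McAfee Fareit-FSK!B95219BCAA42
ClamAV Win.Dropper.LokiBot-7768036-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
Alibaba Trojan:Win32/Nanocore.f92cc055
NANO-Antivirus Trojan.Win32.Nanocore.hlghgv
DrWeb Trojan.Nanocore.23
VIPRE Trojan.Win32.Simda.ba (v)
McAfee-GW-Edition BehavesLike.Win32.Fareit.hc
Sophos Mal/Generic-R + Mal/Fareit-AA
Microsoft Trojan:Win32/Nanocore.B!MTB
ESET-NOD32 a variant of Win32/Injector.ELUM
Malwarebytes Trojan.MalPack
Antiy-AVL Trojan/Win32.Wacatac
SentinelOne Static AI - Suspicious PE
"""

# Tokens that name a malware family versus tokens that only describe a packer,
# a heuristic or a machine-learning verdict. Both lists are assumptions.
FAMILY_TOKENS = {"nanocore": "NanoCore", "lokibot": "LokiBot",
                 "fareit": "Fareit", "simda": "Simda"}
GENERIC_TOKENS = ("zusy", "kryptik", "injector", "malpack", "wacatac",
                  "aidetectvm", "heur", "generic", "static ai")


def split_vendor(line: str):
    """Vendor is the first whitespace-delimited token, the label is the rest."""
    vendor, _, label = line.partition(" ")
    return vendor, label


def tally(text: str) -> dict:
    """Count family votes and generic verdicts; a family token wins over a generic one."""
    families, generic, unclassified = Counter(), Counter(), []
    for line in text.strip().splitlines():
        vendor, label = split_vendor(line)
        low = label.lower()
        fam = next((name for tok, name in FAMILY_TOKENS.items() if tok in low), None)
        if fam:
            families[fam] += 1
            continue
        gen = next((tok for tok in GENERIC_TOKENS if tok in low), None)
        if gen:
            generic[gen] += 1
        else:
            unclassified.append(vendor)
    return {"families": dict(families), "generic": dict(generic),
            "unclassified": unclassified,
            "family_consensus": len(families) <= 1}


if __name__ == "__main__":
    print(tally(DETECTIONS))
```

On the abridged list this yields four family names with no majority and as many generic verdicts as family votes, which is the point: a VirusTotal label set like this one supports "packed injector" with confidence and "NanoCore" only as the leading guess.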
Visual analysis
Binary image
No binary image: the sample did not produce a binary visualization image.
Run screenshots
No screenshots: none were captured while the sample ran.


PE Compile Time

1992-06-20 06:22:17 (UTC+8 display; TimeDateStamp 0x2A425E19 = 1992-06-19 22:22:17 UTC). This is the constant stamp that the Delphi 4 through Delphi 2006 linker writes into every binary it produces, not a build date, so it says nothing about when the sample was built. It is consistent with the Delphi runtime import table below.

Imports

The table below is the static import directory. It is the Delphi RTL/VCL's (GetKeyboardType, SysAllocStringLen/SysReAllocStringLen, TlsSetValue/TlsGetValue, GlobalAddAtomA, UnrealizeObject, the SafeArray/Variant set; the repeated kernel32 and advapi32 blocks are one descriptor per Delphi unit). None of the process-creation or thread-context APIs recorded at runtime above appears here, so that path is resolved at runtime, through the imported GetProcAddress/LoadLibraryA or by a decrypted stage with its own loader, rather than statically linked.

Library kernel32.dll:
0x45a128 VirtualFree
0x45a12c VirtualAlloc
0x45a130 LocalFree
0x45a134 LocalAlloc
0x45a138 GetVersion
0x45a13c GetCurrentThreadId
0x45a148 VirtualQuery
0x45a14c WideCharToMultiByte
0x45a150 MultiByteToWideChar
0x45a154 lstrlenA
0x45a158 lstrcpynA
0x45a15c LoadLibraryExA
0x45a160 GetThreadLocale
0x45a164 GetStartupInfoA
0x45a168 GetProcAddress
0x45a16c GetModuleHandleA
0x45a170 GetModuleFileNameA
0x45a174 GetLocaleInfoA
0x45a178 GetCommandLineA
0x45a17c FreeLibrary
0x45a180 FindFirstFileA
0x45a184 FindClose
0x45a188 ExitProcess
0x45a18c WriteFile
0x45a194 RtlUnwind
0x45a198 RaiseException
0x45a19c GetStdHandle
Library user32.dll:
0x45a1a4 GetKeyboardType
0x45a1a8 LoadStringA
0x45a1ac MessageBoxA
0x45a1b0 CharNextA
Library advapi32.dll:
0x45a1b8 RegQueryValueExA
0x45a1bc RegOpenKeyExA
0x45a1c0 RegCloseKey
Library oleaut32.dll:
0x45a1c8 SysFreeString
0x45a1cc SysReAllocStringLen
0x45a1d0 SysAllocStringLen
Library kernel32.dll:
0x45a1d8 TlsSetValue
0x45a1dc TlsGetValue
0x45a1e0 LocalAlloc
0x45a1e4 GetModuleHandleA
Library advapi32.dll:
0x45a1ec RegQueryValueExA
0x45a1f0 RegOpenKeyExA
0x45a1f4 RegCloseKey
Library kernel32.dll:
0x45a1fc lstrcpyA
0x45a200 WriteFile
0x45a208 WaitForSingleObject
0x45a20c VirtualQuery
0x45a210 VirtualAlloc
0x45a214 Sleep
0x45a218 SizeofResource
0x45a21c SetThreadLocale
0x45a220 SetFilePointer
0x45a224 SetEvent
0x45a228 SetErrorMode
0x45a22c SetEndOfFile
0x45a230 ResetEvent
0x45a234 ReadFile
0x45a238 MulDiv
0x45a23c LockResource
0x45a240 LoadResource
0x45a244 LoadLibraryA
0x45a250 GlobalUnlock
0x45a254 GlobalReAlloc
0x45a258 GlobalHandle
0x45a25c GlobalLock
0x45a260 GlobalFree
0x45a264 GlobalFindAtomA
0x45a268 GlobalDeleteAtom
0x45a26c GlobalAlloc
0x45a270 GlobalAddAtomA
0x45a274 GetVersionExA
0x45a278 GetVersion
0x45a27c GetTickCount
0x45a280 GetThreadLocale
0x45a288 GetSystemTime
0x45a28c GetSystemInfo
0x45a290 GetStringTypeExA
0x45a294 GetStdHandle
0x45a298 GetProcAddress
0x45a29c GetModuleHandleA
0x45a2a0 GetModuleFileNameA
0x45a2a4 GetLocaleInfoA
0x45a2a8 GetLocalTime
0x45a2ac GetLastError
0x45a2b0 GetFullPathNameA
0x45a2b4 GetDiskFreeSpaceA
0x45a2b8 GetDateFormatA
0x45a2bc GetCurrentThreadId
0x45a2c0 GetCurrentProcessId
0x45a2c4 GetCPInfo
0x45a2c8 GetACP
0x45a2cc FreeResource
0x45a2d0 InterlockedExchange
0x45a2d4 FreeLibrary
0x45a2d8 FormatMessageA
0x45a2dc FindResourceA
0x45a2e4 ExitThread
0x45a2e8 ExitProcess
0x45a2ec EnumCalendarInfoA
0x45a2f8 CreateThread
0x45a2fc CreateFileA
0x45a300 CreateEventA
0x45a304 CompareStringA
0x45a308 CloseHandle
Library version.dll:
0x45a310 VerQueryValueA
0x45a318 GetFileVersionInfoA
Library gdi32.dll:
0x45a320 UnrealizeObject
0x45a324 StretchBlt
0x45a328 SetWindowOrgEx
0x45a32c SetViewportOrgEx
0x45a330 SetTextColor
0x45a334 SetStretchBltMode
0x45a338 SetROP2
0x45a33c SetPixel
0x45a340 SetDIBColorTable
0x45a344 SetBrushOrgEx
0x45a348 SetBkMode
0x45a34c SetBkColor
0x45a350 SelectPalette
0x45a354 SelectObject
0x45a358 SaveDC
0x45a35c RestoreDC
0x45a360 Rectangle
0x45a364 RectVisible
0x45a368 RealizePalette
0x45a36c PatBlt
0x45a370 MoveToEx
0x45a374 MaskBlt
0x45a378 LineTo
0x45a37c IntersectClipRect
0x45a380 GetWindowOrgEx
0x45a384 GetTextMetricsA
0x45a390 GetStockObject
0x45a394 GetPixel
0x45a398 GetPaletteEntries
0x45a39c GetObjectA
0x45a3a0 GetDeviceCaps
0x45a3a4 GetDIBits
0x45a3a8 GetDIBColorTable
0x45a3ac GetDCOrgEx
0x45a3b4 GetClipBox
0x45a3b8 GetBrushOrgEx
0x45a3bc GetBitmapBits
0x45a3c0 ExcludeClipRect
0x45a3c4 DeleteObject
0x45a3c8 DeleteDC
0x45a3cc CreateSolidBrush
0x45a3d0 CreatePenIndirect
0x45a3d4 CreatePalette
0x45a3dc CreateFontIndirectA
0x45a3e0 CreateDIBitmap
0x45a3e4 CreateDIBSection
0x45a3e8 CreateCompatibleDC
0x45a3f0 CreateBrushIndirect
0x45a3f4 CreateBitmap
0x45a3f8 BitBlt
Library user32.dll:
0x45a400 CreateWindowExA
0x45a404 WindowFromPoint
0x45a408 WinHelpA
0x45a40c WaitMessage
0x45a410 UpdateWindow
0x45a414 UnregisterClassA
0x45a418 UnhookWindowsHookEx
0x45a41c TranslateMessage
0x45a424 TrackPopupMenu
0x45a42c ShowWindow
0x45a430 ShowScrollBar
0x45a434 ShowOwnedPopups
0x45a438 ShowCursor
0x45a43c SetWindowsHookExA
0x45a440 SetWindowPos
0x45a444 SetWindowPlacement
0x45a448 SetWindowLongA
0x45a44c SetTimer
0x45a450 SetScrollRange
0x45a454 SetScrollPos
0x45a458 SetScrollInfo
0x45a45c SetRect
0x45a460 SetPropA
0x45a464 SetParent
0x45a468 SetMenuItemInfoA
0x45a46c SetMenu
0x45a470 SetForegroundWindow
0x45a474 SetFocus
0x45a478 SetCursor
0x45a47c SetClassLongA
0x45a480 SetCapture
0x45a484 SetActiveWindow
0x45a488 SendMessageA
0x45a48c ScrollWindow
0x45a490 ScreenToClient
0x45a494 RemovePropA
0x45a498 RemoveMenu
0x45a49c ReleaseDC
0x45a4a0 ReleaseCapture
0x45a4ac RegisterClassA
0x45a4b0 RedrawWindow
0x45a4b4 PtInRect
0x45a4b8 PostQuitMessage
0x45a4bc PostMessageA
0x45a4c0 PeekMessageA
0x45a4c4 OffsetRect
0x45a4c8 OemToCharA
0x45a4cc MessageBoxA
0x45a4d0 MapWindowPoints
0x45a4d4 MapVirtualKeyA
0x45a4d8 LoadStringA
0x45a4dc LoadKeyboardLayoutA
0x45a4e0 LoadIconA
0x45a4e4 LoadCursorA
0x45a4e8 LoadBitmapA
0x45a4ec KillTimer
0x45a4f0 IsZoomed
0x45a4f4 IsWindowVisible
0x45a4f8 IsWindowEnabled
0x45a4fc IsWindow
0x45a500 IsRectEmpty
0x45a504 IsIconic
0x45a508 IsDialogMessageA
0x45a50c IsChild
0x45a510 InvalidateRect
0x45a514 IntersectRect
0x45a518 InsertMenuItemA
0x45a51c InsertMenuA
0x45a520 InflateRect
0x45a528 GetWindowTextA
0x45a52c GetWindowRect
0x45a530 GetWindowPlacement
0x45a534 GetWindowLongA
0x45a538 GetWindowDC
0x45a53c GetTopWindow
0x45a540 GetSystemMetrics
0x45a544 GetSystemMenu
0x45a548 GetSysColorBrush
0x45a54c GetSysColor
0x45a550 GetSubMenu
0x45a554 GetScrollRange
0x45a558 GetScrollPos
0x45a55c GetScrollInfo
0x45a560 GetPropA
0x45a564 GetParent
0x45a568 GetWindow
0x45a56c GetMenuStringA
0x45a570 GetMenuState
0x45a574 GetMenuItemInfoA
0x45a578 GetMenuItemID
0x45a57c GetMenuItemCount
0x45a580 GetMenu
0x45a584 GetLastActivePopup
0x45a588 GetKeyboardState
0x45a590 GetKeyboardLayout
0x45a594 GetKeyState
0x45a598 GetKeyNameTextA
0x45a59c GetIconInfo
0x45a5a0 GetForegroundWindow
0x45a5a4 GetFocus
0x45a5a8 GetDesktopWindow
0x45a5ac GetDCEx
0x45a5b0 GetDC
0x45a5b4 GetCursorPos
0x45a5b8 GetCursor
0x45a5bc GetClientRect
0x45a5c0 GetClassNameA
0x45a5c4 GetClassInfoA
0x45a5c8 GetCapture
0x45a5cc GetActiveWindow
0x45a5d0 FrameRect
0x45a5d4 FindWindowA
0x45a5d8 FillRect
0x45a5dc EqualRect
0x45a5e0 EnumWindows
0x45a5e4 EnumThreadWindows
0x45a5e8 EndPaint
0x45a5ec EnableWindow
0x45a5f0 EnableScrollBar
0x45a5f4 EnableMenuItem
0x45a5f8 DrawTextA
0x45a5fc DrawMenuBar
0x45a600 DrawIconEx
0x45a604 DrawIcon
0x45a608 DrawFrameControl
0x45a60c DrawEdge
0x45a610 DispatchMessageA
0x45a614 DestroyWindow
0x45a618 DestroyMenu
0x45a61c DestroyIcon
0x45a620 DestroyCursor
0x45a624 DeleteMenu
0x45a628 DefWindowProcA
0x45a62c DefMDIChildProcA
0x45a630 DefFrameProcA
0x45a634 CreatePopupMenu
0x45a638 CreateMenu
0x45a63c CreateIcon
0x45a640 ClientToScreen
0x45a644 CheckMenuItem
0x45a648 CallWindowProcA
0x45a64c CallNextHookEx
0x45a650 BeginPaint
0x45a654 CharNextA
0x45a658 CharLowerA
0x45a65c CharToOemA
0x45a660 AdjustWindowRectEx
Library kernel32.dll:
0x45a66c Sleep
Library oleaut32.dll:
0x45a674 SafeArrayPtrOfIndex
0x45a678 SafeArrayGetUBound
0x45a67c SafeArrayGetLBound
0x45a680 SafeArrayCreate
0x45a684 VariantChangeType
0x45a688 VariantCopy
0x45a68c VariantClear
0x45a690 VariantInit
Library comctl32.dll:
0x45a6a0 ImageList_Write
0x45a6a4 ImageList_Read
0x45a6b4 ImageList_DragMove
0x45a6b8 ImageList_DragLeave
0x45a6bc ImageList_DragEnter
0x45a6c0 ImageList_EndDrag
0x45a6c4 ImageList_BeginDrag
0x45a6c8 ImageList_Remove
0x45a6cc ImageList_DrawEx
0x45a6d0 ImageList_Draw
0x45a6e0 ImageList_Add
0x45a6e8 ImageList_Destroy
0x45a6ec ImageList_Create
0x45a6f0 InitCommonControls
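For the compile-time stamp above and this import table together, the following Python is an added example (not from the report): it reads TimeDateStamp from a PE header, renders it in UTC and in the sandbox's UTC+8 display zone, recognises the Delphi constant, and scores the import table for Delphi RTL markers while checking that no process-injection API is statically imported. The marker list, the injection-API list and the minimal constructed PE header are assumptions for this example; the import set is an abridged copy of the table above.

```python
import struct
from datetime import datetime, timedelta, timezone

# Stamp written by the Delphi 4..2006 linker into every binary it produces.
DELPHI_TIMESTAMP = 0x2A425E19  # 1992-06-19 22:22:17 UTC

# Imports characteristic of the Delphi RTL/VCL and, separately, the APIs a
# statically linked injector would have to import. Both sets are assumptions.
DELPHI_RTL_MARKERS = {"GetKeyboardType", "SysAllocStringLen", "SysReAllocStringLen",
                      "TlsSetValue", "TlsGetValue", "GlobalAddAtomA", "UnrealizeObject",
                      "RtlUnwind", "SetThreadLocale"}
INJECTION_APIS = {"CreateProcessA", "CreateProcessW", "NtUnmapViewOfSection",
                  "WriteProcessMemory", "VirtualAllocEx", "SetThreadContext",
                  "NtSetContextThread", "ResumeThread", "NtResumeThread",
                  "CreateRemoteThread"}

# Abridged copy of the import table in this report.
STATIC_IMPORTS = {
    "kernel32.dll": {"VirtualAlloc", "VirtualFree", "LoadLibraryA", "LoadLibraryExA",
                     "GetProcAddress", "GetModuleHandleA", "TlsSetValue", "TlsGetValue",
                     "RtlUnwind", "RaiseException", "GetThreadLocale", "SetThreadLocale",
                     "GlobalAddAtomA", "GlobalFindAtomA", "CreateThread", "WriteFile"},
    "user32.dll": {"GetKeyboardType", "MessageBoxA", "SetWindowsHookExA",
                   "CallNextHookEx", "FindWindowA", "EnumWindows"},
    "oleaut32.dll": {"SysAllocStringLen", "SysReAllocStringLen", "SysFreeString"},
    "advapi32.dll": {"RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"},
    "gdi32.dll": {"UnrealizeObject", "BitBlt", "CreateDIBSection"},
    "comctl32.dll": {"ImageList_Create", "InitCommonControls"},
}


def read_timestamp(pe: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from raw PE bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def describe_timestamp(ts: int, display_offset_hours: int = 8) -> dict:
    """Render the stamp in UTC and in the sandbox's display zone (UTC+8 assumed)."""
    utc = datetime.fromtimestamp(ts, tz=timezone.utc)
    local = utc.astimezone(timezone(timedelta(hours=display_offset_hours)))
    return {"utc": utc.strftime("%Y-%m-%d %H:%M:%S"),
            "local": local.strftime("%Y-%m-%d %H:%M:%S"),
            "delphi_constant": ts == DELPHI_TIMESTAMP}


def assess_imports(imports: dict) -> dict:
    """Score Delphi markers and check whether injection APIs are statically linked."""
    flat = set().union(*imports.values())
    markers = sorted(DELPHI_RTL_MARKERS & flat)
    return {"delphi_markers": markers,
            "looks_delphi": len(markers) >= 4,
            "static_injection_apis": sorted(INJECTION_APIS & flat),
            "can_resolve_at_runtime": {"GetProcAddress", "LoadLibraryA"} <= flat}


def build_minimal_pe(ts: int) -> bytes:
    """Constructed DOS header + PE signature + COFF header, enough for read_timestamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    ts = read_timestamp(build_minimal_pe(DELPHI_TIMESTAMP))
    print(describe_timestamp(ts))
    print(assess_imports(STATIC_IMPORTS))
```

On a real file, replace build_minimal_pe with the bytes read from disk; the header parsing is the same. A hit on the Delphi constant combined with a high marker count and an empty static_injection_apis list is the profile of a Delphi crypter whose real work happens in code it unpacks at runtime.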

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination                      Destination port
192.168.56.101  49235        114.114.114.114                  53
192.168.56.101  50534        114.114.114.114                  53
192.168.56.101  56539        114.114.114.114                  53
192.168.56.101  58367        114.114.114.114                  53
192.168.56.101  65004        114.114.114.114                  53
192.168.56.101  137          192.168.56.255                   137
192.168.56.101  138          192.168.56.255                   138
192.168.56.101  123          20.189.79.72 (time.windows.com)  123
192.168.56.101  55368        224.0.0.252                      5355
192.168.56.101  56804        224.0.0.252                      5355
192.168.56.101  60123        224.0.0.252                      5355
192.168.56.101  62191        224.0.0.252                      5355
192.168.56.101  1900         239.255.255.250                  1900
192.168.56.101  56540        239.255.255.250                  3702
192.168.56.101  56807        239.255.255.250                  1900
192.168.56.101  58368        239.255.255.250                  3702
192.168.56.101  58370        239.255.255.250                  3702
192.168.56.101  58707        239.255.255.250                  3702

Everything in this table is guest background traffic: five DNS queries to the 114.114.114.114 resolver (the queried names are not recorded, so a failed C2 lookup cannot be ruled out from this page), NetBIOS name-service and datagram broadcasts, one NTP request to time.windows.com, and LLMNR (224.0.0.252:5355), SSDP (239.255.255.250:1900) and WS-Discovery (239.255.255.250:3702) multicast. "No hosts contacted" above refers to TCP/HTTP peers; no outbound connection attributable to the sample was observed.
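A triage pass over this UDP table, as an added Python example (not the sandbox's code): each row is classified as one of the known guest background protocols or flagged for review, so that a beacon to an unexpected address on an unexpected port is not lost among the noise. The lab subnet and the resolver address are assumptions read off the table; the rows are a copy of it.

```python
import ipaddress
from collections import Counter

# The UDP table from this report, copied as constructed input.
UDP_ROWS = """
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
"""

# Assumed lab subnet (inferred from the guest address) and the resolver the
# sandbox hands out; DNS to any other server is deliberately left unexplained,
# since a hard-coded resolver is itself worth a look.
LAB_NET = ipaddress.ip_network("192.168.56.0/24")
RESOLVER = ipaddress.ip_address("114.114.114.114")


def parse_rows(text: str):
    rows = []
    for line in text.strip().splitlines():
        f = line.split()
        # An optional hostname sits between destination IP and port (the NTP row).
        rows.append({"src": f[0], "sport": int(f[1]), "dst": f[2],
                     "host": f[3] if len(f) == 5 else None, "dport": int(f[-1])})
    return rows


def classify(dst: str, dport: int, host) -> str:
    """Name the background protocol a row belongs to, or 'unexplained'."""
    ip = ipaddress.ip_address(dst)
    if dport == 53 and ip == RESOLVER:
        return "dns"
    if dport == 123 and host == "time.windows.com":
        return "ntp"
    if dport == 5355 and dst == "224.0.0.252":
        return "llmnr"
    if dport == 1900 and dst == "239.255.255.250":
        return "ssdp"
    if dport == 3702 and dst == "239.255.255.250":
        return "ws-discovery"
    if dport in (137, 138) and ip == LAB_NET.broadcast_address:
        return "netbios"
    return "unexplained"


def triage(rows) -> dict:
    labelled = [(r, classify(r["dst"], r["dport"], r["host"])) for r in rows]
    counts = Counter(label for _, label in labelled)
    review = [r for r, label in labelled if label == "unexplained"]
    return {"counts": dict(counts), "review": review,
            "dns_queries_without_names": counts["dns"]}


if __name__ == "__main__":
    result = triage(parse_rows(UDP_ROWS))
    print(result["counts"])
    for r in result["review"]:
        print("review:", r)
```

For this report the review list is empty and the only residual question is what the five DNS queries asked for, which the page does not record. A row such as a UDP datagram to a public address on port 8080, or DNS sent to a server other than the configured resolver, would land in the review list.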

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

No dropped files were captured. The batch file 34899140.bat in the Temp directory was written and executed during the run (see the CreateProcessInternalW event above) yet is absent here, so the dropped-file capture is incomplete.
No dropped buffers were captured.