SmartHawk

6.6

高危

36 个模型检测该样本为恶意！

重新分析

下载样本

653271c4d6dc73c57e4c11e0cf0dd70e1812dcbac542c7dd319dfc776ed603e1

b9b0bca3a38df515798508b49403dc35.exe

分析耗时

110s

最近分析

文件大小

4.8MB

静态报毒动态报毒 2EXPQ4FESIQ @FX@A0@BUYKO ARTEMIS ASMALWS ATTRIBUTE BUNDLEINSTALLER CLOUD CONFIDENCE DOWNLOADER27 FILEREPMALWARE FTKBRM GENASA GENERIC PUA KE HIGHCONFIDENCE INSTALLUNION R002H0CDO21 REDCAP SAVE SCORE TECHSNAB UNSAFE XMAXL YMACCO ZEXAF ZPEVDO 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
CrowdStrike	win/malicious_confidence_90% (D)	20210203	1.0
Avast	FileRepMalware	20210512	21.1.5827.0
Alibaba	AdWare:Win32/InstallUnion.29883905	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Kingsoft		20210512	2017.9.26.565
McAfee	Artemis!B9B0BCA3A38D	20210504	6.0.6.653

Checks if process is being debugged by a debugger (6 个事件)

Time & API	Arguments	Status	Return	Repeated
1620916511.833375 IsDebuggerPresent		failed	0	0
1620916511.989375 IsDebuggerPresent		failed	0	0
1620916512.083375 IsDebuggerPresent		failed	0	0
1620916512.489375 IsDebuggerPresent		failed	0	0
1620916512.599375 IsDebuggerPresent		failed	0	0
1620916512.755375 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620916512.271375 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.gfids

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)

suspicious_features	POST method with no referer header				suspicious_request	POST http://dlsft.com/callback/geo/geo.php
suspicious_features	POST method with no referer header				suspicious_request	POST http://dlsft.com/callback/?channel=Wrd&action=started

Performs some HTTP requests (8 个事件)

request	GET http://dlsft.com/callback/offers.php
request	POST http://dlsft.com/callback/geo/geo.php
request	POST http://dlsft.com/callback/?channel=Wrd&action=started
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAwIlmU1uUKpc1Jl5Pl1QLw%3D
request	GET http://x.ss2.us/x.cer
request	GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request	GET http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
request	GET https://i.gyazo.com/e36cc2d4c53e6e6e03145a15402dfb5c.png

Sends data using the HTTP POST Method (2 个事件)

request	POST http://dlsft.com/callback/geo/geo.php
request	POST http://dlsft.com/callback/?channel=Wrd&action=started

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620916514.568375 NtProtectVirtualMemory	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x7ef70000	success	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620916515.130375 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Communicates with host for which no DNS query was performed (3 个事件)

host	151.139.128.14
host	172.217.24.14
host	52.218.85.60

Attempts to create or modify system certificates (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)

Time & API	Arguments	Status
1620916517.708375 RegSetValueExA	key_handle: 0x0000051c value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620916517.708375 RegSetValueExA	key_handle: 0x0000051c value: ÀØ7ÿG× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620916517.708375 RegSetValueExA	key_handle: 0x0000051c value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620916517.708375 RegSetValueExW	key_handle: 0x0000051c value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620916517.708375 RegSetValueExA	key_handle: 0x00000534 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620916517.708375 RegSetValueExA	key_handle: 0x00000534 value: ÀØ7ÿG× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620916517.708375 RegSetValueExA	key_handle: 0x00000534 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620916517.786375 RegSetValueExW	key_handle: 0x00000518 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success
1620916522.068375 RegSetValueExA	key_handle: 0x0000060c value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620916522.068375 RegSetValueExA	key_handle: 0x0000060c value: @!ÑÿG× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620916522.068375 RegSetValueExA	key_handle: 0x0000060c value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620916522.068375 RegSetValueExW	key_handle: 0x0000060c value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620916522.068375 RegSetValueExA	key_handle: 0x00000618 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620916522.068375 RegSetValueExA	key_handle: 0x00000618 value: @!ÑÿG× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620916522.068375 RegSetValueExA	key_handle: 0x00000618 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success

Generates some ICMP traffic

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 个事件)

DrWeb	Trojan.DownLoader27.25083
Cylance	Unsafe
Zillya	Adware.InstallUnion.Win32.165
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_90% (D)
BitDefenderTheta	Gen:NN.ZexaF.34688.@FX@a0@BuYkO
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Adware.InstallUnion.A
TrendMicro-HouseCall	TROJ_GEN.R002H0CDO21
Avast	FileRepMalware
Kaspersky	not-a-virus:HEUR:AdWare.Win32.Generic
Alibaba	AdWare:Win32/InstallUnion.29883905
NANO-Antivirus	Riskware.Win32.InstallUnion.ftkbrm
AegisLab	Adware.Win32.Generic.2!c
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Dropper.rh
FireEye	Generic.mg.b9b0bca3a38df515
Sophos	Generic PUA KE (PUA)
Jiangmin	AdWare.Techsnab.aqm
Webroot	W32.Malware.Gen
Avira	ADWARE/Redcap.xmaxl
Antiy-AVL	Trojan/Generic.ASMalwS.2A77706
Microsoft	Program:Win32/Ymacco.AA65
Gridinsoft	Adware.Win32.Downloader.vb!s1
Cynet	Malicious (score: 99)
McAfee	Artemis!B9B0BCA3A38D
VBA32	Trojan.Downloader
Malwarebytes	PUP.Optional.BundleInstaller
Panda	Trj/CI.A
APEX	Malicious
Rising	Trojan.Zpevdo!8.F912 (CLOUD)
Yandex	Trojan.GenAsa!2exPQ4fEsIQ
AVG	FileRepMalware
Paloalto	generic.ml

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-01-29 03:25:44

Imports

Library KERNEL32.dll:

• 0x76b0e8 ExitThread

• 0x76b0ec FreeLibraryAndExitThread

• 0x76b0f0 SetFileAttributesW

• 0x76b0f4 DeleteFileW

• 0x76b0f8 GetVolumeInformationW

• 0x76b0fc GetLogicalDriveStringsW

• 0x76b100 CloseHandle

• 0x76b104 Process32FirstW

• 0x76b108 Process32NextW

• 0x76b10c GetLastError

• 0x76b110 Sleep

• 0x76b114 CreateToolhelp32Snapshot

• 0x76b118 GetFileAttributesW

• 0x76b11c GetTempPathW

• 0x76b120 GetModuleFileNameW

• 0x76b124 CreateDirectoryW

• 0x76b128 InterlockedIncrement

• 0x76b12c LocalFree

• 0x76b130 FindResourceW

• 0x76b134 LoadResource

• 0x76b138 LockResource

• 0x76b13c InterlockedDecrement

• 0x76b140 UnregisterWaitEx

• 0x76b144 CreateJobObjectW

• 0x76b148 AssignProcessToJobObject

• 0x76b14c SetInformationJobObject

• 0x76b150 GetCommandLineW

• 0x76b154 SizeofResource

• 0x76b158 ReadDirectoryChangesW

• 0x76b15c GetCurrentDirectoryW

• 0x76b160 GetShortPathNameW

• 0x76b164 GetLongPathNameW

• 0x76b168 SetConsoleCursorPosition

• 0x76b16c GetNumberOfConsoleInputEvents

• 0x76b170 FillConsoleOutputAttribute

• 0x76b174 WriteConsoleInputW

• 0x76b178 CreateFileA

• 0x76b17c FormatMessageW

• 0x76b180 WideCharToMultiByte

• 0x76b184 EnterCriticalSection

• 0x76b188 LeaveCriticalSection

• 0x76b18c DeleteCriticalSection

• 0x76b190 EncodePointer

• 0x76b194 DecodePointer

• 0x76b198 MultiByteToWideChar

• 0x76b19c SetLastError

• 0x76b1a0 InitializeCriticalSectionAndSpinCount

• 0x76b1a4 CreateEventW

• 0x76b1a8 TlsAlloc

• 0x76b1ac TlsGetValue

• 0x76b1b0 TlsSetValue

• 0x76b1b4 TlsFree

• 0x76b1b8 GetSystemTimeAsFileTime

• 0x76b1bc GetTickCount

• 0x76b1c0 GetModuleHandleW

• 0x76b1c4 GetProcAddress

• 0x76b1c8 CompareStringW

• 0x76b1cc LCMapStringW

• 0x76b1d0 GetLocaleInfoW

• 0x76b1d4 GetStringTypeW

• 0x76b1d8 GetCPInfo

• 0x76b1dc SetEvent

• 0x76b1e0 ResetEvent

• 0x76b1e4 WaitForSingleObjectEx

• 0x76b1e8 UnhandledExceptionFilter

• 0x76b1ec SetUnhandledExceptionFilter

• 0x76b1f0 GetCurrentProcess

• 0x76b1f4 TerminateProcess

• 0x76b1f8 IsProcessorFeaturePresent

• 0x76b1fc IsDebuggerPresent

• 0x76b200 GetStartupInfoW

• 0x76b204 QueryPerformanceCounter

• 0x76b208 GetCurrentProcessId

• 0x76b20c GetCurrentThreadId

• 0x76b210 InitializeSListHead

• 0x76b214 RaiseException

• 0x76b218 RtlUnwind

• 0x76b21c FreeLibrary

• 0x76b220 LoadLibraryExW

• 0x76b224 HeapAlloc

• 0x76b228 HeapReAlloc

• 0x76b22c HeapFree

• 0x76b230 ExitProcess

• 0x76b234 GetModuleHandleExW

• 0x76b238 GetModuleFileNameA

• 0x76b23c GetStdHandle

• 0x76b240 WriteFile

• 0x76b244 GetACP

• 0x76b248 GetCurrentThread

• 0x76b24c GetFileType

• 0x76b250 FlushFileBuffers

• 0x76b254 GetConsoleCP

• 0x76b258 GetConsoleMode

• 0x76b25c WaitForSingleObject

• 0x76b260 GetExitCodeProcess

• 0x76b264 CreateProcessW

• 0x76b268 GetFileAttributesExW

• 0x76b26c GetDateFormatW

• 0x76b270 GetTimeFormatW

• 0x76b274 IsValidLocale

• 0x76b278 GetUserDefaultLCID

• 0x76b27c EnumSystemLocalesW

• 0x76b280 ReadFile

• 0x76b284 SetFilePointerEx

• 0x76b288 GetProcessHeap

• 0x76b28c SetConsoleCtrlHandler

• 0x76b290 GetTimeZoneInformation

• 0x76b294 FindClose

• 0x76b298 FindFirstFileExW

• 0x76b29c FindNextFileW

• 0x76b2a0 IsValidCodePage

• 0x76b2a4 GetOEMCP

• 0x76b2a8 GetCommandLineA

• 0x76b2ac GetEnvironmentStringsW

• 0x76b2b0 FreeEnvironmentStringsW

• 0x76b2b4 SetEnvironmentVariableA

• 0x76b2b8 SetEnvironmentVariableW

• 0x76b2bc OutputDebugStringW

• 0x76b2c0 CreateThread

• 0x76b2c4 SetStdHandle

• 0x76b2c8 WriteConsoleW

• 0x76b2cc ReadConsoleW

• 0x76b2d0 CreateFileW

• 0x76b2d4 HeapSize

• 0x76b2d8 SetEndOfFile

• 0x76b2dc GlobalUnlock

• 0x76b2e0 GlobalLock

• 0x76b2e4 GlobalSize

• 0x76b2e8 MulDiv

• 0x76b2ec QueryPerformanceFrequency

• 0x76b2f0 GlobalFree

• 0x76b2f4 GlobalAlloc

• 0x76b2f8 LocalAlloc

• 0x76b2fc lstrlenW

• 0x76b300 LocalSize

• 0x76b304 LoadLibraryExA

• 0x76b308 GetEnvironmentVariableW

• 0x76b30c GetTempPathA

• 0x76b310 GetTempFileNameA

• 0x76b314 CompareStringA

• 0x76b318 GetNumberFormatW

• 0x76b31c GetCurrencyFormatW

• 0x76b320 VerSetConditionMask

• 0x76b324 GetComputerNameW

• 0x76b328 VerifyVersionInfoW

• 0x76b32c FindFirstFileW

• 0x76b330 FileTimeToSystemTime

• 0x76b334 SystemTimeToFileTime

• 0x76b338 GetSystemTime

• 0x76b33c SetFilePointer

• 0x76b340 UnmapViewOfFile

• 0x76b344 FlushViewOfFile

• 0x76b348 GetFileSize

• 0x76b34c CreateFileMappingW

• 0x76b350 MapViewOfFile

• 0x76b354 AllocConsole

• 0x76b358 lstrcmpW

• 0x76b35c InitializeCriticalSection

• 0x76b360 DuplicateHandle

• 0x76b364 WaitForMultipleObjects

• 0x76b368 ReleaseSemaphore

• 0x76b36c VirtualAlloc

• 0x76b370 VirtualFree

• 0x76b374 LoadLibraryW

• 0x76b378 GetThreadPriority

• 0x76b37c SetThreadPriority

• 0x76b380 GetVersionExW

• 0x76b384 ResumeThread

• 0x76b388 CreateSemaphoreA

• 0x76b38c CreateEventA

• 0x76b390 SetErrorMode

• 0x76b394 GetQueuedCompletionStatus

• 0x76b398 PostQueuedCompletionStatus

• 0x76b39c CreateIoCompletionPort

• 0x76b3a0 CancelIo

• 0x76b3a4 SetHandleInformation

• 0x76b3a8 RegisterWaitForSingleObject

• 0x76b3ac UnregisterWait

• 0x76b3b0 SetNamedPipeHandleState

• 0x76b3b4 CreateNamedPipeA

• 0x76b3b8 CreateNamedPipeW

• 0x76b3bc PeekNamedPipe

• 0x76b3c0 QueueUserWorkItem

• 0x76b3c4 GetNamedPipeHandleStateA

• 0x76b3c8 SwitchToThread

• 0x76b3cc WaitNamedPipeW

• 0x76b3d0 ConnectNamedPipe

• 0x76b3d4 DeviceIoControl

• 0x76b3d8 RemoveDirectoryW

• 0x76b3dc SetFileTime

• 0x76b3e0 CreateHardLinkW

• 0x76b3e4 GetFileInformationByHandle

• 0x76b3e8 MoveFileExW

• 0x76b3ec CopyFileW

• 0x76b3f0 GetModuleHandleA

• 0x76b3f4 LoadLibraryA

• 0x76b3f8 FormatMessageA

• 0x76b3fc DebugBreak

• 0x76b400 GetConsoleScreenBufferInfo

• 0x76b404 SetConsoleTextAttribute

• 0x76b408 GetConsoleCursorInfo

• 0x76b40c SetConsoleCursorInfo

• 0x76b410 FillConsoleOutputCharacterW

• 0x76b414 ReadConsoleInputW

Library USER32.dll:

• 0x76b46c GetWindowPlacement

• 0x76b470 IsWindowVisible

• 0x76b474 AnimateWindow

• 0x76b478 SetWindowPos

• 0x76b47c GetWindowRect

• 0x76b480 SetWindowLongW

• 0x76b484 GetWindowLongW

• 0x76b488 SetCursor

• 0x76b48c MapWindowPoints

• 0x76b490 UpdateWindow

• 0x76b494 SetFocus

• 0x76b498 GetFocus

• 0x76b49c EndPaint

• 0x76b4a0 BeginPaint

• 0x76b4a4 SetForegroundWindow

• 0x76b4a8 GetForegroundWindow

• 0x76b4ac DestroyIcon

• 0x76b4b0 KillTimer

• 0x76b4b4 GetParent

• 0x76b4b8 IsWindow

• 0x76b4bc SendMessageW

• 0x76b4c0 InvalidateRect

• 0x76b4c4 GetClientRect

• 0x76b4c8 GetSystemMetrics

• 0x76b4cc AdjustWindowRectEx

• 0x76b4d0 CreateWindowExW

• 0x76b4d4 MessageBoxW

• 0x76b4d8 DestroyWindow

• 0x76b4dc GetWindow

• 0x76b4e0 EnableWindow

• 0x76b4e4 SetActiveWindow

• 0x76b4e8 LoadIconW

• 0x76b4ec LoadCursorW

• 0x76b4f0 RegisterClassExW

• 0x76b4f4 PostQuitMessage

• 0x76b4f8 DefWindowProcW

• 0x76b4fc GetCursorPos

• 0x76b500 GetDesktopWindow

• 0x76b504 MoveWindow

• 0x76b508 IsWindowEnabled

• 0x76b50c RegisterClassW

• 0x76b510 RedrawWindow

• 0x76b514 WindowFromPoint

• 0x76b518 GetWindowThreadProcessId

• 0x76b51c GetWindowTextW

• 0x76b520 ReleaseDC

• 0x76b524 ReleaseCapture

• 0x76b528 RegisterWindowMessageW

• 0x76b52c IsWindowUnicode

• 0x76b530 GetMessageW

• 0x76b534 GetClassLongW

• 0x76b538 SetWindowsHookExW

• 0x76b53c EnumThreadWindows

• 0x76b540 EndDeferWindowPos

• 0x76b544 SetCapture

• 0x76b548 GetUpdateRect

• 0x76b54c IsRectEmpty

• 0x76b550 GetMessageTime

• 0x76b554 UnhookWindowsHookEx

• 0x76b558 GetSysColor

• 0x76b55c GetDoubleClickTime

• 0x76b560 CallMsgFilterW

• 0x76b564 IsChild

• 0x76b568 ClientToScreen

• 0x76b56c GetMonitorInfoW

• 0x76b570 SetTimer

• 0x76b574 GetCapture

• 0x76b578 GetAsyncKeyState

• 0x76b57c BeginDeferWindowPos

• 0x76b580 SetClassLongW

• 0x76b584 GetActiveWindow

• 0x76b588 GetScrollInfo

• 0x76b58c NotifyWinEvent

• 0x76b590 SetWindowTextW

• 0x76b594 CallNextHookEx

• 0x76b598 ScreenToClient

• 0x76b59c MonitorFromWindow

• 0x76b5a0 GetDC

• 0x76b5a4 MonitorFromPoint

• 0x76b5a8 GetKeyState

• 0x76b5ac DeferWindowPos

• 0x76b5b0 SetScrollInfo

• 0x76b5b4 EnumDisplayDevicesW

• 0x76b5b8 EnumDisplayMonitors

• 0x76b5bc DestroyCaret

• 0x76b5c0 FindWindowW

• 0x76b5c4 GetKeyboardLayout

• 0x76b5c8 CreateCaret

• 0x76b5cc SetCaretPos

• 0x76b5d0 RegisterClipboardFormatW

• 0x76b5d4 OpenClipboard

• 0x76b5d8 EmptyClipboard

• 0x76b5dc CloseClipboard

• 0x76b5e0 CountClipboardFormats

• 0x76b5e4 EnumClipboardFormats

• 0x76b5e8 SetClipboardData

• 0x76b5ec IsClipboardFormatAvailable

• 0x76b5f0 GetClipboardData

• 0x76b5f4 GetClipboardSequenceNumber

• 0x76b5f8 LoadStringW

• 0x76b5fc MessageBeep

• 0x76b600 DestroyCursor

• 0x76b604 LoadCursorFromFileA

• 0x76b608 CreateIconIndirect

• 0x76b60c GetIconInfo

• 0x76b610 DrawIconEx

• 0x76b614 MessageBoxA

• 0x76b618 GetQueueStatus

• 0x76b61c PostThreadMessageW

• 0x76b620 MsgWaitForMultipleObjects

• 0x76b624 SetWinEventHook

• 0x76b628 DispatchMessageA

• 0x76b62c MapVirtualKeyW

• 0x76b630 GetMessageA

• 0x76b634 PostMessageW

• 0x76b638 ShowWindow

• 0x76b63c DispatchMessageW

• 0x76b640 PeekMessageW

• 0x76b644 TranslateMessage

• 0x76b648 SystemParametersInfoW

• 0x76b64c UpdateLayeredWindow

Library ADVAPI32.dll:

• 0x76b000 RegGetValueW

• 0x76b004 SystemFunction036

• 0x76b008 RegQueryValueExW

• 0x76b00c RegOpenKeyExW

• 0x76b010 GetUserNameW

• 0x76b014 CryptReleaseContext

• 0x76b018 CryptGenRandom

• 0x76b01c CryptAcquireContextA

• 0x76b020 RegSetValueExW

• 0x76b024 RegCloseKey

• 0x76b028 RegCreateKeyExW

Library SHELL32.dll:

• 0x76b440 SHBrowseForFolderW

• 0x76b444

• 0x76b448 SHGetSpecialFolderPathW

• 0x76b44c

• 0x76b450 DragQueryFileW

• 0x76b454 SHGetPathFromIDListW

• 0x76b458 CommandLineToArgvW

• 0x76b45c ShellExecuteW

• 0x76b460 ShellExecuteExW

• 0x76b464 SHGetFileInfoW

Library ole32.dll:

• 0x76b914 CoTaskMemAlloc

• 0x76b918 CoUninitialize

• 0x76b91c CoFreeUnusedLibraries

• 0x76b920 CoInitialize

• 0x76b924 CoCreateGuid

• 0x76b928 CoTaskMemFree

• 0x76b92c CoCreateInstance

• 0x76b930 CreateStreamOnHGlobal

• 0x76b934 RegisterDragDrop

• 0x76b938 RevokeDragDrop

• 0x76b93c DoDragDrop

• 0x76b940 ReleaseStgMedium

• 0x76b944 OleUninitialize

• 0x76b948 OleInitialize

Library urlmon.dll:

• 0x76b950 FindMimeFromData

• 0x76b954 URLDownloadToFileW

Library OLEACC.dll:

• 0x76b41c AccessibleObjectFromWindow

• 0x76b420 LresultFromObject

Library UxTheme.dll:

• 0x76b670 SetWindowTheme

• 0x76b674 CloseThemeData

• 0x76b678 DrawThemeBackground

• 0x76b67c GetThemePartSize

• 0x76b680 IsThemeBackgroundPartiallyTransparent

• 0x76b684 OpenThemeData

Library IMM32.dll:

• 0x76b0c8 ImmIsIME

• 0x76b0cc ImmNotifyIME

• 0x76b0d0 ImmAssociateContextEx

• 0x76b0d4 ImmSetCandidateWindow

• 0x76b0d8 ImmGetCompositionStringW

• 0x76b0dc ImmReleaseContext

• 0x76b0e0 ImmGetContext

Library COMCTL32.dll:

• 0x76b030 ImageList_Destroy

• 0x76b034 ImageList_DrawEx

• 0x76b038 ImageList_GetIconSize

Library WS2_32.dll:

• 0x76b6e0 shutdown

• 0x76b6e4 WSASend

• 0x76b6e8 WSAIoctl

• 0x76b6ec bind

• 0x76b6f0 select

• 0x76b6f4 socket

• 0x76b6f8 WSARecv

• 0x76b6fc ioctlsocket

• 0x76b700 htons

• 0x76b704 WSASocketW

• 0x76b708 WSARecvFrom

• 0x76b70c FreeAddrInfoW

• 0x76b710 WSAGetLastError

• 0x76b714 setsockopt

• 0x76b718 getsockopt

• 0x76b71c closesocket

• 0x76b720 WSAStartup

• 0x76b724 WSASetLastError

• 0x76b728 listen

• 0x76b72c GetAddrInfoW

Library WINMM.dll:

• 0x76b6bc timeGetTime

• 0x76b6c0 timeEndPeriod

• 0x76b6c4 timeBeginPeriod

• 0x76b6c8 timeSetEvent

• 0x76b6cc timeKillEvent

• 0x76b6d0 PlaySoundW

Library USP10.dll:

• 0x76b654 ScriptItemize

• 0x76b658 ScriptFreeCache

• 0x76b65c ScriptShape

• 0x76b660 ScriptPlace

• 0x76b664 ScriptBreak

• 0x76b668 ScriptApplyDigitSubstitution

Library GDI32.dll:

• 0x76b054 GetObjectW

• 0x76b058 StartDocW

• 0x76b05c EndPage

• 0x76b060 GetDeviceCaps

• 0x76b064 GetStockObject

• 0x76b068 BitBlt

• 0x76b06c RestoreDC

• 0x76b070 SetViewportOrgEx

• 0x76b074 AddFontMemResourceEx

• 0x76b078 GetClipBox

• 0x76b07c SetLayout

• 0x76b080 CreateCompatibleDC

• 0x76b084 CreateDIBSection

• 0x76b088 SelectObject

• 0x76b08c DeleteDC

• 0x76b090 DeleteObject

• 0x76b094 StartPage

• 0x76b098 SetMapMode

• 0x76b09c EndDoc

• 0x76b0a0 CreateDCW

• 0x76b0a4 SaveDC

• 0x76b0a8 GetFontUnicodeRanges

• 0x76b0ac EnumFontFamiliesExW

• 0x76b0b0 GetDIBits

• 0x76b0b4 GetObjectA

• 0x76b0b8 GetGlyphIndicesW

• 0x76b0bc CreateBitmap

• 0x76b0c0 CreateFontW

Library WINSPOOL.DRV:

• 0x76b6d8

Library COMDLG32.dll:

• 0x76b040 CommDlgExtendedError

• 0x76b044 GetOpenFileNameW

• 0x76b048 PrintDlgW

• 0x76b04c GetSaveFileNameW

Library OLEAUT32.dll:

• 0x76b428 SafeArrayPutElement

• 0x76b42c SafeArrayDestroy

• 0x76b430 SysFreeString

• 0x76b434 SysAllocStringLen

• 0x76b438 SafeArrayCreateVector

Library gdiplus.dll:

• 0x76b734 GdipBitmapUnlockBits

• 0x76b738 GdipAlloc

• 0x76b73c GdipFree

• 0x76b740 GdipCreateBitmapFromScan0

• 0x76b744 GdipCloneImage

• 0x76b748 GdipDisposeImage

• 0x76b74c GdipCreateSolidFill

• 0x76b750 GdipDeleteBrush

• 0x76b754 GdipCloneBrush

• 0x76b758 GdipFillRectangleI

• 0x76b75c GdipCreatePath

• 0x76b760 GdipDeletePath

• 0x76b764 GdipAddPathArcI

• 0x76b768 GdipAddPathLineI

• 0x76b76c GdipFillPath

• 0x76b770 GdipGetClipBoundsI

• 0x76b774 GdipCreateLineBrush

• 0x76b778 GdipMultiplyLineTransform

• 0x76b77c GdipCreateMatrix2

• 0x76b780 GdipSetLinePresetBlend

• 0x76b784 GdipSetLineWrapMode

• 0x76b788 GdipAddPathEllipse

• 0x76b78c GdipCreatePathGradientFromPath

• 0x76b790 GdipSetPathGradientPresetBlend

• 0x76b794 GdipSetPathGradientWrapMode

• 0x76b798 GdipSetPathGradientCenterPoint

• 0x76b79c GdipSetPathGradientTransform

• 0x76b7a0 GdipCreatePen1

• 0x76b7a4 GdipDeletePen

• 0x76b7a8 GdipDrawPath

• 0x76b7ac GdipFillRectanglesI

• 0x76b7b0 GdipDrawLine

• 0x76b7b4 GdipSetClipRectI

• 0x76b7b8 GdipBitmapLockBits

• 0x76b7bc GdipGetSmoothingMode

• 0x76b7c0 GdipSaveGraphics

• 0x76b7c4 GdipRestoreGraphics

• 0x76b7c8 GdipBeginContainer2

• 0x76b7cc GdipGetImageGraphicsContext

• 0x76b7d0 GdipGraphicsClear

• 0x76b7d4 GdipGetPathWorldBounds

• 0x76b7d8 GdipClonePath

• 0x76b7dc GdipSetClipRect

• 0x76b7e0 GdipAddPathRectangleI

• 0x76b7e4 GdipGetImageHeight

• 0x76b7e8 GdipGetImageWidth

• 0x76b7ec GdipDeleteGraphics

• 0x76b7f0 GdipSetSmoothingMode

• 0x76b7f4 GdipEndContainer

• 0x76b7f8 GdipCreateImageAttributes

• 0x76b7fc GdipDisposeImageAttributes

• 0x76b800 GdipSetImageAttributesColorMatrix

• 0x76b804 GdipDrawImageRectRect

• 0x76b808 GdipTransformPoints

• 0x76b80c GdipMultiplyWorldTransform

• 0x76b810 GdipCreateMatrix

• 0x76b814 GdipDeleteMatrix

• 0x76b818 GdipTranslateMatrix

• 0x76b81c GdipRotateMatrix

• 0x76b820 GdipScaleMatrix

• 0x76b824 GdipShearMatrix

• 0x76b828 GdipCreateTexture

• 0x76b82c GdipFillEllipse

• 0x76b830 GdipDrawEllipse

• 0x76b834 GdipFillPie

• 0x76b838 GdipDrawPie

• 0x76b83c GdipDrawArc

• 0x76b840 GdipFillRectangle

• 0x76b844 GdipDrawRectangle

• 0x76b848 GdipResetPath

• 0x76b84c GdipIsVisiblePathPoint

• 0x76b850 GdipStartPathFigure

• 0x76b854 GdipAddPathLine

• 0x76b858 GdipClosePathFigure

• 0x76b85c GdipSetPathFillMode

• 0x76b860

• 0x76b864 GdipAddPathBezier

• 0x76b868 GdipSetPageUnit

• 0x76b86c GdipSetCompositingQuality

• 0x76b870 GdipSetPixelOffsetMode

• 0x76b874 GdipSetInterpolationMode

• 0x76b878 GdipSetTextRenderingHint

• 0x76b87c GdipCreateFromHWND

• 0x76b880 GdipCreateFromHDC

• 0x76b884 GdipCreateStringFormat

• 0x76b888 GdipDeleteStringFormat

• 0x76b88c GdipSetStringFormatAlign

• 0x76b890 GdipSetStringFormatLineAlign

• 0x76b894 GdipSetStringFormatTrimming

• 0x76b898 GdipGetFontHeightGivenDPI

• 0x76b89c GdipMeasureString

• 0x76b8a0 GdipDeleteFontFamily

• 0x76b8a4 GdipGetFamily

• 0x76b8a8 GdipGetCellAscent

• 0x76b8ac GdipGetFontSize

• 0x76b8b0 GdipGetEmHeight

• 0x76b8b4 GdipGetCellDescent

• 0x76b8b8 GdipDrawString

• 0x76b8bc GdipAddPathString

• 0x76b8c0 GdipGetFontStyle

• 0x76b8c4 GdipCreatePen2

• 0x76b8c8 GdipSetPenEndCap

• 0x76b8cc GdipSetPenStartCap

• 0x76b8d0 GdipSetPenLineJoin

• 0x76b8d4 GdipSetPenMiterLimit

• 0x76b8d8 GdipSetPenDashStyle

• 0x76b8dc GdipSetPenDashArray

• 0x76b8e0 GdipSetPenDashOffset

• 0x76b8e4 GdipDeleteFont

• 0x76b8e8 GdipCreateFontFromDC

• 0x76b8ec GdipGetLineSpacing

• 0x76b8f0 GdipCreateFontFromLogfontA

• 0x76b8f4 GdiplusShutdown

• 0x76b8f8 GdiplusStartup

• 0x76b8fc GdipCreateBitmapFromGraphics

• 0x76b900 GdipDrawImageI

• 0x76b904 GdipCreateHBITMAPFromBitmap

• 0x76b908 GdipDrawDriverString

• 0x76b90c GdipTranslateWorldTransform

Library WININET.dll:

• 0x76b68c HttpSendRequestA

• 0x76b690 InternetSetOptionW

• 0x76b694 InternetOpenA

• 0x76b698 InternetCloseHandle

• 0x76b69c InternetErrorDlg

• 0x76b6a0 InternetQueryOptionW

• 0x76b6a4 HttpQueryInfoA

• 0x76b6a8 InternetConnectA

• 0x76b6ac HttpOpenRequestA

• 0x76b6b0 HttpQueryInfoW

• 0x76b6b4 InternetReadFile

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dlsft.com	A 35.190.60.70	35.190.60.70
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
x.ss2.us	A 13.227.250.204 A 13.227.250.142 A 13.227.250.15 A 13.227.250.143	52.85.56.131
www.download.windowsupdate.com	A 124.225.105.97 CNAME 2-01-3cf7-0009.cdx.cedexis.net CNAME www.download.windowsupdate.com.cdn.dnsv1.com CNAME windowsupdate.sched.s11.tdnsv5.com CNAME 3573033.pack.cdntip.com CNAME wu-fg-shim.trafficmanager.net	124.225.105.97
clients2.google.com	A 216.58.200.46 CNAME clients.l.google.com A 216.58.200.78	172.217.160.110
dpd.securestudies.com	A 54.192.147.89 CNAME dm7o9revlbq0c.cloudfront.net A 54.192.147.62 A 54.192.147.56 A 54.192.147.26 A 13.224.249.52 A 13.224.249.15 A 13.224.249.123 A 13.224.249.45
www.microsoft.com	CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net CNAME e13678.ca2.s.tl88.net CNAME www.microsoft.com-c-3.edgekey.net A 27.148.139.88 A 104.99.234.13 CNAME e13678.dscb.akamaiedge.net	27.148.139.88
i.gyazo.com	A 104.19.142.111 A 104.19.143.111	104.19.142.111
ocsp.digicert.com	A 93.184.220.29 CNAME cs9.wac.phicdn.net	117.18.237.29
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49177	104.19.143.111 i.gyazo.com	443
192.168.56.101	49183	124.225.105.97 www.download.windowsupdate.com	80
192.168.56.101	49180	13.227.250.204 x.ss2.us	80
192.168.56.101	49186	27.148.139.88 www.microsoft.com	80
192.168.56.101	49175	35.190.60.70 dlsft.com	80
192.168.56.101	49176	35.190.60.70 dlsft.com	80
192.168.56.101	49178	54.192.147.89 dpd.securestudies.com	443
192.168.56.101	49179	93.184.220.29 ocsp.digicert.com	80
52.218.85.60	80	192.168.56.101	49188

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53380	114.114.114.114	53
192.168.56.101	54260	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	60088	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60221	114.114.114.114	53
192.168.56.101	61680	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 3600 Connection: Keep-Alive Accept: / If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT If-None-Match: "0d8f4f3f6fd71:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAwIlmU1uUKpc1Jl5Pl1QLw%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAwIlmU1uUKpc1Jl5Pl1QLw%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com
http://x.ss2.us/x.cer	GET /x.cer HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: x.ss2.us
http://dlsft.com/callback/?channel=Wrd&action=started	POST /callback/?channel=Wrd&action=started HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded;charset=utf-8 User-Agent: sciter 4.2.6.8; Windows-7.1; www.sciter.com) Host: dlsft.com Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt	GET /pki/certs/MicRooCerAut_2010-06-23.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: www.microsoft.com
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 900 Connection: Keep-Alive Accept: / If-Modified-Since: Mon, 19 Apr 2021 20:17:25 GMT If-None-Match: "80f8835935d71:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com
http://dlsft.com/callback/geo/geo.php	POST /callback/geo/geo.php HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded;charset=utf-8 User-Agent: sciter 4.2.6.8; Windows-7.1; www.sciter.com) Host: dlsft.com Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
http://dlsft.com/callback/offers.php	GET /callback/offers.php HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: sciter 4.2.6.8; Windows-7.1; www.sciter.com) Host: dlsft.com Connection: Keep-Alive

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.