14.6
0-day

SHA256: e1b4622454cead31c14bd55cf1985eb6b5e93483989b183cf32e79e07ee4dc13
File name: ce75a0293f703092ac30a4b69b809edf.exe
Analysis duration: 94s
Latest analysis:
File size: 786.0KB
Static scan: malicious. Dynamic analysis: malicious. AI SCORE=82. Detection-name tokens across engines: APDR, CKGENERIC, CLOUD, CONFIDENCE, DELF, DELPHILESS, DGOD, ELXR, ELZG, FAREIT, GENERICKD, HIGH CONFIDENCE, HKCRJL, KILLPROC2, LOKI, LOKIBOT, MALWARE@#2DW603JG2BDIM, NANOCORE, SCORE, SMAD1, SUSGEN, TBIJ, TROJAN3, TSCOPE, UNSAFE, WACATAC, WU6PHEPEJIW, X2066, XGW@AGSXVSJI, ZELPHIF
Note that the family names in the static tags (Fareit, NanoCore, LokiBot) disagree with one another and with the dynamic evidence below, where the payload installs itself as remcos.exe under a Run key named remcos. The static labels are generic Delphi-crypter signatures; the behaviour is the better family indicator.
Hawkeye engine
Not detected: no Hawkeye engine result available
Static verdict
Antivirus engines
Engine        Result                              Scan date   Engine version
McAfee        Fareit-FTB!CE75A0293F70             20200526    6.0.6.653
Alibaba       Trojan:Win32/NanoCore.fb22ec4c      20190527    0.3.0.5
Baidu         (no result)                         20190318    1.0.0.2
Avast         Win32:Malware-gen                   20200526    18.4.3895.0
Kingsoft      (no result)                         20200526    2013.8.14.323
Tencent       Win32.Trojan.Crypt.Tbij             20200526    1.0.0.1
CrowdStrike   win/malicious_confidence_90% (W)    20190702    1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
CODE, DATA and BSS are the default section names emitted by the Borland/Delphi linker, so on their own they corroborate the Delphi identification below rather than indicate a packer.
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (8 events)
Seven of the eight exceptions are the same instruction: div eax at image offset 0x761ab (address 0x4761ab) with eax = 0, raising 0xC0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) in every copy of the payload (the original dropper, remcos.exe and the hollowed svchost.exe). The bytes that follow (xor eax,eax; pop edx; pop ecx; pop ecx; mov fs:[eax],edx) are the Delphi try/except epilogue that unlinks the SEH frame, so the fault is raised inside a handled block and each process keeps running and goes on to spawn and inject. This is exception-based control flow, consistent with an emulator check, not a real crash. Only the last entry (0xC0000005 at 0x1761a, executing zeroed memory that belongs to no module) is a genuine access violation.
Time & API Arguments Status Return Repeated
1619925770.395124
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34340676
registers.edi: 0
registers.eax: 0
registers.ebp: 34340744
registers.edx: 2
registers.ebx: 0
registers.esi: 0
registers.ecx: 395
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 23 5c 00 00 e9
exception.symbol: ce75a0293f703092ac30a4b69b809edf+0x761ab
exception.instruction: div eax
exception.module: ce75a0293f703092ac30a4b69b809edf.exe
exception.exception_code: 0xc0000094
exception.offset: 483755
exception.address: 0x4761ab
success 0 0
1619925781.035874
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 53018436
registers.edi: 0
registers.eax: 0
registers.ebp: 53018504
registers.edx: 3
registers.ebx: 0
registers.esi: 0
registers.ecx: 35
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 23 5c 00 00 e9
exception.symbol: ce75a0293f703092ac30a4b69b809edf+0x761ab
exception.instruction: div eax
exception.module: ce75a0293f703092ac30a4b69b809edf.exe
exception.exception_code: 0xc0000094
exception.offset: 483755
exception.address: 0x4761ab
success 0 0
1619925787.456751
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 36044612
registers.edi: 0
registers.eax: 0
registers.ebp: 36044680
registers.edx: 3
registers.ebx: 0
registers.esi: 0
registers.ecx: 457
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 23 5c 00 00 e9
exception.symbol: remcos+0x761ab
exception.instruction: div eax
exception.module: remcos.exe
exception.exception_code: 0xc0000094
exception.offset: 483755
exception.address: 0x4761ab
success 0 0
1619925791.285999
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 52166468
registers.edi: 0
registers.eax: 0
registers.ebp: 52166536
registers.edx: 3
registers.ebx: 0
registers.esi: 0
registers.ecx: 270
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 23 5c 00 00 e9
exception.symbol: ce75a0293f703092ac30a4b69b809edf+0x761ab
exception.instruction: div eax
exception.module: ce75a0293f703092ac30a4b69b809edf.exe
exception.exception_code: 0xc0000094
exception.offset: 483755
exception.address: 0x4761ab
success 0 0
1619925798.363874
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 35454788
registers.edi: 0
registers.eax: 0
registers.ebp: 35454856
registers.edx: 3
registers.ebx: 0
registers.esi: 0
registers.ecx: 363
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 23 5c 00 00 e9
exception.symbol: remcos+0x761ab
exception.instruction: div eax
exception.module: remcos.exe
exception.exception_code: 0xc0000094
exception.offset: 483755
exception.address: 0x4761ab
success 0 0
1619925799.239626
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 31783068
registers.edi: 0
registers.eax: 0
registers.ebp: 31783136
registers.edx: 3
registers.ebx: 0
registers.esi: 0
registers.ecx: 238
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 23 5c 00 00 e9
exception.symbol: svchost+0x761ab
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 483755
exception.address: 0x4761ab
success 0 0
1619925802.770501
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34537284
registers.edi: 0
registers.eax: 0
registers.ebp: 34537352
registers.edx: 3
registers.ebx: 0
registers.esi: 0
registers.ecx: 754
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 23 5c 00 00 e9
exception.symbol: ce75a0293f703092ac30a4b69b809edf+0x761ab
exception.instruction: div eax
exception.module: ce75a0293f703092ac30a4b69b809edf.exe
exception.exception_code: 0xc0000094
exception.offset: 483755
exception.address: 0x4761ab
success 0 0
1619925809.848499
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1309536
registers.edi: 0
registers.eax: 1309736
registers.ebp: 1309676
registers.edx: 4274820
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: add byte ptr [eax], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1761a
success 0 0
Behavioural verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (21 events)
Every process in the chain repeats the same three calls: a 4 KB RWX allocation, NtProtectVirtualMemory making 24 KB at 0x00476000 RWX (the range that contains the div eax at 0x4761ab, inside the CODE section), then a second RWX allocation. The identical pattern across seven PIDs is the crypter stub unpacking the same way in each hollowed copy.
Time & API Arguments Status Return Repeated
1619925770.207124
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01df0000
success 0 0
1619925770.395124
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00476000
success 0 0
1619925770.395124
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03140000
success 0 0
1619925781.003874
NtAllocateVirtualMemory
process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d0000
success 0 0
1619925781.035874
NtProtectVirtualMemory
process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00476000
success 0 0
1619925781.035874
NtAllocateVirtualMemory
process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01fc0000
success 0 0
1619925787.316751
NtAllocateVirtualMemory
process_identifier: 2032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619925787.456751
NtProtectVirtualMemory
process_identifier: 2032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00476000
success 0 0
1619925787.472751
NtAllocateVirtualMemory
process_identifier: 2032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007a0000
success 0 0
1619925791.097999
NtAllocateVirtualMemory
process_identifier: 920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e0000
success 0 0
1619925791.285999
NtProtectVirtualMemory
process_identifier: 920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00476000
success 0 0
1619925791.300999
NtAllocateVirtualMemory
process_identifier: 920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02000000
success 0 0
1619925798.269874
NtAllocateVirtualMemory
process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619925798.363874
NtProtectVirtualMemory
process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00476000
success 0 0
1619925798.378874
NtAllocateVirtualMemory
process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007b0000
success 0 0
1619925799.176626
NtAllocateVirtualMemory
process_identifier: 2844
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00320000
success 0 0
1619925799.239626
NtProtectVirtualMemory
process_identifier: 2844
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00476000
success 0 0
1619925799.254626
NtAllocateVirtualMemory
process_identifier: 2844
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003e0000
success 0 0
1619925802.676501
NtAllocateVirtualMemory
process_identifier: 3172
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619925802.770501
NtProtectVirtualMemory
process_identifier: 3172
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00476000
success 0 0
1619925802.801501
NtAllocateVirtualMemory
process_identifier: 3172
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01fb0000
success 0 0
A process attempted to delay the analysis task. (1 event)
description remcos.exe tried to sleep 263 seconds, actually delayed analysis time by 263 seconds
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
Creates a suspicious process (3 events)
cmdline "C:\Windows\SysWOW64\svchost.exe" 2 3348 27727406
cmdline "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
cmdline C:\Windows\SysWOW64\svchost.exe
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
install.vbs is a script, not a binary: it is launched through wscript.exe (see the CreateProcessInternalW events further down) and is what runs cmd /c on the copy placed in %AppData%\remcos.
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1619925782.020124
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
show_type: 0
success 1 0
1619925785.426124
ShellExecuteExW
parameters: /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
filepath: cmd
filepath_r: cmd
show_type: 0
success 1 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 events)
Expresses interest in specific running processes (2 events)
process remcos.exe
process ce75a0293f703092ac30a4b69b809edf.exe
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 185.227.82.54
host 172.217.24.14
host 194.5.97.48
172.217.24.14 lies in Google's 172.217.0.0/16 allocation and is more plausibly a connectivity check than command and control; 185.227.82.54 and 194.5.97.48 are the addresses to pivot on. The report shows no ports or payloads, so treat them as candidate C2, not confirmed.
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619925798.238874
NtAllocateVirtualMemory
process_identifier: 2844
region_size: 835584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000015c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Installs itself for autorun at Windows startup (18 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
(the same key and value were written 18 times; the 17 identical repeats are collapsed here)
Potential code injection by writing to the memory of another process (3 events)
Time & API Arguments Status Return Repeated
1619925798.238874
WriteProcessMemory
process_identifier: 2844
buffer: MZP... (a PE image: DOS stub "This program must be run under Win32", sections CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc, i.e. the same Borland/Delphi layout as the dropper; raw bytes not reproducible here)
process_handle: 0x0000015c
base_address: 0x00400000
success 1 0
1619925798.269874
WriteProcessMemory
process_identifier: 2844
buffer: 0H0HœÐG@H
process_handle: 0x0000015c
base_address: 0x00484000
success 1 0
1619925798.269874
WriteProcessMemory
process_identifier: 2844
buffer: @
process_handle: 0x0000015c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619925798.238874
WriteProcessMemory
process_identifier: 2844
buffer: MZP... (a PE image: DOS stub "This program must be run under Win32", sections CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc; raw bytes not reproducible here)
process_handle: 0x0000015c
base_address: 0x00400000
success 1 0
Creates a windows hook that monitors keyboard input (keylogger) (1 event)
hook_identifier 13 is WH_KEYBOARD_LL with thread_identifier 0, i.e. a global low-level keyboard hook; the callback 0x004051ae lies inside the image injected at 0x00400000, and the return value 131583 is the hook handle.
Time & API Arguments Status Return Repeated
1619925797.956874
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x004051ae
module_address: 0x00000000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 131583 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (10 events)
Process injection Process 912 called NtSetContextThread to modify thread in remote process 2852
Process injection Process 2032 called NtSetContextThread to modify thread in remote process 2040
Process injection Process 920 called NtSetContextThread to modify thread in remote process 3112
Process injection Process 2040 called NtSetContextThread to modify thread in remote process 2844
Process injection Process 2844 called NtSetContextThread to modify thread in remote process 3348
In every call the target is the initial thread of a process created with CREATE_SUSPENDED. On 32-bit Windows that thread's CONTEXT carries the entry point the loader will jump to in eax and the PEB address in ebx, which is what the values below show: ebx = 2130567168 = 0x7EFDE000 is the PEB (the WriteProcessMemory to 0x7efde008 above patches PEB.ImageBaseAddress at offset 8), and eax = 4274820 = 0x413A84 for the remapped copies and 4702440 = 0x47C0E8 for the svchost.exe host is the entry point of the injected image. The one non-zero eip (2010382788 = 0x77D401C4) falls inside ntdll, as expected for a thread that has not yet started.
Time & API Arguments Status Return Repeated
1619925780.536124
NtSetContextThread
thread_handle: 0x00000124
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2852
success 0 0
1619925797.628751
NtSetContextThread
thread_handle: 0x00000124
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2040
success 0 0
1619925801.738999
NtSetContextThread
thread_handle: 0x00000124
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3112
success 0 0
1619925798.269874
NtSetContextThread
thread_handle: 0x00000158
registers.eip: 2010382788
registers.esp: 1702368
registers.edi: 0
registers.eax: 4702440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2844
success 0 0
1619925809.442626
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3348
success 0 0
One or more non-safelisted processes were created (2 events)
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)
Process injection Process 912 resumed a thread in remote process 2852
Process injection Process 2032 resumed a thread in remote process 2040
Process injection Process 920 resumed a thread in remote process 3112
Process injection Process 2040 resumed a thread in remote process 2844
Process injection Process 2844 resumed a thread in remote process 3348
Time & API Arguments Status Return Repeated
1619925780.739124
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2852
success 0 0
1619925797.800751
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2040
success 0 0
1619925801.972999
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 3112
success 0 0
1619925798.660874
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2844
success 0 0
1619925809.692626
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 3348
success 0 0
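The five chains listed above, and the full call sequence in the next section, follow one of two hollowing recipes: create the host with CREATE_SUSPENDED, replace its image either by NtUnmapViewOfSection plus NtMapViewOfSection of a prepared section or by an RWX NtAllocateVirtualMemory at 0x00400000 followed by WriteProcessMemory of a PE image and a patch of PEB.ImageBaseAddress, then NtSetContextThread with eax pointing at the new entry point, and finally NtResumeThread. The Python below is an added example, not part of this report or of any sandbox's code: it walks a list of trace events and reports every target process whose chain matches, naming the technique, the entry point and any extra evidence. SAMPLE_TRACE is constructed by hand from the PIDs, timestamps and arguments printed in this report (buffers abbreviated, the caller PID taken from the "Process injection" lines); the key names mirror the report's labels, while the ev helper, the Finding class and the rule logic are this example's own.

```python
"""Flag process-hollowing chains in a Cuckoo-style API trace.

Added example, not part of the sandbox report. SAMPLE_TRACE is constructed
by hand from the PIDs, timestamps and arguments shown in this report; the
key names mirror the report's own labels, the rest is this example's.
"""
from collections import defaultdict
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40
PEB_IMAGE_BASE_OFFSET = 0x8   # PEB.ImageBaseAddress on 32-bit Windows


def ev(ts, caller, api, status="success", **args):
    """One trace event; 'caller' is the PID that issued the call."""
    return {"ts": ts, "caller": caller, "api": api, "status": status, "args": args}


SAMPLE_TRACE = [
    # 912 (the dropper) hollows a suspended copy of itself (2852) by section remap
    ev(1619925780.520, 912, "CreateProcessInternalW", process_identifier=2852,
       creation_flags=4, command_line="ce75a0293f703092ac30a4b69b809edf.exe"),
    ev(1619925780.520, 912, "NtUnmapViewOfSection", process_identifier=2852, base_address=0x400000),
    ev(1619925780.520, 912, "NtMapViewOfSection", process_identifier=2852,
       base_address=0x400000, win32_protect=0x40),
    ev(1619925780.536, 912, "NtSetContextThread", process_identifier=2852, eax=4274820, ebx=2130567168),
    ev(1619925780.739, 912, "NtResumeThread", process_identifier=2852),
    # 2216: ordinary (non-suspended) child, must not be flagged
    ev(1619925780.786, 912, "CreateProcessInternalW", process_identifier=2216,
       creation_flags=32, command_line="ce75a0293f703092ac30a4b69b809edf.exe 2 2852 27698453"),
    # 2040 (remcos.exe) manually maps a PE into a suspended svchost.exe (2844)
    ev(1619925798.238, 2040, "CreateProcessInternalW", process_identifier=2844,
       creation_flags=4, command_line="C:\\Windows\\SysWOW64\\svchost.exe"),
    ev(1619925798.238, 2040, "NtAllocateVirtualMemory", process_identifier=2844,
       base_address=0x400000, region_size=835584, protection=0x40),
    ev(1619925798.238, 2040, "WriteProcessMemory", process_identifier=2844,
       base_address=0x400000, buffer="MZP..."),
    ev(1619925798.269, 2040, "WriteProcessMemory", process_identifier=2844,
       base_address=0x7efde008, buffer="@"),
    ev(1619925798.269, 2040, "NtSetContextThread", process_identifier=2844, eax=4702440, ebx=2130567168),
    ev(1619925798.660, 2040, "NtResumeThread", process_identifier=2844),
    # 2844 (hollowed svchost) re-hollows a second svchost (3348); unmap fails, map succeeds
    ev(1619925809.426, 2844, "CreateProcessInternalW", process_identifier=3348,
       creation_flags=4, command_line="C:\\Windows\\SysWOW64\\svchost.exe"),
    ev(1619925809.426, 2844, "NtUnmapViewOfSection", process_identifier=3348,
       base_address=0x400000, status="failed"),
    ev(1619925809.426, 2844, "NtMapViewOfSection", process_identifier=3348,
       base_address=0x400000, win32_protect=0x40),
    ev(1619925809.442, 2844, "NtSetContextThread", process_identifier=3348, eax=4274820, ebx=2130567168),
    ev(1619925809.692, 2844, "NtResumeThread", process_identifier=3348),
]


@dataclass
class Finding:
    caller: int
    target: int
    image: str
    technique: str
    entry_point: int            # eax of the CONTEXT written to the suspended thread
    evidence: list = field(default_factory=list)


def find_hollowing(trace):
    """Group events by target PID and report each chain that matches:
    created suspended -> image replaced -> thread context rewritten -> resumed."""
    by_target = defaultdict(list)
    for e in sorted(trace, key=lambda e: e["ts"]):
        if "process_identifier" in e["args"]:
            by_target[e["args"]["process_identifier"]].append(e)

    findings = []
    for target, evs in by_target.items():
        def calls(api, **want):
            return [e for e in evs if e["api"] == api and e["status"] == "success"
                    and all(e["args"].get(k) == v for k, v in want.items())]

        created = [e for e in calls("CreateProcessInternalW")
                   if e["args"]["creation_flags"] & CREATE_SUSPENDED]
        ctx = calls("NtSetContextThread")
        if not (created and ctx and calls("NtResumeThread")):
            continue

        evidence = []
        if calls("NtMapViewOfSection", win32_protect=PAGE_EXECUTE_READWRITE):
            technique = "section remap (NtUnmapViewOfSection + NtMapViewOfSection)"
            if any(e["api"] == "NtUnmapViewOfSection" and e["status"] != "success" for e in evs):
                evidence.append("NtUnmapViewOfSection failed, map still succeeded")
        elif (calls("NtAllocateVirtualMemory", protection=PAGE_EXECUTE_READWRITE)
              and any(e["args"].get("buffer", "").startswith("MZ")
                      for e in calls("WriteProcessMemory"))):
            technique = "manual map (RWX NtAllocateVirtualMemory + WriteProcessMemory of a PE)"
        else:
            continue   # suspended start + context change alone is not enough evidence

        # ebx of a not-yet-started 32-bit thread is its PEB; ImageBaseAddress sits at +8
        peb = ctx[-1]["args"].get("ebx", 0)
        if calls("WriteProcessMemory", base_address=peb + PEB_IMAGE_BASE_OFFSET):
            evidence.append("PEB.ImageBaseAddress overwritten")

        findings.append(Finding(created[0]["caller"], target, created[0]["args"]["command_line"],
                                technique, ctx[-1]["args"]["eax"], evidence))
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_TRACE):
        print(f"{f.caller} -> {f.target} {f.image}: {f.technique}, "
              f"entry point 0x{f.entry_point:08x} {f.evidence}")
```

Grouping by target PID rather than by caller is what makes the rule robust to the chained layout seen here, where the hollowed svchost.exe (2844) immediately becomes the injector for the next one (3348). Requiring the image replacement step, not just CREATE_SUSPENDED plus NtSetContextThread, keeps debuggers and ordinary launchers (like the non-suspended child 2216) out of the findings; a failed NtUnmapViewOfSection is recorded as evidence rather than treated as a miss, because the map over the existing image still succeeded in the report.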
Executed a process and injected code into it, probably while unpacking (48 events)
Time & API Arguments Status Return Repeated
1619925780.520124
CreateProcessInternalW
thread_identifier: 152
thread_handle: 0x00000124
process_identifier: 2852
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ce75a0293f703092ac30a4b69b809edf.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619925780.520124
NtUnmapViewOfSection
process_identifier: 2852
region_size: 4096
process_handle: 0x00000128
base_address: 0x00400000
success 0 0
1619925780.520124
NtMapViewOfSection
section_handle: 0x00000130
process_identifier: 2852
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000128
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619925780.536124
NtGetContextThread
thread_handle: 0x00000124
success 0 0
1619925780.536124
NtSetContextThread
thread_handle: 0x00000124
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2852
success 0 0
1619925780.739124
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2852
success 0 0
1619925780.786124
CreateProcessInternalW
thread_identifier: 2620
thread_handle: 0x0000012c
process_identifier: 2216
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ce75a0293f703092ac30a4b69b809edf.exe" 2 2852 27698453
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000013c
inherit_handles: 0
success 1 0
1619925790.738874
CreateProcessInternalW
thread_identifier: 1060
thread_handle: 0x0000024c
process_identifier: 920
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ce75a0293f703092ac30a4b69b809edf.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ce75a0293f703092ac30a4b69b809edf.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000250
inherit_handles: 0
success 1 0
1619925781.645124
NtResumeThread
thread_handle: 0x000001e0
suspend_count: 1
process_identifier: 2852
success 0 0
1619925782.020124
CreateProcessInternalW
thread_identifier: 1888
thread_handle: 0x00000188
process_identifier: 1948
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\wscript.exe
track: 1
command_line: "C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs"
filepath_r: C:\Windows\System32\WScript.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000174
inherit_handles: 0
success 1 0
1619925785.426124
CreateProcessInternalW
thread_identifier: 2340
thread_handle: 0x000002ac
process_identifier: 3056
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002f4
inherit_handles: 0
success 1 0
1619925787.067501
CreateProcessInternalW
thread_identifier: 1688
thread_handle: 0x00000080
process_identifier: 2032
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1619925797.613751
CreateProcessInternalW
thread_identifier: 1108
thread_handle: 0x00000124
process_identifier: 2040
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619925797.613751
NtUnmapViewOfSection
process_identifier: 2040
region_size: 4096
process_handle: 0x00000128
base_address: 0x00400000
success 0 0
1619925797.613751
NtMapViewOfSection
section_handle: 0x00000130
process_identifier: 2040
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000128
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619925797.628751
NtGetContextThread
thread_handle: 0x00000124
success 0 0
1619925797.628751
NtSetContextThread
thread_handle: 0x00000124
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2040
success 0 0
1619925797.800751
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2040
success 0 0
1619925797.847751
CreateProcessInternalW
thread_identifier: 2200
thread_handle: 0x0000012c
process_identifier: 2548
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe" 2 2040 27715515
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000013c
inherit_handles: 0
success 1 0
1619925801.691999
CreateProcessInternalW
thread_identifier: 3116
thread_handle: 0x00000124
process_identifier: 3112
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ce75a0293f703092ac30a4b69b809edf.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619925801.691999
NtUnmapViewOfSection
process_identifier: 3112
region_size: 4096
process_handle: 0x00000128
base_address: 0x00400000
success 0 0
1619925801.691999
NtMapViewOfSection
section_handle: 0x00000130
process_identifier: 3112
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000128
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619925801.722999
NtGetContextThread
thread_handle: 0x00000124
success 0 0
1619925801.738999
NtSetContextThread
thread_handle: 0x00000124
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3112
success 0 0
1619925801.972999
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 3112
success 0 0
1619925802.222999
CreateProcessInternalW
thread_identifier: 3176
thread_handle: 0x0000012c
process_identifier: 3172
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ce75a0293f703092ac30a4b69b809edf.exe" 2 3112 27719687
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000013c
inherit_handles: 0
success 1 0
1619925798.238874
CreateProcessInternalW
thread_identifier: 2840
thread_handle: 0x00000158
process_identifier: 2844
current_directory:
filepath:
track: 1
command_line: C:\Windows\SysWOW64\svchost.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000015c
inherit_handles: 0
success 1 0
1619925798.238874
NtGetContextThread
thread_handle: 0x00000158
success 0 0
1619925798.238874
NtAllocateVirtualMemory
process_identifier: 2844
region_size: 835584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000015c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619925798.238874
WriteProcessMemory
process_identifier: 2844
buffer: MZP... (a PE image: DOS stub "This program must be run under Win32", sections CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc; raw bytes not reproducible here)
process_handle: 0x0000015c
base_address: 0x00400000
success 1 0
1619925798.238874
WriteProcessMemory
process_identifier: 2844
buffer:
process_handle: 0x0000015c
base_address: 0x00401000
success 1 0
1619925798.253874
WriteProcessMemory
process_identifier: 2844
buffer:
process_handle: 0x0000015c
base_address: 0x0047d000
success 1 0
1619925798.269874
WriteProcessMemory
process_identifier: 2844
buffer:
process_handle: 0x0000015c
base_address: 0x0047f000
failed 0 0
1619925798.269874
WriteProcessMemory
process_identifier: 2844
buffer:
process_handle: 0x0000015c
base_address: 0x00480000
success 1 0
1619925798.269874
WriteProcessMemory
process_identifier: 2844
buffer:
process_handle: 0x0000015c
base_address: 0x00483000
failed 0 0
1619925798.269874
WriteProcessMemory
process_identifier: 2844
buffer: 0H0HœÐG@H
process_handle: 0x0000015c
base_address: 0x00484000
success 1 0
1619925798.269874
WriteProcessMemory
process_identifier: 2844
buffer:
process_handle: 0x0000015c
base_address: 0x00485000
success 1 0
1619925798.269874
WriteProcessMemory
process_identifier: 2844
buffer:
process_handle: 0x0000015c
base_address: 0x0048e000
success 1 0
1619925798.269874
WriteProcessMemory
process_identifier: 2844
buffer: @
process_handle: 0x0000015c
base_address: 0x7efde008
success 1 0
1619925798.269874
NtSetContextThread
thread_handle: 0x00000158
registers.eip: 2010382788
registers.esp: 1702368
registers.edi: 0
registers.eax: 4702440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2844
success 0 0
1619925798.660874
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2844
success 0 0
1619925809.426626
CreateProcessInternalW
thread_identifier: 3352
thread_handle: 0x00000100
process_identifier: 3348
current_directory:
filepath:
track: 1
command_line: C:\Windows\SysWOW64\svchost.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619925809.426626
NtUnmapViewOfSection
process_identifier: 3348
region_size: 2004156416
process_handle: 0x00000104
base_address: 0x00400000
failed 3221225497 0
1619925809.426626
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3348
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619925809.442626
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619925809.442626
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3348
success 0 0
1619925809.692626
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 3348
success 0 0
1619925809.754626
CreateProcessInternalW
thread_identifier: 3412
thread_handle: 0x00000108
process_identifier: 3408
current_directory:
filepath:
track: 1
command_line: "C:\Windows\SysWOW64\svchost.exe" 2 3348 27727406
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)
MicroWorld-eScan Trojan.GenericKD.33824395
CAT-QuickHeal Trojan.CKGENERIC
McAfee Fareit-FTB!CE75A0293F70
Cylance Unsafe
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/NanoCore.fb22ec4c
K7GW Riskware ( 0040eff71 )
Cybereason malicious.d358ce
Arcabit Trojan.Generic.D2041E8B
Invincea heuristic
F-Prot W32/Trojan3.APDR
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Packed.LokiBot-7784611-0
Kaspersky HEUR:Trojan.Win32.Crypt.gen
BitDefender Trojan.GenericKD.33824395
NANO-Antivirus Trojan.Win32.KillProc2.hkcrjl
Paloalto generic.ml
Rising Trojan.Crypt!8.2E3 (CLOUD)
Endgame malicious (high confidence)
Sophos Mal/Fareit-AA
Comodo Malware@#2dw603jg2bdim
DrWeb Trojan.Nanocore.427
Zillya Dropper.Agent.Win32.427808
TrendMicro TrojanSpy.Win32.LOKI.SMAD1.hp
McAfee-GW-Edition BehavesLike.Win32.Fareit.bh
FireEye Generic.mg.ce75a0293f703092
Emsisoft Trojan.GenericKD.33824395 (B)
Cyren W32/Trojan.DGOD-4205
Webroot W32.Trojan.Gen
eGambit Unsafe.AI_Score_91%
Antiy-AVL Trojan/Win32.Wacatac
Microsoft Trojan:Win32/NanoCore.VD!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan.Win32.Crypt.gen
GData Win32.Trojan.Injector.PA
AhnLab-V3 Suspicious/Win.Delphiless.X2066
Acronis suspicious
BitDefenderTheta Gen:NN.ZelphiF.34122.XGW@aGSxVsji
ALYac Trojan.GenericKD.33824395
MAX malware (ai score=82)
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.Injector
ESET-NOD32 a variant of Win32/Injector.ELXR
TrendMicro-HouseCall TrojanSpy.Win32.LOKI.SMAD1.hp
Tencent Win32.Trojan.Crypt.Tbij
Yandex Trojan.Injector!WU6phEpeJiw
Ikarus Trojan.Inject
MaxSecure Trojan.Malware.10374761.susgen
Fortinet W32/Injector.ELZG!tr
The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)
file C:\Windows\SysWOW64\wscript.exe
file C:\Windows\System32\cmd.exe
Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running) (8 events)
dead_host 192.168.56.101:49213
dead_host 192.168.56.101:49190
dead_host 192.168.56.101:49199
dead_host 192.168.56.101:49211
dead_host 192.168.56.101:49207
dead_host 192.168.56.101:49208
dead_host 194.5.97.48:2404
dead_host 192.168.56.101:49216
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x4801a0 VirtualFree
0x4801a4 VirtualAlloc
0x4801a8 LocalFree
0x4801ac LocalAlloc
0x4801b0 GetVersion
0x4801b4 GetCurrentThreadId
0x4801c0 VirtualQuery
0x4801c4 WideCharToMultiByte
0x4801c8 MultiByteToWideChar
0x4801cc lstrlenA
0x4801d0 lstrcpynA
0x4801d4 LoadLibraryExA
0x4801d8 GetThreadLocale
0x4801dc GetStartupInfoA
0x4801e0 GetProcAddress
0x4801e4 GetModuleHandleA
0x4801e8 GetModuleFileNameA
0x4801ec GetLocaleInfoA
0x4801f0 GetCommandLineA
0x4801f4 FreeLibrary
0x4801f8 FindFirstFileA
0x4801fc FindClose
0x480200 ExitProcess
0x480204 ExitThread
0x480208 CreateThread
0x48020c WriteFile
0x480214 RtlUnwind
0x480218 RaiseException
0x48021c GetStdHandle
Library user32.dll:
0x480224 GetKeyboardType
0x480228 LoadStringA
0x48022c MessageBoxA
0x480230 CharNextA
Library advapi32.dll:
0x480238 RegQueryValueExA
0x48023c RegOpenKeyExA
0x480240 RegCloseKey
Library oleaut32.dll:
0x480248 SysFreeString
0x48024c SysReAllocStringLen
0x480250 SysAllocStringLen
Library kernel32.dll:
0x480258 TlsSetValue
0x48025c TlsGetValue
0x480260 LocalAlloc
0x480264 GetModuleHandleA
Library advapi32.dll:
0x48026c RegQueryValueExA
0x480270 RegOpenKeyExA
0x480274 RegCloseKey
Library kernel32.dll:
0x48027c lstrlenA
0x480280 lstrcpyA
0x480284 lstrcmpA
0x480288 WriteFile
0x48028c WaitForSingleObject
0x480294 VirtualQuery
0x480298 VirtualProtect
0x48029c VirtualAlloc
0x4802a0 Sleep
0x4802a4 SizeofResource
0x4802a8 SetThreadLocale
0x4802ac SetFilePointer
0x4802b0 SetEvent
0x4802b4 SetErrorMode
0x4802b8 SetEndOfFile
0x4802c0 ResumeThread
0x4802c4 ResetEvent
0x4802c8 ReleaseMutex
0x4802cc ReadFile
0x4802d0 MultiByteToWideChar
0x4802d4 MulDiv
0x4802d8 LockResource
0x4802dc LoadResource
0x4802e0 LoadLibraryA
0x4802ec GlobalUnlock
0x4802f0 GlobalSize
0x4802f4 GlobalReAlloc
0x4802f8 GlobalHandle
0x4802fc GlobalLock
0x480300 GlobalFree
0x480304 GlobalFindAtomA
0x480308 GlobalDeleteAtom
0x48030c GlobalAlloc
0x480310 GlobalAddAtomA
0x480314 GetVersionExA
0x480318 GetVersion
0x48031c GetTickCount
0x480320 GetThreadLocale
0x480328 GetSystemTime
0x48032c GetSystemInfo
0x480330 GetStringTypeExA
0x480334 GetStdHandle
0x480338 GetProfileStringA
0x48033c GetProcAddress
0x480340 GetModuleHandleA
0x480344 GetModuleFileNameA
0x480348 GetLocaleInfoA
0x48034c GetLocalTime
0x480350 GetLastError
0x480354 GetFullPathNameA
0x480358 GetExitCodeThread
0x48035c GetDiskFreeSpaceA
0x480360 GetDateFormatA
0x480364 GetCurrentThreadId
0x480368 GetCurrentProcessId
0x480370 GetCPInfo
0x480374 GetACP
0x480378 FreeResource
0x480380 InterlockedExchange
0x480388 FreeLibrary
0x48038c FormatMessageA
0x480390 FindResourceA
0x480398 FindFirstFileA
0x4803a4 FindClose
0x4803b4 ExitThread
0x4803b8 ExitProcess
0x4803bc EnumCalendarInfoA
0x4803c8 CreateThread
0x4803cc CreateMutexA
0x4803d0 CreateFileA
0x4803d4 CreateEventA
0x4803d8 CompareStringA
0x4803dc CloseHandle
Library version.dll:
0x4803e4 VerQueryValueA
0x4803ec GetFileVersionInfoA
Library gdi32.dll:
0x4803f4 UnrealizeObject
0x4803f8 StretchBlt
0x4803fc SetWindowOrgEx
0x480400 SetViewportOrgEx
0x480404 SetTextColor
0x480408 SetStretchBltMode
0x48040c SetROP2
0x480410 SetPixel
0x480414 SetDIBColorTable
0x480418 SetBrushOrgEx
0x48041c SetBkMode
0x480420 SetBkColor
0x480424 SelectPalette
0x480428 SelectObject
0x48042c SaveDC
0x480430 RestoreDC
0x480434 Rectangle
0x480438 RectVisible
0x48043c RealizePalette
0x480440 PatBlt
0x480444 MoveToEx
0x480448 MaskBlt
0x48044c LineTo
0x480450 IntersectClipRect
0x480454 GetWindowOrgEx
0x480458 GetTextMetricsA
0x480464 GetStockObject
0x480468 GetPixel
0x48046c GetPaletteEntries
0x480470 GetObjectA
0x480474 GetDeviceCaps
0x480478 GetDIBits
0x48047c GetDIBColorTable
0x480480 GetDCOrgEx
0x480488 GetClipBox
0x48048c GetBrushOrgEx
0x480490 GetBkMode
0x480494 GetBitmapBits
0x480498 ExtTextOutA
0x48049c ExcludeClipRect
0x4804a0 EndPage
0x4804a4 EndDoc
0x4804a8 DeleteObject
0x4804ac DeleteDC
0x4804b0 CreateSolidBrush
0x4804b4 CreatePenIndirect
0x4804b8 CreatePen
0x4804bc CreatePalette
0x4804c0 CreateICA
0x4804c8 CreateFontIndirectA
0x4804cc CreateDIBitmap
0x4804d0 CreateDIBSection
0x4804d4 CreateDCA
0x4804d8 CreateCompatibleDC
0x4804e0 CreateBrushIndirect
0x4804e4 CreateBitmap
0x4804e8 BitBlt
Library user32.dll:
0x4804f0 CreateWindowExA
0x4804f4 WindowFromPoint
0x4804f8 WinHelpA
0x4804fc WaitMessage
0x480500 ValidateRect
0x480504 UpdateWindow
0x480508 UnregisterClassA
0x48050c UnhookWindowsHookEx
0x480510 TranslateMessage
0x480518 TrackPopupMenu
0x480520 ShowWindow
0x480524 ShowScrollBar
0x480528 ShowOwnedPopups
0x48052c ShowCursor
0x480530 SetWindowsHookExA
0x480534 SetWindowTextA
0x480538 SetWindowPos
0x48053c SetWindowPlacement
0x480540 SetWindowLongA
0x480544 SetTimer
0x480548 SetScrollRange
0x48054c SetScrollPos
0x480550 SetScrollInfo
0x480554 SetRect
0x480558 SetPropA
0x48055c SetParent
0x480560 SetMenuItemInfoA
0x480564 SetMenu
0x480568 SetForegroundWindow
0x48056c SetFocus
0x480570 SetCursor
0x480574 SetClassLongA
0x480578 SetCapture
0x48057c SetActiveWindow
0x480580 SendMessageA
0x480584 ScrollWindow
0x480588 ScreenToClient
0x48058c RemovePropA
0x480590 RemoveMenu
0x480594 ReleaseDC
0x480598 ReleaseCapture
0x4805a4 RegisterClassA
0x4805a8 RedrawWindow
0x4805ac PtInRect
0x4805b0 PostQuitMessage
0x4805b4 PostMessageA
0x4805b8 PeekMessageA
0x4805bc OffsetRect
0x4805c0 OemToCharA
0x4805c8 MessageBoxA
0x4805cc MapWindowPoints
0x4805d0 MapVirtualKeyA
0x4805d4 LoadStringA
0x4805d8 LoadKeyboardLayoutA
0x4805dc LoadIconA
0x4805e0 LoadCursorA
0x4805e4 LoadBitmapA
0x4805e8 KillTimer
0x4805ec IsZoomed
0x4805f0 IsWindowVisible
0x4805f4 IsWindowEnabled
0x4805f8 IsWindow
0x4805fc IsRectEmpty
0x480600 IsIconic
0x480604 IsDialogMessageA
0x480608 IsChild
0x48060c InvalidateRect
0x480610 IntersectRect
0x480614 InsertMenuItemA
0x480618 InsertMenuA
0x48061c InflateRect
0x480624 GetWindowTextA
0x480628 GetWindowRect
0x48062c GetWindowPlacement
0x480630 GetWindowLongA
0x480634 GetWindowDC
0x480638 GetTopWindow
0x48063c GetSystemMetrics
0x480640 GetSystemMenu
0x480644 GetSysColorBrush
0x480648 GetSysColor
0x48064c GetSubMenu
0x480650 GetScrollRange
0x480654 GetScrollPos
0x480658 GetScrollInfo
0x48065c GetPropA
0x480660 GetParent
0x480664 GetWindow
0x480668 GetMessagePos
0x48066c GetMenuStringA
0x480670 GetMenuState
0x480674 GetMenuItemInfoA
0x480678 GetMenuItemID
0x48067c GetMenuItemCount
0x480680 GetMenu
0x480684 GetLastActivePopup
0x480688 GetKeyboardState
0x480690 GetKeyboardLayout
0x480694 GetKeyState
0x480698 GetKeyNameTextA
0x48069c GetIconInfo
0x4806a0 GetForegroundWindow
0x4806a4 GetFocus
0x4806a8 GetDesktopWindow
0x4806ac GetDCEx
0x4806b0 GetDC
0x4806b4 GetCursorPos
0x4806b8 GetCursor
0x4806bc GetClientRect
0x4806c0 GetClassNameA
0x4806c4 GetClassInfoA
0x4806c8 GetCapture
0x4806cc GetActiveWindow
0x4806d0 FrameRect
0x4806d4 FindWindowA
0x4806d8 FillRect
0x4806dc EqualRect
0x4806e0 EnumWindows
0x4806e4 EnumThreadWindows
0x4806e8 EndPaint
0x4806ec EnableWindow
0x4806f0 EnableScrollBar
0x4806f4 EnableMenuItem
0x4806f8 DrawTextA
0x4806fc DrawMenuBar
0x480700 DrawIconEx
0x480704 DrawIcon
0x480708 DrawFrameControl
0x48070c DrawFocusRect
0x480710 DrawEdge
0x480714 DispatchMessageA
0x480718 DestroyWindow
0x48071c DestroyMenu
0x480720 DestroyIcon
0x480724 DestroyCursor
0x480728 DeleteMenu
0x48072c DefWindowProcA
0x480730 DefMDIChildProcA
0x480734 DefFrameProcA
0x480738 CreatePopupMenu
0x48073c CreateMenu
0x480740 CreateIcon
0x480744 ClientToScreen
0x48074c CheckMenuItem
0x480750 CallWindowProcA
0x480754 CallNextHookEx
0x480758 BeginPaint
0x48075c CharNextA
0x480760 CharLowerA
0x480764 CharUpperBuffA
0x480768 CharToOemA
0x48076c AdjustWindowRectEx
Library kernel32.dll:
0x480778 Sleep
Library oleaut32.dll:
0x480780 SafeArrayPtrOfIndex
0x480784 SafeArrayGetUBound
0x480788 SafeArrayGetLBound
0x48078c SafeArrayCreate
0x480790 VariantChangeType
0x480794 VariantCopy
0x480798 VariantClear
0x48079c VariantInit
Library ole32.dll:
0x4807a4 OleUninitialize
0x4807a8 OleInitialize
0x4807ac CoTaskMemAlloc
0x4807b0 CoCreateInstance
0x4807b4 CoUninitialize
0x4807b8 CoInitialize
Library oleaut32.dll:
0x4807c0 GetErrorInfo
0x4807c4 SysFreeString
Library comctl32.dll:
0x4807d4 ImageList_Write
0x4807d8 ImageList_Read
0x4807e8 ImageList_DragMove
0x4807ec ImageList_DragLeave
0x4807f0 ImageList_DragEnter
0x4807f4 ImageList_EndDrag
0x4807f8 ImageList_BeginDrag
0x4807fc ImageList_Remove
0x480800 ImageList_DrawEx
0x480804 ImageList_Draw
0x480814 ImageList_Add
0x48081c ImageList_Destroy
0x480820 ImageList_Create
0x480824 InitCommonControls
Library winspool.drv:
0x48082c OpenPrinterA
0x480830 EnumPrintersA
0x480834 DocumentPropertiesA
0x480838 ClosePrinter
Library shell32.dll:
0x480840 ShellExecuteExA
0x480844 ShellExecuteA
0x480848 SHGetFileInfoA
Library shell32.dll:
0x480854 SHGetMalloc
0x480858 SHGetDesktopFolder
Library comdlg32.dll:
0x480860 PageSetupDlgA

Hosts

No hosts contacted.

TCP

Source          Source Port   Destination     Destination Port
185.227.82.54   80            192.168.56.101  49178

UDP

Source          Source Port   Destination      Destination Port
192.168.56.101  49235         114.114.114.114  53
192.168.56.101  50534         114.114.114.114  53
192.168.56.101  56539         114.114.114.114  53
192.168.56.101  65004         114.114.114.114  53
192.168.56.101  137           192.168.56.255   137
192.168.56.101  138           192.168.56.255   138
192.168.56.101  55368         224.0.0.252      5355
192.168.56.101  56804         224.0.0.252      5355
192.168.56.101  60123         224.0.0.252      5355
192.168.56.101  62191         224.0.0.252      5355
192.168.56.101  1900          239.255.255.250  1900
192.168.56.101  50535         239.255.255.250  3702
192.168.56.101  50537         239.255.255.250  3702
192.168.56.101  56540         239.255.255.250  3702
192.168.56.101  56807         239.255.255.250  1900
192.168.56.101  58707         239.255.255.250  3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.