5.4
Medium risk

a6d35cb7c29eee9c9d66371739a8d2262b514a7e6fae17c8c4ba711e5631f2db

d51232c9877e591c35c206d20d397fac.exe

Analysis time

101s

Latest analysis

File size

29.5MB
Static detection Dynamic detection SCORE UNSAFE
Eagle Eye engine
Not detected No Eagle Eye engine detection results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee 20191231 6.0.6.653
Alibaba 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast 20191231 18.4.3895.0
Kingsoft 20191231 2013.8.14.323
Tencent 20191231 1.0.0.1
CrowdStrike 20190702 1.0
Static indicators
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1620985520.734625
IsDebuggerPresent
failed 0 0
This executable is signed
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .itext
One or more processes crashed (4 events)
Time & API Arguments Status Return Repeated
1621005943.537124
__exception__
stacktrace:
jnzCLTCommit+0x1690 jnz2_0+0x88430 @ 0x10088430
jnzCLTCommit+0x187f jnz2_0+0x8861f @ 0x1008861f
jnzMidInfo+0x1cd jnzDataFree-0x7da3 jnz2_0+0x7ca8d @ 0x1007ca8d
jnzCLTCommit+0x9305 jnz2_0+0x900a5 @ 0x100900a5
jnzCLTCommit+0x9367 jnz2_0+0x90107 @ 0x10090107
jnzMidInfo-0x1e5d9 jnz2_0+0x5e2e7 @ 0x1005e2e7
jnzMidInfo-0x1e532 jnz2_0+0x5e38e @ 0x1005e38e

registers.esp: 1631612
registers.edi: 0
registers.eax: 1
registers.ebp: 1631668
registers.edx: 66
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e7 5b eb 38 8b 45 ec
exception.exception_code: 0xc000001d
exception.symbol: jnzCLTCommit+0x19d6 jnz2_0+0x88776
exception.address: 0x10088776
success 0 0
1621005943.537124
__exception__
stacktrace:
jnzCLTCommit+0x169d jnz2_0+0x8843d @ 0x1008843d
jnzCLTCommit+0x187f jnz2_0+0x8861f @ 0x1008861f
jnzMidInfo+0x1cd jnzDataFree-0x7da3 jnz2_0+0x7ca8d @ 0x1007ca8d
jnzCLTCommit+0x9305 jnz2_0+0x900a5 @ 0x100900a5
jnzCLTCommit+0x9367 jnz2_0+0x90107 @ 0x10090107
jnzMidInfo-0x1e5d9 jnz2_0+0x5e2e7 @ 0x1005e2e7
jnzMidInfo-0x1e532 jnz2_0+0x5e38e @ 0x1005e38e

registers.esp: 1631612
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1631668
registers.edx: 22104
registers.ebx: 0
registers.esi: 0
registers.ecx: 10
exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45
exception.instruction: in eax, dx
exception.exception_code: 0xc0000096
exception.symbol: jnzCLTCommit+0x1915 jnz2_0+0x886b5
exception.address: 0x100886b5
success 0 0
1621005944.787124
__exception__
stacktrace:
jnzCLTCommit+0x14b0 jnz2_0+0x88250 @ 0x10088250
jnzCLTCommit+0x17ff jnz2_0+0x8859f @ 0x1008859f
jnzMidInfo+0xa58 jnzDataFree-0x7518 jnz2_0+0x7d318 @ 0x1007d318
jnzCLTCommit+0x9305 jnz2_0+0x900a5 @ 0x100900a5
jnzCLTCommit+0x9367 jnz2_0+0x90107 @ 0x10090107
jnzMidInfo-0x1e5d9 jnz2_0+0x5e2e7 @ 0x1005e2e7
jnzMidInfo-0x1e532 jnz2_0+0x5e38e @ 0x1005e38e

registers.esp: 1631612
registers.edi: 0
registers.eax: 1
registers.ebp: 1631668
registers.edx: 0
registers.ebx: 0
registers.esi: 8
registers.ecx: 0
exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e7 5b eb 38 8b 45 ec
exception.exception_code: 0xc000001d
exception.symbol: jnzCLTCommit+0x19d6 jnz2_0+0x88776
exception.address: 0x10088776
success 0 0
1621005944.787124
__exception__
stacktrace:
jnzCLTCommit+0x14bd jnz2_0+0x8825d @ 0x1008825d
jnzCLTCommit+0x17ff jnz2_0+0x8859f @ 0x1008859f
jnzMidInfo+0xa58 jnzDataFree-0x7518 jnz2_0+0x7d318 @ 0x1007d318
jnzCLTCommit+0x9305 jnz2_0+0x900a5 @ 0x100900a5
jnzCLTCommit+0x9367 jnz2_0+0x90107 @ 0x10090107
jnzMidInfo-0x1e5d9 jnz2_0+0x5e2e7 @ 0x1005e2e7
jnzMidInfo-0x1e532 jnz2_0+0x5e38e @ 0x1005e38e

registers.esp: 1631612
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1631668
registers.edx: 22104
registers.ebx: 0
registers.esi: 8
registers.ecx: 10
exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45
exception.instruction: in eax, dx
exception.exception_code: 0xc0000096
exception.symbol: jnzCLTCommit+0x1915 jnz2_0+0x886b5
exception.address: 0x100886b5
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (25 events)
Time & API Arguments Status Return Repeated
1620985520.078625
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620985520.078625
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 90112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1620985520.078625
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 131072
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00420000
success 0 0
1621005941.005124
NtAllocateVirtualMemory
process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01ff0000
success 0 0
1621005942.568124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 3231744
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x100d1000
success 0 0
1621005942.568124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 634880
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10001000
success 0 0
1621005943.458124
NtAllocateVirtualMemory
process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03fa0000
success 0 0
1621005944.849124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03fb1000
success 0 0
1621005944.849124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03fbc000
success 0 0
1621005944.849124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03fbd000
success 0 0
1621005944.849124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03fbe000
success 0 0
1621005944.927124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03fc1000
success 0 0
1621005944.927124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03fd0000
success 0 0
1621005944.927124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03fd1000
success 0 0
1621005944.927124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03fd3000
success 0 0
1621005946.474124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x040e0000
success 0 0
1621005946.490124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x040e0000
success 0 0
1621005946.521124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x040e0000
success 0 0
1621005946.568124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x040e0000
success 0 0
1621005946.583124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x040e0000
success 0 0
1621005946.599124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x040e0000
success 0 0
1621005946.615124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x040e0000
success 0 0
1621005946.646124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x040e0000
success 0 0
1621005946.677124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x040e0000
success 0 0
1621005946.849124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x040e0000
success 0 0
Creates executable files on the filesystem (4 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-N32RS.tmp\botva2.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-N32RS.tmp\innocallback.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-N32RS.tmp\_isetup\_shfoldr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-N32RS.tmp\Jnz2_0.dll
Drops an executable to the user AppData folder (5 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-N32RS.tmp\Jnz2_0.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-N32RS.tmp\botva2.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-N32RS.tmp\innocallback.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-N32RS.tmp\_isetup\_shfoldr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-BI9N1.tmp\d51232c9877e591c35c206d20d397fac.tmp
File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)
Paloalto generic.ml
eGambit Unsafe.AI_Score_69%
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1621005943.474124
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x03fa0000
success 0 0
Queries for potentially installed applications (3 events)
Time & API Arguments Status Return Repeated
1621005944.958124
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{81C048DD-73B6-41CB-82F0-88297C1E09B8}_is1
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{81C048DD-73B6-41CB-82F0-88297C1E09B8}_is1
options: 0
failed 2 0
1621005946.068124
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{81C048DD-73B6-41CB-82F0-88297C1E09B8}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{81C048DD-73B6-41CB-82F0-88297C1E09B8}_is1
options: 0
failed 2 0
1621005946.068124
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{81C048DD-73B6-41CB-82F0-88297C1E09B8}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{81C048DD-73B6-41CB-82F0-88297C1E09B8}_is1
options: 0
failed 2 0
Network communication
Queries information on disks, possibly for anti-virtualization (3 events)
Time & API Arguments Status Return Repeated
1621005943.552124
NtCreateFile
create_disposition: 1 (FILE_OPEN)
file_handle: 0x00000158
filepath: \??\PhysicalDrive0
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 1 (FILE_OPENED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
success 0 0
1621005944.802124
NtCreateFile
create_disposition: 1 (FILE_OPEN)
file_handle: 0x00000174
filepath: \??\PhysicalDrive0
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 0 (FILE_SUPERSEDED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
success 0 0
1621005944.802124
DeviceIoControl
input_buffer:
device_handle: 0x00000174
control_code: 2954240 ()
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566434623363626138662d3764623238312037
success 1 0
Detects VMware through the in instruction feature (1 event)
Time & API Arguments Status Return Repeated
1621005943.537124
__exception__
stacktrace:
jnzCLTCommit+0x169d jnz2_0+0x8843d @ 0x1008843d
jnzCLTCommit+0x187f jnz2_0+0x8861f @ 0x1008861f
jnzMidInfo+0x1cd jnzDataFree-0x7da3 jnz2_0+0x7ca8d @ 0x1007ca8d
jnzCLTCommit+0x9305 jnz2_0+0x900a5 @ 0x100900a5
jnzCLTCommit+0x9367 jnz2_0+0x90107 @ 0x10090107
jnzMidInfo-0x1e5d9 jnz2_0+0x5e2e7 @ 0x1005e2e7
jnzMidInfo-0x1e532 jnz2_0+0x5e38e @ 0x1005e38e

registers.esp: 1631612
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1631668
registers.edx: 22104
registers.ebx: 0
registers.esi: 0
registers.ecx: 10
exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45
exception.instruction: in eax, dx
exception.exception_code: 0xc0000096
exception.symbol: jnzCLTCommit+0x1915 jnz2_0+0x886b5
exception.address: 0x100886b5
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 172.217.24.14:443
Visual analysis
Binary image
No binary image: this sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran


PE Compile Time

2012-10-02 13:04:04

Imports

Library oleaut32.dll:
0x41e350 SysFreeString
0x41e354 SysReAllocStringLen
0x41e358 SysAllocStringLen
Library advapi32.dll:
0x41e360 RegQueryValueExW
0x41e364 RegOpenKeyExW
0x41e368 RegCloseKey
Library user32.dll:
0x41e370 GetKeyboardType
0x41e374 LoadStringW
0x41e378 MessageBoxA
0x41e37c CharNextW
Library kernel32.dll:
0x41e384 GetACP
0x41e388 Sleep
0x41e38c VirtualFree
0x41e390 VirtualAlloc
0x41e394 GetSystemInfo
0x41e398 GetTickCount
0x41e3a0 GetVersion
0x41e3a4 GetCurrentThreadId
0x41e3a8 VirtualQuery
0x41e3ac WideCharToMultiByte
0x41e3b0 MultiByteToWideChar
0x41e3b4 lstrlenW
0x41e3b8 lstrcpynW
0x41e3bc LoadLibraryExW
0x41e3c0 GetThreadLocale
0x41e3c4 GetStartupInfoA
0x41e3c8 GetProcAddress
0x41e3cc GetModuleHandleW
0x41e3d0 GetModuleFileNameW
0x41e3d4 GetLocaleInfoW
0x41e3d8 GetCommandLineW
0x41e3dc FreeLibrary
0x41e3e0 FindFirstFileW
0x41e3e4 FindClose
0x41e3e8 ExitProcess
0x41e3ec WriteFile
0x41e3f4 RtlUnwind
0x41e3f8 RaiseException
0x41e3fc GetStdHandle
0x41e400 CloseHandle
Library kernel32.dll:
0x41e408 TlsSetValue
0x41e40c TlsGetValue
0x41e410 LocalAlloc
0x41e414 GetModuleHandleW
Library user32.dll:
0x41e41c CreateWindowExW
0x41e420 TranslateMessage
0x41e424 SetWindowLongW
0x41e428 PeekMessageW
0x41e430 MessageBoxW
0x41e434 LoadStringW
0x41e438 GetSystemMetrics
0x41e43c ExitWindowsEx
0x41e440 DispatchMessageW
0x41e444 DestroyWindow
0x41e448 CharUpperBuffW
0x41e44c CallWindowProcW
Library kernel32.dll:
0x41e454 WriteFile
0x41e458 WideCharToMultiByte
0x41e45c WaitForSingleObject
0x41e460 VirtualQuery
0x41e464 VirtualProtect
0x41e468 VirtualFree
0x41e46c VirtualAlloc
0x41e470 SizeofResource
0x41e474 SignalObjectAndWait
0x41e478 SetLastError
0x41e47c SetFilePointer
0x41e480 SetEvent
0x41e484 SetErrorMode
0x41e488 SetEndOfFile
0x41e48c ResetEvent
0x41e490 RemoveDirectoryW
0x41e494 ReadFile
0x41e498 MultiByteToWideChar
0x41e49c LockResource
0x41e4a0 LoadResource
0x41e4a4 LoadLibraryW
0x41e4b4 GetVersionExW
0x41e4bc GetThreadLocale
0x41e4c0 GetSystemInfo
0x41e4c4 GetStdHandle
0x41e4c8 GetProcAddress
0x41e4cc GetModuleHandleW
0x41e4d0 GetModuleFileNameW
0x41e4d4 GetLocaleInfoW
0x41e4d8 GetLocalTime
0x41e4dc GetLastError
0x41e4e0 GetFullPathNameW
0x41e4e4 GetFileSize
0x41e4e8 GetFileAttributesW
0x41e4ec GetExitCodeProcess
0x41e4f4 GetDiskFreeSpaceW
0x41e4f8 GetDateFormatW
0x41e4fc GetCurrentProcess
0x41e500 GetCommandLineW
0x41e504 GetCPInfo
0x41e508 InterlockedExchange
0x41e510 FreeLibrary
0x41e514 FormatMessageW
0x41e518 FindResourceW
0x41e51c EnumCalendarInfoW
0x41e524 DeleteFileW
0x41e52c CreateProcessW
0x41e530 CreateFileW
0x41e534 CreateEventW
0x41e538 CreateDirectoryW
0x41e53c CompareStringW
0x41e540 CloseHandle
Library advapi32.dll:
0x41e548 RegQueryValueExW
0x41e54c RegOpenKeyExW
0x41e550 RegCloseKey
0x41e554 OpenProcessToken
Library comctl32.dll:
0x41e560 InitCommonControls
Library kernel32.dll:
0x41e568 Sleep
Library advapi32.dll:
Library oleaut32.dll:
0x41e578 SafeArrayPtrOfIndex
0x41e57c SafeArrayGetUBound
0x41e580 SafeArrayGetLBound
0x41e584 SafeArrayCreate
0x41e588 VariantChangeType
0x41e58c VariantCopy
0x41e590 VariantClear
0x41e594 VariantInit

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50003 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.