10.4
0-day

99b8af6a588d533f5db198d141d5909149f6f34c8a9535c09353f1a8a813600f

e5e2b8c0146db42bd9ae242db8ec2f74.exe

Analysis duration

131s

Last analysis

File size

826.5KB
Static detections / Dynamic detections: 100% AGENSLA AI SCORE=83 ALI2000015 AMLU ATTRIBUTE CLASSIC CONFIDENCE DELFINJECT DELPHILESS EESQ ELJN FAREIT FPVXC G4EPXOMWQPE GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HIKGJJ KPOT LOKI MALICIOUS PE MALWARE@#2I905WD4KA46R MODERATE QBUB QQPASS QQROB QVM05 RNNS SAGONAIRE SCORE SIGGEN2 SMDF SUSGEN TROJAN2 UNSAFE WACATAC X2059 ZELPHIF ZGX@A4VME9DI
Eagle Eye engine
Not detected: no Eagle Eye engine results are available
Static verdict
Antivirus engines
Engine       Result                              Date      Version
McAfee       Fareit-FRQ!E5E2B8C0146D             20200505  6.0.6.653
Alibaba      Trojan:Win32/DelfInject.ali2000015  20190527  0.3.0.5
Baidu        -                                   20190318  1.0.0.2
Avast        Win32:Trojan-gen                    20200505  18.4.3895.0
Kingsoft     -                                   20200505  2013.8.14.323
Tencent      Win32.Trojan-qqpass.Qqrob.Amlu      20200505  1.0.0.1
CrowdStrike  win/malicious_confidence_100% (W)   20190702  1.0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 129 events)
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chlz.vbs
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 86 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.307810119245324 section {'size_of_data': '0x00037e00', 'virtual_address': '0x0009c000', 'entropy': 7.307810119245324, 'name': '.rsrc', 'virtual_size': '0x00037d80'} description A section with a high entropy has been found
entropy 0.27090909090909093 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process chlz.exe
Repeatedly searches for a not-found process; you may want to run a web browser during analysis (50 out of 54 events)
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe:ZoneIdentifier
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chlz.vbs
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (36 events)
Process injection Process 2120 called NtSetContextThread to modify thread in remote process 2440
Process injection Process 1812 called NtSetContextThread to modify thread in remote process 2948
Process injection Process 3088 called NtSetContextThread to modify thread in remote process 3164
Process injection Process 3340 called NtSetContextThread to modify thread in remote process 3408
Process injection Process 3568 called NtSetContextThread to modify thread in remote process 3636
Process injection Process 3800 called NtSetContextThread to modify thread in remote process 3876
Process injection Process 3440 called NtSetContextThread to modify thread in remote process 3552
Process injection Process 3812 called NtSetContextThread to modify thread in remote process 3952
Process injection Process 3372 called NtSetContextThread to modify thread in remote process 3600
Process injection Process 2144 called NtSetContextThread to modify thread in remote process 3668
Process injection Process 3984 called NtSetContextThread to modify thread in remote process 3780
Process injection Process 3288 called NtSetContextThread to modify thread in remote process 3824
Process injection Process 4012 called NtSetContextThread to modify thread in remote process 4040
Process injection Process 664 called NtSetContextThread to modify thread in remote process 1876
Process injection Process 3956 called NtSetContextThread to modify thread in remote process 2840
Process injection Process 1904 called NtSetContextThread to modify thread in remote process 520
Process injection Process 2128 called NtSetContextThread to modify thread in remote process 2336
Process injection Process 2536 called NtSetContextThread to modify thread in remote process 3564
Resumed a suspended thread in a remote process, potentially indicative of process injection (36 events)
Process injection Process 2120 resumed a thread in remote process 2440
Process injection Process 1812 resumed a thread in remote process 2948
Process injection Process 3088 resumed a thread in remote process 3164
Process injection Process 3340 resumed a thread in remote process 3408
Process injection Process 3568 resumed a thread in remote process 3636
Process injection Process 3800 resumed a thread in remote process 3876
Process injection Process 3440 resumed a thread in remote process 3552
Process injection Process 3812 resumed a thread in remote process 3952
Process injection Process 3372 resumed a thread in remote process 3600
Process injection Process 2144 resumed a thread in remote process 3668
Process injection Process 3984 resumed a thread in remote process 3780
Process injection Process 3288 resumed a thread in remote process 3824
Process injection Process 4012 resumed a thread in remote process 4040
Process injection Process 664 resumed a thread in remote process 1876
Process injection Process 3956 resumed a thread in remote process 2840
Process injection Process 1904 resumed a thread in remote process 520
Process injection Process 2128 resumed a thread in remote process 2336
Process injection Process 2536 resumed a thread in remote process 3564
Executed a process and injected code into it, probably while unpacking (50 of 144 events). The same sequence repeats once per hollowed child: CreateProcessInternalW starts a fresh chlz.exe with creation_flags 4 (CREATE_SUSPENDED); NtUnmapViewOfSection removes the original image at base_address 0x00400000; NtMapViewOfSection maps a 172032-byte (0x2A000) section at that same base as PAGE_EXECUTE_READWRITE; NtGetContextThread/NtSetContextThread rewrite the suspended thread's context, with eax set to 4306512 (0x0041B650, inside the mapped section) and ebx to 2130567168 (0x7EFDE000). On x86 the initial thread context of a suspended process carries the image entry point in EAX and the PEB address in EBX, so redirecting EAX is what makes the child run the injected image when NtResumeThread releases it. This is the classic process-hollowing (RunPE) pattern. Immediately after each resume the parent launches a third chlz.exe instance with the command line `"...\chlz.exe" 2 <hollowed pid> <number>`, passing the hollowed child's PID as an argument.
Time & API Arguments Status Return Repeated
1619954733.445626
CreateProcessInternalW
thread_identifier: 2288
thread_handle: 0x00000108
process_identifier: 2120
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619954733.976499
CreateProcessInternalW
thread_identifier: 472
thread_handle: 0x00000100
process_identifier: 2440
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
1619954733.976499
NtUnmapViewOfSection
process_identifier: 2440
region_size: 4096
process_handle: 0x00000108
base_address: 0x00400000
success 0 0
1619954733.976499
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 2440
commit_size: 172032
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000108
allocation_type: 0 ()
section_offset: 0
view_size: 172032
base_address: 0x00400000
success 0 0
1619954733.992499
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619954733.992499
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306512
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2440
success 0 0
1619954734.742499
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 2440
success 0 0
1619954734.758499
CreateProcessInternalW
thread_identifier: 2952
thread_handle: 0x0000010c
process_identifier: 2956
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe" 2 2440 25308312
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619954735.430626
CreateProcessInternalW
thread_identifier: 2900
thread_handle: 0x00000114
process_identifier: 1812
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619954736.133499
CreateProcessInternalW
thread_identifier: 2960
thread_handle: 0x00000100
process_identifier: 2948
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
1619954736.133499
NtUnmapViewOfSection
process_identifier: 2948
region_size: 4096
process_handle: 0x00000108
base_address: 0x00400000
success 0 0
1619954736.133499
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 2948
commit_size: 172032
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000108
allocation_type: 0 ()
section_offset: 0
view_size: 172032
base_address: 0x00400000
success 0 0
1619954736.148499
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619954736.148499
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306512
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2948
success 0 0
1619954736.195499
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 2948
success 0 0
1619954736.211499
CreateProcessInternalW
thread_identifier: 1804
thread_handle: 0x0000010c
process_identifier: 1108
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe" 2 2948 25309765
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619954736.743124
CreateProcessInternalW
thread_identifier: 3092
thread_handle: 0x0000010c
process_identifier: 3088
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619954738.055999
CreateProcessInternalW
thread_identifier: 3168
thread_handle: 0x00000100
process_identifier: 3164
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
1619954738.055999
NtUnmapViewOfSection
process_identifier: 3164
region_size: 4096
process_handle: 0x00000108
base_address: 0x00400000
success 0 0
1619954738.055999
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 3164
commit_size: 172032
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000108
allocation_type: 0 ()
section_offset: 0
view_size: 172032
base_address: 0x00400000
success 0 0
1619954738.070999
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619954738.070999
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306512
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3164
success 0 0
1619954738.086999
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 3164
success 0 0
1619954738.101999
CreateProcessInternalW
thread_identifier: 3228
thread_handle: 0x0000010c
process_identifier: 3224
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe" 2 3164 25311656
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619954739.742751
CreateProcessInternalW
thread_identifier: 3344
thread_handle: 0x00000108
process_identifier: 3340
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619954740.101374
CreateProcessInternalW
thread_identifier: 3412
thread_handle: 0x00000100
process_identifier: 3408
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
1619954740.101374
NtUnmapViewOfSection
process_identifier: 3408
region_size: 4096
process_handle: 0x00000108
base_address: 0x00400000
success 0 0
1619954740.101374
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 3408
commit_size: 172032
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000108
allocation_type: 0 ()
section_offset: 0
view_size: 172032
base_address: 0x00400000
success 0 0
1619954740.101374
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619954740.101374
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306512
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3408
success 0 0
1619954740.133374
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 3408
success 0 0
1619954740.133374
CreateProcessInternalW
thread_identifier: 3472
thread_handle: 0x0000010c
process_identifier: 3468
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe" 2 3408 25313703
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619954740.680626
CreateProcessInternalW
thread_identifier: 3572
thread_handle: 0x00000110
process_identifier: 3568
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619954740.976499
CreateProcessInternalW
thread_identifier: 3640
thread_handle: 0x00000100
process_identifier: 3636
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
1619954740.976499
NtUnmapViewOfSection
process_identifier: 3636
region_size: 4096
process_handle: 0x00000108
base_address: 0x00400000
success 0 0
1619954740.976499
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 3636
commit_size: 172032
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000108
allocation_type: 0 ()
section_offset: 0
view_size: 172032
base_address: 0x00400000
success 0 0
1619954740.976499
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619954740.976499
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306512
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3636
success 0 0
1619954741.039499
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 3636
success 0 0
1619954741.055499
CreateProcessInternalW
thread_identifier: 3700
thread_handle: 0x0000010c
process_identifier: 3696
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe" 2 3636 25314609
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619954742.836501
CreateProcessInternalW
thread_identifier: 3804
thread_handle: 0x00000110
process_identifier: 3800
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619954743.493124
CreateProcessInternalW
thread_identifier: 3880
thread_handle: 0x00000100
process_identifier: 3876
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
1619954743.493124
NtUnmapViewOfSection
process_identifier: 3876
region_size: 4096
process_handle: 0x00000108
base_address: 0x00400000
success 0 0
1619954743.493124
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 3876
commit_size: 172032
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000108
allocation_type: 0 ()
section_offset: 0
view_size: 172032
base_address: 0x00400000
success 0 0
1619954743.509124
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619954743.509124
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4306512
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3876
success 0 0
1619954744.118124
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 3876
success 0 0
1619954744.134124
CreateProcessInternalW
thread_identifier: 3944
thread_handle: 0x0000010c
process_identifier: 3940
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe" 2 3876 25317687
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619954753.617999
CreateProcessInternalW
thread_identifier: 3436
thread_handle: 0x00000230
process_identifier: 3440
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000234
inherit_handles: 0
success 1 0
1619954754.164374
CreateProcessInternalW
thread_identifier: 3556
thread_handle: 0x00000100
process_identifier: 3552
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\chlz\chlz.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
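The two indicators above (resumed threads and the create/unmap/map/set-context/resume sequence) are only meaningful when correlated per child PID. The following is an added example, not code from the sandbox or from the sample, that parses the trace in the flattened layout this report uses and reconstructs the hollowing chain for each child, then pairs each hollowed child with the later launch that receives its PID as an argument. The embedded trace is a constructed excerpt copied from the events shown above for child 2440 and trimmed to the fields the parser needs; the regular expressions, constants and function names are this example's own.

```python
# Added example, not part of the sandbox's own code: reconstruct the hollowing chain
# from the flattened API trace above (CreateProcessInternalW with CREATE_SUSPENDED ->
# NtUnmapViewOfSection -> NtMapViewOfSection RWX -> NtSetContextThread -> NtResumeThread
# on one child pid) and pair each hollowed child with the later "2 <pid> <n>" launch.
import re
from collections import defaultdict

# Constructed excerpt in the report's own layout (values from child pid 2440 above).
SAMPLE_TRACE = """\
1619954733.976499
CreateProcessInternalW
process_identifier: 2440
creation_flags: 4 (CREATE_SUSPENDED)
success 1 0
1619954733.976499
NtUnmapViewOfSection
process_identifier: 2440
base_address: 0x00400000
success 0 0
1619954733.976499
NtMapViewOfSection
process_identifier: 2440
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
success 0 0
1619954733.992499
NtSetContextThread
registers.eax: 4306512
registers.ebx: 2130567168
process_identifier: 2440
success 0 0
1619954734.742499
NtResumeThread
process_identifier: 2440
success 0 0
1619954734.758499
CreateProcessInternalW
process_identifier: 2956
command_line: "C:\\Users\\Administrator.Oskar-PC\\AppData\\Roaming\\chlz\\chlz.exe" 2 2440 25308312
success 1 0
"""

TS_RE = re.compile(r"^\d{10}\.\d+$")
CREATE_SUSPENDED, PAGE_EXECUTE_READWRITE = 0x4, 0x40

def parse_trace(text):
    """'timestamp / API name / key: value ... / status' records -> list of dicts."""
    events, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if TS_RE.match(line):                  # a timestamp opens a new call record
            cur = {"ts": float(line), "api": None}
            events.append(cur)
        elif cur is None or not line:
            continue
        elif cur["api"] is None:               # the line after it is the API name
            cur["api"] = line
        elif ":" in line:                      # "success 0 0" status lines fall through
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return events

def find_hollowing(events):
    """One finding per child pid whose calls complete the whole chain, in order."""
    state = defaultdict(dict)
    for ev in events:
        pid, api = ev.get("process_identifier"), ev["api"]
        if pid is None:
            continue
        st = state[pid]                        # flag fields look like "4 (CREATE_SUSPENDED)"
        if api == "CreateProcessInternalW" and \
                int(ev.get("creation_flags", "0").split()[0]) & CREATE_SUSPENDED:
            st["created"] = ev
        elif api == "NtUnmapViewOfSection" and "created" in st:
            st["base"] = ev["base_address"]
        elif api == "NtMapViewOfSection" and st.get("base") == ev["base_address"] \
                and int(ev["win32_protect"].split()[0]) == PAGE_EXECUTE_READWRITE:
            st["mapped"] = True
        elif api == "NtSetContextThread" and st.get("mapped"):
            st["ctx"] = ev
        elif api == "NtResumeThread" and "ctx" in st:
            st["resumed"] = True
    return [{
        "child_pid": int(pid),
        "base": st["base"],
        # x86: a suspended child's initial context carries its entry point in EAX
        # and the PEB address in EBX; the injector redirects EAX into its section.
        "entry_point": hex(int(st["ctx"]["registers.eax"])),
        "peb": hex(int(st["ctx"]["registers.ebx"])),
    } for pid, st in state.items() if st.get("resumed")]

def follow_up_launches(events, findings):
    """Map each hollowed pid to the process later started with that pid as an argument."""
    hollowed = {f["child_pid"] for f in findings}
    out = {}
    for ev in events:
        m = re.search(r'"\s+(\d+)\s+(\d+)\s+(\d+)$', ev.get("command_line", ""))
        if ev["api"] == "CreateProcessInternalW" and m and int(m.group(2)) in hollowed:
            out[int(m.group(2))] = int(ev["process_identifier"])
    return out
```

Run over the full trace, the same functions yield one finding per parent/child pair listed under the resumed-thread indicator, each with entry point 0x41b650 and PEB 0x7efde000, and a follow-up launch for every hollowed child. Requiring the map to land at the same base the unmap freed, and requiring PAGE_EXECUTE_READWRITE, is what keeps the rule from firing on ordinary CREATE_SUSPENDED uses such as debuggers and installers.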
File has been identified by 62 antivirus engines on VirusTotal as malicious (50 of 62 events). The family names disagree (Fareit, Loki, Agensla, Kpot, Sagonaire) but the class is consistent: a password stealer (Trojan-PSW) delivered by a Delphi injector (DelfInject, Injector, Delphiless, MalPack.DLF).
MicroWorld-eScan Trojan.GenericKD.33618942
FireEye Generic.mg.e5e2b8c0146db42b
CAT-QuickHeal Trojan.Wacatac
Qihoo-360 Generic/HEUR/QVM05.1.64A3.Malware.Gen
McAfee Fareit-FRQ!E5E2B8C0146D
Cylance Unsafe
Zillya Trojan.Injector.Win32.697670
Sangfor Malware
K7AntiVirus Trojan ( 005640bd1 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 005640bd1 )
Cybereason malicious.55b0c8
Invincea heuristic
F-Prot W32/Trojan2.QBUB
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky HEUR:Trojan-PSW.Win32.Agensla.gen
BitDefender Trojan.GenericKD.33618942
NANO-Antivirus Trojan.Win32.Agensla.hikgjj
Paloalto generic.ml
AegisLab Trojan.Win32.Agensla.i!c
Rising Trojan.Injector!1.AFE3 (CLASSIC)
Endgame malicious (high confidence)
Sophos Mal/Fareit-V
Comodo Malware@#2i905wd4ka46r
F-Secure Trojan.TR/AD.Sagonaire.fpvxc
DrWeb Trojan.PWS.Siggen2.46371
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.LOKI.SMDF.hp
McAfee-GW-Edition BehavesLike.Win32.Fareit.ch
Trapmine malicious.moderate.ml.score
Emsisoft Trojan.GenericKD.33618942 (B)
SentinelOne DFI - Malicious PE
Cyren W32/Trojan.RNNS-5963
Jiangmin Trojan.PSW.Agensla.fp
Webroot W32.Trojan.Gen
Avira TR/AD.Sagonaire.fpvxc
Fortinet W32/Injector.EESQ!tr
Antiy-AVL Trojan[PSW]/Win32.Agensla
Microsoft Trojan:Win32/Kpot.PA!MTB
Arcabit Trojan.Generic.D200FBFE
ZoneAlarm HEUR:Trojan-PSW.Win32.Agensla.gen
GData Trojan.GenericKD.33618942
AhnLab-V3 Suspicious/Win.Delphiless.X2059
Acronis suspicious
ALYac Trojan.Agent.Wacatac
MAX malware (ai score=83)
VBA32 Trojan.Wacatac
Malwarebytes Trojan.MalPack.DLF
Connects to IP addresses that are no longer responding to requests (legitimate services usually stay up) (2 events). Both addresses fall in 172.217.0.0/16, which is Google address space, and no HTTP or TLS exchange with them is recorded below, so nothing in this report ties them to the sample's own traffic rather than to the guest OS.
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image
No binary image: the sample did not produce a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

1992-06-20 06:22:17 (this is the fixed TimeDateStamp 0x2A425E19 that the Delphi linker writes into every executable, equal to 1992-06-19 22:22:17 UTC and shown here in UTC+8; it is not the real build date)

Imports

Library kernel32.dll:
0x48e178 VirtualFree
0x48e17c VirtualAlloc
0x48e180 LocalFree
0x48e184 LocalAlloc
0x48e188 GetVersion
0x48e18c GetCurrentThreadId
0x48e198 VirtualQuery
0x48e19c WideCharToMultiByte
0x48e1a0 MultiByteToWideChar
0x48e1a4 lstrlenA
0x48e1a8 lstrcpynA
0x48e1ac LoadLibraryExA
0x48e1b0 GetThreadLocale
0x48e1b4 GetStartupInfoA
0x48e1b8 GetProcAddress
0x48e1bc GetModuleHandleA
0x48e1c0 GetModuleFileNameA
0x48e1c4 GetLocaleInfoA
0x48e1c8 GetCommandLineA
0x48e1cc FreeLibrary
0x48e1d0 FindFirstFileA
0x48e1d4 FindClose
0x48e1d8 ExitProcess
0x48e1dc ExitThread
0x48e1e0 CreateThread
0x48e1e4 WriteFile
0x48e1ec RtlUnwind
0x48e1f0 RaiseException
0x48e1f4 GetStdHandle
Library user32.dll:
0x48e1fc GetKeyboardType
0x48e200 LoadStringA
0x48e204 MessageBoxA
0x48e208 CharNextA
Library advapi32.dll:
0x48e210 RegQueryValueExA
0x48e214 RegOpenKeyExA
0x48e218 RegCloseKey
Library oleaut32.dll:
0x48e220 SysFreeString
0x48e224 SysReAllocStringLen
0x48e228 SysAllocStringLen
Library kernel32.dll:
0x48e230 TlsSetValue
0x48e234 TlsGetValue
0x48e238 LocalAlloc
0x48e23c GetModuleHandleA
Library advapi32.dll:
0x48e244 RegQueryValueExA
0x48e248 RegOpenKeyExA
0x48e24c RegCloseKey
Library kernel32.dll:
0x48e254 lstrlenA
0x48e258 lstrcpyA
0x48e25c lstrcmpA
0x48e260 WriteFile
0x48e264 WaitForSingleObject
0x48e26c VirtualQuery
0x48e270 VirtualFree
0x48e274 VirtualAllocEx
0x48e278 VirtualAlloc
0x48e27c Sleep
0x48e280 SizeofResource
0x48e284 SetThreadLocale
0x48e288 SetFilePointer
0x48e28c SetEvent
0x48e290 SetErrorMode
0x48e294 SetEndOfFile
0x48e29c ResumeThread
0x48e2a0 ResetEvent
0x48e2a4 ReleaseMutex
0x48e2a8 ReadFile
0x48e2ac MultiByteToWideChar
0x48e2b0 MulDiv
0x48e2b4 LockResource
0x48e2b8 LoadResource
0x48e2bc LoadLibraryA
0x48e2c8 GlobalUnlock
0x48e2cc GlobalReAlloc
0x48e2d0 GlobalHandle
0x48e2d4 GlobalLock
0x48e2d8 GlobalFree
0x48e2dc GlobalFindAtomA
0x48e2e0 GlobalDeleteAtom
0x48e2e4 GlobalAlloc
0x48e2e8 GlobalAddAtomA
0x48e2ec GetVersionExA
0x48e2f0 GetVersion
0x48e2f4 GetTickCount
0x48e2f8 GetThreadLocale
0x48e2fc GetSystemInfo
0x48e300 GetStringTypeExA
0x48e304 GetStdHandle
0x48e308 GetProcAddress
0x48e30c GetModuleHandleA
0x48e310 GetModuleFileNameA
0x48e314 GetLocaleInfoA
0x48e318 GetLocalTime
0x48e31c GetLastError
0x48e320 GetFullPathNameA
0x48e324 GetExitCodeThread
0x48e328 GetDiskFreeSpaceA
0x48e32c GetDateFormatA
0x48e330 GetCurrentThreadId
0x48e334 GetCurrentProcessId
0x48e338 GetCurrentProcess
0x48e340 GetCPInfo
0x48e344 GetACP
0x48e348 FreeResource
0x48e350 InterlockedExchange
0x48e358 FreeLibrary
0x48e35c FormatMessageA
0x48e360 FindResourceA
0x48e368 FindFirstFileA
0x48e374 FindClose
0x48e380 EnumCalendarInfoA
0x48e38c CreateThread
0x48e390 CreateMutexA
0x48e394 CreateFileA
0x48e398 CreateEventA
0x48e39c CompareStringA
0x48e3a0 CloseHandle
Library version.dll:
0x48e3a8 VerQueryValueA
0x48e3b0 GetFileVersionInfoA
Library gdi32.dll:
0x48e3b8 UnrealizeObject
0x48e3bc StretchBlt
0x48e3c0 SetWindowOrgEx
0x48e3c4 SetViewportOrgEx
0x48e3c8 SetTextColor
0x48e3cc SetStretchBltMode
0x48e3d0 SetROP2
0x48e3d4 SetPixel
0x48e3d8 SetDIBColorTable
0x48e3dc SetBrushOrgEx
0x48e3e0 SetBkMode
0x48e3e4 SetBkColor
0x48e3e8 SelectPalette
0x48e3ec SelectObject
0x48e3f0 SaveDC
0x48e3f4 RestoreDC
0x48e3f8 Rectangle
0x48e3fc RectVisible
0x48e400 RealizePalette
0x48e404 PatBlt
0x48e408 MoveToEx
0x48e40c MaskBlt
0x48e410 LineTo
0x48e414 IntersectClipRect
0x48e418 GetWindowOrgEx
0x48e41c GetTextMetricsA
0x48e428 GetStockObject
0x48e42c GetPixel
0x48e430 GetPaletteEntries
0x48e434 GetObjectA
0x48e438 GetDeviceCaps
0x48e43c GetDIBits
0x48e440 GetDIBColorTable
0x48e444 GetDCOrgEx
0x48e44c GetClipBox
0x48e450 GetBrushOrgEx
0x48e454 GetBitmapBits
0x48e458 ExtTextOutA
0x48e45c ExcludeClipRect
0x48e460 DeleteObject
0x48e464 DeleteDC
0x48e468 CreateSolidBrush
0x48e46c CreatePenIndirect
0x48e470 CreatePalette
0x48e478 CreateFontIndirectA
0x48e47c CreateDIBitmap
0x48e480 CreateDIBSection
0x48e484 CreateCompatibleDC
0x48e48c CreateBrushIndirect
0x48e490 CreateBitmap
0x48e494 BitBlt
Library user32.dll:
0x48e49c CreateWindowExA
0x48e4a0 WindowFromPoint
0x48e4a4 WinHelpA
0x48e4a8 WaitMessage
0x48e4ac UpdateWindow
0x48e4b0 UnregisterClassA
0x48e4b4 UnhookWindowsHookEx
0x48e4b8 TranslateMessage
0x48e4c0 TrackPopupMenu
0x48e4c8 ShowWindow
0x48e4cc ShowScrollBar
0x48e4d0 ShowOwnedPopups
0x48e4d4 ShowCursor
0x48e4d8 SetWindowsHookExA
0x48e4dc SetWindowTextA
0x48e4e0 SetWindowPos
0x48e4e4 SetWindowPlacement
0x48e4e8 SetWindowLongA
0x48e4ec SetTimer
0x48e4f0 SetScrollRange
0x48e4f4 SetScrollPos
0x48e4f8 SetScrollInfo
0x48e4fc SetRect
0x48e500 SetPropA
0x48e504 SetParent
0x48e508 SetMenuItemInfoA
0x48e50c SetMenu
0x48e510 SetForegroundWindow
0x48e514 SetFocus
0x48e518 SetCursor
0x48e51c SetClassLongA
0x48e520 SetCapture
0x48e524 SetActiveWindow
0x48e528 SendMessageA
0x48e52c ScrollWindow
0x48e530 ScreenToClient
0x48e534 RemovePropA
0x48e538 RemoveMenu
0x48e53c ReleaseDC
0x48e540 ReleaseCapture
0x48e54c RegisterClassA
0x48e550 RedrawWindow
0x48e554 PtInRect
0x48e558 PostQuitMessage
0x48e55c PostMessageA
0x48e560 PeekMessageA
0x48e564 OffsetRect
0x48e568 OemToCharA
0x48e570 MessageBoxA
0x48e574 MapWindowPoints
0x48e578 MapVirtualKeyA
0x48e57c LoadStringA
0x48e580 LoadKeyboardLayoutA
0x48e584 LoadIconA
0x48e588 LoadCursorA
0x48e58c LoadBitmapA
0x48e590 KillTimer
0x48e594 IsZoomed
0x48e598 IsWindowVisible
0x48e59c IsWindowEnabled
0x48e5a0 IsWindow
0x48e5a4 IsRectEmpty
0x48e5a8 IsIconic
0x48e5ac IsDialogMessageA
0x48e5b0 IsChild
0x48e5b4 InvalidateRect
0x48e5b8 IntersectRect
0x48e5bc InsertMenuItemA
0x48e5c0 InsertMenuA
0x48e5c4 InflateRect
0x48e5cc GetWindowTextA
0x48e5d0 GetWindowRect
0x48e5d4 GetWindowPlacement
0x48e5d8 GetWindowLongA
0x48e5dc GetWindowDC
0x48e5e0 GetTopWindow
0x48e5e4 GetSystemMetrics
0x48e5e8 GetSystemMenu
0x48e5ec GetSysColorBrush
0x48e5f0 GetSysColor
0x48e5f4 GetSubMenu
0x48e5f8 GetScrollRange
0x48e5fc GetScrollPos
0x48e600 GetScrollInfo
0x48e604 GetPropA
0x48e608 GetParent
0x48e60c GetWindow
0x48e610 GetMessagePos
0x48e614 GetMenuStringA
0x48e618 GetMenuState
0x48e61c GetMenuItemInfoA
0x48e620 GetMenuItemID
0x48e624 GetMenuItemCount
0x48e628 GetMenu
0x48e62c GetLastActivePopup
0x48e630 GetKeyboardState
0x48e638 GetKeyboardLayout
0x48e63c GetKeyState
0x48e640 GetKeyNameTextA
0x48e644 GetIconInfo
0x48e648 GetForegroundWindow
0x48e64c GetFocus
0x48e650 GetDesktopWindow
0x48e654 GetDCEx
0x48e658 GetDC
0x48e65c GetCursorPos
0x48e660 GetCursor
0x48e664 GetClientRect
0x48e668 GetClassNameA
0x48e66c GetClassInfoA
0x48e670 GetCapture
0x48e674 GetActiveWindow
0x48e678 FrameRect
0x48e67c FindWindowA
0x48e680 FillRect
0x48e684 EqualRect
0x48e688 EnumWindows
0x48e68c EnumThreadWindows
0x48e690 EndPaint
0x48e694 EnableWindow
0x48e698 EnableScrollBar
0x48e69c EnableMenuItem
0x48e6a0 DrawTextA
0x48e6a4 DrawMenuBar
0x48e6a8 DrawIconEx
0x48e6ac DrawIcon
0x48e6b0 DrawFrameControl
0x48e6b4 DrawEdge
0x48e6b8 DispatchMessageA
0x48e6bc DestroyWindow
0x48e6c0 DestroyMenu
0x48e6c4 DestroyIcon
0x48e6c8 DestroyCursor
0x48e6cc DeleteMenu
0x48e6d0 DefWindowProcA
0x48e6d4 DefMDIChildProcA
0x48e6d8 DefFrameProcA
0x48e6dc CreatePopupMenu
0x48e6e0 CreateMenu
0x48e6e4 CreateIcon
0x48e6e8 ClientToScreen
0x48e6f0 CheckMenuItem
0x48e6f4 CallWindowProcA
0x48e6f8 CallNextHookEx
0x48e6fc BeginPaint
0x48e700 CharNextA
0x48e704 CharLowerA
0x48e708 CharUpperBuffA
0x48e70c CharToOemA
0x48e710 AdjustWindowRectEx
Library kernel32.dll:
0x48e71c Sleep
Library oleaut32.dll:
0x48e724 SafeArrayPtrOfIndex
0x48e728 SafeArrayPutElement
0x48e72c SafeArrayGetElement
0x48e734 SafeArrayAccessData
0x48e738 SafeArrayGetUBound
0x48e73c SafeArrayGetLBound
0x48e740 SafeArrayCreate
0x48e744 VariantChangeType
0x48e748 VariantCopyInd
0x48e74c VariantCopy
0x48e750 VariantClear
0x48e754 VariantInit
Library ole32.dll:
0x48e75c OleUninitialize
0x48e760 OleInitialize
0x48e764 CoTaskMemAlloc
0x48e768 CoCreateInstance
0x48e76c CoUninitialize
0x48e770 CoInitialize
Library oleaut32.dll:
0x48e778 CreateErrorInfo
0x48e77c GetErrorInfo
0x48e780 SetErrorInfo
0x48e784 SysFreeString
Library comctl32.dll:
0x48e794 ImageList_Write
0x48e798 ImageList_Read
0x48e7a8 ImageList_DragMove
0x48e7ac ImageList_DragLeave
0x48e7b0 ImageList_DragEnter
0x48e7b4 ImageList_EndDrag
0x48e7b8 ImageList_BeginDrag
0x48e7bc ImageList_Remove
0x48e7c0 ImageList_DrawEx
0x48e7c4 ImageList_Draw
0x48e7d4 ImageList_Add
0x48e7dc ImageList_Destroy
0x48e7e0 ImageList_Create
0x48e7e4 InitCommonControls
Library shell32.dll:
0x48e7ec ShellExecuteExA
0x48e7f0 ShellExecuteA
0x48e7f4 SHGetFileInfoA
Library shell32.dll:
0x48e800 SHGetMalloc
0x48e804 SHGetDesktopFolder
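The import table tells two things at once: the first kernel32/user32/advapi32/oleaut32 group is the fixed set the Delphi System unit links into classic Delphi executables (which, with the fixed linker timestamp above, is the shape the DelfInject/Delphiless labels key on), and the table as printed lists ResumeThread and VirtualAllocEx but none of the ntdll calls seen in the dynamic trace, while LoadLibraryA/GetProcAddress are present for run-time resolution. The following is an added example, not code from the sandbox or the sample, that parses the table in the report's own format and makes both checks; the embedded dump is a constructed subset of the listing above, and since the page's listing has gaps in its address sequence, "not listed" here means exactly that, not "proven absent".

```python
# Added example, not part of the sandbox's own code: read the import table as the
# report prints it, test the Delphi runtime fingerprint, and check which calls of
# the traced hollowing chain a static import table would have revealed at all.
import re

# Constructed subset of the table above, copied as printed.
IMPORT_DUMP = """\
Library kernel32.dll:
0x48e178 VirtualFree
0x48e17c VirtualAlloc
0x48e1a8 lstrcpynA
0x48e1ac LoadLibraryExA
0x48e1b0 GetThreadLocale
0x48e1b4 GetStartupInfoA
0x48e1b8 GetProcAddress
0x48e1ec RtlUnwind
Library user32.dll:
0x48e1fc GetKeyboardType
0x48e200 LoadStringA
0x48e204 MessageBoxA
0x48e208 CharNextA
Library oleaut32.dll:
0x48e220 SysFreeString
0x48e224 SysReAllocStringLen
0x48e228 SysAllocStringLen
Library kernel32.dll:
0x48e274 VirtualAllocEx
0x48e29c ResumeThread
0x48e2bc LoadLibraryA
0x48e390 CreateMutexA
Library shell32.dll:
0x48e7ec ShellExecuteExA
"""

def parse_imports(text):
    """'Library x.dll:' headers followed by '0xADDR Name' rows -> {dll: {name: addr}}."""
    table, dll = {}, None
    for line in text.splitlines():
        head = re.match(r"Library\s+(\S+):", line)
        if head:                                  # the same DLL may appear in several groups
            dll = head.group(1).lower()
            table.setdefault(dll, {})
            continue
        row = re.match(r"(0x[0-9a-fA-F]+)\s+(\w+)", line)
        if row and dll is not None:
            table[dll][row.group(2)] = int(row.group(1), 16)
    return table

def imported_names(table):
    return {name for names in table.values() for name in names}

# The Delphi System unit links this fixed kernel32/user32/oleaut32 group into
# classic Delphi executables; with the fixed linker timestamp it is the shape
# that "DelfInject"-style detections key on.
DELPHI_MARKERS = {"GetKeyboardType", "CharNextA", "LoadStringA", "SysReAllocStringLen",
                  "GetThreadLocale", "lstrcpynA", "RtlUnwind", "GetStartupInfoA"}

def looks_like_delphi(table):
    return DELPHI_MARKERS <= imported_names(table)

# Each call the dynamic trace showed, with the names a static table could list
# for it (the Win32 wrapper or the ntdll export itself).
HOLLOW_CHAIN = {
    "CreateProcessInternalW": {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    "NtUnmapViewOfSection":   {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "NtMapViewOfSection":     {"NtMapViewOfSection", "ZwMapViewOfSection"},
    "NtSetContextThread":     {"SetThreadContext", "NtSetContextThread"},
    "NtResumeThread":         {"ResumeThread", "NtResumeThread"},
}

def static_vs_dynamic(table):
    """True per traced call if the import table names it; False means it was resolved
    at run time (GetProcAddress) or reached through another API such as ShellExecute."""
    names = imported_names(table)
    report = {api: bool(aliases & names) for api, aliases in HOLLOW_CHAIN.items()}
    report["runtime_resolver"] = "GetProcAddress" in names and \
        bool({"LoadLibraryA", "LoadLibraryExA", "LoadLibraryW"} & names)
    report["ntdll_imported"] = "ntdll.dll" in table
    return report
```

On this sample the report flags only NtResumeThread (via ResumeThread) as statically visible; the unmap/map/set-context calls and the process creation itself are absent from the listing while a resolver pair is present, which is the usual gap between what static import scanning and the dynamic trace show for a Delphi RunPE injector.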

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Every datagram recorded is guest background traffic: DNS queries to the configured resolver 114.114.114.114, NetBIOS (137/138), LLMNR (5355) and SSDP (1900) broadcasts, and NTP to time.windows.com. None of it is attributable to the sample, whose payload produced no network traffic in this run.

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.