6.8
High risk

3bb1bbf49c6e224032025dc7dacb3862e8b16c8b39e5cc19c5aceda4dbc917d9

ee4b41731722ad87f206d8a98f55a8d7.exe

Analysis duration

89s

Last analyzed

File size

4.0MB
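Static detections Dynamic detections
Hawkeye engine
Not scanned: no Hawkeye engine results available
Static verdict
Antivirus engines
Not scanned: no antivirus engine results available
Static indicators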
Queries for the computername (6 events)
Time & API Arguments Status Return Repeated
1620026960.510875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620026962.790172
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620026964.188609
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620026966.524922
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620026971.149422
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620026972.400172
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Command line console output was observed (50 out of 90 events)
Time & API Arguments Status Return Repeated
1620026950.85475
WriteConsoleW
buffer: 描述: 在注册表和服务数据库中修改服务项。 用法: sc <server> config [service name] <option1> <option2>... 选项: 注意: 选项名称包括等号。 等号和值之间需要一个空格。 type= <own|share|interact|kernel|filesys|rec|adapt> start= <boot|system|auto|demand|disabled|delayed-auto> error= <normal|severe|critical|ignore> binPath= <BinaryPathName> group= <LoadOrderGroup> tag= <yes|no> depend= <依存关系(以 / (斜杠) 分隔)> obj= <AccountName|ObjectName> DisplayName= <显示名称> password= <密码>
console_handle: 0x00000007
success 1 0
1620026950.948502
WriteConsoleW
buffer: [SC] DeleteService 成功
console_handle: 0x00000007
success 1 0
1620026951.838375
WriteConsoleW
buffer: 发生系统错误 1726。
console_handle: 0x0000000b
success 1 0
1620026951.838375
WriteConsoleW
buffer: 远程过程调用失败。
console_handle: 0x0000000b
success 1 0
1620026951.83925
WriteConsoleW
buffer: [SC] OpenService 失败 1060: 指定的服务未安装。
console_handle: 0x00000007
success 1 0
1620026951.917
WriteConsoleW
buffer: 服务名无效。
console_handle: 0x0000000b
success 1 0
1620026951.949
WriteConsoleW
buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。
console_handle: 0x0000000b
success 1 0
1620026953.573502
WriteConsoleW
buffer: [SC] OpenService 失败 1060: 指定的服务未安装。
console_handle: 0x00000007
success 1 0
1620026955.058125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026955.058125
WriteConsoleW
buffer: sc
console_handle: 0x00000007
success 1 0
1620026955.089125
WriteConsoleW
buffer: config Schedule start= auto
console_handle: 0x00000007
success 1 0
1620026958.636125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026958.636125
WriteConsoleW
buffer: sc
console_handle: 0x00000007
success 1 0
1620026958.636125
WriteConsoleW
buffer: start Schedule
console_handle: 0x00000007
success 1 0
1620026959.683125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026959.683125
WriteConsoleW
buffer: schtasks
console_handle: 0x00000007
success 1 0
1620026959.699125
WriteConsoleW
buffer: /delete /tn AutoKMSK /f
console_handle: 0x00000007
success 1 0
1620026962.417125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026962.417125
WriteConsoleW
buffer: schtasks
console_handle: 0x00000007
success 1 0
1620026962.417125
WriteConsoleW
buffer: /delete /tn AutoKMSKK /f
console_handle: 0x00000007
success 1 0
1620026963.730125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026963.730125
WriteConsoleW
buffer: schtasks
console_handle: 0x00000007
success 1 0
1620026963.730125
WriteConsoleW
buffer: /delete /tn "Adobe Flash Player Updaters" /f
console_handle: 0x00000007
success 1 0
1620026965.808125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026965.824125
WriteConsoleW
buffer: schtasks
console_handle: 0x00000007
success 1 0
1620026965.824125
WriteConsoleW
buffer: /create /sc minute /mo 10 /tn "\Microsoft\Windows\UPnP\AutoKMSK" /tr "C:\Windows\Installer\conhost.exe" /ru "system" /f
console_handle: 0x00000007
success 1 0
1620026970.542125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026970.558125
WriteConsoleW
buffer: schtasks
console_handle: 0x00000007
success 1 0
1620026970.558125
WriteConsoleW
buffer: /run /tn "\Microsoft\Windows\UPnP\AutoKMSK"
console_handle: 0x00000007
success 1 0
1620026972.042125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026972.042125
WriteConsoleW
buffer: schtasks
console_handle: 0x00000007
success 1 0
1620026972.042125
WriteConsoleW
buffer: /create /sc minute /mo 35 /tn "\Microsoft\Windows\UPnP\AutoKMSKK" /tr "C:\Windows\Installer\free.bat" /ru "system" /f
console_handle: 0x00000007
success 1 0
1620026974.480125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026974.480125
WriteConsoleW
buffer: sc
console_handle: 0x00000007
success 1 0
1620026974.480125
WriteConsoleW
buffer: start PolicyAgent
console_handle: 0x00000007
success 1 0
1620026975.496125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026975.496125
WriteConsoleW
buffer: sc
console_handle: 0x00000007
success 1 0
1620026975.496125
WriteConsoleW
buffer: config PolicyAgent start= AUTO
console_handle: 0x00000007
success 1 0
1620026976.355125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026976.355125
WriteConsoleW
buffer: netsh
console_handle: 0x00000007
success 1 0
1620026976.355125
WriteConsoleW
buffer: ipsec static add policy name=Aliyun
console_handle: 0x00000007
success 1 0
1620026980.964125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026980.964125
WriteConsoleW
buffer: netsh
console_handle: 0x00000007
success 1 0
1620026980.964125
WriteConsoleW
buffer: ipsec static add filterlist name=Allowlist
console_handle: 0x00000007
success 1 0
1620026984.417125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026984.417125
WriteConsoleW
buffer: netsh
console_handle: 0x00000007
success 1 0
1620026984.417125
WriteConsoleW
buffer: ipsec static add filterlist name=denylist
console_handle: 0x00000007
success 1 0
1620026987.917125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620026987.949125
WriteConsoleW
buffer: netsh
console_handle: 0x00000007
success 1 0
1620026987.964125
WriteConsoleW
buffer: ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620026955.417
GlobalMemoryStatusEx
success 1 0
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name TEXTINCLUDE
Behavioral verdict
Dynamic indicators
Foreign language identified in PE resource (50 out of 51 events)
name TEXTINCLUDE language LANG_CHINESE offset 0x00490c50 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000151 (3 identical entries)
name RT_CURSOR language LANG_CHINESE offset 0x00491140 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000000b4 (4 identical entries)
name RT_BITMAP language LANG_CHINESE offset 0x00492848 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000144 (14 identical entries)
name RT_MENU language LANG_CHINESE offset 0x004971e8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000284 (2 identical entries)
name RT_DIALOG language LANG_CHINESE offset 0x00498430 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000018c (10 identical entries)
name RT_STRING language LANG_CHINESE offset 0x00498e78 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024 (11 identical entries)
name RT_GROUP_CURSOR language LANG_CHINESE offset 0x00498ec4 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000022 (3 identical entries)
name RT_GROUP_ICON language LANG_CHINESE offset 0x00498f3c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000014 (3 identical entries)
Creates executable files on the filesystem (4 events)
file C:\Windows\Installer\free.bat
file c:\Windows\IME\demo.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tem.vbs
file C:\Windows\Installer\conhost.exe
Creates hidden or system file (1 event)
Time & API Arguments Status Return Repeated
1620026952.277
SetFileAttributesW
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tem.vbs
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tem.vbs
success 1 0
Creates a suspicious process (6 events)
cmdline schtasks /delete /tn "Adobe Flash Player Updaters" /f
cmdline schtasks /delete /tn AutoKMSKK /f
cmdline schtasks /delete /tn AutoKMSK /f
cmdline schtasks /create /sc minute /mo 35 /tn "\Microsoft\Windows\UPnP\AutoKMSKK" /tr "C:\Windows\Installer\free.bat" /ru "system" /f
cmdline schtasks /create /sc minute /mo 10 /tn "\Microsoft\Windows\UPnP\AutoKMSK" /tr "C:\Windows\Installer\conhost.exe" /ru "system" /f
cmdline schtasks /run /tn "\Microsoft\Windows\UPnP\AutoKMSK"
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tem.vbs
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ee4b41731722ad87f206d8a98f55a8d7.exe
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.999948643341441 section {'size_of_data': '0x003edc00', 'virtual_address': '0x000b0000', 'entropy': 7.999948643341441, 'name': 'UPX1', 'virtual_size': '0x003ee000'} description A section with a high entropy has been found
entropy 0.9945611866501854 description Overall entropy of this PE file is high
The executable is compressed using UPX (2 events)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Uses Windows utilities for basic Windows functionality (30 events)
cmdline netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
cmdline sc stop COMSysCts
cmdline sc config Schedule start= auto
cmdline net stop lanmanserver /y
cmdline net stop mssecsvc2.0
cmdline net stop mssecsvc2.1
cmdline sc delete lanmanserver
cmdline sc delete mssecsvc2.1
cmdline sc delete mssecsvc2.0
cmdline schtasks /delete /tn "Adobe Flash Player Updaters" /f
cmdline schtasks /delete /tn AutoKMSKK /f
cmdline netsh ipsec static add filteraction name=Allow action=permit
cmdline schtasks /delete /tn AutoKMSK /f
cmdline netsh ipsec static add policy name=Aliyun
cmdline netsh ipsec static add filterlist name=Allowlist
cmdline netsh ipsec static add filteraction name=deny action=block
cmdline schtasks /create /sc minute /mo 35 /tn "\Microsoft\Windows\UPnP\AutoKMSKK" /tr "C:\Windows\Installer\free.bat" /ru "system" /f
cmdline sc start PolicyAgent
cmdline sc start Schedule
cmdline sc config PolicyAgent start= AUTO
cmdline schtasks /create /sc minute /mo 10 /tn "\Microsoft\Windows\UPnP\AutoKMSK" /tr "C:\Windows\Installer\conhost.exe" /ru "system" /f
cmdline netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
cmdline netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
cmdline netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
cmdline netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
cmdline netsh ipsec static set policy name=Aliyun assign=y
cmdline netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
cmdline sc config lanmanserver start= DISABLED 2>nul
cmdline schtasks /run /tn "\Microsoft\Windows\UPnP\AutoKMSK"
cmdline netsh ipsec static add filterlist name=denylist
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (2 events)
cmdline schtasks /create /sc minute /mo 35 /tn "\Microsoft\Windows\UPnP\AutoKMSKK" /tr "C:\Windows\Installer\free.bat" /ru "system" /f
cmdline schtasks /create /sc minute /mo 10 /tn "\Microsoft\Windows\UPnP\AutoKMSK" /tr "C:\Windows\Installer\conhost.exe" /ru "system" /f
The process wscript.exe wrote an executable file to disk (1 event)
file C:\Windows\SysWOW64\wscript.exe
Uses Sysinternals tools in order to add additional command line functionality (2 events)
cmdline schtasks /create /sc minute /mo 35 /tn "\Microsoft\Windows\UPnP\AutoKMSKK" /tr "C:\Windows\Installer\free.bat" /ru "system" /f
cmdline schtasks /create /sc minute /mo 10 /tn "\Microsoft\Windows\UPnP\AutoKMSK" /tr "C:\Windows\Installer\conhost.exe" /ru "system" /f
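Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran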


PE Compile Time

2020-03-24 17:48:34

Imports

Library ADVAPI32.dll:
0x8a3614 RegCloseKey
Library COMCTL32.dll:
0x8a361c
Library comdlg32.dll:
0x8a3624 ChooseColorA
Library GDI32.dll:
0x8a362c PatBlt
Library KERNEL32.DLL:
0x8a3634 LoadLibraryA
0x8a3638 ExitProcess
0x8a363c GetProcAddress
0x8a3640 VirtualProtect
Library ole32.dll:
0x8a3648 OleInitialize
Library OLEAUT32.dll:
0x8a3650 LoadTypeLib
Library SHELL32.dll:
0x8a3658 ShellExecuteA
Library USER32.dll:
0x8a3660 GetDC
Library WINMM.dll:
0x8a3668 waveOutOpen
Library WINSPOOL.DRV:
0x8a3670 ClosePrinter
Library WS2_32.dll:
0x8a3678 inet_ntoa

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51379 239.255.255.250 3702
192.168.56.101 51809 239.255.255.250 3702
192.168.56.101 51811 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.