Score: 7.0
Risk level: High (高危)

SHA256: 35b150d62d867c78b998721316d307a77d0d3625b5a314bfc1d16d8c2347bb22

File name: 00f1eca79a7182fa6b69d34bf81cdf07.exe

Analysis duration: 133s

Latest analysis

File size: 874.0KB

Static scan: flagged malicious. Dynamic scan: flagged malicious (100%).
Detection tags (vendor names collapsed into tokens): 2GW@A8XM7YEI, AI SCORE=100, ALI2000015, ATTRIBUTE, CLASSIC, CONFIDENCE, DATASTEALER, DELF, DELFINJECT, DELPHILESS, EMTN, EMVB, FAREIT, HIGH CONFIDENCE, HIGHCONFIDENCE, HPRCDN, IGENERIC, KCLOUD, KRYPTIK, LWXVO, MALWARE@#2AZ8MFHWELY4U, NANOCORE, NANOCR, R + TROJ, R002C0DLA20, REDCAP, SCORE, TSCOPE, UNSAFE, WHEL, X2094, ZELPHIF, ZUSY
The family hints in that cloud are FAREIT and NANOCORE for the payload and DELF/DELFINJECT for the Delphi injector stub that carries it.
Eagle Eye (鹰眼) engine: not detected (no Eagle Eye engine result available)
Static verdict
Antivirus engines (engine: result; detection date; engine version)
McAfee: Fareit-FPQ!00F1ECA79A71; 2020-12-27; 6.0.6.653
CrowdStrike: win/malicious_confidence_100% (W); 2019-07-02; 1.0
Alibaba: Trojan:Win32/DelfInject.ali2000015; 2019-05-27; 0.3.0.5
Baidu: (no detection name recorded); 2019-03-18; 1.0.0.2
Tencent: Win32.Trojan.Kryptik.Frt; 2020-12-28; 1.0.0.1
Kingsoft: Win32.Troj.Undef.(kcloud); 2020-12-28; 2017.9.26.565
Avast: Win32:Malware-gen; 2020-12-28; 21.1.5827.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
CODE, DATA and BSS are the section names the Delphi linker emits, so this indicator is exactly the false-positive case it warns about: it says "built with Delphi", not "packed". The PEiD match below commonly fires on ordinary Delphi-compiled binaries for the same reason, so both indicators point at a Delphi-built loader, consistent with the DELF/DelfInject naming above rather than at a compression packer.
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (10 events)
All ten crashes share one stack: code in the sample's image at 0x400000 (frames +0x39254 and +0x40a4d) calls mscoree!_CorExeMain, the entry stub of a managed (.NET) executable, the shim descends through mscoreei!GetFileVersion into kernelbase!CreateFileMappingW, and the thread faults with STATUS_ACCESS_VIOLATION (0xc0000005). A Delphi image has no reason to call _CorExeMain, so this fits a .NET payload having been written over the image (the NANOCORE naming above is a .NET family). The image stays at 0x400000 in every event while mscoreei and mscoree load at different bases from crash to crash (0x75010000/0x75090000/0x74fa0000 and 0x75150000/0x75100000/0x751a0000), whereas kernel32, kernelbase and ntdll never move: these are ten separate process instances, one per relaunch and injection listed further down, each dying while the CLR is being bootstrapped. The faulting address is never inside any module on the stack (the highest listed base is ntdll at 0x77d30000) and its low 16 bits are 0x14ad in all ten events, which points at one consistently corrupted pointer rather than ten unrelated faults.
Columns: time, API, arguments, status, return value, repeat count
1619168323.879
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75157f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75154de3
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
00f1eca79a7182fa6b69d34bf81cdf07+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe9314ad
success 0 0
1619168337.20725
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7509e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7509ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7509b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7509b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7509ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7509aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75095511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7509559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75107f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75104de3
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
00f1eca79a7182fa6b69d34bf81cdf07+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe8c14ad
success 0 0
1619168347.87875
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751a4de3
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
00f1eca79a7182fa6b69d34bf81cdf07+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfea314ad
success 0 0
1619168355.87875
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7509e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7509ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7509b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7509b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7509ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7509aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75095511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7509559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75107f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75104de3
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
00f1eca79a7182fa6b69d34bf81cdf07+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe8d14ad
success 0 0
1619168362.7535
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75157f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75154de3
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
00f1eca79a7182fa6b69d34bf81cdf07+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd0314ad
success 0 0
1619168369.37875
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7509e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7509ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7509b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7509b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7509ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7509aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75095511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7509559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75107f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75104de3
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
00f1eca79a7182fa6b69d34bf81cdf07+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd1514ad
success 0 0
1619168375.16
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75157f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75154de3
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
00f1eca79a7182fa6b69d34bf81cdf07+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfea314ad
success 0 0
1619168382.55125
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x74fae97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x74faea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x74fab25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x74fab4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x74faac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x74faaed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74fa5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x74fa559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75157f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75154de3
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
00f1eca79a7182fa6b69d34bf81cdf07+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe8f14ad
success 0 0
1619168390.863502
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x74fae97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x74faea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x74fab25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x74fab4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x74faac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x74faaed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74fa5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x74fa559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75157f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75154de3
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
00f1eca79a7182fa6b69d34bf81cdf07+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe9814ad
success 0 0
1619168399.081875
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x74fae97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x74faea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x74fab25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x74fab4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x74faac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x74faaed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74fa5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x74fa559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75157f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75154de3
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
00f1eca79a7182fa6b69d34bf81cdf07+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd0f14ad
success 0 0
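As a triage aid for the ten crash events above, here is an added Python example (not part of the original report) that parses Cuckoo-style stack frames, recovers each module's load base as address minus offset, lists which modules moved between two of the crashes, and measures how far the faulting address lies from the nearest module on the stack. The frame lines and the ten faulting addresses are copied from the events above; nothing else is assumed.

```python
"""Triage helper for the crash stack traces above.

Added example, not code from the original report. It parses Cuckoo-style
frames ("symbol+off nextsym-off module+off @ address"), recovers each
module's load base, compares bases between two crashes, and measures how
far the faulting address sits from the nearest module on the stack.
"""
import re

# Trailing "module+0xoffset @ 0xaddress" part of a frame line.
FRAME_RE = re.compile(r"(\S+)\+0x([0-9a-f]+) @ 0x([0-9a-f]+)$")

# First crash (1619168323.879): all 16 frames copied from the report.
CRASH_1 = """\
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75157f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75154de3
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
00f1eca79a7182fa6b69d34bf81cdf07+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5
"""

# Second crash (1619168337.20725): one frame per module, copied from the report.
CRASH_2 = """\
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7509e97b
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75107f16
00f1eca79a7182fa6b69d34bf81cdf07+0x40a4d @ 0x440a4d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
"""

# exception.address of the ten crash events, in report order.
EXCEPTION_ADDRESSES = [
    0xfe9314ad, 0xfe8c14ad, 0xfea314ad, 0xfe8d14ad, 0xfd0314ad,
    0xfd1514ad, 0xfea314ad, 0xfe8f14ad, 0xfe9814ad, 0xfd0f14ad,
]


def parse_frames(trace):
    """[(module, offset, address)] for every frame line in the trace."""
    frames = []
    for line in trace.splitlines():
        m = FRAME_RE.search(line.strip())
        if m:
            frames.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return frames


def module_bases(frames):
    """Load base per module (address - offset); all frames of a module must agree."""
    bases = {}
    for module, offset, address in frames:
        base = address - offset
        if bases.setdefault(module, base) != base:
            raise ValueError(f"frames disagree on the base of {module}")
    return bases


def relocated_modules(bases_a, bases_b):
    """Modules seen in both crashes whose load base differs (per-process ASLR)."""
    return {m for m in bases_a.keys() & bases_b.keys() if bases_a[m] != bases_b[m]}


def nearest_module_below(address, bases):
    """(module, distance) for the highest load base at or below the address."""
    below = {m: address - b for m, b in bases.items() if b <= address}
    if not below:
        return None, None
    module = min(below, key=below.get)
    return module, below[module]


def shared_low_bits(addresses, bits=16):
    """The low `bits` bits every address has in common, or None if they differ."""
    mask = (1 << bits) - 1
    low = {a & mask for a in addresses}
    return low.pop() if len(low) == 1 else None


if __name__ == "__main__":
    bases = module_bases(parse_frames(CRASH_1))
    for module, base in sorted(bases.items(), key=lambda kv: kv[1]):
        print(f"{module:<34} base 0x{base:08x}")
    moved = relocated_modules(bases, module_bases(parse_frames(CRASH_2)))
    print("relocated between crash 1 and crash 2:", sorted(moved))
    mod, dist = nearest_module_below(EXCEPTION_ADDRESSES[0], bases)
    print(f"fault 0x{EXCEPTION_ADDRESSES[0]:08x} lies 0x{dist:x} bytes above {mod}")
    print("low 16 bits shared by all faults:", hex(shared_low_bits(EXCEPTION_ADDRESSES)))
```

The distance returned for the first fault is over 2 GB above ntdll, far beyond any DLL's size, which is why the faulting address cannot belong to a module on the stack; a real triage would next pull the process memory map from the analysis dump to see what, if anything, was mapped there.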
Behavioural verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 330 events shown)
Reading the flags: process_handle 0xffffffff is the current-process pseudo-handle, so every call below acts on the caller's own address space; heap_dep_bypass: 1 marks calls whose return address lies in heap memory, i.e. issued by already-unpacked code rather than by the on-disk image. The NtProtectVirtualMemory that turns 0x00400000 (the image base) PAGE_EXECUTE_READWRITE in pids 2452 and 192, right after each was targeted by NtSetContextThread from its parent, is the hollowing write-back. The repeated RWX re-protections of single pages inside kernel32 (0x76351000, 0x76353000, 0x76354000) and ntdll (0x77d4f000), alternating with a page of the sample's own region (0x01e22000), are consistent with inline hooks being written into those system DLLs; confirm by diffing those pages in the memory dump against clean copies of the DLLs.
Columns: time, API, arguments, status, return value, repeat count
1619168319.972625
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b10000
success 0 0
1619168320.175625
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00b20000
success 0 0
1619168320.175625
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00b50000
success 0 0
1619168321.754
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619168321.801
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01d60000
success 0 0
1619168321.801
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01dc0000
success 0 0
1619168321.801
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d60000
success 0 0
1619168321.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 118784
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01d62000
success 0 0
1619168322.41
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01e30000
success 0 0
1619168322.41
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01ec0000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e22000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e22000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e22000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e22000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e22000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e22000
success 0 0
1619168323.801
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619168323.817
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e22000
success 0 0
1619168323.817
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619168323.817
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e22000
success 0 0
1619168323.817
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619168323.817
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e22000
success 0 0
1619168323.817
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619168323.817
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e22000
success 0 0
1619168323.817
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619168322.14475
NtAllocateVirtualMemory
process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004f0000
success 0 0
1619168322.26975
NtAllocateVirtualMemory
process_identifier: 2864
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
1619168322.28475
NtAllocateVirtualMemory
process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00570000
success 0 0
1619168334.534375
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e0000
success 0 0
1619168334.581375
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x005f0000
success 0 0
1619168334.628375
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00620000
success 0 0
1619168336.77025
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619168336.78525
NtAllocateVirtualMemory
process_identifier: 192
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01d20000
success 0 0
1619168336.78525
NtAllocateVirtualMemory
process_identifier: 192
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01d20000
success 0 0
1619168336.78525
NtAllocateVirtualMemory
process_identifier: 192
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d60000
success 0 0
1619168336.78525
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 118784
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01d62000
success 0 0
1619168336.95725
NtAllocateVirtualMemory
process_identifier: 192
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02050000
success 0 0
1619168336.95725
NtAllocateVirtualMemory
process_identifier: 192
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x021f0000
success 0 0
1619168337.16025
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01db2000
success 0 0
1619168337.16025
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619168337.16025
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01db2000
success 0 0
1619168337.16025
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619168337.16025
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01db2000
success 0 0
1619168337.16025
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619168337.16025
NtProtectVirtualMemory
process_identifier: 192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01db2000
success 0 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.537394123871727 section {'size_of_data': '0x0003e800', 'virtual_address': '0x000a2000', 'entropy': 7.537394123871727, 'name': '.rsrc', 'virtual_size': '0x0003e6b4'} description A section with a high entropy has been found
entropy 0.286368843069874 description Overall entropy of this PE file is high
The two "entropy" values are different measures. The first is Shannon entropy in bits per byte for the 256,000-byte .rsrc section: 7.54 of a possible 8, i.e. encrypted or compressed content (the signature's per-section threshold is 6.8). The second is not an entropy at all but the share of all section data that sits in such high-entropy sections, flagged because it exceeds 0.2; assuming 874.0KB is exactly 894,976 bytes with a 0x400-byte header, 0x3e800 / (894,976 - 0x400) = 0.2864 reproduces the figure. Read as bits per byte, 0.29 would mean the opposite of "high". A 250 KB high-entropy resource in a Delphi stub is where an embedded, encrypted payload typically lives, and it is the first thing to carve when unpacking statically.
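To make the two entropy figures concrete, an added Python example (not the report's or the sandbox's own code): it walks the PE section table by hand, computes per-section Shannon entropy and the high-entropy share exactly as described, on a small synthetic PE constructed inside the script, and report_ratio() re-derives the page's 0.2864 under the assumption that 874.0KB is exactly 894,976 bytes with a 0x400-byte header. The thresholds 6.8 and 0.2 are those of the Cuckoo community packer_entropy signature; the synthetic image is parsable, not loadable.

```python
"""Reproduce the packer_entropy numbers above without pefile.

Added example, not code from the original report. Parses the PE section
table directly, computes Shannon entropy per section, and reports the
share of section data held in sections above the 6.8-bit threshold.
"""
import math
import random
import struct

HIGH_ENTROPY = 6.8      # per-section threshold used by the signature
RATIO_THRESHOLD = 0.2   # overall threshold: share of bytes in high-entropy sections


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob):
    """Yield (name, virtual_size, virtual_address, size_of_data, raw_offset)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, roff


def section_report(blob):
    """Per-section rows plus the fraction of section bytes in high-entropy sections."""
    rows, total, high = [], 0, 0
    for name, vsize, vaddr, rsize, roff in pe_sections(blob):
        ent = shannon_entropy(blob[roff:roff + rsize])
        rows.append({"name": name, "virtual_address": vaddr, "size_of_data": rsize, "entropy": ent})
        total += rsize
        if ent > HIGH_ENTROPY:
            high += rsize
    return rows, (high / total if total else 0.0)


def build_synthetic_pe(sections, header_size=0x400):
    """Minimal PE32 (headers + raw sections) from [(name, bytes)]. Constructed test input."""
    blob = bytearray(b"MZ").ljust(0x3C, b"\0") + struct.pack("<I", 0x80)   # e_lfanew = 0x80
    blob = blob.ljust(0x80, b"\0") + b"PE\0\0"
    opt_size = 0xE0                                                         # PE32 optional header, zeroed
    blob += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    blob += b"\0" * opt_size
    va, raw = 0x1000, header_size
    for name, data in sections:
        blob += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                            len(data), va, len(data), raw, 0, 0, 0, 0, 0x40000040)
        va += (len(data) + 0xFFF) & ~0xFFF
        raw += len(data)
    blob = blob.ljust(header_size, b"\0")
    for _, data in sections:
        blob += data
    return bytes(blob)


def sample_sections():
    """Constructed sections: a random-looking .rsrc beside low-entropy CODE and DATA."""
    rng = random.Random(2021)
    rsrc = bytes(rng.getrandbits(8) for _ in range(0x1000))   # ~7.95 bits/byte
    code = bytes(range(16)) * 0x200                             # 0x2000 bytes, exactly 4.0 bits/byte
    data = b"\0" * 0x1000                                       # 0.0 bits/byte
    return [("CODE", code), ("DATA", data), (".rsrc", rsrc)]


def report_ratio(high_bytes=0x3E800, file_size=874 * 1024, header=0x400):
    """The page's second figure: high-entropy section bytes over total section bytes (sizes assumed)."""
    return high_bytes / (file_size - header)


if __name__ == "__main__":
    rows, ratio = section_report(build_synthetic_pe(sample_sections()))
    for r in rows:
        print(f"{r['name']:<8} size 0x{r['size_of_data']:06x} entropy {r['entropy']:.3f}")
    print(f"high-entropy share {ratio:.3f} (packed if > {RATIO_THRESHOLD})")
    print(f"report figure re-derived: {report_ratio():.15f}")
```

Pointed at a real file (`section_report(open(path, "rb").read())`), the same function gives the per-section rows the signature printed above; the parser reads only the fields it needs and ignores overlay data past the last section, which is also where some loaders keep their payload, so check the file length against the last section's end as a follow-up.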
Expresses interest in specific running processes (1 event)
process 00f1eca79a7182fa6b69d34bf81cdf07.exe
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (19 events)
Two caveats when reading this list. A failed Process32NextW means the snapshot was walked to its end without a match, and the process_name shown is the last entry the walk had returned, not the name being searched for; inject-x86.exe is the Cuckoo monitor's own injector helper and mscorsvw.exe the .NET runtime optimization service, both sandbox background rather than targets of the sample. The recurring 00f1eca79a7182fa6b69d34bf81cdf07.exe entries with ever-changing pids (2864, 2292, 3044, 3252, 3496, 3732, 4064) show the sample relaunching itself over and over, matching the ten crashes above and the ten injection pairs below.
Columns: time, API, arguments, status, return value, repeat count
1619168320.206625
Process32NextW
process_name: conhost.exe
snapshot_handle: 0x0000010c
process_identifier: 3048
failed 0 0
1619168333.92575
Process32NextW
process_name: 00f1eca79a7182fa6b69d34bf81cdf07.exe
snapshot_handle: 0x00000258
process_identifier: 2864
failed 0 0
1619168334.644375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 2032
failed 0 0
1619168342.878875
Process32NextW
process_name: 00f1eca79a7182fa6b69d34bf81cdf07.exe
snapshot_handle: 0x00000184
process_identifier: 2292
failed 0 0
1619168344.253375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 2116
failed 0 0
1619168352.2695
Process32NextW
process_name: 00f1eca79a7182fa6b69d34bf81cdf07.exe
snapshot_handle: 0x0000014c
process_identifier: 3044
failed 0 0
1619168353.066625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3128
failed 0 0
1619168360.83225
Process32NextW
process_name: 00f1eca79a7182fa6b69d34bf81cdf07.exe
snapshot_handle: 0x00000178
process_identifier: 3252
failed 0 0
1619168361.223
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3428
failed 0 0
1619168367.488375
Process32NextW
process_name: 00f1eca79a7182fa6b69d34bf81cdf07.exe
snapshot_handle: 0x00000174
process_identifier: 3496
failed 0 0
1619168368.035
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3664
failed 0 0
1619168372.972375
Process32NextW
process_name: 00f1eca79a7182fa6b69d34bf81cdf07.exe
snapshot_handle: 0x00000144
process_identifier: 3732
failed 0 0
1619168373.87925
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3900
failed 0 0
1619168380.004125
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000168
process_identifier: 4076
failed 0 0
1619168381.02025
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3188
failed 0 0
1619168385.909502
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000014c
process_identifier: 3688
failed 0 0
1619168386.957125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3608
failed 0 0
1619168394.941875
Process32NextW
process_name: 00f1eca79a7182fa6b69d34bf81cdf07.exe
snapshot_handle: 0x00000134
process_identifier: 4064
failed 0 0
1619168397.097875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 3424
failed 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Caveat: this address is in a Google-owned range, and the Hosts and TCP sections at the end of this report record no connection at all, so the indicator is weakly supported by the capture and should not be treated as a C2 IOC without corroboration.
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (20 events)
Reading the register values logged below: registers.eax 4708144 is 0x47D7B0, which lies inside the 520192-byte image the sample maps at 0x00400000 in every target (0x00400000 to 0x0047F000), so it is the entry point of the injected image. On 32-bit Windows the initial thread of a process created suspended starts with EAX = entry point and EBX = PEB address, and registers.ebx 2130567168 is 0x7EFDE000, the PEB address usually seen for a 32-bit process on Windows 7. Overwriting EAX is how the hollowing code redirects execution into the new image; the remaining register fields are reported as 0 by the monitor.
Process injection Process 2240 called NtSetContextThread to modify thread in remote process 2452
Process injection Process 2248 called NtSetContextThread to modify thread in remote process 192
Process injection Process 1272 called NtSetContextThread to modify thread in remote process 2604
Process injection Process 1664 called NtSetContextThread to modify thread in remote process 3156
Process injection Process 3368 called NtSetContextThread to modify thread in remote process 3436
Process injection Process 3604 called NtSetContextThread to modify thread in remote process 3672
Process injection Process 3840 called NtSetContextThread to modify thread in remote process 3908
Process injection Process 4084 called NtSetContextThread to modify thread in remote process 3200
Process injection Process 3712 called NtSetContextThread to modify thread in remote process 3888
Process injection Process 3312 called NtSetContextThread to modify thread in remote process 3456
Time & API Arguments Status Return Repeated
1619168320.847625
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2452
success 0 0
1619168335.081375
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 192
success 0 0
1619168345.066375
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2604
success 0 0
1619168353.925625
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3156
success 0 0
1619168361.629
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3436
success 0 0
1619168368.285
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3672
success 0 0
1619168374.05125
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3908
success 0 0
1619168381.36425
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3200
success 0 0
1619168387.504125
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3888
success 0 0
1619168397.613875
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3456
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (20 events)
Process injection Process 2240 resumed a thread in remote process 2452
Process injection Process 2248 resumed a thread in remote process 192
Process injection Process 1272 resumed a thread in remote process 2604
Process injection Process 1664 resumed a thread in remote process 3156
Process injection Process 3368 resumed a thread in remote process 3436
Process injection Process 3604 resumed a thread in remote process 3672
Process injection Process 3840 resumed a thread in remote process 3908
Process injection Process 4084 resumed a thread in remote process 3200
Process injection Process 3712 resumed a thread in remote process 3888
Process injection Process 3312 resumed a thread in remote process 3456
Time & API Arguments Status Return Repeated
1619168321.534625
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2452
success 0 0
1619168336.003375
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 192
success 0 0
1619168347.206375
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2604
success 0 0
1619168354.800625
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 3156
success 0 0
1619168361.989
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 3436
success 0 0
1619168368.629
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 3672
success 0 0
1619168374.41025
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 3908
success 0 0
1619168381.81725
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 3200
success 0 0
1619168389.051125
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 3888
success 0 0
1619168398.097875
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 3456
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 79 events)
What the calls below show, round by round: a copy of the sample started without arguments creates another copy of itself with CREATE_SUSPENDED, unmaps the 4 KB region at the original image base 0x00400000 in the new process, maps a 520192-byte PAGE_EXECUTE_READWRITE section at the same base, reads and rewrites the suspended thread's context, and resumes it (classic process hollowing). It then starts a third, non-suspended copy with the arguments "2 <PID of the hollowed process> <number>", and a few seconds later a fresh argument-less copy appears and the round repeats, which is why the injection list above pairs ten different source PIDs with ten different targets. The third command-line argument grows in step with the call timestamps at a millisecond rate, consistent with a GetTickCount value (GetTickCount is in the import table); that reading is an inference from the timestamps, not something the report states.
Time & API Arguments Status Return Repeated
1619168320.800625
CreateProcessInternalW
thread_identifier: 2064
thread_handle: 0x00000110
process_identifier: 2452
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619168320.800625
NtUnmapViewOfSection
process_identifier: 2452
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619168320.800625
NtMapViewOfSection
section_handle: 0x0000011c
process_identifier: 2452
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619168320.847625
NtGetContextThread
thread_handle: 0x00000110
success 0 0
1619168320.847625
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2452
success 0 0
1619168321.534625
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2452
success 0 0
1619168321.644625
CreateProcessInternalW
thread_identifier: 2984
thread_handle: 0x00000118
process_identifier: 2864
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe" 2 2452 9689296
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619168334.23875
CreateProcessInternalW
thread_identifier: 2668
thread_handle: 0x0000025c
process_identifier: 2248
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000260
inherit_handles: 0
success 1 0
1619168335.003375
CreateProcessInternalW
thread_identifier: 2996
thread_handle: 0x00000110
process_identifier: 192
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619168335.003375
NtUnmapViewOfSection
process_identifier: 192
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619168335.003375
NtMapViewOfSection
section_handle: 0x0000011c
process_identifier: 192
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619168335.081375
NtGetContextThread
thread_handle: 0x00000110
success 0 0
1619168335.081375
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 192
success 0 0
1619168336.003375
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 192
success 0 0
1619168336.581375
CreateProcessInternalW
thread_identifier: 1912
thread_handle: 0x00000118
process_identifier: 2292
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe" 2 192 9703765
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619168343.191875
CreateProcessInternalW
thread_identifier: 1824
thread_handle: 0x00000188
process_identifier: 1272
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000018c
inherit_handles: 0
success 1 0
1619168344.628375
CreateProcessInternalW
thread_identifier: 2964
thread_handle: 0x00000110
process_identifier: 2604
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619168344.628375
NtUnmapViewOfSection
process_identifier: 2604
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619168344.644375
NtMapViewOfSection
section_handle: 0x0000011c
process_identifier: 2604
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619168345.050375
NtGetContextThread
thread_handle: 0x00000110
success 0 0
1619168345.066375
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2604
success 0 0
1619168347.206375
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2604
success 0 0
1619168347.519375
CreateProcessInternalW
thread_identifier: 2648
thread_handle: 0x00000118
process_identifier: 3044
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe" 2 2604 9714968
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619168352.4885
CreateProcessInternalW
thread_identifier: 2840
thread_handle: 0x00000150
process_identifier: 1664
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000154
inherit_handles: 0
success 1 0
1619168353.831625
CreateProcessInternalW
thread_identifier: 3160
thread_handle: 0x00000110
process_identifier: 3156
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619168353.831625
NtUnmapViewOfSection
process_identifier: 3156
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619168353.831625
NtMapViewOfSection
section_handle: 0x0000011c
process_identifier: 3156
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619168353.909625
NtGetContextThread
thread_handle: 0x00000110
success 0 0
1619168353.925625
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3156
success 0 0
1619168354.800625
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 3156
success 0 0
1619168355.519625
CreateProcessInternalW
thread_identifier: 3256
thread_handle: 0x00000118
process_identifier: 3252
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe" 2 3156 9722562
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619168360.92625
CreateProcessInternalW
thread_identifier: 3372
thread_handle: 0x0000017c
process_identifier: 3368
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000180
inherit_handles: 0
success 1 0
1619168361.52
CreateProcessInternalW
thread_identifier: 3440
thread_handle: 0x00000110
process_identifier: 3436
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619168361.52
NtUnmapViewOfSection
process_identifier: 3436
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619168361.52
NtMapViewOfSection
section_handle: 0x0000011c
process_identifier: 3436
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619168361.614
NtGetContextThread
thread_handle: 0x00000110
success 0 0
1619168361.629
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3436
success 0 0
1619168361.989
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 3436
success 0 0
1619168362.207
CreateProcessInternalW
thread_identifier: 3500
thread_handle: 0x00000118
process_identifier: 3496
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe" 2 3436 9729750
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619168367.675375
CreateProcessInternalW
thread_identifier: 3608
thread_handle: 0x00000178
process_identifier: 3604
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000017c
inherit_handles: 0
success 1 0
1619168368.223
CreateProcessInternalW
thread_identifier: 3676
thread_handle: 0x00000110
process_identifier: 3672
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619168368.223
NtUnmapViewOfSection
process_identifier: 3672
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619168368.239
NtMapViewOfSection
section_handle: 0x0000011c
process_identifier: 3672
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619168368.285
NtGetContextThread
thread_handle: 0x00000110
success 0 0
1619168368.285
NtSetContextThread
thread_handle: 0x00000110
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708144
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3672
success 0 0
1619168368.629
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 3672
success 0 0
1619168369.442
CreateProcessInternalW
thread_identifier: 3736
thread_handle: 0x00000118
process_identifier: 3732
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe" 2 3672 9736390
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619168373.472375
CreateProcessInternalW
thread_identifier: 3844
thread_handle: 0x00000148
process_identifier: 3840
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000014c
inherit_handles: 0
success 1 0
1619168373.98925
CreateProcessInternalW
thread_identifier: 3912
thread_handle: 0x00000110
process_identifier: 3908
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\00f1eca79a7182fa6b69d34bf81cdf07.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619168373.98925
NtUnmapViewOfSection
process_identifier: 3908
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.310200
FireEye Generic.mg.00f1eca79a7182fa
CAT-QuickHeal Trojan.IGENERIC
Qihoo-360 Win32/Trojan.469
McAfee Fareit-FPQ!00F1ECA79A71
Cylance Unsafe
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Arcabit Trojan.Zusy.D4BBB8
BitDefenderTheta Gen:NN.ZelphiF.34700.2GW@a8XM7Yei
Cyren W32/Injector.WHEL-0962
Symantec ML.Attribute.HighConfidence
TrendMicro-HouseCall TROJ_GEN.R002C0DLA20
Paloalto generic.ml
ClamAV Win.Dropper.Nanocore-9168858-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Gen:Variant.Zusy.310200
NANO-Antivirus Trojan.Win32.Kryptik.hprcdn
APEX Malicious
Tencent Win32.Trojan.Kryptik.Frt
Ad-Aware Gen:Variant.Zusy.310200
Sophos Mal/Generic-R + Troj/NanoCr-JI
Comodo Malware@#2az8mfhwely4u
F-Secure Trojan.TR/Redcap.lwxvo
DrWeb Trojan.PWS.Stealer.28996
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0DLA20
McAfee-GW-Edition BehavesLike.Win32.Fareit.ch
Emsisoft Gen:Variant.Zusy.310200 (B)
Ikarus Trojan.Inject
Jiangmin Trojan.Kryptik.bzn
Webroot W32.Trojan.Gen
Avira TR/Redcap.lwxvo
Antiy-AVL Trojan/Win32.Kryptik
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Kryptik.oa
Microsoft Trojan:Win32/DataStealer.VD!MTB
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Gen:Variant.Zusy.310200
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2094
VBA32 TScope.Trojan.Delf
ALYac Gen:Variant.Zusy.310200
MAX malware (ai score=100)
Malwarebytes Trojan.MalPack.DLF
Avast Win32:Malware-gen
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were generated while the sample ran


PE Compile Time

1992-06-20 06:22:17 (this is the fixed TimeDateStamp 0x2A425E19, 1992-06-19 22:22:17 UTC, that Delphi's linker writes into every image it produces, shown here in the sandbox's local time zone; it is not the real build time, and it agrees with the Delphi-family verdicts in the engine list above such as VBA32's TScope.Trojan.Delf)
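Checking for that constant yourself takes only the MZ and PE headers. The script below is an added example for this report (not the sandbox's code): it reads e_lfanew, verifies the PE signature, pulls TimeDateStamp out of IMAGE_FILE_HEADER and renders it in UTC so the local-time display above does not mislead. build_stub() produces a constructed header for testing and is not a runnable executable.

```python
"""Read a PE image's TimeDateStamp and flag the Delphi constant.

Added example for this report (not the sandbox's code). Only the MZ/PE
headers are parsed, so no third-party library is needed.
"""
import struct
from datetime import datetime, timezone

# Value Delphi's linker writes into every image it produces.
DELPHI_FIXED_STAMP = 0x2A425E19


def pe_timestamp(data):
    """Return (TimeDateStamp, looks_like_delphi) from raw image bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return stamp, stamp == DELPHI_FIXED_STAMP


def stamp_utc(stamp):
    """Render a TimeDateStamp as UTC (sandboxes often show local time)."""
    return datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_stub(stamp, machine=0x14C, nsections=3):
    """Constructed minimal DOS stub + PE signature + IMAGE_FILE_HEADER (test input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the stub
    file_hdr = struct.pack("<HHIIIHH", machine, nsections, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + file_hdr


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read(4096) if path else build_stub(DELPHI_FIXED_STAMP)
    stamp, delphi = pe_timestamp(data)
    print(f"TimeDateStamp 0x{stamp:08X} = {stamp_utc(stamp)} UTC; Delphi constant: {delphi}")
```

Run it with a file path to check a real sample; without one it exercises the constructed stub and prints 0x2A425E19 = 1992-06-19 22:22:17 UTC.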

Imports

Note: the static import table below contains none of the process-creation or injection APIs that the dynamic trace shows being called (CreateProcess, NtUnmapViewOfSection, NtMapViewOfSection, NtSetContextThread, NtResumeThread), while LoadLibraryA and GetProcAddress are imported. The injection code must therefore resolve those functions at runtime; this is an inference from comparing the two lists, not something the report states. The repeated "Library kernel32.dll:" groups are separate import descriptors, which is normal for Delphi-built images, not a duplication artifact.

Library kernel32.dll:
0x493178 VirtualFree
0x49317c VirtualAlloc
0x493180 LocalFree
0x493184 LocalAlloc
0x493188 GetVersion
0x49318c GetCurrentThreadId
0x493198 VirtualQuery
0x49319c WideCharToMultiByte
0x4931a0 MultiByteToWideChar
0x4931a4 lstrlenA
0x4931a8 lstrcpynA
0x4931ac LoadLibraryExA
0x4931b0 GetThreadLocale
0x4931b4 GetStartupInfoA
0x4931b8 GetProcAddress
0x4931bc GetModuleHandleA
0x4931c0 GetModuleFileNameA
0x4931c4 GetLocaleInfoA
0x4931c8 GetCommandLineA
0x4931cc FreeLibrary
0x4931d0 FindFirstFileA
0x4931d4 FindClose
0x4931d8 ExitProcess
0x4931dc WriteFile
0x4931e4 RtlUnwind
0x4931e8 RaiseException
0x4931ec GetStdHandle
Library user32.dll:
0x4931f4 GetKeyboardType
0x4931f8 LoadStringA
0x4931fc MessageBoxA
0x493200 CharNextA
Library advapi32.dll:
0x493208 RegQueryValueExA
0x49320c RegOpenKeyExA
0x493210 RegCloseKey
Library oleaut32.dll:
0x493218 SysFreeString
0x49321c SysReAllocStringLen
0x493220 SysAllocStringLen
Library kernel32.dll:
0x493228 TlsSetValue
0x49322c TlsGetValue
0x493230 LocalAlloc
0x493234 GetModuleHandleA
Library advapi32.dll:
0x49323c RegQueryValueExA
0x493240 RegOpenKeyExA
0x493244 RegCloseKey
Library kernel32.dll:
0x49324c lstrcpyA
0x493250 WriteFile
0x493254 WaitForSingleObject
0x493258 VirtualQuery
0x49325c VirtualAlloc
0x493260 Sleep
0x493264 SizeofResource
0x493268 SetThreadLocale
0x49326c SetFilePointer
0x493270 SetEvent
0x493274 SetErrorMode
0x493278 SetEndOfFile
0x49327c ResetEvent
0x493280 ReadFile
0x493284 MultiByteToWideChar
0x493288 MulDiv
0x49328c LockResource
0x493290 LoadResource
0x493294 LoadLibraryA
0x4932a0 GlobalUnlock
0x4932a4 GlobalSize
0x4932a8 GlobalReAlloc
0x4932ac GlobalHandle
0x4932b0 GlobalLock
0x4932b4 GlobalFree
0x4932b8 GlobalFindAtomA
0x4932bc GlobalDeleteAtom
0x4932c0 GlobalAlloc
0x4932c4 GlobalAddAtomA
0x4932c8 GetVersionExA
0x4932cc GetVersion
0x4932d0 GetUserDefaultLCID
0x4932d4 GetTickCount
0x4932d8 GetThreadLocale
0x4932dc GetSystemInfo
0x4932e0 GetStringTypeExA
0x4932e4 GetStdHandle
0x4932e8 GetProcAddress
0x4932ec GetModuleHandleA
0x4932f0 GetModuleFileNameA
0x4932f4 GetLocaleInfoA
0x4932f8 GetLocalTime
0x4932fc GetLastError
0x493300 GetFullPathNameA
0x493304 GetDiskFreeSpaceA
0x493308 GetDateFormatA
0x49330c GetCurrentThreadId
0x493310 GetCurrentProcessId
0x493314 GetComputerNameA
0x493318 GetCPInfo
0x49331c GetACP
0x493320 FreeResource
0x493324 InterlockedExchange
0x493328 FreeLibrary
0x49332c FormatMessageA
0x493330 FindResourceA
0x493334 EnumCalendarInfoA
0x493340 CreateThread
0x493344 CreateFileA
0x493348 CreateEventA
0x49334c CompareStringA
0x493350 CloseHandle
Library version.dll:
0x493358 VerQueryValueA
0x493360 GetFileVersionInfoA
Library gdi32.dll:
0x493368 UnrealizeObject
0x49336c StretchBlt
0x493370 SetWindowOrgEx
0x493374 SetWinMetaFileBits
0x493378 SetViewportOrgEx
0x49337c SetTextColor
0x493380 SetStretchBltMode
0x493384 SetROP2
0x493388 SetPixel
0x49338c SetMapMode
0x493390 SetEnhMetaFileBits
0x493394 SetDIBColorTable
0x493398 SetBrushOrgEx
0x49339c SetBkMode
0x4933a0 SetBkColor
0x4933a4 SelectPalette
0x4933a8 SelectObject
0x4933ac SelectClipRgn
0x4933b0 SaveDC
0x4933b4 RestoreDC
0x4933b8 Rectangle
0x4933bc RectVisible
0x4933c0 RealizePalette
0x4933c4 Polyline
0x4933c8 PlayEnhMetaFile
0x4933cc PatBlt
0x4933d0 MoveToEx
0x4933d4 MaskBlt
0x4933d8 LineTo
0x4933dc LPtoDP
0x4933e0 IntersectClipRect
0x4933e4 GetWindowOrgEx
0x4933e8 GetWinMetaFileBits
0x4933ec GetTextMetricsA
0x4933f8 GetStockObject
0x4933fc GetPixel
0x493400 GetPaletteEntries
0x493404 GetObjectA
0x493414 GetEnhMetaFileBits
0x493418 GetDeviceCaps
0x49341c GetDIBits
0x493420 GetDIBColorTable
0x493424 GetDCOrgEx
0x49342c GetClipRgn
0x493430 GetClipBox
0x493434 GetBrushOrgEx
0x493438 GetBitmapBits
0x49343c ExtTextOutA
0x493440 ExcludeClipRect
0x493444 DeleteObject
0x493448 DeleteEnhMetaFile
0x49344c DeleteDC
0x493450 CreateSolidBrush
0x493454 CreateRectRgn
0x493458 CreatePenIndirect
0x49345c CreatePen
0x493460 CreatePalette
0x493468 CreateFontIndirectA
0x49346c CreateEnhMetaFileA
0x493470 CreateDIBitmap
0x493474 CreateDIBSection
0x493478 CreateCompatibleDC
0x493480 CreateBrushIndirect
0x493484 CreateBitmap
0x493488 CopyEnhMetaFileA
0x49348c CloseEnhMetaFile
0x493490 BitBlt
Library opengl32.dll:
0x493498 wglDeleteContext
Library user32.dll:
0x4934a0 CreateWindowExA
0x4934a4 WindowFromPoint
0x4934a8 WinHelpA
0x4934ac WaitMessage
0x4934b0 ValidateRect
0x4934b4 UpdateWindow
0x4934b8 UnregisterClassA
0x4934bc UnhookWindowsHookEx
0x4934c0 TranslateMessage
0x4934c8 TrackPopupMenu
0x4934d0 ShowWindow
0x4934d4 ShowScrollBar
0x4934d8 ShowOwnedPopups
0x4934dc ShowCursor
0x4934e0 SetWindowsHookExA
0x4934e4 SetWindowTextA
0x4934e8 SetWindowPos
0x4934ec SetWindowPlacement
0x4934f0 SetWindowLongA
0x4934f4 SetTimer
0x4934f8 SetScrollRange
0x4934fc SetScrollPos
0x493500 SetScrollInfo
0x493504 SetRect
0x493508 SetPropA
0x49350c SetParent
0x493510 SetMenuItemInfoA
0x493514 SetMenu
0x493518 SetForegroundWindow
0x49351c SetFocus
0x493520 SetCursor
0x493524 SetClassLongA
0x493528 SetCapture
0x49352c SetActiveWindow
0x493530 SendMessageA
0x493534 ScrollWindow
0x493538 ScreenToClient
0x49353c RemovePropA
0x493540 RemoveMenu
0x493544 ReleaseDC
0x493548 ReleaseCapture
0x493554 RegisterClassA
0x493558 RedrawWindow
0x49355c PtInRect
0x493560 PostQuitMessage
0x493564 PostMessageA
0x493568 PeekMessageA
0x49356c OffsetRect
0x493570 OemToCharA
0x493574 MessageBoxA
0x493578 MapWindowPoints
0x49357c MapVirtualKeyA
0x493580 LoadStringA
0x493584 LoadKeyboardLayoutA
0x493588 LoadIconA
0x49358c LoadCursorA
0x493590 LoadBitmapA
0x493594 KillTimer
0x493598 IsZoomed
0x49359c IsWindowVisible
0x4935a0 IsWindowEnabled
0x4935a4 IsWindow
0x4935a8 IsRectEmpty
0x4935ac IsIconic
0x4935b0 IsDialogMessageA
0x4935b4 IsChild
0x4935b8 InvalidateRect
0x4935bc IntersectRect
0x4935c0 InsertMenuItemA
0x4935c4 InsertMenuA
0x4935c8 InflateRect
0x4935d0 GetWindowTextA
0x4935d4 GetWindowRect
0x4935d8 GetWindowPlacement
0x4935dc GetWindowLongA
0x4935e0 GetWindowDC
0x4935e4 GetTopWindow
0x4935e8 GetSystemMetrics
0x4935ec GetSystemMenu
0x4935f0 GetSysColorBrush
0x4935f4 GetSysColor
0x4935f8 GetSubMenu
0x4935fc GetScrollRange
0x493600 GetScrollPos
0x493604 GetScrollInfo
0x493608 GetPropA
0x49360c GetParent
0x493610 GetWindow
0x493614 GetMessageTime
0x493618 GetMenuStringA
0x49361c GetMenuState
0x493620 GetMenuItemInfoA
0x493624 GetMenuItemID
0x493628 GetMenuItemCount
0x49362c GetMenu
0x493630 GetLastActivePopup
0x493634 GetKeyboardState
0x49363c GetKeyboardLayout
0x493640 GetKeyState
0x493644 GetKeyNameTextA
0x493648 GetIconInfo
0x49364c GetForegroundWindow
0x493650 GetFocus
0x493654 GetDlgItem
0x493658 GetDesktopWindow
0x49365c GetDCEx
0x493660 GetDC
0x493664 GetCursorPos
0x493668 GetCursor
0x49366c GetClipboardData
0x493670 GetClientRect
0x493674 GetClassNameA
0x493678 GetClassInfoA
0x49367c GetCapture
0x493680 GetActiveWindow
0x493684 FrameRect
0x493688 FindWindowA
0x49368c FillRect
0x493690 EqualRect
0x493694 EnumWindows
0x493698 EnumThreadWindows
0x49369c EndPaint
0x4936a0 EnableWindow
0x4936a4 EnableScrollBar
0x4936a8 EnableMenuItem
0x4936ac DrawTextA
0x4936b0 DrawMenuBar
0x4936b4 DrawIconEx
0x4936b8 DrawIcon
0x4936bc DrawFrameControl
0x4936c0 DrawFocusRect
0x4936c4 DrawEdge
0x4936c8 DispatchMessageA
0x4936cc DestroyWindow
0x4936d0 DestroyMenu
0x4936d4 DestroyIcon
0x4936d8 DestroyCursor
0x4936dc DeleteMenu
0x4936e0 DefWindowProcA
0x4936e4 DefMDIChildProcA
0x4936e8 DefFrameProcA
0x4936ec CreatePopupMenu
0x4936f0 CreateMenu
0x4936f4 CreateIcon
0x4936f8 ClientToScreen
0x4936fc CheckMenuItem
0x493700 CallWindowProcA
0x493704 CallNextHookEx
0x493708 BeginPaint
0x49370c CharNextA
0x493710 CharLowerBuffA
0x493714 CharLowerA
0x493718 CharUpperBuffA
0x49371c CharToOemA
0x493720 AdjustWindowRectEx
Library kernel32.dll:
0x49372c Sleep
Library oleaut32.dll:
0x493734 SafeArrayPtrOfIndex
0x493738 SafeArrayPutElement
0x49373c SafeArrayGetElement
0x493744 SafeArrayAccessData
0x493748 SafeArrayGetUBound
0x49374c SafeArrayGetLBound
0x493750 SafeArrayCreate
0x493754 VariantChangeType
0x493758 VariantCopyInd
0x49375c VariantCopy
0x493760 VariantClear
0x493764 VariantInit
Library ole32.dll:
0x493770 IsAccelerator
0x493774 OleDraw
0x49377c CoTaskMemFree
0x493780 ProgIDFromCLSID
0x493784 StringFromCLSID
0x493788 CoCreateInstance
0x49378c CoGetClassObject
0x493790 CoUninitialize
0x493794 CoInitialize
0x493798 IsEqualGUID
Library oleaut32.dll:
0x4937a0 GetErrorInfo
0x4937a4 GetActiveObject
0x4937a8 SysFreeString
Library comctl32.dll:
0x4937b8 ImageList_Write
0x4937bc ImageList_Read
0x4937cc ImageList_DragMove
0x4937d0 ImageList_DragLeave
0x4937d4 ImageList_DragEnter
0x4937d8 ImageList_EndDrag
0x4937dc ImageList_BeginDrag
0x4937e0 ImageList_Remove
0x4937e4 ImageList_DrawEx
0x4937e8 ImageList_Replace
0x4937ec ImageList_Draw
0x4937fc ImageList_Add
0x493804 ImageList_Destroy
0x493808 ImageList_Create
0x49380c InitCommonControls
Library comdlg32.dll:
0x493814 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

The NetBIOS (137/138), NTP (123, time.windows.com), LLMNR (5355) and SSDP (1900) rows below are normal Windows background traffic from the guest. Only the five DNS queries to 114.114.114.114 could be attributable to the sample, and the report does not record the names queried.

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51966 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.