11.0
0-day

eb301ee5bae45a4d93e8c88a0bfda61e962be4c5a5c00255ebdf5aa364f69341

099198d6cff5911ed2cb5d13c0887725.exe

Analysis duration

101s

Latest analysis

File size

679.0KB
Static detection / Dynamic detection: 100% AGENTTESLA AI SCORE=80 AIDETECTVM ALI2000015 AUTO AUTOG CLASSIC CONFIDENCE CYVTT DELF DELFINJECT DELPHILESS EMOY EMUW FAREIT HIGH CONFIDENCE HPCNXF KCLOUD KRYPTIK LOKIBOT MALREP MALWARE2 MALWARE@#UYVUNCUXXCQL NANOCORE PASSWORDSTEALER QGW@A08LQPGI QVM05 S + TROJ SCORE STATIC AI SUSPICIOUS PE THIABBO TSCOPE UNSAFE WPVI X2094 ZELPHIF
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201210 21.1.5827.0
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Tencent Win32.Trojan.Inject.Auto 20201211 1.0.0.1
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
McAfee Fareit-FVZ!099198D6CFF5 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (12 events)
Time & API Arguments Status Return Repeated
1619146230.753999
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x750ae97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x750aea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x750ab25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x750ab4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x750aac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x750aaed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x750a5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x750a559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75117f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75114de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff42148d
success 0 0
1619146239.457124
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3f148d
success 0 0
1619146244.581999
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7510e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7510ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7510b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7510b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7510ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7510aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75105511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7510559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75177f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75174de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdaf148d
success 0 0
1619146250.268499
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff27148d
success 0 0
1619146256.909626
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7510e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7510ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7510b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7510b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7510ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7510aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75105511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7510559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75177f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75174de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfda6148d
success 0 0
1619146262.440499
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff5a148d
success 0 0
1619146267.034626
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7510e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7510ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7510b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7510b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7510ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7510aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75105511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7510559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75177f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75174de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff41148d
success 0 0
1619146271.596876
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff42148d
success 0 0
1619146275.674999
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7510e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7510ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7510b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7510b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7510ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7510aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75105511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7510559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75177f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75174de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff65148d
success 0 0
1619146280.174876
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x750be97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x750bea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x750bb25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x750bb4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x750bac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x750baed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x750b5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x750b559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75127f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75124de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb3148d
success 0 0
1619146285.753374
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfda4148d
success 0 0
1619146290.565751
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
gtguihjky+0x40a4d @ 0x440a4d
gtguihjky+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff46148d
success 0 0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 399 events)
Time & API Arguments Status Return Repeated
1619134512.482538
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619134512.638538
NtProtectVirtualMemory
process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00459000
success 0 0
1619134512.638538
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f60000
success 0 0
1619146227.628751
NtAllocateVirtualMemory
process_identifier: 2268
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01cb0000
success 0 0
1619146227.643751
NtProtectVirtualMemory
process_identifier: 2268
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00459000
success 0 0
1619146227.643751
NtAllocateVirtualMemory
process_identifier: 2268
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01fa0000
success 0 0
1619146228.409999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619146228.503999
NtAllocateVirtualMemory
process_identifier: 2244
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01ed0000
success 0 0
1619146228.503999
NtAllocateVirtualMemory
process_identifier: 2244
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fc0000
success 0 0
1619146228.503999
NtAllocateVirtualMemory
process_identifier: 2244
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004c0000
success 0 0
1619146228.503999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 118784
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c2000
success 0 0
1619146229.190999
NtAllocateVirtualMemory
process_identifier: 2244
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02000000
success 0 0
1619146229.190999
NtAllocateVirtualMemory
process_identifier: 2244
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020f0000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ec2000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ec2000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ec2000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ec2000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ec2000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ec2000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ec2000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ec2000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ec2000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ec2000
success 0 0
1619146230.643999
NtProtectVirtualMemory
process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619146228.503876
NtAllocateVirtualMemory
process_identifier: 3092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619146228.565876
NtProtectVirtualMemory
process_identifier: 3092
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00459000
success 0 0
1619146228.596876
NtAllocateVirtualMemory
process_identifier: 3092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00660000
success 0 0
1619146237.612876
NtAllocateVirtualMemory
process_identifier: 3228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00580000
success 0 0
1619146237.737876
NtProtectVirtualMemory
process_identifier: 3228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00459000
success 0 0
1619146237.753876
NtAllocateVirtualMemory
process_identifier: 3228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f60000
success 0 0
1619146238.894124
NtProtectVirtualMemory
process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619146238.910124
NtAllocateVirtualMemory
process_identifier: 3308
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01ea0000
success 0 0
1619146238.910124
NtAllocateVirtualMemory
process_identifier: 3308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f20000
success 0 0
1619146238.910124
NtAllocateVirtualMemory
process_identifier: 3308
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00610000
success 0 0
1619146238.910124
NtProtectVirtualMemory
process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 118784
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619146238.988124
NtAllocateVirtualMemory
process_identifier: 3308
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02130000
success 0 0
1619146238.988124
NtAllocateVirtualMemory
process_identifier: 3308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022d0000
success 0 0
1619146239.207124
NtProtectVirtualMemory
process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e92000
success 0 0
1619146239.207124
NtProtectVirtualMemory
process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619146239.207124
NtProtectVirtualMemory
process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e92000
success 0 0
1619146239.207124
NtProtectVirtualMemory
process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 60 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.52454617238726 section {'size_of_data': '0x0003ba00', 'virtual_address': '0x00074000', 'entropy': 7.52454617238726, 'name': '.rsrc', 'virtual_size': '0x0003b8ac'} description A section with a high entropy has been found
entropy 0.35176991150442477 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process gtguihjky.exe
Repeatedly searches for a not-found process; you may want to run a web browser during analysis (25 events)
Time & API Arguments Status Return Repeated
1619134512.654538
Process32NextW
process_name: 099198d6cff5911ed2cb5d13c0887725.exe
snapshot_handle: 0x000000f8
process_identifier: 2196
failed 0 0
1619146227.674751
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 472
failed 0 0
1619146237.034876
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x000001bc
process_identifier: 3092
failed 0 0
1619146237.768876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3288
failed 0 0
1619146242.299626
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x0000013c
process_identifier: 3372
failed 0 0
1619146243.081876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3548
failed 0 0
1619146247.799751
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x0000014c
process_identifier: 3624
failed 0 0
1619146248.643626
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000fc
process_identifier: 3792
failed 0 0
1619146253.612751
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x00000148
process_identifier: 3868
failed 0 0
1619146254.722249
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x000000f8
process_identifier: 3996
failed 0 0
1619146259.957124
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x00000144
process_identifier: 3128
failed 0 0
1619146260.471501
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3004
failed 0 0
1619146265.112499
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x0000012c
process_identifier: 3452
failed 0 0
1619146265.816124
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3664
failed 0 0
1619146269.503626
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x00000124
process_identifier: 3752
failed 0 0
1619146270.065751
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 2412
failed 0 0
1619146274.315751
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x00000134
process_identifier: 3872
failed 0 0
1619146274.815374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 1320
failed 0 0
1619146277.816124
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x00000120
process_identifier: 2448
failed 0 0
1619146278.768501
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3560
failed 0 0
1619146283.879124
Process32NextW
process_name: gtguihjky.exe
snapshot_handle: 0x0000015c
process_identifier: 3864
failed 0 0
1619146284.674876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3688
failed 0 0
1619146288.424999
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x0000013c
process_identifier: 2236
failed 0 0
1619146289.206876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3296
failed 0 0
1619146294.174876
Process32NextW
process_name: GoogleUpdate.exe
snapshot_handle: 0x00000144
process_identifier: 3124
failed 0 0
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 37.139.21.175
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe:ZoneIdentifier
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619134513.498538
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000100
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2196 created a thread in remote process 2340
Time & API Arguments Status Return Repeated
1619134513.498538
NtQueueApcThread
thread_handle: 0x00000108
process_identifier: 2340
function_address: 0x000f05c0
parameter: 0x00100000
success 0 0
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619134513.498538
WriteProcessMemory
process_identifier: 2340
buffer:
process_handle: 0x00000100
base_address: 0x000f0000
success 1 0
1619134513.498538
WriteProcessMemory
process_identifier: 2340
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\099198d6cff5911ed2cb5d13c0887725.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\099198d6cff5911ed2cb5d13c0887725.exe" webSET AxsEWxFCeVFx = CREatEoBjecT("WscrIpT.shELl") AXSEWxfCeVFx.RuN """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x00100000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (24 events)
Process injection Process 2268 called NtSetContextThread to modify thread in remote process 2244
Process injection Process 3228 called NtSetContextThread to modify thread in remote process 3308
Process injection Process 3488 called NtSetContextThread to modify thread in remote process 3564
Process injection Process 3736 called NtSetContextThread to modify thread in remote process 3808
Process injection Process 3996 called NtSetContextThread to modify thread in remote process 4068
Process injection Process 3272 called NtSetContextThread to modify thread in remote process 3060
Process injection Process 3576 called NtSetContextThread to modify thread in remote process 3672
Process injection Process 3908 called NtSetContextThread to modify thread in remote process 3804
Process injection Process 1060 called NtSetContextThread to modify thread in remote process 3328
Process injection Process 3596 called NtSetContextThread to modify thread in remote process 3764
Process injection Process 3812 called NtSetContextThread to modify thread in remote process 2772
Process injection Process 3636 called NtSetContextThread to modify thread in remote process 3008
Time & API Arguments Status Return Repeated
1619146227.815751
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2244
success 0 0
1619146238.081876
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3308
success 0 0
1619146243.440876
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3564
success 0 0
1619146248.909626
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3808
success 0 0
1619146255.144249
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4068
success 0 0
1619146261.190501
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3060
success 0 0
1619146266.129124
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3672
success 0 0
1619146270.456751
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3804
success 0 0
1619146274.971374
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3328
success 0 0
1619146279.237501
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3764
success 0 0
1619146284.862876
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2772
success 0 0
1619146289.456876
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3008
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (24 events)
Process injection Process 2268 resumed a thread in remote process 2244
Process injection Process 3228 resumed a thread in remote process 3308
Process injection Process 3488 resumed a thread in remote process 3564
Process injection Process 3736 resumed a thread in remote process 3808
Process injection Process 3996 resumed a thread in remote process 4068
Process injection Process 3272 resumed a thread in remote process 3060
Process injection Process 3576 resumed a thread in remote process 3672
Process injection Process 3908 resumed a thread in remote process 3804
Process injection Process 1060 resumed a thread in remote process 3328
Process injection Process 3596 resumed a thread in remote process 3764
Process injection Process 3812 resumed a thread in remote process 2772
Process injection Process 3636 resumed a thread in remote process 3008
Time & API Arguments Status Return Repeated
1619146228.190751
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2244
success 0 0
1619146238.549876
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3308
success 0 0
1619146243.987876
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3564
success 0 0
1619146249.565626
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 3808
success 0 0
1619146255.550249
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 4068
success 0 0
1619146261.690501
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3060
success 0 0
1619146266.566124
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3672
success 0 0
1619146270.846751
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3804
success 0 0
1619146275.159374
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3328
success 0 0
1619146279.581501
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3764
success 0 0
1619146285.253876
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2772
success 0 0
1619146289.956876
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3008
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 102 events)
Time & API Arguments Status Return Repeated
1619134513.498538
CreateProcessInternalW
thread_identifier: 648
thread_handle: 0x00000108
process_identifier: 2340
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619134513.498538
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000100
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1619134513.498538
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000100
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1619134513.498538
WriteProcessMemory
process_identifier: 2340
buffer:
process_handle: 0x00000100
base_address: 0x000f0000
success 1 0
1619134513.498538
WriteProcessMemory
process_identifier: 2340
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\099198d6cff5911ed2cb5d13c0887725.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\099198d6cff5911ed2cb5d13c0887725.exe" webSET AxsEWxFCeVFx = CREatEoBjecT("WscrIpT.shELl") AXSEWxfCeVFx.RuN """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x00100000
success 1 0
1619146227.393499
CreateProcessInternalW
thread_identifier: 2064
thread_handle: 0x000000d0
process_identifier: 2268
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619146227.768751
CreateProcessInternalW
thread_identifier: 3068
thread_handle: 0x00000108
process_identifier: 2244
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619146227.768751
NtUnmapViewOfSection
process_identifier: 2244
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619146227.784751
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 2244
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619146227.815751
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619146227.815751
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2244
success 0 0
1619146228.190751
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2244
success 0 0
1619146228.221751
CreateProcessInternalW
thread_identifier: 3096
thread_handle: 0x0000010c
process_identifier: 3092
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe" 2 2244 20488687
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619146237.237876
CreateProcessInternalW
thread_identifier: 3232
thread_handle: 0x000001c0
process_identifier: 3228
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001c4
inherit_handles: 0
success 1 0
1619146238.049876
CreateProcessInternalW
thread_identifier: 3312
thread_handle: 0x00000108
process_identifier: 3308
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619146238.049876
NtUnmapViewOfSection
process_identifier: 3308
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619146238.049876
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 3308
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619146238.081876
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619146238.081876
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3308
success 0 0
1619146238.549876
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3308
success 0 0
1619146239.049876
CreateProcessInternalW
thread_identifier: 3376
thread_handle: 0x0000010c
process_identifier: 3372
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe" 2 3308 20499046
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619146242.471626
CreateProcessInternalW
thread_identifier: 3492
thread_handle: 0x00000140
process_identifier: 3488
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000144
inherit_handles: 0
success 1 0
1619146243.393876
CreateProcessInternalW
thread_identifier: 3568
thread_handle: 0x00000108
process_identifier: 3564
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619146243.393876
NtUnmapViewOfSection
process_identifier: 3564
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619146243.393876
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 3564
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619146243.440876
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619146243.440876
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3564
success 0 0
1619146243.987876
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3564
success 0 0
1619146244.221876
CreateProcessInternalW
thread_identifier: 3628
thread_handle: 0x0000010c
process_identifier: 3624
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe" 2 3564 20504484
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619146247.956751
CreateProcessInternalW
thread_identifier: 3740
thread_handle: 0x00000150
process_identifier: 3736
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000154
inherit_handles: 0
success 1 0
1619146248.831626
CreateProcessInternalW
thread_identifier: 3812
thread_handle: 0x0000010c
process_identifier: 3808
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619146248.831626
NtUnmapViewOfSection
process_identifier: 3808
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619146248.846626
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 3808
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619146248.909626
NtGetContextThread
thread_handle: 0x0000010c
success 0 0
1619146248.909626
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3808
success 0 0
1619146249.565626
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 3808
success 0 0
1619146249.784626
CreateProcessInternalW
thread_identifier: 3872
thread_handle: 0x00000110
process_identifier: 3868
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe" 2 3808 20510062
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619146253.815751
CreateProcessInternalW
thread_identifier: 4000
thread_handle: 0x0000014c
process_identifier: 3996
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000150
inherit_handles: 0
success 1 0
1619146255.082249
CreateProcessInternalW
thread_identifier: 4072
thread_handle: 0x00000108
process_identifier: 4068
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619146255.082249
NtUnmapViewOfSection
process_identifier: 4068
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619146255.113249
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 4068
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619146255.144249
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619146255.144249
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4707520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4068
success 0 0
1619146255.550249
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 4068
success 0 0
1619146255.644249
CreateProcessInternalW
thread_identifier: 3136
thread_handle: 0x0000010c
process_identifier: 3128
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe" 2 4068 20516046
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619146260.004124
CreateProcessInternalW
thread_identifier: 3276
thread_handle: 0x00000148
process_identifier: 3272
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000014c
inherit_handles: 0
success 1 0
1619146261.174501
CreateProcessInternalW
thread_identifier: 3056
thread_handle: 0x00000108
process_identifier: 3060
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\gtguihjky.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619146261.174501
NtUnmapViewOfSection
process_identifier: 3060
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619146261.174501
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 3060
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619146261.190501
NtGetContextThread
thread_handle: 0x00000108
success 0 0
File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Delf.FareIt.Gen.7
FireEye Generic.mg.099198d6cff5911e
ALYac Trojan.Delf.FareIt.Gen.7
Cylance Unsafe
Zillya Trojan.Injector.Win32.753781
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Trojan.Delf.FareIt.Gen.7
K7GW Riskware ( 0040eff71 )
Cybereason malicious.db69cc
BitDefenderTheta Gen:NN.ZelphiF.34670.QGW@a08Lqpgi
Cyren W32/Injector.WPVI-5619
Symantec Infostealer.Lokibot!43
ESET-NOD32 a variant of Win32/Injector.EMUW
APEX Malicious
Avast Win32:Trojan-gen
ClamAV Win.Dropper.AgentTesla-9122548-1
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
Alibaba Trojan:Win32/DelfInject.ali2000015
NANO-Antivirus Trojan.Win32.Kryptik.hpcnxf
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Trojan.Delf.FareIt.Gen.7
Sophos Mal/Generic-S + Troj/AutoG-IO
Comodo Malware@#uyvuncuxxcql
F-Secure Trojan.TR/Injector.cyvtt
DrWeb Trojan.PWS.Stealer.28999
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.Win32.MALREP.THIABBO
McAfee-GW-Edition BehavesLike.Win32.Fareit.jc
Emsisoft Trojan.Delf.FareIt.Gen.7 (B)
SentinelOne Static AI - Suspicious PE
GData Trojan.Delf.FareIt.Gen.7
Jiangmin Trojan.Kryptik.byb
Webroot W32.Trojan.Gen
Avira TR/Injector.cyvtt
MAX malware (ai score=80)
Antiy-AVL Trojan/Win32.Kryptik
Kingsoft Win32.Troj.Undef.(kcloud)
Arcabit Trojan.Delf.FareIt.Gen.7
AhnLab-V3 Suspicious/Win.Delphiless.X2094
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
Microsoft Trojan:Win32/NanoCore.VD!MTB
Cynet Malicious (score: 100)
Acronis suspicious
McAfee Fareit-FVZ!099198D6CFF5
VBA32 TScope.Trojan.Delf
Malwarebytes Spyware.PasswordStealer
Panda Trj/CI.A
Visual analysis
Binary image
No binary image available: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots available: no screenshots were generated while this sample ran

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x46813c VirtualFree
0x468140 VirtualAlloc
0x468144 LocalFree
0x468148 LocalAlloc
0x46814c GetVersion
0x468150 GetCurrentThreadId
0x46815c VirtualQuery
0x468160 WideCharToMultiByte
0x468164 MultiByteToWideChar
0x468168 lstrlenA
0x46816c lstrcpynA
0x468170 LoadLibraryExA
0x468174 GetThreadLocale
0x468178 GetStartupInfoA
0x46817c GetProcAddress
0x468180 GetModuleHandleA
0x468184 GetModuleFileNameA
0x468188 GetLocaleInfoA
0x46818c GetCommandLineA
0x468190 FreeLibrary
0x468194 FindFirstFileA
0x468198 FindClose
0x46819c ExitProcess
0x4681a0 WriteFile
0x4681a8 RtlUnwind
0x4681ac RaiseException
0x4681b0 GetStdHandle
Library user32.dll:
0x4681b8 GetKeyboardType
0x4681bc LoadStringA
0x4681c0 MessageBoxA
0x4681c4 CharNextA
Library advapi32.dll:
0x4681cc RegQueryValueExA
0x4681d0 RegOpenKeyExA
0x4681d4 RegCloseKey
Library oleaut32.dll:
0x4681dc SysFreeString
0x4681e0 SysReAllocStringLen
0x4681e4 SysAllocStringLen
Library kernel32.dll:
0x4681ec TlsSetValue
0x4681f0 TlsGetValue
0x4681f4 LocalAlloc
0x4681f8 GetModuleHandleA
Library advapi32.dll:
0x468200 RegQueryValueExA
0x468204 RegOpenKeyExA
0x468208 RegCloseKey
Library kernel32.dll:
0x468210 lstrcpyA
0x468214 WriteFile
0x468218 WaitForSingleObject
0x46821c VirtualQuery
0x468220 VirtualAlloc
0x468224 Sleep
0x468228 SizeofResource
0x46822c SetThreadLocale
0x468230 SetFilePointer
0x468234 SetEvent
0x468238 SetErrorMode
0x46823c SetEndOfFile
0x468240 ResetEvent
0x468244 ReadFile
0x468248 MulDiv
0x46824c LockResource
0x468250 LoadResource
0x468254 LoadLibraryA
0x468260 GlobalUnlock
0x468264 GlobalReAlloc
0x468268 GlobalHandle
0x46826c GlobalLock
0x468270 GlobalFree
0x468274 GlobalFindAtomA
0x468278 GlobalDeleteAtom
0x46827c GlobalAlloc
0x468280 GlobalAddAtomA
0x468284 GetVersionExA
0x468288 GetVersion
0x46828c GetTickCount
0x468290 GetThreadLocale
0x468294 GetSystemInfo
0x468298 GetStringTypeExA
0x46829c GetStdHandle
0x4682a0 GetProcAddress
0x4682a4 GetModuleHandleA
0x4682a8 GetModuleFileNameA
0x4682ac GetLocaleInfoA
0x4682b0 GetLocalTime
0x4682b4 GetLastError
0x4682b8 GetFullPathNameA
0x4682bc GetDiskFreeSpaceA
0x4682c0 GetDateFormatA
0x4682c4 GetCurrentThreadId
0x4682c8 GetCurrentProcessId
0x4682cc GetCPInfo
0x4682d0 GetACP
0x4682d4 FreeResource
0x4682d8 InterlockedExchange
0x4682dc FreeLibrary
0x4682e0 FormatMessageA
0x4682e4 FindResourceA
0x4682e8 EnumCalendarInfoA
0x4682f4 CreateThread
0x4682f8 CreateFileA
0x4682fc CreateEventA
0x468300 CompareStringA
0x468304 CloseHandle
Library version.dll:
0x46830c VerQueryValueA
0x468314 GetFileVersionInfoA
Library gdi32.dll:
0x46831c UnrealizeObject
0x468320 StretchBlt
0x468324 SetWindowOrgEx
0x468328 SetViewportOrgEx
0x46832c SetTextColor
0x468330 SetStretchBltMode
0x468334 SetROP2
0x468338 SetPixel
0x46833c SetDIBColorTable
0x468340 SetBrushOrgEx
0x468344 SetBkMode
0x468348 SetBkColor
0x46834c SelectPalette
0x468350 SelectObject
0x468354 SaveDC
0x468358 RestoreDC
0x46835c Rectangle
0x468360 RectVisible
0x468364 RealizePalette
0x468368 Polyline
0x46836c PatBlt
0x468370 MoveToEx
0x468374 MaskBlt
0x468378 LineTo
0x46837c IntersectClipRect
0x468380 GetWindowOrgEx
0x468384 GetTextMetricsA
0x468390 GetStockObject
0x468394 GetPixel
0x468398 GetPaletteEntries
0x46839c GetObjectA
0x4683a0 GetDeviceCaps
0x4683a4 GetDIBits
0x4683a8 GetDIBColorTable
0x4683ac GetDCOrgEx
0x4683b4 GetClipBox
0x4683b8 GetBrushOrgEx
0x4683bc GetBitmapBits
0x4683c0 ExcludeClipRect
0x4683c4 DeleteObject
0x4683c8 DeleteDC
0x4683cc CreateSolidBrush
0x4683d0 CreatePenIndirect
0x4683d4 CreatePalette
0x4683dc CreateFontIndirectA
0x4683e0 CreateDIBitmap
0x4683e4 CreateDIBSection
0x4683e8 CreateCompatibleDC
0x4683f0 CreateBrushIndirect
0x4683f4 CreateBitmap
0x4683f8 BitBlt
Library user32.dll:
0x468400 CreateWindowExA
0x468404 WindowFromPoint
0x468408 WinHelpA
0x46840c WaitMessage
0x468410 UpdateWindow
0x468414 UnregisterClassA
0x468418 UnhookWindowsHookEx
0x46841c TranslateMessage
0x468424 TrackPopupMenu
0x46842c ShowWindow
0x468430 ShowScrollBar
0x468434 ShowOwnedPopups
0x468438 ShowCursor
0x46843c SetWindowsHookExA
0x468440 SetWindowTextA
0x468444 SetWindowPos
0x468448 SetWindowPlacement
0x46844c SetWindowLongA
0x468450 SetTimer
0x468454 SetScrollRange
0x468458 SetScrollPos
0x46845c SetScrollInfo
0x468460 SetRect
0x468464 SetPropA
0x468468 SetParent
0x46846c SetMenuItemInfoA
0x468470 SetMenu
0x468474 SetForegroundWindow
0x468478 SetFocus
0x46847c SetCursor
0x468480 SetClassLongA
0x468484 SetCapture
0x468488 SetActiveWindow
0x46848c SendMessageA
0x468490 ScrollWindow
0x468494 ScreenToClient
0x468498 RemovePropA
0x46849c RemoveMenu
0x4684a0 ReleaseDC
0x4684a4 ReleaseCapture
0x4684b0 RegisterClassA
0x4684b4 RedrawWindow
0x4684b8 PtInRect
0x4684bc PostQuitMessage
0x4684c0 PostMessageA
0x4684c4 PeekMessageA
0x4684c8 OffsetRect
0x4684cc OemToCharA
0x4684d0 MessageBoxA
0x4684d4 MessageBeep
0x4684d8 MapWindowPoints
0x4684dc MapVirtualKeyA
0x4684e0 LoadStringA
0x4684e4 LoadKeyboardLayoutA
0x4684e8 LoadIconA
0x4684ec LoadCursorA
0x4684f0 LoadBitmapA
0x4684f4 KillTimer
0x4684f8 IsZoomed
0x4684fc IsWindowVisible
0x468500 IsWindowEnabled
0x468504 IsWindow
0x468508 IsRectEmpty
0x46850c IsIconic
0x468510 IsDialogMessageA
0x468514 IsChild
0x468518 InvalidateRect
0x46851c IntersectRect
0x468520 InsertMenuItemA
0x468524 InsertMenuA
0x468528 InflateRect
0x468530 GetWindowTextA
0x468534 GetWindowRect
0x468538 GetWindowPlacement
0x46853c GetWindowLongA
0x468540 GetWindowDC
0x468544 GetTopWindow
0x468548 GetSystemMetrics
0x46854c GetSystemMenu
0x468550 GetSysColorBrush
0x468554 GetSysColor
0x468558 GetSubMenu
0x46855c GetScrollRange
0x468560 GetScrollPos
0x468564 GetScrollInfo
0x468568 GetPropA
0x46856c GetParent
0x468570 GetWindow
0x468574 GetMenuStringA
0x468578 GetMenuState
0x46857c GetMenuItemInfoA
0x468580 GetMenuItemID
0x468584 GetMenuItemCount
0x468588 GetMenu
0x46858c GetLastActivePopup
0x468590 GetKeyboardState
0x468598 GetKeyboardLayout
0x46859c GetKeyState
0x4685a0 GetKeyNameTextA
0x4685a4 GetIconInfo
0x4685a8 GetForegroundWindow
0x4685ac GetFocus
0x4685b0 GetDlgItem
0x4685b4 GetDesktopWindow
0x4685b8 GetDCEx
0x4685bc GetDC
0x4685c0 GetCursorPos
0x4685c4 GetCursor
0x4685c8 GetClientRect
0x4685cc GetClassNameA
0x4685d0 GetClassInfoA
0x4685d4 GetCapture
0x4685d8 GetActiveWindow
0x4685dc FrameRect
0x4685e0 FindWindowA
0x4685e4 FillRect
0x4685e8 EqualRect
0x4685ec EnumWindows
0x4685f0 EnumThreadWindows
0x4685f4 EndPaint
0x4685f8 EnableWindow
0x4685fc EnableScrollBar
0x468600 EnableMenuItem
0x468604 DrawTextA
0x468608 DrawMenuBar
0x46860c DrawIconEx
0x468610 DrawIcon
0x468614 DrawFrameControl
0x468618 DrawFocusRect
0x46861c DrawEdge
0x468620 DispatchMessageA
0x468624 DestroyWindow
0x468628 DestroyMenu
0x46862c DestroyIcon
0x468630 DestroyCursor
0x468634 DeleteMenu
0x468638 DefWindowProcA
0x46863c DefMDIChildProcA
0x468640 DefFrameProcA
0x468644 CreatePopupMenu
0x468648 CreateMenu
0x46864c CreateIcon
0x468650 ClientToScreen
0x468654 CheckMenuItem
0x468658 CallWindowProcA
0x46865c CallNextHookEx
0x468660 BeginPaint
0x468664 CharNextA
0x468668 CharLowerA
0x46866c CharToOemA
0x468670 AdjustWindowRectEx
Library kernel32.dll:
0x46867c Sleep
Library oleaut32.dll:
0x468684 SafeArrayPtrOfIndex
0x468688 SafeArrayGetUBound
0x46868c SafeArrayGetLBound
0x468690 SafeArrayCreate
0x468694 VariantChangeType
0x468698 VariantCopy
0x46869c VariantClear
0x4686a0 VariantInit
Library comctl32.dll:
0x4686b0 ImageList_Write
0x4686b4 ImageList_Read
0x4686c4 ImageList_DragMove
0x4686c8 ImageList_DragLeave
0x4686cc ImageList_DragEnter
0x4686d0 ImageList_EndDrag
0x4686d4 ImageList_BeginDrag
0x4686d8 ImageList_Remove
0x4686dc ImageList_DrawEx
0x4686e0 ImageList_Replace
0x4686e4 ImageList_Draw
0x4686f4 ImageList_Add
0x4686fc ImageList_Destroy
0x468700 ImageList_Create
0x468704 InitCommonControls
Library comdlg32.dll:
0x46870c GetOpenFileNameA
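Reading the table above as a whole: it is the ordinary Delphi VCL runtime and GUI surface (forms, menus, GDI drawing, image lists, a common-dialog call), and kernel32/advapi32 recur several times because the Delphi linker emits one import descriptor per unit. None of the APIs needed to write into another process (WriteProcessMemory, CreateRemoteThread, VirtualAllocEx, SetThreadContext, NtUnmapViewOfSection) is imported statically, so for the "Injector" verdicts above to be right the sample has to resolve them at run time, and the pair it needs for that, LoadLibraryA/LoadLibraryExA plus GetProcAddress, is present. FindResourceA/LoadResource/LockResource/SizeofResource together with VirtualAlloc and CreateThread are what a loader uses to pull an embedded payload out of the resource section and run it in-process, although the VCL also uses the resource calls for its own form data, so the import list alone does not prove a payload. The following is an added example, not the sandbox's code, that parses this listing in the report's own "Library x:" / "0xIAT name" layout, merges the repeated descriptors and asks exactly those questions; the dump is a constructed subset of the entries shown, and the API groupings are the author's heuristic, not a published standard.

```python
import re
from collections import OrderedDict

# Constructed subset of the import listing above, in the report's own layout.
IMPORT_DUMP = """\
Library kernel32.dll:
0x468140 VirtualAlloc
0x468170 LoadLibraryExA
0x46817c GetProcAddress
Library user32.dll:
0x46843c SetWindowsHookExA
0x468660 BeginPaint
Library kernel32.dll:
0x468228 SizeofResource
0x46824c LockResource
0x468250 LoadResource
0x468254 LoadLibraryA
0x4682e4 FindResourceA
0x4682f4 CreateThread
Library advapi32.dll:
0x4681cc RegQueryValueExA
"""

LIB_LINE = re.compile(r"^Library\s+(\S+):$")
ENTRY_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)$")


def parse_imports(dump: str) -> "OrderedDict[str, OrderedDict[str, int]]":
    """Map dll -> {api -> IAT address}. The same DLL may appear under several
    'Library' headers (one per Delphi unit); they are merged into one entry."""
    libs: "OrderedDict[str, OrderedDict[str, int]]" = OrderedDict()
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = LIB_LINE.match(line)
        if m:
            current = m.group(1).lower()
            libs.setdefault(current, OrderedDict())
            continue
        m = ENTRY_LINE.match(line)
        if m and current is not None:
            libs[current][m.group(2)] = int(m.group(1), 16)
    return libs


# Heuristic API groups (author's assumption): what their presence tells you statically.
REMOTE_INJECTION = {"WriteProcessMemory", "CreateRemoteThread", "VirtualAllocEx",
                    "NtUnmapViewOfSection", "SetThreadContext", "ResumeThread",
                    "QueueUserAPC"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
RESOURCE_PAYLOAD = {"FindResourceA", "LoadResource", "LockResource", "SizeofResource"}


def assess(libs) -> dict:
    """Answer the questions an analyst asks of an import table before unpacking."""
    names = {api for funcs in libs.values() for api in funcs}
    return {
        # Empty here: injection cannot be proven from the static table alone.
        "static_injection_apis": sorted(names & REMOTE_INJECTION),
        # LoadLibrary* + GetProcAddress lets the binary fetch anything at run time.
        "resolves_at_runtime": "GetProcAddress" in names and bool(names & LOADERS),
        # All four resource calls: consistent with (not proof of) an embedded payload.
        "resource_payload_capable": RESOURCE_PAYLOAD <= names,
        # RWX allocation plus a thread: in-process execution of unpacked code.
        "in_process_exec_capable": {"VirtualAlloc", "CreateThread"} <= names,
        "dll_count": len(libs),
    }


if __name__ == "__main__":
    for k, v in assess(parse_imports(IMPORT_DUMP)).items():
        print(f"{k}: {v}")
```

The point of merging descriptors first is that per-unit listings make a single DLL look like several and hide the full capability set; the point of the empty `static_injection_apis` result is that the absence of injection APIs is itself a finding, telling you to break on GetProcAddress (or hook LdrGetProcedureAddress) in the debugger rather than expecting the loader to show its hand statically.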

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source Port  Destination      Destination Port  Service (inferred from port)
192.168.56.101  49235        114.114.114.114  53                DNS
192.168.56.101  50534        114.114.114.114  53                DNS
192.168.56.101  56539        114.114.114.114  53                DNS
192.168.56.101  65004        114.114.114.114  53                DNS
192.168.56.101  137          192.168.56.255   137               NetBIOS name service (broadcast)
192.168.56.101  138          192.168.56.255   138               NetBIOS datagram (broadcast)
192.168.56.101  55368        224.0.0.252      5355              LLMNR (multicast)
192.168.56.101  56804        224.0.0.252      5355              LLMNR (multicast)
192.168.56.101  60123        224.0.0.252      5355              LLMNR (multicast)
192.168.56.101  62191        224.0.0.252      5355              LLMNR (multicast)
192.168.56.101  1900         239.255.255.250  1900              SSDP (multicast)
192.168.56.101  50535        239.255.255.250  3702              WS-Discovery (multicast)
192.168.56.101  56540        239.255.255.250  3702              WS-Discovery (multicast)
192.168.56.101  56807        239.255.255.250  1900              SSDP (multicast)
192.168.56.101  58707        239.255.255.250  3702              WS-Discovery (multicast)

Only the four DNS exchanges with the guest's configured resolver (114.114.114.114, a public DNS service) are candidates for sample activity, and the report does not record which names were queried. With no hosts contacted and no TCP connections, those lookups either failed or were never followed by a connection during the run, so no C2 address can be taken from this capture. Everything else is the Windows guest's own background traffic: NetBIOS broadcasts to 192.168.56.255, LLMNR to 224.0.0.252:5355, SSDP and WS-Discovery to 239.255.255.250. It appears in any Windows VM's capture and should not be attributed to the sample.
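The same triage done mechanically, as an added example that is not part of the sandbox report: split a UDP flow list into guest background chatter (broadcast or multicast destinations on the discovery ports) and flows worth following up, then check whether the DNS candidates were ever followed by a TCP connection. The flow tuples are transcribed from the table above; the guest subnet and the port-to-service map are assumptions for the example.

```python
import ipaddress

# Transcribed from the UDP table above: (src, sport, dst, dport). Constructed subset.
UDP_FLOWS = [
    ("192.168.56.101", 49235, "114.114.114.114", 53),
    ("192.168.56.101", 50534, "114.114.114.114", 53),
    ("192.168.56.101", 137, "192.168.56.255", 137),
    ("192.168.56.101", 138, "192.168.56.255", 138),
    ("192.168.56.101", 55368, "224.0.0.252", 5355),
    ("192.168.56.101", 1900, "239.255.255.250", 1900),
    ("192.168.56.101", 50535, "239.255.255.250", 3702),
]
TCP_FLOWS: list = []  # the report records no TCP connections

GUEST_NET = ipaddress.ip_network("192.168.56.0/24")  # assumption: sandbox guest subnet

# Destination ports of name-resolution / discovery traffic every Windows guest emits.
DISCOVERY_PORTS = {137: "NBNS", 138: "NetBIOS datagram", 5355: "LLMNR",
                   1900: "SSDP", 3702: "WS-Discovery"}


def classify(flow):
    """Return ('background' | 'candidate', service label) for one UDP flow."""
    _src, _sport, dst, dport = flow
    d = ipaddress.ip_address(dst)
    local_noise = d.is_multicast or d == GUEST_NET.broadcast_address
    if local_noise and dport in DISCOVERY_PORTS:
        return "background", DISCOVERY_PORTS[dport]
    if dport == 53:
        return "candidate", "DNS"
    # Unicast UDP to anything else is the interesting case (raw C2, custom protocol).
    return "candidate", f"udp/{dport}"


def triage(udp_flows, tcp_flows):
    """Bucket flows and note the 'DNS but nothing after it' condition, which in a
    sandbox usually means the C2 name did not resolve or the process died first."""
    buckets = {"background": [], "candidate": []}
    for flow in udp_flows:
        kind, label = classify(flow)
        buckets[kind].append((flow, label))
    dns_seen = any(label == "DNS" for _, label in buckets["candidate"])
    buckets["dns_without_followup"] = dns_seen and not tcp_flows
    buckets["resolvers"] = sorted({f[2] for f, label in buckets["candidate"] if label == "DNS"})
    return buckets


if __name__ == "__main__":
    result = triage(UDP_FLOWS, TCP_FLOWS)
    for flow, label in result["candidate"]:
        print("follow up:", flow, label)
    print("background flows:", len(result["background"]))
    print("DNS without follow-up:", result["dns_without_followup"])
```

A unicast UDP flow to a non-discovery port would land in the candidate bucket with its port, which is the case this filter exists to surface; the sample here produced none, so the only lead is the unrecorded DNS query names, which you would recover from the pcap rather than from this summary.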

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files

No dropped files.

Dropped buffers

No dropped buffers.