8.4
High risk

b87a9b02a9b5c530c304b308629f06128051a80021b61ae19b6829aabf984d20

291ad2060f3efd883f4e79ef1074026c.exe

Analysis time

151s

Last analyzed

File size

872.0KB
Static detection Dynamic detection 100% 2GW@A8NCVVOI AI SCORE=80 AIDETECTVM ALI2000015 CLASSIC CONFIDENCE DELF DELFINJECT EMWV EMZL FAREIT FORMBOOK HPSC HQTMLO KCLOUD KRYPTIK KTUZ MALWARE1 MALWARE@#3BVOCWUKJA8RN OLFVQ R002C0DH620 SCORE STATIC AI SUSGEN SUSPICIOUS PE TSCOPE UNSAFE ZELPHIF ZUSY
Hawkeye engine (鹰眼引擎)
Not detected No Hawkeye engine results yet
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee Fareit-FPQ!291AD2060F3E 20201231 6.0.6.653
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Avast Win32:Malware-gen 20201231 21.1.5827.0
Tencent Win32.Trojan.Kryptik.Hpsc 20210101 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft Win32.Troj.Undef.(kcloud) 20210101 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (14 events)
Time & API Arguments Status Return Repeated
1619373866.802
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f34b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f35d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe1e14ad
success 0 0
1619373882.130125
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfc6514ad
success 0 0
1619373883.239375
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfc8414ad
success 0 0
1619373886.614375
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe0914ad
success 0 0
1619373889.786875
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfc6814ad
success 0 0
1619373893.38075
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe1914ad
success 0 0
1619373895.864375
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfca914ad
success 0 0
1619373898.817125
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfc6a14ad
success 0 0
1619373901.364375
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe0914ad
success 0 0
1619373903.75525
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfc7b14ad
success 0 0
1619373913.427875
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfc8a14ad
success 0 0
1619373917.286875
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe0914ad
success 0 0
1619373920.286875
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe1a14ad
success 0 0
1619373926.083125
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7400d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
291ad2060f3efd883f4e79ef1074026c+0x543f8 @ 0x4543f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f84b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f85d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfc8a14ad
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 465 events)
Time & API Arguments Status Return Repeated
1619373865.958625
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d0000
success 0 0
1619373866.005625
NtProtectVirtualMemory
process_identifier: 1632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 61440
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0047f000
success 0 0
1619373866.021625
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00610000
success 0 0
1619373866.239
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619373866.271
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00500000
success 0 0
1619373866.271
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00510000
success 0 0
1619373866.271
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01dd0000
success 0 0
1619373866.271
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 282624
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619373866.739
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f22000
success 0 0
1619373866.739
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f22000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f22000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f22000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f22000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f22000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f22000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f22000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f22000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f22000
success 0 0
1619373866.755
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619373866.30225
NtAllocateVirtualMemory
process_identifier: 1396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00380000
success 0 0
1619373866.31725
NtProtectVirtualMemory
process_identifier: 1396
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 61440
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0047f000
success 0 0
1619373866.31725
NtAllocateVirtualMemory
process_identifier: 1396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003c0000
success 0 0
1619373881.364625
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e0000
success 0 0
1619373881.364625
NtProtectVirtualMemory
process_identifier: 1124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 61440
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0047f000
success 0 0
1619373881.364625
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00520000
success 0 0
1619373882.052125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619373882.052125
NtAllocateVirtualMemory
process_identifier: 1168
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01d90000
success 0 0
1619373882.052125
NtAllocateVirtualMemory
process_identifier: 1168
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01da0000
success 0 0
1619373882.052125
NtAllocateVirtualMemory
process_identifier: 1168
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01de0000
success 0 0
1619373882.052125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 282624
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01de2000
success 0 0
1619373882.130125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00392000
success 0 0
1619373882.130125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619373882.130125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00392000
success 0 0
1619373882.130125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619373882.130125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00392000
success 0 0
1619373882.130125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619373882.130125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00392000
success 0 0
1619373882.130125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619373882.130125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00392000
success 0 0
1619373882.130125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619373882.130125
NtProtectVirtualMemory
process_identifier: 1168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00392000
success 0 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (49 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.499611923137804 section {'size_of_data': '0x0003ec00', 'virtual_address': '0x000a1000', 'entropy': 7.499611923137804, 'name': '.rsrc', 'virtual_size': '0x0003ea24'} description A section with a high entropy has been found
entropy 0.2881745120551091 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process 291ad2060f3efd883f4e79ef1074026c.exe
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (44 events)
Time & API Arguments Status Return Repeated
1619373866.021625
Process32NextW
process_name: conhost.exe
snapshot_handle: 0x0000011c
process_identifier: 2648
failed 0 0
1619373866.31725
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3040
failed 0 0
1619373881.19225
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000340
process_identifier: 2964
failed 0 0
1619373881.364625
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x0000011c
process_identifier: 2308
failed 0 0
1619373882.099375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 176
failed 0 0
1619373882.333375
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x00000128
process_identifier: 1364
failed 0 0
1619373882.505625
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x0000011c
process_identifier: 1344
failed 0 0
1619373883.255
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3092
failed 0 0
1619373885.224
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x00000168
process_identifier: 1856
failed 0 0
1619373885.4425
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3204
failed 0 0
1619373886.64625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3368
failed 0 0
1619373888.17725
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x00000158
process_identifier: 3276
failed 0 0
1619373888.802125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3436
failed 0 0
1619373889.817125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3604
failed 0 0
1619373891.349125
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x00000158
process_identifier: 3512
failed 0 0
1619373891.50525
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3672
failed 0 0
1619373893.364375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3808
failed 0 0
1619373894.567375
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x0000014c
process_identifier: 3744
failed 0 0
1619373895.22425
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x0000011c
process_identifier: 3852
failed 0 0
1619373895.849625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 4048
failed 0 0
1619373896.849625
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x00000144
process_identifier: 3980
failed 0 0
1619373897.0365
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 1208
failed 0 0
1619373898.896375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3360
failed 0 0
1619373900.099375
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x0000014c
process_identifier: 3192
failed 0 0
1619373900.27125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3424
failed 0 0
1619373901.349625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3568
failed 0 0
1619373902.661625
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x00000150
process_identifier: 3544
failed 0 0
1619373902.864375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3764
failed 0 0
1619373903.771875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3964
failed 0 0
1619373912.630875
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x00000264
process_identifier: 3872
failed 0 0
1619373912.83375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3104
failed 0 0
1619373913.4425
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3364
failed 0 0
1619373915.6465
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x00000170
process_identifier: 3196
failed 0 0
1619373915.849
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3504
failed 0 0
1619373917.302125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3904
failed 0 0
1619373918.833125
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x00000158
process_identifier: 3452
failed 0 0
1619373919.0525
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 2144
failed 0 0
1619373920.3025
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3256
failed 0 0
1619373922.1615
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x00000164
process_identifier: 1900
failed 0 0
1619373922.364
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3432
failed 0 0
1619373926.114
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 1708
failed 0 0
1619373927.208
Process32NextW
process_name: 291ad2060f3efd883f4e79ef1074026c.exe
snapshot_handle: 0x00000148
process_identifier: 3308
failed 0 0
1619373927.380625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3748
failed 0 0
1619373932.771875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 3716
failed 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (30 events)
Process injection Process 1632 called NtSetContextThread to modify thread in remote process 2452
Process injection Process 1124 called NtSetContextThread to modify thread in remote process 1168
Process injection Process 1344 called NtSetContextThread to modify thread in remote process 1068
Process injection Process 3148 called NtSetContextThread to modify thread in remote process 3216
Process injection Process 3380 called NtSetContextThread to modify thread in remote process 3448
Process injection Process 3616 called NtSetContextThread to modify thread in remote process 3684
Process injection Process 3852 called NtSetContextThread to modify thread in remote process 3920
Process injection Process 4080 called NtSetContextThread to modify thread in remote process 2116
Process injection Process 3372 called NtSetContextThread to modify thread in remote process 3468
Process injection Process 3660 called NtSetContextThread to modify thread in remote process 3776
Process injection Process 4060 called NtSetContextThread to modify thread in remote process 2484
Process injection Process 3292 called NtSetContextThread to modify thread in remote process 3528
Process injection Process 2652 called NtSetContextThread to modify thread in remote process 2028
Process injection Process 2808 called NtSetContextThread to modify thread in remote process 3508
Process injection Process 2104 called NtSetContextThread to modify thread in remote process 1484
Time & API Arguments Status Return Repeated
1619373866.036625
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2452
success 0 0
1619373881.536625
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1168
success 0 0
1619373882.942625
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1068
success 0 0
1619373885.4585
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3216
success 0 0
1619373888.849125
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3448
success 0 0
1619373891.55225
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3684
success 0 0
1619373895.55225
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3920
success 0 0
1619373897.7085
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2116
success 0 0
1619373900.44225
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3468
success 0 0
1619373903.208375
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3776
success 0 0
1619373913.16175
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2484
success 0 0
1619373916.302
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3528
success 0 0
1619373919.9585
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2028
success 0 0
1619373922.958
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3508
success 0 0
1619373930.099625
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1484
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (30 events)
Process injection Process 1632 resumed a thread in remote process 2452
Process injection Process 1124 resumed a thread in remote process 1168
Process injection Process 1344 resumed a thread in remote process 1068
Process injection Process 3148 resumed a thread in remote process 3216
Process injection Process 3380 resumed a thread in remote process 3448
Process injection Process 3616 resumed a thread in remote process 3684
Process injection Process 3852 resumed a thread in remote process 3920
Process injection Process 4080 resumed a thread in remote process 2116
Process injection Process 3372 resumed a thread in remote process 3468
Process injection Process 3660 resumed a thread in remote process 3776
Process injection Process 4060 resumed a thread in remote process 2484
Process injection Process 3292 resumed a thread in remote process 3528
Process injection Process 2652 resumed a thread in remote process 2028
Process injection Process 2808 resumed a thread in remote process 3508
Process injection Process 2104 resumed a thread in remote process 1484
Time & API Arguments Status Return Repeated
1619373866.083625
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2452
success 0 0
1619373881.896625
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1168
success 0 0
1619373883.052625
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1068
success 0 0
1619373886.4425
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3216
success 0 0
1619373889.614125
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3448
success 0 0
1619373893.16125
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3684
success 0 0
1619373895.67725
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3920
success 0 0
1619373898.6465
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2116
success 0 0
1619373901.17725
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3468
success 0 0
1619373903.599375
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3776
success 0 0
1619373913.23975
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2484
success 0 0
1619373917.114
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3528
success 0 0
1619373920.1305
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2028
success 0 0
1619373925.677
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3508
success 0 0
1619373932.614625
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1484
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 119 events)
Time & API Arguments Status Return Repeated
1619373866.036625
CreateProcessInternalW
thread_identifier: 2864
thread_handle: 0x00000120
process_identifier: 2452
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000124
inherit_handles: 0
success 1 0
1619373866.036625
NtUnmapViewOfSection
process_identifier: 2452
region_size: 4096
process_handle: 0x00000124
base_address: 0x00400000
success 0 0
1619373866.036625
NtMapViewOfSection
section_handle: 0x0000012c
process_identifier: 2452
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000124
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619373866.036625
NtGetContextThread
thread_handle: 0x00000120
success 0 0
1619373866.036625
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2452
success 0 0
1619373866.083625
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2452
success 0 0
1619373866.099625
CreateProcessInternalW
thread_identifier: 2032
thread_handle: 0x00000128
process_identifier: 1396
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe" 2 2452 20534062
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000138
inherit_handles: 0
success 1 0
1619373881.22425
CreateProcessInternalW
thread_identifier: 2604
thread_handle: 0x00000344
process_identifier: 1124
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000348
inherit_handles: 0
success 1 0
1619373881.536625
CreateProcessInternalW
thread_identifier: 2140
thread_handle: 0x00000120
process_identifier: 1168
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000124
inherit_handles: 0
success 1 0
1619373881.536625
NtUnmapViewOfSection
process_identifier: 1168
region_size: 4096
process_handle: 0x00000124
base_address: 0x00400000
success 0 0
1619373881.536625
NtMapViewOfSection
section_handle: 0x0000012c
process_identifier: 1168
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000124
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619373881.536625
NtGetContextThread
thread_handle: 0x00000120
success 0 0
1619373881.536625
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1168
success 0 0
1619373881.896625
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1168
success 0 0
1619373881.927625
CreateProcessInternalW
thread_identifier: 2168
thread_handle: 0x00000128
process_identifier: 1364
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe" 2 1168 20549875
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000138
inherit_handles: 0
success 1 0
1619373882.333375
CreateProcessInternalW
thread_identifier: 1484
thread_handle: 0x0000012c
process_identifier: 1344
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619373882.536625
CreateProcessInternalW
thread_identifier: 2648
thread_handle: 0x00000120
process_identifier: 1068
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000124
inherit_handles: 0
success 1 0
1619373882.536625
NtUnmapViewOfSection
process_identifier: 1068
region_size: 4096
process_handle: 0x00000124
base_address: 0x00400000
success 0 0
1619373882.536625
NtMapViewOfSection
section_handle: 0x0000012c
process_identifier: 1068
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000124
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619373882.942625
NtGetContextThread
thread_handle: 0x00000120
success 0 0
1619373882.942625
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1068
success 0 0
1619373883.052625
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1068
success 0 0
1619373883.083625
CreateProcessInternalW
thread_identifier: 1072
thread_handle: 0x00000128
process_identifier: 1856
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe" 2 1068 20551031
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000138
inherit_handles: 0
success 1 0
1619373885.271
CreateProcessInternalW
thread_identifier: 3152
thread_handle: 0x0000016c
process_identifier: 3148
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000170
inherit_handles: 0
success 1 0
1619373885.4585
CreateProcessInternalW
thread_identifier: 3220
thread_handle: 0x00000120
process_identifier: 3216
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000124
inherit_handles: 0
success 1 0
1619373885.4585
NtUnmapViewOfSection
process_identifier: 3216
region_size: 4096
process_handle: 0x00000124
base_address: 0x00400000
success 0 0
1619373885.4585
NtMapViewOfSection
section_handle: 0x0000012c
process_identifier: 3216
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000124
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619373885.4585
NtGetContextThread
thread_handle: 0x00000120
success 0 0
1619373885.4585
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3216
success 0 0
1619373886.4425
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3216
success 0 0
1619373886.4745
CreateProcessInternalW
thread_identifier: 3280
thread_handle: 0x00000128
process_identifier: 3276
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe" 2 3216 20554421
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000138
inherit_handles: 0
success 1 0
1619373888.64625
CreateProcessInternalW
thread_identifier: 3384
thread_handle: 0x0000015c
process_identifier: 3380
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000160
inherit_handles: 0
success 1 0
1619373888.833125
CreateProcessInternalW
thread_identifier: 3452
thread_handle: 0x00000120
process_identifier: 3448
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000124
inherit_handles: 0
success 1 0
1619373888.833125
NtUnmapViewOfSection
process_identifier: 3448
region_size: 4096
process_handle: 0x00000124
base_address: 0x00400000
success 0 0
1619373888.833125
NtMapViewOfSection
section_handle: 0x0000012c
process_identifier: 3448
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000124
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619373888.849125
NtGetContextThread
thread_handle: 0x00000120
success 0 0
1619373888.849125
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3448
success 0 0
1619373889.614125
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3448
success 0 0
1619373889.646125
CreateProcessInternalW
thread_identifier: 3516
thread_handle: 0x00000128
process_identifier: 3512
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe" 2 3448 20557593
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000138
inherit_handles: 0
success 1 0
1619373891.349125
CreateProcessInternalW
thread_identifier: 3620
thread_handle: 0x0000015c
process_identifier: 3616
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000160
inherit_handles: 0
success 1 0
1619373891.53625
CreateProcessInternalW
thread_identifier: 3688
thread_handle: 0x00000120
process_identifier: 3684
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000124
inherit_handles: 0
success 1 0
1619373891.53625
NtUnmapViewOfSection
process_identifier: 3684
region_size: 4096
process_handle: 0x00000124
base_address: 0x00400000
success 0 0
1619373891.53625
NtMapViewOfSection
section_handle: 0x0000012c
process_identifier: 3684
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000124
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619373891.55225
NtGetContextThread
thread_handle: 0x00000120
success 0 0
1619373891.55225
NtSetContextThread
thread_handle: 0x00000120
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3684
success 0 0
1619373893.16125
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3684
success 0 0
1619373893.19225
CreateProcessInternalW
thread_identifier: 3748
thread_handle: 0x00000128
process_identifier: 3744
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe" 2 3684 20561140
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000138
inherit_handles: 0
success 1 0
1619373894.599375
CreateProcessInternalW
thread_identifier: 3856
thread_handle: 0x00000150
process_identifier: 3852
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000154
inherit_handles: 0
success 1 0
1619373895.23925
CreateProcessInternalW
thread_identifier: 3924
thread_handle: 0x00000120
process_identifier: 3920
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\291ad2060f3efd883f4e79ef1074026c.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000124
inherit_handles: 0
success 1 0
1619373895.23925
NtUnmapViewOfSection
process_identifier: 3920
region_size: 4096
process_handle: 0x00000124
base_address: 0x00400000
success 0 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)
Bkav W32.AIDetectVM.malware1
DrWeb Trojan.PWS.Stealer.29054
MicroWorld-eScan Gen:Variant.Zusy.310751
FireEye Generic.mg.291ad2060f3efd88
McAfee Fareit-FPQ!291AD2060F3E
Cylance Unsafe
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Riskware ( 0040eff71 )
Cybereason malicious.60f3ef
Arcabit Trojan.Zusy.D4BDDF
BitDefenderTheta Gen:NN.ZelphiF.34700.2GW@a8NCVvoi
Cyren W32/Trojan.KTUZ-6205
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win32/Injector.EMWV
APEX Malicious
Avast Win32:Malware-gen
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Gen:Variant.Zusy.310751
NANO-Antivirus Trojan.Win32.Kryptik.hqtmlo
Paloalto generic.ml
Tencent Win32.Trojan.Kryptik.Hpsc
Ad-Aware Gen:Variant.Zusy.310751
Emsisoft Gen:Variant.Zusy.310751 (B)
Comodo Malware@#3bvocwukja8rn
F-Secure Trojan.TR/Injector.olfvq
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0DH620
McAfee-GW-Edition BehavesLike.Win32.Fareit.cc
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Kryptik.cat
MaxSecure Trojan.Malware.300983.susgen
Avira TR/Injector.olfvq
Antiy-AVL Trojan/Win32.Generic
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Agent.oa
Microsoft Trojan:Win32/FormBook.GD!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Gen:Variant.Zusy.310751
Cynet Malicious (score: 100)
VBA32 TScope.Trojan.Delf
ALYac Gen:Variant.Zusy.310751
MAX malware (ai score=80)
Malwarebytes Trojan.MalPack.DLF
TrendMicro-HouseCall TROJ_GEN.R002C0DH620
Rising Trojan.Injector!1.C99D (CLASSIC)
Ikarus Trojan.Inject
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
Visual analysis
Binary image
No binary image: the sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample was running

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x4921a0 VirtualFree
0x4921a4 VirtualAlloc
0x4921a8 LocalFree
0x4921ac LocalAlloc
0x4921b0 GetVersion
0x4921b4 GetCurrentThreadId
0x4921c0 VirtualQuery
0x4921c4 WideCharToMultiByte
0x4921cc MultiByteToWideChar
0x4921d0 lstrlenA
0x4921d4 lstrcpynA
0x4921d8 LoadLibraryExA
0x4921dc GetThreadLocale
0x4921e0 GetStartupInfoA
0x4921e4 GetProcAddress
0x4921e8 GetModuleHandleA
0x4921ec GetModuleFileNameA
0x4921f0 GetLocaleInfoA
0x4921f4 GetLastError
0x4921fc GetCommandLineA
0x492200 FreeLibrary
0x492204 FindFirstFileA
0x492208 FindClose
0x49220c ExitProcess
0x492210 WriteFile
0x492218 RtlUnwind
0x49221c RaiseException
0x492220 GetStdHandle
Library user32.dll:
0x492228 GetKeyboardType
0x49222c LoadStringA
0x492230 MessageBoxA
0x492234 CharNextA
Library advapi32.dll:
0x49223c RegQueryValueExA
0x492240 RegOpenKeyExA
0x492244 RegCloseKey
Library oleaut32.dll:
0x49224c SysFreeString
0x492250 SysReAllocStringLen
0x492254 SysAllocStringLen
Library kernel32.dll:
0x49225c TlsSetValue
0x492260 TlsGetValue
0x492264 LocalAlloc
0x492268 GetModuleHandleA
Library advapi32.dll:
0x492270 RegQueryValueExA
0x492274 RegOpenKeyExA
0x492278 RegCloseKey
Library kernel32.dll:
0x492280 lstrcpyA
0x492284 WriteFile
0x492288 WinExec
0x49228c WaitForSingleObject
0x492290 VirtualQuery
0x492294 VirtualProtect
0x492298 VirtualAlloc
0x49229c Sleep
0x4922a0 SizeofResource
0x4922a4 SetThreadLocale
0x4922a8 SetFilePointer
0x4922ac SetEvent
0x4922b0 SetErrorMode
0x4922b4 SetEndOfFile
0x4922b8 ResetEvent
0x4922bc ReadFile
0x4922c0 MultiByteToWideChar
0x4922c4 MulDiv
0x4922c8 LockResource
0x4922cc LoadResource
0x4922d0 LoadLibraryA
0x4922dc GlobalUnlock
0x4922e0 GlobalSize
0x4922e4 GlobalReAlloc
0x4922e8 GlobalHandle
0x4922ec GlobalLock
0x4922f0 GlobalFree
0x4922f4 GlobalFindAtomA
0x4922f8 GlobalDeleteAtom
0x4922fc GlobalAlloc
0x492300 GlobalAddAtomA
0x492308 GetVersionExA
0x49230c GetVersion
0x492310 GetUserDefaultLCID
0x492314 GetTickCount
0x492318 GetThreadLocale
0x492320 GetSystemInfo
0x492324 GetStringTypeExA
0x492328 GetStdHandle
0x49232c GetProcAddress
0x492330 GetModuleHandleA
0x492334 GetModuleFileNameA
0x492338 GetLogicalDrives
0x49233c GetLocaleInfoA
0x492340 GetLocalTime
0x492344 GetLastError
0x492348 GetFullPathNameA
0x49234c GetFileAttributesA
0x492350 GetDriveTypeA
0x492354 GetDiskFreeSpaceA
0x492358 GetDateFormatA
0x49235c GetCurrentThreadId
0x492360 GetCurrentProcessId
0x492364 GetComputerNameA
0x492368 GetCPInfo
0x49236c GetACP
0x492370 FreeResource
0x492374 InterlockedExchange
0x492378 FreeLibrary
0x49237c FormatMessageA
0x492380 FindResourceA
0x492384 FindNextFileA
0x492388 FindFirstFileA
0x49238c FindClose
0x49239c EnumCalendarInfoA
0x4923a8 CreateThread
0x4923ac CreateFileA
0x4923b0 CreateEventA
0x4923b4 CompareStringA
0x4923b8 CloseHandle
Library mpr.dll:
0x4923c0 WNetGetConnectionA
Library version.dll:
0x4923c8 VerQueryValueA
0x4923d0 GetFileVersionInfoA
Library gdi32.dll:
0x4923d8 UnrealizeObject
0x4923dc StretchBlt
0x4923e0 SetWindowOrgEx
0x4923e4 SetWinMetaFileBits
0x4923e8 SetViewportOrgEx
0x4923ec SetTextColor
0x4923f0 SetStretchBltMode
0x4923f4 SetROP2
0x4923f8 SetPixel
0x4923fc SetMapMode
0x492400 SetEnhMetaFileBits
0x492404 SetDIBColorTable
0x492408 SetBrushOrgEx
0x49240c SetBkMode
0x492410 SetBkColor
0x492414 SelectPalette
0x492418 SelectObject
0x49241c SelectClipRgn
0x492420 SaveDC
0x492424 RestoreDC
0x492428 Rectangle
0x49242c RectVisible
0x492430 RealizePalette
0x492434 Polyline
0x492438 PlayEnhMetaFile
0x49243c PatBlt
0x492440 MoveToEx
0x492444 MaskBlt
0x492448 LineTo
0x49244c LPtoDP
0x492450 IntersectClipRect
0x492454 GetWindowOrgEx
0x492458 GetWinMetaFileBits
0x49245c GetTextMetricsA
0x492468 GetStockObject
0x49246c GetPixel
0x492470 GetPaletteEntries
0x492474 GetObjectA
0x492484 GetEnhMetaFileBits
0x492488 GetDeviceCaps
0x49248c GetDIBits
0x492490 GetDIBColorTable
0x492494 GetDCOrgEx
0x49249c GetClipBox
0x4924a0 GetBrushOrgEx
0x4924a4 GetBitmapBits
0x4924a8 ExtTextOutA
0x4924ac ExcludeClipRect
0x4924b0 DeleteObject
0x4924b4 DeleteEnhMetaFile
0x4924b8 DeleteDC
0x4924bc CreateSolidBrush
0x4924c0 CreatePenIndirect
0x4924c4 CreatePen
0x4924c8 CreatePalette
0x4924d0 CreateFontIndirectA
0x4924d4 CreateEnhMetaFileA
0x4924d8 CreateDIBitmap
0x4924dc CreateDIBSection
0x4924e0 CreateCompatibleDC
0x4924e8 CreateBrushIndirect
0x4924ec CreateBitmap
0x4924f0 CopyEnhMetaFileA
0x4924f4 CloseEnhMetaFile
0x4924f8 BitBlt
Library opengl32.dll:
0x492500 wglCreateContext
Library user32.dll:
0x492508 CreateWindowExA
0x49250c WindowFromPoint
0x492510 WinHelpA
0x492514 WaitMessage
0x492518 ValidateRect
0x49251c UpdateWindow
0x492520 UnregisterClassA
0x492524 UnhookWindowsHookEx
0x492528 TranslateMessage
0x492530 TrackPopupMenu
0x492538 ShowWindow
0x49253c ShowScrollBar
0x492540 ShowOwnedPopups
0x492544 ShowCursor
0x492548 SetWindowsHookExA
0x49254c SetWindowTextA
0x492550 SetWindowPos
0x492554 SetWindowPlacement
0x492558 SetWindowLongA
0x49255c SetTimer
0x492560 SetScrollRange
0x492564 SetScrollPos
0x492568 SetScrollInfo
0x49256c SetRect
0x492570 SetPropA
0x492574 SetParent
0x492578 SetMenuItemInfoA
0x49257c SetMenu
0x492580 SetForegroundWindow
0x492584 SetFocus
0x492588 SetCursor
0x49258c SetClassLongA
0x492590 SetCapture
0x492594 SetActiveWindow
0x492598 SendMessageA
0x49259c ScrollWindow
0x4925a0 ScreenToClient
0x4925a4 RemovePropA
0x4925a8 RemoveMenu
0x4925ac ReleaseDC
0x4925b0 ReleaseCapture
0x4925bc RegisterClassA
0x4925c0 RedrawWindow
0x4925c4 PtInRect
0x4925c8 PostQuitMessage
0x4925cc PostMessageA
0x4925d0 PeekMessageA
0x4925d4 OffsetRect
0x4925d8 OemToCharA
0x4925dc MessageBoxA
0x4925e0 MessageBeep
0x4925e4 MapWindowPoints
0x4925e8 MapVirtualKeyA
0x4925ec LoadStringA
0x4925f0 LoadKeyboardLayoutA
0x4925f4 LoadIconA
0x4925f8 LoadCursorA
0x4925fc LoadBitmapA
0x492600 KillTimer
0x492604 IsZoomed
0x492608 IsWindowVisible
0x49260c IsWindowEnabled
0x492610 IsWindow
0x492614 IsRectEmpty
0x492618 IsIconic
0x49261c IsDialogMessageA
0x492620 IsChild
0x492624 InvalidateRect
0x492628 IntersectRect
0x49262c InsertMenuItemA
0x492630 InsertMenuA
0x492634 InflateRect
0x49263c GetWindowTextA
0x492640 GetWindowRect
0x492644 GetWindowPlacement
0x492648 GetWindowLongA
0x49264c GetWindowDC
0x492650 GetTopWindow
0x492654 GetSystemMetrics
0x492658 GetSystemMenu
0x49265c GetSysColorBrush
0x492660 GetSysColor
0x492664 GetSubMenu
0x492668 GetScrollRange
0x49266c GetScrollPos
0x492670 GetScrollInfo
0x492674 GetPropA
0x492678 GetParent
0x49267c GetWindow
0x492680 GetMessageTime
0x492684 GetMenuStringA
0x492688 GetMenuState
0x49268c GetMenuItemInfoA
0x492690 GetMenuItemID
0x492694 GetMenuItemCount
0x492698 GetMenu
0x49269c GetLastActivePopup
0x4926a0 GetKeyboardState
0x4926a8 GetKeyboardLayout
0x4926ac GetKeyState
0x4926b0 GetKeyNameTextA
0x4926b4 GetIconInfo
0x4926b8 GetForegroundWindow
0x4926bc GetFocus
0x4926c0 GetDlgItem
0x4926c4 GetDesktopWindow
0x4926c8 GetDCEx
0x4926cc GetDC
0x4926d0 GetCursorPos
0x4926d4 GetCursor
0x4926d8 GetClipboardData
0x4926dc GetClientRect
0x4926e0 GetClassNameA
0x4926e4 GetClassInfoA
0x4926e8 GetCapture
0x4926ec GetActiveWindow
0x4926f0 FrameRect
0x4926f4 FindWindowA
0x4926f8 FillRect
0x4926fc EqualRect
0x492700 EnumWindows
0x492704 EnumThreadWindows
0x492708 EndPaint
0x49270c EnableWindow
0x492710 EnableScrollBar
0x492714 EnableMenuItem
0x492718 DrawTextA
0x49271c DrawMenuBar
0x492720 DrawIconEx
0x492724 DrawIcon
0x492728 DrawFrameControl
0x49272c DrawFocusRect
0x492730 DrawEdge
0x492734 DispatchMessageA
0x492738 DestroyWindow
0x49273c DestroyMenu
0x492740 DestroyIcon
0x492744 DestroyCursor
0x492748 DeleteMenu
0x49274c DefWindowProcA
0x492750 DefMDIChildProcA
0x492754 DefFrameProcA
0x492758 CreatePopupMenu
0x49275c CreateMenu
0x492760 CreateIcon
0x492764 ClientToScreen
0x492768 CheckMenuItem
0x49276c CallWindowProcA
0x492770 CallNextHookEx
0x492774 BeginPaint
0x492778 CharNextA
0x49277c CharLowerBuffA
0x492780 CharLowerA
0x492784 CharUpperBuffA
0x492788 CharToOemA
0x49278c AdjustWindowRectEx
Library kernel32.dll:
0x492798 Sleep
Library oleaut32.dll:
0x4927a0 SafeArrayPtrOfIndex
0x4927a4 SafeArrayPutElement
0x4927a8 SafeArrayGetElement
0x4927b0 SafeArrayAccessData
0x4927b4 SafeArrayGetUBound
0x4927b8 SafeArrayGetLBound
0x4927bc SafeArrayCreate
0x4927c0 VariantChangeType
0x4927c4 VariantCopyInd
0x4927c8 VariantCopy
0x4927cc VariantClear
0x4927d0 VariantInit
Library ole32.dll:
0x4927dc IsAccelerator
0x4927e0 OleDraw
0x4927e8 CoTaskMemFree
0x4927ec ProgIDFromCLSID
0x4927f0 StringFromCLSID
0x4927f4 CoCreateInstance
0x4927f8 CoGetClassObject
0x4927fc CoUninitialize
0x492800 CoInitialize
0x492804 IsEqualGUID
Library oleaut32.dll:
0x49280c GetErrorInfo
0x492810 GetActiveObject
0x492814 SysFreeString
Library comctl32.dll:
0x492824 ImageList_Write
0x492828 ImageList_Read
0x492838 ImageList_DragMove
0x49283c ImageList_DragLeave
0x492840 ImageList_DragEnter
0x492844 ImageList_EndDrag
0x492848 ImageList_BeginDrag
0x49284c ImageList_Remove
0x492850 ImageList_DrawEx
0x492854 ImageList_Replace
0x492858 ImageList_Draw
0x492868 ImageList_Add
0x492870 ImageList_Destroy
0x492874 ImageList_Create
0x492878 InitCommonControls
Library comdlg32.dll:
0x492880 GetOpenFileNameA
Library user32.dll:
0x492888 DdeCmpStringHandles
0x49288c DdeFreeStringHandle
0x492890 DdeQueryStringA
0x492898 DdeGetLastError
0x49289c DdeFreeDataHandle
0x4928a0 DdeUnaccessData
0x4928a4 DdeAccessData
0x4928a8 DdeCreateDataHandle
0x4928b0 DdeNameService
0x4928b4 DdePostAdvise
0x4928b8 DdeSetUserHandle
0x4928bc DdeQueryConvInfo
0x4928c0 DdeDisconnect
0x4928c4 DdeConnect
0x4928c8 DdeUninitialize
0x4928cc DdeInitializeA
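
The import table above is the raw output of the sandbox's PE parser: one line per IAT slot it could resolve to a name, grouped by import descriptor. Two things a reviewer wants from it are a capability-oriented view of the API names and a check for slots the listing skips (0x492634 to 0x49263c, 0x4926a0 to 0x4926a8, 0x4927a8 to 0x4927b0 and several others step by 8 bytes instead of 4, so one entry between them is not shown; the cause is not recoverable from the report alone and has to be checked against the binary's IAT). The script below is an added example and not part of the report: it parses three contiguous runs copied from the table (the "Library user32.dll:" header is repeated in front of each user32 run because the page prints it only once, far above these lines), and the capability map is a hypothetical triage table, not anything the sandbox produces. The caveat in the code matters: this is a Delphi binary, and the VCL runtime imports most of user32 regardless of what the program does, so a keyboard-state or clipboard hit is a prompt to look at the call sites, not evidence of keylogging.

```python
import re
from collections import defaultdict

# Constructed input: three contiguous runs copied from the report's import table.
# The "Library user32.dll:" header is repeated before each user32 run because on
# the page it appears only once, far above these lines.
REPORT_EXCERPT = """\
Library user32.dll:
0x4926a0 GetKeyboardState
0x4926a8 GetKeyboardLayout
0x4926ac GetKeyState
0x4926b0 GetKeyNameTextA
0x4926b4 GetIconInfo
0x4926b8 GetForegroundWindow
0x4926bc GetFocus
0x4926c0 GetDlgItem
0x4926c4 GetDesktopWindow
0x4926c8 GetDCEx
0x4926cc GetDC
0x4926d0 GetCursorPos
0x4926d4 GetCursor
0x4926d8 GetClipboardData
Library kernel32.dll:
0x492798 Sleep
Library user32.dll:
0x4928a8 DdeCreateDataHandle
0x4928b0 DdeNameService
0x4928b4 DdePostAdvise
0x4928b8 DdeSetUserHandle
0x4928bc DdeQueryConvInfo
0x4928c0 DdeDisconnect
0x4928c4 DdeConnect
0x4928c8 DdeUninitialize
0x4928cc DdeInitializeA
"""

LIB_RE = re.compile(r"^Library\s+(\S+):\s*$")
ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s*$")

# Hypothetical capability map for triage (not produced by the sandbox).
# Caveat: the report identifies a Delphi binary (BobSoft Mini Delphi packer) and
# the VCL runtime imports most of user32 whatever the program does, so a hit
# here is a reason to inspect the call sites, not evidence of the behaviour.
CAPABILITY_HINTS = {
    "GetKeyboardState": "keyboard state read",
    "GetKeyState": "keyboard state read",
    "GetForegroundWindow": "active window tracking",
    "GetClipboardData": "clipboard read",
    "Sleep": "delay",
    "DdeInitializeA": "DDE messaging",
    "DdeConnect": "DDE messaging",
    "DdeNameService": "DDE messaging",
}


def parse_imports(text):
    """Return [(library, iat_address, api_name)] in report order."""
    entries, lib = [], None
    for line in text.splitlines():
        m = LIB_RE.match(line)
        if m:
            lib = m.group(1).lower()
            continue
        m = ENTRY_RE.match(line)
        if m and lib is not None:
            entries.append((lib, int(m.group(1), 16), m.group(2)))
    return entries


def find_gaps(entries, ptr_size=4):
    """IAT slots the report does not name, as (library, first_slot, count).

    Only consecutive entries of the same library are compared, so the jump
    between two libraries (which also spans the IAT's NULL terminator) is
    ignored. Assumption: 32-bit PE, so one IAT slot is 4 bytes wide."""
    gaps = []
    for (lib_a, addr_a, _), (lib_b, addr_b, _) in zip(entries, entries[1:]):
        if lib_a != lib_b:
            continue
        missing = (addr_b - addr_a) // ptr_size - 1
        if missing > 0:
            gaps.append((lib_a, addr_a + ptr_size, missing))
    return gaps


def tag_capabilities(entries):
    """Group imports by the capability hint they suggest (see caveat above)."""
    tags = defaultdict(list)
    for lib, _, api in entries:
        hint = CAPABILITY_HINTS.get(api)
        if hint:
            tags[hint].append(f"{lib}!{api}")
    return dict(tags)


if __name__ == "__main__":
    imports = parse_imports(REPORT_EXCERPT)
    for hint, apis in sorted(tag_capabilities(imports).items()):
        print(f"{hint}: {', '.join(apis)}")
    for lib, slot, n in find_gaps(imports):
        print(f"{lib}: {n} unnamed IAT slot(s) starting at {slot:#x}")
```

On the excerpt, find_gaps reports one unnamed slot at 0x4926a4 and one at 0x4928ac; run over the whole table it gives the list of addresses to compare against the IAT in a disassembler before trusting the import list as complete.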

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source Port  Destination                      Destination Port
192.168.56.101  49235        114.114.114.114                  53
192.168.56.101  60123        114.114.114.114                  53
192.168.56.101  60215        114.114.114.114                  53
192.168.56.101  60384        114.114.114.114                  53
192.168.56.101  62912        114.114.114.114                  53
192.168.56.101  63429        114.114.114.114                  53
192.168.56.101  137          192.168.56.255                   137
192.168.56.101  138          192.168.56.255                   138
192.168.56.101  123          20.189.79.72 (time.windows.com)  123
192.168.56.101  49713        224.0.0.252                      5355
192.168.56.101  50534        224.0.0.252                      5355
192.168.56.101  51378        224.0.0.252                      5355
192.168.56.101  51808        224.0.0.252                      5355
192.168.56.101  53237        224.0.0.252                      5355
192.168.56.101  55368        224.0.0.252                      5355
192.168.56.101  56539        224.0.0.252                      5355
192.168.56.101  56804        224.0.0.252                      5355
192.168.56.101  61680        224.0.0.252                      5355
192.168.56.101  62318        224.0.0.252                      5355
192.168.56.101  1900         239.255.255.250                  1900

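Read together with the Hosts and TCP sections, the UDP table says the sample established no connections during the run. Everything in it except the six DNS queries to 114.114.114.114 (a public resolver, presumably the guest's configured DNS server) is traffic a Windows guest generates on its own: NetBIOS name and datagram broadcasts to 192.168.56.255, LLMNR to 224.0.0.252:5355, SSDP to 239.255.255.250:1900 and NTP to time.windows.com. The report does not record the queried names or answers, so whether the DNS lookups were the sample's and whether they failed can only be settled from the pcap; Windows falls back to LLMNR and NetBIOS for names DNS does not resolve, so a burst of LLMNR queries after DNS lookups is at least consistent with failed lookups. The script below is an added example, not part of the report, that applies that split to a constructed subset of the rows; the /24 guest network used for the broadcast check is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed input: a subset of the report's UDP rows, one per line as
# "src sport dst [hostname] dport". The hostname is the optional extra column
# the report shows on the NTP row.
UDP_ROWS = """\
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
"""

# Assumption: the sandbox guest sits in 192.168.56.0/24 (the VirtualBox
# host-only default), so 192.168.56.255 is its directed broadcast address.
GUEST_NET = ip_network("192.168.56.0/24")


def parse_udp_rows(text):
    """Parse the report's UDP rows into dicts; tolerates the optional hostname."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        rows.append({
            "src": parts[0], "sport": int(parts[1]),
            "dst": parts[2], "dport": int(parts[-1]),
            "host": parts[3] if len(parts) == 5 else None,
        })
    return rows


def classify(row):
    """Return (protocol, disposition).

    'background' rows are Windows name resolution, discovery and time sync
    that a guest emits on its own; 'review' rows are the only ones that could
    be attributable to the sample and need the pcap to decide."""
    dst, dport = ip_address(row["dst"]), row["dport"]
    if dst == ip_address("224.0.0.252") and dport == 5355:
        return "LLMNR", "background"
    if dst == ip_address("239.255.255.250") and dport == 1900:
        return "SSDP", "background"
    if dst == GUEST_NET.broadcast_address and dport in (137, 138):
        return "NetBIOS", "background"
    if dport == 123:
        return "NTP", "background"
    if dport == 53:
        return "DNS", "review"
    return "other", "review"


def summarize(rows):
    """Count rows per protocol and collect the ones worth opening the pcap for."""
    counts, review = {}, []
    for row in rows:
        proto, disposition = classify(row)
        counts[proto] = counts.get(proto, 0) + 1
        if disposition == "review":
            review.append(row)
    return counts, review


if __name__ == "__main__":
    counts, review = summarize(parse_udp_rows(UDP_ROWS))
    print(counts)
    for row in review:
        print(f"review: {row['src']}:{row['sport']} -> {row['dst']}:{row['dport']}")
```

Anything that lands in the "other" bucket (a UDP flow to a unicast address on a non-infrastructure port) would be the first thing to pull from the pcap; on this report nothing does, which is why the DNS rows are the only open question.
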
HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped Files

No dropped files.

Dropped Buffers

No dropped buffers.