SmartHawk

4.3

中危

56 个模型检测该样本为恶意！

重新分析

下载样本

033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26

033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe

分析耗时

73s

最近分析

393天前

文件大小

773.1KB

静态报毒动态报毒 CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN DOWNLOADER UNRUY

DACN 0.15

FACILE 1.00

IMCLNet 0.69

MFGraph 0.00

引擎	描述	特征	威胁分数	可能家族	检测耗时
DACN	基于动态分析和胶囊网络的可视化恶意软件检测	API调用、DLL以及注册表的修改情况	0.15	Unknown	0.06s
FACILE	利用改进的层次胶囊网络对二进制恶意软件图像进行识别分类	二进制图像映射为的灰度图像	1.00	Unknown	0.03s
IMCLNet	轻量化深度卷积网络模型实现恶意软件家族检测	原始二进制映射而成的可视化图像	0.69	Unknown	0.18s
MFGraph	利用静态特征构建图网络以检测恶意软件	原始二进制PE文件的静态特征节点	0.00	Unknown	0.00s

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	None	20190527	0.3.0.5
Avast	Win32:Unruy-AA [Trj]	20190830	18.4.3895.0
Baidu	Win32.Trojan-Clicker.Cycler.a	20190318	1.0.0.2
CrowdStrike	win/malicious_confidence_100% (D)	20190702	1.0
Kingsoft	None	20190830	2013.8.14.323
McAfee	Downloader-BPA.j.b	20190830	6.0.6.653
Tencent	None	20190830	1.0.0.1

查询计算机名称 (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545313.25 GetComputerNameA	computer_name: TU-PC	success	1	0

可执行文件包含未知的 PE 段名称，可能指示打包器（可能是误报） (1 个事件)

section

.imports

一个或多个进程崩溃 (12 个事件)

Time & API	Arguments	Status
1727545289.046 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 2948 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 5188945 registers.edi: 0 stacktrace: abcgh+0x47 @ 0x10001b25 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x1428 @ 0x401428 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x17d2 @ 0x4017d2 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545289.046 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5188945 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x1428 @ 0x401428 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x17d2 @ 0x4017d2 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545290.281 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 2060 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 5582385 registers.edi: 0 stacktrace: abcgh+0x47 @ 0x10001b25 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x1428 @ 0x401428 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x17d2 @ 0x4017d2 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545290.281 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5582385 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x1428 @ 0x401428 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x17d2 @ 0x4017d2 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545312.6095 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 2404 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 3026041 registers.edi: 0 stacktrace: abcgh+0x47 @ 0x10001b25 acrotray+0x1428 @ 0x401428 acrotray+0x17d2 @ 0x4017d2 acrotray+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545312.6095 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 3026041 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 acrotray+0x1428 @ 0x401428 acrotray+0x17d2 @ 0x4017d2 acrotray+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.125 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 2124 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 4795601 registers.edi: 0 stacktrace: abcgh+0x47 @ 0x10001b25 acrotray+0x1428 @ 0x401428 acrotray+0x17d2 @ 0x4017d2 acrotray+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.125 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 4795601 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 acrotray+0x1428 @ 0x401428 acrotray+0x17d2 @ 0x4017d2 acrotray+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.203125 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 2368 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 5582033 registers.edi: 0 stacktrace: abcgh+0x47 @ 0x10001b25 acrotray +0x1428 @ 0x401428 acrotray +0x17d2 @ 0x4017d2 acrotray +0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.203125 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5582033 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 acrotray +0x1428 @ 0x401428 acrotray +0x17d2 @ 0x4017d2 acrotray +0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.687625 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 696 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 4926761 registers.edi: 0 stacktrace: abcgh+0x47 @ 0x10001b25 acrotray +0x1428 @ 0x401428 acrotray +0x17d2 @ 0x4017d2 acrotray +0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.687625 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 4926761 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 acrotray +0x1428 @ 0x401428 acrotray +0x17d2 @ 0x4017d2 acrotray +0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success

一个进程试图延迟分析任务。 (1 个事件)

description

033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe 试图睡眠 147.0 秒，实际延迟分析时间 147.0 秒

在文件系统上创建可执行文件 (4 个事件)

file	c:\program files (x86)\360\360drvmgr\360drvmgr.exe
file	c:\program files (x86)\360\360tptmon\360tptmon.exe
file	C:\Program Files (x86)\Adobe\acrotray.exe
file	C:\Program Files (x86)\Adobe\acrotray .exe

投放一个二进制文件并执行它 (2 个事件)

file	C:\Program Files (x86)\Adobe\acrotray.exe
file	C:\Program Files (x86)\Adobe\acrotray .exe

一个进程创建了一个隐藏窗口 (7 个事件)

Time & API	Arguments	Status	Return
1727545290.062 ShellExecuteExW	filepath: C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe filepath_r: C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe parameters: C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe" show_type: 0	success	1
1727545290.078 ShellExecuteExW	filepath: C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26 .exe filepath_r: C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26 .exe parameters: C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe" show_type: 0	failed	0
1727545312.359 ShellExecuteExW	filepath: C:\Program Files (x86)\Adobe\acrotray.exe filepath_r: C:\Program Files (x86)\Adobe\acrotray.exe parameters: C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe" show_type: 0	success	1
1727545312.9215 ShellExecuteExW	filepath: C:\Program Files (x86)\Adobe\acrotray.exe filepath_r: C:\Program Files (x86)\Adobe\acrotray.exe parameters: C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe" show_type: 0	success	1
1727545313.0005 ShellExecuteExW	filepath: C:\Program Files (x86)\Adobe\acrotray .exe filepath_r: C:\Program Files (x86)\Adobe\acrotray .exe parameters: C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe" show_type: 0	success	1
1727545313.453125 ShellExecuteExW	filepath: C:\Program Files (x86)\Adobe\acrotray .exe filepath_r: C:\Program Files (x86)\Adobe\acrotray .exe parameters: C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe" show_type: 0	success	1
1727545313.453125 ShellExecuteExW	filepath: C:\Program Files (x86)\Adobe\acrotray .exe filepath_r: C:\Program Files (x86)\Adobe\acrotray .exe parameters: C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe" show_type: 0	failed	0

搜索运行中的进程，可能用于识别沙箱规避、代码注入或内存转储的进程 (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545330.296 Process32NextW	snapshot_handle: 0x000000f8 process_name: acrotray.exe process_identifier: 2100	success	1	0

将读写内存保护更改为可读执行（可能是为了避免在同时设置所有 RWX 标志时被检测） (6 个事件)

Time & API	Arguments	Status
1727545288.937 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 3012	success
1727545290.281 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 2064	success
1727545312.6095 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 1428	success
1727545313.125 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 2100	success
1727545313.203125 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 1012	success
1727545313.671625 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 2388	success

检查系统上可疑权限的本地唯一标识符 (6 个事件)

Time & API	Arguments	Status	Return
1727545289.046 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1727545290.296 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1727545312.6255 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1727545313.125 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1727545313.218125 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1727545313.687625 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1

重复搜索未找到的进程，您可能希望在分析期间运行一个网络浏览器 (16 个事件)

Time & API	Arguments	Status
1727545289.062 Process32NextW	snapshot_handle: 0x0000013c process_name: 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe process_identifier: 3012	failed
1727545289.062 Process32NextW	snapshot_handle: 0x0000013c process_name: 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe process_identifier: 3012	failed
1727545290.296 Process32NextW	snapshot_handle: 0x0000013c process_name: 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe process_identifier: 2064	failed
1727545290.296 Process32NextW	snapshot_handle: 0x0000013c process_name: 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe process_identifier: 2064	failed
1727545310.296 Process32NextW	snapshot_handle: 0x0000013c process_name: 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe process_identifier: 2064	failed
1727545330.296 Process32NextW	snapshot_handle: 0x000000f8 process_name: acrotray .exe process_identifier: 2388	failed
1727545312.6255 Process32NextW	snapshot_handle: 0x0000013c process_name: iexplore.exe process_identifier: 2016	failed
1727545312.6405 Process32NextW	snapshot_handle: 0x0000013c process_name: iexplore.exe process_identifier: 2016	failed
1727545313.14 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 1012	failed
1727545313.14 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 1012	failed
1727545333.14 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 2388	failed
1727545313.234125 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 1012	failed
1727545313.234125 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 1012	failed
1727545313.687625 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 2388	failed
1727545313.703625 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 2388	failed
1727545333.703625 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 2388	failed

可执行文件使用UPX压缩 (3 个事件)

section	UPX0	description	节名称指示UPX
section	UPX1	description	节名称指示UPX
section	UPX2	description	节名称指示UPX

与未执行 DNS 查询的主机进行通信 (1 个事件)

host

114.114.114.114

在 Windows 启动时自我安装以实现自动运行 (1 个事件)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader

reg_value

C:\Program Files (x86)\Adobe\acrotray.exe

通过 in 指令特性检测 VMWare (6 个事件)

Time & API	Arguments	Status
1727545289.046 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5188945 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x1428 @ 0x401428 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x17d2 @ 0x4017d2 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545290.281 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5582385 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x1428 @ 0x401428 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x17d2 @ 0x4017d2 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545312.6095 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 3026041 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 acrotray+0x1428 @ 0x401428 acrotray+0x17d2 @ 0x4017d2 acrotray+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.125 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 4795601 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 acrotray+0x1428 @ 0x401428 acrotray+0x17d2 @ 0x4017d2 acrotray+0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.203125 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5582033 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 acrotray +0x1428 @ 0x401428 acrotray +0x17d2 @ 0x4017d2 acrotray +0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.687625 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 4926761 registers.edi: 0 stacktrace: abcgh+0x5b @ 0x10001b39 acrotray +0x1428 @ 0x401428 acrotray +0x17d2 @ 0x4017d2 acrotray +0x3815 @ 0x403815 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success

文件已被 VirusTotal 上 56 个反病毒引擎识别为恶意 (50 out of 56 个事件)

ALYac	Gen:Variant.Ulise.22573
APEX	Malicious
AVG	Win32:Unruy-AA [Trj]
Acronis	suspicious
Ad-Aware	Gen:Variant.Ulise.22573
AhnLab-V3	Trojan/Win32.Unruy.R270623
Antiy-AVL	Trojan[Clicker]/Win32.Cycler
Arcabit	Trojan.Ulise.D582D
Avast	Win32:Unruy-AA [Trj]
Avira	TR/Dldr.Agent.39446
Baidu	Win32.Trojan-Clicker.Cycler.a
BitDefender	Gen:Variant.Ulise.22573
CAT-QuickHeal	Trojan.Mauvaise.SL1
ClamAV	Win.Malware.Unruy-6935051-0
Comodo	Packed.Win32.MUPX.Gen@24tbus
CrowdStrike	win/malicious_confidence_100% (D)
Cybereason	malicious.3991e9
Cylance	Unsafe
Cyren	W32/Unruy.FDGB-0083
DrWeb	Trojan.MulDrop1.1929
ESET-NOD32	Win32/TrojanDownloader.Unruy.AT
Emsisoft	Gen:Variant.Ulise.22573 (B)
Endgame	malicious (high confidence)
F-Prot	W32/Unruy.R
F-Secure	Trojan.TR/Dldr.Agent.39446
FireEye	Generic.mg.2cf56d63991e9436
Fortinet	W32/Unruy.BK!tr.dldr
GData	Gen:Variant.Ulise.22573
Ikarus	Trojan-Downloader.Win32.Unruy
Invincea	heuristic
K7AntiVirus	Trojan-Downloader ( 001730931 )
K7GW	Trojan-Downloader ( 001730931 )
Kaspersky	HEUR:Trojan.Win32.Generic
Lionic	Trojan.Win32.Cycler.l2bS
MAX	malware (ai score=81)
McAfee	Downloader-BPA.j.b
McAfee-GW-Edition	BehavesLike.Win32.Generic.bt
MicroWorld-eScan	Gen:Variant.Ulise.22573
Microsoft	TrojanDownloader:Win32/Unruy.C
NANO-Antivirus	Trojan.Win32.Cycler.vvftm
Panda	Trj/Genetic.gen
Qihoo-360	HEUR/QVM07.1.8DAB.Malware.Gen
Rising	Trojan.Unruy!1.AE5E (CLASSIC)
SentinelOne	DFI - Malicious PE
Sophos	Mal/Mdrop-T
Symantec	ML.Attribute.HighConfidence
Trapmine	malicious.high.ml.score
TrendMicro	TROJ_UNRUY.SMT
TrendMicro-HouseCall	TROJ_UNRUY.SMT
VBA32	TrojanClicker.Cycler

连接到不再响应请求的 IP 地址（合法服务通常会保持运行） (2 个事件)

dead_host	45.56.79.23:80
dead_host	45.33.18.44:80

288x288

224x224

192x192

160x160

128x128

96x96

64x64

32x32

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2009-11-13 08:33:06

PE Imphash

de6c7cb6a3205debfc6ae490248ff623

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
UPX0	0x00001000	0x00015000	0x0000a800	6.48365216271457
UPX1	0x00016000	0x00007000	0x00006a00	2.478272870505067
UPX2	0x0001d000	0x00001000	0x00000200	2.2809806513308724
.imports	0x0001e000	0x00001000	0x00000200	4.199760105138974

Imports

Library KERNEL32.DLL:

• 0x404000 GetFileAttributesExA

• 0x404004 HeapDestroy

• 0x404008 HeapFree

• 0x40400c HeapCreate

• 0x404010 Sleep

• 0x404014 HeapAlloc

• 0x404018 GetProcessHeap

• 0x40401c CloseHandle

• 0x404020 ReadFile

• 0x404024 SetFilePointer

• 0x404028 QueryPerformanceCounter

• 0x40402c CreateFileA

• 0x404030 ExitProcess

• 0x404034 GetModuleFileNameA

• 0x404038 GetProcAddress

• 0x40403c LoadLibraryA

• 0x404040 VirtualAlloc

• 0x404044 VirtualFree

• 0x404048 IsBadReadPtr

• 0x40404c lstrcmpiA

• 0x404050 FreeLibrary

• 0x404054 GetStartupInfoA

• 0x404058 GetModuleHandleA

• 0x40405c HeapReAlloc

• 0x404060 GetCommandLineA

Library USER32.dll:

• 0x404068 wvsprintfA

L!This program cannot be run in DOS mode.
nynynyLrnyqjnynxny)qonyRichny
.imports
E@EE;E}
E@EEUQ}
E@EE;E
E@EE;E
E@EE;E}
uYYEU<
;u^;Ms
EEMM?}
;ujM+M;Us
EpPEp4
ATPuui
EM+H4M
E@EE(EE
E@EE(EE
E@EE@@EE@
EE@@EEM;H
E@EEM;H
%d %d %d %d
i=;1<UP
ippp78{+I+J
incJy{
t9t=;1
psi{d$R
iZ"2t,|
iWdmiet,[
iWdmmc
t-cs;R
&mmNc/$F
tw~d+G
u<-t,0
t<Js{JJ
u{jd-j
tcmd-m
tcudj{G
gW=;=;:
t$MUt;
QNd;{N
tGiN5im
8d@tN/i
tR='fJB
$s{$d-$-
t}-{<\
tdj{<r
d-meW=
d-;efmdm
tU%]ys
NyNd3;
{Nyd-G
t[d-Gt,$
Gd,i{G,V
NGc5;y
tf-mHi;#
tC%mmeN@3
tnyc$;
tycN$(
tTd!i3
isi7ld
[i{[is
sssZa9K
k5/q[up4N781'+
v}b(0d
8kuV%%
t([o+k
ig+q+&k
L+u2%++e
ss'kuak1ukN
ZZs'kuk1
ZZs'k1uk1
&+ssNks1
|K7+e#4
deV+%o+
ee+VZVV
UAAAVo+A+Vo
eL=/A+A+
=++2+e
Ute2oe
ii[+A+%&
cAAAV%+Vo
zGsu#%o&{
FJKKKKKK'KoKK\KK@KK
ZZZcZZZZmZ
MjaaaaKa#aaa
aJaa9999999&9{9x9
9 9gK[=
KK~KKKK
KhKKEKK
ZVZdZZmZ
a9999$9)9999G9i
^,r;KKTK
E6_^aa5a[aaaaaaaa^ajaaGa
999V99Z9999%9
999l999;
K{K|KxKKKfKHKKKKyKKt
aaAaaa
p+$K~KKPKKKKK K
ZnZZqZpZ&ZZ
aaaaqa#aoaMa)a
aaaaJaa9W999/99%9-9|99>9@9
99G9tD
fQjlnX-
ZZZ6Z,Z
aaaaawa|a a9V949
999 99
d'K~KKoKKKKBKKK*KKlKKg8
WaacaRazajaa
e}zJXvRBVW7
4;x:upS2(M=*
n% qIG0L`O
kernel32.dll
VirtualProtect
GetFileAttributesExA
HeapDestroy
HeapFree
HeapCreate
HeapAlloc
GetProcessHeap
CloseHandle
ReadFile
SetFilePointer
QueryPerformanceCounter
CreateFileA
ExitProcess
GetModuleFileNameA
GetProcAddress
LoadLibraryA
VirtualAlloc
VirtualFree
IsBadReadPtr
lstrcmpiA
FreeLibrary
GetStartupInfoA
GetModuleHandleA
HeapReAlloc
GetCommandLineA
wvsprintfA
`.rdata
@.data
"e%/,S']ak1N
uu[u([kML
T(ehUP&k*q
mKtnj;\
74%-/_
c/%.+Z[
dK`Pr;
#8vse#n|K78#4
&^ J4$
+aoZ[
b#?+5K(
tVaS+
$O|VAK4k4@iaC
oIFj&7
nUL826ZAde
Z-gq-'
5/ou8Z4p@
_/D[3uf+e
7XQKao
+W2A}dK2
biZP[#VMLox
LeCptU
%e2oI.
A/A[Cas
:YuJ!
jJKvWLM
eAFk]E:+ugBBv
2wu1k3J8
R]iUQ8Qh
lhL<>OU
Eq6}s=
6fYF%.+Cp
>71VZk7
zGs%u#%
KKKKK'KoKK\KK@KK
KKrK%^K3:X2q5
ZZYhZcZZZZmZr?K
M7ljaa
aJaa99R9999&9{9x9
9 9g\K[=o
KhKKEKK
aa1P=A
ZdZ<(`*?d(
;^G$er)z
a9999$9)9999G9i
gvM~^,r;KKTK
?6_^aa5a[aaaaaaaa^ajaaG/`
999V99Z9999%
999l999;
K{KxXKfKHKKKKyKKt
ftwX%
aDpa999
KPKKKKK K
ZnZZqZpZ&ZZ
oaMa)a
a9W999/9u-9|99>9@~{t
t'=k7br
yfQjlnX-
XZ6Z,O
wa|a a}49
RKBTK*KKlg8
Waac{aRazassGNi
o}zJXvRBVW7
P,-.^Zb
4;x[:upS2(=*
[+|3C=]-oT/
n% qIG0L`O
D![okernel32.dllVirtualProtecit
GetFileAttributes[ExAHeapD
S4ep6g
AllocJP0c6sm{
seHandl.R
m?sodh8qPoinGr[v
form,>C{ou
a]iModul
 }Addr#LopL*nra\
)Pttlcmpi3=
A^Sta6pIn 
qmhwvspr?
pJ<.@HWp
.textr(*
a}l#.jkv@.&4UP'h
XPTPSWXaD$j
KERNEL32.DLL
USER32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
wvsprintfA
KERNEL32.DLL
GetFileAttributesExA
HeapDestroy
HeapFree
HeapCreate
HeapAlloc
GetProcessHeap
CloseHandle
ReadFile
SetFilePointer
QueryPerformanceCounter
CreateFileA
ExitProcess
GetModuleFileNameA
GetProcAddress
LoadLibraryA
VirtualAlloc
VirtualFree
IsBadReadPtr
lstrcmpiA
FreeLibrary
GetStartupInfoA
GetModuleHandleA
HeapReAlloc
GetCommandLineA
USER32.dll
wvsprintfA

Process Tree

033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe (3012) "C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe"
- 033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe (2064) "C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe" C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe"
- acrotray.exe (1428) "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe"
  - acrotray .exe (1012) "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe"
    - acrotray .exe (2388) "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe"
  - acrotray.exe (2100) "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe"

033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe, PID: 3012, Parent PID: 2236

default registry file network process services synchronisation iexplore office pdf

033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe, PID: 2064, Parent PID: 3012

default registry file network process services synchronisation iexplore office pdf

acrotray.exe, PID: 1428, Parent PID: 3012

default registry file network process services synchronisation iexplore office pdf

acrotray.exe, PID: 2100, Parent PID: 1428

default registry file network process services synchronisation iexplore office pdf

acrotray .exe, PID: 1012, Parent PID: 1428

default registry file network process services synchronisation iexplore office pdf

acrotray .exe, PID: 2388, Parent PID: 1012

default registry file network process services synchronisation iexplore office pdf

Hosts

IP
114.114.114.114
45.56.79.23
45.33.18.44

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
www2.megawebfind.com	A 45.33.18.44 A 45.56.79.23 A 45.33.2.79	45.33.18.44

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53179	224.0.0.252	5355
192.168.56.101	49642	224.0.0.252	5355
192.168.56.101	137	192.168.56.255	137
192.168.56.101	61714	114.114.114.114	53
192.168.56.101	56933	114.114.114.114	53
192.168.56.101	138	192.168.56.255	138
192.168.56.101	58485	114.114.114.114	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name	d1a7598d4e70ec6e_acrotray .exe
Filepath	C:\Program Files (x86)\Adobe\acrotray .exe
Size	783.8KB
Processes	3012 (033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe)
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5	`5078e19ad324e9c53452b2b915f4694b`
SHA1	`275f990a8be9c6be2c83b1289a735c0fcbe9fc29`
SHA256	`d1a7598d4e70ec6e3f778e81c2754823ac6adb1000972d8aabd346a8f2ea92dd`
CRC32	`A010C9DB`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Name	0a09bf3dfb729e2e_acrotray.exe
Filepath	C:\Program Files (x86)\Adobe\acrotray.exe
Size	775.9KB
Processes	3012 (033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe)
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5	`47159ee6c5dc36ab923059cacb7b38a6`
SHA1	`11581651937a5e95c80be107a862af546999663d`
SHA256	`0a09bf3dfb729e2e7ccec2136e6a64fd84c6d0625154ce3dd9e2497a3564158a`
CRC32	`ED7FE309`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Name	beb1dca3308a58f6_360tptmon.exe
Filepath	C:\Program Files (x86)\360\360TptMon\360tptmon.exe
Size	775.1KB
Processes	3012 (033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe)
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5	`3e71a2488f2dff4f23adde2ae55af384`
SHA1	`9aa66e9cb6c2ac7c237368611e56173976b61366`
SHA256	`beb1dca3308a58f6cc80668ddff9b1a9404f12ff80190eda13a506e02990d459`
CRC32	`B5915FE7`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Name	56e19b1e05a01ecc_360drvmgr.exe
Filepath	C:\Program Files (x86)\360\360DrvMgr\360drvmgr.exe
Size	776.8KB
Processes	3012 (033fcda42e0d5b036a5abf0319f66d8e7b18982d49c1e45598538ae7bf0a9b26.exe)
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5	`645400e6a5f732a4b544ce4c148ecab7`
SHA1	`7924fda0ead82a6426283f42862c14084b7553ab`
SHA256	`56e19b1e05a01ecc00b8337427b8600e1e28b7c776d4a122ee208a49d3f70061`
CRC32	`AE676ACC`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Sorry! No dropped buffers.