SmartHawk

13.2

0-day

该样本未表现出任何异常！

重新分析

下载样本

2f02252363a7f372edd004c7add17a9cf575abf38045b25c5e2e21fe16cad7cf

3eb616b0d2bacfc55f7fbd3ccac93cc1.exe

分析耗时

184s

最近分析

文件大小

1.2MB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

未检测暂无反病毒引擎检测结果

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 个事件)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (41 个事件)

Time & API	Arguments	Status
1619384503.59375 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 41418568 registers.edi: 0 registers.eax: 4 registers.ebp: 41418632 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 412942336 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: 3eb616b0d2bacfc55f7fbd3ccac93cc1+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: 3eb616b0d2bacfc55f7fbd3ccac93cc1.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399072.256874 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50397000 registers.edi: 0 registers.eax: 4 registers.ebp: 50397064 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 1040646144 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399085.474626 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73ef4b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73ef5d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 184 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfc7c1485	success
1619399077.178874 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 41287496 registers.edi: 0 registers.eax: 4 registers.ebp: 41287560 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 1376518144 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399095.756374 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 51248968 registers.edi: 0 registers.eax: 4 registers.ebp: 51249032 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 2593062912 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399099.053626 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f44b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f45d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe161485	success
1619399099.068249 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 41418568 registers.edi: 0 registers.eax: 4 registers.ebp: 41418632 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 2305818624 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399099.724501 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 40238920 registers.edi: 0 registers.eax: 4 registers.ebp: 40238984 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 2316304384 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399102.959501 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73ea4b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73ea5d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfcab1485	success
1619399102.974124 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 41287496 registers.edi: 0 registers.eax: 4 registers.ebp: 41287560 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 3066167296 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399103.912249 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 40304456 registers.edi: 0 registers.eax: 4 registers.ebp: 40304520 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 3128623104 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399108.896249 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f44b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f45d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe161485	success
1619399108.928874 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 52100936 registers.edi: 0 registers.eax: 4 registers.ebp: 52101000 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 2921463808 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399109.678874 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50331464 registers.edi: 0 registers.eax: 4 registers.ebp: 50331528 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 3539992576 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399112.912249 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f44b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f45d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfc601485	success
1619399112.928874 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 40501064 registers.edi: 0 registers.eax: 4 registers.ebp: 40501128 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 3754033152 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399113.896626 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 40763208 registers.edi: 0 registers.eax: 4 registers.ebp: 40763272 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 3279618048 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399117.145999 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f44b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f45d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfc5b1485	success
1619399117.162626 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 41156424 registers.edi: 0 registers.eax: 4 registers.ebp: 41156488 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 3460104192 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399119.349749 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 40238920 registers.edi: 0 registers.eax: 4 registers.ebp: 40238984 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 4140302336 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399126.428626 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f44b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f45d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfc7b1485	success
1619399126.428249 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 39845704 registers.edi: 0 registers.eax: 4 registers.ebp: 39845768 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 309198848 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399135.928874 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 41680712 registers.edi: 0 registers.eax: 4 registers.ebp: 41680776 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 965345280 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399144.428874 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f44b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f45d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfc5f1485	success
1619399144.443124 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 40894280 registers.edi: 0 registers.eax: 4 registers.ebp: 40894344 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 1490944000 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399152.717437 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 51707720 registers.edi: 0 registers.eax: 4 registers.ebp: 51707784 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 1991639040 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399158.434875 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f44b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f45d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe091485	success
1619399158.439436 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50659144 registers.edi: 0 registers.eax: 4 registers.ebp: 50659208 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 1815216128 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399167.519105 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50659144 registers.edi: 0 registers.eax: 4 registers.ebp: 50659208 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 2348482560 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399175.110698 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f44b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f45d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfc851485	success
1619399175.11373 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 39976776 registers.edi: 0 registers.eax: 4 registers.ebp: 39976840 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 2778595328 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399178.857161 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50331464 registers.edi: 0 registers.eax: 4 registers.ebp: 50331528 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 3540713472 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399183.581753 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f44b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f45d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe0f1485	success
1619399183.550065 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 40632136 registers.edi: 0 registers.eax: 4 registers.ebp: 40632200 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 3254976512 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399186.6122 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 40828744 registers.edi: 0 registers.eax: 4 registers.ebp: 40828808 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 3461808128 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399193.043649 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f44b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f45d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfca11485	success
1619399193.025214 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 40369992 registers.edi: 0 registers.eax: 4 registers.ebp: 40370056 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 3925475328 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399196.364061 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 40435528 registers.edi: 0 registers.eax: 4 registers.ebp: 40435592 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 379584512 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399199.783389 __exception__	stacktrace: RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x73fad4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a abyhu2+0x583f8 @ 0x4583f8 _CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x73f44b0f _CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x73f45d3d 0x57005c registers.esp: 1633872 registers.edi: 0 registers.eax: 0 registers.ebp: 1633912 registers.edx: 582600 registers.ebx: 0 registers.esi: 1634116 registers.ecx: 176 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe2f1485	success
1619399199.766171 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 40173384 registers.edi: 0 registers.eax: 4 registers.ebp: 40173448 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 130220032 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success
1619399203.331765 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50855752 registers.edi: 0 registers.eax: 4 registers.ebp: 50855816 registers.edx: 2130553844 registers.ebx: 1983198136 registers.esi: 0 registers.ecx: 912064512 exception.instruction_r: 66 89 03 33 c0 5a 59 59 64 89 10 68 21 b8 4a 00 exception.symbol: abyhu2+0xab801 exception.instruction: mov word ptr [ebx], ax exception.module: Abyhu2.exe exception.exception_code: 0xc0000005 exception.offset: 702465 exception.address: 0x4ab801	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:3922326175&cup2hreq=11dda50e95b2ff85340dafb0a541c5e4899c9216489f963bb0008ad56a655c30

Performs some HTTP requests (4 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619370015&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d8598f06905cfa57&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619370015&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:3922326175&cup2hreq=11dda50e95b2ff85340dafb0a541c5e4899c9216489f963bb0008ad56a655c30

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:3922326175&cup2hreq=11dda50e95b2ff85340dafb0a541c5e4899c9216489f963bb0008ad56a655c30

Allocates read-write-execute memory (usually to unpack itself) (50 out of 396 个事件)

Time & API	Arguments	Status
1619384503.34375 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00540000	success
1619384503.59375 NtAllocateVirtualMemory	process_identifier: 580 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005d0000	success
1619384503.60975 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00820000	success
1619399072.053874 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00640000	success
1619399072.256874 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x023f0000	success
1619399072.271874 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02560000	success
1619399077.881626 NtAllocateVirtualMemory	process_identifier: 1036 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01f90000	success
1619399077.881626 NtAllocateVirtualMemory	process_identifier: 1036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02130000	success
1619399077.881626 NtAllocateVirtualMemory	process_identifier: 1036 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00500000	success
1619399077.881626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 299008 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00502000	success
1619399085.334626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00562000	success
1619399085.334626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619399085.334626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00562000	success
1619399085.334626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619399085.334626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00562000	success
1619399085.334626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619399085.334626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00562000	success
1619399085.334626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00562000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d4f000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00562000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00562000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00562000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00562000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00562000	success
1619399085.349626 NtProtectVirtualMemory	process_identifier: 1036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619399077.178874 NtAllocateVirtualMemory	process_identifier: 1176 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00640000	success
1619399077.178874 NtAllocateVirtualMemory	process_identifier: 1176 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00690000	success
1619399077.178874 NtAllocateVirtualMemory	process_identifier: 1176 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02440000	success
1619399095.756374 NtAllocateVirtualMemory	process_identifier: 3224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00540000	success
1619399095.756374 NtAllocateVirtualMemory	process_identifier: 3224 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00580000	success
1619399095.771374 NtAllocateVirtualMemory	process_identifier: 3224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02530000	success
1619399099.037626 NtAllocateVirtualMemory	process_identifier: 3300 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00500000	success
1619399099.037626 NtAllocateVirtualMemory	process_identifier: 3300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00530000	success
1619399099.037626 NtAllocateVirtualMemory	process_identifier: 3300 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01dc0000	success
1619399099.037626 NtProtectVirtualMemory	process_identifier: 3300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 299008 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01dc2000	success
1619399099.037626 NtProtectVirtualMemory	process_identifier: 3300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f02000	success
1619399099.037626 NtProtectVirtualMemory	process_identifier: 3300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619399099.037626 NtProtectVirtualMemory	process_identifier: 3300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f02000	success
1619399099.037626 NtProtectVirtualMemory	process_identifier: 3300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619399099.037626 NtProtectVirtualMemory	process_identifier: 3300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f02000	success
1619399099.037626 NtProtectVirtualMemory	process_identifier: 3300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619399099.037626 NtProtectVirtualMemory	process_identifier: 3300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f02000	success
1619399099.037626 NtProtectVirtualMemory	process_identifier: 3300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619399099.037626 NtProtectVirtualMemory	process_identifier: 3300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f02000	success
1619399099.037626 NtProtectVirtualMemory	process_identifier: 3300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d4f000	success

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cr45.vbs

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (28 个事件)

Time & API	Arguments	Status	Return
1619399095.771374 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3280	success	1
1619399102.974124 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 3536	success	1
1619399102.974124 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 3596	success	1
1619399103.928249 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 3708	success	1
1619399108.928874 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 3784	success	1
1619399108.928874 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3912	success	1
1619399109.693874 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 3952	success	1
1619399109.693874 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 4008	success	1
1619399112.928874 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000011c process_identifier: 4028	success	1
1619399112.928874 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 4052	success	1
1619399113.912626 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3268	success	1
1619399117.178626 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x00000120 process_identifier: 3396	success	1
1619399117.178626 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000120 process_identifier: 3484	success	1
1619399126.428249 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 3740	success	1
1619399126.428249 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x0000011c process_identifier: 3844	success	1
1619399126.428249 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x0000011c process_identifier: 3712	success	1
1619399126.428249 Process32NextW	process_name: is32bit.exe snapshot_handle: 0x0000011c process_identifier: 3140	success	1
1619399135.943874 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 1896	success	1
1619399144.459124 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3796	success	1
1619399158.454436 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3700	success	1
1619399175.11373 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 2696	success	1
1619399178.857161 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 2756	success	1
1619399186.6122 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 4064	success	1
1619399186.6122 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 2816	success	1
1619399193.025214 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 2092	success	1
1619399193.025214 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3736	success	1
1619399196.364061 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 1928	success	1
1619399199.782171 Process32NextW	process_name: is32bit.exe snapshot_handle: 0x0000011c process_identifier: 4072	success	1

The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)

entropy

7.623853351995816

section

{'size_of_data': '0x00012000', 'virtual_address': '0x000ac000', 'entropy': 7.623853351995816, 'name': 'DATA', 'virtual_size': '0x00011ff4'}

description

A section with a high entropy has been found

entropy

7.524104399192132

section

{'size_of_data': '0x0006ba00', 'virtual_address': '0x000d2000', 'entropy': 7.524104399192132, 'name': '.rsrc', 'virtual_size': '0x0006b9cc'}

description

A section with a high entropy has been found

entropy

0.4013578274760383

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

abyhu2.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (41 个事件)

Time & API	Arguments	Status
1619384503.62475 Process32NextW	process_name: conhost.exe snapshot_handle: 0x0000011c process_identifier: 1176	failed
1619399072.271874 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 2604	failed
1619399077.193874 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 1056	failed
1619399095.584874 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x000003c0 process_identifier: 1176	failed
1619399095.771374 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3280	failed
1619399099.068249 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3452	failed
1619399099.506249 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x00000130 process_identifier: 3360	failed
1619399099.724501 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3520	failed
1619399102.974124 Process32NextW	process_name: is32bit.exe snapshot_handle: 0x0000011c process_identifier: 3672	failed
1619399103.756124 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000013c process_identifier: 3596	failed
1619399103.928249 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3764	failed
1619399108.928874 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3940	failed
1619399109.474874 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x00000134 process_identifier: 3848	failed
1619399109.693874 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 4008	failed
1619399112.928874 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3168	failed
1619399113.693874 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000013c process_identifier: 1416	failed
1619399113.912626 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3268	failed
1619399117.178626 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000120 process_identifier: 3516	failed
1619399119.146626 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000016c process_identifier: 3396	failed
1619399119.365749 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3652	failed
1619399126.428249 Process32NextW	process_name: is32bit.exe snapshot_handle: 0x0000011c process_identifier: 3140	failed
1619399135.740249 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x00000274 process_identifier: 2452	failed
1619399135.943874 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 1896	failed
1619399144.459124 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3796	failed
1619399151.943124 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000228 process_identifier: 2200	failed
1619399152.733437 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 200	failed
1619399158.454436 Process32NextW	process_name: is32bit.exe snapshot_handle: 0x0000011c process_identifier: 3364	failed
1619399165.892436 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x00000208 process_identifier: 984	failed
1619399167.519105 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3064	failed
1619399175.11373 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 2080	failed
1619399178.39573 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x00000198 process_identifier: 2696	failed
1619399178.857161 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 2756	failed
1619399183.550065 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 628	failed
1619399186.503065 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x0000018c process_identifier: 3012	failed
1619399186.6122 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 2816	failed
1619399193.025214 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 3736	failed
1619399196.634214 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x000001a4 process_identifier: 2092	failed
1619399196.364061 Process32NextW	process_name: abyhu2.exe snapshot_handle: 0x0000011c process_identifier: 1928	failed
1619399199.782171 Process32NextW	process_name: is32bit.exe snapshot_handle: 0x0000011c process_identifier: 4072	failed
1619399203.829171 Process32NextW	process_name: Abyhu2.exe snapshot_handle: 0x000001b4 process_identifier: 3284	failed
1619399203.331765 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000011c process_identifier: 952	failed

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	203.208.41.34

Creates an Alternate Data Stream (ADS) (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe:ZoneIdentifier

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619384511.37475 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000124 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000f0000	success	0	0

Installs itself for autorun at Windows startup (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cr45.vbs

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe

Manipulates memory of a non-child process indicative of process injection (3 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1252 manipulating memory of non-child process 692
1619399206.456765 NtUnmapViewOfSection	process_identifier: 692 region_size: 4096 process_handle: 0x00000124 base_address: 0x00400000	success	0	0
1619399206.472765 NtMapViewOfSection	section_handle: 0x00000134 process_identifier: 692 commit_size: 692224 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000124 allocation_type: 0 () section_offset: 0 view_size: 692224 base_address: 0x00400000	success	0	0

Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 580 created a thread in remote process 944
1619384511.37475 NtQueueApcThread	thread_handle: 0x0000012c process_identifier: 944 function_address: 0x000f05c0 parameter: 0x00100000	success	0	0

Potential code injection by writing to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619384511.37475 WriteProcessMemory	process_identifier: 944 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x00000124 base_address: 0x000f0000	success	1	0
1619384511.37475 WriteProcessMemory	process_identifier: 944 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3eb616b0d2bacfc55f7fbd3ccac93cc1.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3eb616b0d2bacfc55f7fbd3ccac93cc1.exe" Cr45set FXEclPFZzxzl = cReaTEOBJEct("wSCript.shEll") FxeClPfZZxzl.RuN """%ls""", 0, False process_handle: 0x00000124 base_address: 0x00100000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (28 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1208 called NtSetContextThread to modify thread in remote process 1036
Process injection	Process 3224 called NtSetContextThread to modify thread in remote process 3300
Process injection	Process 3464 called NtSetContextThread to modify thread in remote process 3536
Process injection	Process 3708 called NtSetContextThread to modify thread in remote process 3784
Process injection	Process 3952 called NtSetContextThread to modify thread in remote process 4052
Process injection	Process 2840 called NtSetContextThread to modify thread in remote process 284
Process injection	Process 3568 called NtSetContextThread to modify thread in remote process 3740
Process injection	Process 3428 called NtSetContextThread to modify thread in remote process 3304
Process injection	Process 624 called NtSetContextThread to modify thread in remote process 2236
Process injection	Process 1604 called NtSetContextThread to modify thread in remote process 3216
Process injection	Process 3192 called NtSetContextThread to modify thread in remote process 4084
Process injection	Process 4064 called NtSetContextThread to modify thread in remote process 2808
Process injection	Process 1928 called NtSetContextThread to modify thread in remote process 1688
Process injection	Process 1252 called NtSetContextThread to modify thread in remote process 692
1619399075.349874 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1036	success	0	0
1619399098.849374 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3300	success	0	0
1619399102.771501 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3536	success	0	0
1619399108.740249 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3784	success	0	0
1619399112.756874 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4052	success	0	0
1619399116.974626 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 284	success	0	0
1619399122.756749 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3740	success	0	0
1619399139.303874 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3304	success	0	0
1619399157.170437 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2236	success	0	0
1619399171.113105 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3216	success	0	0
1619399182.044161 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4084	success	0	0
1619399190.8152 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2808	success	0	0
1619399199.895061 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1688	success	0	0
1619399206.769765 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 692	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (28 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1208 resumed a thread in remote process 1036
Process injection	Process 3224 resumed a thread in remote process 3300
Process injection	Process 3464 resumed a thread in remote process 3536
Process injection	Process 3708 resumed a thread in remote process 3784
Process injection	Process 3952 resumed a thread in remote process 4052
Process injection	Process 2840 resumed a thread in remote process 284
Process injection	Process 3568 resumed a thread in remote process 3740
Process injection	Process 3428 resumed a thread in remote process 3304
Process injection	Process 624 resumed a thread in remote process 2236
Process injection	Process 1604 resumed a thread in remote process 3216
Process injection	Process 3192 resumed a thread in remote process 4084
Process injection	Process 4064 resumed a thread in remote process 2808
Process injection	Process 1928 resumed a thread in remote process 1688
Process injection	Process 1252 resumed a thread in remote process 692
1619399077.006874 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 1036	success	0	0
1619399098.881374 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 3300	success	0	0
1619399102.803501 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 3536	success	0	0
1619399108.771249 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 3784	success	0	0
1619399112.771874 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 4052	success	0	0
1619399116.990626 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 284	success	0	0
1619399126.240749 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 3740	success	0	0
1619399144.271874 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 3304	success	0	0
1619399157.701437 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 2236	success	0	0
1619399173.879105 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 3216	success	0	0
1619399183.044161 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 4084	success	0	0
1619399193.0032 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 2808	success	0	0
1619399200.051061 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 1688	success	0	0
1619399207.988765 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 692	success	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 116 个事件)

Time & API	Arguments	Status	Return
1619384511.37475 CreateProcessInternalW	thread_identifier: 1916 thread_handle: 0x0000012c process_identifier: 944 current_directory: filepath: C:\Windows\System32\notepad.exe track: 1 command_line: filepath_r: C:\Windows\system32\notepad.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000124 inherit_handles: 0	success	1
1619384511.37475 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000124 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000f0000	success	0
1619384511.37475 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000124 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00100000	success	0
1619384511.37475 WriteProcessMemory	process_identifier: 944 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x00000124 base_address: 0x000f0000	success	1
1619384511.37475 WriteProcessMemory	process_identifier: 944 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3eb616b0d2bacfc55f7fbd3ccac93cc1.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3eb616b0d2bacfc55f7fbd3ccac93cc1.exe" Cr45set FXEclPFZzxzl = cReaTEOBJEct("wSCript.shEll") FxeClPfZZxzl.RuN """%ls""", 0, False process_handle: 0x00000124 base_address: 0x00100000	success	1
1619399071.880999 CreateProcessInternalW	thread_identifier: 2288 thread_handle: 0x000000d0 process_identifier: 1208 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x000000cc inherit_handles: 0	success	1
1619399075.349874 CreateProcessInternalW	thread_identifier: 2940 thread_handle: 0x0000012c process_identifier: 1036 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000124 inherit_handles: 0	success	1
1619399075.349874 NtUnmapViewOfSection	process_identifier: 1036 region_size: 4096 process_handle: 0x00000124 base_address: 0x00400000	success	0
1619399075.349874 NtMapViewOfSection	section_handle: 0x00000134 process_identifier: 1036 commit_size: 692224 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000124 allocation_type: 0 () section_offset: 0 view_size: 692224 base_address: 0x00400000	success	0
1619399075.349874 NtGetContextThread	thread_handle: 0x0000012c	success	0
1619399075.349874 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1036	success	0
1619399077.006874 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 1036	success	0
1619399077.021874 CreateProcessInternalW	thread_identifier: 3036 thread_handle: 0x00000130 process_identifier: 1176 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe" 2 1036 15715453 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000140 inherit_handles: 0	success	1
1619399095.584874 CreateProcessInternalW	thread_identifier: 3228 thread_handle: 0x000003c4 process_identifier: 3224 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x000003c8 inherit_handles: 0	success	1
1619399098.849374 CreateProcessInternalW	thread_identifier: 3304 thread_handle: 0x0000012c process_identifier: 3300 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000124 inherit_handles: 0	success	1
1619399098.849374 NtUnmapViewOfSection	process_identifier: 3300 region_size: 4096 process_handle: 0x00000124 base_address: 0x00400000	success	0
1619399098.849374 NtMapViewOfSection	section_handle: 0x00000134 process_identifier: 3300 commit_size: 692224 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000124 allocation_type: 0 () section_offset: 0 view_size: 692224 base_address: 0x00400000	success	0
1619399098.849374 NtGetContextThread	thread_handle: 0x0000012c	success	0
1619399098.849374 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3300	success	0
1619399098.881374 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 3300	success	0
1619399098.881374 CreateProcessInternalW	thread_identifier: 3364 thread_handle: 0x00000130 process_identifier: 3360 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe" 2 3300 15737328 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000140 inherit_handles: 0	success	1
1619399099.553249 CreateProcessInternalW	thread_identifier: 3468 thread_handle: 0x00000134 process_identifier: 3464 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000138 inherit_handles: 0	success	1
1619399102.756501 CreateProcessInternalW	thread_identifier: 3540 thread_handle: 0x0000012c process_identifier: 3536 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000124 inherit_handles: 0	success	1
1619399102.756501 NtUnmapViewOfSection	process_identifier: 3536 region_size: 4096 process_handle: 0x00000124 base_address: 0x00400000	success	0
1619399102.771501 NtMapViewOfSection	section_handle: 0x00000134 process_identifier: 3536 commit_size: 692224 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000124 allocation_type: 0 () section_offset: 0 view_size: 692224 base_address: 0x00400000	success	0
1619399102.771501 NtGetContextThread	thread_handle: 0x0000012c	success	0
1619399102.771501 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3536	success	0
1619399102.803501 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 3536	success	0
1619399102.803501 CreateProcessInternalW	thread_identifier: 3600 thread_handle: 0x00000130 process_identifier: 3596 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe" 2 3536 15741250 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000140 inherit_handles: 0	success	1
1619399103.756124 CreateProcessInternalW	thread_identifier: 3712 thread_handle: 0x00000140 process_identifier: 3708 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000144 inherit_handles: 0	success	1
1619399108.740249 CreateProcessInternalW	thread_identifier: 3788 thread_handle: 0x0000012c process_identifier: 3784 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000124 inherit_handles: 0	success	1
1619399108.740249 NtUnmapViewOfSection	process_identifier: 3784 region_size: 4096 process_handle: 0x00000124 base_address: 0x00400000	success	0
1619399108.740249 NtMapViewOfSection	section_handle: 0x00000134 process_identifier: 3784 commit_size: 692224 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000124 allocation_type: 0 () section_offset: 0 view_size: 692224 base_address: 0x00400000	success	0
1619399108.740249 NtGetContextThread	thread_handle: 0x0000012c	success	0
1619399108.740249 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3784	success	0
1619399108.771249 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 3784	success	0
1619399108.787249 CreateProcessInternalW	thread_identifier: 3852 thread_handle: 0x00000130 process_identifier: 3848 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe" 2 3784 15747218 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000140 inherit_handles: 0	success	1
1619399109.521874 CreateProcessInternalW	thread_identifier: 3956 thread_handle: 0x00000138 process_identifier: 3952 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x0000013c inherit_handles: 0	success	1
1619399112.740874 CreateProcessInternalW	thread_identifier: 4056 thread_handle: 0x0000012c process_identifier: 4052 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000124 inherit_handles: 0	success	1
1619399112.740874 NtUnmapViewOfSection	process_identifier: 4052 region_size: 4096 process_handle: 0x00000124 base_address: 0x00400000	success	0
1619399112.740874 NtMapViewOfSection	section_handle: 0x00000134 process_identifier: 4052 commit_size: 692224 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000124 allocation_type: 0 () section_offset: 0 view_size: 692224 base_address: 0x00400000	success	0
1619399112.756874 NtGetContextThread	thread_handle: 0x0000012c	success	0
1619399112.756874 NtSetContextThread	thread_handle: 0x0000012c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4526783 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4052	success	0
1619399112.771874 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 4052	success	0
1619399112.787874 CreateProcessInternalW	thread_identifier: 3156 thread_handle: 0x00000130 process_identifier: 1416 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe" 2 4052 15751218 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000140 inherit_handles: 0	success	1
1619399113.724874 CreateProcessInternalW	thread_identifier: 2548 thread_handle: 0x00000140 process_identifier: 2840 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000144 inherit_handles: 0	success	1
1619399116.959626 CreateProcessInternalW	thread_identifier: 3172 thread_handle: 0x0000012c process_identifier: 284 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\Abyhu2.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000124 inherit_handles: 0	success	1
1619399116.959626 NtUnmapViewOfSection	process_identifier: 284 region_size: 4096 process_handle: 0x00000124 base_address: 0x00400000	success	0
1619399116.959626 NtMapViewOfSection	section_handle: 0x00000134 process_identifier: 284 commit_size: 692224 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000124 allocation_type: 0 () section_offset: 0 view_size: 692224 base_address: 0x00400000	success	0
1619399116.974626 NtGetContextThread	thread_handle: 0x0000012c	success	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)

dead_host	172.217.24.14:443
dead_host	216.58.200.238:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:

• 0x4bf190 DeleteCriticalSection

• 0x4bf194 LeaveCriticalSection

• 0x4bf198 EnterCriticalSection

• 0x4bf19c InitializeCriticalSection

• 0x4bf1a0 VirtualFree

• 0x4bf1a4 VirtualAlloc

• 0x4bf1a8 LocalFree

• 0x4bf1ac LocalAlloc

• 0x4bf1b0 GetVersion

• 0x4bf1b4 GetCurrentThreadId

• 0x4bf1b8 InterlockedDecrement

• 0x4bf1bc InterlockedIncrement

• 0x4bf1c0 VirtualQuery

• 0x4bf1c4 WideCharToMultiByte

• 0x4bf1c8 MultiByteToWideChar

• 0x4bf1cc lstrlenA

• 0x4bf1d0 lstrcpynA

• 0x4bf1d4 LoadLibraryExA

• 0x4bf1d8 GetThreadLocale

• 0x4bf1dc GetStartupInfoA

• 0x4bf1e0 GetProcAddress

• 0x4bf1e4 GetModuleHandleA

• 0x4bf1e8 GetModuleFileNameA

• 0x4bf1ec GetLocaleInfoA

• 0x4bf1f0 GetCommandLineA

• 0x4bf1f4 FreeLibrary

• 0x4bf1f8 FindFirstFileA

• 0x4bf1fc FindClose

• 0x4bf200 ExitProcess

• 0x4bf204 ExitThread

• 0x4bf208 CreateThread

• 0x4bf20c WriteFile

• 0x4bf210 UnhandledExceptionFilter

• 0x4bf214 RtlUnwind

• 0x4bf218 RaiseException

• 0x4bf21c GetStdHandle

Library user32.dll:

• 0x4bf224 GetKeyboardType

• 0x4bf228 LoadStringA

• 0x4bf22c MessageBoxA

• 0x4bf230 CharNextA

Library advapi32.dll:

• 0x4bf238 RegQueryValueExA

• 0x4bf23c RegOpenKeyExA

• 0x4bf240 RegCloseKey

Library oleaut32.dll:

• 0x4bf248 SysFreeString

• 0x4bf24c SysReAllocStringLen

• 0x4bf250 SysAllocStringLen

Library kernel32.dll:

• 0x4bf258 TlsSetValue

• 0x4bf25c TlsGetValue

• 0x4bf260 LocalAlloc

• 0x4bf264 GetModuleHandleA

Library advapi32.dll:

• 0x4bf26c RegQueryValueExA

• 0x4bf270 RegOpenKeyExA

• 0x4bf274 RegCloseKey

Library kernel32.dll:

• 0x4bf27c lstrcpyA

• 0x4bf280 WriteFile

• 0x4bf284 WinExec

• 0x4bf288 WaitForSingleObject

• 0x4bf28c VirtualQuery

• 0x4bf290 VirtualAlloc

• 0x4bf294 Sleep

• 0x4bf298 SizeofResource

• 0x4bf29c SetUnhandledExceptionFilter

• 0x4bf2a0 SetThreadLocale

• 0x4bf2a4 SetFilePointer

• 0x4bf2a8 SetEvent

• 0x4bf2ac SetErrorMode

• 0x4bf2b0 SetEndOfFile

• 0x4bf2b4 ResumeThread

• 0x4bf2b8 ResetEvent

• 0x4bf2bc ReadFile

• 0x4bf2c0 MultiByteToWideChar

• 0x4bf2c4 MulDiv

• 0x4bf2c8 LockResource

• 0x4bf2cc LoadResource

• 0x4bf2d0 LoadLibraryA

• 0x4bf2d4 LeaveCriticalSection

• 0x4bf2d8 InitializeCriticalSection

• 0x4bf2dc GlobalUnlock

• 0x4bf2e0 GlobalSize

• 0x4bf2e4 GlobalReAlloc

• 0x4bf2e8 GlobalHandle

• 0x4bf2ec GlobalLock

• 0x4bf2f0 GlobalFree

• 0x4bf2f4 GlobalFindAtomA

• 0x4bf2f8 GlobalDeleteAtom

• 0x4bf2fc GlobalAlloc

• 0x4bf300 GlobalAddAtomA

• 0x4bf304 GetVersionExA

• 0x4bf308 GetVersion

• 0x4bf30c GetTimeZoneInformation

• 0x4bf310 GetTickCount

• 0x4bf314 GetThreadLocale

• 0x4bf318 GetTempPathA

• 0x4bf31c GetSystemTimeAsFileTime

• 0x4bf320 GetSystemTime

• 0x4bf324 GetSystemInfo

• 0x4bf328 GetStringTypeExA

• 0x4bf32c GetStdHandle

• 0x4bf330 GetProfileStringA

• 0x4bf334 GetProcAddress

• 0x4bf338 GetModuleHandleA

• 0x4bf33c GetModuleFileNameA

• 0x4bf340 GetLocaleInfoA

• 0x4bf344 GetLocalTime

• 0x4bf348 GetLastError

• 0x4bf34c GetFullPathNameA

• 0x4bf350 GetFileSize

• 0x4bf354 GetFileAttributesA

• 0x4bf358 GetExitCodeThread

• 0x4bf35c GetDiskFreeSpaceA

• 0x4bf360 GetDateFormatA

• 0x4bf364 GetCurrentThreadId

• 0x4bf368 GetCurrentProcessId

• 0x4bf36c GetCPInfo

• 0x4bf370 GetACP

• 0x4bf374 FreeResource

• 0x4bf378 InterlockedIncrement

• 0x4bf37c InterlockedExchange

• 0x4bf380 InterlockedDecrement

• 0x4bf384 FreeLibrary

• 0x4bf388 FormatMessageA

• 0x4bf38c FindResourceA

• 0x4bf390 FindFirstFileA

• 0x4bf394 FindClose

• 0x4bf398 FileTimeToSystemTime

• 0x4bf39c FileTimeToLocalFileTime

• 0x4bf3a0 FileTimeToDosDateTime

• 0x4bf3a4 ExitThread

• 0x4bf3a8 EnumCalendarInfoA

• 0x4bf3ac EnterCriticalSection

• 0x4bf3b0 DeleteCriticalSection

• 0x4bf3b4 CreateThread

• 0x4bf3b8 CreateFileA

• 0x4bf3bc CreateEventA

• 0x4bf3c0 CompareStringA

• 0x4bf3c4 CloseHandle

Library version.dll:

• 0x4bf3cc VerQueryValueA

• 0x4bf3d0 GetFileVersionInfoSizeA

• 0x4bf3d4 GetFileVersionInfoA

Library gdi32.dll:

• 0x4bf3dc UnrealizeObject

• 0x4bf3e0 StretchBlt

• 0x4bf3e4 SetWindowOrgEx

• 0x4bf3e8 SetWinMetaFileBits

• 0x4bf3ec SetViewportOrgEx

• 0x4bf3f0 SetTextColor

• 0x4bf3f4 SetStretchBltMode

• 0x4bf3f8 SetROP2

• 0x4bf3fc SetPixel

• 0x4bf400 SetEnhMetaFileBits

• 0x4bf404 SetDIBColorTable

• 0x4bf408 SetBrushOrgEx

• 0x4bf40c SetBkMode

• 0x4bf410 SetBkColor

• 0x4bf414 SelectPalette

• 0x4bf418 SelectObject

• 0x4bf41c SelectClipRgn

• 0x4bf420 SaveDC

• 0x4bf424 RestoreDC

• 0x4bf428 Rectangle

• 0x4bf42c RectVisible

• 0x4bf430 RealizePalette

• 0x4bf434 Polyline

• 0x4bf438 PlayEnhMetaFile

• 0x4bf43c PatBlt

• 0x4bf440 MoveToEx

• 0x4bf444 MaskBlt

• 0x4bf448 LineTo

• 0x4bf44c IntersectClipRect

• 0x4bf450 GetWindowOrgEx

• 0x4bf454 GetWinMetaFileBits

• 0x4bf458 GetTextMetricsA

• 0x4bf45c GetTextExtentPoint32A

• 0x4bf460 GetSystemPaletteEntries

• 0x4bf464 GetStockObject

• 0x4bf468 GetRgnBox

• 0x4bf46c GetPixel

• 0x4bf470 GetPaletteEntries

• 0x4bf474 GetObjectA

• 0x4bf478 GetEnhMetaFilePaletteEntries

• 0x4bf47c GetEnhMetaFileHeader

• 0x4bf480 GetEnhMetaFileBits

• 0x4bf484 GetDeviceCaps

• 0x4bf488 GetDIBits

• 0x4bf48c GetDIBColorTable

• 0x4bf490 GetDCOrgEx

• 0x4bf494 GetCurrentPositionEx

• 0x4bf498 GetClipBox

• 0x4bf49c GetBrushOrgEx

• 0x4bf4a0 GetBitmapBits

• 0x4bf4a4 ExcludeClipRect

• 0x4bf4a8 EndPage

• 0x4bf4ac EndDoc

• 0x4bf4b0 DeleteObject

• 0x4bf4b4 DeleteEnhMetaFile

• 0x4bf4b8 DeleteDC

• 0x4bf4bc CreateSolidBrush

• 0x4bf4c0 CreateRectRgn

• 0x4bf4c4 CreatePenIndirect

• 0x4bf4c8 CreatePen

• 0x4bf4cc CreatePalette

• 0x4bf4d0 CreateICA

• 0x4bf4d4 CreateHalftonePalette

• 0x4bf4d8 CreateFontIndirectA

• 0x4bf4dc CreateDIBitmap

• 0x4bf4e0 CreateDIBSection

• 0x4bf4e4 CreateDCA

• 0x4bf4e8 CreateCompatibleDC

• 0x4bf4ec CreateCompatibleBitmap

• 0x4bf4f0 CreateBrushIndirect

• 0x4bf4f4 CreateBitmap

• 0x4bf4f8 CopyEnhMetaFileA

• 0x4bf4fc CombineRgn

• 0x4bf500 BitBlt

Library opengl32.dll:

• 0x4bf508 wglDeleteContext

Library user32.dll:

• 0x4bf510 CreateWindowExA

• 0x4bf514 WindowFromPoint

• 0x4bf518 WinHelpA

• 0x4bf51c WaitMessage

• 0x4bf520 ValidateRect

• 0x4bf524 UpdateWindow

• 0x4bf528 UnregisterClassA

• 0x4bf52c UnhookWindowsHookEx

• 0x4bf530 TranslateMessage

• 0x4bf534 TranslateMDISysAccel

• 0x4bf538 TrackPopupMenu

• 0x4bf53c SystemParametersInfoA

• 0x4bf540 ShowWindow

• 0x4bf544 ShowScrollBar

• 0x4bf548 ShowOwnedPopups

• 0x4bf54c ShowCursor

• 0x4bf550 SetWindowsHookExA

• 0x4bf554 SetWindowTextA

• 0x4bf558 SetWindowPos

• 0x4bf55c SetWindowPlacement

• 0x4bf560 SetWindowLongA

• 0x4bf564 SetTimer

• 0x4bf568 SetScrollRange

• 0x4bf56c SetScrollPos

• 0x4bf570 SetScrollInfo

• 0x4bf574 SetRect

• 0x4bf578 SetPropA

• 0x4bf57c SetParent

• 0x4bf580 SetMenuItemInfoA

• 0x4bf584 SetMenu

• 0x4bf588 SetForegroundWindow

• 0x4bf58c SetFocus

• 0x4bf590 SetCursor

• 0x4bf594 SetClassLongA

• 0x4bf598 SetCapture

• 0x4bf59c SetActiveWindow

• 0x4bf5a0 SendMessageA

• 0x4bf5a4 ScrollWindow

• 0x4bf5a8 ScreenToClient

• 0x4bf5ac RemovePropA

• 0x4bf5b0 RemoveMenu

• 0x4bf5b4 ReleaseDC

• 0x4bf5b8 ReleaseCapture

• 0x4bf5bc RegisterWindowMessageA

• 0x4bf5c0 RegisterClipboardFormatA

• 0x4bf5c4 RegisterClassA

• 0x4bf5c8 RedrawWindow

• 0x4bf5cc PtInRect

• 0x4bf5d0 PostQuitMessage

• 0x4bf5d4 PostMessageA

• 0x4bf5d8 PeekMessageA

• 0x4bf5dc OffsetRect

• 0x4bf5e0 OemToCharA

• 0x4bf5e4 MsgWaitForMultipleObjects

• 0x4bf5e8 MessageBoxA

• 0x4bf5ec MapWindowPoints

• 0x4bf5f0 MapVirtualKeyA

• 0x4bf5f4 LoadStringA

• 0x4bf5f8 LoadKeyboardLayoutA

• 0x4bf5fc LoadIconA

• 0x4bf600 LoadCursorA

• 0x4bf604 LoadBitmapA

• 0x4bf608 KillTimer

• 0x4bf60c IsZoomed

• 0x4bf610 IsWindowVisible

• 0x4bf614 IsWindowEnabled

• 0x4bf618 IsWindow

• 0x4bf61c IsRectEmpty

• 0x4bf620 IsIconic

• 0x4bf624 IsDialogMessageA

• 0x4bf628 IsChild

• 0x4bf62c InvalidateRect

• 0x4bf630 IntersectRect

• 0x4bf634 InsertMenuItemA

• 0x4bf638 InsertMenuA

• 0x4bf63c InflateRect

• 0x4bf640 GetWindowThreadProcessId

• 0x4bf644 GetWindowTextA

• 0x4bf648 GetWindowRect

• 0x4bf64c GetWindowPlacement

• 0x4bf650 GetWindowLongA

• 0x4bf654 GetWindowDC

• 0x4bf658 GetTopWindow

• 0x4bf65c GetSystemMetrics

• 0x4bf660 GetSystemMenu

• 0x4bf664 GetSysColorBrush

• 0x4bf668 GetSysColor

• 0x4bf66c GetSubMenu

• 0x4bf670 GetScrollRange

• 0x4bf674 GetScrollPos

• 0x4bf678 GetScrollInfo

• 0x4bf67c GetPropA

• 0x4bf680 GetParent

• 0x4bf684 GetWindow

• 0x4bf688 GetMenuStringA

• 0x4bf68c GetMenuState

• 0x4bf690 GetMenuItemInfoA

• 0x4bf694 GetMenuItemID

• 0x4bf698 GetMenuItemCount

• 0x4bf69c GetMenu

• 0x4bf6a0 GetLastActivePopup

• 0x4bf6a4 GetKeyboardState

• 0x4bf6a8 GetKeyboardLayoutList

• 0x4bf6ac GetKeyboardLayout

• 0x4bf6b0 GetKeyState

• 0x4bf6b4 GetKeyNameTextA

• 0x4bf6b8 GetIconInfo

• 0x4bf6bc GetForegroundWindow

• 0x4bf6c0 GetFocus

• 0x4bf6c4 GetDlgItem

• 0x4bf6c8 GetDesktopWindow

• 0x4bf6cc GetDCEx

• 0x4bf6d0 GetDC

• 0x4bf6d4 GetCursorPos

• 0x4bf6d8 GetCursor

• 0x4bf6dc GetClipboardData

• 0x4bf6e0 GetClientRect

• 0x4bf6e4 GetClassNameA

• 0x4bf6e8 GetClassInfoA

• 0x4bf6ec GetCapture

• 0x4bf6f0 GetActiveWindow

• 0x4bf6f4 FrameRect

• 0x4bf6f8 FindWindowA

• 0x4bf6fc FillRect

• 0x4bf700 EqualRect

• 0x4bf704 EnumWindows

• 0x4bf708 EnumThreadWindows

• 0x4bf70c EndPaint

• 0x4bf710 EndDeferWindowPos

• 0x4bf714 EnableWindow

• 0x4bf718 EnableScrollBar

• 0x4bf71c EnableMenuItem

• 0x4bf720 DrawTextA

• 0x4bf724 DrawMenuBar

• 0x4bf728 DrawIconEx

• 0x4bf72c DrawIcon

• 0x4bf730 DrawFrameControl

• 0x4bf734 DrawEdge

• 0x4bf738 DispatchMessageA

• 0x4bf73c DestroyWindow

• 0x4bf740 DestroyMenu

• 0x4bf744 DestroyIcon

• 0x4bf748 DestroyCursor

• 0x4bf74c DeleteMenu

• 0x4bf750 DeferWindowPos

• 0x4bf754 DefWindowProcA

• 0x4bf758 DefMDIChildProcA

• 0x4bf75c DefFrameProcA

• 0x4bf760 CreatePopupMenu

• 0x4bf764 CreateMenu

• 0x4bf768 CreateIcon

• 0x4bf76c ClientToScreen

• 0x4bf770 CheckMenuItem

• 0x4bf774 CallWindowProcA

• 0x4bf778 CallNextHookEx

• 0x4bf77c BeginPaint

• 0x4bf780 BeginDeferWindowPos

• 0x4bf784 CharNextA

• 0x4bf788 CharLowerBuffA

• 0x4bf78c CharLowerA

• 0x4bf790 CharUpperBuffA

• 0x4bf794 CharToOemA

• 0x4bf798 AdjustWindowRectEx

• 0x4bf79c ActivateKeyboardLayout

Library kernel32.dll:

• 0x4bf7a4 Sleep

Library oleaut32.dll:

• 0x4bf7ac SafeArrayPtrOfIndex

• 0x4bf7b0 SafeArrayPutElement

• 0x4bf7b4 SafeArrayGetElement

• 0x4bf7b8 SafeArrayUnaccessData

• 0x4bf7bc SafeArrayAccessData

• 0x4bf7c0 SafeArrayGetUBound

• 0x4bf7c4 SafeArrayGetLBound

• 0x4bf7c8 SafeArrayCreate

• 0x4bf7cc VariantChangeType

• 0x4bf7d0 VariantCopyInd

• 0x4bf7d4 VariantCopy

• 0x4bf7d8 VariantClear

• 0x4bf7dc VariantInit

Library ole32.dll:

• 0x4bf7e4 CoUninitialize

• 0x4bf7e8 CoInitialize

Library oleaut32.dll:

• 0x4bf7f0 GetErrorInfo

• 0x4bf7f4 SysFreeString

Library comctl32.dll:

• 0x4bf7fc ImageList_SetIconSize

• 0x4bf800 ImageList_GetIconSize

• 0x4bf804 ImageList_Write

• 0x4bf808 ImageList_Read

• 0x4bf80c ImageList_GetDragImage

• 0x4bf810 ImageList_DragShowNolock

• 0x4bf814 ImageList_SetDragCursorImage

• 0x4bf818 ImageList_DragMove

• 0x4bf81c ImageList_DragLeave

• 0x4bf820 ImageList_DragEnter

• 0x4bf824 ImageList_EndDrag

• 0x4bf828 ImageList_BeginDrag

• 0x4bf82c ImageList_Remove

• 0x4bf830 ImageList_DrawEx

• 0x4bf834 ImageList_Replace

• 0x4bf838 ImageList_Draw

• 0x4bf83c ImageList_GetBkColor

• 0x4bf840 ImageList_SetBkColor

• 0x4bf844 ImageList_ReplaceIcon

• 0x4bf848 ImageList_Add

• 0x4bf84c ImageList_GetImageCount

• 0x4bf850 ImageList_Destroy

• 0x4bf854 ImageList_Create

• 0x4bf858 InitCommonControls

Library winspool.drv:

• 0x4bf860 OpenPrinterA

• 0x4bf864 EnumPrintersA

• 0x4bf868 DocumentPropertiesA

• 0x4bf86c ClosePrinter

Library comdlg32.dll:

• 0x4bf874 PrintDlgA

• 0x4bf878 GetSaveFileNameA

• 0x4bf87c GetOpenFileNameA

Library user32.dll:

• 0x4bf884 DdeCmpStringHandles

• 0x4bf888 DdeFreeStringHandle

• 0x4bf88c DdeQueryStringA

• 0x4bf890 DdeCreateStringHandleA

• 0x4bf894 DdeGetLastError

• 0x4bf898 DdeFreeDataHandle

• 0x4bf89c DdeUnaccessData

• 0x4bf8a0 DdeAccessData

• 0x4bf8a4 DdeCreateDataHandle

• 0x4bf8a8 DdeClientTransaction

• 0x4bf8ac DdeNameService

• 0x4bf8b0 DdePostAdvise

• 0x4bf8b4 DdeSetUserHandle

• 0x4bf8b8 DdeQueryConvInfo

• 0x4bf8bc DdeDisconnect

• 0x4bf8c0 DdeConnect

• 0x4bf8c4 DdeUninitialize

• 0x4bf8c8 DdeInitializeA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com A 216.58.200.238	172.217.24.14
redirector.gvt1.com	A 203.208.41.33	203.208.41.97
update.googleapis.com	A 203.208.41.98	203.208.41.34
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49257	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49258	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49256	203.208.41.33 redirector.gvt1.com	80
192.168.56.101	49244	203.208.41.98 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	54260	114.114.114.114	53
192.168.56.101	54991	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58070	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619370015&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619370015&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d8598f06905cfa57&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619370015&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d8598f06905cfa57&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619370015&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com

URI

Data

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619370015&mv=m&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619370015&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d8598f06905cfa57&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619370015&mv=m

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d8598f06905cfa57&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619370015&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.