13.0
0-day
e8adeee1736ee068f79284077ec905137051eaed11f0be53cc1977f30edb3102
40832b4f4baf8eeec5461044c71357f0.exe
Analysis duration: 99s
Last analysis:
File size: 555.0KB
Static detection | Dynamic detection
Eagle Eye engine: Not detected (no Eagle Eye engine detection result yet)
Static verdict
Antivirus engines: Not detected (no antivirus engine detection result yet)
Static indicators
Queries for the computername (9 events)
Time | API | Arguments | Status | Return | Repeated
1619402157.89925 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619402159.32125 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619402159.78925 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619402159.78925 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619402159.78925 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619402159.78925 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619402161.44625 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619402162.27425 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619402162.44625 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
Checks if process is being debugged by a debugger (2 events)
Time | API | Arguments | Status | Return | Repeated
1619402154.30525 | IsDebuggerPresent | | failed | 0 | 0
1619402154.30525 | IsDebuggerPresent | | failed | 0 | 0
Tries to locate where the browsers are installed (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time | API | Arguments | Status | Return | Repeated
1619402129.352125 | GlobalMemoryStatusEx | | success | 1 | 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .ndata
One or more processes crashed (50 out of 33315 events)
Time | API | Arguments | Status | Return | Repeated
1619402130.055125
__exception__
stacktrace:
Store+0x15a Free-0x39b system+0x123a @ 0x7451123a
registers.esp: 1637024
registers.edi: 9519120
registers.eax: 9538408
registers.ebp: 1637072
registers.edx: 0
registers.ebx: 0
registers.esi: 9519112
registers.ecx: 0
exception.instruction_r: 8a 11 3a d3 74 0f 88 10 40 89 45 e4 41 89 4d e0
exception.symbol: lstrcpyn+0x27 lstrlen-0x59 kernelbase+0xa2d7
exception.instruction: mov dl, byte ptr [ecx]
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000005
exception.offset: 41687
exception.address: 0x778ea2d7
success 0 0
1619402130.055125
__exception__
stacktrace:
Int64Op+0xcfb system+0x2536 @ 0x74512536
registers.esp: 1636952
registers.edi: 9486104
registers.eax: 9486104
registers.ebp: 1637000
registers.edx: 3
registers.ebx: 0
registers.esi: 9519120
registers.ecx: 0
exception.instruction_r: 8a 11 3a d3 74 0f 88 10 40 89 45 e4 41 89 4d e0
exception.symbol: lstrcpyn+0x27 lstrlen-0x59 kernelbase+0xa2d7
exception.instruction: mov dl, byte ptr [ecx]
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000005
exception.offset: 41687
exception.address: 0x778ea2d7
success 0 0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 203 events)
Time | API | Arguments | Status | Return | Repeated
1619402130.039125
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74514000
success 0 0
1619402149.071125
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02130000
success 0 0
1619402149.086125
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 86016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02fc0000
success 0 0
1619402151.055125
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02180000
success 0 0
1619402153.83625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01e20000
success 0 0
1619402153.83625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f60000
success 0 0
1619402154.16425
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02050000
success 0 0
1619402154.16425
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02190000
success 0 0
1619402154.19625
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73971000
success 0 0
1619402154.30525
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01e30000
success 0 0
1619402154.30525
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01ec0000
success 0 0
1619402154.30525
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0049a000
success 0 0
1619402154.30525
NtProtectVirtualMemory
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73972000
success 0 0
1619402154.30525
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00492000
success 0 0
1619402154.69625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a2000
success 0 0
1619402154.75825
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c5000
success 0 0
1619402154.77425
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004cb000
success 0 0
1619402154.77425
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c7000
success 0 0
1619402154.94625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02191000
success 0 0
1619402154.97725
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02192000
success 0 0
1619402155.07125
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0049c000
success 0 0
1619402155.08625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a3000
success 0 0
1619402155.08625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a4000
success 0 0
1619402155.10225
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02193000
success 0 0
1619402155.19625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ac000
success 0 0
1619402155.19625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a5000
success 0 0
1619402155.19625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02194000
success 0 0
1619402155.19625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02195000
success 0 0
1619402155.19625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02196000
success 0 0
1619402155.28925
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ad0000
success 0 0
1619402155.28925
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ad1000
success 0 0
1619402155.32125
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ad3000
success 0 0
1619402155.33625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a6000
success 0 0
1619402155.33625
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ad5000
success 0 0
1619402155.35225
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ad6000
success 0 0
1619402155.35225
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ad7000
success 0 0
1619402155.41425
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ad8000
success 0 0
1619402155.49225
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a7000
success 0 0
1619402155.49225
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ad9000
success 0 0
1619402155.49225
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ada000
success 0 0
1619402155.49225
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04adb000
success 0 0
1619402155.50825
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a8000
success 0 0
1619402155.50825
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04adc000
success 0 0
1619402155.52425
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04add000
success 0 0
1619402155.52425
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ade000
success 0 0
1619402155.52425
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04adf000
success 0 0
1619402155.52425
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04280000
success 0 0
1619402155.52425
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a9000
success 0 0
1619402155.53925
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04281000
success 0 0
1619402156.21125
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04250000
success 0 0
Steals private information from local Internet browsers (8 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies.bak
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\History.bak
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\History
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nso8D68.tmp\System.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\leanto.dll
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\leanto.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nso8D68.tmp\System.dll
Executes one or more WMI queries (6 events)
wmi select * from Win32_VideoController
wmi associators of {Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where AssocClass = Win32_LogicalDiskToPartition
wmi associators of {Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where AssocClass = Win32_LogicalDiskToPartition
wmi associators of {Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where AssocClass = Win32_DiskDriveToDiskPartition
wmi select * from Win32_DiskDrive
wmi select * from Win32_Processor
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619402161.00825
GetAdaptersAddresses
flags: 1158
family: 0
success 0 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619402158.22725
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Queries for potentially installed applications (13 events)
Time & API Arguments Status Return Repeated
1619402157.91425
RegOpenKeyExW
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x0000029c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
options: 0
success 0 0
1619402157.91425
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: AddressBook
options: 0
success 0 0
1619402157.96125
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: Connection Manager
options: 0
success 0 0
1619402157.96125
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: DirectDrawEx
options: 0
success 0 0
1619402157.96125
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: Fontcore
options: 0
success 0 0
1619402157.96125
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: Google Chrome
options: 0
success 0 0
1619402158.00825
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: IE40
options: 0
success 0 0
1619402158.00825
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
regkey_r: IE4Data
options: 0
success 0 0
1619402158.00825
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
regkey_r: IE5BAKEX
options: 0
success 0 0
1619402158.00825
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData
regkey_r: IEData
options: 0
success 0 0
1619402158.00825
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
regkey_r: MobileOptionPack
options: 0
success 0 0
1619402158.00825
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
regkey_r: SchedulingAgent
options: 0
success 0 0
1619402158.00825
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000029c
key_handle: 0x000002bc
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC
regkey_r: WIC
options: 0
success 0 0
Executes one or more WMI queries which can be used to identify virtual machines (4 events)
wmi select * from Win32_Processor
wmi associators of {Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where AssocClass = Win32_LogicalDiskToPartition
wmi associators of {Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where AssocClass = Win32_LogicalDiskToPartition
wmi associators of {Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where AssocClass = Win32_DiskDriveToDiskPartition
Network Communication
Communicates with host for which no DNS query was performed (1 event)
host 203.208.41.98
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619402153.586125
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Harvests information related to installed instant messenger clients (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $Zr6ŒXßXßXßÚ֕ßXßÚ֖ßxXßÚ֗ß8XßAËßXßYßBXßâdáßXß9ՋßXß9ՑßXß9ՔßXßRichXßPEL7Z…\à  ´š«Ð@€@pød@àPü ò@Ð,.textj²´ `.rdata/Ð0¸@@.data8:è@À.rsrcà@@@.reloc*+P,@B
process_handle: 0x000001f0
base_address: 0x00400000
success 1 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $Zr6ŒXßXßXßÚ֕ßXßÚ֖ßxXßÚ֗ß8XßAËßXßYßBXßâdáßXß9ՋßXß9ՑßXß9ՔßXßRichXßPEL7Z…\
process_handle: 0x000001f0
base_address: 0x00400000
failed 0 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer: €0€ H`@}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x000001f0
base_address: 0x00454000
success 1 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer: @
process_handle: 0x000001f0
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $Zr6ŒXßXßXßÚ֕ßXßÚ֖ßxXßÚ֗ß8XßAËßXßYßBXßâdáßXß9ՋßXß9ՑßXß9ՔßXßRichXßPEL7Z…\à  ´š«Ð@€@pød@àPü ò@Ð,.textj²´ `.rdata/Ð0¸@@.data8:è@À.rsrcà@@@.reloc*+P,@B
process_handle: 0x000001f0
base_address: 0x00400000
success 1 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $Zr6ŒXßXßXßÚ֕ßXßÚ֖ßxXßÚ֗ß8XßAËßXßYßBXßâdáßXß9ՋßXß9ՑßXß9ՔßXßRichXßPEL7Z…\
process_handle: 0x000001f0
base_address: 0x00400000
failed 0 0
Collects information about installed applications (1 event)
Time & API Arguments Status Return Repeated
1619402157.96125
RegQueryValueExW
key_handle: 0x000002bc
value: Google Chrome
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
success 0 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 1804 called NtSetContextThread to modify thread in remote process 2248
Time & API Arguments Status Return Repeated
1619402153.586125
NtSetContextThread
thread_handle: 0x000001e8
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4201387
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2248
success 0 0
Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Exodus\exodus.wallet
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 1804 resumed a thread in remote process 2248
Time & API Arguments Status Return Repeated
1619402153.617125
NtResumeThread
thread_handle: 0x000001e8
suspend_count: 1
process_identifier: 2248
success 0 0
Executed a process and injected code into it, probably while unpacking (39 events)
Time & API Arguments Status Return Repeated
1619402153.586125
CreateProcessInternalW
thread_identifier: 2268
thread_handle: 0x000001e8
process_identifier: 2248
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\40832b4f4baf8eeec5461044c71357f0.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000001f0
inherit_handles: 1
success 1 0
1619402153.586125
NtGetContextThread
thread_handle: 0x000001e8
success 0 0
1619402153.586125
NtUnmapViewOfSection
process_identifier: 2248
region_size: 4096
process_handle: 0x000001f0
base_address: 0x00400000
success 0 0
1619402153.586125
NtAllocateVirtualMemory
process_identifier: 2248
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $Zr6ŒXßXßXßÚ֕ßXßÚ֖ßxXßÚ֗ß8XßAËßXßYßBXßâdáßXß9ՋßXß9ՑßXß9ՔßXßRichXßPEL7Z…\à  ´š«Ð@€@pød@àPü ò@Ð,.textj²´ `.rdata/Ð0¸@@.data8:è@À.rsrcà@@@.reloc*+P,@B
process_handle: 0x000001f0
base_address: 0x00400000
success 1 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $Zr6ŒXßXßXßÚ֕ßXßÚ֖ßxXßÚ֗ß8XßAËßXßYßBXßâdáßXß9ՋßXß9ՑßXß9ՔßXßRichXßPEL7Z…\
process_handle: 0x000001f0
base_address: 0x00400000
failed 0 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer:
process_handle: 0x000001f0
base_address: 0x00455000
success 1 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer: €0€ H`@}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x000001f0
base_address: 0x00454000
success 1 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer:
process_handle: 0x000001f0
base_address: 0x00410000
success 1 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer:
process_handle: 0x000001f0
base_address: 0x0040d000
success 1 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer:
process_handle: 0x000001f0
base_address: 0x00401000
success 1 0
1619402153.586125
WriteProcessMemory
process_identifier: 2248
buffer: @
process_handle: 0x000001f0
base_address: 0x7efde008
success 1 0
1619402153.586125
NtSetContextThread
thread_handle: 0x000001e8
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4201387
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2248
success 0 0
1619402153.617125
NtResumeThread
thread_handle: 0x000001e8
suspend_count: 1
process_identifier: 2248
success 0 0
1619402154.30525
NtResumeThread
thread_handle: 0x00000114
suspend_count: 1
process_identifier: 2248
success 0 0
1619402154.32125
NtResumeThread
thread_handle: 0x00000164
suspend_count: 1
process_identifier: 2248
success 0 0
1619402154.33625
NtResumeThread
thread_handle: 0x000001a8
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.88325
NtResumeThread
thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.88325
NtResumeThread
thread_handle: 0x00000210
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.89925
NtResumeThread
thread_handle: 0x00000248
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.89925
NtResumeThread
thread_handle: 0x00000270
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.91425
NtResumeThread
thread_handle: 0x00000294
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.91425
NtResumeThread
thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.91425
NtResumeThread
thread_handle: 0x000002d0
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.93025
NtResumeThread
thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.93025
NtResumeThread
thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.93025
NtResumeThread
thread_handle: 0x00000310
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.93025
NtResumeThread
thread_handle: 0x00000324
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.94625
NtResumeThread
thread_handle: 0x00000338
suspend_count: 1
process_identifier: 2248
success 0 0
1619402157.94625
NtResumeThread
thread_handle: 0x0000034c
suspend_count: 1
process_identifier: 2248
success 0 0
1619402159.10225
NtResumeThread
thread_handle: 0x000003c8
suspend_count: 1
process_identifier: 2248
success 0 0
1619402159.11725
NtResumeThread
thread_handle: 0x000003d4
suspend_count: 1
process_identifier: 2248
success 0 0
1619402159.13325
NtResumeThread
thread_handle: 0x000003f0
suspend_count: 1
process_identifier: 2248
success 0 0
1619402159.19625
NtResumeThread
thread_handle: 0x00000440
suspend_count: 1
process_identifier: 2248
success 0 0
1619402159.30525
NtResumeThread
thread_handle: 0x00000464
suspend_count: 1
process_identifier: 2248
success 0 0
1619402159.32125
NtResumeThread
thread_handle: 0x00000478
suspend_count: 1
process_identifier: 2248
success 0 0
1619402159.57125
NtResumeThread
thread_handle: 0x000004a0
suspend_count: 1
process_identifier: 2248
success 0 0
1619402159.68025
NtResumeThread
thread_handle: 0x000004bc
suspend_count: 1
process_identifier: 2248
success 0 0
1619402167.22725
NtResumeThread
thread_handle: 0x000005b4
suspend_count: 1
process_identifier: 2248
success 0 0
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
Visual Analysis
Binary Image
No binary image: the sample did not generate a binary visualization image
Runtime Screenshots
No runtime screenshots: no screenshots were generated while the sample ran

PE Compile Time

2016-04-04 04:20:49

Imports

Library KERNEL32.dll:
0x408070 GetCurrentProcess
0x408074 SetFileAttributesA
0x408078 Sleep
0x40807c GetTickCount
0x408080 CreateFileA
0x408084 GetFileSize
0x408088 GetModuleFileNameA
0x408090 GetFileAttributesA
0x408094 CopyFileA
0x408098 ExitProcess
0x4080a4 GetTempPathA
0x4080a8 GetCommandLineA
0x4080ac lstrlenA
0x4080b0 ReadFile
0x4080b4 GetLastError
0x4080b8 lstrcpynA
0x4080bc GetDiskFreeSpaceA
0x4080c0 GlobalUnlock
0x4080c4 GlobalLock
0x4080c8 CreateThread
0x4080cc CreateDirectoryA
0x4080d0 CreateProcessA
0x4080d4 RemoveDirectoryA
0x4080d8 GetTempFileNameA
0x4080dc WriteFile
0x4080e0 lstrcpyA
0x4080e4 MoveFileExA
0x4080e8 lstrcatA
0x4080ec GetSystemDirectoryA
0x4080f0 GetProcAddress
0x4080f4 CloseHandle
0x4080f8 lstrcmpiA
0x4080fc MoveFileA
0x408100 GetFullPathNameA
0x408104 GetShortPathNameA
0x408108 SearchPathA
0x40810c CompareFileTime
0x408110 SetFileTime
0x408114 lstrcmpA
0x40811c SetErrorMode
0x408120 GetVersion
0x408124 GlobalFree
0x408128 DeleteFileA
0x40812c FindFirstFileA
0x408130 FindNextFileA
0x408134 FindClose
0x408138 SetFilePointer
0x408144 MultiByteToWideChar
0x408148 FreeLibrary
0x40814c MulDiv
0x408150 LoadLibraryExA
0x408154 GetModuleHandleA
0x408158 GetExitCodeProcess
0x40815c WaitForSingleObject
0x408160 GlobalAlloc
Library USER32.dll:
0x408184 GetSystemMenu
0x408188 SetClassLongA
0x40818c IsWindowEnabled
0x408190 EnableMenuItem
0x408194 SetWindowPos
0x408198 GetSysColor
0x40819c GetWindowLongA
0x4081a0 SetCursor
0x4081a4 LoadCursorA
0x4081a8 CheckDlgButton
0x4081ac GetAsyncKeyState
0x4081b0 IsDlgButtonChecked
0x4081b4 GetMessagePos
0x4081b8 LoadBitmapA
0x4081bc CallWindowProcA
0x4081c0 IsWindowVisible
0x4081c4 CloseClipboard
0x4081c8 SetClipboardData
0x4081cc EmptyClipboard
0x4081d0 ScreenToClient
0x4081d4 GetWindowRect
0x4081d8 GetDlgItem
0x4081dc CreatePopupMenu
0x4081e0 GetSystemMetrics
0x4081e4 SetDlgItemTextA
0x4081e8 GetDlgItemTextA
0x4081ec MessageBoxIndirectA
0x4081f0 CharPrevA
0x4081f4 wvsprintfA
0x4081f8 DispatchMessageA
0x4081fc PeekMessageA
0x408200 GetDC
0x408204 ReleaseDC
0x408208 EnableWindow
0x40820c InvalidateRect
0x408210 SendMessageA
0x408214 DefWindowProcA
0x408218 BeginPaint
0x40821c GetClientRect
0x408220 FillRect
0x408224 EndDialog
0x408228 RegisterClassA
0x408230 CreateWindowExA
0x408234 GetClassInfoA
0x408238 DialogBoxParamA
0x40823c LoadImageA
0x408240 ExitWindowsEx
0x408244 DestroyWindow
0x408248 CreateDialogParamA
0x40824c SetWindowTextA
0x408250 PostQuitMessage
0x408254 SetWindowLongA
0x408258 ShowWindow
0x40825c wsprintfA
0x408260 SendMessageTimeoutA
0x408264 FindWindowExA
0x408268 IsWindow
0x40826c TrackPopupMenu
0x408270 OpenClipboard
0x408274 AppendMenuA
0x408278 DrawTextA
0x40827c EndPaint
0x408280 CharNextA
0x408284 SetForegroundWindow
0x408288 SetTimer
Library GDI32.dll:
0x40804c SelectObject
0x408050 SetTextColor
0x408054 SetBkMode
0x408058 CreateFontIndirectA
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 GetDeviceCaps
0x408068 SetBkColor
Library SHELL32.dll:
0x408170 SHBrowseForFolderA
0x408174 SHGetFileInfoA
0x408178 ShellExecuteA
0x40817c SHFileOperationA
Library ADVAPI32.dll:
0x408000 RegDeleteKeyA
0x408004 SetFileSecurityA
0x408008 OpenProcessToken
0x408014 RegOpenKeyExA
0x408018 RegEnumValueA
0x40801c RegDeleteValueA
0x408020 RegCloseKey
0x408024 RegCreateKeyExA
0x408028 RegSetValueExA
0x40802c RegQueryValueExA
0x408030 RegEnumKeyA
Library COMCTL32.dll:
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040
0x408044 ImageList_Destroy
Library ole32.dll:
0x408290 OleUninitialize
0x408294 OleInitialize
0x408298 CoTaskMemFree
0x40829c CoCreateInstance

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.