SmartHawk

12.8

0-day

58 个模型检测该样本为恶意！

重新分析

下载样本

f28117cacfadab566b4b8f7e27b23d25f9b7cdc1428bcde1a0d4e473340efe6a

49df10de56b437cc7c7f431d9c745974.exe

分析耗时

387s

最近分析

文件大小

950.0KB

静态报毒动态报毒 100% 7GW@A0JKB6GI AGENTTESLA AI SCORE=86 ALI2000015 CLASSIC COINMINERX CONFIDENCE DELF DELFINJECT DELPHILESS EMOY FAREIT HIGH CONFIDENCE HNGRBE HPLOKI IC7FPMYVIPM KCLOUD KRYPTIK LOKIBOT MALWARE@#22V0GGN45GGOS MUMOB PGDR SCORE SMBD STATIC AI SUSGEN SUSPICIOUS PE TSCOPE TSPY UNSAFE UROR X2085 ZELPHIF ZUSY 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/DelfInject.ali2000015	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Kingsoft	Win32.Troj.Undef.(kcloud)	20201228	2017.9.26.565
McAfee	Fareit-FVZ!49DF10DE56B4	20201228	6.0.6.653
Tencent	Win32.Trojan.Kryptik.Pgdr	20201228	1.0.0.1
Avast	Win32:CoinminerX-gen [Trj]	20201228	21.1.5827.0
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 个事件)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (50 out of 86 个事件)

Time & API	Arguments	Status
1619464071.093875 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 35258180 registers.edi: 0 registers.eax: 0 registers.ebp: 35258248 registers.edx: 7 registers.ebx: 0 registers.esi: 0 registers.ecx: 62 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: 49df10de56b437cc7c7f431d9c745974+0x8ddba exception.instruction: div eax exception.module: 49df10de56b437cc7c7f431d9c745974.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619464072.812625 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50003780 registers.edi: 0 registers.eax: 0 registers.ebp: 50003848 registers.edx: 7 registers.ebx: 0 registers.esi: 0 registers.ecx: 812 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619464088.421625 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73a4e97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73a4ea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73a4b25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73a4b4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73a4ac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73a4aed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73a45511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73a4559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74107f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74104de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 232 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 232 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe741485	success
1619464075.141125 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 49151812 registers.edi: 0 registers.eax: 0 registers.ebp: 49151880 registers.edx: 7 registers.ebx: 0 registers.esi: 0 registers.ecx: 140 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507557.865501 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50331460 registers.edi: 0 registers.eax: 0 registers.ebp: 50331528 registers.edx: 12 registers.ebx: 0 registers.esi: 0 registers.ecx: 866 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507560.193876 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x739fe97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x739fea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x739fb25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x739fb4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x739fac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x739faed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x739f5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x739f559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x740b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x740b4de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe651485	success
1619507560.226124 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 49610564 registers.edi: 0 registers.eax: 0 registers.ebp: 49610632 registers.edx: 12 registers.ebx: 0 registers.esi: 0 registers.ecx: 225 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507562.475876 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 35979076 registers.edi: 0 registers.eax: 0 registers.ebp: 35979144 registers.edx: 12 registers.ebx: 0 registers.esi: 0 registers.ecx: 475 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507563.381999 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe5d1485	success
1619507563.365626 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48824132 registers.edi: 0 registers.eax: 0 registers.ebp: 48824200 registers.edx: 12 registers.ebx: 0 registers.esi: 0 registers.ecx: 366 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507569.115374 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34930500 registers.edi: 0 registers.eax: 0 registers.ebp: 34930568 registers.edx: 12 registers.ebx: 0 registers.esi: 0 registers.ecx: 116 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507570.460124 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7405e97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7405ea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7405b25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7405b4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7405ac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7405aed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74055511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7405559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741b4de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe6e1485	success
1619507570.475626 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 35979076 registers.edi: 0 registers.eax: 0 registers.ebp: 35979144 registers.edx: 12 registers.ebx: 0 registers.esi: 0 registers.ecx: 475 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507574.601124 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 49020740 registers.edi: 0 registers.eax: 0 registers.ebp: 49020808 registers.edx: 12 registers.ebx: 0 registers.esi: 0 registers.ecx: 600 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507580.376436 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfcb81485	success
1619507580.114812 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 49938244 registers.edi: 0 registers.eax: 0 registers.ebp: 49938312 registers.edx: 13 registers.ebx: 0 registers.esi: 0 registers.ecx: 253 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507628.086427 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 35716932 registers.edi: 0 registers.eax: 0 registers.ebp: 35717000 registers.edx: 13 registers.ebx: 0 registers.esi: 0 registers.ecx: 64 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507635.447823 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe691485	success
1619507635.465443 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48955204 registers.edi: 0 registers.eax: 0 registers.ebp: 48955272 registers.edx: 13 registers.ebx: 0 registers.esi: 0 registers.ecx: 407 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507655.497619 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34799428 registers.edi: 0 registers.eax: 0 registers.ebp: 34799496 registers.edx: 14 registers.ebx: 0 registers.esi: 0 registers.ecx: 491 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507659.23034 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe761485	success
1619507659.15538 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48889668 registers.edi: 0 registers.eax: 0 registers.ebp: 48889736 registers.edx: 14 registers.ebx: 0 registers.esi: 0 registers.ecx: 164 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507677.190971 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34930500 registers.edi: 0 registers.eax: 0 registers.ebp: 34930568 registers.edx: 14 registers.ebx: 0 registers.esi: 0 registers.ecx: 213 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507678.469804 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe791485	success
1619507678.272126 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34996036 registers.edi: 0 registers.eax: 0 registers.ebp: 34996104 registers.edx: 14 registers.ebx: 0 registers.esi: 0 registers.ecx: 286 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507685.220941 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 35061572 registers.edi: 0 registers.eax: 0 registers.ebp: 35061640 registers.edx: 14 registers.ebx: 0 registers.esi: 0 registers.ecx: 238 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507689.72097 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe681485	success
1619507689.727856 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34930500 registers.edi: 0 registers.eax: 0 registers.ebp: 34930568 registers.edx: 14 registers.ebx: 0 registers.esi: 0 registers.ecx: 753 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507695.663068 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 49151812 registers.edi: 0 registers.eax: 0 registers.ebp: 49151880 registers.edx: 14 registers.ebx: 0 registers.esi: 0 registers.ecx: 688 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507697.796068 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfcb51485	success
1619507697.524968 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34275140 registers.edi: 0 registers.eax: 0 registers.ebp: 34275208 registers.edx: 14 registers.ebx: 0 registers.esi: 0 registers.ecx: 556 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507704.827643 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34275140 registers.edi: 0 registers.eax: 0 registers.ebp: 34275208 registers.edx: 15 registers.ebx: 0 registers.esi: 0 registers.ecx: 852 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507708.491743 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe6a1485	success
1619507708.233681 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34930500 registers.edi: 0 registers.eax: 0 registers.ebp: 34930568 registers.edx: 15 registers.ebx: 0 registers.esi: 0 registers.ecx: 280 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507716.921433 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48758596 registers.edi: 0 registers.eax: 0 registers.ebp: 48758664 registers.edx: 15 registers.ebx: 0 registers.esi: 0 registers.ecx: 952 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507720.444118 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfcd51485	success
1619507720.366743 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 49545028 registers.edi: 0 registers.eax: 0 registers.ebp: 49545096 registers.edx: 15 registers.ebx: 0 registers.esi: 0 registers.ecx: 397 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507727.608931 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34996036 registers.edi: 0 registers.eax: 0 registers.ebp: 34996104 registers.edx: 15 registers.ebx: 0 registers.esi: 0 registers.ecx: 639 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507730.928118 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe6d1485	success
1619507730.812431 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48824132 registers.edi: 0 registers.eax: 0 registers.ebp: 48824200 registers.edx: 15 registers.ebx: 0 registers.esi: 0 registers.ecx: 850 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507734.193993 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 35192644 registers.edi: 0 registers.eax: 0 registers.ebp: 35192712 registers.edx: 15 registers.ebx: 0 registers.esi: 0 registers.ecx: 249 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507736.390056 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe7d1485	success
1619507736.303495 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50069316 registers.edi: 0 registers.eax: 0 registers.ebp: 50069384 registers.edx: 15 registers.ebx: 0 registers.esi: 0 registers.ecx: 381 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507747.576806 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 49217348 registers.edi: 0 registers.eax: 0 registers.ebp: 49217416 registers.edx: 15 registers.ebx: 0 registers.esi: 0 registers.ecx: 631 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507748.857806 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe8c1485	success
1619507748.928618 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34537284 registers.edi: 0 registers.eax: 0 registers.ebp: 34537352 registers.edx: 15 registers.ebx: 0 registers.esi: 0 registers.ecx: 967 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507758.780431 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 34471748 registers.edi: 0 registers.eax: 0 registers.ebp: 34471816 registers.edx: 15 registers.ebx: 0 registers.esi: 0 registers.ecx: 928 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507761.976243 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3 skype+0x40a4d @ 0x440a4d skype+0x39254 @ 0x439254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfe731485	success
1619507760.350118 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 49610564 registers.edi: 0 registers.eax: 0 registers.ebp: 49610632 registers.edx: 16 registers.ebx: 0 registers.esi: 0 registers.ecx: 381 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success
1619507768.053743 __exception__	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 35454788 registers.edi: 0 registers.eax: 0 registers.ebp: 35454856 registers.edx: 16 registers.ebx: 0 registers.esi: 0 registers.ecx: 116 exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af exception.symbol: skype+0x8ddba exception.instruction: div eax exception.module: skype.exe exception.exception_code: 0xc0000094 exception.offset: 581050 exception.address: 0x48ddba	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 930 个事件)

Time & API	Arguments	Status
1619464070.249875 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01d00000	success
1619464071.093875 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0048d000	success
1619464071.109875 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01fb0000	success
1619464072.702625 NtAllocateVirtualMemory	process_identifier: 1320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00360000	success
1619464072.812625 NtProtectVirtualMemory	process_identifier: 1320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0048d000	success
1619464072.812625 NtAllocateVirtualMemory	process_identifier: 1320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003f0000	success
1619464075.062625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1619464075.312625 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01f30000	success
1619464075.312625 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02040000	success
1619464075.312625 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x004c0000	success
1619464075.312625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 118784 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004c2000	success
1619464084.062625 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01e10000	success
1619464084.062625 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01ed0000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f22000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f22000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f22000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f22000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f22000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d4f000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f22000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f22000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f22000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f22000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f22000	success
1619464088.406625 NtProtectVirtualMemory	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619464075.125125 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d0000	success
1619464075.141125 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0048d000	success
1619464075.141125 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01ed0000	success
1619507557.865501 NtAllocateVirtualMemory	process_identifier: 3172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d0000	success
1619507557.865501 NtProtectVirtualMemory	process_identifier: 3172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0048d000	success
1619507557.881501 NtAllocateVirtualMemory	process_identifier: 3172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00790000	success
1619507560.100876 NtProtectVirtualMemory	process_identifier: 3244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1619507560.100876 NtAllocateVirtualMemory	process_identifier: 3244 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01e40000	success
1619507560.100876 NtAllocateVirtualMemory	process_identifier: 3244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01ef0000	success
1619507560.100876 NtAllocateVirtualMemory	process_identifier: 3244 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003c0000	success
1619507560.100876 NtProtectVirtualMemory	process_identifier: 3244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 118784 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x003c2000	success
1619507560.115876 NtAllocateVirtualMemory	process_identifier: 3244 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01d60000	success
1619507560.115876 NtAllocateVirtualMemory	process_identifier: 3244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01db0000	success
1619507560.162876 NtProtectVirtualMemory	process_identifier: 3244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e32000	success
1619507560.162876 NtProtectVirtualMemory	process_identifier: 3244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619507560.162876 NtProtectVirtualMemory	process_identifier: 3244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e32000	success
1619507560.162876 NtProtectVirtualMemory	process_identifier: 3244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success

A process attempted to delay the analysis task. (1 个事件)

description

skype.exe tried to sleep 165 seconds, actually delayed analysis time by 165 seconds

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.exe.vbs

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 104 个事件)

Time & API	Arguments	Status	Return
1619507557.881501 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3172	success	1
1619507557.881501 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3224	success	1
1619507560.226124 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3244	success	1
1619507560.226124 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3304	success	1
1619507560.226124 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3364	success	1
1619507560.226124 Process32NextW	process_name: is32bit.exe snapshot_handle: 0x000000f8 process_identifier: 3388	success	1
1619507562.490876 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3420	success	1
1619507562.490876 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3476	success	1
1619507563.381626 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3492	success	1
1619507563.381626 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3552	success	1
1619507563.381626 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3612	success	1
1619507563.381626 Process32NextW	process_name: is32bit.exe snapshot_handle: 0x000000f8 process_identifier: 3632	success	1
1619507569.115374 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3664	success	1
1619507569.115374 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3720	success	1
1619507570.490626 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3736	success	1
1619507570.490626 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3804	success	1
1619507570.490626 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3864	success	1
1619507570.490626 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3896	success	1
1619507574.601124 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3908	success	1
1619507574.601124 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3964	success	1
1619507580.129812 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3980	success	1
1619507580.129812 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 4052	success	1
1619507625.582812 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x00000644 process_identifier: 3464	success	1
1619507625.582812 Process32NextW	process_name: sppsvc.exe snapshot_handle: 0x00000644 process_identifier: 3568	success	1
1619507625.582812 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x00000644 process_identifier: 3488	success	1
1619507628.102427 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3680	success	1
1619507635.481443 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3800	success	1
1619507635.481443 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 1072	success	1
1619507659.17138 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 1708	success	1
1619507677.190971 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3384	success	1
1619507678.272126 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3424	success	1
1619507678.272126 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3748	success	1
1619507689.742856 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3604	success	1
1619507697.524968 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3708	success	1
1619507697.524968 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3920	success	1
1619507702.556968 Process32NextW	process_name: WMIADAP.exe snapshot_handle: 0x000001a8 process_identifier: 3684	success	1
1619507704.827643 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 4056	success	1
1619507708.233681 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3096	success	1
1619507708.233681 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 1252	success	1
1619507716.937433 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3840	success	1
1619507716.937433 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 2052	success	1
1619507720.366743 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3876	success	1
1619507720.366743 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3820	success	1
1619507727.624931 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 664	success	1
1619507727.624931 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3972	success	1
1619507730.827431 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 936	success	1
1619507730.827431 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 1268	success	1
1619507734.224993 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 2800	success	1
1619507734.224993 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 2108	success	1
1619507736.303495 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 728	success	1

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.267500802015553

section

{'size_of_data': '0x00047e00', 'virtual_address': '0x000ab000', 'entropy': 7.267500802015553, 'name': '.rsrc', 'virtual_size': '0x00047d50'}

description

A section with a high entropy has been found

entropy

0.3029504741833509

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

skype.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 58 个事件)

Time & API	Arguments	Status
1619464071.109875 Process32NextW	process_name: conhost.exe snapshot_handle: 0x000000f8 process_identifier: 2196	failed
1619464072.827625 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3044	failed
1619464099.282125 Process32NextW	process_name: skype.exe snapshot_handle: 0x0000043c process_identifier: 284	failed
1619507557.881501 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3224	failed
1619507562.335124 Process32NextW	process_name: skype.exe snapshot_handle: 0x00000148 process_identifier: 3304	failed
1619507562.490876 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3476	failed
1619507568.865626 Process32NextW	process_name: skype.exe snapshot_handle: 0x000001bc process_identifier: 3552	failed
1619507569.115374 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3720	failed
1619507574.365626 Process32NextW	process_name: skype.exe snapshot_handle: 0x00000184 process_identifier: 3804	failed
1619507574.601124 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3964	failed
1619507625.582812 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x00000644 process_identifier: 3488	failed
1619507628.102427 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3680	failed
1619507657.153443 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000390 process_identifier: 1896	failed
1619507655.497619 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 192	failed
1619507675.07738 Process32NextW	process_name: skype.exe snapshot_handle: 0x0000025c process_identifier: 2140	failed
1619507677.190971 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3384	failed
1619507683.569126 Process32NextW	process_name: skype.exe snapshot_handle: 0x000001b0 process_identifier: 3748	failed
1619507685.220941 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 2212	failed
1619507693.883856 Process32NextW	process_name: skype.exe snapshot_handle: 0x0000018c process_identifier: 1892	failed
1619507695.663068 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 2984	failed
1619507702.556968 Process32NextW	process_name: WMIADAP.exe snapshot_handle: 0x000001a8 process_identifier: 3684	failed
1619507704.827643 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 4056	failed
1619507713.873681 Process32NextW	process_name: skype.exe snapshot_handle: 0x000001c8 process_identifier: 1252	failed
1619507716.937433 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 2052	failed
1619507724.991743 Process32NextW	process_name: skype.exe snapshot_handle: 0x000001a0 process_identifier: 3820	failed
1619507727.624931 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 3972	failed
1619507732.858431 Process32NextW	process_name: skype.exe snapshot_handle: 0x00000144 process_identifier: 1268	failed
1619507734.224993 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 2108	failed
1619507743.616495 Process32NextW	process_name: skype.exe snapshot_handle: 0x000001f8 process_identifier: 728	failed
1619507747.576806 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 4200	failed
1619507755.162618 Process32NextW	process_name: skype.exe snapshot_handle: 0x000001d4 process_identifier: 4276	failed
1619507758.796431 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 4488	failed
1619507765.256118 Process32NextW	process_name: inject-x64.exe snapshot_handle: 0x000001a8 process_identifier: 4684	failed
1619507768.053743 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 4692	failed
1619507774.889681 Process32NextW	process_name: skype.exe snapshot_handle: 0x00000150 process_identifier: 4840	failed
1619507776.413368 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f8 process_identifier: 5000	failed
1619507781.436306 Process32NextW	process_name: skype.exe snapshot_handle: 0x00000178 process_identifier: 5076	failed
1619507783.663118 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 4192	failed
1619507786.866118 Process32NextW	process_name: skype.exe snapshot_handle: 0x00000140 process_identifier: 2344	failed
1619507788.272868 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3128	failed
1619507797.366368 Process32NextW	process_name: skype.exe snapshot_handle: 0x000001bc process_identifier: 3320	failed
1619507800.498681 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 4724	failed
1619507805.959993 Process32NextW	process_name: skype.exe snapshot_handle: 0x0000017c process_identifier: 4924	failed
1619507808.249931 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 4100	failed
1619507815.499931 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x000001ac process_identifier: 4492	failed
1619507818.693618 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 4572	failed
1619507827.171431 Process32NextW	process_name: skype.exe snapshot_handle: 0x000001b8 process_identifier: 4884	failed
1619507830.365618 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 2436	failed
1619507834.443618 Process32NextW	process_name: skype.exe snapshot_handle: 0x00000154 process_identifier: 376	failed
1619507836.076681 Process32NextW	process_name: skype.exe snapshot_handle: 0x000000f8 process_identifier: 3596	failed

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	203.208.40.66

Creates an Alternate Data Stream (ADS) (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe:ZoneIdentifier

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619464071.921875 NtAllocateVirtualMemory	process_identifier: 1476 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000100 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000f0000	success	0	0

Installs itself for autorun at Windows startup (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.exe.vbs

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe

Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2116 created a thread in remote process 1476
1619464071.921875 NtQueueApcThread	thread_handle: 0x00000108 process_identifier: 1476 function_address: 0x000f05c0 parameter: 0x00140000	success	0	0

Potential code injection by writing to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619464071.921875 WriteProcessMemory	process_identifier: 1476 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x00000100 base_address: 0x000f0000	success	1	0
1619464071.921875 WriteProcessMemory	process_identifier: 1476 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\49df10de56b437cc7c7f431d9c745974.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\49df10de56b437cc7c7f431d9c745974.exe" skype.exeSET EolfRCqMLh = CREAteoBJecT("WscrIPt.Shell") EolfRcQMLh.RUn """%ls""", 0, False process_handle: 0x00000100 base_address: 0x00140000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (50 out of 56 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1320 called NtSetContextThread to modify thread in remote process 2060
Process injection	Process 3172 called NtSetContextThread to modify thread in remote process 3244
Process injection	Process 3420 called NtSetContextThread to modify thread in remote process 3492
Process injection	Process 3664 called NtSetContextThread to modify thread in remote process 3736
Process injection	Process 3908 called NtSetContextThread to modify thread in remote process 3980
Process injection	Process 3680 called NtSetContextThread to modify thread in remote process 3800
Process injection	Process 192 called NtSetContextThread to modify thread in remote process 2656
Process injection	Process 3384 called NtSetContextThread to modify thread in remote process 3424
Process injection	Process 2212 called NtSetContextThread to modify thread in remote process 3604
Process injection	Process 2984 called NtSetContextThread to modify thread in remote process 2864
Process injection	Process 4056 called NtSetContextThread to modify thread in remote process 3096
Process injection	Process 3840 called NtSetContextThread to modify thread in remote process 3876
Process injection	Process 664 called NtSetContextThread to modify thread in remote process 936
Process injection	Process 2800 called NtSetContextThread to modify thread in remote process 1304
Process injection	Process 4144 called NtSetContextThread to modify thread in remote process 4216
Process injection	Process 4404 called NtSetContextThread to modify thread in remote process 4500
Process injection	Process 4692 called NtSetContextThread to modify thread in remote process 4764
Process injection	Process 4944 called NtSetContextThread to modify thread in remote process 5016
Process injection	Process 4192 called NtSetContextThread to modify thread in remote process 1120
Process injection	Process 3128 called NtSetContextThread to modify thread in remote process 4480
Process injection	Process 4724 called NtSetContextThread to modify thread in remote process 3256
Process injection	Process 4100 called NtSetContextThread to modify thread in remote process 4236
Process injection	Process 4572 called NtSetContextThread to modify thread in remote process 4596
Process injection	Process 2436 called NtSetContextThread to modify thread in remote process 4264
Process injection	Process 3596 called NtSetContextThread to modify thread in remote process 984
1619464073.421625 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2060	success	0	0
1619507558.412501 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3244	success	0	0
1619507562.912876 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3492	success	0	0
1619507569.631374 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3736	success	0	0
1619507575.851124 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3980	success	0	0
1619507629.883427 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3800	success	0	0
1619507656.856619 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2656	success	0	0
1619507677.503971 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3424	success	0	0
1619507685.611941 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3604	success	0	0
1619507695.851068 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2864	success	0	0
1619507705.811643 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3096	success	0	0
1619507717.608433 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3876	success	0	0
1619507727.686931 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 936	success	0	0
1619507734.365993 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1304	success	0	0
1619507747.935806 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4216	success	0	0
1619507758.999431 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4500	success	0	0
1619507768.444743 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4764	success	0	0
1619507776.522368 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 5016	success	0	0
1619507783.866118 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1120	success	0	0
1619507789.428868 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4480	success	0	0
1619507800.576681 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3256	success	0	0
1619507808.405931 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4236	success	0	0
1619507819.037618 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4596	success	0	0
1619507830.475618 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4264	success	0	0
1619507836.389681 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 984	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (50 out of 56 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1320 resumed a thread in remote process 2060
Process injection	Process 3172 resumed a thread in remote process 3244
Process injection	Process 3420 resumed a thread in remote process 3492
Process injection	Process 3664 resumed a thread in remote process 3736
Process injection	Process 3908 resumed a thread in remote process 3980
Process injection	Process 3680 resumed a thread in remote process 3800
Process injection	Process 192 resumed a thread in remote process 2656
Process injection	Process 3384 resumed a thread in remote process 3424
Process injection	Process 2212 resumed a thread in remote process 3604
Process injection	Process 2984 resumed a thread in remote process 2864
Process injection	Process 4056 resumed a thread in remote process 3096
Process injection	Process 3840 resumed a thread in remote process 3876
Process injection	Process 664 resumed a thread in remote process 936
Process injection	Process 2800 resumed a thread in remote process 1304
Process injection	Process 4144 resumed a thread in remote process 4216
Process injection	Process 4404 resumed a thread in remote process 4500
Process injection	Process 4692 resumed a thread in remote process 4764
Process injection	Process 4944 resumed a thread in remote process 5016
Process injection	Process 4192 resumed a thread in remote process 1120
Process injection	Process 3128 resumed a thread in remote process 4480
Process injection	Process 4724 resumed a thread in remote process 3256
Process injection	Process 4100 resumed a thread in remote process 4236
Process injection	Process 4572 resumed a thread in remote process 4596
Process injection	Process 2436 resumed a thread in remote process 4264
Process injection	Process 3596 resumed a thread in remote process 984
1619464074.562625 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2060	success	0	0
1619507559.053501 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3244	success	0	0
1619507563.162876 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3492	success	0	0
1619507570.115374 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3736	success	0	0
1619507578.319124 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3980	success	0	0
1619507636.930427 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3800	success	0	0
1619507658.747619 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2656	success	0	0
1619507677.862971 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3424	success	0	0
1619507687.408941 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3604	success	0	0
1619507696.757068 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2864	success	0	0
1619507706.827643 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3096	success	0	0
1619507718.983433 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3876	success	0	0
1619507729.561931 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 936	success	0	0
1619507735.381993 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 1304	success	0	0
1619507748.139806 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 4216	success	0	0
1619507759.593431 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 4500	success	0	0
1619507770.694743 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 4764	success	0	0
1619507776.960368 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 5016	success	0	0
1619507784.163118 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 1120	success	0	0
1619507790.303868 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 4480	success	0	0
1619507801.342681 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3256	success	0	0
1619507809.108931 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 4236	success	0	0
1619507820.365618 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 4596	success	0	0
1619507831.068618 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 4264	success	0	0
1619507836.795681 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 984	success	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 230 个事件)

Time & API	Arguments	Status	Return
1619464071.921875 CreateProcessInternalW	thread_identifier: 2468 thread_handle: 0x00000108 process_identifier: 1476 current_directory: filepath: C:\Windows\System32\notepad.exe track: 1 command_line: filepath_r: C:\Windows\system32\notepad.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000100 inherit_handles: 0	success	1
1619464071.921875 NtAllocateVirtualMemory	process_identifier: 1476 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000100 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000f0000	success	0
1619464071.921875 NtAllocateVirtualMemory	process_identifier: 1476 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000100 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00140000	success	0
1619464071.921875 WriteProcessMemory	process_identifier: 1476 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x00000100 base_address: 0x000f0000	success	1
1619464071.921875 WriteProcessMemory	process_identifier: 1476 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\49df10de56b437cc7c7f431d9c745974.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\49df10de56b437cc7c7f431d9c745974.exe" skype.exeSET EolfRCqMLh = CREAteoBJecT("WscrIPt.Shell") EolfRcQMLh.RUn """%ls""", 0, False process_handle: 0x00000100 base_address: 0x00140000	success	1
1619464072.578125 CreateProcessInternalW	thread_identifier: 2144 thread_handle: 0x000000d0 process_identifier: 1320 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x000000cc inherit_handles: 0	success	1
1619464073.312625 CreateProcessInternalW	thread_identifier: 420 thread_handle: 0x00000108 process_identifier: 2060 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000100 inherit_handles: 0	success	1
1619464073.343625 NtUnmapViewOfSection	process_identifier: 2060 region_size: 4096 process_handle: 0x00000100 base_address: 0x00400000	success	0
1619464073.406625 NtMapViewOfSection	section_handle: 0x00000110 process_identifier: 2060 commit_size: 520192 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000100 allocation_type: 0 () section_offset: 0 view_size: 520192 base_address: 0x00400000	success	0
1619464073.421625 NtGetContextThread	thread_handle: 0x00000108	success	0
1619464073.421625 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2060	success	0
1619464074.562625 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2060	success	0
1619464074.656625 CreateProcessInternalW	thread_identifier: 2064 thread_handle: 0x0000010c process_identifier: 284 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe" 2 2060 14505156 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x0000011c inherit_handles: 0	success	1
1619464099.297125 CreateProcessInternalW	thread_identifier: 3176 thread_handle: 0x00000440 process_identifier: 3172 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000444 inherit_handles: 0	success	1
1619507557.959501 CreateProcessInternalW	thread_identifier: 3248 thread_handle: 0x00000108 process_identifier: 3244 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000100 inherit_handles: 0	success	1
1619507557.959501 NtUnmapViewOfSection	process_identifier: 3244 region_size: 4096 process_handle: 0x00000100 base_address: 0x00400000	success	0
1619507557.959501 NtMapViewOfSection	section_handle: 0x00000110 process_identifier: 3244 commit_size: 520192 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000100 allocation_type: 0 () section_offset: 0 view_size: 520192 base_address: 0x00400000	success	0
1619507558.412501 NtGetContextThread	thread_handle: 0x00000108	success	0
1619507558.412501 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3244	success	0
1619507559.053501 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3244	success	0
1619507559.990501 CreateProcessInternalW	thread_identifier: 3308 thread_handle: 0x0000010c process_identifier: 3304 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe" 2 3244 14531203 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x0000011c inherit_handles: 0	success	1
1619507562.351124 CreateProcessInternalW	thread_identifier: 3424 thread_handle: 0x0000014c process_identifier: 3420 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000150 inherit_handles: 0	success	1
1619507562.584876 CreateProcessInternalW	thread_identifier: 3496 thread_handle: 0x00000108 process_identifier: 3492 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000100 inherit_handles: 0	success	1
1619507562.584876 NtUnmapViewOfSection	process_identifier: 3492 region_size: 4096 process_handle: 0x00000100 base_address: 0x00400000	success	0
1619507562.584876 NtMapViewOfSection	section_handle: 0x00000110 process_identifier: 3492 commit_size: 520192 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000100 allocation_type: 0 () section_offset: 0 view_size: 520192 base_address: 0x00400000	success	0
1619507562.912876 NtGetContextThread	thread_handle: 0x00000108	success	0
1619507562.912876 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3492	success	0
1619507563.162876 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3492	success	0
1619507563.193876 CreateProcessInternalW	thread_identifier: 3556 thread_handle: 0x0000010c process_identifier: 3552 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe" 2 3492 14535312 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x0000011c inherit_handles: 0	success	1
1619507568.912626 CreateProcessInternalW	thread_identifier: 3668 thread_handle: 0x000001c0 process_identifier: 3664 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x000001c4 inherit_handles: 0	success	1
1619507569.162374 CreateProcessInternalW	thread_identifier: 3740 thread_handle: 0x00000108 process_identifier: 3736 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000100 inherit_handles: 0	success	1
1619507569.162374 NtUnmapViewOfSection	process_identifier: 3736 region_size: 4096 process_handle: 0x00000100 base_address: 0x00400000	success	0
1619507569.443374 NtMapViewOfSection	section_handle: 0x00000110 process_identifier: 3736 commit_size: 520192 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000100 allocation_type: 0 () section_offset: 0 view_size: 520192 base_address: 0x00400000	success	0
1619507569.631374 NtGetContextThread	thread_handle: 0x00000108	success	0
1619507569.631374 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3736	success	0
1619507570.115374 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3736	success	0
1619507570.162374 CreateProcessInternalW	thread_identifier: 3808 thread_handle: 0x0000010c process_identifier: 3804 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe" 2 3736 14542265 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x0000011c inherit_handles: 0	success	1
1619507574.381626 CreateProcessInternalW	thread_identifier: 3912 thread_handle: 0x00000188 process_identifier: 3908 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x0000018c inherit_handles: 0	success	1
1619507575.538124 CreateProcessInternalW	thread_identifier: 3984 thread_handle: 0x00000108 process_identifier: 3980 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000100 inherit_handles: 0	success	1
1619507575.538124 NtUnmapViewOfSection	process_identifier: 3980 region_size: 4096 process_handle: 0x00000100 base_address: 0x00400000	success	0
1619507575.538124 NtMapViewOfSection	section_handle: 0x00000110 process_identifier: 3980 commit_size: 520192 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000100 allocation_type: 0 () section_offset: 0 view_size: 520192 base_address: 0x00400000	success	0
1619507575.851124 NtGetContextThread	thread_handle: 0x00000108	success	0
1619507575.851124 NtSetContextThread	thread_handle: 0x00000108 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4707504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3980	success	0
1619507578.319124 NtResumeThread	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 3980	success	0
1619507578.335124 CreateProcessInternalW	thread_identifier: 4056 thread_handle: 0x0000010c process_identifier: 4052 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe" 2 3980 14550468 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x0000011c inherit_handles: 0	success	1
1619507625.614812 CreateProcessInternalW	thread_identifier: 3684 thread_handle: 0x00000648 process_identifier: 3680 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x0000064c inherit_handles: 0	success	1
1619507628.164427 CreateProcessInternalW	thread_identifier: 3820 thread_handle: 0x00000108 process_identifier: 3800 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\startup\skype.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000100 inherit_handles: 0	success	1
1619507628.164427 NtUnmapViewOfSection	process_identifier: 3800 region_size: 4096 process_handle: 0x00000100 base_address: 0x00400000	success	0
1619507628.164427 NtMapViewOfSection	section_handle: 0x00000110 process_identifier: 3800 commit_size: 520192 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000100 allocation_type: 0 () section_offset: 0 view_size: 520192 base_address: 0x00400000	success	0
1619507629.883427 NtGetContextThread	thread_handle: 0x00000108	success	0

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.309339
FireEye	Generic.mg.49df10de56b437cc
ALYac	Gen:Variant.Zusy.309339
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 0056a4951 )
Alibaba	Trojan:Win32/DelfInject.ali2000015
K7GW	Trojan ( 0056a4951 )
Cybereason	malicious.e56b43
Arcabit	Trojan.Zusy.D4B85B
BitDefenderTheta	Gen:NN.ZelphiF.34700.7GW@a0jkB6gi
Cyren	W32/Injector.UROR-2273
Symantec	Infostealer.Lokibot!43
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.LokiBot-9024602-0
Kaspersky	HEUR:Trojan.Win32.Kryptik.gen
BitDefender	Gen:Variant.Zusy.309339
NANO-Antivirus	Trojan.Win32.Kryptik.hngrbe
Rising	Trojan.Injector!1.C99D (CLASSIC)
Ad-Aware	Gen:Variant.Zusy.309339
Emsisoft	Gen:Variant.Zusy.309339 (B)
Comodo	Malware@#22v0ggn45ggos
F-Secure	Trojan.TR/Injector.mumob
DrWeb	Trojan.PWS.Stealer.28804
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TSPY_HPLOKI.SMBD
McAfee-GW-Edition	BehavesLike.Win32.Fareit.dc
Sophos	Mal/Generic-S
Ikarus	Trojan.Inject
Avira	TR/Injector.mumob
Antiy-AVL	Trojan/Win32.Kryptik
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Agent.oa!s1
Microsoft	PWS:Win32/Fareit.AQ!MTB
AegisLab	Trojan.Win32.Kryptik.4!c
ZoneAlarm	HEUR:Trojan.Win32.Kryptik.gen
GData	Gen:Variant.Zusy.309339
Cynet	Malicious (score: 100)
AhnLab-V3	Suspicious/Win.Delphiless.X2085
McAfee	Fareit-FVZ!49DF10DE56B4
MAX	malware (ai score=86)
VBA32	TScope.Trojan.Delf
Malwarebytes	Spyware.AgentTesla
Panda	Trj/CI.A
Zoner	Trojan.Win32.94561
ESET-NOD32	a variant of Win32/Injector.EMOY
TrendMicro-HouseCall	TSPY_HPLOKI.SMBD
Tencent	Win32.Trojan.Kryptik.Pgdr

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:

• 0x49b154 DeleteCriticalSection

• 0x49b158 LeaveCriticalSection

• 0x49b15c EnterCriticalSection

• 0x49b160 InitializeCriticalSection

• 0x49b164 VirtualFree

• 0x49b168 VirtualAlloc

• 0x49b16c LocalFree

• 0x49b170 LocalAlloc

• 0x49b174 GetVersion

• 0x49b178 GetCurrentThreadId

• 0x49b17c InterlockedDecrement

• 0x49b180 InterlockedIncrement

• 0x49b184 VirtualQuery

• 0x49b188 WideCharToMultiByte

• 0x49b18c MultiByteToWideChar

• 0x49b190 lstrlenA

• 0x49b194 lstrcpynA

• 0x49b198 LoadLibraryExA

• 0x49b19c GetThreadLocale

• 0x49b1a0 GetStartupInfoA

• 0x49b1a4 GetProcAddress

• 0x49b1a8 GetModuleHandleA

• 0x49b1ac GetModuleFileNameA

• 0x49b1b0 GetLocaleInfoA

• 0x49b1b4 GetCommandLineA

• 0x49b1b8 FreeLibrary

• 0x49b1bc FindFirstFileA

• 0x49b1c0 FindClose

• 0x49b1c4 ExitProcess

• 0x49b1c8 WriteFile

• 0x49b1cc UnhandledExceptionFilter

• 0x49b1d0 RtlUnwind

• 0x49b1d4 RaiseException

• 0x49b1d8 GetStdHandle

Library user32.dll:

• 0x49b1e0 GetKeyboardType

• 0x49b1e4 LoadStringA

• 0x49b1e8 MessageBoxA

• 0x49b1ec CharNextA

Library advapi32.dll:

• 0x49b1f4 RegQueryValueExA

• 0x49b1f8 RegOpenKeyExA

• 0x49b1fc RegCloseKey

Library oleaut32.dll:

• 0x49b204 SysFreeString

• 0x49b208 SysReAllocStringLen

• 0x49b20c SysAllocStringLen

Library kernel32.dll:

• 0x49b214 TlsSetValue

• 0x49b218 TlsGetValue

• 0x49b21c LocalAlloc

• 0x49b220 GetModuleHandleA

Library advapi32.dll:

• 0x49b228 RegQueryValueExA

• 0x49b22c RegOpenKeyExA

• 0x49b230 RegCloseKey

Library kernel32.dll:

• 0x49b238 lstrcpyA

• 0x49b23c WriteFile

• 0x49b240 WaitForSingleObject

• 0x49b244 VirtualQuery

• 0x49b248 VirtualProtectEx

• 0x49b24c VirtualAlloc

• 0x49b250 Sleep

• 0x49b254 SizeofResource

• 0x49b258 SetThreadLocale

• 0x49b25c SetFilePointer

• 0x49b260 SetEvent

• 0x49b264 SetErrorMode

• 0x49b268 SetEndOfFile

• 0x49b26c ResetEvent

• 0x49b270 ReadFile

• 0x49b274 MultiByteToWideChar

• 0x49b278 MulDiv

• 0x49b27c LockResource

• 0x49b280 LoadResource

• 0x49b284 LoadLibraryA

• 0x49b288 LeaveCriticalSection

• 0x49b28c InitializeCriticalSection

• 0x49b290 GlobalUnlock

• 0x49b294 GlobalSize

• 0x49b298 GlobalReAlloc

• 0x49b29c GlobalHandle

• 0x49b2a0 GlobalLock

• 0x49b2a4 GlobalFree

• 0x49b2a8 GlobalFindAtomA

• 0x49b2ac GlobalDeleteAtom

• 0x49b2b0 GlobalAlloc

• 0x49b2b4 GlobalAddAtomA

• 0x49b2b8 GetVersionExA

• 0x49b2bc GetVersion

• 0x49b2c0 GetUserDefaultLCID

• 0x49b2c4 GetTickCount

• 0x49b2c8 GetThreadLocale

• 0x49b2cc GetSystemInfo

• 0x49b2d0 GetStringTypeExA

• 0x49b2d4 GetStdHandle

• 0x49b2d8 GetProcAddress

• 0x49b2dc GetModuleHandleA

• 0x49b2e0 GetModuleFileNameA

• 0x49b2e4 GetLocaleInfoA

• 0x49b2e8 GetLocalTime

• 0x49b2ec GetLastError

• 0x49b2f0 GetFullPathNameA

• 0x49b2f4 GetFileAttributesA

• 0x49b2f8 GetDiskFreeSpaceA

• 0x49b2fc GetDateFormatA

• 0x49b300 GetCurrentThreadId

• 0x49b304 GetCurrentProcessId

• 0x49b308 GetCurrentProcess

• 0x49b30c GetComputerNameA

• 0x49b310 GetCPInfo

• 0x49b314 GetACP

• 0x49b318 FreeResource

• 0x49b31c InterlockedIncrement

• 0x49b320 InterlockedExchange

• 0x49b324 InterlockedDecrement

• 0x49b328 FreeLibrary

• 0x49b32c FormatMessageA

• 0x49b330 FindResourceA

• 0x49b334 FindFirstFileA

• 0x49b338 FindClose

• 0x49b33c FileTimeToLocalFileTime

• 0x49b340 FileTimeToDosDateTime

• 0x49b344 EnumCalendarInfoA

• 0x49b348 EnterCriticalSection

• 0x49b34c DeleteCriticalSection

• 0x49b350 CreateThread

• 0x49b354 CreateFileA

• 0x49b358 CreateEventA

• 0x49b35c CompareStringA

• 0x49b360 CloseHandle

Library version.dll:

• 0x49b368 VerQueryValueA

• 0x49b36c GetFileVersionInfoSizeA

• 0x49b370 GetFileVersionInfoA

Library gdi32.dll:

• 0x49b378 UnrealizeObject

• 0x49b37c StretchBlt

• 0x49b380 SetWindowOrgEx

• 0x49b384 SetWinMetaFileBits

• 0x49b388 SetViewportOrgEx

• 0x49b38c SetTextColor

• 0x49b390 SetStretchBltMode

• 0x49b394 SetROP2

• 0x49b398 SetPixel

• 0x49b39c SetMapMode

• 0x49b3a0 SetEnhMetaFileBits

• 0x49b3a4 SetDIBColorTable

• 0x49b3a8 SetColorSpace

• 0x49b3ac SetBrushOrgEx

• 0x49b3b0 SetBkMode

• 0x49b3b4 SetBkColor

• 0x49b3b8 SelectPalette

• 0x49b3bc SelectObject

• 0x49b3c0 SelectClipRgn

• 0x49b3c4 SaveDC

• 0x49b3c8 RestoreDC

• 0x49b3cc Rectangle

• 0x49b3d0 RectVisible

• 0x49b3d4 RealizePalette

• 0x49b3d8 Polyline

• 0x49b3dc Polygon

• 0x49b3e0 PlayEnhMetaFile

• 0x49b3e4 PatBlt

• 0x49b3e8 MoveToEx

• 0x49b3ec MaskBlt

• 0x49b3f0 LineTo

• 0x49b3f4 LPtoDP

• 0x49b3f8 IntersectClipRect

• 0x49b3fc GetWindowOrgEx

• 0x49b400 GetWinMetaFileBits

• 0x49b404 GetTextMetricsA

• 0x49b408 GetTextExtentPoint32A

• 0x49b40c GetSystemPaletteEntries

• 0x49b410 GetStockObject

• 0x49b414 GetPixel

• 0x49b418 GetPaletteEntries

• 0x49b41c GetObjectA

• 0x49b420 GetEnhMetaFilePaletteEntries

• 0x49b424 GetEnhMetaFileHeader

• 0x49b428 GetEnhMetaFileDescriptionA

• 0x49b42c GetEnhMetaFileBits

• 0x49b430 GetDeviceCaps

• 0x49b434 GetDIBits

• 0x49b438 GetDIBColorTable

• 0x49b43c GetDCOrgEx

• 0x49b440 GetCurrentPositionEx

• 0x49b444 GetClipBox

• 0x49b448 GetBrushOrgEx

• 0x49b44c GetBitmapBits

• 0x49b450 ExtTextOutA

• 0x49b454 ExcludeClipRect

• 0x49b458 DeleteObject

• 0x49b45c DeleteEnhMetaFile

• 0x49b460 DeleteDC

• 0x49b464 CreateSolidBrush

• 0x49b468 CreatePenIndirect

• 0x49b46c CreatePalette

• 0x49b470 CreateHalftonePalette

• 0x49b474 CreateFontIndirectA

• 0x49b478 CreateEnhMetaFileA

• 0x49b47c CreateDIBitmap

• 0x49b480 CreateDIBSection

• 0x49b484 CreateCompatibleDC

• 0x49b488 CreateCompatibleBitmap

• 0x49b48c CreateBrushIndirect

• 0x49b490 CreateBitmap

• 0x49b494 CopyEnhMetaFileA

• 0x49b498 CloseEnhMetaFile

• 0x49b49c BitBlt

Library user32.dll:

• 0x49b4a4 CreateWindowExA

• 0x49b4a8 WindowFromPoint

• 0x49b4ac WinHelpA

• 0x49b4b0 WaitMessage

• 0x49b4b4 UpdateWindow

• 0x49b4b8 UnregisterClassA

• 0x49b4bc UnhookWindowsHookEx

• 0x49b4c0 TranslateMessage

• 0x49b4c4 TranslateMDISysAccel

• 0x49b4c8 TrackPopupMenu

• 0x49b4cc SystemParametersInfoA

• 0x49b4d0 ShowWindow

• 0x49b4d4 ShowScrollBar

• 0x49b4d8 ShowOwnedPopups

• 0x49b4dc ShowCursor

• 0x49b4e0 SetWindowsHookExA

• 0x49b4e4 SetWindowTextA

• 0x49b4e8 SetWindowPos

• 0x49b4ec SetWindowPlacement

• 0x49b4f0 SetWindowLongA

• 0x49b4f4 SetTimer

• 0x49b4f8 SetScrollRange

• 0x49b4fc SetScrollPos

• 0x49b500 SetScrollInfo

• 0x49b504 SetRect

• 0x49b508 SetPropA

• 0x49b50c SetParent

• 0x49b510 SetMenuItemInfoA

• 0x49b514 SetMenu

• 0x49b518 SetForegroundWindow

• 0x49b51c SetFocus

• 0x49b520 SetCursor

• 0x49b524 SetClassLongA

• 0x49b528 SetCapture

• 0x49b52c SetActiveWindow

• 0x49b530 SendMessageA

• 0x49b534 ScrollWindow

• 0x49b538 ScreenToClient

• 0x49b53c RemovePropA

• 0x49b540 RemoveMenu

• 0x49b544 ReleaseDC

• 0x49b548 ReleaseCapture

• 0x49b54c RegisterWindowMessageA

• 0x49b550 RegisterClipboardFormatA

• 0x49b554 RegisterClassA

• 0x49b558 RedrawWindow

• 0x49b55c PtInRect

• 0x49b560 PostQuitMessage

• 0x49b564 PostMessageA

• 0x49b568 PeekMessageA

• 0x49b56c OffsetRect

• 0x49b570 OemToCharA

• 0x49b574 MessageBoxA

• 0x49b578 MapWindowPoints

• 0x49b57c MapVirtualKeyA

• 0x49b580 LoadStringA

• 0x49b584 LoadKeyboardLayoutA

• 0x49b588 LoadIconA

• 0x49b58c LoadCursorA

• 0x49b590 LoadBitmapA

• 0x49b594 KillTimer

• 0x49b598 IsZoomed

• 0x49b59c IsWindowVisible

• 0x49b5a0 IsWindowEnabled

• 0x49b5a4 IsWindow

• 0x49b5a8 IsRectEmpty

• 0x49b5ac IsIconic

• 0x49b5b0 IsDialogMessageA

• 0x49b5b4 IsChild

• 0x49b5b8 InvalidateRect

• 0x49b5bc IntersectRect

• 0x49b5c0 InsertMenuItemA

• 0x49b5c4 InsertMenuA

• 0x49b5c8 InflateRect

• 0x49b5cc GetWindowThreadProcessId

• 0x49b5d0 GetWindowTextA

• 0x49b5d4 GetWindowRect

• 0x49b5d8 GetWindowPlacement

• 0x49b5dc GetWindowLongA

• 0x49b5e0 GetWindowDC

• 0x49b5e4 GetTopWindow

• 0x49b5e8 GetSystemMetrics

• 0x49b5ec GetSystemMenu

• 0x49b5f0 GetSysColorBrush

• 0x49b5f4 GetSysColor

• 0x49b5f8 GetSubMenu

• 0x49b5fc GetScrollRange

• 0x49b600 GetScrollPos

• 0x49b604 GetScrollInfo

• 0x49b608 GetPropA

• 0x49b60c GetParent

• 0x49b610 GetWindow

• 0x49b614 GetMessageTime

• 0x49b618 GetMenuStringA

• 0x49b61c GetMenuState

• 0x49b620 GetMenuItemInfoA

• 0x49b624 GetMenuItemID

• 0x49b628 GetMenuItemCount

• 0x49b62c GetMenu

• 0x49b630 GetLastActivePopup

• 0x49b634 GetKeyboardState

• 0x49b638 GetKeyboardLayoutList

• 0x49b63c GetKeyboardLayout

• 0x49b640 GetKeyState

• 0x49b644 GetKeyNameTextA

• 0x49b648 GetIconInfo

• 0x49b64c GetForegroundWindow

• 0x49b650 GetFocus

• 0x49b654 GetDlgItem

• 0x49b658 GetDesktopWindow

• 0x49b65c GetDCEx

• 0x49b660 GetDC

• 0x49b664 GetCursorPos

• 0x49b668 GetCursor

• 0x49b66c GetClipboardData

• 0x49b670 GetClientRect

• 0x49b674 GetClassNameA

• 0x49b678 GetClassInfoA

• 0x49b67c GetCapture

• 0x49b680 GetActiveWindow

• 0x49b684 FrameRect

• 0x49b688 FindWindowA

• 0x49b68c FillRect

• 0x49b690 EqualRect

• 0x49b694 EnumWindows

• 0x49b698 EnumThreadWindows

• 0x49b69c EndPaint

• 0x49b6a0 EnableWindow

• 0x49b6a4 EnableScrollBar

• 0x49b6a8 EnableMenuItem

• 0x49b6ac DrawTextA

• 0x49b6b0 DrawMenuBar

• 0x49b6b4 DrawIconEx

• 0x49b6b8 DrawIcon

• 0x49b6bc DrawFrameControl

• 0x49b6c0 DrawFocusRect

• 0x49b6c4 DrawEdge

• 0x49b6c8 DispatchMessageA

• 0x49b6cc DestroyWindow

• 0x49b6d0 DestroyMenu

• 0x49b6d4 DestroyIcon

• 0x49b6d8 DestroyCursor

• 0x49b6dc DeleteMenu

• 0x49b6e0 DefWindowProcA

• 0x49b6e4 DefMDIChildProcA

• 0x49b6e8 DefFrameProcA

• 0x49b6ec CreatePopupMenu

• 0x49b6f0 CreateMenu

• 0x49b6f4 CreateIcon

• 0x49b6f8 ClientToScreen

• 0x49b6fc CheckMenuItem

• 0x49b700 CallWindowProcA

• 0x49b704 CallNextHookEx

• 0x49b708 BeginPaint

• 0x49b70c CharNextA

• 0x49b710 CharLowerBuffA

• 0x49b714 CharLowerA

• 0x49b718 CharUpperBuffA

• 0x49b71c CharToOemA

• 0x49b720 AdjustWindowRectEx

• 0x49b724 ActivateKeyboardLayout

Library kernel32.dll:

• 0x49b72c Sleep

Library oleaut32.dll:

• 0x49b734 SafeArrayPtrOfIndex

• 0x49b738 SafeArrayPutElement

• 0x49b73c SafeArrayGetElement

• 0x49b740 SafeArrayUnaccessData

• 0x49b744 SafeArrayAccessData

• 0x49b748 SafeArrayGetUBound

• 0x49b74c SafeArrayGetLBound

• 0x49b750 SafeArrayCreate

• 0x49b754 VariantChangeType

• 0x49b758 VariantCopyInd

• 0x49b75c VariantCopy

• 0x49b760 VariantClear

• 0x49b764 VariantInit

Library ole32.dll:

• 0x49b76c CreateStreamOnHGlobal

• 0x49b770 IsAccelerator

• 0x49b774 OleDraw

• 0x49b778 OleSetMenuDescriptor

• 0x49b77c CoTaskMemFree

• 0x49b780 ProgIDFromCLSID

• 0x49b784 StringFromCLSID

• 0x49b788 CoCreateInstance

• 0x49b78c CoGetClassObject

• 0x49b790 CoUninitialize

• 0x49b794 CoInitialize

• 0x49b798 IsEqualGUID

Library oleaut32.dll:

• 0x49b7a0 CreateErrorInfo

• 0x49b7a4 GetErrorInfo

• 0x49b7a8 SetErrorInfo

• 0x49b7ac GetActiveObject

• 0x49b7b0 SysFreeString

Library comctl32.dll:

• 0x49b7b8 ImageList_SetIconSize

• 0x49b7bc ImageList_GetIconSize

• 0x49b7c0 ImageList_Write

• 0x49b7c4 ImageList_Read

• 0x49b7c8 ImageList_GetDragImage

• 0x49b7cc ImageList_DragShowNolock

• 0x49b7d0 ImageList_SetDragCursorImage

• 0x49b7d4 ImageList_DragMove

• 0x49b7d8 ImageList_DragLeave

• 0x49b7dc ImageList_DragEnter

• 0x49b7e0 ImageList_EndDrag

• 0x49b7e4 ImageList_BeginDrag

• 0x49b7e8 ImageList_Remove

• 0x49b7ec ImageList_DrawEx

• 0x49b7f0 ImageList_Replace

• 0x49b7f4 ImageList_Draw

• 0x49b7f8 ImageList_GetBkColor

• 0x49b7fc ImageList_SetBkColor

• 0x49b800 ImageList_ReplaceIcon

• 0x49b804 ImageList_Add

• 0x49b808 ImageList_GetImageCount

• 0x49b80c ImageList_Destroy

• 0x49b810 ImageList_Create

• 0x49b814 InitCommonControls

Library comdlg32.dll:

• 0x49b81c GetSaveFileNameA

• 0x49b820 GetOpenFileNameA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.41.34	203.208.40.98
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49227	203.208.41.34 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57236	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.