SmartHawk

3.2

中危

该样本未表现出任何异常！

重新分析

下载样本

0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8

0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe

分析耗时

147s

最近分析

386天前

文件大小

661.2KB

静态报毒动态报毒 UNKNOWN

DACN 0.15

FACILE 1.00

IMCLNet 0.74

MFGraph 0.00

引擎	描述	特征	威胁分数	可能家族	检测耗时
DACN	基于动态分析和胶囊网络的可视化恶意软件检测	API调用、DLL以及注册表的修改情况	0.15	Unknown	0.06s
FACILE	利用改进的层次胶囊网络对二进制恶意软件图像进行识别分类	二进制图像映射为的灰度图像	1.00	Unknown	0.03s
IMCLNet	轻量化深度卷积网络模型实现恶意软件家族检测	原始二进制映射而成的可视化图像	0.74	Unknown	0.23s
MFGraph	利用静态特征构建图网络以检测恶意软件	原始二进制PE文件的静态特征节点	0.00	Unknown	0.00s

未检测暂无反病毒引擎检测结果

查询计算机名称 (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545323.093375 GetComputerNameA	computer_name: TU-PC	success	1	0

一个或多个进程崩溃 (12 个事件)

Time & API	Arguments	Status
1727545287.499375 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 2336 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 4992337 registers.edi: 0 stacktrace: a+0x47 @ 0x10001b25 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x1455 @ 0x401455 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x179a @ 0x40179a 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545287.499375 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 4992337 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x1455 @ 0x401455 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x179a @ 0x40179a 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545290.891 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 2708 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 5910065 registers.edi: 0 stacktrace: a+0x47 @ 0x10001b25 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x1455 @ 0x401455 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x179a @ 0x40179a 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545290.891 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5910065 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x1455 @ 0x401455 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x179a @ 0x40179a 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.874375 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 2016 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 5713017 registers.edi: 0 stacktrace: a+0x47 @ 0x10001b25 acrotray+0x1455 @ 0x401455 acrotray+0x179a @ 0x40179a acrotray+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.874375 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5713017 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 acrotray+0x1455 @ 0x401455 acrotray+0x179a @ 0x40179a acrotray+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545326.29675 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 2096 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 3157201 registers.edi: 0 stacktrace: a+0x47 @ 0x10001b25 acrotray+0x1455 @ 0x401455 acrotray+0x179a @ 0x40179a acrotray+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545326.29675 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 3157201 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 acrotray+0x1455 @ 0x401455 acrotray+0x179a @ 0x40179a acrotray+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545328.374125 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 696 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 5188817 registers.edi: 0 stacktrace: a+0x47 @ 0x10001b25 acrotray +0x1455 @ 0x401455 acrotray +0x179a @ 0x40179a acrotray +0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545328.374125 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5188817 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 acrotray +0x1455 @ 0x401455 acrotray +0x179a @ 0x40179a acrotray +0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545330.374375 __exception__	exception.address: 0x1000168f exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b 83 4d fc ff eb exception.symbol: addNumbers-0x3a5 exception.exception_code: 0xc000001d registers.eax: 1 registers.ecx: 1308 registers.edx: 3221225524 registers.ebx: 0 registers.esp: 1636720 registers.ebp: 1636764 registers.esi: 4926761 registers.edi: 0 stacktrace: a+0x47 @ 0x10001b25 acrotray +0x1455 @ 0x401455 acrotray +0x179a @ 0x40179a acrotray +0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545330.374375 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 4926761 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 acrotray +0x1455 @ 0x401455 acrotray +0x179a @ 0x40179a acrotray +0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success

在文件系统上创建可执行文件 (4 个事件)

file	c:\program files (x86)\360\360drvmgr\360drvmgr.exe
file	c:\program files (x86)\360\360tptmon\360tptmon.exe
file	C:\Program Files (x86)\Adobe\acrotray.exe
file	C:\Program Files (x86)\Adobe\acrotray .exe

投放一个二进制文件并执行它 (2 个事件)

file	C:\Program Files (x86)\Adobe\acrotray.exe
file	C:\Program Files (x86)\Adobe\acrotray .exe

一个进程创建了一个隐藏窗口 (7 个事件)

Time & API	Arguments	Status	Return
1727545288.687375 ShellExecuteExW	filepath: C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe filepath_r: C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe parameters: C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe" show_type: 0	success	1
1727545288.703375 ShellExecuteExW	filepath: C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8 .exe filepath_r: C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8 .exe parameters: C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe" show_type: 0	failed	0
1727545322.296375 ShellExecuteExW	filepath: C:\Program Files (x86)\Adobe\acrotray.exe filepath_r: C:\Program Files (x86)\Adobe\acrotray.exe parameters: C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe" show_type: 0	success	1
1727545324.156375 ShellExecuteExW	filepath: C:\Program Files (x86)\Adobe\acrotray.exe filepath_r: C:\Program Files (x86)\Adobe\acrotray.exe parameters: C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe" show_type: 0	success	1
1727545324.265375 ShellExecuteExW	filepath: C:\Program Files (x86)\Adobe\acrotray .exe filepath_r: C:\Program Files (x86)\Adobe\acrotray .exe parameters: C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe" show_type: 0	success	1
1727545328.656125 ShellExecuteExW	filepath: C:\Program Files (x86)\Adobe\acrotray .exe filepath_r: C:\Program Files (x86)\Adobe\acrotray .exe parameters: C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe" show_type: 0	success	1
1727545328.671125 ShellExecuteExW	filepath: C:\Program Files (x86)\Adobe\acrotray .exe filepath_r: C:\Program Files (x86)\Adobe\acrotray .exe parameters: C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe" show_type: 0	failed	0

搜索运行中的进程，可能用于识别沙箱规避、代码注入或内存转储的进程 (5 个事件)

Time & API	Arguments	Status	Return
1727545330.891 Process32NextW	snapshot_handle: 0x000000f8 process_name: iexplore.exe process_identifier: 856	success	1
1727545330.891 Process32NextW	snapshot_handle: 0x000000f8 process_name: iexplore.exe process_identifier: 1104	success	1
1727545330.891 Process32NextW	snapshot_handle: 0x000000f8 process_name: acrotray.exe process_identifier: 2376	success	1
1727545330.891 Process32NextW	snapshot_handle: 0x000000f8 process_name: acrotray .exe process_identifier: 2388	success	1
1727545330.891 Process32NextW	snapshot_handle: 0x000000f8 process_name: acrotray .exe process_identifier: 2728	success	1

将读写内存保护更改为可读执行（可能是为了避免在同时设置所有 RWX 标志时被检测） (6 个事件)

Time & API	Arguments	Status
1727545287.499375 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 1848	success
1727545290.891 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 3052	success
1727545323.874375 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 1988	success
1727545326.28175 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 2376	success
1727545328.374125 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 2388	success
1727545330.359375 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x10001000 length: 32768 protection: 32 (PAGE_EXECUTE_READ) process_identifier: 2728	success

该二进制文件可能包含加密或压缩数据，表明使用了打包工具 (2 个事件)

section

{'name': '.data', 'virtual_address': '0x00005000', 'virtual_size': '0x000154fc', 'size_of_data': '0x00006800', 'entropy': 6.844124273005614}

entropy

6.844124273005614

description

发现高熵的节

entropy

0.7027027027027027

description

此PE文件的整体熵值较高

检查系统上可疑权限的本地唯一标识符 (6 个事件)

Time & API	Arguments	Status	Return
1727545287.499375 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1727545290.891 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1727545323.874375 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1727545326.29675 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1727545328.390125 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1727545330.374375 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1

重复搜索未找到的进程，您可能希望在分析期间运行一个网络浏览器 (14 个事件)

Time & API	Arguments	Status
1727545287.499375 Process32NextW	snapshot_handle: 0x0000013c process_name: 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe process_identifier: 1848	failed
1727545287.499375 Process32NextW	snapshot_handle: 0x0000013c process_name: 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe process_identifier: 1848	failed
1727545290.891 Process32NextW	snapshot_handle: 0x0000013c process_name: 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe process_identifier: 3052	failed
1727545290.891 Process32NextW	snapshot_handle: 0x0000013c process_name: 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe process_identifier: 3052	failed
1727545310.891 Process32NextW	snapshot_handle: 0x0000013c process_name: 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe process_identifier: 3052	failed
1727545330.891 Process32NextW	snapshot_handle: 0x000000f8 process_name: acrotray .exe process_identifier: 2728	failed
1727545323.890375 Process32NextW	snapshot_handle: 0x0000013c process_name: iexplore.exe process_identifier: 1104	failed
1727545323.890375 Process32NextW	snapshot_handle: 0x0000013c process_name: iexplore.exe process_identifier: 1104	failed
1727545326.29675 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 2388	failed
1727545326.31275 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 2388	failed
1727545328.390125 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 2388	failed
1727545328.390125 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 2388	failed
1727545330.374375 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 2728	failed
1727545330.374375 Process32NextW	snapshot_handle: 0x0000013c process_name: acrotray .exe process_identifier: 2728	failed

与未执行 DNS 查询的主机进行通信 (1 个事件)

host

114.114.114.114

在 Windows 启动时自我安装以实现自动运行 (1 个事件)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader

reg_value

C:\Program Files (x86)\Adobe\acrotray.exe

通过 in 指令特性检测 VMWare (6 个事件)

Time & API	Arguments	Status
1727545287.499375 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 4992337 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x1455 @ 0x401455 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x179a @ 0x40179a 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545290.891 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5910065 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x1455 @ 0x401455 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x179a @ 0x40179a 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.874375 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5713017 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 acrotray+0x1455 @ 0x401455 acrotray+0x179a @ 0x40179a acrotray+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545326.29675 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 3157201 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 acrotray+0x1455 @ 0x401455 acrotray+0x179a @ 0x40179a acrotray+0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545328.374125 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 5188817 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 acrotray +0x1455 @ 0x401455 acrotray +0x179a @ 0x40179a acrotray +0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545330.374375 __exception__	exception.address: 0x10001708 exception.instruction: in eax, dx exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a 83 4d exception.symbol: addNumbers-0x32c exception.exception_code: 0xc0000096 registers.eax: 1447909480 registers.ecx: 10 registers.edx: 22104 registers.ebx: 0 registers.esp: 1636712 registers.ebp: 1636764 registers.esi: 4926761 registers.edi: 0 stacktrace: a+0x5b @ 0x10001b39 acrotray +0x1455 @ 0x401455 acrotray +0x179a @ 0x40179a acrotray +0x3785 @ 0x403785 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success

连接到不再响应请求的 IP 地址（合法服务通常会保持运行） (1 个事件)

dead_host

173.255.194.134:80

288x288

224x224

192x192

160x160

128x128

96x96

64x64

32x32

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2009-11-21 02:52:14

PE Imphash

4399a9655910fede80a7d0d00b533276

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x000027e2	0x00002800	5.822544950900163
.rdata	0x00004000	0x00000294	0x00000400	3.4737892547629716
.data	0x00005000	0x000154fc	0x00006800	6.844124273005614

Imports

Library KERNEL32.dll:

• 0x404000 GetFileAttributesExA

• 0x404004 QueryPerformanceCounter

• 0x404008 HeapDestroy

• 0x40400c HeapFree

• 0x404010 Sleep

• 0x404014 HeapCreate

• 0x404018 HeapAlloc

• 0x40401c GetProcessHeap

• 0x404020 CloseHandle

• 0x404024 ReadFile

• 0x404028 SetFilePointer

• 0x40402c CreateFileA

• 0x404030 ExitProcess

• 0x404034 GetModuleFileNameA

• 0x404038 GetProcAddress

• 0x40403c LoadLibraryA

• 0x404040 VirtualAlloc

• 0x404044 VirtualFree

• 0x404048 IsBadReadPtr

• 0x40404c lstrcmpiA

• 0x404050 FreeLibrary

• 0x404054 HeapReAlloc

• 0x404058 GetModuleHandleA

• 0x40405c GetStartupInfoA

• 0x404060 GetCommandLineA

L!This program cannot be run in DOS mode.
UUUwUJ
URichU
`.rdata
@.data
E@EE;E}
E@EEUQ}
E@EE;E
E@EE;E
E@EE;E}
uYYEU<
;u^;Ms
EEMM?}
;ujM+M;Us
EpPEp4
EM+H4M
E@EE(EE
E@EE(EE
E@EE@@EE@
EE@@EEM;H
E@EEM;H
GetFileAttributesExA
QueryPerformanceCounter
HeapDestroy
HeapFree
HeapCreate
HeapAlloc
GetProcessHeap
CloseHandle
ReadFile
SetFilePointer
CreateFileA
ExitProcess
GetModuleFileNameA
GetProcAddress
LoadLibraryA
VirtualAlloc
VirtualFree
IsBadReadPtr
lstrcmpiA
FreeLibrary
KERNEL32.dll
HeapReAlloc
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
]F6JJz]
EDzDkMmNNSM9S
(kqqEKS]
,EiVGm]V
]V/n]y]
]VQ]s]V]
]iMNS*S
]/]]V2p]]
}]nn]]
LQ{Ngw.JJ%w.JJK]
r$\[gw]
N$gwB.JJPd]
u}]VAdK]bK]VPQPYJ]F]
](J{^wu"Ju
*J,.JJJ
]]E/v]
/v7J]A]
]VAdLz?@Ju
6$]/;]i]
]VaJngw!]V
uQPQP]
]VKwJJ
]W]EWu]VdF
]EQ]E]MGPQP]V
JJ%wL]]y]w
%w]=%w<]K]
JJdw]Cgw
**QP]Vgw]
]VhJJ$7JJJ]
.JJJKwhJJ
1.JJ$]VJ
UJJ${]i]i]
JJJE$KYJJJ|%w]
*]]gJJJ\]
Y]VN@]
wHPQPxJu"$]
uv]Vg]V
IL$Ju]
t$$wudHgH]E;]V
aaa"Cg
FJPyJuL
]VJu(J]
w.JJJu
sJJJ$gH
CJ^$gwM ]9]V]
KHJuJ]8]
]VH*]J]
]H]V@]
X.JJPdw]g]
Kw]y]P[]M= ]
M]ip]
2]=M]=K]
]"]}/OdH]
#M[]@gHdHgwUJJ
Y]V*QP]
H;]:%H]<J]
]i<]yI
KH<]/8KH
]E]i/}]VV#]
/}#]V/M#]
]V(J]ivU]
]v=]V/v}J
\J^$$P%HdHgHLdHgH
`*%H<QP
C]ECM]V}
]V]d]}d
p.]T0!.JJ|]V/vJ]"Kw]
Jm]V8]V
iuMQJ]
.JJ]V]V]Vm
*F]n*]sj]s
QPB]VFu
(]V*]/u]V/G
"]sJ]]
JJ](J]/:*]/w']/
TSP(]TN]
&nU]V&n]=T
TOJuLJ
9]2]h2$
]VO]V;
Y]V]V]VZ
\[#]V]
(]]VsG!
/QP]O.$]
;5lJJ]
]V%Hr]
uf]i#s
i] ] ] ]]
dJu]V/n
dH]yH]V9gHKw
gw,hJJ
Y]VuEd]
/;^$Ju
]V_==^
KHKwL]V/]
Pdw]g]
S;7]"Y]
JuH;]}
Y]V}`]
/EuJ](]
P]s#(G
U]#(f]]#(
%w<JJ]/
,]yFI]
(Kw<l]
S]i;]!
Q]V#]$]
W]V]n]V
]]n]}n]
]V&(JJ$$]
,6$g]V/]V]
]Md]ET;#
/]E]Ta ]Ta ]VTa]
\O]VNv]V
T]VvG!]
!]]VT]dW]V]d`]i3]V
Y]VNd]
]m]VJ*Kw]
{]V}5]
^]V`a]V]
!JdHdGz
]/]i}d
PdH]V/Hk]
,]I$wudH
Y]Vid]
#!J]V](?7rQX]
]Nv]V]im]
!7n]H]
]Hv]HJJ$7
]iN]V*
]VEl.]
]/y.JJ
dP]Vb]Vd`]6}]6
:u]VdF]
]GMPQP[
`uQPm!
u]AQPJ]
&z]iS]W
&]i?*:]
iu(dHdF
7JJJ7.JJdHGMdH
}]VE]d
dG]]Ju
*y]EyudHG!
` JJ$]
`AQVG Pw]dF
]s]H7JJ]/}3]
,gH]VH]V
<dHH<]Vw]]
wuQPdH]
|.JJ$$dF
dHMP]]w7J]w(
L]VMG^]
Pt]V(]
]Vv({]
5]]V5?]
ZF]8]]
T@]i=]
23]i(]
Ad]=<dH]vJM]
}LdH<]}<J
K2%HvdH
LKud]]
KH,]XXwJu,f]
]v$$r]
KfUJJKw]
f]V~]
&q]k]s]j
B](,](H](]y]
dHgwp|JJ]
dMu]yGMP]n
_O]V=]/S7]V
]VA]w]
`<*i]A
dH?]Vn
]Vgw]Ad]VVK]g
}]VJm]
]i(^7]V5gw]
]VW*QP]
]Vw.JJ]#
LKFK(]
dJuJgH,
`,`v%H]
~F(dH7Y]V-KF<]
(]V%H]V
<]J]7]
]`]AGgHdHdJuJ]
%H]Vz]VCf]
CfdHf]CfJf]y]V6%H]V6
Bz]Vy]
dHdJuJw`%Hr]V
]V]V^2]VTz
KKUJJ>E]MKKB]
K]iKYUJJ]
nr]V\QJm
KKUJJE
]]$nKK3],d
KrUJJ]sw]
w]Ow*]
XG]V]9!UJJKF
w]@P:\!kM
]V]8]a]a]a,]
]gwpUJJJ]VU$?]V$M]
f<]VM]V
gHJ](M]
H]V\kudHL]V
u]]@]V#:e]
RUJJ]VHdFg
g]Vr<+
]V]V{)]
]V(-[]
uM]V(G!]
]sg0Q]
gUJJ]Vg]
wmGiK]iKYz]g]
UJJ]EH]i
]J]s]ydH
m]g]i@J
g]Ow*M]
P]g]V-]
w-uJuUJJ$]
L]V(]Vp6Jr^]
,MgH<]
OQPQPD]
:]iiJM]S*]SB]
]Vt]O"]
>b]>b]%]
]Vu]8]i]Vy{]
JJ]Ev|]
%w'JJQ]VHw
W,Jf^dw']
1JJ$$]
/!l]E[a]
/KKlJJ
]Eq]V/]
KK]h]
]qplJJ]n
$7a.JJ]q
(]qGUJJ]
]V(]]V]]8]V]V]
X]yo]V(]]
(}]z]]
(]V/a]
/n$7hJJ\]
]/,]/]
PJJ$gwB]
Kwr]Vq]VwX]
H,*yJ]
CJJ$7]
a]VKK*]
l]J7lU]
]=X]/l]
!]iUJJ]#Y]
d*ydw]dJ]
KQ]~Fu
%AgHKH]
]io]yX<dH<sHQ
dLagFdHd
aJm^d;]]iM]8]
L}%H<]Vp]
*dFad]V
/~]i/]
MF]M]O]QdFd
HVdFg]V$]
dFaJ]V]V
]V5]VE]
M]VEJu]
X*]VdFddJa]V5]]
Qw*dF]
XuQPdF
]VRS]8F
g]]lyk]V2ga]VH%]
d]dygQ]
CQ]A%]
/n]S]V1
LdH]gH]
$gyP]VgFd]
@dHKQ]
P]VgHdFad]
ba"}]V
HgdF]/]
F]V'%]
cJcJ]V'Xgw<UJJ%]
'N]VH]]
n]VE-$1d]
dK](=]
]VJJJ$]V
K`|%H]
P;]V]V
Ju]MJu
T6]z]V]
{JJJ$$6]
M`8.JJZ5J
-$1dH
Fy]i0DKH]=]
JuJuJu
n]V]V]
]]VH<]
K=PPC]
P]c(]}cJu]V
"C]2`%HJ]
]Vu]V[]VYD]
KHJ];J]VE8]
*uG]V]V
]Vg]8]
_uw]M]gWa]y
L%whJJ}]
 ]vPdw]g]
+XKw]V
H]H](H]]
O<JJKwM<]
sJ]@J]
m*]VJ]V~n
L]Bi#=[]B
]m](3](
Ju<]}d
X]aw*(]
/P}]y(]VqZ\]V'
}]BKH<]v}]}
9<]9udH<]
<]Vg`]_
]g1JJ$]
EdHddFd
J]6O]iGJ]VdFg]
y]E]<]V/
{JuvJ]
]i2]X]X]VXJu
y#]V]i
3]EW]VE
]VEML]E}]
E<]E]VE
]Eh]E]
P]iy]y
]y]Vy=]yz]iy]y_]iyn]y]y]
]yw]iy]y*]iy]y9]y]y]iy]y]iy]yn]iy]y]iym]yE]iy]yh]
K]VyG]yL]iy
]y]iy]y]iy{]y5]iyp]y3]iy3]y]iyf]y]iyz]yu]iy]y]y
]y]iyB]y]iy]y
]yM]iyL]y
]iy]y.]
]iy]y]iy}]y]iy]y
]yn]y]iyX]y{]iy]yq]iy]y]y]y]iy]y]iy]y
]iy]y]y
]y]iy*]y]iy]yJ ]y]yc]
y{]y]iyp]yR]iy]y
]iy]yZ]
]iy]y]iyB]y]iy]y]
]y]iy]y]
y]iy]y]iy
]y]yM]yt]iy]yD]yQn]yr]iyX]y]y
]y]iy]yg]iy]y]iy]y]iy]y"]y
m]yH]iy]y
]y]iy!]y]iy]y]y]yo]iyr]yj]iy]yY]yB]y]iy]y]iy]y]iyL]y:]iy<]y]iy]y]
]iy]y]iy}]y]iy=]y(]yM]yQ]iy]y1]y
]y,]iy]y>]iy]y]iy]y~]iy]y]
'JJ]V~
aaJu$]
cuVdH]
>]y.`]?dF]V
*V]@PP]
]Fw*M]V
JJJ$]V
/gH<]/8dH]
]`HGM]
s]Vx]V|]
dF-y/dF]
QgHLdHL
]]](Q]Q](uQPb]s]
7gF<7JJJd]
zMsHdFgdH]
w](/]
K]VzH<
 VidF]
]"By]}A]8[8id]
F]A[]/V][]
Ju JJ]
`F]gH<]i]
H``]VDaHZ$
`Q*P]i
P]i=8]
=S]=]y=]
=7]V.0H<
Cu]VE]
$$gHdHH<*]+
r]]Vos]VHL
]V*]VQ
77Ju,]VwWJ]
~dHH,gH7]V
QgwB]V
8]dFG]@dF
]V]V]V
u]V/8];]V+u]
BnT JJ$P(]i`]
/7.]V.]/
JJ$]/$]
]/$ ]/$]V
f<]E]]
]7]T]V]QP]
]iPPPPlP|P1P]
]V%HJJ]
]V{V%H<
]V<]V{
]YdF7FgFP
X]VZ]V]E
dH<gH](0$]V0QddH<Z`dH=;g;dF
4JgF]]
]]onP]on]
]Bb]t$]
]t$]E]t$](]t$]E
9]d]@]
g'JJJKKUJJ]
72]i]V
\>]>JJd]
l"FJJKH]
|QJJ%HEf]
$$]EhJJ]|]V|]
>JJ]V&dJ]
]vhPj]i]
$>JJ]h
J7{hJJ]
]V/.]]V
J]Ah]A]AHd]
]V]V,]
s]/]g]
]kY]k]@]
]Vj](Db]V
EdHH*]V
dH<PQP-]
{]]M%]VT]Ey]
]V2]#:]
;J@,J@*]
}Lsdwd4d
dgzPu]
]VSw$#]
"$$Pwu
"KNdEw*J]
"duCd`w'u
.Qu\]VC"Jw*C"JJJw]
.gHuwuC
1.JJw']Iu
]@,]yuH]
gHdH?;J@^
PJuJ*Jn^$rP
7QG53P
hJJd"CJJu
b]VdJw*EJ@JJGPQ
?;"Cdd1
Vi*CG]
u%VP=]Ouydg
*G*Vd
*",JJ$]=]
w]V]0]0d
dw'*"]VlO]
]/g]/G
{{{6{m{{{
{{-{{'{VZ
ZXZZ"ZZ/ZZfZrZZtZLZQ
VGGGGGQ]V/Vm/]V
=vMv]E]
v}8]VM=OM
]s]ss]
HI0b2F
mN*u:Wn
J1n{>yR/
,]ZJJJJ]
]V/,]i
^]]j^]i
^]i&m]]*N*Np]
umC0.N9
Sm*Q*N9m:
EI*k**Nk
HoQCNk*]
S`Hk*]
S*HNNNb]
ajQCSk*Nk
Fu*k:*
kN9*N:I*]i
("SNkS
mS*J]V
mk9SNj]
]n]/I]
/82:N]Em
*]/F*Nk9]wXN
9**S*]=]
mkuN]V]
Q]V8z]9m?9m*?]
?*??*NS
S*N$0?H
xQ*N*N
m:_QN]V
k*kSkW
?*Num?
Fk9N*Ck
]nnS9N*NS:]9*
MHmNNH*
MNNNM@u]KV]
*MSM*Mm9kkMm]
]V/xFk]
]yM]@]
]N]]}9N
@S?k@]
:"HSN?]V/]
20H]EH
nnS*]@
Sk*SS9Nkm*
0NNM@**m]
]]}nHHHH]]VVHMCHMI]y]o]V/"]V]]XhQ]]s]Vqmu9*0
]V99m*M
@@]VV]V
0]num]@]V
9]}S]8
S]]V]V
]}}]MnSS*9]
kS9Sk*9SNk]
XW9k9S]
SNS9Su9]Vg9Smm]
]V/i99*]
9N9]V/=
X]V/mS
*S]m*S
N]S9ukSN]
mN*9*]
w]Vuk]
k9m]Vm9
kN]V]V]
]MS]VwS]V
N]V69]
C]/?]M]i2]wnnWnnnV
XXXXwX^XXrX<XM
nnmndnn|nn
BQXEXXMXX
Bo) Q9 
T)<XXXXX
X2XXSXNX
XjXXXXhX
]V/4(n}nznxn
X}XXXX"XXmXX
XZX\XRX
XXX1X'X=
Su!zYj4EI*
XnXXXXXX~XX)XX
%Bo|.8'
(M2a:j
XXXXX0X6XXXKXXXXXX|X
@IkWd~>,1Q(`%
7]V/PmBvnnnnznnnJn]
AXnX/XgX
XXXX'XhX
}p!3f
]V/Ln,]
>n4*1$VY
![H/?e
x'P{~f
DRO6(=
X@2-A`dB
kernel32.dll
VirtualProtect

Process Tree

0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe (1848) "C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe"
- acrotray.exe (1988) "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe"
  - acrotray.exe (2376) "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe"
  - acrotray .exe (2388) "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe"
    - acrotray .exe (2728) "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe"
- 0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe (3052) "C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe" C:\Users\Administrator\AppData\Local\Temp\0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe"

0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe, PID: 1848, Parent PID: 844

default registry file network process services synchronisation iexplore office pdf

0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe, PID: 3052, Parent PID: 1848

default registry file network process services synchronisation iexplore office pdf

acrotray.exe, PID: 1988, Parent PID: 1848

default registry file network process services synchronisation iexplore office pdf

acrotray.exe, PID: 2376, Parent PID: 1988

default registry file network process services synchronisation iexplore office pdf

acrotray .exe, PID: 2388, Parent PID: 1988

default registry file network process services synchronisation iexplore office pdf

acrotray .exe, PID: 2728, Parent PID: 2388

default registry file network process services synchronisation iexplore office pdf

Hosts

IP
114.114.114.114
173.255.194.134

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
www2.megawebfind.com	A 198.58.118.167 A 45.33.18.44 A 45.56.79.23 A 96.126.123.244 A 45.33.20.235 A 45.33.30.197 A 45.79.19.196 A 72.14.185.43 A 45.33.23.183 A 173.255.194.134 A 72.14.178.174 A 45.33.2.79	45.33.30.197

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53179	224.0.0.252	5355
192.168.56.101	49642	224.0.0.252	5355
192.168.56.101	137	192.168.56.255	137
192.168.56.101	61714	114.114.114.114	53
192.168.56.101	56933	114.114.114.114	53
192.168.56.101	138	192.168.56.255	138
192.168.56.101	58485	114.114.114.114	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name	5df0aa6c3dffee62_acrotray.exe
Filepath	C:\Program Files (x86)\Adobe\acrotray.exe
Size	673.8KB
Processes	1848 (0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`df2ef9651ba004c3960d26068b8bb469`
SHA1	`f150df37d3c497122f05e3ab08209b97a24cf17a`
SHA256	`5df0aa6c3dffee62b8177a40e961eb49c58373909aaa59659f48a4ab58651d6b`
CRC32	`45BEDFA0`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Name	ce22679c2c7fd0da_360tptmon.exe
Filepath	C:\Program Files (x86)\360\360TptMon\360tptmon.exe
Size	697.3KB
Processes	1848 (0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6589c6534dfaf6b53be2a9d789636830`
SHA1	`5b2450dc1a952e885641184a850dfe6ab88ce2c2`
SHA256	`ce22679c2c7fd0da7cae2a1ea3f6054bb2020309e4350f4361c99b4772a38341`
CRC32	`80F1CF24`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Name	72602b38480beba0_acrotray .exe
Filepath	C:\Program Files (x86)\Adobe\acrotray .exe
Size	666.8KB
Processes	1848 (0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fd80f6f4569a77afe98f87f709415640`
SHA1	`6147ff471e8a7829286bd2e309da247ca3be80b6`
SHA256	`72602b38480beba0e277598e2e7570d5e096abf6200179cb9293e69851aeff51`
CRC32	`41611ABB`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Name	4f89735d10b256b7_360drvmgr.exe
Filepath	C:\Program Files (x86)\360\360DrvMgr\360drvmgr.exe
Size	670.5KB
Processes	1848 (0240b429c3c878f2e5c6145faba2d80d7164a87bcff2913ecb98f59f681321d8.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`87d9986543cc28ca641802cb6d1d2f9d`
SHA1	`7eebb2ad0497d6efd01cdf54328c715321cbbdf2`
SHA256	`4f89735d10b256b73810bdfb773b3cf769b9e33c050014a0dde153a87183215e`
CRC32	`B954D633`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Sorry! No dropped buffers.