SmartHawk

13.4

0-day

该样本未表现出任何异常！

重新分析

下载样本

eddc999a7e76c2af01abaa813a903686f6f5b7ff94a7587c071bf2d2243b5239

797b0bdc1778264f7cd5f3e4a74b2559.exe

分析耗时

74s

最近分析

文件大小

7.9MB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

未检测暂无反病毒引擎检测结果

Queries for the computername (5 个事件)

Time & API	Arguments	Status	Return
1619651983.357374 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619652002.842374 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619651995.669876 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619652034.419876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619651996.310124 GetComputerNameA	computer_name: OSKAR-PC	success	1

This executable is signed

Tries to locate where the browsers are installed (2 个事件)

file	C:\Program Files (x86)\Mozilla Firefox
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619651979.497751 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.ndata

One or more processes crashed (50 out of 78 个事件)

Time & API	Arguments	Status
1619651983.138374 __exception__	stacktrace: 0x7ebc10e0 0x7ebc0f90 registers.esp: 5962664 registers.edi: 17543408 registers.eax: 0 registers.ebp: 5962692 registers.edx: 0 registers.ebx: 3832190272 registers.esi: 10219520 registers.ecx: 53425588 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.138374 __exception__	stacktrace: 0x7ebc10e0 0x7ebc0f90 registers.esp: 5962664 registers.edi: 5962664 registers.eax: 0 registers.ebp: 5962692 registers.edx: 2 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962700 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.138374 __exception__	stacktrace: 0x7ebc10e0 0x7ebc0f90 registers.esp: 5962664 registers.edi: 5962664 registers.eax: 0 registers.ebp: 5962692 registers.edx: 0 registers.ebx: 11148094 registers.esi: 0 registers.ecx: 5962700 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.138374 __exception__	stacktrace: 0x7ebc10e0 0x7ebc0f90 registers.esp: 5962664 registers.edi: 5962664 registers.eax: 0 registers.ebp: 5962692 registers.edx: 0 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962700 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.138374 __exception__	stacktrace: 0x7ebc10e0 0x7ebc0f90 registers.esp: 5962664 registers.edi: 5962664 registers.eax: 0 registers.ebp: 5962692 registers.edx: 2 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962700 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.138374 __exception__	stacktrace: 0x7ebc10e0 0x7ebc0f90 registers.esp: 5962664 registers.edi: 5962664 registers.eax: 0 registers.ebp: 5962692 registers.edx: 2 registers.ebx: 11148094 registers.esi: 0 registers.ecx: 5962700 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.170374 __exception__	stacktrace: 0x7ebc1c20 0x7ebc1860 registers.esp: 5962580 registers.edi: 11401892 registers.eax: 0 registers.ebp: 5962608 registers.edx: 0 registers.ebx: 6025216 registers.esi: 10219520 registers.ecx: 10219520 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.170374 __exception__	stacktrace: 0x7ebc1c20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 2 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.170374 __exception__	stacktrace: 0x7ebc1c20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 2 registers.ebx: 11148094 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.170374 __exception__	stacktrace: 0x7ebc1c20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 2 registers.ebx: 11148094 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.170374 __exception__	stacktrace: 0x7ebc1c20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 2 registers.ebx: 11148094 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.170374 __exception__	stacktrace: 0x7ebc1c20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 2 registers.ebx: 11148094 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.170374 __exception__	stacktrace: 0x7ebc1c20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 0 registers.ebx: 11148094 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.170374 __exception__	stacktrace: 0x7ebc1c20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 0 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.357374 __exception__	stacktrace: 0x7ebc2340 0x7ebc1860 registers.esp: 5962580 registers.edi: 11401892 registers.eax: 0 registers.ebp: 5962608 registers.edx: 0 registers.ebx: 4 registers.esi: 4294967295 registers.ecx: 0 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.373374 __exception__	stacktrace: 0x7ebc2340 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 2 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.404374 __exception__	stacktrace: 0x7ebc23a0 0x7ebc1860 registers.esp: 5962580 registers.edi: 11356749 registers.eax: 2324 registers.ebp: 5962608 registers.edx: 5962616 registers.ebx: 4 registers.esi: 4294919751 registers.ecx: 0 exception.instruction_r: cc 68 ae 3d 27 36 e9 16 37 b3 ff c8 43 3a 10 9d exception.instruction: int3 exception.module: 00.exe exception.exception_code: 0x80000003 exception.offset: 7242515 exception.address: 0xfd8313	success
1619651983.467374 __exception__	stacktrace: registers.esp: 5962580 registers.edi: 11401892 registers.eax: 4 registers.ebp: 1111705675 registers.edx: 0 registers.ebx: 4 registers.esi: 4294967295 registers.ecx: 4109893632 exception.instruction_r: cc 68 ed 3d 27 36 e9 79 36 b3 ff 0f 13 89 44 c7 exception.instruction: int3 exception.module: 00.exe exception.exception_code: 0x80000003 exception.offset: 7242672 exception.address: 0xfd83b0	success
1619651983.467374 __exception__	stacktrace: 0x7ebc26a0 0x7ebc1860 registers.esp: 5962580 registers.edi: 11401892 registers.eax: 0 registers.ebp: 5962608 registers.edx: 2 registers.ebx: 4 registers.esi: 4294967295 registers.ecx: 0 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.467374 __exception__	stacktrace: 0x7ebc26a0 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 0 registers.ebx: 11148094 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.467374 __exception__	stacktrace: 0x7ebc26a0 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 2 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.482374 __exception__	stacktrace: 0x7ebc2b20 0x7ebc1860 registers.esp: 5962580 registers.edi: 11401892 registers.eax: 0 registers.ebp: 5962608 registers.edx: 2 registers.ebx: 4 registers.esi: 4294967295 registers.ecx: 3745010411 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.482374 __exception__	stacktrace: 0x7ebc2b20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 0 registers.ebx: 11148094 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.482374 __exception__	stacktrace: 0x7ebc2b20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 0 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.482374 __exception__	stacktrace: 0x7ebc2b20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 0 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.498374 __exception__	stacktrace: 0x7ebc2b20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 2 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651983.498374 __exception__	stacktrace: 0x7ebc2b20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 0 registers.ebx: 11148094 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.498374 __exception__	stacktrace: 0x7ebc2b20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 0 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.498374 __exception__	stacktrace: 0x7ebc2b20 0x7ebc1860 registers.esp: 5962580 registers.edi: 5962580 registers.eax: 0 registers.ebp: 5962608 registers.edx: 0 registers.ebx: 11148051 registers.esi: 0 registers.ecx: 5962616 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 00.exe exception.exception_code: 0xc0000094 exception.offset: 1776381 exception.address: 0xaa1afd	success
1619651983.607374 __exception__	stacktrace: 0x7ebc2dc0 0x7ebc1860 registers.esp: 5962580 registers.edi: 11401892 registers.eax: 0 registers.ebp: 5962608 registers.edx: 2 registers.ebx: 4 registers.esi: 4294967295 registers.ecx: 1166656051 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 00.exe exception.exception_code: 0xc000001d exception.offset: 1776424 exception.address: 0xaa1b28	success
1619651995.247876 __exception__	stacktrace: 0x7ebc0d70 0x7ebc0c20 registers.esp: 16121388 registers.edi: 10834160 registers.eax: 0 registers.ebp: 16121416 registers.edx: 0 registers.ebx: 3009696878 registers.esi: 3469312 registers.ecx: 52639156 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 333.exe exception.exception_code: 0xc0000094 exception.offset: 1645309 exception.address: 0x431afd	success
1619651995.247876 __exception__	stacktrace: 0x7ebc0d70 0x7ebc0c20 registers.esp: 16121388 registers.edi: 16121388 registers.eax: 0 registers.ebp: 16121416 registers.edx: 2 registers.ebx: 4397843 registers.esi: 0 registers.ecx: 16121424 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 333.exe exception.exception_code: 0xc000001d exception.offset: 1645352 exception.address: 0x431b28	success
1619651995.247876 __exception__	stacktrace: 0x7ebc0d70 0x7ebc0c20 registers.esp: 16121388 registers.edi: 16121388 registers.eax: 0 registers.ebp: 16121416 registers.edx: 0 registers.ebx: 4397886 registers.esi: 0 registers.ecx: 16121424 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 333.exe exception.exception_code: 0xc0000094 exception.offset: 1645309 exception.address: 0x431afd	success
1619651995.247876 __exception__	stacktrace: 0x7ebc0d70 0x7ebc0c20 registers.esp: 16121388 registers.edi: 16121388 registers.eax: 0 registers.ebp: 16121416 registers.edx: 2 registers.ebx: 4397843 registers.esi: 0 registers.ecx: 16121424 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 333.exe exception.exception_code: 0xc000001d exception.offset: 1645352 exception.address: 0x431b28	success
1619651995.247876 __exception__	stacktrace: 0x7ebc0d70 0x7ebc0c20 registers.esp: 16121388 registers.edi: 16121388 registers.eax: 0 registers.ebp: 16121416 registers.edx: 2 registers.ebx: 4397886 registers.esi: 0 registers.ecx: 16121424 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 333.exe exception.exception_code: 0xc000001d exception.offset: 1645352 exception.address: 0x431b28	success
1619651995.247876 __exception__	stacktrace: 0x7ebc0d70 0x7ebc0c20 registers.esp: 16121388 registers.edi: 16121388 registers.eax: 0 registers.ebp: 16121416 registers.edx: 0 registers.ebx: 4397886 registers.esi: 0 registers.ecx: 16121424 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 333.exe exception.exception_code: 0xc0000094 exception.offset: 1645309 exception.address: 0x431afd	success
1619651995.278876 __exception__	stacktrace: 0x7ebc18b0 0x7ebc14f0 registers.esp: 16121304 registers.edi: 4651684 registers.eax: 0 registers.ebp: 16121332 registers.edx: 2 registers.ebx: 4294242304 registers.esi: 3469312 registers.ecx: 3469312 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 333.exe exception.exception_code: 0xc000001d exception.offset: 1645352 exception.address: 0x431b28	success
1619651995.278876 __exception__	stacktrace: 0x7ebc18b0 0x7ebc14f0 registers.esp: 16121304 registers.edi: 16121304 registers.eax: 0 registers.ebp: 16121332 registers.edx: 2 registers.ebx: 4397886 registers.esi: 0 registers.ecx: 16121340 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 333.exe exception.exception_code: 0xc000001d exception.offset: 1645352 exception.address: 0x431b28	success
1619651995.278876 __exception__	stacktrace: 0x7ebc18b0 0x7ebc14f0 registers.esp: 16121304 registers.edi: 16121304 registers.eax: 0 registers.ebp: 16121332 registers.edx: 0 registers.ebx: 4397886 registers.esi: 0 registers.ecx: 16121340 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 333.exe exception.exception_code: 0xc0000094 exception.offset: 1645309 exception.address: 0x431afd	success
1619651995.669876 __exception__	stacktrace: 0x7ebc1fd0 0x7ebc14f0 registers.esp: 16121304 registers.edi: 4651684 registers.eax: 0 registers.ebp: 16121332 registers.edx: 2 registers.ebx: 4 registers.esi: 4294967295 registers.ecx: 3477979759 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 333.exe exception.exception_code: 0xc000001d exception.offset: 1645352 exception.address: 0x431b28	success
1619651995.669876 __exception__	stacktrace: 0x7ebc2030 0x7ebc14f0 registers.esp: 16121304 registers.edi: 4606541 registers.eax: 2324 registers.ebp: 16121332 registers.edx: 16121340 registers.ebx: 4 registers.esi: 4294919751 registers.ecx: 0 exception.instruction_r: cc 68 f4 9d 65 83 e9 27 9f b1 ff 0e 55 9b 21 68 exception.instruction: int3 exception.module: 333.exe exception.exception_code: 0x80000003 exception.offset: 7215874 exception.address: 0x981b02	success
1619651995.716876 __exception__	stacktrace: registers.esp: 16121304 registers.edi: 4651684 registers.eax: 4 registers.ebp: 1111705675 registers.edx: 0 registers.ebx: 4 registers.esi: 4294967295 registers.ecx: 94961664 exception.instruction_r: cc 68 e6 85 65 83 e9 c6 8b b1 ff ba ee a8 5b 28 exception.instruction: int3 exception.module: 333.exe exception.exception_code: 0x80000003 exception.offset: 7220835 exception.address: 0x982e63	success
1619651995.716876 __exception__	stacktrace: 0x7ebc2330 0x7ebc14f0 registers.esp: 16121304 registers.edi: 4651684 registers.eax: 0 registers.ebp: 16121332 registers.edx: 0 registers.ebx: 4 registers.esi: 4294967295 registers.ecx: 0 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 333.exe exception.exception_code: 0xc0000094 exception.offset: 1645309 exception.address: 0x431afd	success
1619651995.716876 __exception__	stacktrace: 0x7ebc2330 0x7ebc14f0 registers.esp: 16121304 registers.edi: 16121304 registers.eax: 0 registers.ebp: 16121332 registers.edx: 0 registers.ebx: 4397843 registers.esi: 0 registers.ecx: 16121340 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 333.exe exception.exception_code: 0xc0000094 exception.offset: 1645309 exception.address: 0x431afd	success
1619651995.731876 __exception__	stacktrace: 0x7ebc2330 0x7ebc14f0 registers.esp: 16121304 registers.edi: 16121304 registers.eax: 0 registers.ebp: 16121332 registers.edx: 0 registers.ebx: 4397843 registers.esi: 0 registers.ecx: 16121340 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 333.exe exception.exception_code: 0xc0000094 exception.offset: 1645309 exception.address: 0x431afd	success
1619651995.731876 __exception__	stacktrace: 0x7ebc2330 0x7ebc14f0 registers.esp: 16121304 registers.edi: 16121304 registers.eax: 0 registers.ebp: 16121332 registers.edx: 2 registers.ebx: 4397843 registers.esi: 0 registers.ecx: 16121340 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 333.exe exception.exception_code: 0xc000001d exception.offset: 1645352 exception.address: 0x431b28	success
1619651995.747876 __exception__	stacktrace: 0x7ebc27b0 0x7ebc14f0 registers.esp: 16121304 registers.edi: 4651684 registers.eax: 0 registers.ebp: 16121332 registers.edx: 2 registers.ebx: 4 registers.esi: 4294967295 registers.ecx: 0 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 333.exe exception.exception_code: 0xc000001d exception.offset: 1645352 exception.address: 0x431b28	success
1619651995.747876 __exception__	stacktrace: 0x7ebc27b0 0x7ebc14f0 registers.esp: 16121304 registers.edi: 16121304 registers.eax: 0 registers.ebp: 16121332 registers.edx: 0 registers.ebx: 4397886 registers.esi: 0 registers.ecx: 16121340 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 333.exe exception.exception_code: 0xc0000094 exception.offset: 1645309 exception.address: 0x431afd	success
1619651995.747876 __exception__	stacktrace: 0x7ebc27b0 0x7ebc14f0 registers.esp: 16121304 registers.edi: 16121304 registers.eax: 0 registers.ebp: 16121332 registers.edx: 0 registers.ebx: 4397843 registers.esi: 0 registers.ecx: 16121340 exception.instruction_r: f7 f0 e8 c4 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: 333.exe exception.exception_code: 0xc0000094 exception.offset: 1645309 exception.address: 0x431afd	success
1619651995.747876 __exception__	stacktrace: 0x7ebc27b0 0x7ebc14f0 registers.esp: 16121304 registers.edi: 16121304 registers.eax: 0 registers.ebp: 16121332 registers.edx: 2 registers.ebx: 4397843 registers.esi: 0 registers.ecx: 16121340 exception.instruction_r: 0f 0b e8 99 3f 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: 333.exe exception.exception_code: 0xc000001d exception.offset: 1645352 exception.address: 0x431b28	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 个事件)

request	GET http://ip-api.com/line
request	GET http://ip-api.com/line/

Resolves a suspicious Top Level Domain (TLD) (1 个事件)

domain

tworr03.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 609 个事件)

Time & API	Arguments	Status
1619651979.512751 NtProtectVirtualMemory	process_identifier: 3056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74711000	success
1619651979.512751 NtProtectVirtualMemory	process_identifier: 3056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76881000	success
1619651981.184751 NtProtectVirtualMemory	process_identifier: 3056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x10001000	success
1619651981.200751 NtProtectVirtualMemory	process_identifier: 3056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74f91000	success
1619651982.606751 NtProtectVirtualMemory	process_identifier: 3056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74f82000	success
1619651982.951374 NtProtectVirtualMemory	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74451000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01700000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01704000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01708000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01728000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0172c000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01734000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01758000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0175c000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01764000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01768000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0176c000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01770000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01774000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01778000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0177c000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01780000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01784000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01788000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0178c000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01790000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01794000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01798000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0179c000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017a0000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017a4000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017a8000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017ac000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017b0000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017b4000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017b8000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017bc000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017c0000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017c4000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017c8000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017cc000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017d0000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017d4000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017d8000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017dc000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017e0000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017e4000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017e8000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017ec000	success
1619651982.982374 NtAllocateVirtualMemory	process_identifier: 2196 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x017f0000	success

A process attempted to delay the analysis task. (3 个事件)

description	333.exe tried to sleep 212 seconds, actually delayed analysis time by 212 seconds
description	krinj.exe tried to sleep 210 seconds, actually delayed analysis time by 210 seconds
description	00.exe tried to sleep 278 seconds, actually delayed analysis time by 278 seconds

Steals private information from local Internet browsers (50 out of 59 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookiesm-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Login Dataf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Datam-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Login Datam
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\Login Datam
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Datam-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Datam-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\Login Dataf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Dataf-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\Cookiesm
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Web Dataf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Dataf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\Cookiesf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\Cookiesm
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Datam
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Web Datam
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookiesf-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\Login Dataf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\Cookies
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Dataf-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Dataf-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Datam
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookiesm-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Dataf-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookiesm
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Datam-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookiesf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookiesf-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\Web Dataf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\Cookiesf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Cookiesf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\Web Dataf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\Web Datam
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Cookiesm
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\Web Datam
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Dataf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\Login Datam
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Datam

Looks up the external IP address (1 个事件)

domain

ip-api.com

Creates executable files on the filesystem (6 个事件)

file	C:\Program Files (x86)\Lovin\execute\Setup.vbs
file	C:\Program Files (x86)\Lovin\execute\krinj.exe
file	C:\Program Files (x86)\Lovin\execute\00.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl604C.tmp\UAC.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl604C.tmp\nsExec.dll
file	C:\Program Files (x86)\Lovin\execute\333.exe

Drops an executable to the user AppData folder (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl604C.tmp\nsExec.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl604C.tmp\UAC.dll

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619651984.967374 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Attempts to identify installed AV products by installation directory (12 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\AVAST Software\Browser\User Data\Default\Cookies
file	C:\Users\Administrator.Oskar-PC\AppData\Local\AVAST Software\Browser\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\AVAST Software\Browser\User Data\Default\Web Datam
file	C:\ProgramData\AVAST Software
file	C:\Users\Administrator.Oskar-PC\AppData\Local\AVAST Software\Browser\User Data\Default\Login Dataf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\AVAST Software\Browser\User Data\Default\Web Dataf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\AVAST Software\Browser\User Data\Default\Cookiesm
file	C:\Users\Administrator.Oskar-PC\AppData\Local\AVAST Software\Browser\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\AVAST Software\Browser\User Data\Default\Cookiesf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\AVAST Software\Browser\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\AVAST Software\Browser\User Data\Default\Login Datam
file	C:\ProgramData\AVG

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	\??\SICE
file	\??\SIWDEBUG
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (3 个事件)

Time & API	Arguments	Status
1619651983.404374 FindWindowA	class_name: OLLYDBG window_name:	failed
1619651995.669876 FindWindowA	class_name: OLLYDBG window_name:	failed
1619651996.326124 FindWindowA	class_name: OLLYDBG window_name:	failed

Checks the CPU name from registry, possibly for anti-virtualization (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (2 个事件)

file	C:\ProgramData\ZWTPfZX4oUcu\files_\cryptocurrency\Electrum\wallets
file	C:\ProgramData\T4rMvzjMusb\_Files\_Wallet\Electrum\wallets

Collects information about installed applications (16 个事件)

Time & API	Arguments	Status
1619652002.920374 RegQueryValueExW	key_handle: 0x000004c0 value: Microsoft .NET Framework 4 Client Profile regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Client Profile\DisplayName	success
1619652002.935374 RegQueryValueExW	key_handle: 0x00000494 value: Microsoft .NET Framework 4 Extended regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Extended\DisplayName	success
1619652002.951374 RegQueryValueExW	key_handle: 0x000004c0 value: Oracle VM VirtualBox Guest Additions 6.1.18 regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayName	success
1619652002.982374 RegQueryValueExW	key_handle: 0x00000494 value: Microsoft .NET Framework 4 Extended regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}\DisplayName	success
1619652002.982374 RegQueryValueExW	key_handle: 0x000004c0 value: Python 2.7.18 (64-bit) regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName	success
1619652002.998374 RegQueryValueExW	key_handle: 0x00000494 value: Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}\DisplayName	success
1619652003.013374 RegQueryValueExW	key_handle: 0x000004c0 value: Microsoft .NET Framework 4 Client Profile regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}\DisplayName	success
1619652003.045374 RegQueryValueExW	key_handle: 0x00000494 value: Google Chrome regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	success
1619652034.497876 RegQueryValueExW	key_handle: 0x0000051c value: Microsoft .NET Framework 4 Client Profile regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Client Profile\DisplayName	success
1619652034.512876 RegQueryValueExW	key_handle: 0x00000518 value: Microsoft .NET Framework 4 Extended regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Extended\DisplayName	success
1619652034.528876 RegQueryValueExW	key_handle: 0x0000051c value: Oracle VM VirtualBox Guest Additions 6.1.18 regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayName	success
1619652034.559876 RegQueryValueExW	key_handle: 0x00000518 value: Microsoft .NET Framework 4 Extended regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}\DisplayName	success
1619652034.559876 RegQueryValueExW	key_handle: 0x0000051c value: Python 2.7.18 (64-bit) regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName	success
1619652034.575876 RegQueryValueExW	key_handle: 0x00000518 value: Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}\DisplayName	success
1619652034.591876 RegQueryValueExW	key_handle: 0x0000051c value: Microsoft .NET Framework 4 Client Profile regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}\DisplayName	success
1619652034.622876 RegQueryValueExW	key_handle: 0x00000518 value: Google Chrome regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	success

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (22 个事件)

Time & API	Arguments	Status
1619651987.513374 RegSetValueExA	key_handle: 0x00000478 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619651987.513374 RegSetValueExA	key_handle: 0x00000478 value: (<× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619651987.513374 RegSetValueExA	key_handle: 0x00000478 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619651987.513374 RegSetValueExW	key_handle: 0x00000478 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619651987.513374 RegSetValueExA	key_handle: 0x0000048c value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619651987.513374 RegSetValueExA	key_handle: 0x0000048c value: (<× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619651987.513374 RegSetValueExA	key_handle: 0x0000048c value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619651989.232374 RegSetValueExA	key_handle: 0x000004a4 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619651989.232374 RegSetValueExA	key_handle: 0x000004a4 value: ß)<× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619651989.232374 RegSetValueExA	key_handle: 0x000004a4 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619651989.232374 RegSetValueExW	key_handle: 0x000004a4 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619651989.232374 RegSetValueExA	key_handle: 0x000004a8 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619651989.232374 RegSetValueExA	key_handle: 0x000004a8 value: ß)<× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619651989.232374 RegSetValueExA	key_handle: 0x000004a8 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619651986.934999 RegSetValueExA	key_handle: 0x000004ac value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619651986.950999 RegSetValueExA	key_handle: 0x000004ac value: p`'<× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619651986.950999 RegSetValueExA	key_handle: 0x000004ac value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619651986.950999 RegSetValueExW	key_handle: 0x000004ac value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619651986.950999 RegSetValueExA	key_handle: 0x000004c0 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619651986.950999 RegSetValueExA	key_handle: 0x000004c0 value: p`'<× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619651986.950999 RegSetValueExA	key_handle: 0x000004c0 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619651986.966999 RegSetValueExW	key_handle: 0x000004a8 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Network activity contains more than one unique useragent (3 个事件)

process	00.exe	useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
process	cscript.exe	useragent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
process	krinj.exe	useragent	AutoHotkey

Detects VirtualBox through the presence of a registry key (2 个事件)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayVersion
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayName

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	192.168.56.101:49181
dead_host	192.168.56.101:49193

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2012-02-25 03:20:04

Imports

Library KERNEL32.dll:

• 0x409060 SetFileTime

• 0x409064 CompareFileTime

• 0x409068 SearchPathW

• 0x40906c GetShortPathNameW

• 0x409070 GetFullPathNameW

• 0x409074 MoveFileW

• 0x409078 SetCurrentDirectoryW

• 0x40907c GetFileAttributesW

• 0x409080 GetLastError

• 0x409084 CreateDirectoryW

• 0x409088 SetFileAttributesW

• 0x40908c Sleep

• 0x409090 GetTickCount

• 0x409094 GetFileSize

• 0x409098 GetModuleFileNameW

• 0x40909c GetCurrentProcess

• 0x4090a0 CopyFileW

• 0x4090a4 ExitProcess

• 0x4090a8 GetWindowsDirectoryW

• 0x4090ac GetTempPathW

• 0x4090b0 GetCommandLineW

• 0x4090b4 SetErrorMode

• 0x4090b8 lstrcpynA

• 0x4090bc CloseHandle

• 0x4090c0 lstrcpynW

• 0x4090c4 GetDiskFreeSpaceW

• 0x4090c8 GlobalUnlock

• 0x4090cc GlobalLock

• 0x4090d0 CreateThread

• 0x4090d4 LoadLibraryW

• 0x4090d8 CreateProcessW

• 0x4090dc lstrcmpiA

• 0x4090e0 CreateFileW

• 0x4090e4 GetTempFileNameW

• 0x4090e8 lstrcatW

• 0x4090ec GetProcAddress

• 0x4090f0 LoadLibraryA

• 0x4090f4 GetModuleHandleA

• 0x4090f8 OpenProcess

• 0x4090fc lstrcpyW

• 0x409100 GetVersionExW

• 0x409104 GetSystemDirectoryW

• 0x409108 GetVersion

• 0x40910c lstrcpyA

• 0x409110 RemoveDirectoryW

• 0x409114 lstrcmpA

• 0x409118 lstrcmpiW

• 0x40911c lstrcmpW

• 0x409120 ExpandEnvironmentStringsW

• 0x409124 GlobalAlloc

• 0x409128 WaitForSingleObject

• 0x40912c GetExitCodeProcess

• 0x409130 GlobalFree

• 0x409134 GetModuleHandleW

• 0x409138 LoadLibraryExW

• 0x40913c FreeLibrary

• 0x409140 WritePrivateProfileStringW

• 0x409144 GetPrivateProfileStringW

• 0x409148 WideCharToMultiByte

• 0x40914c lstrlenA

• 0x409150 MulDiv

• 0x409154 WriteFile

• 0x409158 ReadFile

• 0x40915c MultiByteToWideChar

• 0x409160 SetFilePointer

• 0x409164 FindClose

• 0x409168 FindNextFileW

• 0x40916c FindFirstFileW

• 0x409170 DeleteFileW

• 0x409174 lstrlenW

Library USER32.dll:

• 0x409198 GetAsyncKeyState

• 0x40919c IsDlgButtonChecked

• 0x4091a0 ScreenToClient

• 0x4091a4 GetMessagePos

• 0x4091a8 CallWindowProcW

• 0x4091ac IsWindowVisible

• 0x4091b0 LoadBitmapW

• 0x4091b4 CloseClipboard

• 0x4091b8 SetClipboardData

• 0x4091bc EmptyClipboard

• 0x4091c0 OpenClipboard

• 0x4091c4 TrackPopupMenu

• 0x4091c8 GetWindowRect

• 0x4091cc AppendMenuW

• 0x4091d0 CreatePopupMenu

• 0x4091d4 GetSystemMetrics

• 0x4091d8 EndDialog

• 0x4091dc EnableMenuItem

• 0x4091e0 GetSystemMenu

• 0x4091e4 SetClassLongW

• 0x4091e8 IsWindowEnabled

• 0x4091ec SetWindowPos

• 0x4091f0 DialogBoxParamW

• 0x4091f4 CheckDlgButton

• 0x4091f8 CreateWindowExW

• 0x4091fc SystemParametersInfoW

• 0x409200 RegisterClassW

• 0x409204 SetDlgItemTextW

• 0x409208 GetDlgItemTextW

• 0x40920c MessageBoxIndirectW

• 0x409210 CharNextA

• 0x409214 CharUpperW

• 0x409218 CharPrevW

• 0x40921c wvsprintfW

• 0x409220 DispatchMessageW

• 0x409224 PeekMessageW

• 0x409228 wsprintfA

• 0x40922c DestroyWindow

• 0x409230 CreateDialogParamW

• 0x409234 SetTimer

• 0x409238 SetWindowTextW

• 0x40923c PostQuitMessage

• 0x409240 SetForegroundWindow

• 0x409244 ShowWindow

• 0x409248 wsprintfW

• 0x40924c SendMessageTimeoutW

• 0x409250 LoadCursorW

• 0x409254 SetCursor

• 0x409258 GetWindowLongW

• 0x40925c GetSysColor

• 0x409260 CharNextW

• 0x409264 GetClassInfoW

• 0x409268 ExitWindowsEx

• 0x40926c IsWindow

• 0x409270 GetDlgItem

• 0x409274 SetWindowLongW

• 0x409278 LoadImageW

• 0x40927c GetDC

• 0x409280 EnableWindow

• 0x409284 InvalidateRect

• 0x409288 SendMessageW

• 0x40928c DefWindowProcW

• 0x409290 BeginPaint

• 0x409294 GetClientRect

• 0x409298 FillRect

• 0x40929c DrawTextW

• 0x4092a0 EndPaint

• 0x4092a4 FindWindowExW

Library GDI32.dll:

• 0x40903c SetBkColor

• 0x409040 GetDeviceCaps

• 0x409044 DeleteObject

• 0x409048 CreateBrushIndirect

• 0x40904c CreateFontIndirectW

• 0x409050 SetBkMode

• 0x409054 SetTextColor

• 0x409058 SelectObject

Library SHELL32.dll:

• 0x40917c SHBrowseForFolderW

• 0x409180 SHGetPathFromIDListW

• 0x409184 SHGetFileInfoW

• 0x409188 ShellExecuteW

• 0x40918c SHFileOperationW

• 0x409190 SHGetSpecialFolderLocation

Library ADVAPI32.dll:

• 0x409000 RegEnumKeyW

• 0x409004 RegOpenKeyExW

• 0x409008 RegCloseKey

• 0x40900c RegDeleteKeyW

• 0x409010 RegDeleteValueW

• 0x409014 RegCreateKeyExW

• 0x409018 RegSetValueExW

• 0x40901c RegQueryValueExW

• 0x409020 RegEnumValueW

Library COMCTL32.dll:

• 0x409028 ImageList_AddMasked

• 0x40902c ImageList_Destroy

• 0x409030

• 0x409034 ImageList_Create

Library ole32.dll:

• 0x4092bc CoTaskMemFree

• 0x4092c0 OleInitialize

• 0x4092c4 OleUninitialize

• 0x4092c8 CoCreateInstance

Library VERSION.dll:

• 0x4092ac GetFileVersionInfoSizeW

• 0x4092b0 GetFileVersionInfoW

• 0x4092b4 VerQueryValueW

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
rrrload02.top
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
iplogger.org	A 88.99.66.31	88.99.66.31
tworr03.top
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
cedss04.top
ip-api.com	A 208.95.112.1	208.95.112.1
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49182	208.95.112.1 ip-api.com	80
192.168.56.101	49192	208.95.112.1 ip-api.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	61680	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://ip-api.com/line	GET /line HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ip-api.com Connection: Keep-Alive
http://ip-api.com/line/	GET /line/ HTTP/1.1 User-Agent: AutoHotkey Host: ip-api.com Cache-Control: no-cache

URI

Data

http://ip-api.com/line

GET /line HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: ip-api.com
Connection: Keep-Alive

http://ip-api.com/line/

GET /line/ HTTP/1.1
User-Agent: AutoHotkey
Host: ip-api.com
Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.