Score: 7.0 (High risk)

SHA256: 4983921d3469aff39daaa738072cdf18171a7c98184a0a810c9d81daac7082e4
Filename: 7d49aab031e7600956d2629d3330039a.exe (the filename is the sample's MD5)
Analysis duration: 94s
Last analysis:
File size: 678.5KB
Flagged by static analysis. Flagged by dynamic analysis.
Detection-name tokens: 100% AGENTTESLA AI SCORE=86 AIDETECTVM ALI2000015 AUTOG BUAIC4 CLASSIC CONFIDENCE DELF DELFINJECT DELPHILESS EMOY EMUW FAREIT HIGH CONFIDENCE HOXHXT IGENT KCLOUD KRYPTIK LOKIBOT MALREP MALWARE2 MALWARE@#1M4A637DBELXF NANOCORE PASSWORDSTEALER QGW@AQZOJNHI QVM05 S + TROJ SCORE STATIC AI SUSPICIOUS PE THIAABO TSCOPE UMWUC UNSAFE WPVI X2094 ZELPHIF
These tokens are fragments of many vendors' detection names. They name several unrelated families (AGENTTESLA, NANOCORE, LOKIBOT, FAREIT) next to packer and loader labels (DELF, DELFINJECT, KRYPTIK), so read the cloud as "Delphi-packed stealer/loader" rather than as an attribution to one family.
鹰眼 (Eagle Eye) engine
Not detected: no result from this engine yet.
Static verdict
Antivirus engines
Engine       Result                               Scan date  Engine version
Avast        Win32:Trojan-gen                     20201210   21.1.5827.0
Alibaba      Trojan:Win32/DelfInject.ali2000015   20190527   0.3.0.5
Baidu        (no result)                          20190318   1.0.0.2
Kingsoft     Win32.Troj.Undef.(kcloud)            20201211   2017.9.26.565
McAfee       Fareit-FVZ!7D49AAB031E7              20201211   6.0.6.653
Tencent      (no result)                          20201211   1.0.0.1
CrowdStrike  win/malicious_confidence_100% (W)    20190702   1.0
The scan dates span 2019 to 2020, so the rows are not from a single scan. The McAfee name embeds the first twelve hex digits of the file's MD5 (7D49AAB031E7): it is a per-sample signature, not a family name.
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
CODE, DATA and BSS are the default section names the Borland/Delphi linker emits, so on its own this signature only says the file was not built with the Microsoft toolchain. It is consistent with the BobSoft Mini Delphi match below rather than independent evidence of packing.
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (11 events)
Time & API Arguments Status Return Repeated
1619652152.306125
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75137f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75134de3
7d49aab031e7600956d2629d3330039a+0x40a4d @ 0x440a4d
7d49aab031e7600956d2629d3330039a+0x39254 @ 0x439254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3614ad
success 0 0

The other ten __exception__ events are this record with three values changed: the load addresses of mscoreei.dll and mscoree.dll (their frames shift together, the offsets stay the same) and exception.address. Every event has the same kernelbase, kernel32, ntdll and main-module frames (main module at 0x00400000), the same register values, exception code 0xc0000005 (access violation), an empty exception.symbol and status "success 0 0". The faulting address lies above 0x80000000, inside none of the modules on the stack, and ends in 0x14ad in all eleven events.

Time               mscoreei base  mscoree base  exception.address
1619652152.306125  0x75010000     0x75130000    0xff3614ad
1619652161.477875  0x750c0000     0x751c0000    0xfdb114ad
1619652166.10275   0x75010000     0x75130000    0xfd8a14ad
1619652171.80625   0x750c0000     0x751c0000    0xfdab14ad
1619652178.931125  0x75010000     0x75130000    0xff4714ad
1619652184.978125  0x750c0000     0x751c0000    0xfda514ad
1619652189.79      0x75010000     0x75130000    0xfdd714ad
1619652194.227875  0x749e0000     0x750e0000    0xfdae14ad
1619652198.789375  0x75010000     0x75130000    0xff4f14ad
1619652204.742375  0x750c0000     0x751c0000    0xfdb214ad
1619652209.664375  0x75010000     0x75130000    0xff3e14ad

What the stack says: the main module (the Delphi-packed executable, loaded at 0x00400000) calls mscoree!_CorExeMain, the entry point the CLR uses to run a managed executable, and the process faults during CLR start-up, with mscoreei!GetFileVersion calling kernelbase!CreateFileMappingW as the innermost recorded frames. The eleven faults are four to nine seconds apart and each one is followed by a new PID for the sample in the Process32NextW events further down, so the sample is being relaunched after every crash.
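The eleven crash records above are one stack trace modulo ASLR. As an added example, written for this page rather than taken from the report or from any sandbox project, the Python script below recovers each module's load address from the `module+offset @ address` frames, normalises traces so that runs differing only by load address compare equal, and says whether a faulting address falls inside any module on the stack. The 0x200000 per-module size window and the 0x80000000 user/kernel boundary are assumptions (the report gives no module sizes; the boundary is the default 32-bit split). The input is two of the report's traces abridged to seven frames each.

```python
import re

FRAME = re.compile(r"(?P<module>[\w.-]+)\+0x(?P<off>[0-9a-f]+) @ 0x(?P<addr>[0-9a-f]+)$")
KERNEL_BOUNDARY = 0x80000000   # user/kernel split of a 32-bit process (default, no /3GB); assumption
MODULE_WINDOW = 0x200000       # assumed upper bound on a module's size; the report gives no sizes


def module_bases(stacktrace: str) -> dict:
    """Recover each module's load address from 'symbol+off module+off @ addr' frames."""
    bases = {}
    for line in stacktrace.splitlines():
        m = FRAME.search(line.strip())
        if m:
            bases.setdefault(m["module"], set()).add(int(m["addr"], 16) - int(m["off"], 16))
    # more than one base for a module would mean the frames disagree; keep all of them
    return {mod: (next(iter(b)) if len(b) == 1 else sorted(b)) for mod, b in bases.items()}


def frame_shape(stacktrace: str) -> tuple:
    """The frames with absolute addresses removed, so traces differing only by ASLR compare equal."""
    return tuple(re.sub(r" @ 0x[0-9a-f]+$", "", ln.strip()) for ln in stacktrace.splitlines() if ln.strip())


def classify_fault(address: int, bases: dict) -> str:
    """Name the module containing address (nearest base below it wins), or say where it is not."""
    candidates = [(address - base, mod) for mod, base in bases.items()
                  if isinstance(base, int) and 0 <= address - base < MODULE_WINDOW]
    if candidates:
        off, mod = min(candidates)
        return f"inside {mod}+0x{off:x}"
    side = "above the user/kernel boundary" if address >= KERNEL_BOUNDARY else "in user space"
    return f"{side}, in no module on the stack"


def compare_crashes(events):
    """events: [(exception_address, stacktrace)]. Returns per-event rows and whether every
    trace has the same frames once load addresses are ignored."""
    rows = []
    for addr, trace in events:
        bases = module_bases(trace)
        rows.append({"fault": addr, "bases": bases, "where": classify_fault(addr, bases)})
    return rows, len({frame_shape(trace) for _, trace in events}) == 1


# Constructed input: two of the report's traces, abridged to seven frames each.
TRACE_1 = """
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75134de3
7d49aab031e7600956d2629d3330039a+0x40a4d @ 0x440a4d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
"""
TRACE_2 = """
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x750ce97b
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x750c559e
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
7d49aab031e7600956d2629d3330039a+0x40a4d @ 0x440a4d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
"""

if __name__ == "__main__":
    rows, same_shape = compare_crashes([(0xFF3614AD, TRACE_1), (0xFDB114AD, TRACE_2)])
    for row in rows:
        print(hex(row["fault"]), row["where"], {m: hex(b) for m, b in row["bases"].items()})
    print("identical frames modulo load address:", same_shape)
```

The nearest-base rule in classify_fault matters because mscoree and mscoreei load close together; a first-match loop over a fixed window would attribute an mscoree address to mscoreei.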
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 366 events)
Two patterns in the events below deserve attention. In PIDs 376 and 1320 the first RWX change is NtProtectVirtualMemory on 0x00400000, the sample's own PE header page, followed by RWX reserves of 1.2 to 1.7 MB and a 229376-byte commit whose interior (118784 bytes) is re-protected: the shape of an unpacker staging a payload in place. PIDs 2316, 2228 and 2536 show only a lighter first stage (a 4 KB RWX commit and 49152 bytes of the image at 0x00459000 made RWX). Later, PIDs 376 and 1320 flip single pages inside kernel32 (0x76351000, 0x76353000, 0x76354000, i.e. kernel32+0x11000 to +0x14000 given the base 0x76340000 recovered from the crash stack traces) and ntdll (0x77d4f000 = ntdll+0x1f000) to RWX, alternating with one heap page (0x01e02000 in PID 376, 0x005b2000 in PID 1320) that the monitor tags heap_dep_bypass: 1. Making system-DLL code pages writable is not needed for unpacking; it is what inline API hooking looks like. process_handle 0xffffffff is the current-process pseudo-handle, so every one of these calls modifies the calling process itself, not another process.
Time & API Arguments Status Return Repeated
1619652149.915
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00350000
success 0 0
1619652150.04
NtProtectVirtualMemory
process_identifier: 2316
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00459000
success 0 0
1619652150.04
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e80000
success 0 0
1619652151.165125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619652151.274125
NtAllocateVirtualMemory
process_identifier: 376
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f60000
success 0 0
1619652151.274125
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020d0000
success 0 0
1619652151.274125
NtAllocateVirtualMemory
process_identifier: 376
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ce0000
success 0 0
1619652151.274125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 118784
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ce2000
success 0 0
1619652151.665125
NtAllocateVirtualMemory
process_identifier: 376
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01d50000
success 0 0
1619652151.665125
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01d50000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619652151.39925
NtAllocateVirtualMemory
process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619652151.43125
NtProtectVirtualMemory
process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00459000
success 0 0
1619652151.44625
NtAllocateVirtualMemory
process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01fa0000
success 0 0
1619652158.602375
NtAllocateVirtualMemory
process_identifier: 2536
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007b0000
success 0 0
1619652158.680375
NtProtectVirtualMemory
process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 49152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00459000
success 0 0
1619652158.680375
NtAllocateVirtualMemory
process_identifier: 2536
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00880000
success 0 0
1619652160.508875
NtProtectVirtualMemory
process_identifier: 1320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619652160.508875
NtAllocateVirtualMemory
process_identifier: 1320
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f50000
success 0 0
1619652160.508875
NtAllocateVirtualMemory
process_identifier: 1320
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02080000
success 0 0
1619652160.508875
NtAllocateVirtualMemory
process_identifier: 1320
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004c0000
success 0 0
1619652160.508875
NtProtectVirtualMemory
process_identifier: 1320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 118784
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004c2000
success 0 0
1619652160.555875
NtAllocateVirtualMemory
process_identifier: 1320
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x006d0000
success 0 0
1619652160.555875
NtAllocateVirtualMemory
process_identifier: 1320
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c0000
success 0 0
1619652161.133875
NtProtectVirtualMemory
process_identifier: 1320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005b2000
success 0 0
1619652161.148875
NtProtectVirtualMemory
process_identifier: 1320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619652161.148875
NtProtectVirtualMemory
process_identifier: 1320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005b2000
success 0 0
1619652161.148875
NtProtectVirtualMemory
process_identifier: 1320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619652161.148875
NtProtectVirtualMemory
process_identifier: 1320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005b2000
success 0 0
1619652161.148875
NtProtectVirtualMemory
process_identifier: 1320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619652161.148875
NtProtectVirtualMemory
process_identifier: 1320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005b2000
success 0 0
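The RWX events above and the Process32NextW events under "Repeatedly searches for a not-found process" further down share one record layout: a timestamp, the API name, key: value argument lines, and a status line. As an added example, written for this page and not taken from the report or from any sandbox project, the Python script below parses that layout and runs the two triage checks discussed on this page: a per-PID summary of RWX allocations and protections that also names which known module a re-protected page belongs to, and a per-process-name summary of the failed snapshot walks. The kernel32 and ntdll bases are taken from the report's crash stack traces; their sizes are assumptions. The input is a handful of constructed records in the report's layout. Reading the process_name of a failed Process32NextW as the snapshot's last entry is an interpretation and is marked as such in the code.

```python
from collections import defaultdict

# Module bases come from the report's crash stack traces (kernel32+0x133ca @ 0x763533ca,
# ntdll+0x39ed2 @ 0x77d69ed2); the end addresses are assumptions, the report gives no sizes.
MODULES = {"kernel32": (0x76340000, 0x76450000), "ntdll": (0x77D30000, 0x77E70000)}
SANDBOX_ARTIFACTS = {"inject-x86.exe", "inject-x64.exe"}   # the Cuckoo monitor's own injector
PAGE_EXECUTE_READWRITE = 0x40


def parse_events(text):
    """Parse the report's flattened 'Time & API / Arguments / Status Return Repeated' records."""
    events, cur = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.replace(".", "", 1).isdigit():          # a timestamp opens a record
            cur = {"time": float(line), "api": None, "args": {}, "status": None}
            events.append(cur)
        elif cur is None:                               # column headers outside any record
            continue
        elif cur["api"] is None:                        # line after the timestamp: API name
            cur["api"] = line
        elif line.startswith(("success ", "failed ")):  # 'success 0 0' closes the record
            cur["status"], cur["return"], cur["repeated"] = line.split()
            cur = None
        elif ": " in line:                              # 'key: value' argument lines
            key, value = line.split(": ", 1)
            cur["args"][key] = value
    return events


def rwx_summary(events):
    """Per PID: RWX allocs/protects, the monitor's heap_dep_bypass flag, and any
    re-protected page that lies inside a known system module (hooking, not unpacking)."""
    out = defaultdict(lambda: {"alloc": 0, "protect": 0, "bytes": 0,
                               "heap_dep_bypass": 0, "module_hits": []})
    for ev in events:
        if ev["api"] not in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory"):
            continue
        if int(ev["args"].get("protection", "0").split()[0]) != PAGE_EXECUTE_READWRITE:
            continue
        s = out[int(ev["args"]["process_identifier"])]
        s["alloc" if ev["api"] == "NtAllocateVirtualMemory" else "protect"] += 1
        s["bytes"] += int(ev["args"].get("region_size") or ev["args"].get("length") or 0)
        s["heap_dep_bypass"] += ev["args"].get("heap_dep_bypass") == "1"
        base = int(ev["args"]["base_address"], 16)
        s["module_hits"] += [(m, base - lo) for m, (lo, hi) in MODULES.items() if lo <= base < hi]
    return dict(out)


def process_search_summary(events):
    """A failed Process32NextW means the snapshot was walked to its end with no match. The
    name/PID logged on that call is read here (an interpretation) as the snapshot's newest entry."""
    out = defaultdict(lambda: {"sweeps": 0, "pids": set(), "sandbox_artifact": False})
    for ev in events:
        if ev["api"] == "Process32NextW" and ev["status"] == "failed":
            name = ev["args"]["process_name"]
            out[name]["sweeps"] += 1
            out[name]["pids"].add(int(ev["args"]["process_identifier"]))
            out[name]["sandbox_artifact"] = name in SANDBOX_ARTIFACTS
    return dict(out)


# Constructed input: a few records copied in the report's layout.
SAMPLE = """\
1619652151.274125
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020d0000
success 0 0
1619652152.290125
NtProtectVirtualMemory
process_identifier: 376
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76351000
success 0 0
1619652158.10325
Process32NextW
process_name: 7d49aab031e7600956d2629d3330039a.exe
process_identifier: 2228
failed 0 0
1619652158.805375
Process32NextW
process_name: inject-x86.exe
process_identifier: 2440
failed 0 0
1619652163.93125
Process32NextW
process_name: 7d49aab031e7600956d2629d3330039a.exe
process_identifier: 392
failed 0 0
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(rwx_summary(evs), process_search_summary(evs), sep="\n")
```

Run against the full event list of this report, module_hits is the column to watch: RWX inside the sample's own image is unpacking, RWX inside kernel32 or ntdll is a hook being written, and a growing pids set for the sample's own name is the relaunch loop.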
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 66 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.536792959837473  section .rsrc (size_of_data 0x0003b800, virtual_address 0x00074000, virtual_size 0x0003b60c)  A section with a high entropy has been found
entropy 0.35129151291512917  Overall entropy of this PE file is high
The two numbers are not the same quantity. The first is the Shannon entropy of .rsrc in bits per byte: 7.54 of a possible 8, so the section is essentially incompressible. The second is a fraction, not an entropy: the share of the file's section data that lies in high-entropy sections, here the 243712-byte (0x3b800) .rsrc out of 693760 bytes of section data, which is 35%. A large incompressible resource section in a Delphi executable is consistent with an encrypted payload stored as a resource, which fits the DelfInject label above and the hand-off to the CLR seen in the crash traces.
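As an added example, written for this page and not part of the report or of any project, the pure-standard-library Python script below parses a PE section table, computes per-section Shannon entropy and applies the two heuristics behind the static findings on this page: section names outside a Microsoft-toolchain allow-list (with the Borland-default caveat from the CODE/DATA/BSS finding above), and the share of section data sitting in high-entropy sections. The allow-list, the 6.8-bit section threshold and the 20% share threshold are assumptions chosen to reproduce the report's behaviour. The input is a constructed minimal PE32 image with Borland-style section names, not the sample.

```python
import math
import struct
from collections import Counter

# Section names a Microsoft-toolchain build normally carries (assumed allow-list, in the
# spirit of the "unknown PE section names" signature).
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                  ".pdata", ".bss", ".tls", ".CRT", ".textbss"}
# Default names the Borland/Delphi linker emits: expected in a Delphi build, so an
# "unknown" name from this set is weak evidence of packing on its own.
BORLAND_SECTIONS = {"CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"}
HIGH_ENTROPY_SECTION = 6.8   # bits per byte; assumed threshold
HIGH_ENTROPY_SHARE = 0.20    # fraction of section data; assumed threshold


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 when all 256 values are equally likely."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) or 0.0


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) per section: DOS header -> e_lfanew -> PE\\0\\0 -> COFF -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    table = pe + 4 + 20 + opt_size            # section headers follow the optional header
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]


def packer_report(image: bytes) -> dict:
    """Apply the two heuristics and keep the per-section numbers for the analyst."""
    sections = list(pe_sections(image))
    entropy = {name: shannon_entropy(raw) for name, raw in sections}
    total = sum(len(raw) for _, raw in sections)
    high = [name for name, e in entropy.items() if e > HIGH_ENTROPY_SECTION]
    high_bytes = sum(len(raw) for name, raw in sections if name in high)
    unknown = [name for name in entropy if name not in KNOWN_SECTIONS]
    return {
        "entropy": entropy,
        "unknown_section_names": unknown,
        "unknown_but_borland_default": [n for n in unknown if n in BORLAND_SECTIONS],
        "high_entropy_sections": high,
        "high_entropy_share": high_bytes / total if total else 0.0,
        "overall_high": total > 0 and high_bytes / total > HIGH_ENTROPY_SHARE,
    }


def build_sample_image() -> bytes:
    """Constructed PE32 image (not the report's sample): Borland-style names plus a .rsrc
    holding every byte value equally often, which reads as encrypted/compressed data."""
    payload = {"CODE": b"\x55\x8b\xec" * 1024 + b"\xc3" * 1024,   # four symbols -> 2.0 bits
               "DATA": b"\x00" * 2048,                          # constant -> 0.0 bits
               "BSS": b"",                                       # no raw data on disk
               ".rsrc": bytes(range(256)) * 16}                  # uniform -> 8.0 bits
    hdr_len = 0x40 + 4 + 20 + 0xE0 + 40 * len(payload)
    data_start = (hdr_len + 0x1FF) & ~0x1FF                     # 0x200 file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(payload), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)         # PE32 magic, rest zeroed
    headers, blobs, raw_ptr, va = b"", b"", data_start, 0x1000
    for name, raw in payload.items():
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), max(len(raw), 0x1000), va,
                               len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs, raw_ptr = blobs + raw, raw_ptr + len(raw)
        va += 0x1000 * max(1, (len(raw) + 0xFFF) // 0x1000)
    image = dos + b"PE\0\0" + coff + opt + headers
    return image + b"\0" * (data_start - len(image)) + blobs


if __name__ == "__main__":
    for key, value in packer_report(build_sample_image()).items():
        print(f"{key}: {value}")
```

On the constructed image the script reports CODE, DATA and BSS as unknown names and immediately downgrades them as Borland defaults, and flags .rsrc alone as high-entropy with a 40% share, the same two-part reading the report gives for the real sample.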
Expresses interest in specific running processes (1 event)
process 7d49aab031e7600956d2629d3330039a.exe
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (23 events)
Each event below is a Process32NextW call that failed, i.e. the snapshot was walked to its end without the loop stopping on a match (the hint about a browser assumes the sample is looking for one to inject into). The process_name and process_identifier logged on the failing call appear to be the last entry in the snapshot, the newest process: the sample's own name shows up with a different PID on almost every sweep (2228, 392, 2760, 2956, 2652, 3684, 3928), so a fresh copy of the sample exists at each sweep, matching the crash-and-relaunch cadence of the exception events above. inject-x86.exe is the Cuckoo sandbox's own injector, used to place the monitor in processes; its appearance here is a sandbox artifact, not sample behaviour.
Time & API Arguments Status Return Repeated
1619652150.087
Process32NextW
process_name: conhost.exe
snapshot_handle: 0x000000f8
process_identifier: 2636
failed 0 0
1619652158.10325
Process32NextW
process_name: 7d49aab031e7600956d2629d3330039a.exe
snapshot_handle: 0x000001b8
process_identifier: 2228
failed 0 0
1619652158.805375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 2440
failed 0 0
1619652163.93125
Process32NextW
process_name: 7d49aab031e7600956d2629d3330039a.exe
snapshot_handle: 0x00000130
process_identifier: 392
failed 0 0
1619652164.69575
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 2364
failed 0 0
1619652169.33725
Process32NextW
process_name: 7d49aab031e7600956d2629d3330039a.exe
snapshot_handle: 0x00000134
process_identifier: 2760
failed 0 0
1619652170.08725
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 2948
failed 0 0
1619652175.08675
Process32NextW
process_name: 7d49aab031e7600956d2629d3330039a.exe
snapshot_handle: 0x00000148
process_identifier: 2956
failed 0 0
1619652176.228
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 1916
failed 0 0
1619652181.821125
Process32NextW
process_name: 7d49aab031e7600956d2629d3330039a.exe
snapshot_handle: 0x0000012c
process_identifier: 2652
failed 0 0
1619652182.5085
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3276
failed 0 0
1619652187.94575
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x0000013c
process_identifier: 3436
failed 0 0
1619652188.680875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3608
failed 0 0
1619652192.258875
Process32NextW
process_name: 7d49aab031e7600956d2629d3330039a.exe
snapshot_handle: 0x00000138
process_identifier: 3684
failed 0 0
1619652192.899
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3852
failed 0 0
1619652196.22775
Process32NextW
process_name: 7d49aab031e7600956d2629d3330039a.exe
snapshot_handle: 0x0000011c
process_identifier: 3928
failed 0 0
1619652197.05575
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 952
failed 0 0
1619652202.461375
Process32NextW
process_name: 7d49aab031e7600956d2629d3330039a.exe
snapshot_handle: 0x0000016c
process_identifier: 3232
failed 0 0
1619652202.99325
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3456
failed 0 0
1619652207.555875
Process32NextW
process_name: 7d49aab031e7600956d2629d3330039a.exe
snapshot_handle: 0x00000144
process_identifier: 3672
failed 0 0
1619652208.243125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3884
failed 0 0
1619652213.0865
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000158
process_identifier: 4032
failed 0 0
1619652213.977625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3224
failed 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (22 events)
Process injection Process 2316 called NtSetContextThread to modify thread in remote process 376
Process injection Process 2536 called NtSetContextThread to modify thread in remote process 1320
Process injection Process 648 called NtSetContextThread to modify thread in remote process 1940
Process injection Process 1300 called NtSetContextThread to modify thread in remote process 2944
Process injection Process 2548 called NtSetContextThread to modify thread in remote process 2840
Process injection Process 3220 called NtSetContextThread to modify thread in remote process 3320
Process injection Process 3552 called NtSetContextThread to modify thread in remote process 3624
Process injection Process 3796 called NtSetContextThread to modify thread in remote process 3868
Process injection Process 4040 called NtSetContextThread to modify thread in remote process 3084
Process injection Process 3504 called NtSetContextThread to modify thread in remote process 3572
Process injection Process 3720 called NtSetContextThread to modify thread in remote process 3912
Time & API Arguments Status Return Repeated
1619652150.243
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 376
success 0 0
1619652159.680375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1320
success 0 0
1619652164.88375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1940
success 0 0
1619652170.52425
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2944
success 0 0
1619652176.712
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2840
success 0 0
1619652182.7585
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3320
success 0 0
1619652188.852875
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3624
success 0 0
1619652193.04
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3868
success 0 0
1619652197.60275
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3084
success 0 0
1619652203.13425
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3572
success 0 0
1619652208.431125
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3912
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (22 events)
Process injection Process 2316 resumed a thread in remote process 376
Process injection Process 2536 resumed a thread in remote process 1320
Process injection Process 648 resumed a thread in remote process 1940
Process injection Process 1300 resumed a thread in remote process 2944
Process injection Process 2548 resumed a thread in remote process 2840
Process injection Process 3220 resumed a thread in remote process 3320
Process injection Process 3552 resumed a thread in remote process 3624
Process injection Process 3796 resumed a thread in remote process 3868
Process injection Process 4040 resumed a thread in remote process 3084
Process injection Process 3504 resumed a thread in remote process 3572
Process injection Process 3720 resumed a thread in remote process 3912
Time & API Arguments Status Return Repeated
1619652150.962
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 376
success 0 0
1619652160.352375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 1320
success 0 0
1619652165.41475
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 1940
success 0 0
1619652171.18125
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2944
success 0 0
1619652177.274
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2840
success 0 0
1619652183.2735
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3320
success 0 0
1619652189.211875
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3624
success 0 0
1619652193.524
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3868
success 0 0
1619652198.08675
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3084
success 0 0
1619652203.91525
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3572
success 0 0
1619652208.790125
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3912
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 88 events)
Time & API Arguments Status Return Repeated
1619652150.196
CreateProcessInternalW
thread_identifier: 392
thread_handle: 0x000000fc
process_identifier: 376
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619652150.196
NtUnmapViewOfSection
process_identifier: 376
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619652150.212
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 376
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619652150.243
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619652150.243
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 376
success 0 0
1619652150.962
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 376
success 0 0
1619652151.071
CreateProcessInternalW
thread_identifier: 2364
thread_handle: 0x00000104
process_identifier: 2228
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe" 2 376 24088734
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619652158.24325
CreateProcessInternalW
thread_identifier: 2236
thread_handle: 0x000001bc
process_identifier: 2536
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001c0
inherit_handles: 0
success 1 0
1619652159.539375
CreateProcessInternalW
thread_identifier: 1948
thread_handle: 0x000000fc
process_identifier: 1320
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619652159.539375
NtUnmapViewOfSection
process_identifier: 1320
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619652159.617375
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 1320
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619652159.680375
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619652159.680375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1320
success 0 0
1619652160.352375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 1320
success 0 0
1619652160.445375
CreateProcessInternalW
thread_identifier: 1060
thread_handle: 0x00000104
process_identifier: 392
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe" 2 1320 24098125
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619652164.11825
CreateProcessInternalW
thread_identifier: 2420
thread_handle: 0x00000134
process_identifier: 648
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000138
inherit_handles: 0
success 1 0
1619652164.85275
CreateProcessInternalW
thread_identifier: 624
thread_handle: 0x000000fc
process_identifier: 1940
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619652164.85275
NtUnmapViewOfSection
process_identifier: 1940
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619652164.85275
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 1940
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619652164.88375
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619652164.88375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1940
success 0 0
1619652165.41475
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 1940
success 0 0
1619652166.05575
CreateProcessInternalW
thread_identifier: 1948
thread_handle: 0x00000104
process_identifier: 2760
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe" 2 1940 24103187
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619652169.54025
CreateProcessInternalW
thread_identifier: 2668
thread_handle: 0x00000138
process_identifier: 1300
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000013c
inherit_handles: 0
success 1 0
1619652170.43125
CreateProcessInternalW
thread_identifier: 1916
thread_handle: 0x000000fc
process_identifier: 2944
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619652170.43125
NtUnmapViewOfSection
process_identifier: 2944
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619652170.44625
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 2944
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619652170.52425
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619652170.52425
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2944
success 0 0
1619652171.18125
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2944
success 0 0
1619652171.72825
CreateProcessInternalW
thread_identifier: 2952
thread_handle: 0x00000104
process_identifier: 2956
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe" 2 2944 24108953
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619652175.32075
CreateProcessInternalW
thread_identifier: 1124
thread_handle: 0x0000014c
process_identifier: 2548
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000150
inherit_handles: 0
success 1 0
1619652176.634
CreateProcessInternalW
thread_identifier: 2576
thread_handle: 0x000000fc
process_identifier: 2840
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619652176.634
NtUnmapViewOfSection
process_identifier: 2840
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619652176.649
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 2840
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619652176.712
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619652176.712
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2840
success 0 0
1619652177.274
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2840
success 0 0
1619652177.915
CreateProcessInternalW
thread_identifier: 2616
thread_handle: 0x00000104
process_identifier: 2652
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe" 2 2840 24115046
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619652181.946125
CreateProcessInternalW
thread_identifier: 3224
thread_handle: 0x00000130
process_identifier: 3220
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000134
inherit_handles: 0
success 1 0
1619652182.7115
CreateProcessInternalW
thread_identifier: 3324
thread_handle: 0x000000fc
process_identifier: 3320
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619652182.7115
NtUnmapViewOfSection
process_identifier: 3320
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619652182.7275
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 3320
commit_size: 520192
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 520192
base_address: 0x00400000
success 0 0
1619652182.7585
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619652182.7585
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4708112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3320
success 0 0
1619652183.2735
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3320
success 0 0
1619652184.6805
CreateProcessInternalW
thread_identifier: 3408
thread_handle: 0x00000104
process_identifier: 3404
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe" 2 3320 24121046
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619652188.21175
CreateProcessInternalW
thread_identifier: 3556
thread_handle: 0x00000140
process_identifier: 3552
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000144
inherit_handles: 0
success 1 0
1619652188.805875
CreateProcessInternalW
thread_identifier: 3628
thread_handle: 0x000000fc
process_identifier: 3624
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d49aab031e7600956d2629d3330039a.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619652188.805875
NtUnmapViewOfSection
process_identifier: 3624
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Stealer.28999
MicroWorld-eScan Trojan.Delf.FareIt.Gen.7
FireEye Generic.mg.7d49aab031e76009
ALYac Trojan.Delf.FareIt.Gen.7
Malwarebytes Spyware.PasswordStealer
Zillya Trojan.Injector.Win32.753781
AegisLab Trojan.Win32.Kryptik.4!c
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Trojan.Delf.FareIt.Gen.7
K7GW Riskware ( 0040eff71 )
Cybereason malicious.580022
BitDefenderTheta Gen:NN.ZelphiF.34670.QGW@aqzojNhi
Cyren W32/Injector.WPVI-5619
Symantec Infostealer.Lokibot!43
APEX Malicious
Avast Win32:Trojan-gen
ClamAV Win.Dropper.AgentTesla-9122548-1
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
Alibaba Trojan:Win32/DelfInject.ali2000015
NANO-Antivirus Trojan.Win32.Kryptik.hoxhxt
Rising Trojan.Injector!1.C99D (CLASSIC)
Ad-Aware Trojan.Delf.FareIt.Gen.7
Sophos Mal/Generic-S + Troj/AutoG-IO
Comodo Malware@#1m4a637dbelxf
F-Secure Trojan.TR/Kryptik.umwuc
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.Win32.MALREP.THIAABO
McAfee-GW-Edition BehavesLike.Win32.Fareit.jc
Emsisoft Trojan.Delf.FareIt.Gen.7 (B)
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Kryptik.byb
Avira TR/Kryptik.umwuc
MAX malware (ai score=86)
Antiy-AVL Trojan/Win32.Kryptik
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/NanoCore.VD!MTB
Arcabit Trojan.Delf.FareIt.Gen.7
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Trojan.Delf.FareIt.Gen.7
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2094
Acronis suspicious
McAfee Fareit-FVZ!7D49AAB031E7
VBA32 TScope.Trojan.Delf
Cylance Unsafe
Panda Trj/CI.A
Zoner Trojan.Win32.94619
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran.


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x46813c VirtualFree
0x468140 VirtualAlloc
0x468144 LocalFree
0x468148 LocalAlloc
0x46814c GetVersion
0x468150 GetCurrentThreadId
0x46815c VirtualQuery
0x468160 WideCharToMultiByte
0x468164 MultiByteToWideChar
0x468168 lstrlenA
0x46816c lstrcpynA
0x468170 LoadLibraryExA
0x468174 GetThreadLocale
0x468178 GetStartupInfoA
0x46817c GetProcAddress
0x468180 GetModuleHandleA
0x468184 GetModuleFileNameA
0x468188 GetLocaleInfoA
0x46818c GetCommandLineA
0x468190 FreeLibrary
0x468194 FindFirstFileA
0x468198 FindClose
0x46819c ExitProcess
0x4681a0 WriteFile
0x4681a8 RtlUnwind
0x4681ac RaiseException
0x4681b0 GetStdHandle
Library user32.dll:
0x4681b8 GetKeyboardType
0x4681bc LoadStringA
0x4681c0 MessageBoxA
0x4681c4 CharNextA
Library advapi32.dll:
0x4681cc RegQueryValueExA
0x4681d0 RegOpenKeyExA
0x4681d4 RegCloseKey
Library oleaut32.dll:
0x4681dc SysFreeString
0x4681e0 SysReAllocStringLen
0x4681e4 SysAllocStringLen
Library kernel32.dll:
0x4681ec TlsSetValue
0x4681f0 TlsGetValue
0x4681f4 LocalAlloc
0x4681f8 GetModuleHandleA
Library advapi32.dll:
0x468200 RegQueryValueExA
0x468204 RegOpenKeyExA
0x468208 RegCloseKey
Library kernel32.dll:
0x468210 lstrcpyA
0x468214 WriteFile
0x468218 WaitForSingleObject
0x46821c VirtualQuery
0x468220 VirtualAlloc
0x468224 Sleep
0x468228 SizeofResource
0x46822c SetThreadLocale
0x468230 SetFilePointer
0x468234 SetEvent
0x468238 SetErrorMode
0x46823c SetEndOfFile
0x468240 ResetEvent
0x468244 ReadFile
0x468248 MulDiv
0x46824c LockResource
0x468250 LoadResource
0x468254 LoadLibraryA
0x468260 GlobalUnlock
0x468264 GlobalReAlloc
0x468268 GlobalHandle
0x46826c GlobalLock
0x468270 GlobalFree
0x468274 GlobalFindAtomA
0x468278 GlobalDeleteAtom
0x46827c GlobalAlloc
0x468280 GlobalAddAtomA
0x468284 GetVersionExA
0x468288 GetVersion
0x46828c GetTickCount
0x468290 GetThreadLocale
0x468294 GetSystemInfo
0x468298 GetStringTypeExA
0x46829c GetStdHandle
0x4682a0 GetProcAddress
0x4682a4 GetModuleHandleA
0x4682a8 GetModuleFileNameA
0x4682ac GetLocaleInfoA
0x4682b0 GetLocalTime
0x4682b4 GetLastError
0x4682b8 GetFullPathNameA
0x4682bc GetDiskFreeSpaceA
0x4682c0 GetDateFormatA
0x4682c4 GetCurrentThreadId
0x4682c8 GetCurrentProcessId
0x4682cc GetCPInfo
0x4682d0 GetACP
0x4682d4 FreeResource
0x4682d8 InterlockedExchange
0x4682dc FreeLibrary
0x4682e0 FormatMessageA
0x4682e4 FindResourceA
0x4682e8 EnumCalendarInfoA
0x4682f4 CreateThread
0x4682f8 CreateFileA
0x4682fc CreateEventA
0x468300 CompareStringA
0x468304 CloseHandle
Library version.dll:
0x46830c VerQueryValueA
0x468314 GetFileVersionInfoA
Library gdi32.dll:
0x46831c UnrealizeObject
0x468320 StretchBlt
0x468324 SetWindowOrgEx
0x468328 SetViewportOrgEx
0x46832c SetTextColor
0x468330 SetStretchBltMode
0x468334 SetROP2
0x468338 SetPixel
0x46833c SetDIBColorTable
0x468340 SetBrushOrgEx
0x468344 SetBkMode
0x468348 SetBkColor
0x46834c SelectPalette
0x468350 SelectObject
0x468354 SaveDC
0x468358 RestoreDC
0x46835c Rectangle
0x468360 RectVisible
0x468364 RealizePalette
0x468368 Polyline
0x46836c PatBlt
0x468370 MoveToEx
0x468374 MaskBlt
0x468378 LineTo
0x46837c IntersectClipRect
0x468380 GetWindowOrgEx
0x468384 GetTextMetricsA
0x468390 GetStockObject
0x468394 GetPixel
0x468398 GetPaletteEntries
0x46839c GetObjectA
0x4683a0 GetDeviceCaps
0x4683a4 GetDIBits
0x4683a8 GetDIBColorTable
0x4683ac GetDCOrgEx
0x4683b4 GetClipBox
0x4683b8 GetBrushOrgEx
0x4683bc GetBitmapBits
0x4683c0 ExcludeClipRect
0x4683c4 DeleteObject
0x4683c8 DeleteDC
0x4683cc CreateSolidBrush
0x4683d0 CreatePenIndirect
0x4683d4 CreatePalette
0x4683dc CreateFontIndirectA
0x4683e0 CreateDIBitmap
0x4683e4 CreateDIBSection
0x4683e8 CreateCompatibleDC
0x4683f0 CreateBrushIndirect
0x4683f4 CreateBitmap
0x4683f8 BitBlt
Library user32.dll:
0x468400 CreateWindowExA
0x468404 WindowFromPoint
0x468408 WinHelpA
0x46840c WaitMessage
0x468410 UpdateWindow
0x468414 UnregisterClassA
0x468418 UnhookWindowsHookEx
0x46841c TranslateMessage
0x468424 TrackPopupMenu
0x46842c ShowWindow
0x468430 ShowScrollBar
0x468434 ShowOwnedPopups
0x468438 ShowCursor
0x46843c SetWindowsHookExA
0x468440 SetWindowTextA
0x468444 SetWindowPos
0x468448 SetWindowPlacement
0x46844c SetWindowLongA
0x468450 SetTimer
0x468454 SetScrollRange
0x468458 SetScrollPos
0x46845c SetScrollInfo
0x468460 SetRect
0x468464 SetPropA
0x468468 SetParent
0x46846c SetMenuItemInfoA
0x468470 SetMenu
0x468474 SetForegroundWindow
0x468478 SetFocus
0x46847c SetCursor
0x468480 SetClassLongA
0x468484 SetCapture
0x468488 SetActiveWindow
0x46848c SendMessageA
0x468490 ScrollWindow
0x468494 ScreenToClient
0x468498 RemovePropA
0x46849c RemoveMenu
0x4684a0 ReleaseDC
0x4684a4 ReleaseCapture
0x4684b0 RegisterClassA
0x4684b4 RedrawWindow
0x4684b8 PtInRect
0x4684bc PostQuitMessage
0x4684c0 PostMessageA
0x4684c4 PeekMessageA
0x4684c8 OffsetRect
0x4684cc OemToCharA
0x4684d0 MessageBoxA
0x4684d4 MessageBeep
0x4684d8 MapWindowPoints
0x4684dc MapVirtualKeyA
0x4684e0 LoadStringA
0x4684e4 LoadKeyboardLayoutA
0x4684e8 LoadIconA
0x4684ec LoadCursorA
0x4684f0 LoadBitmapA
0x4684f4 KillTimer
0x4684f8 IsZoomed
0x4684fc IsWindowVisible
0x468500 IsWindowEnabled
0x468504 IsWindow
0x468508 IsRectEmpty
0x46850c IsIconic
0x468510 IsDialogMessageA
0x468514 IsChild
0x468518 InvalidateRect
0x46851c IntersectRect
0x468520 InsertMenuItemA
0x468524 InsertMenuA
0x468528 InflateRect
0x468530 GetWindowTextA
0x468534 GetWindowRect
0x468538 GetWindowPlacement
0x46853c GetWindowLongA
0x468540 GetWindowDC
0x468544 GetTopWindow
0x468548 GetSystemMetrics
0x46854c GetSystemMenu
0x468550 GetSysColorBrush
0x468554 GetSysColor
0x468558 GetSubMenu
0x46855c GetScrollRange
0x468560 GetScrollPos
0x468564 GetScrollInfo
0x468568 GetPropA
0x46856c GetParent
0x468570 GetWindow
0x468574 GetMenuStringA
0x468578 GetMenuState
0x46857c GetMenuItemInfoA
0x468580 GetMenuItemID
0x468584 GetMenuItemCount
0x468588 GetMenu
0x46858c GetLastActivePopup
0x468590 GetKeyboardState
0x468598 GetKeyboardLayout
0x46859c GetKeyState
0x4685a0 GetKeyNameTextA
0x4685a4 GetIconInfo
0x4685a8 GetForegroundWindow
0x4685ac GetFocus
0x4685b0 GetDlgItem
0x4685b4 GetDesktopWindow
0x4685b8 GetDCEx
0x4685bc GetDC
0x4685c0 GetCursorPos
0x4685c4 GetCursor
0x4685c8 GetClientRect
0x4685cc GetClassNameA
0x4685d0 GetClassInfoA
0x4685d4 GetCapture
0x4685d8 GetActiveWindow
0x4685dc FrameRect
0x4685e0 FindWindowA
0x4685e4 FillRect
0x4685e8 EqualRect
0x4685ec EnumWindows
0x4685f0 EnumThreadWindows
0x4685f4 EndPaint
0x4685f8 EnableWindow
0x4685fc EnableScrollBar
0x468600 EnableMenuItem
0x468604 DrawTextA
0x468608 DrawMenuBar
0x46860c DrawIconEx
0x468610 DrawIcon
0x468614 DrawFrameControl
0x468618 DrawFocusRect
0x46861c DrawEdge
0x468620 DispatchMessageA
0x468624 DestroyWindow
0x468628 DestroyMenu
0x46862c DestroyIcon
0x468630 DestroyCursor
0x468634 DeleteMenu
0x468638 DefWindowProcA
0x46863c DefMDIChildProcA
0x468640 DefFrameProcA
0x468644 CreatePopupMenu
0x468648 CreateMenu
0x46864c CreateIcon
0x468650 ClientToScreen
0x468654 CheckMenuItem
0x468658 CallWindowProcA
0x46865c CallNextHookEx
0x468660 BeginPaint
0x468664 CharNextA
0x468668 CharLowerA
0x46866c CharToOemA
0x468670 AdjustWindowRectEx
Library kernel32.dll:
0x46867c Sleep
Library oleaut32.dll:
0x468684 SafeArrayPtrOfIndex
0x468688 SafeArrayGetUBound
0x46868c SafeArrayGetLBound
0x468690 SafeArrayCreate
0x468694 VariantChangeType
0x468698 VariantCopy
0x46869c VariantClear
0x4686a0 VariantInit
Library comctl32.dll:
0x4686b0 ImageList_Write
0x4686b4 ImageList_Read
0x4686c4 ImageList_DragMove
0x4686c8 ImageList_DragLeave
0x4686cc ImageList_DragEnter
0x4686d0 ImageList_EndDrag
0x4686d4 ImageList_BeginDrag
0x4686d8 ImageList_Remove
0x4686dc ImageList_DrawEx
0x4686e0 ImageList_Replace
0x4686e4 ImageList_Draw
0x4686f4 ImageList_Add
0x4686fc ImageList_Destroy
0x468700 ImageList_Create
0x468704 InitCommonControls
Library comdlg32.dll:
0x46870c GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.