19.0
0-day

b1153f4e9733d41d87b833d5104dd232438d396a2e51b326e2336e53b93bf382

7d6336becada954a54a45adb18bd17f7.exe

Analysis duration

128s

Latest analysis

File size

731.0KB
Static scan: malicious. Dynamic scan: malicious. Detection labels: 0D7WIFVV40Q AI SCORE=87 CLASSIC CONFIDENCE CRIDEX DELF DELPHILESS ELWH ELZG FAREIT GENERICKDZ HIGH CONFIDENCE HKBSJN HPLOKI IXRN KRYPTIK LOKIBOT QCJXD R + MAL SCORE SMBD SPYBOTNET STATIC AI SUSGEN SUSPICIOUS PE TGX@AMHF4RFI TSCOPE TSPY UNSAFE WACATAC X2066 ZELPHIF ZPUP
Eagle Eye engine
Not detected: no Eagle Eye engine results are available yet
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee Fareit-FTB!7D6336BECADA 20201226 6.0.6.653
Alibaba Trojan:Win32/Cridex.fda4ee44 20190527 0.3.0.5
Avast Win32:Malware-gen 20201226 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft 20201226 2017.9.26.565
Tencent Win32.Trojan.Bp-generic.Ixrn 20201226 1.0.0.1
CrowdStrike win/malicious_confidence_80% (D) 20190702 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619649226.299507
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks whether the process is being debugged (23 events)
Time & API Arguments Status Return Repeated
1619659994.112269
IsDebuggerPresent
failed 0 0
1619659999.268269
IsDebuggerPresent
failed 0 0
1619660004.315269
IsDebuggerPresent
failed 0 0
1619660009.315269
IsDebuggerPresent
failed 0 0
1619660014.315269
IsDebuggerPresent
failed 0 0
1619660019.315269
IsDebuggerPresent
failed 0 0
1619660024.331269
IsDebuggerPresent
failed 0 0
1619660029.346269
IsDebuggerPresent
failed 0 0
1619660034.378269
IsDebuggerPresent
failed 0 0
1619660039.393269
IsDebuggerPresent
failed 0 0
1619660044.393269
IsDebuggerPresent
failed 0 0
1619660049.440269
IsDebuggerPresent
failed 0 0
1619660054.503269
IsDebuggerPresent
failed 0 0
1619660059.518269
IsDebuggerPresent
failed 0 0
1619660064.534269
IsDebuggerPresent
failed 0 0
1619660069.534269
IsDebuggerPresent
failed 0 0
1619660074.550269
IsDebuggerPresent
failed 0 0
1619660079.565269
IsDebuggerPresent
failed 0 0
1619660084.581269
IsDebuggerPresent
failed 0 0
1619660089.596269
IsDebuggerPresent
failed 0 0
1619660094.596269
IsDebuggerPresent
failed 0 0
1619660099.596269
IsDebuggerPresent
failed 0 0
1619660104.612269
IsDebuggerPresent
failed 0 0
Command-line console output was observed (15 events)
Time & API Arguments Status Return Repeated
1619660425.217875
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d6336becada954a54a45adb18bd17f7.exe
console_handle: 0x00000007
success 1 0
1619660425.233875
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619660425.514875
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d6336becada954a54a45adb18bd17f7.exe
console_handle: 0x00000007
success 1 0
1619660425.514875
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619660425.655875
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d6336becada954a54a45adb18bd17f7.exe
console_handle: 0x00000007
success 1 0
1619660425.655875
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619660425.780875
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d6336becada954a54a45adb18bd17f7.exe
console_handle: 0x00000007
success 1 0
1619660425.796875
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619660426.030875
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d6336becada954a54a45adb18bd17f7.exe
console_handle: 0x00000007
success 1 0
1619660426.030875
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619660426.186875
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d6336becada954a54a45adb18bd17f7.exe
console_handle: 0x00000007
success 1 0
1619660426.202875
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619660426.483875
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d6336becada954a54a45adb18bd17f7.exe
console_handle: 0x00000007
success 1 0
1619660426.499875
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619660426.889875
WriteConsoleW
buffer: 找不到批处理文件。
console_handle: 0x0000000b
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 events)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619649226.127507
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (3 events)
Time & API Arguments Status Return Repeated
1619649224.649988
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49872440
registers.edi: 0
registers.eax: 0
registers.ebp: 49872776
registers.edx: 2130553844
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 9e 92 00 00 e9
exception.symbol: 7d6336becada954a54a45adb18bd17f7+0x58eeb
exception.instruction: div eax
exception.module: 7d6336becada954a54a45adb18bd17f7.exe
exception.exception_code: 0xc0000094
exception.offset: 364267
exception.address: 0x458eeb
success 0 0
1619660419.812125
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34405944
registers.edi: 0
registers.eax: 0
registers.ebp: 34406280
registers.edx: 2130553844
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 9e 92 00 00 e9
exception.symbol: azem+0x58eeb
exception.instruction: div eax
exception.module: azem.exe
exception.exception_code: 0xc0000094
exception.offset: 364267
exception.address: 0x458eeb
success 0 0
1619659997.534146
__exception__
stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdc5a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf173c3
CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7feffdc62ba
Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7fefdfdb949
CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7feffdc21d0
DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7feffc7d8a2
ObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7feffc81bb3
ObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7feffc81b22
CoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7feffc817eb
CoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7feffc81417
CoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7feffc794fa
CoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7feffc79428
CoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7feffc79b49
CoRegisterMessageFilter+0x153b CoUninitialize-0x3341 ole32+0x1dfd3 @ 0x7feffc6dfd3
CoRegisterMessageFilter+0x11c0 CoUninitialize-0x36bc ole32+0x1dc58 @ 0x7feffc6dc58
CoRegisterMessageFilter+0xb97 CoUninitialize-0x3ce5 ole32+0x1d62f @ 0x7feffc6d62f
CoRegisterMessageFilter+0x13fe CoUninitialize-0x347e ole32+0x1de96 @ 0x7feffc6de96
ObjectStublessClient32+0x73c2 CoDisconnectContext-0x9cb6 ole32+0x4aec2 @ 0x7feffc9aec2
CoUninitialize+0x1010 CoInitializeEx-0x70c ole32+0x22324 @ 0x7feffc72324
CoRegisterMessageFilter+0x3c30 CoUninitialize-0xc4c ole32+0x206c8 @ 0x7feffc706c8
CoRegisterMessageFilter+0x3c01 CoUninitialize-0xc7b ole32+0x20699 @ 0x7feffc70699
CoUninitialize+0x1290 CoInitializeEx-0x48c ole32+0x225a4 @ 0x7feffc725a4
CoUninitialize+0xa6 CoInitializeEx-0x1676 ole32+0x213ba @ 0x7feffc713ba
New_ole32_CoUninitialize+0x57 New_ole32_OleConvertOLESTREAMToIStorage-0x53 @ 0x7563774b
SHCreateThreadRef+0xc5 SHLockShared-0x7b7 shlwapi+0x6aad @ 0x7feff886aad
SHRegGetUSValueW+0x31a SHCreateThread-0x1d2 shlwapi+0xc77e @ 0x7feff88c77e
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a4652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77b7c521

registers.r14: 0
registers.r9: 0
registers.rcx: 35840672
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rdi: 0
registers.r11: 35842432
registers.r8: 0
registers.rdx: 1
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 35846896
registers.rax: 1978336031
registers.r13: 0
exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80010012
exception.offset: 42141
exception.address: 0x7fefdc5a49d
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3662848051&cup2hreq=32613258e9de0f3316e5f61027ccfa63268c467704dc96ffb8eda7dcd2883f1d
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619631555&mv=u&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=6b257d5dd61fc59&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619631615&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:3662848051&cup2hreq=32613258e9de0f3316e5f61027ccfa63268c467704dc96ffb8eda7dcd2883f1d
Sends data using the HTTP POST method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:3662848051&cup2hreq=32613258e9de0f3316e5f61027ccfa63268c467704dc96ffb8eda7dcd2883f1d
Allocates read-write-execute memory (usually to unpack itself) (15 events)
Time & API Arguments Status Return Repeated
1619649224.508988
NtAllocateVirtualMemory
process_identifier: 2128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00370000
success 0 0
1619649224.664988
NtProtectVirtualMemory
process_identifier: 2128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 45056
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619649224.664988
NtAllocateVirtualMemory
process_identifier: 2128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00680000
success 0 0
1619649226.158507
NtAllocateVirtualMemory
process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00560000
success 0 0
1619649226.158507
NtProtectVirtualMemory
process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77547000
success 0 0
1619649226.158507
NtProtectVirtualMemory
process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77534000
success 0 0
1619649226.221507
NtProtectVirtualMemory
process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00415000
success 0 0
1619649226.221507
NtProtectVirtualMemory
process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00415000
success 0 0
1619660419.765125
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619660419.812125
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 45056
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00458000
success 0 0
1619660419.812125
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f70000
success 0 0
1619660420.5305
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003f0000
success 0 0
1619660420.5305
NtProtectVirtualMemory
process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77547000
success 0 0
1619660420.5305
NtProtectVirtualMemory
process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77534000
success 0 0
1619660062.127896
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004070000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpe7e60e17.bat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Biizu\azem.exe
Creates a suspicious process (1 event)
cmdline "C:\Windows\system32\cmd.exe" /c "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\tmpe7e60e17.bat"
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d6336becada954a54a45adb18bd17f7.exe
Searches running processes, potentially to identify targets for sandbox evasion, code injection or memory dumping (12 events)
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619660429.9675
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.277475900229728 section {'size_of_data': '0x0004ac00', 'virtual_address': '0x00072000', 'entropy': 7.277475900229728, 'name': '.rsrc', 'virtual_size': '0x0004ab64'} description A section with a high entropy has been found
entropy 0.4101508916323731 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier of a suspicious privilege on the system (2 events)
Time & API Arguments Status Return Repeated
1619649226.252507
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1619649226.283507
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
Reads the system's User-Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619660429.3275
InternetOpenA
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
One or more of the buffers contains an embedded PE file (13 events)
buffer Buffer with sha1: a6ceab0f7560ca24170d4fd291e55c4abd214587
buffer Buffer with sha1: 4998757ff32dd908d2109d2c8785c66d78c9b07b
buffer Buffer with sha1: deb8e03cfb6a30cc036e1c9e5dee983d22e0d25a
buffer Buffer with sha1: 5b0dbbf7a15090ec1e9e68411a7fe5d33a97db6a
buffer Buffer with sha1: f32957750291a8789910dd3a208a73d426acbc39
buffer Buffer with sha1: 07eb396aebe81ad083786504e5d612ccf805f5f5
buffer Buffer with sha1: afe08e8bcad616258e1bcf59338f1b853860122d
buffer Buffer with sha1: fdc2085b6cdf37e92b281afa783901beaa8fe681
buffer Buffer with sha1: dd12d62e154d30c4c55fd873d83cdebcbdd2ef17
buffer Buffer with sha1: ee56b9358a84aa650618f88e5bb9f9e3ddecdf7f
buffer Buffer with sha1: 168307a75be55d15accedf57afea4454ff4cb96a
buffer Buffer with sha1: 73bfc3a2ecd027c56afcb0a3cba9ead8227397e6
buffer Buffer with sha1: 04bcbfb0d9808ad6e9474aa1e856c06e4c1d4a34
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission in another process, indicative of possible code injection (19 events)
Time & API Arguments Status Return Repeated
1619660420.6555
NtAllocateVirtualMemory
process_identifier: 1336
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x022c0000
success 0 0
1619660421.1085
NtAllocateVirtualMemory
process_identifier: 1384
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1619660421.6555
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x06d00000
success 0 0
1619660422.2025
NtAllocateVirtualMemory
process_identifier: 2072
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00120000
success 0 0
1619660422.8745
NtAllocateVirtualMemory
process_identifier: 2940
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1619660424.6555
NtAllocateVirtualMemory
process_identifier: 2132
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02ae0000
success 0 0
1619660424.6555
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02b10000
success 0 0
1619660424.6865
NtAllocateVirtualMemory
process_identifier: 420
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01be0000
success 0 0
1619660426.9525
NtAllocateVirtualMemory
process_identifier: 2128
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660426.9525
NtAllocateVirtualMemory
process_identifier: 2104
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660426.9525
NtAllocateVirtualMemory
process_identifier: 368
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660426.9525
NtAllocateVirtualMemory
process_identifier: 472
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660426.9525
NtAllocateVirtualMemory
process_identifier: 152
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660426.9995
NtAllocateVirtualMemory
process_identifier: 3292
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02180000
success 0 0
1619660427.0305
NtAllocateVirtualMemory
process_identifier: 3344
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f90000
success 0 0
1619660427.9525
NtAllocateVirtualMemory
process_identifier: 3436
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660428.0305
NtAllocateVirtualMemory
process_identifier: 3508
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00550000
success 0 0
1619660428.6555
NtAllocateVirtualMemory
process_identifier: 3616
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00250000
success 0 0
1619660484.8895
NtAllocateVirtualMemory
process_identifier: 3288
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000490
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00450000
success 0 0
Installs itself for autorun at Windows startup (50 out of 514 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Yzdeegavmi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Biizu\azem.exe
(the same reg_key / reg_value pair is reported for all 50 listed events)
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d6336becada954a54a45adb18bd17f7.exe
Creates a thread using CreateRemoteThread in a non-child process, indicative of process injection (26 events)
Process injection Process 2196 created a remote thread in non-child process 1336
Process injection Process 2196 created a remote thread in non-child process 1384
Process injection Process 2196 created a remote thread in non-child process 1424
Process injection Process 2196 created a remote thread in non-child process 2072
Process injection Process 2196 created a remote thread in non-child process 2940
Process injection Process 2196 created a remote thread in non-child process 2132
Process injection Process 2196 created a remote thread in non-child process 1316
Process injection Process 2196 created a remote thread in non-child process 420
Process injection Process 2196 created a remote thread in non-child process 3292
Process injection Process 2196 created a remote thread in non-child process 3344
Process injection Process 2196 created a remote thread in non-child process 3508
Process injection Process 2196 created a remote thread in non-child process 3616
Process injection Process 2196 created a remote thread in non-child process 3288
Time & API Arguments Status Return Repeated
1619660421.0925
CreateRemoteThread
thread_identifier: 0
process_identifier: 1336
function_address: 0x022d9c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660421.6395
CreateRemoteThread
thread_identifier: 0
process_identifier: 1384
function_address: 0x00149c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660422.2025
CreateRemoteThread
thread_identifier: 0
process_identifier: 1424
function_address: 0x06d19c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660422.8585
CreateRemoteThread
thread_identifier: 0
process_identifier: 2072
function_address: 0x00139c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660424.6555
CreateRemoteThread
thread_identifier: 0
process_identifier: 2940
function_address: 0x00159c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660424.6555
CreateRemoteThread
thread_identifier: 0
process_identifier: 2132
function_address: 0x02af9c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660424.6715
CreateRemoteThread
thread_identifier: 0
process_identifier: 1316
function_address: 0x02b29c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660426.9525
CreateRemoteThread
thread_identifier: 0
process_identifier: 420
function_address: 0x01bf9c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660427.0145
CreateRemoteThread
thread_identifier: 0
process_identifier: 3292
function_address: 0x02199c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660427.9525
CreateRemoteThread
thread_identifier: 0
process_identifier: 3344
function_address: 0x01fa9c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660428.6085
CreateRemoteThread
thread_identifier: 0
process_identifier: 3508
function_address: 0x00569c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660429.1085
CreateRemoteThread
thread_identifier: 0
process_identifier: 3616
function_address: 0x00269c27
flags: 0
process_handle: 0x00000148
parameter: 0x00000000
stack_size: 0
failed 0 0
1619660485.2025
CreateRemoteThread
thread_identifier: 0
process_identifier: 3288
function_address: 0x00469c27
flags: 0
process_handle: 0x00000490
parameter: 0x00000000
stack_size: 0
failed 0 0
Manipulates memory of a non-child process indicative of process injection (38 events)
Process injection Process 2196 manipulating memory of non-child process 1336
Process injection Process 2196 manipulating memory of non-child process 1384
Process injection Process 2196 manipulating memory of non-child process 1424
Process injection Process 2196 manipulating memory of non-child process 2072
Process injection Process 2196 manipulating memory of non-child process 2940
Process injection Process 2196 manipulating memory of non-child process 2132
Process injection Process 2196 manipulating memory of non-child process 1316
Process injection Process 2196 manipulating memory of non-child process 420
Process injection Process 2196 manipulating memory of non-child process 2128
Process injection Process 2196 manipulating memory of non-child process 2104
Process injection Process 2196 manipulating memory of non-child process 368
Process injection Process 2196 manipulating memory of non-child process 472
Process injection Process 2196 manipulating memory of non-child process 152
Process injection Process 2196 manipulating memory of non-child process 3292
Process injection Process 2196 manipulating memory of non-child process 3344
Process injection Process 2196 manipulating memory of non-child process 3436
Process injection Process 2196 manipulating memory of non-child process 3508
Process injection Process 2196 manipulating memory of non-child process 3616
Process injection Process 2196 manipulating memory of non-child process 3288
Time & API Arguments Status Return Repeated
1619660420.6555
NtAllocateVirtualMemory
process_identifier: 1336
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x022c0000
success 0 0
1619660421.1085
NtAllocateVirtualMemory
process_identifier: 1384
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1619660421.6555
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x06d00000
success 0 0
1619660422.2025
NtAllocateVirtualMemory
process_identifier: 2072
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00120000
success 0 0
1619660422.8745
NtAllocateVirtualMemory
process_identifier: 2940
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1619660424.6555
NtAllocateVirtualMemory
process_identifier: 2132
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02ae0000
success 0 0
1619660424.6555
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02b10000
success 0 0
1619660424.6865
NtAllocateVirtualMemory
process_identifier: 420
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01be0000
success 0 0
1619660426.9525
NtAllocateVirtualMemory
process_identifier: 2128
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660426.9525
NtAllocateVirtualMemory
process_identifier: 2104
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660426.9525
NtAllocateVirtualMemory
process_identifier: 368
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660426.9525
NtAllocateVirtualMemory
process_identifier: 472
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660426.9525
NtAllocateVirtualMemory
process_identifier: 152
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660426.9995
NtAllocateVirtualMemory
process_identifier: 3292
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02180000
success 0 0
1619660427.0305
NtAllocateVirtualMemory
process_identifier: 3344
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f90000
success 0 0
1619660427.9525
NtAllocateVirtualMemory
process_identifier: 3436
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00000000
failed 3221225738 0
1619660428.0305
NtAllocateVirtualMemory
process_identifier: 3508
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00550000
success 0 0
1619660428.6555
NtAllocateVirtualMemory
process_identifier: 3616
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000148
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00250000
success 0 0
1619660484.8895
NtAllocateVirtualMemory
process_identifier: 3288
region_size: 241664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000490
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00450000
success 0 0
Potential code injection by writing to the memory of another process (50 out of 65 events)
Process injection Process 2196 injected into non-child 1336
Process injection Process 2196 injected into non-child 1384
Process injection Process 2196 injected into non-child 1424
Process injection Process 2196 injected into non-child 2072
Process injection Process 2196 injected into non-child 2940
Process injection Process 2196 injected into non-child 2132
Process injection Process 2196 injected into non-child 1316
Process injection Process 2196 injected into non-child 420
Process injection Process 2196 injected into non-child 3292
Process injection Process 2196 injected into non-child 3344
Time & API Arguments Status Return Repeated
1619660420.6555
WriteProcessMemory
process_identifier: 1336
buffer:
process_handle: 0x00000148
base_address: 0x022f6d60
success 1 0
1619660420.6555
WriteProcessMemory
process_identifier: 1336
buffer: ,
process_handle: 0x00000148
base_address: 0x022f6d74
success 1 0
1619660420.6555
WriteProcessMemory
process_identifier: 1336
buffer: ¸
process_handle: 0x00000148
base_address: 0x022f716c
success 1 0
1619660420.6555
WriteProcessMemory
process_identifier: 1336
buffer: ´
process_handle: 0x00000148
base_address: 0x022f7170
success 1 0
1619660421.1085
WriteProcessMemory
process_identifier: 1384
buffer:
process_handle: 0x00000148
base_address: 0x00166d60
success 1 0
1619660421.1085
WriteProcessMemory
process_identifier: 1384
buffer: 
process_handle: 0x00000148
base_address: 0x00166d74
success 1 0
1619660421.1085
WriteProcessMemory
process_identifier: 1384
buffer: @
process_handle: 0x00000148
base_address: 0x0016716c
success 1 0
1619660421.1085
WriteProcessMemory
process_identifier: 1384
buffer: ä
process_handle: 0x00000148
base_address: 0x00167170
success 1 0
1619660421.6715
WriteProcessMemory
process_identifier: 1424
buffer:
process_handle: 0x00000148
base_address: 0x06d36d60
success 1 0
1619660421.6715
WriteProcessMemory
process_identifier: 1424
buffer: Ð
process_handle: 0x00000148
base_address: 0x06d36d74
success 1 0
1619660421.6715
WriteProcessMemory
process_identifier: 1424
buffer: ¬
process_handle: 0x00000148
base_address: 0x06d3716c
success 1 0
1619660421.6715
WriteProcessMemory
process_identifier: 1424
buffer: ü
process_handle: 0x00000148
base_address: 0x06d37170
success 1 0
1619660422.2335
WriteProcessMemory
process_identifier: 2072
buffer:
process_handle: 0x00000148
base_address: 0x00156d60
success 1 0
1619660422.2335
WriteProcessMemory
process_identifier: 2072
buffer: 
process_handle: 0x00000148
base_address: 0x00156d74
success 1 0
1619660422.2335
WriteProcessMemory
process_identifier: 2072
buffer: l
process_handle: 0x00000148
base_address: 0x0015716c
success 1 0
1619660422.2335
WriteProcessMemory
process_identifier: 2072
buffer: p
process_handle: 0x00000148
base_address: 0x00157170
success 1 0
1619660422.8895
WriteProcessMemory
process_identifier: 2940
buffer:
process_handle: 0x00000148
base_address: 0x00176d60
success 1 0
1619660422.8895
WriteProcessMemory
process_identifier: 2940
buffer: 
process_handle: 0x00000148
base_address: 0x00176d74
success 1 0
1619660422.8895
WriteProcessMemory
process_identifier: 2940
buffer: 
process_handle: 0x00000148
base_address: 0x0017716c
success 1 0
1619660422.8895
WriteProcessMemory
process_identifier: 2940
buffer: $
process_handle: 0x00000148
base_address: 0x00177170
success 1 0
1619660424.6555
WriteProcessMemory
process_identifier: 2132
buffer:
process_handle: 0x00000148
base_address: 0x02b16d60
success 1 0
1619660424.6555
WriteProcessMemory
process_identifier: 2132
buffer: ®
process_handle: 0x00000148
base_address: 0x02b16d74
success 1 0
1619660424.6555
WriteProcessMemory
process_identifier: 2132
buffer: l
process_handle: 0x00000148
base_address: 0x02b1716c
success 1 0
1619660424.6555
WriteProcessMemory
process_identifier: 2132
buffer: p
process_handle: 0x00000148
base_address: 0x02b17170
success 1 0
1619660424.6715
WriteProcessMemory
process_identifier: 1316
buffer:
process_handle: 0x00000148
base_address: 0x02b46d60
success 1 0
1619660424.6715
WriteProcessMemory
process_identifier: 1316
buffer: ±
process_handle: 0x00000148
base_address: 0x02b46d74
success 1 0
1619660424.6715
WriteProcessMemory
process_identifier: 1316
buffer: (
process_handle: 0x00000148
base_address: 0x02b4716c
success 1 0
1619660424.6715
WriteProcessMemory
process_identifier: 1316
buffer: 
process_handle: 0x00000148
base_address: 0x02b47170
success 1 0
1619660424.7175
WriteProcessMemory
process_identifier: 420
buffer:
process_handle: 0x00000148
base_address: 0x01c16d60
success 1 0
1619660424.7175
WriteProcessMemory
process_identifier: 420
buffer: ¾
process_handle: 0x00000148
base_address: 0x01c16d74
success 1 0
1619660424.7175
WriteProcessMemory
process_identifier: 420
buffer: <
process_handle: 0x00000148
base_address: 0x01c1716c
success 1 0
1619660424.7175
WriteProcessMemory
process_identifier: 420
buffer: 0
process_handle: 0x00000148
base_address: 0x01c17170
success 1 0
1619660427.0145
WriteProcessMemory
process_identifier: 3292
buffer:
process_handle: 0x00000148
base_address: 0x021b6d60
success 1 0
1619660427.0145
WriteProcessMemory
process_identifier: 3292
buffer: 
process_handle: 0x00000148
base_address: 0x021b6d74
success 1 0
1619660427.0145
WriteProcessMemory
process_identifier: 3292
buffer: 4
process_handle: 0x00000148
base_address: 0x021b716c
success 1 0
1619660427.0145
WriteProcessMemory
process_identifier: 3292
buffer: <
process_handle: 0x00000148
base_address: 0x021b7170
success 1 0
1619660427.0305
WriteProcessMemory
process_identifier: 3344
buffer:
process_handle: 0x00000148
base_address: 0x01fc6d60
success 1 0
1619660427.0305
WriteProcessMemory
process_identifier: 3344
buffer: ù
process_handle: 0x00000148
base_address: 0x01fc6d74
success 1 0
1619660427.0305
WriteProcessMemory
process_identifier: 3344
buffer: ˆ
process_handle: 0x00000148
base_address: 0x01fc716c
success 1 0
1619660427.0305
WriteProcessMemory
process_identifier: 3344
buffer: Ä
process_handle: 0x00000148
base_address: 0x01fc7170
success 1 0
Visual analysis
Binary image
No binary image: this sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x466150 VirtualFree
0x466154 VirtualAlloc
0x466158 LocalFree
0x46615c LocalAlloc
0x466160 GetVersion
0x466164 GetCurrentThreadId
0x466170 VirtualQuery
0x466174 WideCharToMultiByte
0x466178 MultiByteToWideChar
0x46617c lstrlenA
0x466180 lstrcpynA
0x466184 LoadLibraryExA
0x466188 GetThreadLocale
0x46618c GetStartupInfoA
0x466190 GetProcAddress
0x466194 GetModuleHandleA
0x466198 GetModuleFileNameA
0x46619c GetLocaleInfoA
0x4661a0 GetCommandLineA
0x4661a4 FreeLibrary
0x4661a8 FindFirstFileA
0x4661ac FindClose
0x4661b0 ExitProcess
0x4661b4 WriteFile
0x4661bc RtlUnwind
0x4661c0 RaiseException
0x4661c4 GetStdHandle
Library user32.dll:
0x4661cc GetKeyboardType
0x4661d0 LoadStringA
0x4661d4 MessageBoxA
0x4661d8 CharNextA
Library advapi32.dll:
0x4661e0 RegQueryValueExA
0x4661e4 RegOpenKeyExA
0x4661e8 RegCloseKey
Library oleaut32.dll:
0x4661f0 SysFreeString
0x4661f4 SysReAllocStringLen
0x4661f8 SysAllocStringLen
Library kernel32.dll:
0x466200 TlsSetValue
0x466204 TlsGetValue
0x466208 LocalAlloc
0x46620c GetModuleHandleA
Library advapi32.dll:
0x466214 RegQueryValueExA
0x466218 RegOpenKeyExA
0x46621c RegCloseKey
Library kernel32.dll:
0x466224 lstrcpyA
0x466228 lstrcmpA
0x46622c WriteFile
0x466230 WaitForSingleObject
0x466234 VirtualQuery
0x466238 VirtualProtect
0x46623c VirtualAlloc
0x466240 Sleep
0x466244 SizeofResource
0x466248 SetThreadLocale
0x46624c SetFilePointer
0x466250 SetEvent
0x466254 SetErrorMode
0x466258 SetEndOfFile
0x46625c ResetEvent
0x466260 ReadFile
0x466264 MulDiv
0x466268 LockResource
0x46626c LoadResource
0x466270 LoadLibraryA
0x46627c GlobalUnlock
0x466280 GlobalReAlloc
0x466284 GlobalHandle
0x466288 GlobalLock
0x46628c GlobalFree
0x466290 GlobalFindAtomA
0x466294 GlobalDeleteAtom
0x466298 GlobalAlloc
0x46629c GlobalAddAtomA
0x4662a0 GetVersionExA
0x4662a4 GetVersion
0x4662a8 GetTickCount
0x4662ac GetThreadLocale
0x4662b4 GetSystemTime
0x4662b8 GetSystemInfo
0x4662bc GetStringTypeExA
0x4662c0 GetStdHandle
0x4662c4 GetProcAddress
0x4662c8 GetModuleHandleA
0x4662cc GetModuleFileNameA
0x4662d0 GetLocaleInfoA
0x4662d4 GetLocalTime
0x4662d8 GetLastError
0x4662dc GetFullPathNameA
0x4662e0 GetDiskFreeSpaceA
0x4662e4 GetDateFormatA
0x4662e8 GetCurrentThreadId
0x4662ec GetCurrentProcessId
0x4662f0 GetCPInfo
0x4662f4 GetACP
0x4662f8 FreeResource
0x4662fc InterlockedExchange
0x466300 FreeLibrary
0x466304 FormatMessageA
0x466308 FindResourceA
0x466310 ExitThread
0x466314 EnumCalendarInfoA
0x466320 CreateThread
0x466324 CreateFileA
0x466328 CreateEventA
0x46632c CompareStringA
0x466330 CloseHandle
Library version.dll:
0x466338 VerQueryValueA
0x466340 GetFileVersionInfoA
Library gdi32.dll:
0x466348 UnrealizeObject
0x46634c StretchBlt
0x466350 SetWindowOrgEx
0x466354 SetViewportOrgEx
0x466358 SetTextColor
0x46635c SetStretchBltMode
0x466360 SetROP2
0x466364 SetPixel
0x466368 SetDIBColorTable
0x46636c SetBrushOrgEx
0x466370 SetBkMode
0x466374 SetBkColor
0x466378 SelectPalette
0x46637c SelectObject
0x466380 SaveDC
0x466384 RestoreDC
0x466388 RectVisible
0x46638c RealizePalette
0x466390 PatBlt
0x466394 MoveToEx
0x466398 MaskBlt
0x46639c LineTo
0x4663a0 IntersectClipRect
0x4663a4 GetWindowOrgEx
0x4663a8 GetTextMetricsA
0x4663b4 GetStockObject
0x4663b8 GetPixel
0x4663bc GetPaletteEntries
0x4663c0 GetObjectA
0x4663c4 GetDeviceCaps
0x4663c8 GetDIBits
0x4663cc GetDIBColorTable
0x4663d0 GetDCOrgEx
0x4663d8 GetClipBox
0x4663dc GetBrushOrgEx
0x4663e0 GetBitmapBits
0x4663e4 ExcludeClipRect
0x4663e8 DeleteObject
0x4663ec DeleteDC
0x4663f0 CreateSolidBrush
0x4663f4 CreatePenIndirect
0x4663f8 CreatePalette
0x466400 CreateFontIndirectA
0x466404 CreateDIBitmap
0x466408 CreateDIBSection
0x46640c CreateCompatibleDC
0x466414 CreateBrushIndirect
0x466418 CreateBitmap
0x46641c BitBlt
Library user32.dll:
0x466424 CreateWindowExA
0x466428 WindowFromPoint
0x46642c WinHelpA
0x466430 WaitMessage
0x466434 UpdateWindow
0x466438 UnregisterClassA
0x46643c UnhookWindowsHookEx
0x466440 TranslateMessage
0x466448 TrackPopupMenu
0x466450 ShowWindow
0x466454 ShowScrollBar
0x466458 ShowOwnedPopups
0x46645c ShowCursor
0x466460 SetWindowsHookExA
0x466464 SetWindowTextA
0x466468 SetWindowPos
0x46646c SetWindowPlacement
0x466470 SetWindowLongA
0x466474 SetTimer
0x466478 SetScrollRange
0x46647c SetScrollPos
0x466480 SetScrollInfo
0x466484 SetRect
0x466488 SetPropA
0x46648c SetParent
0x466490 SetMenuItemInfoA
0x466494 SetMenu
0x466498 SetForegroundWindow
0x46649c SetFocus
0x4664a0 SetCursor
0x4664a4 SetClassLongA
0x4664a8 SetCapture
0x4664ac SetActiveWindow
0x4664b0 SendMessageA
0x4664b4 ScrollWindow
0x4664b8 ScreenToClient
0x4664bc RemovePropA
0x4664c0 RemoveMenu
0x4664c4 ReleaseDC
0x4664c8 ReleaseCapture
0x4664d4 RegisterClassA
0x4664d8 RedrawWindow
0x4664dc PtInRect
0x4664e0 PostQuitMessage
0x4664e4 PostMessageA
0x4664e8 PeekMessageA
0x4664ec OffsetRect
0x4664f0 OemToCharA
0x4664f4 MessageBoxA
0x4664f8 MapWindowPoints
0x4664fc MapVirtualKeyA
0x466500 LoadStringA
0x466504 LoadKeyboardLayoutA
0x466508 LoadIconA
0x46650c LoadCursorA
0x466510 LoadBitmapA
0x466514 KillTimer
0x466518 IsZoomed
0x46651c IsWindowVisible
0x466520 IsWindowEnabled
0x466524 IsWindow
0x466528 IsRectEmpty
0x46652c IsIconic
0x466530 IsDialogMessageA
0x466534 IsChild
0x466538 InvalidateRect
0x46653c IntersectRect
0x466540 InsertMenuItemA
0x466544 InsertMenuA
0x466548 InflateRect
0x466550 GetWindowTextA
0x466554 GetWindowRect
0x466558 GetWindowPlacement
0x46655c GetWindowLongA
0x466560 GetWindowDC
0x466564 GetTopWindow
0x466568 GetSystemMetrics
0x46656c GetSystemMenu
0x466570 GetSysColorBrush
0x466574 GetSysColor
0x466578 GetSubMenu
0x46657c GetScrollRange
0x466580 GetScrollPos
0x466584 GetScrollInfo
0x466588 GetPropA
0x46658c GetParent
0x466590 GetWindow
0x466594 GetMenuStringA
0x466598 GetMenuState
0x46659c GetMenuItemInfoA
0x4665a0 GetMenuItemID
0x4665a4 GetMenuItemCount
0x4665a8 GetMenu
0x4665ac GetLastActivePopup
0x4665b0 GetKeyboardState
0x4665b8 GetKeyboardLayout
0x4665bc GetKeyState
0x4665c0 GetKeyNameTextA
0x4665c4 GetIconInfo
0x4665c8 GetForegroundWindow
0x4665cc GetFocus
0x4665d0 GetDlgItem
0x4665d4 GetDesktopWindow
0x4665d8 GetDCEx
0x4665dc GetDC
0x4665e0 GetCursorPos
0x4665e4 GetCursor
0x4665e8 GetClientRect
0x4665ec GetClassNameA
0x4665f0 GetClassInfoA
0x4665f4 GetCapture
0x4665f8 GetActiveWindow
0x4665fc FrameRect
0x466600 FindWindowA
0x466604 FillRect
0x466608 EqualRect
0x46660c EnumWindows
0x466610 EnumThreadWindows
0x466614 EndPaint
0x466618 EnableWindow
0x46661c EnableScrollBar
0x466620 EnableMenuItem
0x466624 DrawTextA
0x466628 DrawMenuBar
0x46662c DrawIconEx
0x466630 DrawIcon
0x466634 DrawFrameControl
0x466638 DrawEdge
0x46663c DispatchMessageA
0x466640 DestroyWindow
0x466644 DestroyMenu
0x466648 DestroyIcon
0x46664c DestroyCursor
0x466650 DeleteMenu
0x466654 DefWindowProcA
0x466658 DefMDIChildProcA
0x46665c DefFrameProcA
0x466660 CreatePopupMenu
0x466664 CreateMenu
0x466668 CreateIcon
0x46666c ClientToScreen
0x466670 CheckMenuItem
0x466674 CallWindowProcA
0x466678 CallNextHookEx
0x46667c BeginPaint
0x466680 CharNextA
0x466684 CharLowerA
0x466688 CharToOemA
0x46668c AdjustWindowRectEx
Library kernel32.dll:
0x466698 Sleep
Library oleaut32.dll:
0x4666a0 SafeArrayPtrOfIndex
0x4666a4 SafeArrayGetUBound
0x4666a8 SafeArrayGetLBound
0x4666ac SafeArrayCreate
0x4666b0 VariantChangeType
0x4666b4 VariantCopy
0x4666b8 VariantClear
0x4666bc VariantInit
Library ole32.dll:
0x4666c4 CoTaskMemAlloc
0x4666c8 CoCreateInstance
0x4666cc CoUninitialize
0x4666d0 CoInitialize
Library comctl32.dll:
0x4666e0 ImageList_Write
0x4666e4 ImageList_Read
0x4666f4 ImageList_DragMove
0x4666f8 ImageList_DragLeave
0x4666fc ImageList_DragEnter
0x466700 ImageList_EndDrag
0x466704 ImageList_BeginDrag
0x466708 ImageList_Remove
0x46670c ImageList_DrawEx
0x466710 ImageList_Draw
0x466720 ImageList_Add
0x466728 ImageList_Destroy
0x46672c ImageList_Create
0x466730 InitCommonControls
Library comdlg32.dll:
0x466738 GetSaveFileNameA
0x46673c GetOpenFileNameA

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49222 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49221 113.108.239.161 redirector.gvt1.com 80
192.168.56.101 49220 203.208.50.98 update.googleapis.com 443
192.168.56.101 49223 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 53661 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 57089 114.114.114.114 53
192.168.56.101 57367 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619631555&mv=u&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619631555&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=6b257d5dd61fc59&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619631615&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=6b257d5dd61fc59&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619631615&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.