Score: 7.0
Risk level: High
SHA-256: b2878c50fba27726757e7c46764309d8b182beb9a7eb282ebd81b1723ac2ad1d
File name: a771f1eabae22414d2af688ecb579ad8.exe
Analysis duration: 91s
Last analysis:
File size: 835.5KB
Static detection / dynamic detection tags: 0GW@AAAJODNI AGENTTESLA AI SCORE=100 AIDETECTVM ALI2000015 ATTRIBUTE CLOUD COINMINERX CONFIDENCE DELF DELFINJECT DELPHILESS EMOY FAREIT GENERICIH GENETIC HIGH CONFIDENCE HIGHCONFIDENCE HNGRBE HPLOKI KRYPTIK LMUB MALICIOUS PE MALWARE1 MALWARE@#AIU8NZ4MQEBT MODERATE S14938451 SCORE SMBD TSCOPE TSPY UNSAFE UROR USJUU X2085 ZELPHIF ZUSY
Eagle Eye engine
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Engine        Result                                Scan date   Engine version
McAfee        Fareit-FVZ!A771F1EABAE2               20200721    6.0.6.653
CrowdStrike   win/malicious_confidence_70% (W)      20190702    1.0
Alibaba       Trojan:Win32/DelfInject.ali2000015    20190527    0.3.0.5
Baidu         -                                     20190318    1.0.0.2
Tencent       Win32.Trojan.Kryptik.Lmub             20200721    1.0.0.1
Kingsoft      -                                     20200721    2013.8.14.323
Avast         Win32:CoinminerX-gen [Trj]            20200721    18.4.3895.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (37 events)
Time & API Arguments Status Return Repeated
1619826880.833436
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49610564
registers.edi: 0
registers.eax: 0
registers.ebp: 49610632
registers.edx: 14
registers.ebx: 0
registers.esi: 0
registers.ecx: 769
exception.instruction_r: f7 f0 89 c9 89 c9 33 c0 5a 59 59 64 89 10 e9 af
exception.symbol: a771f1eabae22414d2af688ecb579ad8+0x8ddba
exception.instruction: div eax
exception.module: a771f1eabae22414d2af688ecb579ad8.exe
exception.exception_code: 0xc0000094
exception.offset: 581050
exception.address: 0x48ddba
success 0 0
1619836796.73525
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
a771f1eabae22414d2af688ecb579ad8+0x783f8 @ 0x4783f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75154b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75155d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff5914ad
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 375 events)
Time & API Arguments Status Return Repeated
1619826880.630436
NtAllocateVirtualMemory
process_identifier: 2136
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003a0000
success 0 0
1619826880.833436
NtProtectVirtualMemory
process_identifier: 2136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 45056
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0048d000
success 0 0
1619826880.833436
NtAllocateVirtualMemory
process_identifier: 2136
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008a0000
success 0 0
1619836796.32925
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619836796.36025
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01ed0000
success 0 0
1619836796.36025
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f40000
success 0 0
1619836796.36025
NtAllocateVirtualMemory
process_identifier: 2340
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x005d0000
success 0 0
1619836796.36025
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 434176
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005d2000
success 0 0
1619836796.68825
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02032000
success 0 0
1619836796.68825
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619836796.68825
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02032000
success 0 0
1619836796.68825
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619836796.68825
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02032000
success 0 0
1619836796.68825
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619836796.68825
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02032000
success 0 0
1619836796.68825
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02032000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02032000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02032000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02032000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02032000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02032000
success 0 0
1619836796.70425
NtProtectVirtualMemory
process_identifier: 2340
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619836796.407375
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01ed0000
success 0 0
1619836796.423375
NtProtectVirtualMemory
process_identifier: 2984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 45056
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0048d000
success 0 0
1619836796.438375
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f90000
success 0 0
1619836802.032375
NtAllocateVirtualMemory
process_identifier: 3148
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e0000
success 0 0
1619836802.048375
NtProtectVirtualMemory
process_identifier: 3148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 45056
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0048d000
success 0 0
1619836802.063375
NtAllocateVirtualMemory
process_identifier: 3148
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008f0000
success 0 0
1619836803.48525
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619836803.50125
NtAllocateVirtualMemory
process_identifier: 3220
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f00000
success 0 0
1619836803.50125
NtAllocateVirtualMemory
process_identifier: 3220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01ff0000
success 0 0
1619836803.50125
NtAllocateVirtualMemory
process_identifier: 3220
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e00000
success 0 0
1619836803.50125
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 434176
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e02000
success 0 0
1619836803.78225
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01d82000
success 0 0
1619836803.78225
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619836803.78225
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01d82000
success 0 0
1619836803.78225
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619836803.79825
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01d82000
success 0 0
1619836803.79825
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619836803.79825
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01d82000
success 0 0
1619836803.79825
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619836803.79825
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01d82000
success 0 0
1619836803.79825
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619836803.79825
NtProtectVirtualMemory
process_identifier: 3220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01d82000
success 0 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (35 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.013223318742773 section {'size_of_data': '0x0002b400', 'virtual_address': '0x000ab000', 'entropy': 7.013223318742773, 'name': '.rsrc', 'virtual_size': '0x0002b264'} description A section with a high entropy has been found
entropy 0.20730976632714201 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process a771f1eabae22414d2af688ecb579ad8.exe
Repeatedly searches for a not-found process; you may want to run a web browser during analysis (37 events)
Time & API Arguments Status Return Repeated
1619826880.848436
Process32NextW
process_name: conhost.exe
snapshot_handle: 0x000000f8
process_identifier: 2712
failed 0 0
1619836796.454375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 192
failed 0 0
1619836801.469375
Process32NextW
process_name: a771f1eabae22414d2af688ecb579ad8.exe
snapshot_handle: 0x0000018c
process_identifier: 2984
failed 0 0
1619836802.079375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3204
failed 0 0
1619836804.43825
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3424
failed 0 0
1619836806.00125
Process32NextW
process_name: a771f1eabae22414d2af688ecb579ad8.exe
snapshot_handle: 0x00000120
process_identifier: 3320
failed 0 0
1619836807.423
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3508
failed 0 0
1619836809.376875
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x000000f8
process_identifier: 3676
failed 0 0
1619836811.376875
Process32NextW
process_name: a771f1eabae22414d2af688ecb579ad8.exe
snapshot_handle: 0x00000134
process_identifier: 3592
failed 0 0
1619836812.094625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3768
failed 0 0
1619836814.4385
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3940
failed 0 0
1619836816.2985
Process32NextW
process_name: a771f1eabae22414d2af688ecb579ad8.exe
snapshot_handle: 0x00000124
process_identifier: 3844
failed 0 0
1619836817.032875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 4024
failed 0 0
1619836819.391
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3108
failed 0 0
1619836825.86
Process32NextW
process_name: a771f1eabae22414d2af688ecb579ad8.exe
snapshot_handle: 0x000001b4
process_identifier: 2236
failed 0 0
1619836826.485125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3196
failed 0 0
1619836829.094125
Process32NextW
process_name: a771f1eabae22414d2af688ecb579ad8.exe
snapshot_handle: 0x000000f8
process_identifier: 3300
failed 0 0
1619836831.376125
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x00000128
process_identifier: 1272
failed 0 0
1619836832.579498
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3572
failed 0 0
1619836833.76675
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3772
failed 0 0
1619836835.53275
Process32NextW
process_name: a771f1eabae22414d2af688ecb579ad8.exe
snapshot_handle: 0x00000120
process_identifier: 2448
failed 0 0
1619836836.016125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 2952
failed 0 0
1619836837.829375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3952
failed 0 0
1619836839.266375
Process32NextW
process_name: a771f1eabae22414d2af688ecb579ad8.exe
snapshot_handle: 0x00000128
process_identifier: 4000
failed 0 0
1619836840.34425
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 2284
failed 0 0
1619836842.53275
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 1932
failed 0 0
1619836845.09475
Process32NextW
process_name: a771f1eabae22414d2af688ecb579ad8.exe
snapshot_handle: 0x0000012c
process_identifier: 3004
failed 0 0
1619836845.751625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 300
failed 0 0
1619836847.954
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3604
failed 0 0
1619836849.204
Process32NextW
process_name: a771f1eabae22414d2af688ecb579ad8.exe
snapshot_handle: 0x00000118
process_identifier: 3688
failed 0 0
1619836849.89175
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000fc
process_identifier: 3988
failed 0 0
1619836851.688
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 2516
failed 0 0
1619836852.969
Process32NextW
process_name: a771f1eabae22414d2af688ecb579ad8.exe
snapshot_handle: 0x0000011c
process_identifier: 1740
failed 0 0
1619836853.563375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3364
failed 0 0
1619836855.1885
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 1812
failed 0 0
1619836857.3605
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000120
process_identifier: 3884
failed 0 0
1619836859.391875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 1272
failed 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (24 events)
Process injection Process 2136 called NtSetContextThread to modify thread in remote process 2340
Process injection Process 3148 called NtSetContextThread to modify thread in remote process 3220
Process injection Process 3444 called NtSetContextThread to modify thread in remote process 3524
Process injection Process 3712 called NtSetContextThread to modify thread in remote process 3784
Process injection Process 3968 called NtSetContextThread to modify thread in remote process 4040
Process injection Process 3040 called NtSetContextThread to modify thread in remote process 2996
Process injection Process 3496 called NtSetContextThread to modify thread in remote process 3612
Process injection Process 3860 called NtSetContextThread to modify thread in remote process 2948
Process injection Process 2120 called NtSetContextThread to modify thread in remote process 2576
Process injection Process 1760 called NtSetContextThread to modify thread in remote process 3536
Process injection Process 3608 called NtSetContextThread to modify thread in remote process 3776
Process injection Process 4036 called NtSetContextThread to modify thread in remote process 3180
Time & API Arguments Status Return Repeated
1619826881.395436
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2340
success 0 0
1619836802.673375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3220
success 0 0
1619836808.298
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3524
success 0 0
1619836812.360625
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3784
success 0 0
1619836817.829875
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4040
success 0 0
1619836828.016125
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2996
success 0 0
1619836832.735498
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3612
success 0 0
1619836836.173125
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2948
success 0 0
1619836840.87625
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2576
success 0 0
1619836846.204625
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3536
success 0 0
1619836850.09475
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3776
success 0 0
1619836853.688375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3180
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (24 events)
Process injection Process 2136 resumed a thread in remote process 2340
Process injection Process 3148 resumed a thread in remote process 3220
Process injection Process 3444 resumed a thread in remote process 3524
Process injection Process 3712 resumed a thread in remote process 3784
Process injection Process 3968 resumed a thread in remote process 4040
Process injection Process 3040 resumed a thread in remote process 2996
Process injection Process 3496 resumed a thread in remote process 3612
Process injection Process 3860 resumed a thread in remote process 2948
Process injection Process 2120 resumed a thread in remote process 2576
Process injection Process 1760 resumed a thread in remote process 3536
Process injection Process 3608 resumed a thread in remote process 3776
Process injection Process 4036 resumed a thread in remote process 3180
Time & API Arguments Status Return Repeated
1619826881.755436
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2340
success 0 0
1619836803.219375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3220
success 0 0
1619836808.751
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3524
success 0 0
1619836812.751625
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3784
success 0 0
1619836818.391875
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 4040
success 0 0
1619836828.313125
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2996
success 0 0
1619836833.079498
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3612
success 0 0
1619836836.485125
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2948
success 0 0
1619836841.48525
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2576
success 0 0
1619836846.657625
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3536
success 0 0
1619836850.50175
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 3776
success 0 0
1619836854.048375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3180
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 96 events)
Time & API Arguments Status Return Repeated
1619826881.208436
CreateProcessInternalW
thread_identifier: 3040
thread_handle: 0x000000fc
process_identifier: 2340
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619826881.208436
NtUnmapViewOfSection
process_identifier: 2340
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619826881.208436
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 2340
commit_size: 970752
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 970752
base_address: 0x00400000
success 0 0
1619826881.395436
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619826881.395436
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2340
success 0 0
1619826881.755436
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2340
success 0 0
1619826881.817436
CreateProcessInternalW
thread_identifier: 2344
thread_handle: 0x00000104
process_identifier: 2984
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe" 2 2340 8487578
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619836801.829375
CreateProcessInternalW
thread_identifier: 3152
thread_handle: 0x00000190
process_identifier: 3148
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000194
inherit_handles: 0
success 1 0
1619836802.563375
CreateProcessInternalW
thread_identifier: 3224
thread_handle: 0x000000fc
process_identifier: 3220
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619836802.563375
NtUnmapViewOfSection
process_identifier: 3220
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619836802.563375
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 3220
commit_size: 970752
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 970752
base_address: 0x00400000
success 0 0
1619836802.673375
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619836802.673375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3220
success 0 0
1619836803.219375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3220
success 0 0
1619836803.938375
CreateProcessInternalW
thread_identifier: 3324
thread_handle: 0x00000104
process_identifier: 3320
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe" 2 3220 8494671
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619836806.79825
CreateProcessInternalW
thread_identifier: 3448
thread_handle: 0x00000124
process_identifier: 3444
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619836808.11
CreateProcessInternalW
thread_identifier: 3528
thread_handle: 0x000000fc
process_identifier: 3524
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619836808.11
NtUnmapViewOfSection
process_identifier: 3524
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619836808.126
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 3524
commit_size: 970752
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 970752
base_address: 0x00400000
success 0 0
1619836808.282
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619836808.298
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3524
success 0 0
1619836808.751
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3524
success 0 0
1619836808.86
CreateProcessInternalW
thread_identifier: 3596
thread_handle: 0x00000104
process_identifier: 3592
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe" 2 3524 8500203
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619836811.610875
CreateProcessInternalW
thread_identifier: 3716
thread_handle: 0x00000138
process_identifier: 3712
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000013c
inherit_handles: 0
success 1 0
1619836812.313625
CreateProcessInternalW
thread_identifier: 3788
thread_handle: 0x000000fc
process_identifier: 3784
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619836812.313625
NtUnmapViewOfSection
process_identifier: 3784
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619836812.313625
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 3784
commit_size: 970752
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 970752
base_address: 0x00400000
success 0 0
1619836812.360625
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619836812.360625
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3784
success 0 0
1619836812.751625
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3784
success 0 0
1619836813.376625
CreateProcessInternalW
thread_identifier: 3848
thread_handle: 0x00000104
process_identifier: 3844
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe" 2 3784 8504203
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619836816.5165
CreateProcessInternalW
thread_identifier: 3972
thread_handle: 0x00000128
process_identifier: 3968
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000012c
inherit_handles: 0
success 1 0
1619836817.751875
CreateProcessInternalW
thread_identifier: 4044
thread_handle: 0x000000fc
process_identifier: 4040
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619836817.751875
NtUnmapViewOfSection
process_identifier: 4040
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619836817.766875
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 4040
commit_size: 970752
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 970752
base_address: 0x00400000
success 0 0
1619836817.829875
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619836817.829875
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4040
success 0 0
1619836818.391875
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 4040
success 0 0
1619836818.516875
CreateProcessInternalW
thread_identifier: 580
thread_handle: 0x00000104
process_identifier: 2236
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe" 2 4040 8509843
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619836826.048
CreateProcessInternalW
thread_identifier: 2424
thread_handle: 0x000001b8
process_identifier: 3040
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001bc
inherit_handles: 0
success 1 0
1619836827.079125
CreateProcessInternalW
thread_identifier: 152
thread_handle: 0x000000fc
process_identifier: 2996
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619836827.079125
NtUnmapViewOfSection
process_identifier: 2996
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619836827.094125
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 2996
commit_size: 970752
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 970752
base_address: 0x00400000
success 0 0
1619836828.016125
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619836828.016125
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5160560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2996
success 0 0
1619836828.313125
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2996
success 0 0
1619836828.485125
CreateProcessInternalW
thread_identifier: 3332
thread_handle: 0x00000104
process_identifier: 3300
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe" 2 2996 8519765
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619836831.813125
CreateProcessInternalW
thread_identifier: 1868
thread_handle: 0x0000012c
process_identifier: 3496
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619836832.719498
CreateProcessInternalW
thread_identifier: 3604
thread_handle: 0x000000fc
process_identifier: 3612
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a771f1eabae22414d2af688ecb579ad8.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619836832.719498
NtUnmapViewOfSection
process_identifier: 3612
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)
Bkav W32.AIDetectVM.malware1
MicroWorld-eScan Gen:Variant.Zusy.308908
FireEye Generic.mg.a771f1eabae22414
CAT-QuickHeal Trojan.GenericIH.S14938451
Qihoo-360 Win32/Trojan.469
McAfee Fareit-FVZ!A771F1EABAE2
Cylance Unsafe
Zillya Trojan.Injector.Win32.749210
CrowdStrike win/malicious_confidence_70% (W)
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056a4951 )
K7AntiVirus Trojan ( 0056a4951 )
Arcabit Trojan.Zusy.D4B6AC
Invincea heuristic
F-Prot W32/Injector.JFL
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Gen:Variant.Zusy.308908
NANO-Antivirus Trojan.Win32.Kryptik.hngrbe
AegisLab Trojan.Win32.Kryptik.4!c
Tencent Win32.Trojan.Kryptik.Lmub
Endgame malicious (high confidence)
Emsisoft Gen:Variant.Zusy.308908 (B)
Comodo Malware@#aiu8nz4mqebt
F-Secure Trojan.TR/Injector.usjuu
DrWeb Trojan.PWS.Stealer.28804
VIPRE Trojan.Win32.Generic!BT
TrendMicro TSPY_HPLOKI.SMBD
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Cyren W32/Injector.UROR-2273
Avira TR/Injector.usjuu
Antiy-AVL Trojan/Win32.Kryptik
Microsoft PWS:Win32/Fareit.AQ!MTB
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Gen:Variant.Zusy.308908
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2085
BitDefenderTheta Gen:NN.ZelphiF.34136.0GW@aaajOdni
ALYac Gen:Variant.Zusy.308908
MAX malware (ai score=100)
VBA32 TScope.Trojan.Delf
Malwarebytes Spyware.AgentTesla
Panda Trj/Genetic.gen
ESET-NOD32 a variant of Win32/Injector.EMOY
TrendMicro-HouseCall TSPY_HPLOKI.SMBD
Rising Trojan.Injector!1.C898 (CLOUD)
Visual Analysis
Binary Image
No binary image available: this sample did not produce a binary visualization image.
Runtime Screenshots
No runtime screenshots available: no screenshots were captured while this sample ran.

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x49b164 VirtualFree
0x49b168 VirtualAlloc
0x49b16c LocalFree
0x49b170 LocalAlloc
0x49b174 GetVersion
0x49b178 GetCurrentThreadId
0x49b184 VirtualQuery
0x49b188 WideCharToMultiByte
0x49b18c MultiByteToWideChar
0x49b190 lstrlenA
0x49b194 lstrcpynA
0x49b198 LoadLibraryExA
0x49b19c GetThreadLocale
0x49b1a0 GetStartupInfoA
0x49b1a4 GetProcAddress
0x49b1a8 GetModuleHandleA
0x49b1ac GetModuleFileNameA
0x49b1b0 GetLocaleInfoA
0x49b1b4 GetCommandLineA
0x49b1b8 FreeLibrary
0x49b1bc FindFirstFileA
0x49b1c0 FindClose
0x49b1c4 ExitProcess
0x49b1c8 WriteFile
0x49b1d0 RtlUnwind
0x49b1d4 RaiseException
0x49b1d8 GetStdHandle
Library user32.dll:
0x49b1e0 GetKeyboardType
0x49b1e4 LoadStringA
0x49b1e8 MessageBoxA
0x49b1ec CharNextA
Library advapi32.dll:
0x49b1f4 RegQueryValueExA
0x49b1f8 RegOpenKeyExA
0x49b1fc RegCloseKey
Library oleaut32.dll:
0x49b204 SysFreeString
0x49b208 SysReAllocStringLen
0x49b20c SysAllocStringLen
Library kernel32.dll:
0x49b214 TlsSetValue
0x49b218 TlsGetValue
0x49b21c LocalAlloc
0x49b220 GetModuleHandleA
Library advapi32.dll:
0x49b228 RegQueryValueExA
0x49b22c RegOpenKeyExA
0x49b230 RegCloseKey
Library kernel32.dll:
0x49b238 lstrcpyA
0x49b23c WriteFile
0x49b240 WaitForSingleObject
0x49b244 VirtualQuery
0x49b248 VirtualProtectEx
0x49b24c VirtualAlloc
0x49b250 Sleep
0x49b254 SizeofResource
0x49b258 SetThreadLocale
0x49b25c SetFilePointer
0x49b260 SetEvent
0x49b264 SetErrorMode
0x49b268 SetEndOfFile
0x49b26c ResetEvent
0x49b270 ReadFile
0x49b274 MultiByteToWideChar
0x49b278 MulDiv
0x49b27c LockResource
0x49b280 LoadResource
0x49b284 LoadLibraryA
0x49b290 GlobalUnlock
0x49b294 GlobalSize
0x49b298 GlobalReAlloc
0x49b29c GlobalHandle
0x49b2a0 GlobalLock
0x49b2a4 GlobalFree
0x49b2a8 GlobalFindAtomA
0x49b2ac GlobalDeleteAtom
0x49b2b0 GlobalAlloc
0x49b2b4 GlobalAddAtomA
0x49b2b8 GetVersionExA
0x49b2bc GetVersion
0x49b2c0 GetUserDefaultLCID
0x49b2c4 GetTickCount
0x49b2c8 GetThreadLocale
0x49b2cc GetSystemInfo
0x49b2d0 GetStringTypeExA
0x49b2d4 GetStdHandle
0x49b2d8 GetProcAddress
0x49b2dc GetModuleHandleA
0x49b2e0 GetModuleFileNameA
0x49b2e4 GetLocaleInfoA
0x49b2e8 GetLocalTime
0x49b2ec GetLastError
0x49b2f0 GetFullPathNameA
0x49b2f4 GetFileAttributesA
0x49b2f8 GetDiskFreeSpaceA
0x49b2fc GetDateFormatA
0x49b300 GetCurrentThreadId
0x49b304 GetCurrentProcessId
0x49b308 GetCurrentProcess
0x49b30c GetComputerNameA
0x49b310 GetCPInfo
0x49b314 GetACP
0x49b318 FreeResource
0x49b320 InterlockedExchange
0x49b328 FreeLibrary
0x49b32c FormatMessageA
0x49b330 FindResourceA
0x49b334 FindFirstFileA
0x49b338 FindClose
0x49b344 EnumCalendarInfoA
0x49b350 CreateThread
0x49b354 CreateFileA
0x49b358 CreateEventA
0x49b35c CompareStringA
0x49b360 CloseHandle
Library version.dll:
0x49b368 VerQueryValueA
0x49b370 GetFileVersionInfoA
Library gdi32.dll:
0x49b378 UnrealizeObject
0x49b37c StretchBlt
0x49b380 SetWindowOrgEx
0x49b384 SetWinMetaFileBits
0x49b388 SetViewportOrgEx
0x49b38c SetTextColor
0x49b390 SetStretchBltMode
0x49b394 SetROP2
0x49b398 SetPixel
0x49b39c SetMapMode
0x49b3a0 SetEnhMetaFileBits
0x49b3a4 SetDIBColorTable
0x49b3a8 SetColorSpace
0x49b3ac SetBrushOrgEx
0x49b3b0 SetBkMode
0x49b3b4 SetBkColor
0x49b3b8 SelectPalette
0x49b3bc SelectObject
0x49b3c0 SelectClipRgn
0x49b3c4 SaveDC
0x49b3c8 RestoreDC
0x49b3cc Rectangle
0x49b3d0 RectVisible
0x49b3d4 RealizePalette
0x49b3d8 Polyline
0x49b3dc Polygon
0x49b3e0 PlayEnhMetaFile
0x49b3e4 PatBlt
0x49b3e8 MoveToEx
0x49b3ec MaskBlt
0x49b3f0 LineTo
0x49b3f4 LPtoDP
0x49b3f8 IntersectClipRect
0x49b3fc GetWindowOrgEx
0x49b400 GetWinMetaFileBits
0x49b404 GetTextMetricsA
0x49b410 GetStockObject
0x49b414 GetPixel
0x49b418 GetPaletteEntries
0x49b41c GetObjectA
0x49b42c GetEnhMetaFileBits
0x49b430 GetDeviceCaps
0x49b434 GetDIBits
0x49b438 GetDIBColorTable
0x49b43c GetDCOrgEx
0x49b444 GetClipBox
0x49b448 GetBrushOrgEx
0x49b44c GetBitmapBits
0x49b450 ExtTextOutA
0x49b454 ExcludeClipRect
0x49b458 DeleteObject
0x49b45c DeleteEnhMetaFile
0x49b460 DeleteDC
0x49b464 CreateSolidBrush
0x49b468 CreatePenIndirect
0x49b46c CreatePalette
0x49b474 CreateFontIndirectA
0x49b478 CreateEnhMetaFileA
0x49b47c CreateDIBitmap
0x49b480 CreateDIBSection
0x49b484 CreateCompatibleDC
0x49b48c CreateBrushIndirect
0x49b490 CreateBitmap
0x49b494 CopyEnhMetaFileA
0x49b498 CloseEnhMetaFile
0x49b49c BitBlt
Library user32.dll:
0x49b4a4 CreateWindowExA
0x49b4a8 WindowFromPoint
0x49b4ac WinHelpA
0x49b4b0 WaitMessage
0x49b4b4 UpdateWindow
0x49b4b8 UnregisterClassA
0x49b4bc UnhookWindowsHookEx
0x49b4c0 TranslateMessage
0x49b4c8 TrackPopupMenu
0x49b4d0 ShowWindow
0x49b4d4 ShowScrollBar
0x49b4d8 ShowOwnedPopups
0x49b4dc ShowCursor
0x49b4e0 SetWindowsHookExA
0x49b4e4 SetWindowTextA
0x49b4e8 SetWindowPos
0x49b4ec SetWindowPlacement
0x49b4f0 SetWindowLongA
0x49b4f4 SetTimer
0x49b4f8 SetScrollRange
0x49b4fc SetScrollPos
0x49b500 SetScrollInfo
0x49b504 SetRect
0x49b508 SetPropA
0x49b50c SetParent
0x49b510 SetMenuItemInfoA
0x49b514 SetMenu
0x49b518 SetForegroundWindow
0x49b51c SetFocus
0x49b520 SetCursor
0x49b524 SetClassLongA
0x49b528 SetCapture
0x49b52c SetActiveWindow
0x49b530 SendMessageA
0x49b534 ScrollWindow
0x49b538 ScreenToClient
0x49b53c RemovePropA
0x49b540 RemoveMenu
0x49b544 ReleaseDC
0x49b548 ReleaseCapture
0x49b554 RegisterClassA
0x49b558 RedrawWindow
0x49b55c PtInRect
0x49b560 PostQuitMessage
0x49b564 PostMessageA
0x49b568 PeekMessageA
0x49b56c OffsetRect
0x49b570 OemToCharA
0x49b574 MessageBoxA
0x49b578 MapWindowPoints
0x49b57c MapVirtualKeyA
0x49b580 LoadStringA
0x49b584 LoadKeyboardLayoutA
0x49b588 LoadIconA
0x49b58c LoadCursorA
0x49b590 LoadBitmapA
0x49b594 KillTimer
0x49b598 IsZoomed
0x49b59c IsWindowVisible
0x49b5a0 IsWindowEnabled
0x49b5a4 IsWindow
0x49b5a8 IsRectEmpty
0x49b5ac IsIconic
0x49b5b0 IsDialogMessageA
0x49b5b4 IsChild
0x49b5b8 InvalidateRect
0x49b5bc IntersectRect
0x49b5c0 InsertMenuItemA
0x49b5c4 InsertMenuA
0x49b5c8 InflateRect
0x49b5d0 GetWindowTextA
0x49b5d4 GetWindowRect
0x49b5d8 GetWindowPlacement
0x49b5dc GetWindowLongA
0x49b5e0 GetWindowDC
0x49b5e4 GetTopWindow
0x49b5e8 GetSystemMetrics
0x49b5ec GetSystemMenu
0x49b5f0 GetSysColorBrush
0x49b5f4 GetSysColor
0x49b5f8 GetSubMenu
0x49b5fc GetScrollRange
0x49b600 GetScrollPos
0x49b604 GetScrollInfo
0x49b608 GetPropA
0x49b60c GetParent
0x49b610 GetWindow
0x49b614 GetMessageTime
0x49b618 GetMenuStringA
0x49b61c GetMenuState
0x49b620 GetMenuItemInfoA
0x49b624 GetMenuItemID
0x49b628 GetMenuItemCount
0x49b62c GetMenu
0x49b630 GetLastActivePopup
0x49b634 GetKeyboardState
0x49b63c GetKeyboardLayout
0x49b640 GetKeyState
0x49b644 GetKeyNameTextA
0x49b648 GetIconInfo
0x49b64c GetForegroundWindow
0x49b650 GetFocus
0x49b654 GetDlgItem
0x49b658 GetDesktopWindow
0x49b65c GetDCEx
0x49b660 GetDC
0x49b664 GetCursorPos
0x49b668 GetCursor
0x49b66c GetClipboardData
0x49b670 GetClientRect
0x49b674 GetClassNameA
0x49b678 GetClassInfoA
0x49b67c GetCapture
0x49b680 GetActiveWindow
0x49b684 FrameRect
0x49b688 FindWindowA
0x49b68c FillRect
0x49b690 EqualRect
0x49b694 EnumWindows
0x49b698 EnumThreadWindows
0x49b69c EndPaint
0x49b6a0 EnableWindow
0x49b6a4 EnableScrollBar
0x49b6a8 EnableMenuItem
0x49b6ac DrawTextA
0x49b6b0 DrawMenuBar
0x49b6b4 DrawIconEx
0x49b6b8 DrawIcon
0x49b6bc DrawFrameControl
0x49b6c0 DrawFocusRect
0x49b6c4 DrawEdge
0x49b6c8 DispatchMessageA
0x49b6cc DestroyWindow
0x49b6d0 DestroyMenu
0x49b6d4 DestroyIcon
0x49b6d8 DestroyCursor
0x49b6dc DeleteMenu
0x49b6e0 DefWindowProcA
0x49b6e4 DefMDIChildProcA
0x49b6e8 DefFrameProcA
0x49b6ec CreatePopupMenu
0x49b6f0 CreateMenu
0x49b6f4 CreateIcon
0x49b6f8 ClientToScreen
0x49b6fc CheckMenuItem
0x49b700 CallWindowProcA
0x49b704 CallNextHookEx
0x49b708 BeginPaint
0x49b70c CharNextA
0x49b710 CharLowerBuffA
0x49b714 CharLowerA
0x49b718 CharUpperBuffA
0x49b71c CharToOemA
0x49b720 AdjustWindowRectEx
Library kernel32.dll:
0x49b72c Sleep
Library oleaut32.dll:
0x49b734 SafeArrayPtrOfIndex
0x49b738 SafeArrayPutElement
0x49b73c SafeArrayGetElement
0x49b744 SafeArrayAccessData
0x49b748 SafeArrayGetUBound
0x49b74c SafeArrayGetLBound
0x49b750 SafeArrayCreate
0x49b754 VariantChangeType
0x49b758 VariantCopyInd
0x49b75c VariantCopy
0x49b760 VariantClear
0x49b764 VariantInit
Library ole32.dll:
0x49b770 IsAccelerator
0x49b774 OleDraw
0x49b77c CoTaskMemFree
0x49b780 ProgIDFromCLSID
0x49b784 StringFromCLSID
0x49b788 CoCreateInstance
0x49b78c CoGetClassObject
0x49b790 CoUninitialize
0x49b794 CoInitialize
0x49b798 IsEqualGUID
Library oleaut32.dll:
0x49b7a0 CreateErrorInfo
0x49b7a4 GetErrorInfo
0x49b7a8 SetErrorInfo
0x49b7ac GetActiveObject
0x49b7b0 SysFreeString
Library comctl32.dll:
0x49b7c0 ImageList_Write
0x49b7c4 ImageList_Read
0x49b7d4 ImageList_DragMove
0x49b7d8 ImageList_DragLeave
0x49b7dc ImageList_DragEnter
0x49b7e0 ImageList_EndDrag
0x49b7e4 ImageList_BeginDrag
0x49b7e8 ImageList_Remove
0x49b7ec ImageList_DrawEx
0x49b7f0 ImageList_Replace
0x49b7f4 ImageList_Draw
0x49b804 ImageList_Add
0x49b80c ImageList_Destroy
0x49b810 ImageList_Create
0x49b814 InitCommonControls
Library comdlg32.dll:
0x49b81c GetSaveFileNameA
0x49b820 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source Port  Destination                      Destination Port
192.168.56.101  49235        114.114.114.114                  53
192.168.56.101  50534        114.114.114.114                  53
192.168.56.101  56539        114.114.114.114                  53
192.168.56.101  58367        114.114.114.114                  53
192.168.56.101  65004        114.114.114.114                  53
192.168.56.101  137          192.168.56.255                   137
192.168.56.101  138          192.168.56.255                   138
192.168.56.101  123          20.189.79.72 (time.windows.com)  123
192.168.56.101  53657        224.0.0.252                      5355
192.168.56.101  55368        224.0.0.252                      5355
192.168.56.101  56804        224.0.0.252                      5355
192.168.56.101  57874        224.0.0.252                      5355
192.168.56.101  60123        224.0.0.252                      5355
192.168.56.101  62191        224.0.0.252                      5355
192.168.56.101  1900         239.255.255.250                  1900
192.168.56.101  56540        239.255.255.250                  3702
192.168.56.101  56807        239.255.255.250                  1900
192.168.56.101  57875        239.255.255.250                  3702
192.168.56.101  58368        239.255.255.250                  3702
192.168.56.101  58707        239.255.255.250                  3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.