Score: 7.0
Risk level: High
SHA256: d09b3d3ddff303f38d76bc615b777169e2d3b672647a6e54bf99490db0efc083
File name: a792b73da8ce29e0dd05d168eba833e2.exe
Analysis time: 94s
Last analysis:
File size: 713.5KB
Static detection: flagged as malicious. Dynamic detection: flagged as malicious. AI SCORE=88
Tags: ALI2000015 AUTOG AUTOIT CLOUD DELF DELFINJECT DELPHILESS DOWNLOADER34 EMTN FAREIT FORMBOOK HIGH CONFIDENCE HPCPCS KRYPTIK KRYPTIKIH LCUO LNNU NANOCORE NONAME@0 OTHZJ QUASAR R011C0WGT20 S15398969 SCORE SGW@AKNAOMHI SUSGEN SUSPICIOUS PE TSCOPE UNSAFE X2091 ZELPHIF ZUSY
Eagle Eye engine
Not detected: no Eagle Eye engine detection results available
Static verdict
Antivirus engines
Engine        Result                                Detection date   Engine version
McAfee        Fareit-FPQ!A792B73DA8CE               20200826         6.0.6.653
Alibaba       Trojan:Win32/DelfInject.ali2000015    20190527         0.3.0.5
Tencent       Win32.Trojan.Kryptik.Lnnu             20200827         1.0.0.1
Baidu         -                                     20190318         1.0.0.2
Kingsoft      -                                     20200827         2013.8.14.323
CrowdStrike   -                                     20190702         1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (11 events)
Time & API Arguments Status Return Repeated
1619831618.229999
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75177f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75174de3
a792b73da8ce29e0dd05d168eba833e2+0x54a4d @ 0x454a4d
a792b73da8ce29e0dd05d168eba833e2+0x4d254 @ 0x44d254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdc414ad
success 0 0
Behavioural verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 363 events)
Time & API Arguments Status Return Repeated
1619826879.903176 NtAllocateVirtualMemory process_identifier=368 region_size=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=4096 (MEM_COMMIT) base_address=0x01dd0000 | success 0 0
1619826880.184176 NtAllocateVirtualMemory process_identifier=368 region_size=81920 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=12288 (MEM_COMMIT|MEM_RESERVE) base_address=0x01e00000 | success 0 0
1619826880.184176 NtAllocateVirtualMemory process_identifier=368 region_size=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=12288 (MEM_COMMIT|MEM_RESERVE) base_address=0x01e30000 | success 0 0
1619831617.104999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x00400000 | success 0 0
1619831617.167999 NtAllocateVirtualMemory process_identifier=2560 region_size=327680 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=8192 (MEM_RESERVE) base_address=0x00630000 | success 0 0
1619831617.167999 NtAllocateVirtualMemory process_identifier=2560 region_size=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=4096 (MEM_COMMIT) base_address=0x00640000 | success 0 0
1619831617.167999 NtAllocateVirtualMemory process_identifier=2560 region_size=311296 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=12288 (MEM_COMMIT|MEM_RESERVE) base_address=0x00680000 | success 0 0
1619831617.167999 NtProtectVirtualMemory process_identifier=2560 length=286720 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x00682000 | success 0 0
1619831617.526999 NtAllocateVirtualMemory process_identifier=2560 region_size=1835008 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=8192 (MEM_RESERVE) base_address=0x02180000 | success 0 0
1619831617.526999 NtAllocateVirtualMemory process_identifier=2560 region_size=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=4096 (MEM_COMMIT) base_address=0x02300000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x006e2000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76351000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x006e2000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76353000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x006e2000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76354000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x006e2000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76351000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x006e2000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x77d4f000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x006e2000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76353000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x006e2000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76351000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x006e2000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76351000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x006e2000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76354000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x006e2000 | success 0 0
1619831618.136999 NtProtectVirtualMemory process_identifier=2560 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76351000 | success 0 0
1619831617.198501 NtAllocateVirtualMemory process_identifier=284 region_size=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=4096 (MEM_COMMIT) base_address=0x00590000 | success 0 0
1619831617.214501 NtAllocateVirtualMemory process_identifier=284 region_size=81920 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=12288 (MEM_COMMIT|MEM_RESERVE) base_address=0x005c0000 | success 0 0
1619831617.229501 NtAllocateVirtualMemory process_identifier=284 region_size=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=12288 (MEM_COMMIT|MEM_RESERVE) base_address=0x005f0000 | success 0 0
1619831623.464626 NtAllocateVirtualMemory process_identifier=2308 region_size=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=4096 (MEM_COMMIT) base_address=0x01dc0000 | success 0 0
1619831623.495626 NtAllocateVirtualMemory process_identifier=2308 region_size=81920 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=12288 (MEM_COMMIT|MEM_RESERVE) base_address=0x01f20000 | success 0 0
1619831623.495626 NtAllocateVirtualMemory process_identifier=2308 region_size=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=12288 (MEM_COMMIT|MEM_RESERVE) base_address=0x01f50000 | success 0 0
1619831624.886999 NtProtectVirtualMemory process_identifier=1376 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x00400000 | success 0 0
1619831624.901999 NtAllocateVirtualMemory process_identifier=1376 region_size=1376256 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=8192 (MEM_RESERVE) base_address=0x01d60000 | success 0 0
1619831624.901999 NtAllocateVirtualMemory process_identifier=1376 region_size=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=4096 (MEM_COMMIT) base_address=0x01e70000 | success 0 0
1619831624.901999 NtAllocateVirtualMemory process_identifier=1376 region_size=311296 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=12288 (MEM_COMMIT|MEM_RESERVE) base_address=0x01d60000 | success 0 0
1619831624.917999 NtProtectVirtualMemory process_identifier=1376 length=286720 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x01d62000 | success 0 0
1619831624.964999 NtAllocateVirtualMemory process_identifier=1376 region_size=327680 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=8192 (MEM_RESERVE) base_address=0x01dc0000 | success 0 0
1619831624.964999 NtAllocateVirtualMemory process_identifier=1376 region_size=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff allocation_type=4096 (MEM_COMMIT) base_address=0x01dd0000 | success 0 0
1619831625.089999 NtProtectVirtualMemory process_identifier=1376 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x00572000 | success 0 0
1619831625.089999 NtProtectVirtualMemory process_identifier=1376 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76351000 | success 0 0
1619831625.089999 NtProtectVirtualMemory process_identifier=1376 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x00572000 | success 0 0
1619831625.089999 NtProtectVirtualMemory process_identifier=1376 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76353000 | success 0 0
1619831625.089999 NtProtectVirtualMemory process_identifier=1376 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x00572000 | success 0 0
1619831625.089999 NtProtectVirtualMemory process_identifier=1376 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x76354000 | success 0 0
1619831625.089999 NtProtectVirtualMemory process_identifier=1376 length=4096 stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1 protection=64 (PAGE_EXECUTE_READWRITE) process_handle=0xffffffff base_address=0x00572000 | success 0 0
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (45 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.5706394041265686 section .rsrc (size_of_data 0x0003b400, virtual_address 0x0007d000, virtual_size 0x0003b38c, entropy 7.5706394041265686): A section with a high entropy has been found
entropy 0.33263157894736844: Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process a792b73da8ce29e0dd05d168eba833e2.exe
Repeatedly searches for a not-found process; you may want to run a web browser during analysis (22 events)
Time & API Arguments Status Return Repeated
1619826880.184176 Process32NextW process_name=a792b73da8ce29e0dd05d168eba833e2.exe snapshot_handle=0x000000f4 process_identifier=368 | failed 0 0
1619831622.964501 Process32NextW process_name=a792b73da8ce29e0dd05d168eba833e2.exe snapshot_handle=0x000001ac process_identifier=284 | failed 0 0
1619831623.526626 Process32NextW process_name=inject-x86.exe snapshot_handle=0x000000f4 process_identifier=2740 | failed 0 0
1619831628.198501 Process32NextW process_name=a792b73da8ce29e0dd05d168eba833e2.exe snapshot_handle=0x00000130 process_identifier=1932 | failed 0 0
1619831629.167874 Process32NextW process_name=inject-x86.exe snapshot_handle=0x000000f4 process_identifier=1272 | failed 0 0
1619831633.917626 Process32NextW process_name=a792b73da8ce29e0dd05d168eba833e2.exe snapshot_handle=0x0000013c process_identifier=3000 | failed 0 0
1619831634.776626 Process32NextW process_name=inject-x86.exe snapshot_handle=0x000000f4 process_identifier=1804 | failed 0 0
1619831639.698751 Process32NextW process_name=a792b73da8ce29e0dd05d168eba833e2.exe snapshot_handle=0x00000148 process_identifier=2940 | failed 0 0
1619831640.715249 Process32NextW process_name=inject-x86.exe snapshot_handle=0x000000f4 process_identifier=3152 | failed 0 0
1619831645.917751 Process32NextW process_name=a792b73da8ce29e0dd05d168eba833e2.exe snapshot_handle=0x00000138 process_identifier=3236 | failed 0 0
1619831646.996249 Process32NextW process_name=inject-x86.exe snapshot_handle=0x000000f4 process_identifier=3404 | failed 0 0
1619831651.995626 Process32NextW process_name=dllhost.exe snapshot_handle=0x0000013c process_identifier=3740 | failed 0 0
1619831652.620751 Process32NextW process_name=inject-x86.exe snapshot_handle=0x000000f4 process_identifier=3836 | failed 0 0
1619831657.808626 Process32NextW process_name=a792b73da8ce29e0dd05d168eba833e2.exe snapshot_handle=0x00000118 process_identifier=3908 | failed 0 0
1619831659.104751 Process32NextW process_name=inject-x86.exe snapshot_handle=0x000000f4 process_identifier=4080 | failed 0 0
1619831663.698374 Process32NextW process_name=a792b73da8ce29e0dd05d168eba833e2.exe snapshot_handle=0x0000013c process_identifier=3036 | failed 0 0
1619831664.401874 Process32NextW process_name=inject-x86.exe snapshot_handle=0x000000f4 process_identifier=3316
failed 0 0
1619831668.698751
Process32NextW
process_name: a792b73da8ce29e0dd05d168eba833e2.exe
snapshot_handle: 0x00000120
process_identifier: 3396
failed 0 0
1619831669.354374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3784
failed 0 0
1619831673.121124
Process32NextW
process_name: a792b73da8ce29e0dd05d168eba833e2.exe
snapshot_handle: 0x00000120
process_identifier: 3896
failed 0 0
1619831674.011626
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2548
failed 0 0
1619831679.105249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000140
process_identifier: 3536
failed 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (22 events)
Process injection Process 368 called NtSetContextThread to modify thread in remote process 2560
Process injection Process 2308 called NtSetContextThread to modify thread in remote process 1376
Process injection Process 192 called NtSetContextThread to modify thread in remote process 1868
Process injection Process 2144 called NtSetContextThread to modify thread in remote process 2960
Process injection Process 3096 called NtSetContextThread to modify thread in remote process 3172
Process injection Process 3348 called NtSetContextThread to modify thread in remote process 3420
Process injection Process 3772 called NtSetContextThread to modify thread in remote process 3848
Process injection Process 4020 called NtSetContextThread to modify thread in remote process 4088
Process injection Process 3260 called NtSetContextThread to modify thread in remote process 2168
Process injection Process 3624 called NtSetContextThread to modify thread in remote process 3796
Process injection Process 4004 called NtSetContextThread to modify thread in remote process 3008
Time & API Arguments Status Return Repeated
1619826880.715176
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2560
success 0 0
1619831623.917626
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1376
success 0 0
1619831629.667874
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1868
success 0 0
1619831635.151626
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2960
success 0 0
1619831641.199249
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3172
success 0 0
1619831647.449249
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3420
success 0 0
1619831652.948751
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3848
success 0 0
1619831659.370751
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4088
success 0 0
1619831664.558874
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2168
success 0 0
1619831669.526374
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3796
success 0 0
1619831674.620626
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3008
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (22 events)
Process injection Process 368 resumed a thread in remote process 2560
Process injection Process 2308 resumed a thread in remote process 1376
Process injection Process 192 resumed a thread in remote process 1868
Process injection Process 2144 resumed a thread in remote process 2960
Process injection Process 3096 resumed a thread in remote process 3172
Process injection Process 3348 resumed a thread in remote process 3420
Process injection Process 3772 resumed a thread in remote process 3848
Process injection Process 4020 resumed a thread in remote process 4088
Process injection Process 3260 resumed a thread in remote process 2168
Process injection Process 3624 resumed a thread in remote process 3796
Process injection Process 4004 resumed a thread in remote process 3008
Time & API Arguments Status Return Repeated
1619826881.074176
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 2560
success 0 0
1619831624.542626
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 1376
success 0 0
1619831630.292874
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 1868
success 0 0
1619831635.948626
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 2960
success 0 0
1619831641.887249
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3172
success 0 0
1619831648.293249
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3420
success 0 0
1619831653.511751
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3848
success 0 0
1619831659.683751
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 4088
success 0 0
1619831664.792874
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 2168
success 0 0
1619831669.948374
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3796
success 0 0
1619831675.120626
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3008
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 88 events)
Time & API Arguments Status Return Repeated
1619826880.621176
CreateProcessInternalW
thread_identifier: 192
thread_handle: 0x000000f8
process_identifier: 2560
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619826880.621176
NtUnmapViewOfSection
process_identifier: 2560
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619826880.621176
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 2560
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619826880.715176
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1619826880.715176
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2560
success 0 0
1619826881.074176
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 2560
success 0 0
1619826881.137176
CreateProcessInternalW
thread_identifier: 3004
thread_handle: 0x00000100
process_identifier: 284
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe" 2 2560 15688171
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619831623.120501
CreateProcessInternalW
thread_identifier: 2852
thread_handle: 0x000001b0
process_identifier: 2308
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001b4
inherit_handles: 0
success 1 0
1619831623.854626
CreateProcessInternalW
thread_identifier: 732
thread_handle: 0x000000f8
process_identifier: 1376
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619831623.854626
NtUnmapViewOfSection
process_identifier: 1376
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619831623.870626
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 1376
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619831623.917626
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1619831623.917626
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1376
success 0 0
1619831624.542626
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 1376
success 0 0
1619831625.183626
CreateProcessInternalW
thread_identifier: 1908
thread_handle: 0x00000100
process_identifier: 1932
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe" 2 1376 15695859
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619831628.417501
CreateProcessInternalW
thread_identifier: 3004
thread_handle: 0x00000134
process_identifier: 192
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000138
inherit_handles: 0
success 1 0
1619831629.558874
CreateProcessInternalW
thread_identifier: 920
thread_handle: 0x000000f8
process_identifier: 1868
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619831629.558874
NtUnmapViewOfSection
process_identifier: 1868
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619831629.573874
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 1868
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619831629.667874
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1619831629.667874
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1868
success 0 0
1619831630.292874
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 1868
success 0 0
1619831630.401874
CreateProcessInternalW
thread_identifier: 1688
thread_handle: 0x00000100
process_identifier: 3000
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe" 2 1868 15701609
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619831634.104626
CreateProcessInternalW
thread_identifier: 3060
thread_handle: 0x00000140
process_identifier: 2144
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000144
inherit_handles: 0
success 1 0
1619831634.995626
CreateProcessInternalW
thread_identifier: 2604
thread_handle: 0x000000f8
process_identifier: 2960
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619831634.995626
NtUnmapViewOfSection
process_identifier: 2960
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619831635.011626
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 2960
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619831635.151626
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1619831635.151626
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2960
success 0 0
1619831635.948626
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 2960
success 0 0
1619831636.151626
CreateProcessInternalW
thread_identifier: 1908
thread_handle: 0x00000100
process_identifier: 2940
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe" 2 2960 15707265
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619831639.901751
CreateProcessInternalW
thread_identifier: 3100
thread_handle: 0x0000014c
process_identifier: 3096
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000150
inherit_handles: 0
success 1 0
1619831641.105249
CreateProcessInternalW
thread_identifier: 3176
thread_handle: 0x000000f8
process_identifier: 3172
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619831641.105249
NtUnmapViewOfSection
process_identifier: 3172
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619831641.121249
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 3172
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619831641.199249
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1619831641.199249
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3172
success 0 0
1619831641.887249
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3172
success 0 0
1619831642.684249
CreateProcessInternalW
thread_identifier: 3240
thread_handle: 0x00000100
process_identifier: 3236
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe" 2 3172 15713203
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619831646.308751
CreateProcessInternalW
thread_identifier: 3352
thread_handle: 0x0000013c
process_identifier: 3348
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000140
inherit_handles: 0
success 1 0
1619831647.309249
CreateProcessInternalW
thread_identifier: 3424
thread_handle: 0x000000f8
process_identifier: 3420
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619831647.309249
NtUnmapViewOfSection
process_identifier: 3420
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619831647.324249
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 3420
commit_size: 671744
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 671744
base_address: 0x00400000
success 0 0
1619831647.449249
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1619831647.449249
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4859520
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3420
success 0 0
1619831648.293249
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 3420
success 0 0
1619831648.559249
CreateProcessInternalW
thread_identifier: 3580
thread_handle: 0x00000100
process_identifier: 3576
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe" 2 3420 15719609
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619831652.073626
CreateProcessInternalW
thread_identifier: 3776
thread_handle: 0x00000140
process_identifier: 3772
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000144
inherit_handles: 0
success 1 0
1619831652.870751
CreateProcessInternalW
thread_identifier: 3852
thread_handle: 0x000000f8
process_identifier: 3848
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a792b73da8ce29e0dd05d168eba833e2.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619831652.870751
NtUnmapViewOfSection
process_identifier: 3848
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader34.9756
MicroWorld-eScan Gen:Variant.Zusy.310100
FireEye Generic.mg.a792b73da8ce29e0
CAT-QuickHeal Trojan.KryptikIH.S15398969
McAfee Fareit-FPQ!A792B73DA8CE
Cylance Unsafe
Zillya Trojan.Injector.Win32.754948
Sangfor Malware
K7AntiVirus Trojan ( 0056b5241 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056b5241 )
Cybereason malicious.7f5bb8
Arcabit Trojan.Zusy.D4BB54
TrendMicro TROJ_GEN.R011C0WGT20
BitDefenderTheta Gen:NN.ZelphiF.34196.SGW@aKNaOMhi
Cyren W32/Trojan.LCUO-5348
Symantec Trojan.Gen.MBT
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Nanocore-9142740-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Gen:Variant.Zusy.310100
NANO-Antivirus Trojan.Win32.Kryptik.hpcpcs
ViRobot Trojan.Win32.Z.Zusy.730624.F
Tencent Win32.Trojan.Kryptik.Lnnu
Ad-Aware Gen:Variant.Zusy.310100
Comodo fls.noname@0
F-Secure Trojan.TR/Injector.othzj
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
Sophos Troj/AutoG-IO
SentinelOne DFI - Suspicious PE
Jiangmin Trojan.Kryptik.byk
Avira TR/Injector.othzj
Antiy-AVL Trojan/Win32.Kryptik
Microsoft Trojan:Win32/FormBook!rfn
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Gen:Variant.Zusy.310100
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2091
Acronis suspicious
VBA32 TScope.Trojan.Delf
MAX malware (ai score=88)
Malwarebytes Backdoor.Quasar
Zoner Trojan.Win32.91603
ESET-NOD32 a variant of Win32/Injector.EMTN
TrendMicro-HouseCall TROJ_GEN.R011C0WGT20
Rising Trojan.Injector!1.C961 (CLOUD)
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample was running

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x47113c VirtualFree
0x471140 VirtualAlloc
0x471144 LocalFree
0x471148 LocalAlloc
0x47114c GetVersion
0x471150 GetCurrentThreadId
0x47115c VirtualQuery
0x471160 WideCharToMultiByte
0x471164 MultiByteToWideChar
0x471168 lstrlenA
0x47116c lstrcpynA
0x471170 LoadLibraryExA
0x471174 GetThreadLocale
0x471178 GetStartupInfoA
0x47117c GetProcAddress
0x471180 GetModuleHandleA
0x471184 GetModuleFileNameA
0x471188 GetLocaleInfoA
0x47118c GetCommandLineA
0x471190 FreeLibrary
0x471194 FindFirstFileA
0x471198 FindClose
0x47119c ExitProcess
0x4711a0 WriteFile
0x4711a8 RtlUnwind
0x4711ac RaiseException
0x4711b0 GetStdHandle
Library user32.dll:
0x4711b8 GetKeyboardType
0x4711bc LoadStringA
0x4711c0 MessageBoxA
0x4711c4 CharNextA
Library advapi32.dll:
0x4711cc RegQueryValueExA
0x4711d0 RegOpenKeyExA
0x4711d4 RegCloseKey
Library oleaut32.dll:
0x4711dc SysFreeString
0x4711e0 SysReAllocStringLen
0x4711e4 SysAllocStringLen
Library kernel32.dll:
0x4711ec TlsSetValue
0x4711f0 TlsGetValue
0x4711f4 LocalAlloc
0x4711f8 GetModuleHandleA
Library advapi32.dll:
0x471200 RegQueryValueExA
0x471204 RegOpenKeyExA
0x471208 RegCloseKey
Library kernel32.dll:
0x471210 lstrcpyA
0x471214 WriteFile
0x471218 WaitForSingleObject
0x47121c VirtualQuery
0x471220 VirtualAlloc
0x471224 Sleep
0x471228 SizeofResource
0x47122c SetThreadLocale
0x471230 SetFilePointer
0x471234 SetEvent
0x471238 SetErrorMode
0x47123c SetEndOfFile
0x471240 ResetEvent
0x471244 ReadFile
0x471248 MulDiv
0x47124c LockResource
0x471250 LoadResource
0x471254 LoadLibraryA
0x471260 GlobalUnlock
0x471264 GlobalReAlloc
0x471268 GlobalHandle
0x47126c GlobalLock
0x471270 GlobalFree
0x471274 GlobalFindAtomA
0x471278 GlobalDeleteAtom
0x47127c GlobalAlloc
0x471280 GlobalAddAtomA
0x471284 GetVersionExA
0x471288 GetVersion
0x47128c GetTickCount
0x471290 GetThreadLocale
0x471294 GetSystemInfo
0x471298 GetStringTypeExA
0x47129c GetStdHandle
0x4712a0 GetProcAddress
0x4712a4 GetModuleHandleA
0x4712a8 GetModuleFileNameA
0x4712ac GetLocaleInfoA
0x4712b0 GetLocalTime
0x4712b4 GetLastError
0x4712b8 GetFullPathNameA
0x4712bc GetDiskFreeSpaceA
0x4712c0 GetDateFormatA
0x4712c4 GetCurrentThreadId
0x4712c8 GetCurrentProcessId
0x4712cc GetCPInfo
0x4712d0 GetACP
0x4712d4 FreeResource
0x4712d8 InterlockedExchange
0x4712dc FreeLibrary
0x4712e0 FormatMessageA
0x4712e4 FindResourceA
0x4712e8 EnumCalendarInfoA
0x4712f4 CreateThread
0x4712f8 CreateFileA
0x4712fc CreateEventA
0x471300 CompareStringA
0x471304 CloseHandle
Library version.dll:
0x47130c VerQueryValueA
0x471314 GetFileVersionInfoA
Library gdi32.dll:
0x47131c UnrealizeObject
0x471320 StretchBlt
0x471324 SetWindowOrgEx
0x471328 SetViewportOrgEx
0x47132c SetTextColor
0x471330 SetStretchBltMode
0x471334 SetROP2
0x471338 SetPixel
0x47133c SetDIBColorTable
0x471340 SetBrushOrgEx
0x471344 SetBkMode
0x471348 SetBkColor
0x47134c SelectPalette
0x471350 SelectObject
0x471354 SelectClipRgn
0x471358 SaveDC
0x47135c RestoreDC
0x471360 Rectangle
0x471364 RectVisible
0x471368 RealizePalette
0x47136c PatBlt
0x471370 MoveToEx
0x471374 MaskBlt
0x471378 LineTo
0x47137c IntersectClipRect
0x471380 GetWindowOrgEx
0x471384 GetTextMetricsA
0x471390 GetStockObject
0x471394 GetPixel
0x471398 GetPaletteEntries
0x47139c GetObjectA
0x4713a0 GetDeviceCaps
0x4713a4 GetDIBits
0x4713a8 GetDIBColorTable
0x4713ac GetDCOrgEx
0x4713b4 GetClipRgn
0x4713b8 GetClipBox
0x4713bc GetBrushOrgEx
0x4713c0 GetBitmapBits
0x4713c4 ExcludeClipRect
0x4713c8 DeleteObject
0x4713cc DeleteDC
0x4713d0 CreateSolidBrush
0x4713d4 CreateRectRgn
0x4713d8 CreatePenIndirect
0x4713dc CreatePen
0x4713e0 CreatePalette
0x4713e8 CreateFontIndirectA
0x4713ec CreateDIBitmap
0x4713f0 CreateDIBSection
0x4713f4 CreateCompatibleDC
0x4713fc CreateBrushIndirect
0x471400 CreateBitmap
0x471404 BitBlt
Library user32.dll:
0x47140c CreateWindowExA
0x471410 WindowFromPoint
0x471414 WinHelpA
0x471418 WaitMessage
0x47141c ValidateRect
0x471420 UpdateWindow
0x471424 UnregisterClassA
0x471428 UnhookWindowsHookEx
0x47142c TranslateMessage
0x471434 TrackPopupMenu
0x47143c ShowWindow
0x471440 ShowScrollBar
0x471444 ShowOwnedPopups
0x471448 ShowCursor
0x47144c SetWindowsHookExA
0x471450 SetWindowPos
0x471454 SetWindowPlacement
0x471458 SetWindowLongA
0x47145c SetTimer
0x471460 SetScrollRange
0x471464 SetScrollPos
0x471468 SetScrollInfo
0x47146c SetRect
0x471470 SetPropA
0x471474 SetParent
0x471478 SetMenuItemInfoA
0x47147c SetMenu
0x471480 SetForegroundWindow
0x471484 SetFocus
0x471488 SetCursor
0x47148c SetClassLongA
0x471490 SetCapture
0x471494 SetActiveWindow
0x471498 SendMessageA
0x47149c ScrollWindow
0x4714a0 ScreenToClient
0x4714a4 RemovePropA
0x4714a8 RemoveMenu
0x4714ac ReleaseDC
0x4714b0 ReleaseCapture
0x4714bc RegisterClassA
0x4714c0 RedrawWindow
0x4714c4 PtInRect
0x4714c8 PostQuitMessage
0x4714cc PostMessageA
0x4714d0 PeekMessageA
0x4714d4 OffsetRect
0x4714d8 OemToCharA
0x4714dc MessageBoxA
0x4714e0 MapWindowPoints
0x4714e4 MapVirtualKeyA
0x4714e8 LoadStringA
0x4714ec LoadKeyboardLayoutA
0x4714f0 LoadIconA
0x4714f4 LoadCursorA
0x4714f8 LoadBitmapA
0x4714fc KillTimer
0x471500 IsZoomed
0x471504 IsWindowVisible
0x471508 IsWindowEnabled
0x47150c IsWindow
0x471510 IsRectEmpty
0x471514 IsIconic
0x471518 IsDialogMessageA
0x47151c IsChild
0x471520 InvalidateRect
0x471524 IntersectRect
0x471528 InsertMenuItemA
0x47152c InsertMenuA
0x471530 InflateRect
0x471538 GetWindowTextA
0x47153c GetWindowRect
0x471540 GetWindowPlacement
0x471544 GetWindowLongA
0x471548 GetWindowDC
0x47154c GetTopWindow
0x471550 GetSystemMetrics
0x471554 GetSystemMenu
0x471558 GetSysColorBrush
0x47155c GetSysColor
0x471560 GetSubMenu
0x471564 GetScrollRange
0x471568 GetScrollPos
0x47156c GetScrollInfo
0x471570 GetPropA
0x471574 GetParent
0x471578 GetWindow
0x47157c GetMenuStringA
0x471580 GetMenuState
0x471584 GetMenuItemInfoA
0x471588 GetMenuItemID
0x47158c GetMenuItemCount
0x471590 GetMenu
0x471594 GetLastActivePopup
0x471598 GetKeyboardState
0x4715a0 GetKeyboardLayout
0x4715a4 GetKeyState
0x4715a8 GetKeyNameTextA
0x4715ac GetIconInfo
0x4715b0 GetForegroundWindow
0x4715b4 GetFocus
0x4715b8 GetDlgItem
0x4715bc GetDesktopWindow
0x4715c0 GetDCEx
0x4715c4 GetDC
0x4715c8 GetCursorPos
0x4715cc GetCursor
0x4715d0 GetClientRect
0x4715d4 GetClassNameA
0x4715d8 GetClassInfoA
0x4715dc GetCapture
0x4715e0 GetActiveWindow
0x4715e4 FrameRect
0x4715e8 FindWindowA
0x4715ec FillRect
0x4715f0 EqualRect
0x4715f4 EnumWindows
0x4715f8 EnumThreadWindows
0x4715fc EndPaint
0x471600 EndDeferWindowPos
0x471604 EnableWindow
0x471608 EnableScrollBar
0x47160c EnableMenuItem
0x471610 DrawTextA
0x471614 DrawMenuBar
0x471618 DrawIconEx
0x47161c DrawIcon
0x471620 DrawFrameControl
0x471624 DrawFocusRect
0x471628 DrawEdge
0x47162c DispatchMessageA
0x471630 DestroyWindow
0x471634 DestroyMenu
0x471638 DestroyIcon
0x47163c DestroyCursor
0x471640 DeleteMenu
0x471644 DeferWindowPos
0x471648 DefWindowProcA
0x47164c DefMDIChildProcA
0x471650 DefFrameProcA
0x471654 CreatePopupMenu
0x471658 CreateMenu
0x47165c CreateIcon
0x471660 ClientToScreen
0x471664 CheckMenuItem
0x471668 CallWindowProcA
0x47166c CallNextHookEx
0x471670 BeginPaint
0x471674 BeginDeferWindowPos
0x471678 CharNextA
0x47167c CharLowerA
0x471680 CharToOemA
0x471684 AdjustWindowRectEx
Library kernel32.dll:
0x471690 Sleep
Library oleaut32.dll:
0x471698 SafeArrayPtrOfIndex
0x47169c SafeArrayGetUBound
0x4716a0 SafeArrayGetLBound
0x4716a4 SafeArrayCreate
0x4716a8 VariantChangeType
0x4716ac VariantCopy
0x4716b0 VariantClear
0x4716b4 VariantInit
Library comctl32.dll:
0x4716c4 ImageList_Write
0x4716c8 ImageList_Read
0x4716d8 ImageList_DragMove
0x4716dc ImageList_DragLeave
0x4716e0 ImageList_DragEnter
0x4716e4 ImageList_EndDrag
0x4716e8 ImageList_BeginDrag
0x4716ec ImageList_Remove
0x4716f0 ImageList_DrawEx
0x4716f4 ImageList_Draw
0x471704 ImageList_Add
0x47170c ImageList_Destroy
0x471710 ImageList_Create
0x471714 InitCommonControls
Library comdlg32.dll:
0x47171c GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.