14.0
0-day

bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2

bf7fe4334d0b4363d70bd997460588a3.exe

Analysis time

108s

Latest analysis

File size

740.5KB
Static detection: malicious. Dynamic detection: malicious. Tags: AI SCORE=84 AIDETECTVM AUTOIT AVEMARIA CONFIDENCE DAQC DELF DELPHILESS EMOY FAREIT HIGH CONFIDENCE HNWLWG HPLOKI KCLOUD KRYPTIK LOKIBOT MALWARE1 MALWARE@#15Z7NTLVTJO3K OHTAG PITZ SCORE SIGGEN10 SMBD STATIC AI SUSPICIOUS PE TSCOPE TSPY UGW@AAEUDXII UHXB UNSAFE VFNII X2094 YIWK YMWKA ZELPHIF
Eagle-Eye engine
Not detected: no Eagle-Eye engine result available
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
Alibaba Trojan:Win32/Kryptik.8e2e3631 20190527 0.3.0.5
Avast 20201210 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
McAfee Fareit-FTB!BF7FE4334D0B 20201211 6.0.6.653
Tencent Win32.Trojan-spy.Avemaria.Pitz 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (38 events)
Time & API Arguments Status Return Repeated
1619861593.952875
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34733892
registers.edi: 0
registers.eax: 0
registers.ebp: 34733960
registers.edx: 23
registers.ebx: 0
registers.esi: 0
registers.ecx: 668
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: bf7fe4334d0b4363d70bd997460588a3+0x5bd87
exception.instruction: div eax
exception.module: bf7fe4334d0b4363d70bd997460588a3.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871828.886374
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33816388
registers.edi: 0
registers.eax: 0
registers.ebp: 33816456
registers.edx: 23
registers.ebx: 0
registers.esi: 0
registers.ecx: 886
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871835.980124
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74004b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74005d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe6f1485
success 0 0
1619871830.496751
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38403908
registers.edi: 0
registers.eax: 0
registers.ebp: 38403976
registers.edx: 23
registers.ebx: 0
registers.esi: 0
registers.ecx: 480
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871861.527249
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34340676
registers.edi: 0
registers.eax: 0
registers.ebp: 34340744
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 527
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871861.730374
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74064b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74065d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfcd51485
success 0 0
1619871861.745999
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 37879620
registers.edi: 0
registers.eax: 0
registers.ebp: 37879688
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 746
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871862.152874
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33423172
registers.edi: 0
registers.eax: 0
registers.ebp: 33423240
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 152
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871862.401999
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74014b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74015d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe7a1485
success 0 0
1619871862.371626
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33881924
registers.edi: 0
registers.eax: 0
registers.ebp: 33881992
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 371
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871863.246374
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33881924
registers.edi: 0
registers.eax: 0
registers.ebp: 33881992
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 246
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871866.418249
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x740b4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x740b5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfcc01485
success 0 0
1619871866.418874
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38469444
registers.edi: 0
registers.eax: 0
registers.ebp: 38469512
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 418
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871866.824751
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38993732
registers.edi: 0
registers.eax: 0
registers.ebp: 38993800
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 824
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871867.043874
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74164b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74165d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe751485
success 0 0
1619871867.058499
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38797124
registers.edi: 0
registers.eax: 0
registers.ebp: 38797192
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 58
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871867.668501
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 37879620
registers.edi: 0
registers.eax: 0
registers.ebp: 37879688
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 668
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871867.933501
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x741b4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x741b5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe741485
success 0 0
1619871867.933124
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33554244
registers.edi: 0
registers.eax: 0
registers.ebp: 33554312
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 933
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871869.168501
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34012996
registers.edi: 0
registers.eax: 0
registers.ebp: 34013064
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 168
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871869.621751
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74114b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74115d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe791485
success 0 0
1619871869.605374
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33685316
registers.edi: 0
registers.eax: 0
registers.ebp: 33685384
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 605
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871870.902626
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 39059268
registers.edi: 0
registers.eax: 0
registers.ebp: 39059336
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 902
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871871.527249
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74164b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74165d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfced1485
success 0 0
1619871871.543499
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33947460
registers.edi: 0
registers.eax: 0
registers.ebp: 33947528
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 543
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871872.855751
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38469444
registers.edi: 0
registers.eax: 0
registers.ebp: 38469512
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 855
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871873.433874
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x741b4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x741b5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfcd71485
success 0 0
1619871873.433501
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38862660
registers.edi: 0
registers.eax: 0
registers.ebp: 38862728
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 433
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871874.621374
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38993732
registers.edi: 0
registers.eax: 0
registers.ebp: 38993800
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 621
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871877.152249
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74164b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74165d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe691485
success 0 0
1619871877.168501
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 37879620
registers.edi: 0
registers.eax: 0
registers.ebp: 37879688
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 168
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871878.058499
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38993732
registers.edi: 0
registers.eax: 0
registers.ebp: 38993800
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 58
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871878.574626
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74114b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74115d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfcd61485
success 0 0
1619871878.574249
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 39059268
registers.edi: 0
registers.eax: 0
registers.ebp: 39059336
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 574
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871885.464751
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 39649092
registers.edi: 0
registers.eax: 0
registers.ebp: 39649160
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 464
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871885.699874
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
svchost+0x6a3f8 @ 0x46a3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74114b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74115d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe641485
success 0 0
1619871885.699501
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33750852
registers.edi: 0
registers.eax: 0
registers.ebp: 33750920
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 699
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
1619871886.760999
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 37945156
registers.edi: 0
registers.eax: 0
registers.ebp: 37945224
registers.edx: 24
registers.ebx: 0
registers.esi: 0
registers.ecx: 761
exception.instruction_r: f7 f0 89 c9 33 c0 5a 59 59 64 89 10 e9 10 93 00
exception.symbol: svchost+0x5bd87
exception.instruction: div eax
exception.module: svchost.exe
exception.exception_code: 0xc0000094
exception.offset: 376199
exception.address: 0x45bd87
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 378 events)
Time & API Arguments Status Return Repeated
1619861593.702875
NtAllocateVirtualMemory
process_identifier: 2772
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619861593.952875
NtProtectVirtualMemory
process_identifier: 2772
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045b000
success 0 0
1619861593.967875
NtAllocateVirtualMemory
process_identifier: 2772
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02000000
success 0 0
1619871828.886374
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00540000
success 0 0
1619871828.886374
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045b000
success 0 0
1619871828.902374
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00850000
success 0 0
1619871830.558124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619871830.824124
NtAllocateVirtualMemory
process_identifier: 1908
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01de0000
success 0 0
1619871830.824124
NtAllocateVirtualMemory
process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e50000
success 0 0
1619871830.824124
NtAllocateVirtualMemory
process_identifier: 1908
region_size: 401408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01de0000
success 0 0
1619871830.824124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 356352
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01de2000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ed2000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ed2000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ed2000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ed2000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ed2000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ed2000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ed2000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ed2000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ed2000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ed2000
success 0 0
1619871835.839124
NtProtectVirtualMemory
process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619871830.480751
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619871830.496751
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045b000
success 0 0
1619871830.496751
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008f0000
success 0 0
1619871861.511249
NtAllocateVirtualMemory
process_identifier: 3420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619871861.527249
NtProtectVirtualMemory
process_identifier: 3420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045b000
success 0 0
1619871861.527249
NtAllocateVirtualMemory
process_identifier: 3420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f20000
success 0 0
1619871861.714374
NtProtectVirtualMemory
process_identifier: 3492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619871861.714374
NtAllocateVirtualMemory
process_identifier: 3492
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01e30000
success 0 0
1619871861.714374
NtAllocateVirtualMemory
process_identifier: 3492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f20000
success 0 0
1619871861.714374
NtAllocateVirtualMemory
process_identifier: 3492
region_size: 401408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e30000
success 0 0
1619871861.714374
NtProtectVirtualMemory
process_identifier: 3492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 356352
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e32000
success 0 0
1619871861.730374
NtProtectVirtualMemory
process_identifier: 3492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00532000
success 0 0
1619871861.730374
NtProtectVirtualMemory
process_identifier: 3492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619871861.730374
NtProtectVirtualMemory
process_identifier: 3492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00532000
success 0 0
1619871861.730374
NtProtectVirtualMemory
process_identifier: 3492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619871861.730374
NtProtectVirtualMemory
process_identifier: 3492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00532000
success 0 0
1619871861.730374
NtProtectVirtualMemory
process_identifier: 3492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619871861.730374
NtProtectVirtualMemory
process_identifier: 3492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00532000
success 0 0
1619871861.730374
NtProtectVirtualMemory
process_identifier: 3492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
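The RWX events above fall into three distinct groups, and the crash record earlier in the report ties into one of them. In PIDs 2468, 2344 and 3420 (the dropped svchost.exe copy) the sample re-protects 40960 bytes at 0x0045b000 inside its own image and the reported divide-by-zero (`div eax` with eax = 0, STATUS_INTEGER_DIVIDE_BY_ZERO 0xc0000094) faults at 0x0045bd87, which is inside that freshly writable code page; the offset 376199 is simply 0x5bd87, the RVA from the 0x00400000 image base, and it is identical for the original sample and the svchost.exe copy, so both are the same binary. In PIDs 1908 and 3492 (the injected children) the RWX pages are at 0x7635xxxx and 0x77d4f000, which the stack trace in the exception record places inside kernel32 (kernel32+0x133ca @ 0x763533ca gives a base of 0x76340000) and ntdll (ntdll+0x39ed2 @ 0x77d69ed2 gives 0x77d30000): code pages of system DLLs being made writable, the footprint of inline API hooking by the injected payload. The classifier below is an added example, not part of the sandbox's signature set; the module bases come from the report's stack trace, the module sizes and the 0xD0000 image size (taken from the NtMapViewOfSection view_size later in the report) are assumptions, and the event list is transcribed from the entries above.

```python
"""Classify PAGE_EXECUTE_READWRITE events by what memory they touch and
correlate a crash address with them.  Added example, not report output."""
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40
IMAGE_BASE = 0x00400000

# Module ranges.  Bases are derived from the report's own stack trace
# (kernel32+0x133ca @ 0x763533ca, ntdll+0x39ed2 @ 0x77d69ed2); the sizes are
# assumptions, chosen only to be large enough to contain the pages seen.
MODULES = {
    "sample image": (IMAGE_BASE, 0x000D0000),   # view_size of the mapped image in the report
    "kernel32.dll": (0x76340000, 0x00100000),   # size assumed
    "ntdll.dll":    (0x77D30000, 0x00140000),   # size assumed
}


@dataclass(frozen=True)
class MemEvent:
    ts: float
    api: str      # NtAllocateVirtualMemory or NtProtectVirtualMemory
    pid: int      # process whose memory is changed
    base: int
    size: int
    protect: int


def module_for(addr):
    """Name of the module range containing addr, or None for private memory."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def classify(ev):
    """Label one RWX event; returns None for non-RWX protections."""
    if ev.protect != PAGE_EXECUTE_READWRITE:
        return None
    mod = module_for(ev.base)
    if mod == "sample image":
        return "self-modifying code in own image"            # unpacker writing its own code
    if mod:
        return f"system DLL page made writable ({mod})"       # inline hook or unhook
    if ev.api == "NtAllocateVirtualMemory":
        return "fresh RWX allocation"                         # staging buffer for unpacked code
    return "private region re-protected RWX"


def rwx_summary(events):
    """Per-PID histogram of labels."""
    out = {}
    for ev in events:
        label = classify(ev)
        if label:
            per_pid = out.setdefault(ev.pid, {})
            per_pid[label] = per_pid.get(label, 0) + 1
    return out


def crash_in_rwx(events, pid, fault_addr):
    """The RWX region of pid that contains fault_addr, or None."""
    for ev in events:
        if (ev.pid == pid and ev.protect == PAGE_EXECUTE_READWRITE
                and ev.base <= fault_addr < ev.base + ev.size):
            return ev
    return None


def rva(addr, base=IMAGE_BASE):
    """Address to image-relative offset, as the report's exception.offset."""
    return addr - base


# Subset of the report's events, transcribed verbatim.
EVENTS = [
    MemEvent(1619871828.886374, "NtAllocateVirtualMemory", 2468, 0x00540000, 4096, 0x40),
    MemEvent(1619871828.886374, "NtProtectVirtualMemory", 2468, 0x0045B000, 40960, 0x40),
    MemEvent(1619871830.558124, "NtProtectVirtualMemory", 1908, 0x00400000, 4096, 0x40),
    MemEvent(1619871830.824124, "NtAllocateVirtualMemory", 1908, 0x01DE0000, 401408, 0x40),
    MemEvent(1619871830.824124, "NtProtectVirtualMemory", 1908, 0x01DE2000, 356352, 0x40),
    MemEvent(1619871835.839124, "NtProtectVirtualMemory", 1908, 0x76351000, 4096, 0x40),
    MemEvent(1619871835.839124, "NtProtectVirtualMemory", 1908, 0x76353000, 4096, 0x40),
    MemEvent(1619871835.839124, "NtProtectVirtualMemory", 1908, 0x77D4F000, 4096, 0x40),
]

if __name__ == "__main__":
    for pid, labels in rwx_summary(EVENTS).items():
        print(pid, labels)
    hit = crash_in_rwx(EVENTS, 2468, 0x0045BD87)
    print(f"crash RVA {rva(0x0045BD87):#x} lies in", hit)
```

Feed it the full event list from a report and the per-PID histogram separates the unpacker stage (own image plus fresh allocations) from the post-injection stage (system DLL pages), which is the boundary at which a memory dump of the child is most useful.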
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs
Creates a suspicious process (14 events)
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 4048 18142843
cmdline C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 3968 18137718
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 3284 18139250
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 1908 18101765
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 1108 18149687
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 3728 18133687
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 2484 18138359
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 3492 18133046
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe"
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 3824 18148468
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 3684 18140890
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 3380 18144734
cmdline "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 3864 18156984
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (29 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.497929245361852 section {'size_of_data': '0x0004a600', 'virtual_address': '0x00075000', 'entropy': 7.497929245361852, 'name': '.rsrc', 'virtual_size': '0x0004a558'} description A section with a high entropy has been found
entropy 0.40229885057471265 description Overall entropy of this PE file is high (the value is the ratio of high-entropy section data to total PE data, not a Shannon entropy; about 40% of the file is compressed or encrypted, consistent with a packed payload carried in .rsrc)
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (38 events). The process names recorded below are the last entry of each snapshot walk; inject-x86.exe and is32bit.exe are the sandbox's own helper binaries, so a sample that walks the process list this persistently can also use it to fingerprint the analysis environment.
Time & API Arguments Status Return Repeated
1619861593.967875
Process32NextW
process_name: conhost.exe
snapshot_handle: 0x00000100
process_identifier: 1320
failed 0 0
1619871828.902374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000e0
process_identifier: 1868
failed 0 0
1619871830.496751
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000d8
process_identifier: 2136
failed 0 0
1619871861.371751
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x0000054c
process_identifier: 2344
failed 0 0
1619871861.527249
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 3420
failed 0 0
1619871861.745999
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x000000d8
process_identifier: 3632
failed 0 0
1619871861.979999
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000e8
process_identifier: 3552
failed 0 0
1619871862.168874
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 3656
failed 0 0
1619871862.371626
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 3788
failed 0 0
1619871863.043626
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000f8
process_identifier: 3788
failed 0 0
1619871863.246374
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 3892
failed 0 0
1619871866.418874
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 4032
failed 0 0
1619871866.636874
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000e8
process_identifier: 4032
failed 0 0
1619871866.839751
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 2940
failed 0 0
1619871867.058499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000d8
process_identifier: 3328
failed 0 0
1619871867.496499
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000f0
process_identifier: 2636
failed 0 0
1619871867.668501
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 3336
failed 0 0
1619871867.933124
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 3172
failed 0 0
1619871869.027124
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x00000108
process_identifier: 3172
failed 0 0
1619871869.168501
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 3584
failed 0 0
1619871869.605374
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 3768
failed 0 0
1619871870.714374
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x00000108
process_identifier: 3768
failed 0 0
1619871870.902626
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 3936
failed 0 0
1619871871.558499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000d8
process_identifier: 3076
failed 0 0
1619871872.652499
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x00000108
process_identifier: 2956
failed 0 0
1619871872.855751
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 2996
failed 0 0
1619871873.433501
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x000000d8
process_identifier: 3520
failed 0 0
1619871874.418501
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x00000104
process_identifier: 3436
failed 0 0
1619871874.636374
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 3484
failed 0 0
1619871877.183501
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000d8
process_identifier: 3856
failed 0 0
1619871877.839501
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x000000f8
process_identifier: 3960
failed 0 0
1619871878.058499
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 884
failed 0 0
1619871878.574249
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 300
failed 0 0
1619871885.293249
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000001d4
process_identifier: 300
failed 0 0
1619871885.464751
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d8
process_identifier: 2976
failed 0 0
1619871885.699501
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x000000d8
process_identifier: 3508
failed 0 0
1619871886.574501
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x00000100
process_identifier: 2576
failed 0 0
1619871886.776999
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000d8
process_identifier: 1760
failed 0 0
Created a process named as a common system process (13 events)
Time & API Arguments Status Return Repeated
1619871828.698999
CreateProcessInternalW
thread_identifier: 2536
thread_handle: 0x000000d0
process_identifier: 2468
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619871861.386751
CreateProcessInternalW
thread_identifier: 3424
thread_handle: 0x00000550
process_identifier: 3420
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000554
inherit_handles: 0
success 1 0
1619871862.026999
CreateProcessInternalW
thread_identifier: 3660
thread_handle: 0x000000ec
process_identifier: 3656
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000f0
inherit_handles: 0
success 1 0
1619871863.089626
CreateProcessInternalW
thread_identifier: 3896
thread_handle: 0x000000fc
process_identifier: 3892
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619871866.683874
CreateProcessInternalW
thread_identifier: 1160
thread_handle: 0x000000ec
process_identifier: 2940
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000f0
inherit_handles: 0
success 1 0
1619871867.543499
CreateProcessInternalW
thread_identifier: 3340
thread_handle: 0x000000f4
process_identifier: 3336
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000f8
inherit_handles: 0
success 1 0
1619871869.043124
CreateProcessInternalW
thread_identifier: 3424
thread_handle: 0x0000010c
process_identifier: 3584
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619871870.730374
CreateProcessInternalW
thread_identifier: 3932
thread_handle: 0x0000010c
process_identifier: 3936
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619871872.699499
CreateProcessInternalW
thread_identifier: 3080
thread_handle: 0x0000010c
process_identifier: 2996
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000110
inherit_handles: 0
success 1 0
1619871874.464501
CreateProcessInternalW
thread_identifier: 1760
thread_handle: 0x00000108
process_identifier: 3484
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619871877.902501
CreateProcessInternalW
thread_identifier: 2116
thread_handle: 0x000000fc
process_identifier: 884
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619871885.308249
CreateProcessInternalW
thread_identifier: 1976
thread_handle: 0x000001d8
process_identifier: 2976
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001dc
inherit_handles: 0
success 1 0
1619871886.589501
CreateProcessInternalW
thread_identifier: 1740
thread_handle: 0x00000104
process_identifier: 2528
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe:ZoneIdentifier
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619861595.577875
NtAllocateVirtualMemory
process_identifier: 1688
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000108
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs
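The persistence mechanism is visible in full in the WriteProcessMemory buffer later in the report: the injected stub is handed a VBScript template, `seT xuOZ = cReateobjeCt("wscrIpT.SHELL") xUOz.RUN """%ls""", 0, False`, together with the path of the dropped copy, and writes it out as `Java Update.vbs` in the per-user Startup folder. The script runs the dropped svchost.exe with window style 0 (hidden) on every logon without touching a Run key or a scheduled task. The mixed-case spelling is deliberate: VBScript identifiers and the ProgID string are case-insensitive, so a case-sensitive "WScript.Shell" signature misses it. The scanner below is an added example, not part of the report; the sample script is constructed from the template above with the `%ls` placeholder filled in with the dropped-copy path from this report, and the list of impersonated system binary names is an assumption.

```python
"""Flag launcher scripts in a Startup folder.  Added example; the sample
script is constructed from the VBS template seen in the report."""
import ntpath
import os
import re

# Constructed: the report's template with %ls replaced by the dropped copy.
SAMPLE_VBS = (
    'seT xuOZ = cReateobjeCt("wscrIpT.SHELL")\n'
    'xUOz.RUN """C:\\Users\\Administrator.Oskar-PC\\AppData\\Roaming\\SubDir\\svchost.exe""", 0, False\n'
)

# All patterns are case-insensitive because VBScript is.
CREATE_SHELL = re.compile(r'createobject\s*\(\s*"wscript\.shell"\s*\)', re.I)
# .Run "<target>", 0[, True|False]  -- window style 0 means hidden.
HIDDEN_RUN = re.compile(
    r'\.run\s+"(?P<target>(?:""|[^"])*)"\s*,\s*0\s*(?:,\s*(?:true|false))?', re.I)
USER_WRITABLE = re.compile(r'\\AppData\\|\\Temp\\|\\Users\\Public\\', re.I)
# Assumed list of names a launcher would borrow from the OS.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}


def classify_script(text):
    """Return a list of findings for one script body (empty if benign)."""
    findings = []
    if CREATE_SHELL.search(text):
        findings.append("instantiates WScript.Shell")
    m = HIDDEN_RUN.search(text)
    if m:
        # VBScript escapes a quote inside a string by doubling it.
        target = m.group("target").replace('""', '"').strip('"')
        findings.append("runs a program with window style 0 (hidden)")
        if USER_WRITABLE.search(target):
            findings.append("target lives in a user-writable directory")
        if (ntpath.basename(target).lower() in SYSTEM_NAMES
                and not target.lower().startswith("c:\\windows\\")):
            findings.append("target impersonates a system binary outside C:\\Windows")
    return findings


def scan_startup(folder):
    """Scan every script-like file in a Startup folder; returns {path: findings}."""
    hits = {}
    for name in os.listdir(folder):
        if name.lower().endswith((".vbs", ".vbe", ".js", ".jse", ".wsf", ".cmd", ".bat")):
            path = os.path.join(folder, name)
            with open(path, "r", errors="replace") as fh:
                findings = classify_script(fh.read())
            if findings:
                hits[path] = findings
    return hits


if __name__ == "__main__":
    print("sample:", classify_script(SAMPLE_VBS))
    startup = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")
    if os.path.isdir(startup):
        for path, findings in scan_startup(startup).items():
            print(path, findings)
```

A single `WScript.Shell` instantiation in a Startup script is common in legitimate logon helpers; the combination with a hidden window, a user-writable target and a system-looking file name is what separates this launcher from them.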
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
Manipulates memory of a non-child process indicative of process injection (3 events)
Process injection Process 2528 manipulating memory of non-child process 3668
Time & API Arguments Status Return Repeated
1619871886.854999
NtUnmapViewOfSection
process_identifier: 3668
region_size: 4096
process_handle: 0x000000e4
base_address: 0x00400000
success 0 0
1619871886.854999
NtMapViewOfSection
section_handle: 0x000000f4
process_identifier: 3668
commit_size: 851968
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000e4
allocation_type: 0 ()
section_offset: 0
view_size: 851968
base_address: 0x00400000
success 0 0
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2772 created a thread in remote process 1688
Time & API Arguments Status Return Repeated
1619861595.577875
NtQueueApcThread
thread_handle: 0x00000110
process_identifier: 1688
function_address: 0x000b05c0
parameter: 0x00100000
success 0 0
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619861595.577875
WriteProcessMemory
process_identifier: 1688
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000108
base_address: 0x000b0000
success 1 0
1619861595.577875
WriteProcessMemory
process_identifier: 1688
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bf7fe4334d0b4363d70bd997460588a3.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bf7fe4334d0b4363d70bd997460588a3.exe" Java UpdateseT xuOZ = cReateobjeCt("wscrIpT.SHELL") xUOz.RUN """%ls""", 0, False
process_handle: 0x00000108
base_address: 0x00100000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (26 events)
Process injection Process 2468 called NtSetContextThread to modify thread in remote process 1908
Process injection Process 3420 called NtSetContextThread to modify thread in remote process 3492
Process injection Process 3656 called NtSetContextThread to modify thread in remote process 3728
Process injection Process 3892 called NtSetContextThread to modify thread in remote process 3968
Process injection Process 2940 called NtSetContextThread to modify thread in remote process 2484
Process injection Process 3336 called NtSetContextThread to modify thread in remote process 3284
Process injection Process 3584 called NtSetContextThread to modify thread in remote process 3684
Process injection Process 3936 called NtSetContextThread to modify thread in remote process 4048
Process injection Process 2996 called NtSetContextThread to modify thread in remote process 3380
Process injection Process 3484 called NtSetContextThread to modify thread in remote process 3824
Process injection Process 884 called NtSetContextThread to modify thread in remote process 1108
Process injection Process 2976 called NtSetContextThread to modify thread in remote process 3864
Process injection Process 2528 called NtSetContextThread to modify thread in remote process 3668
Time & API Arguments Status Return Repeated
1619871828.996374
NtSetContextThread
thread_handle: 0x000000f0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1908
success 0 0
1619871861.558249
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3492
success 0 0
1619871862.199874
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3728
success 0 0
1619871863.589374
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3968
success 0 0
1619871866.871751
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2484
success 0 0
1619871867.746501
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3284
success 0 0
1619871869.214501
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3684
success 0 0
1619871871.324626
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4048
success 0 0
1619871873.246751
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3380
success 0 0
1619871875.589374
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3824
success 0 0
1619871878.183499
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1108
success 0 0
1619871885.511751
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3864
success 0 0
1619871886.901999
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3668
success 0 0
Expresses interest in specific running processes (1 event)
process: potential process injection target svchost.exe
Resumed a suspended thread in a remote process potentially indicative of process injection (24 events)
Process injection Process 2468 resumed a thread in remote process 1908
Process injection Process 3420 resumed a thread in remote process 3492
Process injection Process 3656 resumed a thread in remote process 3728
Process injection Process 3892 resumed a thread in remote process 3968
Process injection Process 2940 resumed a thread in remote process 2484
Process injection Process 3336 resumed a thread in remote process 3284
Process injection Process 3584 resumed a thread in remote process 3684
Process injection Process 3936 resumed a thread in remote process 4048
Process injection Process 2996 resumed a thread in remote process 3380
Process injection Process 3484 resumed a thread in remote process 3824
Process injection Process 884 resumed a thread in remote process 1108
Process injection Process 2976 resumed a thread in remote process 3864
Time & API Arguments Status Return Repeated
1619871830.308374
NtResumeThread
thread_handle: 0x000000f0
suspend_count: 1
process_identifier: 1908
success 0 0
1619871861.589249
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3492
success 0 0
1619871862.230874
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3728
success 0 0
1619871866.261374
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3968
success 0 0
1619871866.902751
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2484
success 0 0
1619871867.793501
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3284
success 0 0
1619871869.433501
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3684
success 0 0
1619871871.386626
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 4048
success 0 0
1619871873.277751
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3380
success 0 0
1619871876.996374
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3824
success 0 0
1619871878.230499
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 1108
success 0 0
1619871885.527751
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3864
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 107 events)
Time & API Arguments Status Return Repeated
1619861595.577875
CreateProcessInternalW
thread_identifier: 2272
thread_handle: 0x00000110
process_identifier: 1688
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
1619861595.577875
NtAllocateVirtualMemory
process_identifier: 1688
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000108
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619861595.577875
NtAllocateVirtualMemory
process_identifier: 1688
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000108
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1619861595.577875
WriteProcessMemory
process_identifier: 1688
buffer:
process_handle: 0x00000108
base_address: 0x000b0000
success 1 0
1619861595.577875
WriteProcessMemory
process_identifier: 1688
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bf7fe4334d0b4363d70bd997460588a3.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bf7fe4334d0b4363d70bd997460588a3.exe" Java UpdateseT xuOZ = cReateobjeCt("wscrIpT.SHELL") xUOz.RUN """%ls""", 0, False
process_handle: 0x00000108
base_address: 0x00100000
success 1 0
1619871828.698999
CreateProcessInternalW
thread_identifier: 2536
thread_handle: 0x000000d0
process_identifier: 2468
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619871828.964374
CreateProcessInternalW
thread_identifier: 368
thread_handle: 0x000000f0
process_identifier: 1908
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000e8
inherit_handles: 0
success 1 0
1619871828.964374
NtUnmapViewOfSection
process_identifier: 1908
region_size: 4096
process_handle: 0x000000e8
base_address: 0x00400000
success 0 0
1619871828.964374
NtMapViewOfSection
section_handle: 0x000000f8
process_identifier: 1908
commit_size: 851968
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000e8
allocation_type: 0 ()
section_offset: 0
view_size: 851968
base_address: 0x00400000
success 0 0
1619871828.996374
NtGetContextThread
thread_handle: 0x000000f0
success 0 0
1619871828.996374
NtSetContextThread
thread_handle: 0x000000f0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1908
success 0 0
1619871830.308374
NtResumeThread
thread_handle: 0x000000f0
suspend_count: 1
process_identifier: 1908
success 0 0
1619871830.324374
CreateProcessInternalW
thread_identifier: 1760
thread_handle: 0x000000f4
process_identifier: 2344
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 1908 18101765
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619871861.386751
CreateProcessInternalW
thread_identifier: 3424
thread_handle: 0x00000550
process_identifier: 3420
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000554
inherit_handles: 0
success 1 0
1619871861.543249
CreateProcessInternalW
thread_identifier: 3496
thread_handle: 0x000000ec
process_identifier: 3492
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000e4
inherit_handles: 0
success 1 0
1619871861.543249
NtUnmapViewOfSection
process_identifier: 3492
region_size: 4096
process_handle: 0x000000e4
base_address: 0x00400000
success 0 0
1619871861.543249
NtMapViewOfSection
section_handle: 0x000000f4
process_identifier: 3492
commit_size: 851968
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000e4
allocation_type: 0 ()
section_offset: 0
view_size: 851968
base_address: 0x00400000
success 0 0
1619871861.558249
NtGetContextThread
thread_handle: 0x000000ec
success 0 0
1619871861.558249
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3492
success 0 0
1619871861.589249
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3492
success 0 0
1619871861.605249
CreateProcessInternalW
thread_identifier: 3556
thread_handle: 0x000000f0
process_identifier: 3552
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 3492 18133046
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619871862.026999
CreateProcessInternalW
thread_identifier: 3660
thread_handle: 0x000000ec
process_identifier: 3656
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000f0
inherit_handles: 0
success 1 0
1619871862.183874
CreateProcessInternalW
thread_identifier: 3732
thread_handle: 0x000000ec
process_identifier: 3728
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000e4
inherit_handles: 0
success 1 0
1619871862.183874
NtUnmapViewOfSection
process_identifier: 3728
region_size: 4096
process_handle: 0x000000e4
base_address: 0x00400000
success 0 0
1619871862.183874
NtMapViewOfSection
section_handle: 0x000000f4
process_identifier: 3728
commit_size: 851968
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000e4
allocation_type: 0 ()
section_offset: 0
view_size: 851968
base_address: 0x00400000
success 0 0
1619871862.199874
NtGetContextThread
thread_handle: 0x000000ec
success 0 0
1619871862.199874
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3728
success 0 0
1619871862.230874
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3728
success 0 0
1619871862.230874
CreateProcessInternalW
thread_identifier: 3792
thread_handle: 0x000000f0
process_identifier: 3788
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 3728 18133687
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619871863.089626
CreateProcessInternalW
thread_identifier: 3896
thread_handle: 0x000000fc
process_identifier: 3892
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619871863.293374
CreateProcessInternalW
thread_identifier: 3972
thread_handle: 0x000000ec
process_identifier: 3968
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000e4
inherit_handles: 0
success 1 0
1619871863.293374
NtUnmapViewOfSection
process_identifier: 3968
region_size: 4096
process_handle: 0x000000e4
base_address: 0x00400000
success 0 0
1619871863.293374
NtMapViewOfSection
section_handle: 0x000000f4
process_identifier: 3968
commit_size: 851968
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000e4
allocation_type: 0 ()
section_offset: 0
view_size: 851968
base_address: 0x00400000
success 0 0
1619871863.589374
NtGetContextThread
thread_handle: 0x000000ec
success 0 0
1619871863.589374
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3968
success 0 0
1619871866.261374
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3968
success 0 0
1619871866.277374
CreateProcessInternalW
thread_identifier: 4036
thread_handle: 0x000000f0
process_identifier: 4032
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 3968 18137718
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619871866.683874
CreateProcessInternalW
thread_identifier: 1160
thread_handle: 0x000000ec
process_identifier: 2940
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000f0
inherit_handles: 0
success 1 0
1619871866.855751
CreateProcessInternalW
thread_identifier: 1124
thread_handle: 0x000000ec
process_identifier: 2484
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000e4
inherit_handles: 0
success 1 0
1619871866.855751
NtUnmapViewOfSection
process_identifier: 2484
region_size: 4096
process_handle: 0x000000e4
base_address: 0x00400000
success 0 0
1619871866.855751
NtMapViewOfSection
section_handle: 0x000000f4
process_identifier: 2484
commit_size: 851968
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000e4
allocation_type: 0 ()
section_offset: 0
view_size: 851968
base_address: 0x00400000
success 0 0
1619871866.871751
NtGetContextThread
thread_handle: 0x000000ec
success 0 0
1619871866.871751
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5038336
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2484
success 0 0
1619871866.902751
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2484
success 0 0
1619871866.902751
CreateProcessInternalW
thread_identifier: 3148
thread_handle: 0x000000f0
process_identifier: 2636
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe" 2 2484 18138359
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619871867.543499
CreateProcessInternalW
thread_identifier: 3340
thread_handle: 0x000000f4
process_identifier: 3336
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000f8
inherit_handles: 0
success 1 0
1619871867.730501
CreateProcessInternalW
thread_identifier: 2856
thread_handle: 0x000000ec
process_identifier: 3284
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\SubDir\svchost.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000e4
inherit_handles: 0
success 1 0
1619871867.730501
NtUnmapViewOfSection
process_identifier: 3284
region_size: 4096
process_handle: 0x000000e4
base_address: 0x00400000
success 0 0
1619871867.730501
NtMapViewOfSection
section_handle: 0x000000f4
process_identifier: 3284
commit_size: 851968
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000e4
allocation_type: 0 ()
section_offset: 0
view_size: 851968
base_address: 0x00400000
success 0 0
1619871867.746501
NtGetContextThread
thread_handle: 0x000000ec
success 0 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Siggen10.5206
MicroWorld-eScan Trojan.Delf.FareIt.Gen.7
ALYac Trojan.Delf.FareIt.Gen.7
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 005690671 )
BitDefender Trojan.Delf.FareIt.Gen.7
K7GW Trojan ( 005690671 )
Cybereason malicious.38c5db
BitDefenderTheta Gen:NN.ZelphiF.34670.UGW@aaEUDXii
Cyren W32/Trojan.YIWK-2138
Symantec Infostealer.Lokibot!43
TrendMicro-HouseCall TSPY_HPLOKI.SMBD
Paloalto generic.ml
ClamAV Win.Malware.Daqc-6598201-0
Kaspersky HEUR:Trojan-Spy.Win32.AveMaria.gen
Alibaba Trojan:Win32/Kryptik.8e2e3631
NANO-Antivirus Riskware.Win32.Delf.hnwlwg
AegisLab Adware.Win32.Generic.2!c
Ad-Aware Trojan.Delf.FareIt.Gen.7
Emsisoft Trojan.Delf.FareIt.Gen.7 (B)
Comodo Malware@#15z7ntlvtjo3k
F-Secure Trojan.TR/Injector.vfnii
Zillya Trojan.Injector.Win32.750366
TrendMicro TSPY_HPLOKI.SMBD
McAfee-GW-Edition BehavesLike.Win32.Fareit.bc
FireEye Generic.mg.bf7fe4334d0b4363
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Jiangmin AdWare.Generic.uhxb
Avira TR/Injector.vfnii
Antiy-AVL Trojan[Spy]/Win32.AveMaria
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft PWS:Win32/Fareit.AQ!MTB
Arcabit Trojan.Delf.FareIt.Gen.7
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Trojan.Delf.FareIt.Gen.7
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2094
Acronis suspicious
McAfee Fareit-FTB!BF7FE4334D0B
MAX malware (ai score=84)
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
APEX Malicious
ESET-NOD32 a variant of Win32/Injector.EMOY
Tencent Win32.Trojan-spy.Avemaria.Pitz
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image
No binary image available. This sample did not generate a binary visualization image.
Runtime screenshots
No runtime screenshots available. No screenshots were generated while this sample was running.

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x46913c VirtualFree
0x469140 VirtualAlloc
0x469144 LocalFree
0x469148 LocalAlloc
0x46914c GetVersion
0x469150 GetCurrentThreadId
0x46915c VirtualQuery
0x469160 WideCharToMultiByte
0x469164 MultiByteToWideChar
0x469168 lstrlenA
0x46916c lstrcpynA
0x469170 LoadLibraryExA
0x469174 GetThreadLocale
0x469178 GetStartupInfoA
0x46917c GetProcAddress
0x469180 GetModuleHandleA
0x469184 GetModuleFileNameA
0x469188 GetLocaleInfoA
0x46918c GetCommandLineA
0x469190 FreeLibrary
0x469194 FindFirstFileA
0x469198 FindClose
0x46919c ExitProcess
0x4691a0 WriteFile
0x4691a8 RtlUnwind
0x4691ac RaiseException
0x4691b0 GetStdHandle
Library user32.dll:
0x4691b8 GetKeyboardType
0x4691bc LoadStringA
0x4691c0 MessageBoxA
0x4691c4 CharNextA
Library advapi32.dll:
0x4691cc RegQueryValueExA
0x4691d0 RegOpenKeyExA
0x4691d4 RegCloseKey
Library oleaut32.dll:
0x4691dc SysFreeString
0x4691e0 SysReAllocStringLen
0x4691e4 SysAllocStringLen
Library kernel32.dll:
0x4691ec TlsSetValue
0x4691f0 TlsGetValue
0x4691f4 LocalAlloc
0x4691f8 GetModuleHandleA
Library advapi32.dll:
0x469200 RegQueryValueExA
0x469204 RegOpenKeyExA
0x469208 RegCloseKey
Library kernel32.dll:
0x469210 lstrcpyA
0x469214 WriteFile
0x469218 WaitForSingleObject
0x46921c VirtualQuery
0x469220 VirtualProtectEx
0x469224 VirtualAlloc
0x469228 Sleep
0x46922c SizeofResource
0x469230 SetThreadLocale
0x469234 SetFilePointer
0x469238 SetEvent
0x46923c SetErrorMode
0x469240 SetEndOfFile
0x469244 ResetEvent
0x469248 ReadFile
0x46924c MulDiv
0x469250 LockResource
0x469254 LoadResource
0x469258 LoadLibraryA
0x469264 GlobalUnlock
0x469268 GlobalReAlloc
0x46926c GlobalHandle
0x469270 GlobalLock
0x469274 GlobalFree
0x469278 GlobalFindAtomA
0x46927c GlobalDeleteAtom
0x469280 GlobalAlloc
0x469284 GlobalAddAtomA
0x469288 GetVersionExA
0x46928c GetVersion
0x469290 GetTickCount
0x469294 GetThreadLocale
0x469298 GetSystemInfo
0x46929c GetStringTypeExA
0x4692a0 GetStdHandle
0x4692a4 GetProcAddress
0x4692a8 GetModuleHandleA
0x4692ac GetModuleFileNameA
0x4692b0 GetLocaleInfoA
0x4692b4 GetLocalTime
0x4692b8 GetLastError
0x4692bc GetFullPathNameA
0x4692c0 GetFileAttributesA
0x4692c4 GetDiskFreeSpaceA
0x4692c8 GetDateFormatA
0x4692cc GetCurrentThreadId
0x4692d0 GetCurrentProcessId
0x4692d4 GetCurrentProcess
0x4692d8 GetCPInfo
0x4692dc GetACP
0x4692e0 FreeResource
0x4692e4 InterlockedExchange
0x4692e8 FreeLibrary
0x4692ec FormatMessageA
0x4692f0 FindResourceA
0x4692f4 FindFirstFileA
0x4692f8 FindClose
0x469304 EnumCalendarInfoA
0x469310 CreateThread
0x469314 CreateFileA
0x469318 CreateEventA
0x46931c CompareStringA
0x469320 CloseHandle
Library version.dll:
0x469328 VerQueryValueA
0x469330 GetFileVersionInfoA
Library gdi32.dll:
0x469338 UnrealizeObject
0x46933c StretchBlt
0x469340 SetWindowOrgEx
0x469344 SetWinMetaFileBits
0x469348 SetViewportOrgEx
0x46934c SetTextColor
0x469350 SetStretchBltMode
0x469354 SetROP2
0x469358 SetPixel
0x46935c SetEnhMetaFileBits
0x469360 SetDIBColorTable
0x469364 SetBrushOrgEx
0x469368 SetBkMode
0x46936c SetBkColor
0x469370 SelectPalette
0x469374 SelectObject
0x469378 SaveDC
0x46937c RestoreDC
0x469380 Rectangle
0x469384 RectVisible
0x469388 RealizePalette
0x46938c Polyline
0x469390 PlayEnhMetaFile
0x469394 PatBlt
0x469398 MoveToEx
0x46939c MaskBlt
0x4693a0 LineTo
0x4693a4 IntersectClipRect
0x4693a8 GetWindowOrgEx
0x4693ac GetWinMetaFileBits
0x4693b0 GetTextMetricsA
0x4693bc GetStockObject
0x4693c0 GetPixel
0x4693c4 GetPaletteEntries
0x4693c8 GetObjectA
0x4693d4 GetEnhMetaFileBits
0x4693d8 GetDeviceCaps
0x4693dc GetDIBits
0x4693e0 GetDIBColorTable
0x4693e4 GetDCOrgEx
0x4693ec GetClipBox
0x4693f0 GetBrushOrgEx
0x4693f4 GetBitmapBits
0x4693f8 ExcludeClipRect
0x4693fc DeleteObject
0x469400 DeleteEnhMetaFile
0x469404 DeleteDC
0x469408 CreateSolidBrush
0x46940c CreatePenIndirect
0x469410 CreatePen
0x469414 CreatePalette
0x46941c CreateFontIndirectA
0x469420 CreateDIBitmap
0x469424 CreateDIBSection
0x469428 CreateCompatibleDC
0x469430 CreateBrushIndirect
0x469434 CreateBitmap
0x469438 CopyEnhMetaFileA
0x46943c BitBlt
Library user32.dll:
0x469444 CreateWindowExA
0x469448 WindowFromPoint
0x46944c WinHelpA
0x469450 WaitMessage
0x469454 ValidateRect
0x469458 UpdateWindow
0x46945c UnregisterClassA
0x469460 UnhookWindowsHookEx
0x469464 TranslateMessage
0x46946c TrackPopupMenu
0x469474 ShowWindow
0x469478 ShowScrollBar
0x46947c ShowOwnedPopups
0x469480 ShowCursor
0x469484 SetWindowsHookExA
0x469488 SetWindowPos
0x46948c SetWindowPlacement
0x469490 SetWindowLongA
0x469494 SetTimer
0x469498 SetScrollRange
0x46949c SetScrollPos
0x4694a0 SetScrollInfo
0x4694a4 SetRect
0x4694a8 SetPropA
0x4694ac SetParent
0x4694b0 SetMenuItemInfoA
0x4694b4 SetMenu
0x4694b8 SetForegroundWindow
0x4694bc SetFocus
0x4694c0 SetCursor
0x4694c4 SetClassLongA
0x4694c8 SetCapture
0x4694cc SetActiveWindow
0x4694d0 SendMessageA
0x4694d4 ScrollWindow
0x4694d8 ScreenToClient
0x4694dc RemovePropA
0x4694e0 RemoveMenu
0x4694e4 ReleaseDC
0x4694e8 ReleaseCapture
0x4694f4 RegisterClassA
0x4694f8 RedrawWindow
0x4694fc PtInRect
0x469500 PostQuitMessage
0x469504 PostMessageA
0x469508 PeekMessageA
0x46950c OffsetRect
0x469510 OemToCharA
0x469514 MessageBoxA
0x469518 MapWindowPoints
0x46951c MapVirtualKeyA
0x469520 LoadStringA
0x469524 LoadKeyboardLayoutA
0x469528 LoadIconA
0x46952c LoadCursorA
0x469530 LoadBitmapA
0x469534 KillTimer
0x469538 IsZoomed
0x46953c IsWindowVisible
0x469540 IsWindowEnabled
0x469544 IsWindow
0x469548 IsRectEmpty
0x46954c IsIconic
0x469550 IsDialogMessageA
0x469554 IsChild
0x469558 InvalidateRect
0x46955c IntersectRect
0x469560 InsertMenuItemA
0x469564 InsertMenuA
0x469568 InflateRect
0x469570 GetWindowTextA
0x469574 GetWindowRect
0x469578 GetWindowPlacement
0x46957c GetWindowLongA
0x469580 GetWindowDC
0x469584 GetTopWindow
0x469588 GetSystemMetrics
0x46958c GetSystemMenu
0x469590 GetSysColorBrush
0x469594 GetSysColor
0x469598 GetSubMenu
0x46959c GetScrollRange
0x4695a0 GetScrollPos
0x4695a4 GetScrollInfo
0x4695a8 GetPropA
0x4695ac GetParent
0x4695b0 GetWindow
0x4695b4 GetMenuStringA
0x4695b8 GetMenuState
0x4695bc GetMenuItemInfoA
0x4695c0 GetMenuItemID
0x4695c4 GetMenuItemCount
0x4695c8 GetMenu
0x4695cc GetLastActivePopup
0x4695d0 GetKeyboardState
0x4695d8 GetKeyboardLayout
0x4695dc GetKeyState
0x4695e0 GetKeyNameTextA
0x4695e4 GetIconInfo
0x4695e8 GetForegroundWindow
0x4695ec GetFocus
0x4695f0 GetDlgItem
0x4695f4 GetDesktopWindow
0x4695f8 GetDCEx
0x4695fc GetDC
0x469600 GetCursorPos
0x469604 GetCursor
0x469608 GetClipboardData
0x46960c GetClientRect
0x469610 GetClassNameA
0x469614 GetClassInfoA
0x469618 GetCapture
0x46961c GetActiveWindow
0x469620 FrameRect
0x469624 FindWindowA
0x469628 FillRect
0x46962c EqualRect
0x469630 EnumWindows
0x469634 EnumThreadWindows
0x469638 EndPaint
0x46963c EnableWindow
0x469640 EnableScrollBar
0x469644 EnableMenuItem
0x469648 DrawTextA
0x46964c DrawMenuBar
0x469650 DrawIconEx
0x469654 DrawIcon
0x469658 DrawFrameControl
0x46965c DrawEdge
0x469660 DispatchMessageA
0x469664 DestroyWindow
0x469668 DestroyMenu
0x46966c DestroyIcon
0x469670 DestroyCursor
0x469674 DeleteMenu
0x469678 DefWindowProcA
0x46967c DefMDIChildProcA
0x469680 DefFrameProcA
0x469684 CreatePopupMenu
0x469688 CreateMenu
0x46968c CreateIcon
0x469690 ClientToScreen
0x469694 CheckMenuItem
0x469698 CallWindowProcA
0x46969c CallNextHookEx
0x4696a0 BeginPaint
0x4696a4 CharNextA
0x4696a8 CharLowerBuffA
0x4696ac CharLowerA
0x4696b0 CharToOemA
0x4696b4 AdjustWindowRectEx
Library kernel32.dll:
0x4696c0 Sleep
Library oleaut32.dll:
0x4696c8 SafeArrayPtrOfIndex
0x4696cc SafeArrayGetUBound
0x4696d0 SafeArrayGetLBound
0x4696d4 SafeArrayCreate
0x4696d8 VariantChangeType
0x4696dc VariantCopy
0x4696e0 VariantClear
0x4696e4 VariantInit
Library comctl32.dll:
0x4696f4 ImageList_Write
0x4696f8 ImageList_Read
0x469708 ImageList_DragMove
0x46970c ImageList_DragLeave
0x469710 ImageList_DragEnter
0x469714 ImageList_EndDrag
0x469718 ImageList_BeginDrag
0x46971c ImageList_Remove
0x469720 ImageList_DrawEx
0x469724 ImageList_Replace
0x469728 ImageList_Draw
0x469738 ImageList_Add
0x469740 ImageList_Destroy
0x469744 ImageList_Create
0x469748 InitCommonControls
Library comdlg32.dll:
0x469750 GetSaveFileNameA
0x469754 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51379 239.255.255.250 3702
192.168.56.101 55369 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.