7.0
High risk

7e7186f5a8b37371bfcb4e850870847b2d3722b0af683c1b22f7088dcc8bac2c

d20dc3e26fe8b27f4183ba1cf3272484.exe

Analysis time

94s

Latest analysis

File size

705.5KB
Static detection / Dynamic detection: 100% AGEN AGENTTESLA AI SCORE=89 AIDETECTVM BTBRW8 CLASSIC CONFIDENCE DELF DELPHILESS ELKP ELOY FAREIT GENERICKD HIGH CONFIDENCE HJEDQX IGENT KRYPTIK LOKIBOT MALICIOUS PE MALWARE2 NQOE QVM05 R + TROJ R03BC0DKM20 SCORE SG0@AKTTRAMI STATIC AI SUSGEN TRJGEN TSCOPE UNSAFE WACATAC WNCF X2059 ZELPHIF
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee Fareit-FSK!D20DC3E26FE8 20201229 6.0.6.653
Alibaba Trojan:Win32/LokiBot.63d91846 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Avast Win32:Malware-gen 20201229 21.1.5827.0
Tencent Win32.Trojan.Crypt.Wncf 20201229 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20201229 2017.9.26.565
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (31 events)
Time & API Arguments Status Return Repeated
1619910851.012176
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49151808
registers.edi: 0
registers.eax: 0
registers.ebp: 49151880
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929392.794
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75177f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75174de3
d20dc3e26fe8b27f4183ba1cf3272484+0x58a4d @ 0x458a4d
d20dc3e26fe8b27f4183ba1cf3272484+0x51254 @ 0x451254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfda814ad
success 0 0
1619929391.6835
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34406208
registers.edi: 0
registers.eax: 0
registers.ebp: 34406280
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929398.371375
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49020736
registers.edi: 0
registers.eax: 0
registers.ebp: 49020808
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929400.965875
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x750be97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x750bea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x750bb25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x750bb4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x750bac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x750baed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x750b5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x750b559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75127f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75124de3
d20dc3e26fe8b27f4183ba1cf3272484+0x58a4d @ 0x458a4d
d20dc3e26fe8b27f4183ba1cf3272484+0x51254 @ 0x451254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff4914ad
success 0 0
1619929400.4655
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49413952
registers.edi: 0
registers.eax: 0
registers.ebp: 49414024
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929404.700125
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 35454784
registers.edi: 0
registers.eax: 0
registers.ebp: 35454856
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929406.794
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
d20dc3e26fe8b27f4183ba1cf3272484+0x58a4d @ 0x458a4d
d20dc3e26fe8b27f4183ba1cf3272484+0x51254 @ 0x451254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3114ad
success 0 0
1619929408.012375
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 35520320
registers.edi: 0
registers.eax: 0
registers.ebp: 35520392
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929409.7155
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49151808
registers.edi: 0
registers.eax: 0
registers.ebp: 49151880
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929420.90325
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7510e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7510ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7510b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7510b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7510ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7510aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75105511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7510559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75177f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75174de3
d20dc3e26fe8b27f4183ba1cf3272484+0x58a4d @ 0x458a4d
d20dc3e26fe8b27f4183ba1cf3272484+0x51254 @ 0x451254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff5514ad
success 0 0
1619929418.433375
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34930496
registers.edi: 0
registers.eax: 0
registers.ebp: 34930568
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929427.96575
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 35127104
registers.edi: 0
registers.eax: 0
registers.ebp: 35127176
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929430.074625
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
d20dc3e26fe8b27f4183ba1cf3272484+0x58a4d @ 0x458a4d
d20dc3e26fe8b27f4183ba1cf3272484+0x51254 @ 0x451254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3914ad
success 0 0
1619929430.09125
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 48758592
registers.edi: 0
registers.eax: 0
registers.ebp: 48758664
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929432.70025
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34996032
registers.edi: 0
registers.eax: 0
registers.ebp: 34996104
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929434.433875
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7510e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7510ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7510b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7510b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7510ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7510aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75105511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7510559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75177f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75174de3
d20dc3e26fe8b27f4183ba1cf3272484+0x58a4d @ 0x458a4d
d20dc3e26fe8b27f4183ba1cf3272484+0x51254 @ 0x451254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd9514ad
success 0 0
1619929434.480625
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 50265920
registers.edi: 0
registers.eax: 0
registers.ebp: 50265992
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929436.747
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34078528
registers.edi: 0
registers.eax: 0
registers.ebp: 34078600
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929438.699375
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x751c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x751c4de3
d20dc3e26fe8b27f4183ba1cf3272484+0x58a4d @ 0x458a4d
d20dc3e26fe8b27f4183ba1cf3272484+0x51254 @ 0x451254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd9014ad
success 0 0
1619929438.902625
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 48955200
registers.edi: 0
registers.eax: 0
registers.ebp: 48955272
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929441.683375
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34471744
registers.edi: 0
registers.eax: 0
registers.ebp: 34471816
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929443.27775
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x750be97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x750bea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x750bb25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x750bb4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x750bac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x750baed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x750b5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x750b559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75127f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75124de3
d20dc3e26fe8b27f4183ba1cf3272484+0x58a4d @ 0x458a4d
d20dc3e26fe8b27f4183ba1cf3272484+0x51254 @ 0x451254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff4114ad
success 0 0
1619929443.652875
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 48561984
registers.edi: 0
registers.eax: 0
registers.ebp: 48562056
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929446.106125
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49282880
registers.edi: 0
registers.eax: 0
registers.ebp: 49282952
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929448.0275
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7501e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7501ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7501b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7501b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7501ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7501aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x75015511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7501559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75177f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75174de3
d20dc3e26fe8b27f4183ba1cf3272484+0x58a4d @ 0x458a4d
d20dc3e26fe8b27f4183ba1cf3272484+0x51254 @ 0x451254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3214ad
success 0 0
1619929447.902375
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34602816
registers.edi: 0
registers.eax: 0
registers.ebp: 34602888
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929451.293875
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49610560
registers.edi: 0
registers.eax: 0
registers.ebp: 49610632
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929453.434125
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7494e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7494ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7494b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7494b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7494ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7494aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74945511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7494559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75127f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75124de3
d20dc3e26fe8b27f4183ba1cf3272484+0x58a4d @ 0x458a4d
d20dc3e26fe8b27f4183ba1cf3272484+0x51254 @ 0x451254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff4314ad
success 0 0
1619929453.965625
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34864960
registers.edi: 0
registers.eax: 0
registers.ebp: 34865032
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
1619929456.63775
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33685312
registers.edi: 0
registers.eax: 0
registers.ebp: 33685384
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 de 9b fa
exception.symbol: d20dc3e26fe8b27f4183ba1cf3272484+0x599bd
exception.instruction: div eax
exception.module: d20dc3e26fe8b27f4183ba1cf3272484.exe
exception.exception_code: 0xc0000094
exception.offset: 367037
exception.address: 0x4599bd
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 333 events)
Time & API Arguments Status Return Repeated
1619910850.825176
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619910851.028176
NtAllocateVirtualMemory
process_identifier: 912
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00520000
success 0 0
1619910851.028176
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ea0000
success 0 0
1619929391.513
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619929391.606
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01ee0000
success 0 0
1619929391.606
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b0000
success 0 0
1619929391.606
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01dd0000
success 0 0
1619929391.606
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 299008
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01dd2000
success 0 0
1619929392.106
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x020f0000
success 0 0
1619929392.106
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022e0000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00522000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00522000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00522000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00522000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00522000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00522000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00522000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00522000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00522000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00522000
success 0 0
1619929392.763
NtProtectVirtualMemory
process_identifier: 2240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619929391.6685
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619929391.6835
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00550000
success 0 0
1619929391.6995
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00790000
success 0 0
1619929398.262375
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00370000
success 0 0
1619929398.371375
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003f0000
success 0 0
1619929398.402375
NtAllocateVirtualMemory
process_identifier: 2264
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008a0000
success 0 0
1619929400.058875
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619929400.074875
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01da0000
success 0 0
1619929400.074875
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01dd0000
success 0 0
1619929400.074875
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00610000
success 0 0
1619929400.074875
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 299008
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00612000
success 0 0
1619929400.277875
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f40000
success 0 0
1619929400.277875
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fc0000
success 0 0
1619929400.902875
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f32000
success 0 0
1619929400.902875
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619929400.902875
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f32000
success 0 0
1619929400.902875
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619929400.902875
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f32000
success 0 0
1619929400.902875
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619929400.902875
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f32000
success 0 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (22 events)
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
entropy 7.565652478268402 section {'size_of_data': '0x0000d000', 'virtual_address': '0x0005a000', 'entropy': 7.565652478268402, 'name': 'DATA', 'virtual_size': '0x0000ce20'} description A section with a high entropy has been found
entropy 7.475887012246672 section {'size_of_data': '0x00041a00', 'virtual_address': '0x00074000', 'entropy': 7.475887012246672, 'name': '.rsrc', 'virtual_size': '0x00041930'} description A section with a high entropy has been found
entropy 0.4464158977998581 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process d20dc3e26fe8b27f4183ba1cf3272484.exe
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (21 events)
Time & API Arguments Status Return Repeated
1619910851.044176
Process32NextW
process_name: conhost.exe
snapshot_handle: 0x000000f8
process_identifier: 2264
failed 0 0
1619929397.8245
Process32NextW
process_name: d20dc3e26fe8b27f4183ba1cf3272484.exe
snapshot_handle: 0x000001a8
process_identifier: 2860
failed 0 0
1619929398.465375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 1432
failed 0 0
1619929403.8085
Process32NextW
process_name: d20dc3e26fe8b27f4183ba1cf3272484.exe
snapshot_handle: 0x0000013c
process_identifier: 1880
failed 0 0
1619929404.903125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 1760
failed 0 0
1619929409.230375
Process32NextW
process_name: d20dc3e26fe8b27f4183ba1cf3272484.exe
snapshot_handle: 0x00000120
process_identifier: 2448
failed 0 0
1619929409.7465
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 2952
failed 0 0
1619929427.418375
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x000001fc
process_identifier: 3160
failed 0 0
1619929428.10575
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3252
failed 0 0
1619929432.23125
Process32NextW
process_name: d20dc3e26fe8b27f4183ba1cf3272484.exe
snapshot_handle: 0x0000012c
process_identifier: 3332
failed 0 0
1619929432.79425
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3504
failed 0 0
1619929436.402625
Process32NextW
process_name: d20dc3e26fe8b27f4183ba1cf3272484.exe
snapshot_handle: 0x00000134
process_identifier: 3580
failed 0 0
1619929436.763
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3740
failed 0 0
1619929441.152625
Process32NextW
process_name: d20dc3e26fe8b27f4183ba1cf3272484.exe
snapshot_handle: 0x00000138
process_identifier: 3824
failed 0 0
1619929441.824375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3984
failed 0 0
1619929445.527875
Process32NextW
process_name: d20dc3e26fe8b27f4183ba1cf3272484.exe
snapshot_handle: 0x0000011c
process_identifier: 4064
failed 0 0
1619929446.106125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f8
process_identifier: 3328
failed 0 0
1619929450.652375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000140
process_identifier: 3408
failed 0 0
1619929451.308875
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x000000f8
process_identifier: 3108
failed 0 0
1619929455.496625
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000118
process_identifier: 3940
failed 0 0
1619929456.63775
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000fc
process_identifier: 3996
failed 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (20 events)
Process injection Process 912 called NtSetContextThread to modify thread in remote process 2240
Process injection Process 2264 called NtSetContextThread to modify thread in remote process 2504
Process injection Process 796 called NtSetContextThread to modify thread in remote process 1888
Process injection Process 624 called NtSetContextThread to modify thread in remote process 2604
Process injection Process 3200 called NtSetContextThread to modify thread in remote process 3272
Process injection Process 3448 called NtSetContextThread to modify thread in remote process 3520
Process injection Process 3688 called NtSetContextThread to modify thread in remote process 3764
Process injection Process 3928 called NtSetContextThread to modify thread in remote process 4004
Process injection Process 2536 called NtSetContextThread to modify thread in remote process 3352
Process injection Process 3592 called NtSetContextThread to modify thread in remote process 3524
Time & API Arguments Status Return Repeated
1619910851.856176
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2240
success 0 0
1619929399.027375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2504
success 0 0
1619929405.450125
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1888
success 0 0
1619929413.9185
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2604
success 0 0
1619929428.76275
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3272
success 0 0
1619929433.30925
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3520
success 0 0
1619929437.622
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3764
success 0 0
1619929442.512375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4004
success 0 0
1619929446.716125
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3352
success 0 0
1619929452.121875
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3524
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (20 events)
Process injection Process 912 resumed a thread in remote process 2240
Process injection Process 2264 resumed a thread in remote process 2504
Process injection Process 796 resumed a thread in remote process 1888
Process injection Process 624 resumed a thread in remote process 2604
Process injection Process 3200 resumed a thread in remote process 3272
Process injection Process 3448 resumed a thread in remote process 3520
Process injection Process 3688 resumed a thread in remote process 3764
Process injection Process 3928 resumed a thread in remote process 4004
Process injection Process 2536 resumed a thread in remote process 3352
Process injection Process 3592 resumed a thread in remote process 3524
Time & API Arguments Status Return Repeated
1619910852.200176
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2240
success 0 0
1619929399.808375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2504
success 0 0
1619929406.028125
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 1888
success 0 0
1619929417.9965
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2604
success 0 0
1619929429.29375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3272
success 0 0
1619929433.87225
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3520
success 0 0
1619929438.122
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3764
success 0 0
1619929442.871375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 4004
success 0 0
1619929447.169125
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3352
success 0 0
1619929452.574875
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3524
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 80 events)
Time & API Arguments Status Return Repeated
1619910851.778176
CreateProcessInternalW
thread_identifier: 2316
thread_handle: 0x000000fc
process_identifier: 2240
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619910851.778176
NtUnmapViewOfSection
process_identifier: 2240
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619910851.794176
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 2240
commit_size: 704512
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 704512
base_address: 0x00400000
success 0 0
1619910851.840176
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619910851.856176
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2240
success 0 0
1619910852.200176
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2240
success 0 0
1619910852.278176
CreateProcessInternalW
thread_identifier: 2740
thread_handle: 0x00000104
process_identifier: 2860
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe" 2 2240 12087406
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619929397.9495
CreateProcessInternalW
thread_identifier: 880
thread_handle: 0x000001ac
process_identifier: 2264
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001b0
inherit_handles: 0
success 1 0
1619929398.871375
CreateProcessInternalW
thread_identifier: 2316
thread_handle: 0x000000fc
process_identifier: 2504
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619929398.871375
NtUnmapViewOfSection
process_identifier: 2504
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619929398.887375
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 2504
commit_size: 704512
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 704512
base_address: 0x00400000
success 0 0
1619929399.012375
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619929399.027375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2504
success 0 0
1619929399.808375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2504
success 0 0
1619929400.012375
CreateProcessInternalW
thread_identifier: 1908
thread_handle: 0x00000104
process_identifier: 1880
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe" 2 2504 12095921
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619929404.1055
CreateProcessInternalW
thread_identifier: 2544
thread_handle: 0x00000140
process_identifier: 796
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000144
inherit_handles: 0
success 1 0
1619929405.372125
CreateProcessInternalW
thread_identifier: 1948
thread_handle: 0x000000fc
process_identifier: 1888
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619929405.372125
NtUnmapViewOfSection
process_identifier: 1888
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619929405.388125
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 1888
commit_size: 704512
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 704512
base_address: 0x00400000
success 0 0
1619929405.434125
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619929405.450125
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1888
success 0 0
1619929406.028125
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 1888
success 0 0
1619929406.153125
CreateProcessInternalW
thread_identifier: 1816
thread_handle: 0x00000104
process_identifier: 2448
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe" 2 1888 12102140
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619929409.371375
CreateProcessInternalW
thread_identifier: 1932
thread_handle: 0x00000124
process_identifier: 624
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619929410.0745
CreateProcessInternalW
thread_identifier: 2964
thread_handle: 0x000000fc
process_identifier: 2604
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619929410.0745
NtUnmapViewOfSection
process_identifier: 2604
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619929410.0745
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 2604
commit_size: 704512
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 704512
base_address: 0x00400000
success 0 0
1619929413.9185
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619929413.9185
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2604
success 0 0
1619929417.9965
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2604
success 0 0
1619929418.0585
CreateProcessInternalW
thread_identifier: 2536
thread_handle: 0x00000104
process_identifier: 2796
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe" 2 2604 12114109
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619929427.543375
CreateProcessInternalW
thread_identifier: 3204
thread_handle: 0x00000200
process_identifier: 3200
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000204
inherit_handles: 0
success 1 0
1619929428.69975
CreateProcessInternalW
thread_identifier: 3276
thread_handle: 0x000000fc
process_identifier: 3272
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619929428.69975
NtUnmapViewOfSection
process_identifier: 3272
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619929428.71575
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 3272
commit_size: 704512
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 704512
base_address: 0x00400000
success 0 0
1619929428.76275
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619929428.76275
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3272
success 0 0
1619929429.29375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3272
success 0 0
1619929429.46575
CreateProcessInternalW
thread_identifier: 3336
thread_handle: 0x00000104
process_identifier: 3332
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe" 2 3272 12125406
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619929432.32525
CreateProcessInternalW
thread_identifier: 3452
thread_handle: 0x00000130
process_identifier: 3448
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000134
inherit_handles: 0
success 1 0
1619929433.23125
CreateProcessInternalW
thread_identifier: 3524
thread_handle: 0x000000fc
process_identifier: 3520
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619929433.23125
NtUnmapViewOfSection
process_identifier: 3520
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619929433.26325
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 3520
commit_size: 704512
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 704512
base_address: 0x00400000
success 0 0
1619929433.30925
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619929433.30925
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4894224
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3520
success 0 0
1619929433.87225
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3520
success 0 0
1619929433.91925
CreateProcessInternalW
thread_identifier: 3584
thread_handle: 0x00000104
process_identifier: 3580
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe" 2 3520 12129984
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619929436.433625
CreateProcessInternalW
thread_identifier: 3692
thread_handle: 0x00000138
process_identifier: 3688
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000013c
inherit_handles: 0
success 1 0
1619929437.513
CreateProcessInternalW
thread_identifier: 3768
thread_handle: 0x000000fc
process_identifier: 3764
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619929437.513
NtUnmapViewOfSection
process_identifier: 3764
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
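The five calls repeated above for PIDs 2604, 3272 and 3520 (a copy of the sample launched with CREATE_SUSPENDED, its image at 0x00400000 unmapped, a 704512-byte PAGE_EXECUTE_READWRITE view mapped in its place, the primary thread's context rewritten, then NtResumeThread) are the process-hollowing / RunPE pattern, and the two registers the sandbox logged fit it: registers.ebx = 2130567168 is 0x7EFDE000, the usual PEB address of a 32-bit process on Windows 7, and registers.eax = 4894224 is 0x4AAE10, which lies inside the freshly mapped view (0x00400000 to 0x004AC000). On x86 a suspended initial thread starts with EAX holding the entry point and EBX the PEB, so this is the payload's new entry point. Two further observations from the same entries: the mapped view, 704512 bytes, is about the size of the sample file itself, and after every resume the parent starts a third copy with the arguments `2 <hollowed pid> <number>`. The script below is an added example, not code from the sandbox or from the sample, that parses this log format and flags any child that goes through all five stages in order; the embedded log is a constructed excerpt of the PID 2604 cycle with handles, thread ids and zero-valued registers trimmed.

```python
import re
from collections import OrderedDict

CREATE_SUSPENDED = 0x4          # creation_flags bit on the child launch
PAGE_EXECUTE_READWRITE = 0x40   # win32_protect of the replacement view

# Constructed sample: the PID 2604 cycle from this report with handles, thread ids
# and zero-valued registers trimmed away.
SAMPLE_LOG = r"""
1619929410.0745
CreateProcessInternalW
process_identifier: 2604
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe"
creation_flags: 4 (CREATE_SUSPENDED)
success 1 0
NtUnmapViewOfSection
process_identifier: 2604
base_address: 0x00400000
success 0 0
NtMapViewOfSection
process_identifier: 2604
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
view_size: 704512
base_address: 0x00400000
success 0 0
NtSetContextThread
registers.eax: 4894224
process_identifier: 2604
success 0 0
NtResumeThread
process_identifier: 2604
success 0 0
CreateProcessInternalW
process_identifier: 2796
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d20dc3e26fe8b27f4183ba1cf3272484.exe" 2 2604 12114109
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
success 1 0
"""

_API_RE = re.compile(r"^[A-Za-z_]\w*$")
_KV_RE = re.compile(r"^([\w.]+):\s?(.*)$")
_TS_RE = re.compile(r"^\d+(\.\d+)?$")


def parse_calls(log_text):
    """Group 'API / key: value ... / success|failed n n' runs into dicts; timestamps skipped."""
    calls, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or _TS_RE.match(line):
            continue
        if line.startswith(("success ", "failed ")):   # terminator of one call
            if cur is not None:
                cur["status"] = line
                calls.append(cur)
            cur = None
            continue
        kv = _KV_RE.match(line)
        if kv and cur is not None:
            cur[kv.group(1)] = kv.group(2)
        elif _API_RE.match(line):
            cur = {"api": line}
    return calls


def _int_field(call, key):
    """'4 (CREATE_SUSPENDED)' -> 4, '0x00400000' -> 4194304, absent -> None."""
    value = call.get(key)
    return int(value.split()[0], 0) if value else None


def detect_hollowing(log_text):
    """Return {child_pid: finding} for every child that passes all five stages in order:
    suspended launch -> NtUnmapViewOfSection -> RWX NtMapViewOfSection -> NtSetContextThread
    -> NtResumeThread.  Chains that stall (never resumed, view not RWX) are dropped."""
    tracked, findings = OrderedDict(), OrderedDict()
    for call in parse_calls(log_text):
        api, pid = call["api"], _int_field(call, "process_identifier")
        if api == "CreateProcessInternalW":
            if pid is not None and (_int_field(call, "creation_flags") or 0) & CREATE_SUSPENDED:
                tracked[pid] = {"stage": 1, "command_line": call.get("command_line", "")}
            continue
        f = tracked.get(pid)
        if f is None:
            continue
        if api == "NtUnmapViewOfSection" and f["stage"] == 1:
            f["stage"] = 2
        elif (api == "NtMapViewOfSection" and f["stage"] == 2
              and _int_field(call, "win32_protect") == PAGE_EXECUTE_READWRITE):
            f["stage"] = 3
            f["image_base"] = _int_field(call, "base_address")
            f["image_size"] = _int_field(call, "view_size")
        elif api == "NtSetContextThread" and f["stage"] == 3:
            # x86: a suspended initial thread keeps its entry point in EAX, so the
            # EAX written here is the payload's new entry point.
            f["stage"], f["new_entry"] = 4, _int_field(call, "registers.eax")
        elif api == "NtResumeThread" and f["stage"] == 4:
            f["stage"] = 5
            base, size, entry = f["image_base"], f["image_size"], f["new_entry"]
            f["entry_in_image"] = None not in (base, size, entry) and base <= entry < base + size
            findings[pid] = tracked.pop(pid)
    return findings
```

`detect_hollowing(SAMPLE_LOG)` yields one finding, for PID 2604, with the new entry point 0x4AAE10 inside the mapped image; the later launch of PID 2796 (NORMAL_PRIORITY_CLASS, no suspension) is ignored. Matching on the target `process_identifier` rather than on handles is deliberate: the report reuses handle values (0x00000100, 0x000000fc) across cycles, while PIDs are unique for the run.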
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 of 59 results shown)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Stealer.23680
MicroWorld-eScan Trojan.GenericKD.33712358
FireEye Generic.mg.d20dc3e26fe8b27f
McAfee Fareit-FSK!D20DC3E26FE8
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 005653ce1 )
Alibaba Trojan:Win32/LokiBot.63d91846
K7GW Trojan ( 005653ce1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D20268E6
BitDefenderTheta Gen:NN.ZelphiF.34700.SG0@aKttrami
Cyren W32/Delf.NQOE-7492
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/Injector.ELOY
APEX Malicious
Avast Win32:Malware-gen
Kaspersky HEUR:Trojan.Win32.Crypt.gen
BitDefender Trojan.GenericKD.33712358
NANO-Antivirus Trojan.Win32.TrjGen.hjedqx
Paloalto generic.ml
Tencent Win32.Trojan.Crypt.Wncf
Ad-Aware Trojan.GenericKD.33712358
Emsisoft Trojan.GenericKD.33712358 (B)
F-Secure Heuristic.HEUR/AGEN.1136310
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R03BC0DKM20
McAfee-GW-Edition BehavesLike.Win32.Fareit.bc
Sophos Mal/Generic-R + Troj/Inject-FWD
Ikarus Trojan.Inject
Jiangmin Trojan.Crypt.dcg
Webroot W32.Trojan.Gen
Avira HEUR/AGEN.1136310
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Trojan.Win32.Kryptik.ba!s1
Microsoft Trojan:Win32/LokiBot.AG!MTB
AegisLab Trojan.Win32.Crypt.4!c
ZoneAlarm HEUR:Trojan.Win32.Crypt.gen
GData Trojan.GenericKD.33712358
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2059
Acronis suspicious
ALYac Trojan.GenericKD.33712358
MAX malware (ai score=89)
VBA32 TScope.Trojan.Delf
Malwarebytes Spyware.AgentTesla
Zoner Trojan.Win32.89576
TrendMicro-HouseCall TROJ_GEN.R03BC0DKM20
Visual analysis
Binary image
No binary image: the sample did not produce a binary visualization image
Run screenshots
No screenshots: none were captured while the sample ran

PE Compile Time

1992-06-20 06:22:17

Shown in the sandbox's UTC+8 local time; this is 1992-06-19 22:22:17 UTC, TimeDateStamp 0x2A425E19, the constant that Borland Delphi linkers write into every image. Together with the BobSoft Mini Delphi packer match it confirms a Delphi host binary, but it says nothing about when the sample was actually built and must not be used for timeline analysis.

Imports

This is the static import directory of the packed Delphi host (VCL runtime: GDI drawing, USER32 windowing, OLE automation, comctl32 image lists). None of the APIs behind the injection sequence logged above (CreateProcessA/W, NtUnmapViewOfSection, NtMapViewOfSection, NtSetContextThread, NtResumeThread) appears here; with GetProcAddress, LoadLibraryA/LoadLibraryExA and GetModuleHandleA imported, the unpacked payload resolves them at run time.

Library kernel32.dll:
0x46813c VirtualFree
0x468140 VirtualAlloc
0x468144 LocalFree
0x468148 LocalAlloc
0x46814c GetVersion
0x468150 GetCurrentThreadId
0x46815c VirtualQuery
0x468160 WideCharToMultiByte
0x468164 MultiByteToWideChar
0x468168 lstrlenA
0x46816c lstrcpynA
0x468170 LoadLibraryExA
0x468174 GetThreadLocale
0x468178 GetStartupInfoA
0x46817c GetProcAddress
0x468180 GetModuleHandleA
0x468184 GetModuleFileNameA
0x468188 GetLocaleInfoA
0x46818c GetCommandLineA
0x468190 FreeLibrary
0x468194 FindFirstFileA
0x468198 FindClose
0x46819c ExitProcess
0x4681a0 WriteFile
0x4681a8 RtlUnwind
0x4681ac RaiseException
0x4681b0 GetStdHandle
Library user32.dll:
0x4681b8 GetKeyboardType
0x4681bc LoadStringA
0x4681c0 MessageBoxA
0x4681c4 CharNextA
Library advapi32.dll:
0x4681cc RegQueryValueExA
0x4681d0 RegOpenKeyExA
0x4681d4 RegCloseKey
Library oleaut32.dll:
0x4681dc SysFreeString
0x4681e0 SysReAllocStringLen
0x4681e4 SysAllocStringLen
Library kernel32.dll:
0x4681ec TlsSetValue
0x4681f0 TlsGetValue
0x4681f4 LocalAlloc
0x4681f8 GetModuleHandleA
Library advapi32.dll:
0x468200 RegQueryValueExA
0x468204 RegOpenKeyExA
0x468208 RegCloseKey
Library kernel32.dll:
0x468210 lstrcpyA
0x468214 WriteFile
0x46821c WaitForSingleObject
0x468220 VirtualQuery
0x468224 VirtualAlloc
0x468228 Sleep
0x46822c SizeofResource
0x468230 SetThreadLocale
0x468234 SetFilePointer
0x468238 SetEvent
0x46823c SetErrorMode
0x468240 SetEndOfFile
0x468244 ResetEvent
0x468248 ReadFile
0x46824c MulDiv
0x468250 LockResource
0x468254 LoadResource
0x468258 LoadLibraryA
0x468264 GlobalUnlock
0x468268 GlobalReAlloc
0x46826c GlobalHandle
0x468270 GlobalLock
0x468274 GlobalFree
0x468278 GlobalFindAtomA
0x46827c GlobalDeleteAtom
0x468280 GlobalAlloc
0x468284 GlobalAddAtomA
0x468288 GetVersionExA
0x46828c GetVersion
0x468290 GetTickCount
0x468294 GetThreadLocale
0x46829c GetSystemTime
0x4682a0 GetSystemInfo
0x4682a4 GetStringTypeExA
0x4682a8 GetStdHandle
0x4682ac GetProcAddress
0x4682b0 GetModuleHandleA
0x4682b4 GetModuleFileNameA
0x4682b8 GetLocaleInfoA
0x4682bc GetLocalTime
0x4682c0 GetLastError
0x4682c4 GetFullPathNameA
0x4682c8 GetDiskFreeSpaceA
0x4682cc GetDateFormatA
0x4682d0 GetCurrentThreadId
0x4682d4 GetCurrentProcessId
0x4682d8 GetCPInfo
0x4682dc GetACP
0x4682e0 FreeResource
0x4682e4 InterlockedExchange
0x4682e8 FreeLibrary
0x4682ec FormatMessageA
0x4682f0 FindResourceA
0x4682f8 ExitThread
0x4682fc EnumCalendarInfoA
0x468308 CreateThread
0x46830c CreateFileA
0x468310 CreateEventA
0x468314 CompareStringA
0x468318 CloseHandle
Library version.dll:
0x468320 VerQueryValueA
0x468328 GetFileVersionInfoA
Library gdi32.dll:
0x468330 UnrealizeObject
0x468334 StretchBlt
0x468338 SetWindowOrgEx
0x46833c SetWinMetaFileBits
0x468340 SetViewportOrgEx
0x468344 SetTextColor
0x468348 SetStretchBltMode
0x46834c SetROP2
0x468350 SetPixel
0x468354 SetEnhMetaFileBits
0x468358 SetDIBColorTable
0x46835c SetBrushOrgEx
0x468360 SetBkMode
0x468364 SetBkColor
0x468368 SelectPalette
0x46836c SelectObject
0x468370 SaveDC
0x468374 RestoreDC
0x468378 Rectangle
0x46837c RectVisible
0x468380 RealizePalette
0x468384 PlayEnhMetaFile
0x468388 PathToRegion
0x46838c PatBlt
0x468390 MoveToEx
0x468394 MaskBlt
0x468398 LineTo
0x46839c IntersectClipRect
0x4683a0 GetWindowOrgEx
0x4683a4 GetWinMetaFileBits
0x4683a8 GetTextMetricsA
0x4683b4 GetStockObject
0x4683b8 GetPixel
0x4683bc GetPaletteEntries
0x4683c0 GetObjectA
0x4683cc GetEnhMetaFileBits
0x4683d0 GetDeviceCaps
0x4683d4 GetDIBits
0x4683d8 GetDIBColorTable
0x4683dc GetDCOrgEx
0x4683e4 GetClipBox
0x4683e8 GetBrushOrgEx
0x4683ec GetBitmapBits
0x4683f0 ExcludeClipRect
0x4683f4 DeleteObject
0x4683f8 DeleteEnhMetaFile
0x4683fc DeleteDC
0x468400 CreateSolidBrush
0x468404 CreatePenIndirect
0x468408 CreatePalette
0x468410 CreateFontIndirectA
0x468414 CreateDIBitmap
0x468418 CreateDIBSection
0x46841c CreateCompatibleDC
0x468424 CreateBrushIndirect
0x468428 CreateBitmap
0x46842c CopyEnhMetaFileA
0x468430 BitBlt
Library user32.dll:
0x468438 CreateWindowExA
0x46843c WindowFromPoint
0x468440 WinHelpA
0x468444 WaitMessage
0x468448 UpdateWindow
0x46844c UnregisterClassA
0x468450 UnhookWindowsHookEx
0x468454 TranslateMessage
0x46845c TrackPopupMenu
0x468464 ShowWindow
0x468468 ShowScrollBar
0x46846c ShowOwnedPopups
0x468470 ShowCursor
0x468474 SetWindowsHookExA
0x468478 SetWindowPos
0x46847c SetWindowPlacement
0x468480 SetWindowLongA
0x468484 SetTimer
0x468488 SetScrollRange
0x46848c SetScrollPos
0x468490 SetScrollInfo
0x468494 SetRect
0x468498 SetPropA
0x46849c SetParent
0x4684a0 SetMenuItemInfoA
0x4684a4 SetMenu
0x4684a8 SetForegroundWindow
0x4684ac SetFocus
0x4684b0 SetCursor
0x4684b4 SetClassLongA
0x4684b8 SetCapture
0x4684bc SetActiveWindow
0x4684c0 SendMessageA
0x4684c4 ScrollWindow
0x4684c8 ScreenToClient
0x4684cc RemovePropA
0x4684d0 RemoveMenu
0x4684d4 ReleaseDC
0x4684d8 ReleaseCapture
0x4684e4 RegisterClassA
0x4684e8 RedrawWindow
0x4684ec PtInRect
0x4684f0 PostQuitMessage
0x4684f4 PostMessageA
0x4684f8 PeekMessageA
0x4684fc OffsetRect
0x468500 OemToCharA
0x468504 MessageBoxA
0x468508 MapWindowPoints
0x46850c MapVirtualKeyA
0x468510 LoadStringA
0x468514 LoadKeyboardLayoutA
0x468518 LoadIconA
0x46851c LoadCursorA
0x468520 LoadBitmapA
0x468524 KillTimer
0x468528 IsZoomed
0x46852c IsWindowVisible
0x468530 IsWindowEnabled
0x468534 IsWindow
0x468538 IsRectEmpty
0x46853c IsIconic
0x468540 IsDialogMessageA
0x468544 IsChild
0x468548 InvalidateRect
0x46854c IntersectRect
0x468550 InsertMenuItemA
0x468554 InsertMenuA
0x468558 InflateRect
0x468560 GetWindowTextA
0x468564 GetWindowRect
0x468568 GetWindowPlacement
0x46856c GetWindowLongA
0x468570 GetWindowDC
0x468574 GetTopWindow
0x468578 GetSystemMetrics
0x46857c GetSystemMenu
0x468580 GetSysColorBrush
0x468584 GetSysColor
0x468588 GetSubMenu
0x46858c GetScrollRange
0x468590 GetScrollPos
0x468594 GetScrollInfo
0x468598 GetPropA
0x46859c GetParent
0x4685a0 GetWindow
0x4685a4 GetMenuStringA
0x4685a8 GetMenuState
0x4685ac GetMenuItemInfoA
0x4685b0 GetMenuItemID
0x4685b4 GetMenuItemCount
0x4685b8 GetMenu
0x4685bc GetLastActivePopup
0x4685c0 GetKeyboardState
0x4685c8 GetKeyboardLayout
0x4685cc GetKeyState
0x4685d0 GetKeyNameTextA
0x4685d4 GetIconInfo
0x4685d8 GetForegroundWindow
0x4685dc GetFocus
0x4685e0 GetDlgItem
0x4685e4 GetDesktopWindow
0x4685e8 GetDCEx
0x4685ec GetDC
0x4685f0 GetCursorPos
0x4685f4 GetCursor
0x4685f8 GetClipboardData
0x4685fc GetClientRect
0x468600 GetClassNameA
0x468604 GetClassInfoA
0x468608 GetCapture
0x46860c GetActiveWindow
0x468610 FrameRect
0x468614 FindWindowA
0x468618 FillRect
0x46861c EqualRect
0x468620 EnumWindows
0x468624 EnumThreadWindows
0x468628 EndPaint
0x46862c EnableWindow
0x468630 EnableScrollBar
0x468634 EnableMenuItem
0x468638 DrawTextA
0x46863c DrawMenuBar
0x468640 DrawIconEx
0x468644 DrawIcon
0x468648 DrawFrameControl
0x46864c DrawFocusRect
0x468650 DrawEdge
0x468654 DispatchMessageA
0x468658 DestroyWindow
0x46865c DestroyMenu
0x468660 DestroyIcon
0x468664 DestroyCursor
0x468668 DeleteMenu
0x46866c DefWindowProcA
0x468670 DefMDIChildProcA
0x468674 DefFrameProcA
0x468678 CreatePopupMenu
0x46867c CreateMenu
0x468680 CreateIcon
0x468684 ClientToScreen
0x468688 CheckMenuItem
0x46868c CallWindowProcA
0x468690 CallNextHookEx
0x468694 BeginPaint
0x468698 CharNextA
0x46869c CharLowerBuffA
0x4686a0 CharLowerA
0x4686a4 CharToOemA
0x4686a8 AdjustWindowRectEx
Library kernel32.dll:
0x4686b4 Sleep
Library oleaut32.dll:
0x4686bc SafeArrayPtrOfIndex
0x4686c0 SafeArrayGetUBound
0x4686c4 SafeArrayGetLBound
0x4686c8 SafeArrayCreate
0x4686cc VariantChangeType
0x4686d0 VariantCopy
0x4686d4 VariantClear
0x4686d8 VariantInit
Library comctl32.dll:
0x4686e8 ImageList_Write
0x4686ec ImageList_Read
0x4686fc ImageList_DragMove
0x468700 ImageList_DragLeave
0x468704 ImageList_DragEnter
0x468708 ImageList_EndDrag
0x46870c ImageList_BeginDrag
0x468710 ImageList_Remove
0x468714 ImageList_DrawEx
0x468718 ImageList_Draw
0x468728 ImageList_Add
0x468730 ImageList_Destroy
0x468734 ImageList_Create
Library comdlg32.dll:
0x46873c GetSaveFileNameA
0x468740 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination      Destination port
192.168.56.101  50534        114.114.114.114  53
192.168.56.101  51963        114.114.114.114  53
192.168.56.101  56539        114.114.114.114  53
192.168.56.101  65004        114.114.114.114  53
192.168.56.101  137          192.168.56.255   137
192.168.56.101  138          192.168.56.255   138
192.168.56.101  49235        224.0.0.252      5355
192.168.56.101  56804        224.0.0.252      5355
192.168.56.101  60123        224.0.0.252      5355
192.168.56.101  62191        224.0.0.252      5355
192.168.56.101  1900         239.255.255.250  1900
192.168.56.101  50535        239.255.255.250  3702
192.168.56.101  50537        239.255.255.250  3702
192.168.56.101  56807        239.255.255.250  1900
192.168.56.101  58707        239.255.255.250  3702
192.168.56.101  62192        239.255.255.250  3702

Every row is resolver DNS (114.114.114.114:53), NetBIOS name and datagram broadcast (137/138 to 192.168.56.255), LLMNR (224.0.0.252:5355), SSDP (239.255.255.250:1900) or WS-Discovery (239.255.255.250:3702), which a Windows guest emits on its own. The capture covers the whole VM, so none of it is attributable to the sample; with no TCP, HTTP or IDS events recorded there is no C2 contact to extract from this run. The DNS query names are not in the report, so whether the sample tried to resolve anything cannot be told from this page.
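The noise filter a triager applies to the UDP table before concluding "no C2 seen", written out as an added example that is not the sandbox's own code: subnet broadcast and multicast traffic on the well-known discovery ports is background, DNS to the guest's configured resolver is DNS, and whatever is left is a pivot point. The /24 guest subnet and the resolver address are assumptions read off the table; the extra unicast rows in the checks use the 203.0.113.0/24 documentation range and are constructed.

```python
import ipaddress

# Local discovery protocols that every Windows guest emits without any malware running.
DISCOVERY_PORTS = {137: "NetBIOS-NS", 138: "NetBIOS-DGM", 1900: "SSDP",
                   3702: "WS-Discovery", 5355: "LLMNR"}

# Constructed input: the report's UDP table, one "src sport dst dport" row per line.
UDP_TABLE = """
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702
"""


def classify_udp(table, guest_prefixlen=24, resolvers=("114.114.114.114",)):
    """Bucket each row as 'dns' (port 53 to a known resolver), 'background' (subnet
    broadcast or multicast on a discovery port) or 'candidate' (anything else, e.g.
    unicast to the Internet or DNS to an unexpected server)."""
    out = {"dns": [], "background": [], "candidate": []}
    for row in table.splitlines():
        if not row.strip():
            continue
        src, _sport, dst, dport = row.split()
        dport = int(dport)
        dst_ip = ipaddress.ip_address(dst)
        subnet = ipaddress.ip_network(f"{src}/{guest_prefixlen}", strict=False)
        local = dst_ip.is_multicast or dst_ip == subnet.broadcast_address
        if dport == 53 and dst in resolvers:
            out["dns"].append((dst, dport, "DNS"))
        elif local and dport in DISCOVERY_PORTS:
            out["background"].append((dst, dport, DISCOVERY_PORTS[dport]))
        else:
            out["candidate"].append((dst, dport, "?"))
    return out


def c2_candidates(table, **kw):
    """Distinct (dst, dport) pairs left after the noise filter; empty means nothing to pivot on."""
    return sorted({(d, p) for d, p, _ in classify_udp(table, **kw)["candidate"]})
```

For this report `c2_candidates(UDP_TABLE)` is empty: four resolver lookups and twelve discovery datagrams, nothing else. A unicast flow to a public address, or DNS sent anywhere other than the configured resolver, would survive the filter and is what to look for in a run that does beacon.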

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.