SmartHawk

13.6

0-day

53 个模型检测该样本为恶意！

重新分析

下载样本

0eb033c0fefb75a3961eb8fb70591a5f8756fe415658dba6e090b8e322fc9b1b

2e8190d9e98467b6bec820c437f22a21.exe

分析耗时

83s

最近分析

文件大小

2.0MB

静态报毒动态报毒 AA0AA8QXXZH AI SCORE=81 AJKNT ARTEMIS CLOUD COINS COINSTEALER CONFIDENCE CRYPTBOT GENERICKD HFSAUTOB HIAUSC HIGH CONFIDENCE HUFX OCCAMY QQPASS QQROB R01FH0CD320 R331878 SALITY SCORE SUSPICIOUS PE THEMIDA TROJANPSW TYEN UNSAFE ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!2E8190D9E984	20200508	6.0.6.653
Alibaba	TrojanPSW:Win32/Coins.c07ac438	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Kingsoft		20200508	2013.8.14.323
Tencent	Win32.Trojan-qqpass.Qqrob.Hufx	20200508	1.0.0.1
Avast	Win32:Trojan-gen	20200508	18.4.3895.0
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620743428.333374 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (33 个事件)

Time & API	Arguments	Status	Return	Repeated
1620743417.067374 IsDebuggerPresent		failed	0	0
1620743419.036374 IsDebuggerPresent		failed	0	0
1620743421.052374 IsDebuggerPresent		failed	0	0
1620743423.067374 IsDebuggerPresent		failed	0	0
1620743425.083374 IsDebuggerPresent		failed	0	0
1620743427.098374 IsDebuggerPresent		failed	0	0
1620743429.130374 IsDebuggerPresent		failed	0	0
1620743431.177374 IsDebuggerPresent		failed	0	0
1620743433.208374 IsDebuggerPresent		failed	0	0
1620743435.223374 IsDebuggerPresent		failed	0	0
1620743437.239374 IsDebuggerPresent		failed	0	0
1620743439.255374 IsDebuggerPresent		failed	0	0
1620743441.270374 IsDebuggerPresent		failed	0	0
1620743443.286374 IsDebuggerPresent		failed	0	0
1620743445.302374 IsDebuggerPresent		failed	0	0
1620743447.317374 IsDebuggerPresent		failed	0	0
1620743449.333374 IsDebuggerPresent		failed	0	0
1620743451.348374 IsDebuggerPresent		failed	0	0
1620743453.364374 IsDebuggerPresent		failed	0	0
1620743455.380374 IsDebuggerPresent		failed	0	0
1620743457.395374 IsDebuggerPresent		failed	0	0
1620743459.411374 IsDebuggerPresent		failed	0	0
1620743461.427374 IsDebuggerPresent		failed	0	0
1620743463.442374 IsDebuggerPresent		failed	0	0
1620743465.458374 IsDebuggerPresent		failed	0	0
1620743467.473374 IsDebuggerPresent		failed	0	0
1620743469.489374 IsDebuggerPresent		failed	0	0
1620743471.505374 IsDebuggerPresent		failed	0	0
1620743473.520374 IsDebuggerPresent		failed	0	0
1620743475.536374 IsDebuggerPresent		failed	0	0
1620743477.552374 IsDebuggerPresent		failed	0	0
1620743479.567374 IsDebuggerPresent		failed	0	0
1620743481.583374 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620743428.348374 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 个事件)

section	\x00
section	.idata
section
section	pbtsuisb
section	jzfnepxc

One or more processes crashed (50 out of 112 个事件)

Time & API	Arguments	Status
1620743416.473374 __exception__	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3078820 registers.edi: 0 registers.eax: 1 registers.ebp: 3078836 registers.edx: 19705856 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x35d0b9 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 3526841 exception.address: 0x112d0b9	success
1620743416.473374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 1983119592 registers.eax: 30014 registers.ebp: 3864551444 registers.edx: 14483456 registers.ebx: 15266718 registers.esi: 3 registers.ecx: 1983315968 exception.instruction_r: fb e9 8b f8 ff ff 89 c2 58 01 d0 e9 00 00 00 00 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0xb8714 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 755476 exception.address: 0xe88714	success
1620743416.473374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 1983119592 registers.eax: 30014 registers.ebp: 3864551444 registers.edx: 241897 registers.ebx: 15266718 registers.esi: 3 registers.ecx: 4294939584 exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 81 ef 04 00 00 00 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0xb8222 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 754210 exception.address: 0xe88222	success
1620743416.473374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 1983119592 registers.eax: 30988 registers.ebp: 3864551444 registers.edx: 241897 registers.ebx: 782455616 registers.esi: 3 registers.ecx: 15271392 exception.instruction_r: fb 31 f6 ff 34 31 ff 34 24 8b 14 24 53 54 5b 81 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0xb8d17 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 757015 exception.address: 0xe88d17	success
1620743416.473374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 1983119592 registers.eax: 30988 registers.ebp: 3864551444 registers.edx: 1259 registers.ebx: 782455616 registers.esi: 4294939068 registers.ecx: 15271392 exception.instruction_r: fb 50 57 89 1c 24 68 ca 4e ff 3f e9 11 00 00 00 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0xb92f7 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 758519 exception.address: 0xe892f7	success
1620743416.473374 __exception__	stacktrace: registers.esp: 3078784 registers.edi: 15275052 registers.eax: 16769953 registers.ebp: 3864551444 registers.edx: 724992 registers.ebx: 724992 registers.esi: 16769449 registers.ecx: 3412000768 exception.instruction_r: fb 68 bc b3 d1 3f 89 14 24 50 b8 13 98 ac 6c 89 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x22edc7 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2289095 exception.address: 0xffedc7	success
1620743416.473374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 15275052 registers.eax: 16801522 registers.ebp: 3864551444 registers.edx: 724992 registers.ebx: 724992 registers.esi: 16769449 registers.ecx: 3412000768 exception.instruction_r: fb 53 e9 00 00 00 00 bb 00 18 ff 73 f7 d3 87 fb exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x22ed0f exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2288911 exception.address: 0xffed0f	success
1620743416.473374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 15275052 registers.eax: 16801522 registers.ebp: 3864551444 registers.edx: 4294938660 registers.ebx: 724992 registers.esi: 27781456 registers.ecx: 3412000768 exception.instruction_r: fb e9 00 00 00 00 81 ec 04 00 00 00 89 34 24 89 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x22e8ad exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2287789 exception.address: 0xffe8ad	success
1620743416.489374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 0 registers.eax: 31904 registers.ebp: 3864551444 registers.edx: 16826294 registers.ebx: 16792322 registers.esi: 50665 registers.ecx: 4294937940 exception.instruction_r: fb 68 25 4d 28 24 ff 34 24 58 e9 aa 04 00 00 81 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x2344e6 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2311398 exception.address: 0x10044e6	success
1620743416.489374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 6762114 registers.eax: 27382 registers.ebp: 3864551444 registers.edx: 0 registers.ebx: 16792322 registers.esi: 16812175 registers.ecx: 134889 exception.instruction_r: fb bb a2 ee 57 7e e9 bb 00 00 00 53 bb 7c ec 97 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x237d45 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2325829 exception.address: 0x1007d45	success
1620743416.505374 __exception__	stacktrace: registers.esp: 3078780 registers.edi: 6762114 registers.eax: 1447909480 registers.ebp: 3864551444 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 16831418 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 55 89 e5 e9 af f7 ff ff exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x24196f exception.instruction: in eax, dx exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2365807 exception.address: 0x101196f	success
1620743416.505374 __exception__	stacktrace: registers.esp: 3078780 registers.edi: 6762114 registers.eax: 1 registers.ebp: 3864551444 registers.edx: 22104 registers.ebx: 0 registers.esi: 16831418 registers.ecx: 20 exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x240a08 exception.address: 0x1010a08 exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc000001d exception.offset: 2361864	success
1620743416.505374 __exception__	stacktrace: registers.esp: 3078780 registers.edi: 6762114 registers.eax: 1447909480 registers.ebp: 3864551444 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 16831418 registers.ecx: 10 exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 e3 29 90 1a 01 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x23ef54 exception.instruction: in eax, dx exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2355028 exception.address: 0x100ef54	success
1620743416.723374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 0 registers.eax: 3078748 registers.ebp: 3864551444 registers.edx: 1828436779 registers.ebx: 16866395 registers.esi: 1743650809 registers.ecx: 1743627769 exception.instruction_r: cd 01 eb 00 6a 00 55 e8 03 00 00 00 20 5d c3 5d exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x245af0 exception.instruction: int 1 exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000005 exception.offset: 2382576 exception.address: 0x1015af0	success
1620743416.723374 __exception__	stacktrace: registers.esp: 3078784 registers.edi: 16867862 registers.eax: 25545 registers.ebp: 3864551444 registers.edx: 6762114 registers.ebx: 2489171 registers.esi: 1330530953 registers.ecx: 3412000768 exception.instruction_r: fb 68 73 ab cb 45 89 04 24 b8 22 9d 9d 7c e9 90 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x2468fd exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2386173 exception.address: 0x10168fd	success
1620743416.723374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 16893407 registers.eax: 25545 registers.ebp: 3864551444 registers.edx: 6762114 registers.ebx: 2489171 registers.esi: 1330530953 registers.ecx: 3412000768 exception.instruction_r: fb 68 29 7f 0e 11 89 04 24 53 89 e3 e9 38 fc ff exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x246bc2 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2386882 exception.address: 0x1016bc2	success
1620743416.723374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 16870695 registers.eax: 0 registers.ebp: 3864551444 registers.edx: 6762114 registers.ebx: 2489171 registers.esi: 1330530953 registers.ecx: 2283 exception.instruction_r: fb 57 e9 47 fe ff ff 01 cf e9 7d 00 00 00 bf 2e exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x2467ec exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2385900 exception.address: 0x10167ec	success
1620743416.895374 __exception__	stacktrace: registers.esp: 3078784 registers.edi: 15230538 registers.eax: 30839 registers.ebp: 3864551444 registers.edx: 6 registers.ebx: 2489393 registers.esi: 16929708 registers.ecx: 0 exception.instruction_r: fb 51 e9 8d 00 00 00 47 56 e9 3f fb ff ff 5e 87 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x2559cd exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2447821 exception.address: 0x10259cd	success
1620743416.911374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 15230538 registers.eax: 30839 registers.ebp: 3864551444 registers.edx: 6 registers.ebx: 2489393 registers.esi: 16960547 registers.ecx: 0 exception.instruction_r: fb 29 c0 ff 34 30 ff 34 24 e9 27 00 00 00 bf 5b exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x255c76 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2448502 exception.address: 0x1025c76	success
1620743416.911374 __exception__	stacktrace: registers.esp: 3078788 registers.edi: 3924134229 registers.eax: 4294939164 registers.ebp: 3864551444 registers.edx: 6 registers.ebx: 2489393 registers.esi: 16960547 registers.ecx: 0 exception.instruction_r: fb e9 21 ff ff ff 43 55 e9 1b fd ff ff 81 ea 2d exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x255945 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2447685 exception.address: 0x1025945	success
1620743416.911374 __exception__	stacktrace: registers.esp: 3078780 registers.edi: 3924134229 registers.eax: 4294940064 registers.ebp: 3864551444 registers.edx: 16977145 registers.ebx: 499177 registers.esi: 16960547 registers.ecx: 884851214 exception.instruction_r: fb e9 16 f9 ff ff 83 c4 04 58 e9 ad ff ff ff c1 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x259f94 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2465684 exception.address: 0x1029f94	success
1620743416.911374 __exception__	stacktrace: registers.esp: 3078776 registers.edi: 3924134229 registers.eax: 30661 registers.ebp: 3864551444 registers.edx: 631907686 registers.ebx: 1337818590 registers.esi: 16960547 registers.ecx: 16954617 exception.instruction_r: fb 81 e9 86 3f fe 1a 81 c1 d5 1d 7b 67 e9 8a ff exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x25bd98 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2473368 exception.address: 0x102bd98	success
1620743416.911374 __exception__	stacktrace: registers.esp: 3078780 registers.edi: 3924134229 registers.eax: 30661 registers.ebp: 3864551444 registers.edx: 631907686 registers.ebx: 1337818590 registers.esi: 16960547 registers.ecx: 16985278 exception.instruction_r: fb 31 c0 ff 34 08 ff 34 24 e9 0e 08 00 00 5a e9 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x25b609 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2471433 exception.address: 0x102b609	success
1620743416.911374 __exception__	stacktrace: registers.esp: 3078780 registers.edi: 1179202795 registers.eax: 4294939184 registers.ebp: 3864551444 registers.edx: 631907686 registers.ebx: 1337818590 registers.esi: 16960547 registers.ecx: 16985278 exception.instruction_r: fb e9 53 00 00 00 68 75 0e 92 1f 89 14 24 8b 2c exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x25bba8 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2472872 exception.address: 0x102bba8	success
1620743416.927374 __exception__	stacktrace: registers.esp: 3078780 registers.edi: 17007436 registers.eax: 31953 registers.ebp: 3864551444 registers.edx: 2130566132 registers.ebx: 406755151 registers.esi: 16960547 registers.ecx: 3412000768 exception.instruction_r: fb 55 54 5d 81 c5 04 00 00 00 81 ed 04 00 00 00 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x260f6f exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2494319 exception.address: 0x1030f6f	success
1620743416.927374 __exception__	stacktrace: registers.esp: 3078780 registers.edi: 16978700 registers.eax: 14827 registers.ebp: 3864551444 registers.edx: 0 registers.ebx: 406755151 registers.esi: 16960547 registers.ecx: 3412000768 exception.instruction_r: fb bb 45 4f fd 75 93 f7 d0 68 dc a9 79 19 89 1c exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x2612c3 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2495171 exception.address: 0x10312c3	success
1620743416.958374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 1592315581 registers.eax: 26454 registers.ebp: 3864551444 registers.edx: 2130566132 registers.ebx: 17123023 registers.esi: 17092285 registers.ecx: 3412000768 exception.instruction_r: fb 31 c0 e9 fa 03 00 00 89 3c 24 bf 26 6e d9 6f exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x27e091 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2613393 exception.address: 0x104e091	success
1620743416.958374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 116969 registers.eax: 4294943300 registers.ebp: 3864551444 registers.edx: 2130566132 registers.ebx: 17123023 registers.esi: 17092285 registers.ecx: 3412000768 exception.instruction_r: fb b8 21 89 ff 7b 05 30 9f 7f 4f 05 8e 05 7a 9e exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x27e511 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2614545 exception.address: 0x104e511	success
1620743416.958374 __exception__	stacktrace: registers.esp: 3078744 registers.edi: 17102737 registers.eax: 25778 registers.ebp: 3864551444 registers.edx: 2130566132 registers.ebx: 922525147 registers.esi: 17092285 registers.ecx: 516901954 exception.instruction_r: fb 53 bb b2 25 28 7f 29 df e9 f1 fc ff ff 83 e9 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x27febf exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2621119 exception.address: 0x104febf	success
1620743416.958374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 17128515 registers.eax: 25778 registers.ebp: 3864551444 registers.edx: 2130566132 registers.ebx: 922525147 registers.esi: 17092285 registers.ecx: 516901954 exception.instruction_r: fb e9 58 fd ff ff 05 04 00 00 00 e9 ea fc ff ff exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x27fad5 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2620117 exception.address: 0x104fad5	success
1620743416.958374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 17128515 registers.eax: 25778 registers.ebp: 3864551444 registers.edx: 2130566132 registers.ebx: 4294944268 registers.esi: 4224237399 registers.ecx: 516901954 exception.instruction_r: fb 50 56 e9 49 f6 ff ff 52 ff 74 24 04 8b 14 24 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x280150 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2621776 exception.address: 0x1050150	success
1620743416.973374 __exception__	stacktrace: registers.esp: 3078744 registers.edi: 17128515 registers.eax: 31523 registers.ebp: 3864551444 registers.edx: 337822487 registers.ebx: 4294944268 registers.esi: 4224237399 registers.ecx: 17105912 exception.instruction_r: fb 81 c1 e4 60 7a 7f 57 52 ba 48 f4 f7 6b bf 92 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x280b1a exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2624282 exception.address: 0x1050b1a	success
1620743416.973374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 17128515 registers.eax: 31523 registers.ebp: 3864551444 registers.edx: 337822487 registers.ebx: 4294944268 registers.esi: 4224237399 registers.ecx: 17137435 exception.instruction_r: fb 31 f6 81 ec 04 00 00 00 e9 f8 fb ff ff 87 3c exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x280af0 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2624240 exception.address: 0x1050af0	success
1620743416.973374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 17128515 registers.eax: 31523 registers.ebp: 3864551444 registers.edx: 22210899 registers.ebx: 4294944268 registers.esi: 4294938376 registers.ecx: 17137435 exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 e9 45 02 00 00 81 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x2804aa exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2622634 exception.address: 0x10504aa	success
1620743416.973374 __exception__	stacktrace: registers.esp: 3078744 registers.edi: 17128515 registers.eax: 25595 registers.ebp: 3864551444 registers.edx: 22210899 registers.ebx: 17108953 registers.esi: 4294938376 registers.ecx: 29646394 exception.instruction_r: fb 52 c7 04 24 d7 d5 d8 6c 81 34 24 e0 d6 4c 00 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x281347 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2626375 exception.address: 0x1051347	success
1620743416.973374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 17128515 registers.eax: 25595 registers.ebp: 3864551444 registers.edx: 22210899 registers.ebx: 17134548 registers.esi: 4294938376 registers.ecx: 29646394 exception.instruction_r: fb 55 c7 04 24 da 27 55 0c 89 3c 24 52 c7 04 24 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x2811ca exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2625994 exception.address: 0x10511ca	success
1620743416.973374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 2730297696 registers.eax: 25595 registers.ebp: 3864551444 registers.edx: 22210899 registers.ebx: 17111884 registers.esi: 4294938376 registers.ecx: 0 exception.instruction_r: fb 68 c6 b3 71 52 89 14 24 c7 04 24 1d d5 6c 29 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x281afe exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2628350 exception.address: 0x1051afe	success
1620743416.973374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 17157331 registers.eax: 29782 registers.ebp: 3864551444 registers.edx: 2147440175 registers.ebx: 65802 registers.esi: 0 registers.ecx: 2002452622 exception.instruction_r: fb e9 40 00 00 00 8b 24 24 e9 20 05 00 00 81 f1 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x285e5d exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2645597 exception.address: 0x1055e5d	success
1620743416.973374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 17130375 registers.eax: 24811 registers.ebp: 3864551444 registers.edx: 2147440175 registers.ebx: 0 registers.esi: 0 registers.ecx: 2002452622 exception.instruction_r: fb 55 e9 bf 05 00 00 33 04 24 31 04 24 33 04 24 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x285d57 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2645335 exception.address: 0x1055d57	success
1620743416.973374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 17130375 registers.eax: 27379 registers.ebp: 3864551444 registers.edx: 17165392 registers.ebx: 0 registers.esi: 0 registers.ecx: 2002452622 exception.instruction_r: fb 29 db ff 34 13 e9 00 00 00 00 ff 34 24 ff 34 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x288ac0 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2656960 exception.address: 0x1058ac0	success
1620743416.973374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 17130375 registers.eax: 27379 registers.ebp: 3864551444 registers.edx: 17165392 registers.ebx: 4294942368 registers.esi: 3939837675 registers.ecx: 2002452622 exception.instruction_r: fb 83 ec 04 89 2c 24 89 3c 24 89 14 24 e9 28 01 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x288380 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2655104 exception.address: 0x1058380	success
1620743416.973374 __exception__	stacktrace: registers.esp: 3078744 registers.edi: 1003931200 registers.eax: 26621 registers.ebp: 3864551444 registers.edx: 17142090 registers.ebx: 177902081 registers.esi: 17127182 registers.ecx: 37377 exception.instruction_r: fb 81 ea d3 6a ff 4f 53 54 5b 81 c3 04 00 00 00 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x2898f8 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2660600 exception.address: 0x10598f8	success
1620743416.989374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 157417 registers.eax: 4294943552 registers.ebp: 3864551444 registers.edx: 17168711 registers.ebx: 177902081 registers.esi: 17127182 registers.ecx: 37377 exception.instruction_r: fb 50 e9 82 05 00 00 5e 51 b9 1b dc da 3f e9 00 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x289648 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2659912 exception.address: 0x1059648	success
1620743416.989374 __exception__	stacktrace: registers.esp: 3078744 registers.edi: 157417 registers.eax: 17145984 registers.ebp: 3864551444 registers.edx: 1191816275 registers.ebx: 645791966 registers.esi: 17127182 registers.ecx: 37377 exception.instruction_r: fb 68 80 71 de 7e e9 00 00 00 00 89 0c 24 e9 8b exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x28aa4b exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2665035 exception.address: 0x105aa4b	success
1620743416.989374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 81129 registers.eax: 17148591 registers.ebp: 3864551444 registers.edx: 1191816275 registers.ebx: 645791966 registers.esi: 0 registers.ecx: 37377 exception.instruction_r: fb 56 52 89 e2 50 b8 04 00 00 00 01 c2 58 57 bf exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x28a3e5 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2663397 exception.address: 0x105a3e5	success
1620743417.005374 __exception__	stacktrace: registers.esp: 3078744 registers.edi: 3864616189 registers.eax: 26653 registers.ebp: 3864551444 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 17190066 registers.ecx: 3412000768 exception.instruction_r: fb 50 b8 e9 67 df 7f 01 c6 8b 04 24 83 c4 04 e9 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x29539e exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2708382 exception.address: 0x106539e	success
1620743417.005374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 2298801283 registers.eax: 26653 registers.ebp: 3864551444 registers.edx: 4294943184 registers.ebx: 2147483650 registers.esi: 17216719 registers.ecx: 3412000768 exception.instruction_r: fb 53 83 ec 04 e9 08 00 00 00 89 04 24 e9 4e 01 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x294e2e exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2706990 exception.address: 0x1064e2e	success
1620743417.005374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 2298801283 registers.eax: 27412 registers.ebp: 3864551444 registers.edx: 4294943184 registers.ebx: 2147483650 registers.esi: 17216719 registers.ecx: 17220390 exception.instruction_r: fb 29 ff ff 34 0f ff 34 24 5a 51 68 26 49 46 73 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x2959a6 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2709926 exception.address: 0x10659a6	success
1620743417.005374 __exception__	stacktrace: registers.esp: 3078748 registers.edi: 4294942592 registers.eax: 27412 registers.ebp: 3864551444 registers.edx: 452945 registers.ebx: 2147483650 registers.esi: 17216719 registers.ecx: 17220390 exception.instruction_r: fb e9 0a fc ff ff 81 c6 2e 93 bf 5d 51 81 ec 04 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x295c34 exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2710580 exception.address: 0x1065c34	success
1620743417.067374 __exception__	stacktrace: registers.esp: 3078744 registers.edi: 17272931 registers.eax: 32037 registers.ebp: 3864551444 registers.edx: 974088 registers.ebx: 2002452454 registers.esi: 17293287 registers.ecx: 3412000768 exception.instruction_r: fb 50 e9 c5 09 00 00 b8 81 c3 df 59 48 f7 d8 51 exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x2ae18e exception.instruction: sti exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2810254 exception.address: 0x107e18e	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 个事件)

request

GET http://ip-api.com/line

Allocates read-write-execute memory (usually to unpack itself) (33 个事件)

Time & API	Arguments	Status
1620743417.083374 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1620743417.083374 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1620743417.333374 NtProtectVirtualMemory	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 401408 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00dd1000	success
1620743417.380374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00400000	success
1620743417.380374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00420000	success
1620743417.380374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00530000	success
1620743417.380374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00540000	success
1620743417.380374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1620743417.380374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00660000	success
1620743417.380374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b50000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b60000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b70000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bc0000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bd0000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00be0000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bf0000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c00000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c10000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d20000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00db0000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00dc0000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x026d0000	success
1620743417.395374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x026e0000	success
1620743417.411374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x026f0000	success
1620743417.411374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1620743417.411374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1620743417.427374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1620743417.427374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1620743417.458374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1620743417.458374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1620743417.458374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1620743417.458374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1620743428.895374 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04220000	success

A process attempted to delay the analysis task. (1 个事件)

description

2e8190d9e98467b6bec820c437f22a21.exe tried to sleep 606 seconds, actually delayed analysis time by 606 seconds

Steals private information from local Internet browsers (31 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\CookiesCopy-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\WebDataCopy-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\WebDataCopy-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\LoginDataCopy-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\LoginDataCopy-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\CookiesCopy-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 2\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 3\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 1\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 1\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 3\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 2\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 3\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 1\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 2\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\CookiesCopy

Looks up the external IP address (1 个事件)

domain

ip-api.com

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620743425.020374 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (4 个事件)

entropy

7.981295446094259

section

{'size_of_data': '0x00061800', 'virtual_address': '0x00001000', 'entropy': 7.981295446094259, 'name': ' \\x00 ', 'virtual_size': '0x000b1000'}

description

A section with a high entropy has been found

entropy

7.625303703775635

section

{'size_of_data': '0x00001400', 'virtual_address': '0x000b2000', 'entropy': 7.625303703775635, 'name': '.rsrc', 'virtual_size': '0x00002005'}

description

A section with a high entropy has been found

entropy

7.95314743347343

section

{'size_of_data': '0x0019d400', 'virtual_address': '0x0035d000', 'entropy': 7.95314743347343, 'name': 'pbtsuisb', 'virtual_size': '0x0019e000'}

description

A section with a high entropy has been found

entropy

0.9992681141741888

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

system

Queries for potentially installed applications (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620743428.395374 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	failed	2	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Attempts to identify installed AV products by installation directory (2 个事件)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avg

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 197 个事件)

Time & API	Arguments	Status
1620743417.052374 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743417.067374 FindWindowA	class_name: GBDYLLO window_name:	failed
1620743417.067374 FindWindowA	class_name: pediy06 window_name:	failed
1620743417.067374 FindWindowA	class_name: FilemonClass window_name:	failed
1620743417.067374 FindWindowA	class_name: FilemonClass window_name:	failed
1620743417.067374 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620743417.083374 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620743417.083374 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620743417.083374 FindWindowA	class_name: RegmonClass window_name:	failed
1620743417.083374 FindWindowA	class_name: RegmonClass window_name:	failed
1620743417.083374 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1620743417.083374 FindWindowA	class_name: 18467-41 window_name:	failed
1620743417.333374 FindWindowA	class_name: FilemonClass window_name:	failed
1620743417.333374 FindWindowA	class_name: FilemonClass window_name:	failed
1620743417.333374 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620743417.333374 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620743417.333374 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620743419.036374 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743419.036374 FindWindowA	class_name: GBDYLLO window_name:	failed
1620743419.036374 FindWindowA	class_name: pediy06 window_name:	failed
1620743421.052374 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743421.052374 FindWindowA	class_name: GBDYLLO window_name:	failed
1620743421.052374 FindWindowA	class_name: pediy06 window_name:	failed
1620743421.380374 FindWindowA	class_name: Regmonclass window_name:	failed
1620743421.380374 FindWindowA	class_name: Regmonclass window_name:	failed
1620743421.692374 FindWindowA	class_name: 18467-41 window_name:	failed
1620743422.005374 FindWindowA	class_name: Filemonclass window_name:	failed
1620743422.005374 FindWindowA	class_name: Filemonclass window_name:	failed
1620743422.005374 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620743423.067374 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743423.067374 FindWindowA	class_name: GBDYLLO window_name:	failed
1620743423.067374 FindWindowA	class_name: pediy06 window_name:	failed
1620743425.083374 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743425.083374 FindWindowA	class_name: GBDYLLO window_name:	failed
1620743425.083374 FindWindowA	class_name: pediy06 window_name:	failed
1620743426.005374 FindWindowA	class_name: Regmonclass window_name:	failed
1620743426.005374 FindWindowA	class_name: Regmonclass window_name:	failed
1620743426.317374 FindWindowA	class_name: 18467-41 window_name:	failed
1620743426.630374 FindWindowA	class_name: Filemonclass window_name:	failed
1620743426.630374 FindWindowA	class_name: Filemonclass window_name:	failed
1620743426.630374 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620743427.098374 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743427.098374 FindWindowA	class_name: GBDYLLO window_name:	failed
1620743427.098374 FindWindowA	class_name: pediy06 window_name:	failed
1620743429.130374 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743429.161374 FindWindowA	class_name: GBDYLLO window_name:	failed
1620743429.161374 FindWindowA	class_name: pediy06 window_name:	failed
1620743430.645374 FindWindowA	class_name: Regmonclass window_name:	failed
1620743430.645374 FindWindowA	class_name: Regmonclass window_name:	failed
1620743431.020374 FindWindowA	class_name: 18467-41 window_name:	failed

Checks the version of Bios, possibly for anti-virtualization (2 个事件)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (1 个事件)

file	C:\ProgramData\qIYPVFbmxZH\Files\Crypto\Electrum\wallets

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)

Time & API	Arguments	Status
1620743427.583374 RegSetValueExA	key_handle: 0x0000047c value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620743427.583374 RegSetValueExA	key_handle: 0x0000047c value: í1F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620743427.583374 RegSetValueExA	key_handle: 0x0000047c value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620743427.583374 RegSetValueExW	key_handle: 0x0000047c value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620743427.583374 RegSetValueExA	key_handle: 0x00000490 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620743427.583374 RegSetValueExA	key_handle: 0x00000490 value: í1F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620743427.583374 RegSetValueExA	key_handle: 0x00000490 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620743427.630374 RegSetValueExW	key_handle: 0x00000478 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success
1620743428.223374 RegSetValueExA	key_handle: 0x000004a4 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620743428.223374 RegSetValueExA	key_handle: 0x000004a4 value: aí1F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620743428.223374 RegSetValueExA	key_handle: 0x000004a4 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620743428.223374 RegSetValueExW	key_handle: 0x000004a4 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620743428.223374 RegSetValueExA	key_handle: 0x000004a8 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620743428.223374 RegSetValueExA	key_handle: 0x000004a8 value: aí1F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620743428.223374 RegSetValueExA	key_handle: 0x000004a8 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success

Detects VirtualBox through the presence of a registry key (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620743416.505374 __exception__	stacktrace: registers.esp: 3078780 registers.edi: 6762114 registers.eax: 1447909480 registers.ebp: 3864551444 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 16831418 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 55 89 e5 e9 af f7 ff ff exception.symbol: 2e8190d9e98467b6bec820c437f22a21+0x24196f exception.instruction: in eax, dx exception.module: 2e8190d9e98467b6bec820c437f22a21.exe exception.exception_code: 0xc0000096 exception.offset: 2365807 exception.address: 0x101196f	success	0	0

Detects the presence of Wine emulator (1 个事件)

registry

HKEY_CURRENT_USER\Software\Wine

Generates some ICMP traffic

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)

Bkav	W32.HfsAutoB.
MicroWorld-eScan	Trojan.GenericKD.42917960
FireEye	Generic.mg.2e8190d9e98467b6
McAfee	Artemis!2E8190D9E984
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 00561cb11 )
Alibaba	TrojanPSW:Win32/Coins.c07ac438
K7GW	Trojan ( 00561cb11 )
Cybereason	malicious.4def19
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-PSW.Win32.Coins.wbp
BitDefender	Trojan.GenericKD.42917960
NANO-Antivirus	Trojan.Win32.Coins.hiausc
AegisLab	Trojan.Win32.Generic.a!c
Rising	Downloader.Generic!8.141 (CLOUD)
Endgame	malicious (high confidence)
Emsisoft	Trojan.GenericKD.42917960 (B)
F-Secure	Trojan.TR/PSW.Coins.ajknt
Zillya	Trojan.Coins.Win32.3973
Invincea	heuristic
McAfee-GW-Edition	BehavesLike.Win32.Sality.vc
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
SentinelOne	DFI - Suspicious PE
Cyren	W32/Trojan.TYEN-4375
Webroot	W32.Coins.wbp
Avira	TR/PSW.Coins.ajknt
MAX	malware (ai score=81)
Antiy-AVL	Trojan[PSW]/Win32.Coins
Microsoft	Trojan:Win32/Occamy.C
Arcabit	Trojan.Generic.D28EE048
ZoneAlarm	Trojan-PSW.Win32.Coins.wbp
GData	Trojan.GenericKD.42917960
AhnLab-V3	Trojan/Win32.CoinStealer.R331878
Acronis	suspicious
TACHYON	Trojan-PWS/W32.Coins.2102784
Ad-Aware	Trojan.GenericKD.42917960
Malwarebytes	Spyware.CryptBot.Generic
Panda	Trj/CI.A
ESET-NOD32	a variant of Win32/Packed.Themida.HIX
TrendMicro-HouseCall	TROJ_GEN.R01FH0CD320
Tencent	Win32.Trojan-qqpass.Qqrob.Hufx
Yandex	Trojan.Themida!
Ikarus	Trojan.Win32.Themida
Fortinet	W32/Generic!tr.dldr
BitDefenderTheta	Gen:NN.ZexaF.34108.aA0aa8QxXZh
AVG	Win32:Trojan-gen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-03-11 18:19:48

Imports

Library kernel32.dll:

• 0x4b5033 lstrcpy

Library comctl32.dll:

• 0x4b503b InitCommonControls

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
lerm04.info
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
ip-api.com	A 208.95.112.1	208.95.112.1
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49179	208.95.112.1 ip-api.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	53660	239.255.255.250	1900

HTTP & HTTPS Requests

URI	Data
http://ip-api.com/line	GET /line HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ip-api.com Connection: Keep-Alive

URI

Data

http://ip-api.com/line

GET /line HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: ip-api.com
Connection: Keep-Alive

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.